DLA Did Not Monitor or Reconcile Its PayPal Account.

Audit calls on the school to gain access to its PayPal account and reconcile the information in the account with its financial records.

Overview

DLA did not monitor or reconcile its PayPal account. As a result, there is a higher-than-acceptable risk that transactions processed through this account were not entered in the school’s financial records and that inappropriate transactions could have gone undetected.

The school’s PayPal account was set up to make online purchases and accept online donations on behalf of the school. All payments made to vendors through the PayPal account are charged to the school’s credit card, which is linked to the school’s operating cash account. We observed vendor payment activity conducted through DLA’s PayPal account in our analysis of its credit card transactions (see Finding 3); however, we were unable to review detailed account activity to verify cash receipts.

During the audit period, there was no evidence that the school’s business manager regularly monitored and reconciled the PayPal account.

In addition, when we asked the school to generate a statement of activity for its PayPal account, it could not do so. DLA’s former business manager had been designated as the PayPal administrator; she resigned from her position in July 2017, and the role of PayPal administrator was not assigned to a successor. Therefore, the school could not access the account to monitor transactions or reconcile account activity.

Authoritative Guidance

Section 1201(H) of the school’s Fiscal Policies and Procedures Guide states, “Reconciliation of cash receipts to deposit slip, bank statements, and general ledger control accounts . . . are performed by the Business Manager on a monthly basis.” Section 1202(G) of the guide states, “Bank statements are reconciled soon after receipt by the Business Manager and any outstanding checks and/or deposits are verified.”

Reasons for Inadequate Administration

The school did not establish proper internal controls, i.e., policies and procedures, regarding the administration of its PayPal account to ensure that all transactions were properly authorized and that reconciliations were regularly performed by an independent staff member.

According to the board chair, school officials did not appoint a new administrator because they were not aware of the financial risks involved in not gaining access to this account.

Recommendations

  1. DLA should immediately gain access to its PayPal account, review the transactions conducted in the account during our audit period, and reconcile the information in the account to DLA’s financial records.
  2. DLA should establish policies and procedures regarding the administration of its PayPal account, as well as monitoring controls to ensure that these policies and procedures are adhered to.

Auditee’s Response

DLA attempted to gain control over the PayPal account, but the former business manager was uncooperative. The new Executive Director made best efforts to gain compliance and cooperation from the former business manager but was unsuccessful.

DLA management wanted to immediately discontinue use of its PayPal account for security reasons; however, [OSA] advised DLA management to keep the account active during the audit.

DLA has since deleted all known PayPal accounts for security reasons. DLA no longer maintains a PayPal account, but in the event that a decision to establish such an account is made in the future, DLA will establish policies and procedures regarding the administration of the account, including monitoring controls to ensure that all policies and procedures are complied with.

Auditor’s Reply

During our audit period, DLA did not monitor or reconcile its PayPal account, and as a result, there is a higher-than-acceptable risk of improper transactions in this account. This is of particular concern given that very few people had access to this account; it was not independently monitored; and, according to DLA’s response, the one person who was administering the account, DLA’s former business manager, did not cooperate with DLA in giving the school access to the account so that OSA could review the account activity. During our audit, OSA asked DLA to keep the account open until we could review and assess the propriety of any transactions processed through the account. Although DLA management told OSA that they had attempted to give us access to this account, we were never given access. Had DLA been properly administering this account, it would have been able to give us the access needed to conduct the necessary audit testing.

Based on its response, DLA will take measures to ensure that if it uses a PayPal account in the future, there will be better administrative controls in place. However, OSA again urges DLA to gain access to the information in the PayPal account that it maintained, review the transactions conducted in the account, reconcile the information in the account to school financial records, and investigate any questionable transactions.

Date published: November 19, 2018