There is only one employee—the Boston office revenue coordinator—who is responsible for the entire daily revenue process for the Division of Marine Fisheries (DMF). This employee collects funds from the lockbox daily, reconciles the cash received with the cash out report (a summary of daily transactions from the Fish program), resolves any variances by generating a discrepancy report (a detailed list of all daily transactions), and prepares the daily deposit. As a result, the Department of Fish and Game (DFG) cannot be certain that funds are adequately protected from potential theft, loss, or misuse.
In addition, the Boston revenue coordinator uses DMF’s chief fiscal officer’s (CFO’s) username and password to access the Fish program. This program contains permits’ types, amounts paid, transaction dates, expiration dates, and purchaser names and dates of birth, as well as noting whether the purchasers are Massachusetts residents. As a result of using the CFO’s username and password, the revenue coordinator has inappropriate access to DMF’s commercial revenue process.
Section 10.04. of the Comptroller of the Commonwealth’s Internal Control Guide for June 2015, which DFG is required to follow, states,
Management should divide or segregate key duties and responsibilities among different people to reduce the risk of error, misuse, or fraud. This includes separating the responsibilities . . . so that no one individual controls all key aspects of a transaction or event.
The Executive Office of Technology Services and Security (EOTSS) Enterprise Security Office is responsible for writing, publishing, and updating all enterprise information security policies and standards that apply to all executive department offices and agencies. Section 188.8.131.52 of EOTSS’s “Access Management Standard” IS.003 states that a “privileged interactive account” such as the CFO’s “is assigned to one and only one user” and that “passwords for these accounts must not be shared.”
Reasons for Issues
DFG’s management stated that there were not enough employees to process funds, which resulted in the lack of segregation of duties. In addition, the policy and procedures do not address who is responsible for preparing daily/monthly reconciliations.
Because of the age of the Fish system, DFG could not add new users or make changes to various management functions within the system and therefore could not obtain the proper access for the revenue coordinator. DFG management stated that they were in the process of replacing Fish with a new system to account for all commercial permits.
- DFG should revise its policy and procedures to include segregation of duties for the processing of revenue.
- DFG should segregate duties for collecting funds, reconciling transactions, and preparing daily deposits.
- DFG should ensure that all users have their own usernames and passwords for the Fish system once it is upgraded.
The Draft Report found that DFG "lacks segregation of duties within the Division of Marine Fisheries Boston Revenue Process." Specifically, the finding focuses on a single employee, "the Boston revenue coordinator [who] is responsible for collecting funds from the DMF lock box daily, reconciles the cash received with the cash out report (a summary of daily transactions from the DMF FISH program), resolves any variances by generating a discrepancy report (a detailed list of all daily transactions), and also prepares the daily deposit." To place this finding in context, it is important to reiterate that DMF's existing controls appear to have been sufficient: the audit team testing (as noted in the [Office of the State Auditor, or OSA] Draft Report) did not find that any revenue was misappropriated or unaccounted for in DMF. Nevertheless, DFG agrees that existing controls could be supplemented by adopting the three recommendations made by the audit team, and has instituted corrective action.
The first two recommendations were that DFG should (1) revise its policy and procedures to include segregation of duties for the processing of revenue and (2) should segregate duties for collecting funds, reconciling transactions, and preparing daily deposits. DMF has redundant controls in place to ensure no one person is responsible for collecting, reconciling, and reporting cash receipts. The OSA audit team was provided with the DMF Internal Control Plan and all pertinent documents necessary to review and understand the revenue collection process. One of the documents provided, "Issue: Policy and Procedure for Accounts Receivable, No: IPPG-03" . . ., lays out the steps taken by the Boston office revenue coordinator to ensure multiple levels of oversight. On page 2 . . . the policy states, "The Revenue Coordinators report the daily deposit information to the Revenue Supervisor, who verifies that all of the previous day's revenue is accurate and attributed to the correct revenue source (General Fund, Recreational Fund, Shellfish Plant or Trust Account). Spreadsheets with daily transactions are created and maintained by the Revenue Supervisor and revenue is checked daily against Bank of America's Cash Pro and the sweep account in [the Massachusetts Management Accounting and Reporting System] to monitor any irregularities. Hard copies of bank statements are reviewed when received by the Revenue Coordinator in Boston to confirm that all deposit information is accurate." What this means is that all cash receipts reconciled by the Revenue Coordinator in Boston are independently reviewed and verified by the Revenue Supervisor in the Gloucester office. The Revenue Supervisor runs her own reports to verify all cash receipts reported by the Revenue Coordinator are accurate and she does not rely on the reports the Revenue Coordinator prepares as part of her daily reconciliation.
The third recommendation was to ensure that all users have their own usernames and passwords for the FISH system once it is upgraded. This recommendation arises out of the audit team learning that two employees were using a shared password for the FISH permit application, a standalone system used to issue DMF commercial fishing permits outside of the MassFishHunt system. While it is theoretically possible that one of the employees could have used this shared password to issue unauthorized commercial fishing permits, because of the multiple layers of checks and balances in place for all permit issuance, any attempt by that employee to issue a permit would be detected the following day. Nevertheless, DFG agrees with the audit team that individual users should have unique credentials for all systems, including the FISH permit application. Accordingly, DMF has worked with [Executive Office of Energy and Environmental Affairs information technology] to overcome technical issues associated with the age and the limitation of the Oracle based FISH system and has been able to ensure that no two users of the FISH program utilize the same credentials.
The work is independently reviewed and verified by the revenue supervisor; however, because the revenue coordinator and the CFO are the only people who have access to the CFO’s username and password, no other reviewer would be aware of changes made using that login information. Therefore, any adjustments made would not be evident to the revenue supervisor. Based on its response, DFG is taking measures to address our concerns on this matter.
|Date published:||March 17, 2020|