
Washington State Auditor's Office

Accountability Audit Report

Department of Social and Health Services


Audit Period July 1, 2007 through June 30, 2008 Report No. 1001539

Issue Date June 1, 2009

Washington State Auditor Brian Sonntag

June 1, 2009

Susan Dreyfus, Secretary Department of Social and Health Services

Report on Accountability
We appreciate the opportunity to work in cooperation with your Department to promote accountability, integrity and openness in government. The State Auditor's Office takes seriously our role to advocate for government accountability and transparency and to promote positive change.

Please find attached our report on the Department of Social and Health Services' accountability and compliance with state laws and regulations and its own policies and procedures.

Thank you for working with us to ensure the efficient and effective use of public resources.

Sincerely,

BRIAN SONNTAG, CGFM STATE AUDITOR

Insurance Building, P.O. Box 40021 Olympia, Washington 98504-0021 (360) 902-0370 TDD Relay (800) 833-6388 FAX (360) 753-0646 http://www.sao.wa.gov

Table of Contents
State of Washington Department of Social and Health Services
Audit Summary

Related Reports

Description of the Department

Schedule of Audit Findings and Responses

Status of Prior Audit Findings

Audit Summary
ABOUT THE AUDIT
This report contains the results of our independent accountability audit of the Department of Social and Health Services for the period from July 1, 2007, through June 30, 2008.

We evaluated internal controls and performed audit procedures on the activities of the Department. We also determined whether the Department complied with state laws and regulations and its own policies and procedures.

In keeping with general auditing practices, we do not examine every transaction, activity or area. Instead, the areas examined were those representing the highest risk of noncompliance, misappropriation or misuse.

The following areas were examined during this audit period: Department-wide; Background checks; Social Service Payment System (SSPS) duplicate payments; Crisis Residential Center slot payments; Cash receipt internal controls; Division of Child Support; Agency Financial Reporting System (AFRS) duties; Local funds; Green Hill School; Overcapacity foster homes; Payroll; Internal controls child care payments; Overpayment write-offs; Citizen referrals; System controls Agency Contract Database (ACD), Automated Client Eligibility System (ACES), Electronic Jobs Automated System (eJAS) and Support Enforcement Management System (SEMS); Loss/misappropriation; Division of Developmental Disabilities; Case management internal controls; Individual Service Plans (ISPs); Social Service Payment System (SSPS) disbursements; Contracts; Cash receipts; Fixed assets.


RESULTS
In most areas, the Department complied with state laws and regulations and its own policies and procedures. However, we identified seven conditions significant enough to report as findings:

The Department of Social and Health Services, Children's Administration and Economic Services Administration, paid an adoptive parent, foster care providers and child care providers who had not cleared background checks.

The Department of Social and Health Services did not have controls in place to prevent misappropriation and ensure payroll accuracy.

The Department of Social and Health Services' internal controls over provider payments are not adequate, resulting in misappropriations totaling approximately $230,000.

The Department of Social and Health Services does not ensure all payments made through its Social Services Payment System are supported and approved.

The Department of Social and Health Services' Economic Services Administration systems are vulnerable to misappropriation and inappropriate data changes.

The Department of Social and Health Services does not adequately monitor access to critical systems.

The Department of Social and Health Services does not adequately monitor contracts with Crisis Residential Centers to ensure compliance with state law and contract requirements.

We also noted certain matters that we communicated to Department management. We appreciate the Department's commitment to resolving those matters.


Related Reports
FINANCIAL
We perform an annual audit of the statewide basic financial statements, as required by state law (RCW 43.09.310). Our opinion on these financial statements is included in the Comprehensive Annual Financial Report (CAFR) prepared by and available from the Office of Financial Management. The CAFR reflects the financial activities of all funds, organizations, institutions, agencies, departments and offices that are part of the state's reporting entity. That report is issued by the Office of Financial Management in December of each year and can be found at www.ofm.wa.gov.

FEDERAL PROGRAMS
In accordance with the Single Audit Act, we annually audit major federal programs administered by the state of Washington. Rather than perform a single audit of each agency, we audit the state as a whole. As a result of the federal audit work performed at the Department, including the Medicaid program, we identified 31 conditions significant enough to report as federal findings. The results of that audit are published in a report issued by the Office of Financial Management in March of each year. A link to that report can be found on our Web site.

PERFORMANCE AUDITS
Initiative 900, approved by voters in 2005, gives the State Auditor's Office the authority to conduct independent performance audits of state and local government entities. Performance audits include, but are not limited to, providing objective analysis to improve program performance and operations, reducing costs and identifying best practices. We did not issue any performance audit reports related to the Department since the last accountability report was issued.

OTHER REPORTS
In addition to these reports, we issued 11 reports pursuant to the State Employee Whistleblower Act (Chapter 42.40 RCW), which are available on our Web site.


Description of the Department


ABOUT THE DEPARTMENT
The mission of the Department of Social and Health Services is to improve the quality of life for individuals and families in need. The Department works to help people achieve safe, self-sufficient, healthy and secure lives.

The Department spends over $9 billion a year, which represents approximately one-third of the state budget, and has more than 18,000 employees. Department resources, most of which flow through the general fund, are composed of approximately 49 percent federal funds, 46 percent state funds and 5 percent from other sources. Based on the most recent data available, every two years the Department serves one in three state residents (or approximately 2.1 million people) and one of every two children and youth in the state up to the age of 17.

The Department is divided into six administrations: Aging and Disability Services, Children's Services, Economic Services, Health and Recovery Services, Juvenile Rehabilitation and Executive Administration, which provides centralized support services to the administrations. The Health and Recovery Services Administration, which includes the majority of services provided under the Medicaid program, accounts for over half the Department's total budget.

DEPARTMENT CONTACT INFORMATION


Address: Department of Social and Health Services Headquarters (OB2), P.O. Box 45030, 1115 Washington St. S.E., Olympia, WA 98504-5030

Phone: (360) 902-8400

Web site: www.dshs.wa.gov

AUDIT HISTORY
We audit the Department annually. During the past five audits, we reported several areas of concern as follows: Four findings in 2003, one finding in fiscal year 2004, three findings in fiscal year 2005, four findings in fiscal year 2006 and four findings in fiscal year 2007. In addition, we audit several federal programs, including Medicaid, at the Department annually. Audit findings related to those programs can be found in the annual single audit reports, which are issued by the Office of Financial Management. Links to those reports can be found on our Web site, www.sao.wa.gov.


Schedule of Audit Findings and Responses


1. The Department of Social and Health Services, Children's Administration and Economic Services Administration paid an adoptive parent, foster care providers and child care providers who had not cleared background checks.

Background
State law requires adoptive parents, foster care providers and child care providers to have a criminal background check completed prior to the placement of a child.

The Children's Administration administers the foster care and adoption placement programs. In fiscal year 2007, the Department paid approximately $96 million to foster care providers and approximately $72 million to adoptive parents and support service providers.

The Economic Services Administration determines eligibility and processes payments for in-home and relative child care providers. The Department paid approximately $40 million to these child care providers during fiscal year 2008.

Adoptive parents must undergo one background check. In-home and relative child care providers must be checked every two years and foster care providers every three years.

Some providers are paid for foster care services even though no child is placed with them. These services include transportation and respite care. These providers also are required to undergo background checks.

Background check requests have been submitted to the Department's Background Check Central Unit and tracked in a database since August 2000.

In our audits of fiscal years 2003 through 2007, we reported the Department was not complying with criminal background check requirements. We are repeating the finding in this audit report.

Description of Condition
We obtained foster care, adoption and child care support payment data for fiscal year 2008 from the Social Service Payment System, which is used to authorize and issue payments to these providers. We cross-matched the names of individuals who received payments during fiscal year 2008 with the names in the Unit database to identify individuals who may not have had a background check prior to payment.

The cross-match identified 5,902 providers whose names did not have an exact match in the database. Of those, we selected 250 child care providers receiving the highest payments and randomly selected 400 providers of foster and adoption services. We found:

Ninety-seven payments were related to adoptions that took place prior to 2002. Records retention requirements permit destruction of background check records after six years, so we were unable to pursue a further review regarding the appropriateness of these payments.

Five hundred names were recorded in the database with slightly different spellings or other minor differences, such as Bob and Robert. Other identifying information, such as Social Security numbers, matched. We consider these resolved.

Twenty-seven provided services that did not include having unsupervised access to children. No background check was required.

Of the remaining 26, we found the Department paid:

Twenty transportation or respite care providers who had not had background checks.

One relative child care provider for transportation services whose background check was not completed until nine months after the payment.

One provider whose background check was not conducted until more than two years after the adoption.

Two child care providers who had not had background checks.

One child care services provider who did not have a background check every two years.

One provider whose background check was incorrectly cleared using a relative's name. We were not able to determine how the error was made.

Cause of Condition
The Department requires a supervisor to review the background check and sign off before a child is placed in a foster or adoptive home. However, the Department does not have a similar review process in place for child care providers or support service providers.

Effect of Condition
The Department paid adoption, foster care and child care providers who had not had background checks. The lack of background checks increases the risk of people with disqualifying criminal backgrounds having access to children served by the Department.

Recommendation
We recommend the Department perform a secondary review of all providers required to have cleared background checks before they are authorized to provide services and receive payment. We further recommend the Department ensure all rejected background check forms are corrected, resubmitted and cleared prior to authorizing payment. The Department's processes should be documented so they can be monitored and enforced.

Department's Response
This finding was directed at the Economic Services Administration and Children's Administration. Both administrations concurred with the finding. Their individual responses follow.

Economic Services Administration

Economic Services concurs that four child care cases were missing a background check. The Community Service Division (CSD) did not have a supervisory review process in place for child care providers similar to that which Children's Administration had for foster and adoptive homes. CSD was aware of the lack of adequate controls in this area and submitted a work request to BarCode April 28, 2008 that included adding an automated feature to BarCode that will prevent SSPS from making a payment to a provider who does not have a current background check. Because of competing priorities, BarCode was unable to complete the request last year. However, as a result of this finding, we will attempt to have the request elevated on the priority list for completion this year.

CSD does have a front-end process that prevents the background check form from being submitted with incomplete information. The form must include specific data elements before it can be processed by BarCode. When a form is submitted without all required information, it is returned to the client to obtain the missing information from the child care provider. When the completed form is returned, the information is entered and the form is sent through the automated system to be processed. CSD does not track forms that are not returned from clients.

CSD does not authorize payment for providers that do not have a completed and current background check on file. However, SSPS does not check with BarCode to see if there is a current background check, consequently some providers may unintentionally get paid. The work request change in BarCode described above will ensure providers that do not have a background check do not receive payments.

The client is notified when the chosen provider does not respond to requests for additional information and informed they need to find a different child care provider.

When a background check results in a finding that is not disqualifying, the client decides character and suitability of the provider. The client decides whether to use the provider and informs the department of their decision. Supervisory review is not required for this decision.

BarCode automatically sends a tickle to the worker 45 days prior to expiration date of the provider's background check. CSD is exploring the possibility of staff working the tickler as a mandatory part of their job to help assure background checks are completed every two years as required.

Children's Administration

Children's Administration concurs with this finding.

Following the October 2006 enactment of federal Adam Walsh legislation, practices and procedures around background checks were significantly strengthened through implementation of the legislation, which addressed who was to be checked, how often, when providers could be compensated and what is to be covered in the check. Children's Administration will work with field staff to assist them in complying with Department policy regarding obtaining background checks for providers.

For those exceptions identified where a background check was not located, Children's Administration will confirm whether or not one was completed. If it is determined that one was not done or if it cannot be confirmed, we will conduct background checks. The steps to be taken to address each of these will be outlined in our corrective action plan.

Those identified as exceptions because payments were made prior to the completion of a background check cannot be addressed in a corrective action plan because the finding addresses the timeliness of completing the background check, versus not completing a background check. If the background check revealed disqualifying information action would have been taken to terminate the provider as a service provider. If it did not, those providers will continue to provide and be paid for their services. However, the issue of timely completion of checks will be addressed through additional emphasis on compliance with existing policy as referenced above.

Auditor's Remarks
We thank the Department for its response and the steps it is taking to prevent future occurrences. We look forward to reviewing these improvements during our next audit.


Applicable Laws and Regulations


RCW 26.33.150, Petition for adoption -- Filing -- Preplacement report required, states:

(1) An adoption proceeding is initiated by filing with the court a petition for adoption. The petition shall be filed by the prospective adoptive parent.

(2) A petition for adoption shall contain the following information: (a) The name and address of the petitioner; (b) The name, if any, gender, and place and date of birth, if known, of the adoptee; (c) A statement that the child is or is not an Indian child covered by the Indian Child Welfare Act; and (d) The name and address of the department or any agency, legal guardian, or person having custody of the child.

(3) The written consent to adoption of any person, the department, or agency which has been executed shall be filed with the petition.

(4) The petition shall be signed under penalty of perjury by the petitioner. If the petitioner is married, the petitioner's spouse shall join in the petition.

(5) If a preplacement report prepared pursuant to RCW 26.33.190 has not been previously filed with the court, the preplacement report shall be filed with the petition for adoption.

RCW 26.33.190, Preplacement report -- Requirements -- Fees, states in part:

(3) All preplacement reports shall include a background check of any conviction records, pending charges, or disciplinary board final decisions of prospective adoptive parents. The background check shall include an examination of state and national criminal identification data provided by the Washington state patrol criminal identification system including, but not limited to, a fingerprint-based background check of national crime information databases for any person being investigated. It shall also include a review of any child abuse and neglect history of any adult living in the prospective adoptive parents' home. The background check of the child abuse and neglect history shall include a review of the child abuse and neglect registries of all states in which the prospective adoptive parents or any other adult living in the home have lived during the five years preceding the date of the preplacement report.

WAC 388-06-0110, Who must have background checks?

The department requires background checks on individuals who will have unsupervised access to children or to individuals with a developmental disability in homes, facilities, or operations licensed, relicensed, or contracted by the department to provide care as required under chapter 74.15 RCW. The department requires background checks on the following people:

(1) A person licensed, certified, or contracted by us to care for children (chapter 74.15 RCW and RCW 43.43.832);

(2) A prospective or current employee for a licensed care provider or a person or entity contracting with us;

(3) A volunteer or intern with regular or unsupervised access to children who is in a home or facility that offers licensed care to children;

(4) A person who is at least sixteen years old, is residing in a foster home, relative's home, or child care home and is not a foster child;

(5) A relative other than a parent who may be caring for a child or an individual with a developmental disability;

(6) A person who regularly has unsupervised access to a child or an individual with a developmental disability;

(7) A provider who has unsupervised access to a child or individual with a developmental disability in the home of the child or individual with a developmental disability; and

(8) Prospective adoptive parents as defined in RCW 26.33.020.

WAC 388-06-0130, Does the background check process apply to new and renewal licenses, certification, contracts, and authorizations to have unsupervised access to children or individuals with a developmental disability?

These regulations apply to all applications for new and renewal licenses, contracts, certifications, and authorizations to have unsupervised access to children and individuals with a developmental disability that are processed by the department after the effective date of this chapter.

WAC 388-06-0150, What does the background check cover?

(1) The department must review the following records: (a) Criminal convictions and pending charges. (b) For children's administration, child protective service case file information (CAMIS) for founded reports of child abuse or neglect; and (c) For children's administration, administrative hearing decisions related to any DLR license that has been revoked, suspended or denied.

(2) The department may also review any civil judgment, determination or disciplinary board final decisions of child abuse or neglect.

(3) The department may review law enforcement records of convictions and pending charges in other states or locations if: (a) You have lived in another state; and (b) Reports from credible community sources indicate a need to investigate another state's records.

(4) If you have lived in Washington state less than three years immediately prior to your application to have unsupervised access to children or to individuals with a developmental disability, the department requires that you be fingerprinted for a background check with the Washington state patrol (WSP) and the Federal Bureau of Investigation (FBI), as mandated by chapter 74.15 RCW.

WAC 170-290-0140, When is my in-home/relative provider not eligible for WCCC payment?

We do not pay for the cost of in-home/relative care if:

(1) Your provider does not meet the requirements in WAC 388-290-0130, 388-290-0135, and 388-290-0138;

(2) Your in-home/relative provider has been convicted of, or has charges pending for crimes posted on the DSHS secretary's crime and action list for background checks for ESA. You can find the complete list at http://www1.dshs.wa.gov/esa/dccel/policy.shtml;

(3) We do not have background check results according to WAC 388-290-0143;

(4) The provider is: (a) The child's biological, adoptive or step-parent; (b) The child's non-needy or needy relative or relative's spouse or live-in partner; (c) The child's legal guardian or the guardian's spouse or live-in partner; or (d) Another adult acting in loco parentis or that adult's spouse or live-in partner.

(5) We do not have the results of all applicable criminal background checks under WAC 388-290-0143(1) and 388-290-0150. An in-home/relative provider is not an eligible provider (per WAC 388-290-0095 and 388-290-0100) prior to receiving these background results. Providers other than in-home/relative providers you can use are described in WAC 388-290-0125; or

(6) We determine your provider is not of suitable character and competence or of sufficient physical or mental health to meet the needs of the child in care, or the household may be at risk of harm by this provider, as indicated by information other than conviction information. We will use criteria, such as the following, when reviewing information about incidents/issues/reports/findings: (a) Recency; (b) Seriousness; (c) Type; (d) Frequency; and (e) Relationship to the direct care of a child including health, mental health, learning, and safety.


WAC 170-290-0143, Who must have a background check for the WCCC program and how often is the check done?

(1) A background check must be completed for: (a) All in-home/relative providers who apply to care for a WCCC consumer's child; and (b) Any individual sixteen years of age or older who is residing with a provider when care occurs outside of the child's home.

(2) A background check must be completed for individuals listed in subsection (1)(a) and (b) of this section at least every two years.

(3) Additional background checks must be completed for individuals listed in subsection (1)(a) and (b) of this section when: (a) Any individual sixteen years of age or older is newly residing with a provider when care occurs outside of the child's home; (b) We have a valid reason to do a check more frequently. (c) An in-home/relative provider applies to provide care for a family, such as when: (i) A break in service occurs to the current consumer; (ii) There is a break in consumer eligibility; or (iii) A provider is currently providing care and there are no prior background results for this provider.

(4) We do not need to request a new background check for an individual in subsection (1)(a) or (b) if: (a) We have results that were received no more than ninety days prior to the current requested start date of care; and (b) The results indicate that there is no record.


2. The Department of Social and Health Services did not have controls in place to prevent misappropriation and ensure payroll accuracy.

Background
The Department processes approximately $1.2 billion in yearly payroll for more than 20,000 employees. In 2006 it began using the state's new Human Resources Management System (HRMS) to process payroll.

An important aspect of information technology security is limiting employees' access to computer systems to only those areas they need to do their jobs. Properly configured access helps reduce the risk of misappropriation and errors. Within HRMS, roles determine what areas and functions system users can access. Payroll processing roles in HRMS include personnel administrator, payroll processor and time and attendance processor.

In fiscal year 2008, we performed a review of HRMS and identified multiple system weaknesses including:

Employees in state payroll offices have conflicting roles.

Users can make unauthorized changes to data.

Insufficient monitoring of information entered into or changed in HRMS.

The full report can be found on our Web site, www.sao.wa.gov.

Due to the weaknesses in HRMS security, it is critical that agencies compensate by segregating incompatible functions when possible and increase monitoring to detect inappropriate activity. We reviewed the payroll process to determine if the Department had increased monitoring and had limited system access.

Payroll is split between headquarters, which processes approximately 13,000 employees, and 22 institutions such as Residential Habilitation Centers for the developmentally disabled and Juvenile Rehabilitation Centers, which process the remaining 7,000. Approximately 300 time and attendance processors across the state post sick and annual leave to HRMS.

Description of Condition
We found the Department is not using the available system controls and has not compensated for this through increased monitoring. Specifically:

The payroll and personnel functions are segregated at Department headquarters. The human resource offices at the institutions perform both functions.

HRMS provides separate roles for payroll and personnel processing so those who add employees to the system and enter their salaries are not able to enter and authorize pay. However, the Department granted both roles to 25 employees.

No control is in place to prevent employees with the payroll processing or personnel administrator roles from changing payroll or personnel records, including their own, without approval.

Reports are available to identify individuals who have changed their own records so such changes can be monitored and investigated; however, at headquarters and at one institution we reviewed, management was not running these reports.

Cause of Condition
The Department does not have a uniform payroll process. The 22 institutions fall under three Department administrations; each administration has its own guidelines. Headquarters provides guidance, but each administration can choose to follow that guidance or to have its own policies. Supervisors of employees who enter data directly into HRMS were not familiar with the lack of system controls. Headquarters employees stated they knew about the control issues, but did not have authority over the institutions. Institution personnel stated they could not prevent employees from changing their own records without a formal policy in place. They also stated they needed to key their own payroll in order to meet payroll deadlines. Management stated the report that identifies HRMS changes is too difficult to run and too cumbersome to use.

Effect of Condition
Although our audit work did not identify inappropriate payroll changes, the current process creates significant risks of misappropriation and errors that will not be detected in a timely manner if at all. If detected, the Department could have a difficult time determining who was responsible.

Recommendation
We recommend the Department:

Establish and follow compensating controls to monitor transactions entered into HRMS without supervisory approval and changes to payroll records.

Ensure individuals responsible for processing payroll do not have the access needed to add individuals to or delete them from the personnel system.

Review reports and obtain additional training on how to interpret them in order to more effectively monitor changes made to HRMS data.
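As an added illustration of the compensating monitoring recommended above (this code is not part of the audit report and is not an HRMS report), the following Python example lists users who hold both conflicting roles and flags logged changes that were made to the user's own record or without independent approval. Only the role names come from the report; the CSV layouts, column names, user IDs and personnel numbers are constructed assumptions.

```python
"""Detective checks for the two HRMS weaknesses described in this finding.

Assumptions (not from the audit report): the CSV layouts, column names,
user IDs and personnel numbers below are constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# Role names are taken from the report; the finding says the same person
# should not hold both of these.
CONFLICTING = {"payroll processor", "personnel administrator"}

# Constructed sample: one row per (user, role) grant.
ROLE_EXPORT = """user_id,personnel_no,role
jdoe,1001,payroll processor
jdoe,1001,personnel administrator
asmith,1002,payroll processor
blee,1003,time and attendance processor
cwong,1004,personnel administrator
cwong,1004,Payroll Processor
"""

# Constructed sample of a post-transaction change log.
CHANGE_LOG = """changed_at,changed_by,personnel_no,record_type,field,approved_by
2008-03-03T09:14:00,asmith,1002,payroll,bank_account,
2008-03-03T10:02:00,asmith,1007,payroll,hours,mgr1
2008-03-04T16:40:00,jdoe,1010,personnel,salary,
2008-03-05T08:05:00,blee,1003,leave,annual_leave,mgr2
2008-03-05T11:30:00,cwong,1004,personnel,salary,cwong
"""


def load_roles(text):
    """Return ({user: set(roles)}, {user: personnel_no}) from the role export."""
    roles, owner = defaultdict(set), {}
    for row in csv.DictReader(io.StringIO(text)):
        user = row["user_id"].strip().lower()
        # Normalise case so "Payroll Processor" and "payroll processor" match.
        roles[user].add(row["role"].strip().lower())
        owner[user] = row["personnel_no"].strip()
    return roles, owner


def conflicting_users(roles):
    """Users who hold every role in the conflicting set."""
    return sorted(u for u, r in roles.items() if CONFLICTING <= r)


def review_changes(log_text, roles, owner):
    """Flag log rows that need supervisory follow-up.

    self_change: the user edited the record for their own personnel number.
    no_independent_approval: approver is blank or is the person who made the change.
    conflicted_user: the change was made by someone holding both roles.
    """
    conflicted = set(conflicting_users(roles))
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user = row["changed_by"].strip().lower()
        approver = row["approved_by"].strip().lower()
        reasons = []
        if owner.get(user) == row["personnel_no"].strip():
            reasons.append("self_change")
        if not approver or approver == user:
            reasons.append("no_independent_approval")
        if user in conflicted:
            reasons.append("conflicted_user")
        # A change approved by someone else, on someone else's record, by a
        # user without conflicting roles produces no reasons and is skipped.
        if reasons:
            findings.append((row["changed_at"], user, row["personnel_no"], reasons))
    return findings


if __name__ == "__main__":
    roles, owner = load_roles(ROLE_EXPORT)
    print("Conflicting roles:", conflicting_users(roles))
    for when, user, pno, reasons in review_changes(CHANGE_LOG, roles, owner):
        print(when, user, pno, ",".join(reasons))
```

Like the change report discussed in this finding, this is a post-transaction check: it surfaces changes for review and does not prevent them.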

Departments Response
The Department does not agree that the payroll and personnel functions at the institutions are not segregated. Payroll responsibilities and staff are and have been under the direct supervision of the institution, while the personnel data processes are under the supervision of the Human Resources Division within Management Services. The Department concurs with the finding that the Department granted both payroll and personnel processing roles to headquarters and institution employees. When HRMS was initially implemented, the functions within those roles were not clear and neither was the impact of the implementation to the personnel and payroll processes. In order to allow the most flexibility with the resources available, Personnel and Payroll processing roles were given to approximately 30
employees within the Personnel and Payroll processes to allow for manual intervention if necessary. Even with dual access we maintained a segregation of duties by clearly defined work roles and responsibilities for personnel and payroll staff. In March of 2009 and in response to the SAO audit the department reviewed all HRMS users and removed all conflicting roles.

The Department concurs with the finding that we did not have compensation controls in place to prevent employees with payroll processing or personnel administrator roles from changing payroll or personnel records without approval. The HRMS system does not have any controls to prevent an individual from entering or changing data on their own personnel/payroll account. The request for this control to be provided through the system was made on September 17, 2008 to the Department of Personnel (DOP) under Help Ticket # 109793. Completion of this Help Ticket is dependent on DOP's schedule.

The Department concurs with the finding that reports are available to identify individuals who have changed their own records. As indicated in the statewide audit report, the HRMS does provide a Logged Changes in the Info type Data Report to monitor data changes. This report is reviewed by Headquarters Payroll Office staff; however, as the SAO auditor verbally noted when reviewing this report on site, it is a post-transaction report and not a control that prevents payroll processing staff or personnel administrators from changing payroll or personnel records, including their own, without approval. The Department will continue to examine possible solutions to effectively and efficiently monitor data changes in the system until HRMS system changes providing pre-transaction controls are implemented by DOP.

Auditor's Concluding Remarks
We thank the Department for its response and the steps it is taking to establish and follow internal controls. We look forward to reviewing these improvements during our next audit.

Applicable Laws and Regulations
RCW 43.88.160 (4) requires the Director of the Office of Financial Management (OFM), as an agent of the Governor, to: Develop and maintain a system of internal controls and internal audits comprising methods and procedures to be adopted by each agency that will safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies for accounting and financial controls. The system developed by the director shall include criteria for determining the scope and comprehensiveness of internal controls required by the classes of agencies, depending on the level of resources at risk. Each agency head or authorized designee shall be assigned the responsibility and authority for establishing and maintaining internal audits following the standards of internal auditing of the Institute of Internal Auditors . . . .

State Administrative and Accounting Manual (SAAM), Section 20.15.40.e, Monitoring, states in part: An agency's internal control is most effective when there is a proper monitoring control environment, results are prioritized and communicated, and weaknesses are corrected and followed up on as necessary.

Schedule of Audit Findings and Responses


State of Washington Department of Social and Health Services
3. The Department of Social and Health Services' internal controls over provider payments are not adequate, resulting in misappropriations totaling approximately $230,000.

Background
The Department uses computer systems to establish client and provider eligibility for social service programs and to authorize and generate payments. The Social Service Payment System (SSPS) is the primary provider payment system for non-Medicaid programs. It is used by approximately 2,000 Economic Services Administration and Developmental Disabilities Division social workers to authorize payments in excess of $800 million annually to more than 45,000 providers. For this audit, we focused on more than $283 million in child care provider payments and more than $511 million in developmental disability client provider payments. Our audit examined the internal controls the Department has in place to prevent and detect misappropriation and errors. Examples of preventive controls are separation of duties, proper authorization of transactions, adequate documentation and physical control over assets. Detective controls are designed to provide evidence that an error or loss has occurred. Examples are reviews, analyses, reconciliations and audits. In order to be effective, these controls need to be carefully designed and appropriately used. Both are essential to an effective internal control system.

Description of Condition
Preventive Controls

Child care case workers who have the system access needed to set up clients and providers also have the ability to authorize payments.

Developmental disability client case managers cannot establish providers. Payments can be authorized only if a provider already is in the Department's Agency Contract Database. However, we found Division case managers can authorize payments to providers even if the provider contract has expired.

Detective Controls

For the child care program, the Department does not have detective controls in place to verify payments to providers are for services rendered. In addition, no system is in place to prevent child care payments in excess of the maximums established by state law without prior approval from a supervisor or proper supporting documentation on file. A number of Department supervisors stated they relied on a process called Audit 99 to determine if payments are valid. We learned this process was developed to monitor client eligibility, not as a way to identify invalid payments. We reviewed the process and determined it would not be effective in detecting inappropriate provider payments.

The Developmental Disabilities Division has a detective control in place that requires supervisors to select three cases each month, contact the client or client representative and verify that services paid for were rendered. Division supervisors also receive reports of high-risk transactions, such as one-time payments and payments in excess of the maximums allowed by policy. However, supervisors do not consistently do either of these. Similar to the child care program, the Division also lacks controls to prevent developmental disability provider payments in excess of the maximums established by policy without prior approval from a supervisor or proper supporting documentation on file.

We also noted for both programs, supervisors perform the audit and verification procedures. In most instances, these supervisors also establish and authorize payments to service providers. No mechanism is in place to ensure transactions initiated by supervisors are independently reviewed.

Cause of Condition
SSPS is a 30-year-old system that lacks software to track transactions created or updated within the mainframe. This condition is compounded by a lack of supervisory review of transactions. We also found no process is in place to eliminate providers whose contracts have expired from the Agency Contracts Database. Economic Services Administration management stated they were putting a payment review process in place, but that had not occurred by the end of our audit. Regional offices relied on an audit process designed to evaluate case worker performance. It would not detect inappropriate payments because it does not include verification with anyone associated with the case to ensure services were rendered. The Department stated that adding preventative controls in SSPS is not reasonable because the Department is creating a new social service payment system designed in part to correct these weaknesses. However, the new payment system has been delayed with no new target date set.

Effect of Condition
Two misappropriations continued for several months at the Department. The Department notified our Office of both as required.

From May 2007 through January 2008, three child care workers established false providers in the system and authorized and paid them $130,000.

In August of 2006, a case resource manager paid $100,000 for services not rendered to clients. A Washington State Patrol investigation found $8,289.92 was misappropriated when the case resource manager issued payments to a relative who was a former contracted client service provider still registered in the system. The remaining payments of $91,000 were issued to a home health agency for services not rendered. We were unable to determine the nature of the relationship, if any, between the case resource manager and the home health agency.

We reported these misappropriations as part of our State of Washington Single Audit. That report is available on the Office of Financial Management's web site, www.ofm.wa.gov. Without controls designed to detect and prevent misappropriation, the Department is at risk of these occurring in the future.

Recommendation
The Department stated SSPS cannot segregate the duties of setting up providers and issuing payments. Therefore, we recommend the Department:
• Develop a process to identify inappropriate child care payments.
• Increase the number of developmental disability client case files reviewed by supervisors and enforce policies and procedures regarding this review.
• Establish and follow a process of reviewing child care and Developmental Disability payments issued by supervisors.
• Develop an approval process for payments in excess of maximums set by state law and Department policy.
• Establish and follow controls to prevent payments to providers without current contracts.

Department's Response
This finding was directed at the Aging and Disability Services Administration (ADSA) and the Economic Services Administration (ESA). ADSA concurred with the finding and ESA partially concurred. The response from each administration follows.

Aging and Disability Services Administration

ADSA concurs with these findings. We will increase compliance with the Division of Developmental Disabilities policy requiring supervisory review of client case files and CASIS output reports to at least fifty percent. We will continue supervisor monthly review of all authorization for payments in excess of maximums. Controls currently in place to prevent payments to providers without current contracts will be continued, including worker verification of provider contracts and supervisor verification during client case review.

Economic Services Administration

ESA concurs with the finding that there are no preventive controls in place to limit child care authorizing workers from having system access needed to set up client cases and authorize payments. In our current automated work environment, the same person who sets up the case can also authorize payments, and the current 1% supervisory audits are designed to check for improper authorization of transactions and adequate documentation.

ESA partially concurs that there are no detective controls in place designed to provide evidence that an error or loss has occurred. Current policy requires supervisory review and approval for authorizations in excess of the standard amount; however, that process is not consistently followed. To minimize child care payment errors for authorizations over the standard, on June 1, 2009 ESA will implement a 9-code pre-authorization process. The new process will include system controls that prevent the worker from submitting over the standard authorizations for payments that do not have appropriate supervisory approval.

This change will create a separation of duties and enforce tighter controls for this type of authorizations. The change will apply to supervisors who can also authorize over the standard payments as allowed in policy. A non-authorizing supervisor will have to review and approve authorizations created by a child care supervisor. The system will not accept authorizations over the standard if the person submitting the authorization is the same person authorizing the payment. Audit 99 (a multi-level audit tool used by ESA to complete performance audits on workers and programs) will continue to be used by ESA to ensure eligibility and authorizations are made correctly. Audit 99 was not designed nor expected to detect inappropriate provider payments.

To address provider payments, ESA relies on the Quality Assurance (QA) Attendance Reconciliation effort. QA pulls a random sample of Working Connections Child Care cases to compare child care authorizations to attendance records and the payments issued. ESA staff correct errors when identified and establish an overpayment when warranted. Report training for supervisors, stressing payment accuracy, has been developed to assist the field in minimizing payment errors. The training will begin May 1, 2009 and be completed no later than June 30, 2009.

Auditor's Remarks
We thank the Department for its response and the steps it is taking to improve internal controls. We will review the status of the Department's corrective action during our next audit.

Applicable Laws and Regulations
State Administrative and Accounting Manual (SAAM), 20.15.30, Who is responsible for internal control? Each agency, regardless of size, is required to adopt methods to periodically assess risk and to develop, implement, and review its system of internal controls. The methods should be tailored to the specific needs of the agency.

State Administrative and Accounting Manual (SAAM), 80.30.92, Agency fiscal activities must be organized to provide effective internal control, states in part: Agency fiscal activities are to be organized in such a manner as to provide the maximum degree of internal control in the most efficient and effective manner . . . .

Department of Social and Health Services Administrative Policy No. 16.05, Internal Control Risk Assessment and Self-Evaluation, states: Every manager in the Department of Social and Health Services (DSHS) is responsible for maintaining appropriate internal controls for those organizational processes within their area of responsibility so that:
• Department resources and assets are safeguarded;
• Operations are efficient and effective;
• Programs comply with applicable laws and regulations;
• Financial reporting is accurate and reliable.
This policy establishes the requirement for all DSHS managers to annually conduct a comprehensive internal control Risk Assessment and Self-Evaluation (RASE) within their respective areas of authority, regardless of size, function, or location. The intent is to provide all DSHS managers, particularly executive managers, reasonable assurance that perceivable risk to the organization has been appropriately identified, considered and mitigated for, in an effort to help the department successfully achieve its stated mission and business objectives. This policy applies to all department operations.

Department of Social and Health Services Information Technology Security Policy Manual, 2.2.5 SEPARATION OF DUTIES AND SUPERVISION, Policy Statement 2.2.5, states: Take reasonable precautions to minimize the risk of financial fraud or theft, or of the mishandling of confidential or sensitive information (i.e. categories 2, 3, or 4 as defined at Section 3.2.1), through separation of duties and supervision.

Standards
S1. Design program area workflow to provide as much separation of sensitive functions as possible.
S2. Actively supervise and review employee efforts where confidential data or the potential for committing fraud exists.

4. The Department of Social and Health Services does not ensure all payments made through its Social Services Payment System are supported and approved.

Background
The Department's Social Services Payment System (SSPS) authorizes and pays almost $2 billion in client services each year. This system is used by the Economic Services, Aging and Disability Services, Health and Recovery Services, Juvenile Rehabilitation and Children's administrations. Approximately 4,700 caseworkers across the state use the system to authorize payments to over 78,000 providers of services to more than 290,000 clients. During previous audits, we identified inappropriate payments totaling $116,912.17 in fiscal year 2005, $66,079.42 in fiscal year 2006 and $88,230.42 in fiscal year 2007.

Description of Condition
The Department pays providers on an invoiced or non-invoiced basis. For invoiced payments, providers approve or change the invoices and return the information to the Department. Non-invoiced payments are paid monthly to the provider over a specified period of time.

The Department's Payment Review Program (PRP) contracts with a private company to develop and run algorithms on system data to help identify inappropriate payments. The programs that use the system to pay providers work with PRP and the contractor to develop the algorithms designed to enhance each program's existing provider and payment reviews. The contractor runs the algorithms from once a quarter to once a year, depending upon each program's request. The algorithm logic and data are reviewed and approved by Department staff before the Department determines if an overpayment has occurred. PRP reviews and approves all overpayment data before submitting it to the Office of Financial Recovery, which collects the money back from providers.

To follow up on the weaknesses previously identified, we selected 1,234 potentially inappropriate payments for 399 clients based on:
• Multiple payments to the same provider for the same client for the same time period and amount.
• Multiple manual override payments to the same provider for the same client for the same time period and amount.
• Multiple State Supplemental Payments to the same client for the same month.

We reviewed documentation supporting transactions for the Children's, Aging and Disability Services and Economic Services administrations. We found:

| Administration | Number of Clients | Number of Payments | Number of Clients with inappropriate payments | Number of inappropriate payments | Dollar amount of overpayment identified |
|---|---|---|---|---|---|
| Children's | 83 | 281 | 62 | 116 | $40,155.35 |
| Aging and Disability | 155 | 523 | 124 | 201 | $106,587.78 |
| Economic Services | 161 | 430 | 68 | 93 | $7,117.54 |
| TOTAL | 399 | 1234 | 254 | 410 | $153,860.67 |

We found 33 percent of the payments tested were inappropriate. The Department made 410 inappropriate payments to clients and providers, totaling $153,860.67. The Department identified 49 of these through its review process and our audit identified the remaining 361. The overpayments were a combination of state and federal dollars.
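The three selection criteria listed above can be expressed as grouping rules over payment records. The following is an added example, not code from the audit report, the Department or its contractor; the record fields, rule names and sample rows are constructed assumptions, and each hit is only a candidate for documentation review, not a determination that a payment was inappropriate.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Payment:
    # Hypothetical record layout; the report does not describe SSPS fields.
    payment_id: str
    provider_id: str          # empty for State Supplemental Payments
    client_id: str
    period: str               # service month, "YYYY-MM"
    amount: Decimal
    manual_override: bool = False
    kind: str = "provider"    # "provider" or "ssp"


def _groups(rows, key):
    """Bucket rows by key and keep only buckets holding more than one payment."""
    buckets = defaultdict(list)
    for p in rows:
        buckets[key(p)].append(p.payment_id)
    return {k: ids for k, ids in buckets.items() if len(ids) > 1}


def _same_everything(p):
    return (p.provider_id, p.client_id, p.period, p.amount)


def duplicate_provider_payments(payments):
    """Criterion 1: same provider, client, time period and amount."""
    rows = [p for p in payments if p.kind == "provider"]
    return _groups(rows, _same_everything)


def duplicate_manual_overrides(payments):
    """Criterion 2: as criterion 1, restricted to manual override payments."""
    rows = [p for p in payments if p.kind == "provider" and p.manual_override]
    return _groups(rows, _same_everything)


def multiple_ssp_same_month(payments):
    """Criterion 3: more than one State Supplemental Payment per client per month."""
    rows = [p for p in payments if p.kind == "ssp"]
    return _groups(rows, lambda p: (p.client_id, p.period))


RULES = {
    "duplicate_provider_payment": duplicate_provider_payments,
    "duplicate_manual_override": duplicate_manual_overrides,
    "multiple_ssp_same_month": multiple_ssp_same_month,
}


def review_queue(payments):
    """Map each flagged payment_id to the rules that selected it."""
    hits = defaultdict(list)
    for name, rule in RULES.items():
        for ids in rule(payments).values():
            for pid in ids:
                hits[pid].append(name)
    return dict(hits)


# Constructed sample rows (not data from the audit).
SAMPLE = [
    Payment("P1", "PRV-A", "CL-1", "2008-03", Decimal("412.50")),
    Payment("P2", "PRV-A", "CL-1", "2008-03", Decimal("412.50")),
    Payment("P3", "PRV-A", "CL-1", "2008-03", Decimal("300.00")),  # amount differs
    Payment("P4", "PRV-B", "CL-2", "2008-04", Decimal("95.00"), manual_override=True),
    Payment("P5", "PRV-B", "CL-2", "2008-04", Decimal("95.00"), manual_override=True),
    Payment("P6", "PRV-B", "CL-3", "2008-04", Decimal("95.00")),   # client differs
    Payment("S1", "", "CL-4", "2008-05", Decimal("46.00"), kind="ssp"),
    Payment("S2", "", "CL-4", "2008-05", Decimal("46.00"), kind="ssp"),
    Payment("S3", "", "CL-4", "2008-06", Decimal("46.00"), kind="ssp"),  # next month
]

if __name__ == "__main__":
    for pid, rules in sorted(review_queue(SAMPLE).items()):
        print(pid, ", ".join(rules))
```

Run before payments are released rather than quarterly or annually, the same grouping would act as a preventive hold instead of an after-the-fact overpayment report.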

Cause of Condition
The Department relies on internal controls that do not identify all potentially inappropriate payments. The different methods of paying providers, coupled with controls designed only to detect overpayments, increase the risk of inappropriate payments that will not be identified in a timely manner.

Effect of Condition
The Department overpaid $153,860 for client support and services and risks making future overpayments.

Recommendation
We recommend the Department:
• Establish and follow controls to prevent duplicate payments from occurring.
• Strengthen reviews of SSPS payments to identify overpayments.
• Continue collecting on overpayments identified during the audit.
• Consult with grantors to determine if funds used for inappropriate payments should be repaid to the federal government.

Department's Response
This finding is directed at the Aging and Disability Services Administration (ADSA), the Children's Administration (CA) and the Economic Services Administration (ESA). Each administration concurred with the finding. The response for each administration follows.

Aging and Disability Services Administration

ADSA concurs with this finding. We agree that the errors identified by the auditor were made and will continue to use and enhance the tools in place to prevent duplicate payments from occurring. ADSA will take steps to ensure quality assurance reviews are being completed as required. Also, ADSA will review established procedures to determine if additional controls can be implemented to reduce duplicate payments. Finally, we will continue to train staff on overpayments, and ensure supervisors are conducting adequate reviews of SSPS payments to identify overpayments. We reviewed all the exceptions identified in the audit. We established overpayments on all duplicate payments and will take action to recover those overpayments. Finally, we will work with the U.S. Department of Health and Human Services to determine if any costs are unallowable.

Children's Administration

CA concurs with this finding. There were a total of 116 exceptions identified during this audit, 17 of which were overpayments that had already been identified by the Department and reported to the Office of Financial Recovery (OFR) for collection. For the other 99 exceptions the Department will compile the relevant information needed to submit them also to OFR for collection. This activity will be outlined in our corrective action plan for this finding. In response to a similar finding in the 2007 SAO audit, we indicated that FamLink, the new case management system, includes many additional edits and controls to prevent such duplicate payments. FamLink was implemented in February 2009 and we anticipate the new controls will significantly reduce future duplicate payments. Those not prevented by FamLink controls will be identified and corrected through algorithms run by the Payment Review Program.

Economic Services Administration

ESA concurs with the auditor's finding that we do not have adequate internal controls to identify duplicate authorizations before issuing payments. Staff currently use a pre-authorization process for exception payments. This process requires the supervisor to review and approve payments over the standard prior to authorizing payment; however, the process is not consistently followed. ESA has some controls in place to review authorized payments issued through supervisory audits. Supervisors review and work the Duplicate Payment Report (40N51) monthly to identify duplicate payments, and when warranted, staff corrects the case and completes an overpayment.

ESA utilizes two additional safeguards: (1) running algorithms to identify duplicate payments; and (2) Quality Assurance (QA) attendance reconciliation effort. QA pulls a random sample of Working Connections Child Care (WCCC) cases to compare child care authorizations to attendance records and the payments issued. Overpayments are written on duplicate payments found in both of these reviews. ESA has developed report training for supervisors, stressing payment accuracy. The training is scheduled to begin May 1, 2009 and be completed no later than June 30, 2009. Beginning in June 2009 ESA will also implement a 9-code pre-authorization process that will require supervisors to approve authorizations over the standard amount prior to payment. Code 9 is the authorization code a worker uses to authorize exception payments above the standard.

ESA does not agree that there were 56 payments that were inappropriate. We reviewed the payments and determined that four payments for two cases were issued for the wrong child. In each case an overpayment will be established and a new authorization issued for the correct child. We determined cases identified as a duplicate payment were not in error.

What appeared to be multiple payments to the same provider for the same client were actually appropriate payments based on a Department of Early Learning (DEL) policy that requires staff to pay additional childcare units needed above the maximum rate for travel and work hours that exceed the maximum rate. "Unit of Care" refers to the type of care authorized. For example, if a school age child needs less than 22 half-days per month, the worker authorizes one extra half-day per week, or up to five additional half-days per month, to allow for school closures/holidays. The authorization for the extra half-days is put on a separate line with a "9" code so the provider will bill the extra half-days only for days when the child is in care five or more hours. The multiple manual override payments often appear as additional half or full day authorizations when in fact they were appropriate authorizations for child care.

Auditor's Remarks
We thank the Department for its response and the steps it is taking to improve internal controls. We will review the status of the Department's corrective action during our next audit.

Applicable Laws and Regulations
RCW 43.88.160 (4) requires the Director of the Office of Financial Management (OFM), as an agent of the Governor, to: Develop and maintain a system of internal controls and internal audits comprising methods and procedures to be adopted by each agency that will safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies for accounting and financial controls. The system developed by the director shall include criteria for determining the scope and comprehensiveness of internal controls required by the classes of agencies, depending on the level of resources at risk. Each agency head or authorized designee shall be assigned the responsibility and authority for establishing and maintaining internal audits following the standards of internal auditing of the Institute of Internal Auditors . . . .

State Administrative and Accounting Manual (SAAM), Section 20.15.40.e, Monitoring, states in part: An agency's internal control is most effective when there is a proper monitoring control environment, results are prioritized and communicated, and weaknesses are corrected and followed up on as necessary.

5. The Department of Social and Health Services' Economic Services Administration systems are vulnerable to misappropriation and inappropriate data changes.

Background
The Department's Economic Services Administration administers the Electronic Jobs Automated System (eJAS) and the Support Enforcement Management System (SEMS).

SEMS is used to manage collection and payment of approximately $670 million in child support. Approximately 1,100 Department employees and 350 to 400 workers in county prosecutors' offices use the system.

eJAS is a Web-based case management system for more than 50,000 families who participate in the WorkFirst and Food Assistance Employment and Training programs. The system records, tracks and reports on clients' participation in job search and retention. It also issues vouchers for support services and automated payments for transportation assistance to WorkFirst clients. In fiscal year 2008, WorkFirst support service expenditures were more than $5 million. The system supports 5,500 users including staff from the Department, the Employment Security Department, the Department of Community, Trade and Economic Development, the state Board of Community and Technical Colleges, Indian tribes and community-based service providers.

Our audit of fiscal year 2003 found internal control weaknesses related to eJAS. During our current audit, we followed up on those weaknesses. We had not previously reviewed SEMS.

Description of Condition
We interviewed Department staff, reviewed policies and procedures, identified and assessed the adequacy of general and application controls and examined how the controls were used. As part of our review of SEMS, we also evaluated controls over two related systems that interface with SEMS: the Financial Management Imaging System, which is used to create an electronic image of all incoming support payment checks, and the Automated Clearing House (ACH) Manager, which processes electronic transfers of support payments, both to and from the Department.

We noted the following weaknesses related to system access:
• SEMS users can make changes to system records, such as amounts of child support owed, addresses and names without approval. The Department reviews only changes that result in a refund being issued.
• The ACH Manager processes payments with financial institutions. Twelve ACH Manager users share a system logon and password.
• Supervisors do not review changes to payment data in the ACH Manager.
• Program changes to SEMS and ACH Manager are not always authorized and adequately tested.
• No system is in place to track the most recent versions of SEMS, ACH Manager or eJAS programs or to identify prior versions, should one be needed.
• Programmers have the access needed to work on separate versions of the same program at the same time and make different changes. One version could overwrite the other and eliminate valid modifications.
• The system does not maintain an audit trail of program changes, which prevents changes from being traced to the individual who made the changes.
• Changes made to the eJAS program code are documented either in notes written by the programmer or not at all. Changes to programs cannot be traced to the individual who made them.
• Independent approval is not required before changes are made to eJAS.
• Emergency program changes to eJAS are not monitored or approved.

Cause of Condition
The systems were not designed to require approvals prior to data changes. The Department has no formal procedures requiring a review of logs or reports sufficient to detect potential unauthorized changes to data. Management did not enforce a policy on shared logins and passwords. The Department did not focus on controls over change management as an area of potential high risk.

Effect of Condition
The risk of error or misappropriation is increased. Failure to review all adjustments to payments increases the risk money could be shifted between accounts and/or refunded inappropriately. Also, the conditions increase the risk that changes could be made to programs in error or unauthorized programs could be run with no record of who made the changes.

Recommendation
We recommend the Department:
• Put in place SEMS system edits to ensure staff does not make changes without supervisory approval.
• Regularly review changes to provide reasonable assurance that inappropriate or unauthorized changes are detected.
• Use a system for eJAS, SEMS and ACH Manager to ensure program changes are properly authorized, reviewed and accurate.
• Require all staff who process payments through the ACH Manager to use a unique logon and password.
• Review and maintain logged changes to ACH Manager data to ensure changes were appropriate.

Department's Response
SEMS

The Department does not concur with the finding regarding the need for supervisory approval of changes made in SEMS with an additional audit to detect inappropriate changes. With approximately 2 million changes made each month, requiring supervisory approval for system changes as well as an after-the-fact audit are cost and resource prohibitive. Similarly, reprogramming SEMS to add a supervisory review function prior to a change would not only involve significant programming time but additional FTEs. Adding additional layers of approval would have detrimental impact on DCS's ability to complete our mission of improving the lives of children, families and communities and could impact federal performance measures.

There are currently controls in place to ensure accountability for changes made in the system. DCS staff that processes payments does not have the ability to make changes to customer address data. Conversely, staff that has the ability to change addresses, cannot process payments. This prevents staff from intercepting a payment and/or redirecting it. Changes to addresses, legal names, bank accounts and other individual level records are automatically recorded in SEMS on the Individual Comment (IC) screen along with the Employee ID of the person making the change and the date and time of the action. All changes are logged and reports are generated that allow auditing and ensure compliance with laws and regulations. In addition, DCS customers have the ability to view the information 24-hours a day, seven days a week online. Finally, if a debt is reduced on a support case, a letter is automatically generated to the custodial parent advising them of the reduction.

DCS will make changes to Access Control to ensure appropriate update and view rights for SEMS. Users should only have update and view rights to the level of their supervisor. Additionally, the supervisor may limit the rights for their direct reports based on the needs of the position. DCS staff are hired and trained specifically to perform sensitive functions that carry with them great responsibility.

Systems Access and Changes

The Department concurs with the findings related to the review of payment changes in ACH Manager and a system in eJAS, SEMS, and ACH to ensure program changes are authorized and accurate.

DCS is developing a new ACH Manager that uses SEMS Access and Control for logging into the program. Each SEMS user has a unique ID and password. Only authorized staff will be able to log into the ACH Manager. The new program is scheduled for implementation by fall 2009. Changes to payment data will be logged in with the ID of the person making the change as well as the date and time. Only a limited number of staff will be authorized to make changes. Supervisors will be able to audit the changes made.

Since the FY05 audit, ESA has been looking for change control software that will work for our specific and unusual needs in eJAS. Because of the need to control/package both natural and asp programs into a single change, the search has been difficult. Recently, however, new change control software has demonstrated promise. When the budget permits, we will look more closely at this product. While we will continue to pursue automated solutions, we believe current processes and standards provide reasonable controls.

Changes to the ACH Manager will use the same signoff/approval process currently used for SEMS. Program code will be checked in and out by the developer and signed off by the developer and tester. Changes to the codes will be logged. We will also put a two-step process in place to prevent changes to SEMS program code between the time it is approved until release. This will assure that the approved changes match the implemented changes.

We will look for an off-the-shelf product that allows source version control in order to track changes to code and allow code rollback as needed. The versions are dated and should be able to be tied to the CMR. This will provide a means to limit the risk of overwrites and provide an audit trail for program changes. We will use the same two-step process identified above to mitigate risk while automated options are evaluated.

Auditor's Remarks
We thank the Department for its response and the steps it is taking to improve internal controls. We will review the status of the Department's corrective action during our next audit.

Applicable Laws and Regulations
RCW 43.88.160 (4) requires the Director of the Office of Financial Management (OFM), as an agent of the Governor, to:

Develop and maintain a system of internal controls and internal audits comprising methods and procedures to be adopted by each agency that will safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies for accounting and financial controls. The system developed by the director shall include criteria for determining the scope and comprehensiveness of internal controls required by the classes of agencies, depending on the level of resources at risk. Each agency head or authorized designee shall be assigned the responsibility and authority for establishing and maintaining internal audits following the standards of internal auditing of the Institute of Internal Auditors . . . .

State Administrative and Accounting Manual (SAAM), Section 20.15.40.e, Monitoring, states in part:

An agency's internal control is most effective when there is a proper monitoring control environment, results are prioritized and communicated, and weaknesses are corrected and followed up on as necessary.

6. The Department of Social and Health Services does not adequately monitor access to critical systems.

Background
Information technology managers should establish system access privileges that restrict users to only those functions needed to perform their jobs. Properly configured access privileges help enforce the segregation of incompatible duties and minimize the risk of loss, misappropriation and/or unauthorized changes to the system. System access controls are enhanced when access authorizations are approved by management, documented and kept on file for review.

The Department uses many computer systems. Most of these systems contain highly sensitive or confidential information, as well as the ability to initiate and approve client or provider eligibility and payments. We reviewed system access controls for the Electronic Jobs Automated System (eJAS), the Automated Client Eligibility System (ACES), the Support Enforcement Management System (SEMS) and the Electronic Agency Contracts Database (EACD) during our fiscal year 2008 audit.

Many of these systems also are used by other entities, including the Employment Security Department, Area Agencies on Aging, county prosecutors, the Social Security Administration and Indian tribes. Some of this access limits users to reading the data; in other cases users have full system capabilities.

Below is a chart which summarizes some of the key risks associated with the systems reviewed:

Risks/System: Confidential/Sensitive Data; Generates Payments; Amount Processed Per Year (In Millions); Approximate Number of Users; Users Outside of DSHS; Functional Access for Outside Users; Multiple Levels of System Authority
eJAS: X X $5 5500 Yes X X
ACES: X X $1,000 6500 Yes X
SEMS: X X $670 1500 Yes X
EACD: 1300 Yes X X

While the EACD does not generate payments, it plays a critical role in payment processing. Inappropriate access to this system could lead to the processing of inappropriate payments through linked systems.

Description of Condition
During our audit, we found the Department does not have adequate internal controls to prevent unauthorized access or misuse. Specifically:
- The Department did not have accurate information on user access levels in SEMS.
- At least 60 individuals have access to directly modify critical data files and programs in both eJAS and SEMS.
- The Department does not have a uniform policy or guidance on limiting access to the EACD. We found excessive access by outside agencies without adequate justification.
- The Department failed to remove access to EACD for 34 individuals after they left the outside agencies. Ten of these individuals had the authority to approve contracts.
- The Department failed to remove ACES access for five individuals after they left the Department and took more than a month to remove it for 27 others after they left the Department.
- The Department does not have a formal process to ensure user access in eJAS and ACES is updated when employees' jobs change.
- The Department does not have a process to ensure eJAS access is removed when employees leave the Department.
- More than 1,140 eJAS users have incompatible functions. They can create and pay vouchers in eJAS.

Cause of Condition
The Department stated employees have the access levels needed to carry out their responsibilities. The Department did not identify the ability to change data outside the application as a risk. The mainframe on which SEMS resides does not provide reports with sufficient detail to identify users and their access privileges. Management did not enforce a policy related to sharing logon IDs and passwords. The Department has no process for determining what access privileges are needed for each employee or a policy that requires an individual in each field office to periodically reconcile access levels to job duties. The Department relies on external users to determine which employees are granted access to the EACD and to notify the Department regarding changes in employment status. The Department does not regularly monitor to ensure access is limited.

Effect of Condition
Excessive or incompatible access levels increase the risk of misuse. Critical systems are at risk of unauthorized access, leaving sensitive data vulnerable to inappropriate use or disclosure. Payment systems are at risk of abuse.

Recommendation
We recommend that the Department:
- Perform on-going assessment to determine the appropriate level of system access for staff and outside users.
- Develop an accurate report detailing access to systems.
- Limit access to modify critical data files through the use of a temporary emergency ID.
- Periodically reconcile user access and current job duties to ensure each user has only the access needed for their job duties.
- Revoke system access from employees who leave the agency in accordance with the Department's Information Technology Security Policy Manual.
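The reconciliation recommended above lends itself to a scripted check. The following Python example is added here and is not part of the audit report or of any Department system: it compares a staff roster with a system access export and flags the conditions described in this finding (access left active after separation, removal that took more than a month, privileges beyond the job's baseline, and the create-and-pay combination in eJAS). The record layouts, job roles, privilege names, 30-day threshold and sample data are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical policy: privilege names and job roles are assumptions, not DSHS values.
INCOMPATIBLE = {"eJAS": [frozenset({"create_voucher", "pay_voucher"})]}
BASELINE = {
    "case_worker": {"eJAS": {"view", "create_voucher"}, "ACES": {"view", "update"}},
    "fiscal_tech": {"eJAS": {"view", "pay_voucher"}},
    "contracts_officer": {"EACD": {"view", "approve_contract"}},
}
MAX_REVOCATION_DAYS = 30  # assumed stand-in for "more than a month"


@dataclass(frozen=True)
class Person:
    user_id: str
    job_role: str
    separated_on: Optional[date] = None  # None: still employed


@dataclass(frozen=True)
class Grant:
    user_id: str
    system: str
    privileges: frozenset
    revoked_on: Optional[date] = None  # None: access still active


def reconcile(roster, grants, as_of):
    """Return sorted (user_id, system, issue, detail) tuples for one review date."""
    people = {p.user_id: p for p in roster}
    findings = []
    for g in grants:
        person = people.get(g.user_id)
        if person is None:
            # Account with no matching roster entry, e.g. an unreported outside user.
            if g.revoked_on is None:
                findings.append((g.user_id, g.system, "UNKNOWN_USER", "no roster entry"))
            continue
        left = person.separated_on
        if left is not None and left <= as_of:
            if g.revoked_on is None:
                findings.append((g.user_id, g.system, "ACTIVE_AFTER_SEPARATION",
                                 f"{(as_of - left).days} days since separation"))
            elif (g.revoked_on - left).days > MAX_REVOCATION_DAYS:
                findings.append((g.user_id, g.system, "LATE_REVOCATION",
                                 f"revoked {(g.revoked_on - left).days} days after separation"))
            continue
        if g.revoked_on is not None:
            continue  # current employee whose access was already removed
        allowed = BASELINE.get(person.job_role, {}).get(g.system, set())
        excess = g.privileges - allowed
        if excess:
            findings.append((g.user_id, g.system, "EXCESS_PRIVILEGE",
                             ",".join(sorted(excess))))
        for pair in INCOMPATIBLE.get(g.system, []):
            if pair <= g.privileges:  # user holds every duty in the conflicting set
                findings.append((g.user_id, g.system, "INCOMPATIBLE_DUTIES",
                                 "+".join(sorted(pair))))
    return sorted(findings)


# Constructed sample data for illustration only.
ROSTER = [
    Person("u100", "case_worker"),
    Person("u101", "fiscal_tech"),
    Person("u102", "case_worker", separated_on=date(2008, 1, 15)),
    Person("u103", "contracts_officer", separated_on=date(2008, 2, 1)),
    Person("u104", "case_worker"),
]
GRANTS = [
    Grant("u100", "eJAS", frozenset({"view", "create_voucher"})),
    Grant("u101", "eJAS", frozenset({"view", "create_voucher", "pay_voucher"})),
    Grant("u102", "ACES", frozenset({"view", "update"}), revoked_on=date(2008, 3, 20)),
    Grant("u103", "EACD", frozenset({"view", "approve_contract"})),
    Grant("u104", "ACES", frozenset({"view", "update"}), revoked_on=date(2008, 5, 1)),
    Grant("x900", "EACD", frozenset({"view"})),
]
REVIEW_DATE = date(2008, 6, 30)


def run_sample():
    return reconcile(ROSTER, GRANTS, REVIEW_DATE)


if __name__ == "__main__":
    for row in run_sample():
        print(" | ".join(row))
```

Run on a schedule against each system's access export, a report of this kind gives field offices the periodic reconciliation list the recommendation calls for.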

Department's Response
This finding was directed at the Economic Services Administration (ESA) and Aging and Disability Services Administration (ADSA). ESA partially concurred and ADSA concurred with the areas of the finding for which it was responsible. The response for each administration follows.

Economic Services Administration
ESA concurs with the findings for ACES, eJAS, and SEMS regarding systems access and reconciliation, and with the finding regarding the number of users with eJAS and SEMS access to modify critical data files. We will develop and implement internal controls to ensure we address the issues identified in the audit conditions regarding regular review and reconciliation for system access. The new process will be shared with appropriate managers and staff, with training provided as needed, to ensure monitoring and reconciliation of system access. We will also review the list of individuals who have access to modify critical files in eJAS and SEMS and, where appropriate, remove access.

ESA does not concur with the finding that eJAS users have incompatible functions or inadequate separation of duties. The voucher payment process in eJAS is a three (3) step process that consists of (1) Create, (2) Pay, and (3) Release. Although more than 1,140 eJAS users have Create and Pay abilities, they do not have authorization to Release payments; therefore there is not a risk of unauthorized payment. The Department believes the current separation of duties and authorizations within the system are adequate to ensure unauthorized payments cannot be made. However, DSHS will continue to monitor system access and ensure that there is a separation of duties between the create and pay functions and the release function to ensure payments are authorized.

Aging and Disability Services Administration
ADSA concurs with this finding. A quarterly report has been developed and is sent to the Area Agencies on Aging (AAA), Home and Community Services Offices, and Division of Developmental Disabilities Offices each quarter to ensure that ACD access rights are appropriate. Rights are revoked by the headquarters contracts unit if an employee's job duties have changed or the individual is no longer employed by the AAA or ADSA.

Auditor's Remarks
We thank the Department for its response and the steps it is taking to improve internal controls. We will review the status of the Department's corrective action during our next audit.

Applicable Laws and Regulations
RCW 43.88.160 (4) requires the Director of the Office of Financial Management (OFM), as an agent of the Governor, to:

Develop and maintain a system of internal controls and internal audits comprising methods and procedures to be adopted by each agency that will safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies for accounting and financial controls. The system developed by the director shall include criteria for determining the scope and comprehensiveness of internal controls required by the classes of agencies, depending on the level of resources at risk. Each agency head or authorized designee shall be assigned the responsibility and authority for establishing and maintaining internal audits following the standards of internal auditing of the Institute of Internal Auditors . . . .

State Administrative and Accounting Manual (SAAM), Section 20.15.40.e, Monitoring, states in part:

An agency's internal control is most effective when there is a proper monitoring control environment, results are prioritized and communicated, and weaknesses are corrected and followed up on as necessary.

7. The Department of Social and Health Services does not adequately monitor contracts with Crisis Residential Centers to ensure compliance with state law and contract requirements.

Background
State law requires the Department to contract with providers for secure and semi-secure regional Crisis Residential Centers to provide safe, temporary housing for runaway and other at-risk youth. The Centers also are to counsel and support their clients and work with families toward reconciliation.

The Department has licensed nine secure Crisis Residential Centers and seven regional Crisis Residential Centers. The Department paid approximately $7 million to these Centers in fiscal year 2008. The Department pays the Centers a per-bed, per-day fee regardless of the number of residents. The number of beds varies by Center. Payments are made to ensure services are available when needed. The contracts require the Centers to report to the Department's Children's Administration monthly on the number of clients and the duration of their stay. The Centers are paid out of the Department's regional offices.

Under state law, youth admitted to the Centers may stay a maximum of five consecutive days. If certain criteria are met, documented and approved, the five-day limit may be extended if space is available and no other youth is waiting for the bed. State law also prohibits the Department from paying for services rendered to a juvenile admitted to a secure Center for more than five days. Contract language also contains the five-day requirement.

For the fiscal year 2007 audit, we determined the Department did not adequately monitor the Centers' compliance with state law and contracts by reviewing client lists prior to authorizing payment. Five clients had exceeded the maximum allowable stay by at least 24 hours at the Kitsap Secure Center and 86 clients had exceeded the maximum allowable stay by at least 24 hours at the Spokane Regional Center. We recommended the Department improve contract and payment monitoring to ensure the maximum allowable stay is not exceeded and it pay for services only when secure Centers are in compliance with the contract. The Department developed a plan in June 2008 to address our recommendations.

Description of Condition
During our 2008 audit, we reviewed the monthly client lists for all Centers to determine if clients were exceeding the maximum allowable stay and reviewed contracts between the Department and the providers.

We found 155 clients exceeded the five-day maximum allowable stay at regional and secure Centers by at least 24 hours:

Clients at Regional Crisis Residential Centers
Hours over 120: 24 - 72, 73 - 100, 101 - 200, 201 - 300, 301 - 400, 401 - 500, 501 - 600
A: 32, 14, 5 (Total 51)
B: 22, 2, 1, 1 (Total 26)
C: 4, 1, 3
D: 1
E: 20, 11, 14, 14, 3, 1, 2 (Total 65)
Cumulative total: 151

Clients at Secure Crisis Residential Centers
Hours over 120: 24 - 72, 73 - 100, 101 - 200, 201 - 300, 301 - 400, 401 - 500, 501 - 600
B: 2
C: 1
Total: 1
Cumulative total: 4

We also were unable to determine the length of stay for clients in two regional Centers and three secure Centers:
- The client list for August was missing for one regional Center.
- Client lists for July through December and March were from another regional Center.
- Client lists for July and November through January were missing for a secure Center.
- The client list for March was missing from another secure Center.
- The client list for November was missing for another secure Center.
When the Department asked the providers to send in the lists, they did not have any data to send to the Department.

Cause of Condition
The Department had not fully implemented its Corrective Action Plan at the time of our fiscal year 2008 audit. The Department did not adequately monitor the Centers' compliance with state law and contract requirements by reviewing client lists prior to authorizing payment. Contract language required client lists to be submitted to Children's Administration headquarters and invoices to be submitted to and paid by regional offices.

Effect of Condition
The Department is not receiving the services agreed to in the contract. Allowing stays beyond contractual deadlines poses a risk that services may not be available for all who need them.

Recommendation
We recommend the Department:
- Improve contract and payment monitoring to ensure the maximum allowable stay is not exceeded.
- Pay only for services specified in the contract.
- Require adequate support for payment from Centers and consider disallowing payment if contract conditions are not met.

Department's Response
The Department concurs we did not adequately monitor crisis centers' attendance records and how we paid the centers. This finding is a repeat finding of A07-02 in the FY 2007 Accountability Audit. As the department proceeded to implement its corrective action plan, inquiries from legislative staff indicated that legislation impacting the current requirements for regional and secure Crisis Residential Centers would be proposed during the 2008 legislative session. The corrective action plan was then suspended pending the outcome of legislative action.

The Department anticipates the passing of legislation SHB2346 that will provide revised direction to the department on maximum stays and payment requirements. When the bill passes the Department will develop a corrective action plan that incorporates the requirements of the new legislation, establishes a payment methodology that allows the Department to only pay the crisis centers for periods that fall within the timeframes outlined by law, and provides improved monitoring of contract and payment provisions. We will detail the approach to these modifications in our corrective action plan for this finding.

Auditor's Remarks
We thank the Department for its response, and the steps it is taking to improve monitoring of these contracts. We will review the status of the Department's corrective action during our next audit.

Applicable Laws and Regulations
RCW 13.32A.130, Child admitted to secure facility Maximum hours of custody, states:

A child admitted to a secure facility shall remain in the facility for at least twenty-four hours after admission but for not more than five consecutive days. If the child admitted under this section is transferred between secure and semi-secure facilities, the aggregate length of time spent in all such centers or facilities may not exceed five consecutive days per admission.

RCW 74.13.034, Crisis Residential Centers Removal to another center or secure facility Placement in secure juvenile detention facility, states:

A child taken into custody and taken to a crisis residential center established pursuant to RCW 74.13.032 may, if the center is unable to provide appropriate treatment, supervision, and structure to the child, be taken at department expense to another crisis residential center, the nearest regional secure crisis residential center, or a secure facility with which it is collocated under RCW 74.13.032. Placement in both locations shall not exceed five consecutive days from the point of intake as provided in RCW 13.32A.130.

RCW 74.13.0321, Crisis Residential Centers Limit on reimbursement or compensation, states:

No contract may provide reimbursement or compensation to a crisis residential center's secure facility for any service delivered or provided to a resident child after five consecutive days of residence.

Regional and Secure Crisis Residential Centers Boilerplate Contract, General Terms and Conditions, Compliance with Applicable Law, states in part:

At all times during the term of this Contract, the Contractor shall comply with all applicable federal, state, and local laws and regulations . . . .

Regional and Secure Crisis Residential Centers Boilerplate Contract, Special Terms and Conditions, Payment Only for Authorized Services, states:

DSHS shall pay the Contractor only for authorized services provided in accordance with this Contract.

Regional Crisis Residential Centers Boilerplate Contract: Exhibit A: Statement of Work: Length of Stay:

Youth may stay in any Crisis Residential Centers (CRC) for up to five (5) days, including Saturdays and Sundays and holidays. If a youth has been transferred between CRCs, the cumulative total number of days spent in both CRCs may not exceed five (5) days.

Secure Crisis Residential Centers Boilerplate Contract, Exhibit A, Statement of Work, Length of Service, states:

Youth admitted to a Secure Crisis Residential Centers (CRC) must remain in the Secure CRC for, at a minimum, 24 hours, unless the youth's parent(s) removes the youth from the Secure CRC. RCW 74.13.034(3) limits a youth's stay in any CRC for up to a maximum of five (5) days, including Saturday and Sunday and holidays. If a youth has been transferred between CRCs, the cumulative total number of days spent in both CRCs may not exceed five days.

Status of Prior Audit Findings


State of Washington Department of Social and Health Services
The status of findings contained in the prior years' accountability audit reports of the Department of Social and Health Services is provided below:

1. The Department of Social and Health Services does not have adequate controls to ensure all payments made through its Social Services Payment System are supported and approved.
Audit Report 6663, dated July 13, 2007
Background
The Department developed the Social Services Payment System to provide authorization and payment processing for more than $1 billion in services delivered to clients each year. This system is used by the Economic Services Administration, Aging and Disability Services Administration, Health and Rehabilitative Services Administration, Juvenile Rehabilitation Administration, Medical Assistance Administration and Children's Administration. The Department does not have adequate internal controls to prevent overpayments. We found the Department made $88,230.42 in inappropriate payments.
Status
The finding is not resolved. Refer to the current 2008 audit, Finding 4.

2. The Department of Social and Health Services does not adequately monitor contracts with Crisis Residential Centers to ensure compliance with state law and contract requirements.
Audit Report 6663, dated July 13, 2007
Background
State law requires the Department to establish, through contracts with private or public vendors, secure and semi-secure regional Crisis Residential Centers (CRC) to provide safe, temporary housing for runaway and other at-risk youth who may be involved in family or home conflict. Under state law, youth admitted to the Centers are not to remain in them for more than five consecutive days. If certain criteria are met, documented and approved, the five-day limit may be extended; however, space must be available and any other juvenile needing the temporary shelter is to have priority over the proposed extension. State law also prohibits the Department from paying for services rendered to a juvenile admitted to a secure CRC for more than five days. Contract language for both secure CRCs and CRCs states juveniles are not to be admitted to the Centers for more than five days. We found 91 clients who exceeded the five-day maximum allowable stay by at least 24 hours.
Status
The finding is not resolved. Refer to the current 2008 audit, Finding 7.

3. The Department of Social and Health Services, Children's Administration did not perform adequate monitoring for background checks of foster care providers.
Audit Report 6663, dated July 13, 2007
Background
State law requires foster care providers and adoptive parents to undergo criminal background checks prior to placing a child in the home. One respite care provider had no record of a criminal background check. Two foster care providers had no record of a criminal background check. Both providers were relatives of the child; however, the background check requirement still applies. Controls at the Department are inadequate to ensure background checks are performed on all foster care providers upon licensing and every three years thereafter.
Status
The finding is not resolved. Refer to the current 2008 audit, Finding 1.

4. Public funds were misappropriated at the Department of Social and Health Services Division of Child Support.
Audit Report 6663, dated July 13, 2007
Background
We reviewed the investigation performed by the Washington State Patrol and agreed with its conclusion that at least $25,571.58 in public funds was misappropriated by a former employee who took 68 money orders that were mailed to the Division and deposited them into her personal bank account instead of posting them to the appropriate client accounts. The former employee circumvented the Department's internal controls over cash receipting. The cash receipting activities performed by the former employee were inadequately monitored by the Department.
Status
The finding is partially resolved. Remaining issues were relayed informally to Department management.

ABOUT THE STATE AUDITOR'S OFFICE


The State Auditor's Office is established in the state's Constitution and is part of the executive branch of state government. The State Auditor is elected by the citizens of Washington and serves four-year terms.

Our mission is to work in cooperation with our audit clients and citizens as an advocate for government accountability. As an elected agency, the State Auditor's Office has the independence necessary to objectively perform audits and investigations. Our audits are designed to comply with professional standards as well as to satisfy the requirements of federal, state, and local laws.

The State Auditor's Office employees are located around the state to deliver our services effectively and efficiently. Our audits look at financial information and compliance with state, federal and local laws on the part of all local governments, including schools, and all state agencies, including institutions of higher education. In addition, we conduct performance audits of state agencies and local governments and fraud, whistleblower and citizen hotline investigations.

The results of our work are widely distributed through a variety of reports, which are available on our Web site and through our free, electronic subscription service. We continue to refine our reporting efforts to ensure the results of our audits are useful and understandable. We take our role as partners in accountability seriously. We provide training and technical assistance to governments and have an extensive quality assurance program.

State Auditor: Brian Sonntag, CGFM
Chief of Staff: Ted Rutt
Deputy Chief of Staff: Doug Cochran
Chief Policy Advisor: Jerry Pugnetti
Director of Audit: Chuck Pfeil, CPA
Director of Special Investigations: Jim Brittain, CPA
Director for Legal Affairs: Jan Jutte, CPA, CGFM
Director of Quality Assurance: Ivan Dansereau
Local Government Liaison: Mike Murphy
Communications Director: Mindy Chambers
Public Records Officer: Mary Leider
Main number: (360) 902-0370
Toll-free Citizen Hotline: (866) 902-3900
Web Site: www.sao.wa.gov
Subscription Service: https://www.sao.wa.gov/applications/subscriptionservices/

(SAO FACTS.DOC - Rev. 02/09)
