The URL can be used to link to this page

Home My WebLink AboutFebruary 7, 2006 V) VI) Audit Committee Meeting Agenda Tuesday, February 7,2006 4:00 PM Main Committee Room PAGE I) INTRODUCTION OF MANAGER. INTERNAL AUDIT & CONTROL II) ADOPTION OF MINUTES 1-4 Minutes of the meeting held on Monday, July 25, 2005 In Camera Minutes of the meeting held on Monday, July 25, 2005 Under Separate Cover III) 1. MATTERS FOR CONSIDERATION Audit Plan for Year Ending December 31 2005 - Presentation by Auditor 5-35 2. Interim Audit Update - Auditor's Interim Management Comments and Management's Response . Under Separate Cover IV) REPORTS 1. Director, Corporate Services & Treasurer Re: Clerks Division Revenue Cycle Review 36-66 RECOMMENDATION THAT Report No. CS 11-06 of the Director, Corporate Services & Treasurer be received for information OTHER BUSINESS 1. Letter from MMAH Advising of May 31,2006 Filing Requirements for FIR and Performance Measures 67 -68 ADJOURNMENT 001 AUDIT COMMITTEE MEETING MINUTES Monday, July 25, 2005 4:30 PM PRESENT: Mayor David Ryan, Chair COMMITTEE MEMBERS: M. Brenner ALSO PRESENT: D. Dickerson T. J. Quinn D. Bentley G. Paterson J. Reble K. Senior D. Watrous - Councillor - Chief Administrative Officer - City Clerk - Director, Corporate Services & Treasurer - Solicitor for the City - Manager, Accounting Services - Committee Coordinator GUESTS: P. Jesty, Deloitte & Touche R. Oake, Cake & Associates G. E. Moulton, Deloitte & Touche ABSENT: Councillor Ashe Councillor McLean The Committee proceeded without a quorum and recommendations were approved pending ratification. (I) ADOPTION OF !\IIINUTES Meeting of Monday, June 20,2005 ß!) R_EPORTS The Committee met In Camera at 4:37 pm. - 1 - 002 Citq c~ AUDIT COMMITTEE MEETING MINUTES Monday, July 25, 2005 4:30 PM Moved by Councillor Brenner That the meeting be closed to the public in order to consider the receiving of advice that is subject to solicitor-client privilege, including communications necessary for that purpose. CARRIED PENDING RATIFICATION Discussion ensued with respect to a confidential memorandum from the Director, Corporate Services & Treasurer, with respect to the 2004 Forensic Audit. Refer to the Closed minutes of July 25, 2005. Moved by Councillor Brenner That the meeting be open to the public. CARRIED PENDING RATIFICATION 1. Director, Corporate Services & Treasurer Re: Confidential Memorandum on 2004 Forensic Audit Approved See Recommendation #1 2. Director, Corporate Services & Treasurer, Report No. CS 58-05 Re: Clerks Division Revenue Cycle Review Approved As Amended See Recommendation #2 II OTHER BUSINESS a) Audit Committee Meetinq Schedule A meeting schedule will be implemented for the Audit Committee to meet three times a year with further meetings when required. - 2- 003 AUDIT COMMITTEE MEETING MINUTES Monday, July 25, 2005 4:30 PM b) Work Plans for Internal Audit Processes Deloitte & Touche will provide sample work plans to the Director, Corporate Services & Treasurer. ß!!) ADJOURNMENT The meeting adjourned at 5:50 pm. The Committee reconvened at 10:45 pm and ratified the actions taken. - 3 - 004 Appendix I Audit Committee Report AC 2005-02 That the Audit Committee of the City of Pickering having met on July 25,2005, presents its Second Report to Council and recommends: 1. Director, Corporate Services & Treasurer Re: Confidential Memorandum on 2004 Forensic Audit That Confidential Memorandum from the Director, Corporate Services & Treasurer, dated July 15, 2005, be received for information. 2. Director, Corporate Services & Treasurer, Report No. CS 58-05 Re: Clerks Division Revenue Cycle Review 1. That Report No. CS 58-05 of the Director, Corporate Services & Treasurer be received for information; and 2. That Deloitte & Touche be retained for the purposes of investigating the recommendations noted within the Clerks Division Revenue Cycle Review and providing their comments with respect to the actions taken by the Clerks Division; and 3. That the appropriate officials of the City of Pickering be given authority to give effect thereto. - 4- b1J ~ .~ ~ C]) ~ u .~ ~ '" GI .... .... .- 0 - GI C in 0 0 N ... '1""1 M ... CU .a E cu u cu C Q RJ c:n - c Q. =ã .... c .- w "C ... ::::I ra ct ~ Deloitte #& Deloitte & Touche LLP 5140 Yonge Street Suite 1700 Toronto, ON M2N 6L7 Canada <=> <::) 0) January 27, 2006 Tel: (416) 601 6150 Fax: (416) 601 6151 www.deloitte.ca The Members of the Audit Committee, The Corporation of the City of Pickering Dear Audit Committee Members: We are pleased to have the opportunity to meet with you to review our 2005 audit plan for the examination of the financial statements of The Corporation of the City of Pickering for the year ended December 31, 2005. Our primary goal is to report to the Audit Committee on the faimess of the presentation of The Corporation of the City of Pickering's financial statements. We intend to provide the best quality service at a fair price and in a timely and efficient manner, with open and effective communication with both the Audit Committee and Management. The key objectives of this document are to: . . Outline our formal reporting responsibilities; Outline our audit approach; Introduce the professional resources we will employ on the audit; Provide you with the opportunity to review our audit plan and ask any questions you might have; and Assist you in discharging your responsibilities relative to the extemal audit of The Corporation of the City of Pickering . . . We view the development of our audit plan as an important process that provides all parties involved in the audit (i.e. The Audit Committee, Management and Deloitte & Touche) with an opportunity to assess together audit needs, focus areas, approach and expectations for performance. We are confident that the plan will enable us to fommlate our report on the financial statements of The Corporation of the City of Pickering on a cost-effective basis. This communication is intended solely for the use of the Audit Committee to assist it in discharging its responsibilities with respect to the financial statements and is not intended for any other purpose. We accept no responsibility to a third party who relies on this infomlation. We look forward to meeting with you to discuss this report and to answer any questions which you may have. Yours sincerely, -Æt ;~ Paula A. Jesty, CA Partner Member of Deloitte Touche Tohmatsu Index Overview Financial Reporting Responsibilities Determining Audit Scope Audit Risk Materiality Areas of Audit Risks or Focus Internal Controls Audit Work Plan for 2005 Deloitte & Touche Client Service Team Auditor Independence Proposed Audit Fees Current Developments @ Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan 3 4 6 7 8 9 13 15 17 18 19 20 2 a a '""-l Overview We have been engaged to perform the following statutory audits for the year-ending December 31, 2005: . Consolidated financial statements of the Corporation of the City of Pickering (the "City"). . Financial Statements of the Pickering Public Library Board, . Financial Statements of the City of Pickering Trust Funds, and . Financial Statements of the Ajax-Pickering Transit Authority (separate audit plan is presented to APTA's board) This audit plan forms part of our ongoing communication with the audit committee in accordance with Section 5751 of the CICA Handbook, "Communications with those having oversight responsibility for the financial reporting process." Over the past couple of years, the auditing environment has changed dramatically due to numerous new auditing standards and the harmonization of Canadian auditing standards with international auditing standards. This has resulted in changes for all audits, in particular as it relates to areas such as the assessment of risk, fraud and error and internal controls. These matters are discussed in more detail in this audit plan document. @ Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan 3 0 <;:) 00 Financial Reporting Responsibilities . Our audit procedures on the financial statements of the City will be conducted in accordance with Canadian generally accepted auditing standards ("GAAS"). . Our responsibilities under these standards include: . the expression of an opinion on the financial statements based on an audit thereof; . obtaining reasonable, but not absolute, assurance as to whether the financial statements are free from material misstatement; . examining on a test basis, evidence supporting the amounts and disclosures in the financial statements; . assessing the risk that the financial statements may contain misstatements that are material to the financial statements taken as a whole; . assessing significant estimates made by Management; and . assessing the accounting principles used and their application. . The responsibility for the preparation of the financial statements resides with Management. This responsibility includes, but is not restricted to, responsibilities related to internal control, selecting and applying accounting policies, safeguarding assets and preventing and detecting error and fraud. @ Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan 4 a a CD Financial Reporting Responsibilities (continued) <=> ¡...~ <::> - Review, and approve financial statements - Review audit plan and audit results - Ensure systems are in place to manage and monitor risks - Maintain oversight of management control and information systems - Report financial results on a fair, consistent and timely basis in accordance with Canadian GAAP - Select appropriate accounting policies - Identify principal risks and establish and maintain a cost-effective internal control environment - Provide management representations - Assess accounting principles and financial statement disclosures - Understand key management control systems and processes - Perform audit in accordance with Canadian generally accepted auditing standards - Report opportunities for improvements in control processes - Report any identified instances of suspected fraud and error @ Deloitte & Touche LLP and affiliated entities. ""'1""", ?d /, . +' Audited Financial Statements of the City Communications to the Audit Committee The City of Pickering - 2005 Audit Plan 5 Determining Audit Scope » Understand the City and its environment » Understand Internal Control and the Accounting Process » Review of current regulatory, accounting and auditing developments » Consideration of any significant transactions ~ Consider significant changes in operations ~~ r)" ... I l:::.J~J ...... .. ~n Y J1 OnJ 2005 Audit Scope Assess risk and determine materiality. Development of a business risk based audit approach. Determine areas of audit focus and extent of testing. » Discussions with Senior Management » Reassessment of critical accounting policies & management estimates » Assess the effectiveness of the design and implementation of internal controls over key financial accounting cycles » Assess prior year's audit scope and findings @ Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan 6 <::) ~ ¡... Audit Risk Þ- We will perform our audit in accordance with Canadian generally accepted auditing standards. As guided by these standards, we will employ a risk-based approach in the discharge of our professional responsibilities. Þ- Audit Risk is the risk that we will express an inappropriate opinion on the financial statements. In order to reduce the overall audit risk to an acceptable level we make assessments of inherent risk, control risk and detection risk. Þ- We assess risk both in terms of risk to the engagement as a whole and risks which are specific to certain account balances (e.g. existence of assets). The level of inherent risk associated with account balances will influence the level of controls testing and substantive audit procedures which we will need to perform. @ Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan <=> t-'- N 7 Materiality ~ Materiality is an essential element of Canadian generally accepted auditing standards and affects the judgment of the auditor. In the context of financial reporting, materiality refers to the magnitude of an omission or misstatement of accounting information that, in light of the surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been influenced, or a decision changed, by the omission or misstatement. ~ Materiality is calculated based on professional judgement which involves an assessment of quantitative and qualitative considerations. We utilize materiality as a basis for evaluating errors noted during the audit to assess whether there is a misstatement in the financial statements that would impair their quality. Materiality is also used in the determination of sample sizes for certain substantive tests and as guidance in conducting our analytical review. ~ Our quantitative calculation of materiality is based on the current assurance guidelines. Consistent with the prior year, we have selected budgeted expenditures as the quantitative basis for materiality. In our professional judgment, this measure most appropriately meets the needs of the users of the financial statements. We will use 1.5% of budgeted expenditures for our planning materiality. @ Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan 8 C> ~ W Areas of Audit Risks or Focus <=> ~ ~ In developing our audit plan, we identify areas where significant audit emphasis will be placed. These audit focus areas are based on a variety of factors including: . significance of the balance in relation to materiality; . internal control considerations; . degree of judgment required by Management in the area; . complexity of accounting applications; . impact on expenditures; and; . application of new accounting pronouncements. In our audit plan, amongst other areas, we have identified the areas of focus below. The Audit Committee may wish to add to this list. Liabilities . Completeness of certain liabilities such as WSIB and Employee Future Benefits . Review of Actuarial Reports including calculations and assumptions used . Review of client calculations and information . Ensure appropriate accounting treatment has been applied . Review related note disclosure in the financial statements . Reliance on the City's actuary with respect to actuarially determined liabilities Reserve and Reserve Funds Revenue - Clerks Department Investment in Veridian Corporation Management Estimates Year-end cut-off Public Sector Accounting (PSAB) Standards . Various activities were approved and incurred during the year . Initiatives to improve the overall recording of these activities to promote accuracy and efficiency . Review of continuity and material transactions . Review of revenue recognition criteria for those externally restricted reserve funds classified as deferred revenue . Completeness of revenue . Review of systems and procedures . Develop expectation for revenue accounts and compare to amounts recorded . Assess implication on financial statements of the City . Communicate with Veridian's auditor regarding reliance on audit. . Compliance with PS3060 Government Partnerships . Value of Investment . Requires management judgment (i.e. allowance for assessment appeals, contingent liabilities, etc.) . Focused review of calculations . Discussion with management . Analytic Review of related account . Focused substantive testing on accounts payable, accruals, deferred revenue and receivables . Accounting for revenue and expenditures in the proper period . Impact of any new accounting standards . Work with Finance staff to ensure compliance <9 Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan 9 Areas of Audit Risks or Focus (continued) Fraud and Error We have continued to identify fraud and error as an audit focus area in 2005. This is largely a reflection of the auditing/accounting environment which included the introduction of a revised standard entitled "Auditors' Responsibility to Consider Fraud and Error" effective 2004. Procedures we will perform to address the risk of fraud and error will include discussions with Management within and outside of the Finance Department, discussions with the Audit Committee relating to processes in place to prevent and detect fraud, consideration of the ability of Management to perpetrate fraud through override of internal controls and a review of selected journal entries, with a focus on entries posted around the year-end date. Our procedures are designed to identify fraud risk factors that may have a material impact on the financial statements. Any such items identified will be communicated to the Audit Committee. Due to the limitations and restricted scope of an audit, as well as the nature of fraud, we may not identify all matters that may be of interest to the Audit Committee. Management's Role . Must assess internal control over financial reporting using procedures sufficient to evaluate and test their effectiveness . Includes controls related to the prevention, identification, and detection of fraud . Set "tone at the top" Audit Committees' Responsibilities . Oversight responsibilities of management's efforts to create a strong internal control environment . Includes design and implementation of anti-fraud programs and controls . Proactive in reviewing management's internal controls and process of assessing the risk of fraud . Responsibility for performing the fraud risk assessment lies with management . Audit Committee's role is to oversee the process and have a clear understanding of the fraud risks @ Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan 10 0 ~ CJ1 Areas of Audit Risks or Focus (continued) 0 ¡..-. OJ Fraud and Error Risk Factors . Audit Committee should recognize that every organization has inherent fraud risks due to internal and external conditions relative to: - Entity's industry - Operations - Geographical locations - Size - Organizational structure - General economic environment Consider potential risk of management's override of controls or other inappropriate influence over the financial reporting process More specifically, there are three common fraud risk factors whose existence can increase the likelihood that a fraud could occur. These are pressures/incentives, attitudes/rationalizations and opportunity. Not all three factors need be present for a fraud to occur Pressures/Incentives - Created by circumstances either real or perceived - e.g. - Personal financial pressures / Pressures to achieve a break even level of operations . . . Attitudes/ Rationalization - Process by which person legitimizes or justifies the crime - May include attitude of entitlement or belief "the City can afford it" - The greater the incentive or pressure, the greater the likelihood that the individual will be able to rationalize the acceptability of committing fraud Opportunity - Manifest in different ways - i.e. - Inadequate internal controls - Insufficient safeguarding of assets - Personnel in position to override controls - Collusion @ Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan 11 Areas of Audit Risks or Focus (continued) Specific Inquiries to be addressed by the Audit Committee . Any knowledge of any actual, suspected or alleged fraud or error affecting the entity . What role, if any, does the audit committee exercise in oversight of: 1. Management processes for identifying and responding to the risks of fraud and error in the entity and; 2. The internal controls that management has established to mitigate these risks. . What are your views about the risks of fraud in the entity? Discussion Aud itors @ Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan 12 <::) 1-4 -..J Internal Controls 0 ¡-... 00 Background . By January 2006 the Canadian auditing standards issued by the CICA will be compliant with the International Standards on Auditing (ISA) issued by the International Auditing and Assurance Standards Board. The Deloitte International Audit Approach (IAA) was updated effective for 2005 calendar year end audits to be compliant with the ISA standards. The major international auditing firms have decided to implement the ISA standards in 2005. These standards expand our requirements to annually review internal control as part of our risk assessment process. Significant changes impacting the audit . Required to evaluate Organization/Entity level controls including documentation and substantiation. This brings into scope various control elements including the control environment, risk assessment process, information system and communication and monitoring controls. . Required to evaluate the "design" of internal controls over financial reporting and to determine whether the controls have been implemented, regardless of intent to test operating effectiveness of controls. . Increased requirements for audit evidence and pervasive increase on documentation requirements in all areas of the audit. @ Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan 13 Internal Controls (continued) Under the new audit risk model, and in line with changes in professional standards, our approach to controls testing has been expanded in 2005 and is now divided into two phases: . Design and Implementation of Controls - mandatory for all business cycles in order to obtain an understanding of each business cycle and identify the related audit risks. Operating Effectiveness of Controls - tests of internal controls for those business cycles where we determine it may be appropriate to test and rely on controls in order to reduce our substantive audit procedures. . Under the above approach, we assess risk for each business cycle. This assessment gives consideration to individual transactions, systems, potential errors and internal controls. The approach includes identifying: . major business cycles within the operations of the City; significant account balances and classes of transactions within each cycle; . . specific financial risks or potential errors with respect to each significant account balance and class of transactions which may result in the misstatement of financial reports or the misappropriation of assets; and Management's response to those specific risks; i.e., the key elements of the internal control structure, which are designed to prevent those errors from occurring or to detect them should they occur. . Once such risks are identified, an audit approach is developed in response to the risks. Details of account-balances risks we have identified and the related audit approach for each risk are provided later in this report. As we progress through the year, additional factors may come to our attention that may warrant modification to our audit plan. @ Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan 14 <=> f-4 CD Audit Work Plan for 2005 0 l',) 0 Our audit work will be performed in the following phases and in accordance with the approximate timeline noted below. Key milestones and deliverables are noted with an.. During the course of our audit, we will communicate both formally and informally with the Audit Committee. We consider regular and timely communication key to the success of our audit. Communication will take many forms and range from conversations regarding specific aspects of the City's activity to formal reports. DETAILED ANNUAL WORK PLAN PHASE 1: PRE-COMMENCEMENT ACTIVITIES Assess engagement risk Meet with Management to discuss audit planning matters Meet with the Audit Committee to present our Audit Plan Key Client Deliverables: Engagement Letter Audit Plan PHASE 2: PRELIMINARY PLANNING Document/update our understanding of the business, control environment (including computer controls) and accounting processes Perform preliminary analytical review procedures Determine planning materiality PHASE 3: ASSESS RISK AND DEVELOP AUDIT Assess risk at account and potential error level Make preliminary conclusion about internal controls and reliability of financial information Plan the audit approach including substantive tests and test of control as appropriate Summarize and communicate the audit plan to the Audit Committee PHASE 4: PERFORM AUDIT PLAN Perform substantive analytical procedures Perform tests of detail Meet with management periodically during audit to review preliminary results (continuous) Review draft financial statements @ Deloitte & Touche LLP and affiliated entities. SEP JUN JAN FEB MAR I APR MAY . The City of Pickering - 2005 Audit Plan 15 Audit Work Plan for 2005 (continued) DETAILED ANNUAL WORK PLAN (continued) SEP PHASE 5: CONCLUDE AND REPORT Perform subsequent events review Review all final financial audit reports and financial statements disclosures Meet with Management to discuss audit results and findings Obtain management representations, sign audit reports Obtain responses from management and issue management letter Meet with Audit Committee to discuss results of audit and present management letter Key Client Deliverables: Audit Results Audit opinion Management letter, including recommendations PHASE 6: POST-ENGAGEMENT ACTIVITIES Assess engagement quality and performance Commence preliminary planning for the following year @ Deloitte & Touche LLP and affiliated entities. OCT NOV DEC JAN FEB MAR APR The City of Pickering - 2005 Audit Plan JUN 16 0 i\) ~ Deloitte &. Touche Client Service Team The chart below shows the professionals from our firm that have been assembled to best serve the City of Pickering. Computer Assu Partner Doug Wilkinso Manager Pina Colavecchia Commodity Tax Director Craig Robertson I Audit Senior SherriMolzan I @ Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan <::) {'..) N 17 Auditor Independence The CICA Handbook requires that we communicate with you on an annual basis all relationships between the City of Pickering and Deloitte & Touche LLP that, in our professional judgment, may reasonably be thought to bear on our independence. In determining whether a relationship exists that may be thought to bear on our independence, we must consider the following matters: . whether a financial interest, either directly or indirectly exists; . whether a position, either directly or indirectly is held by us that gives us the right or responsibility to exert significant influence over the financial or accounting policies of the Corporation; . economic dependence on the Corporation; . services provided to the Corporation in addition to the audit engagement; and . any personal or business relationships of immediate family, close relatives, partners or retired partners, either directly or indirectly with the Corporation. We formally confirmed our independence as auditors of the City of Pickering in a letter dated May 20, 2005 and we will formally report again at the conclusion of the 2005 audit. We confirm that we continue to be independent under the Rules of Professional Conduct of the Institute of Chartered Accountants of Ontario. @ Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan 18 0 t\;) C,.ù Proposed Audit Fees <=> N ~ We believe our audit approach is cost effective and every attempt has been made to keep our audit fees to a minimum. This is accomplished through: . Detailed planning and coordination with senior management. . Encouraging involvement by, and assistance from, the City of Pickering finance personnel. . Ensuring that the audit staff has the appropriate mix of municipal and client expertise and experience. . Carefully managing and supervising staff through the audit. . Significant partner and manager involvement throughout the audit. Since we submitted our proposal in October 2001, professional standards have dictated an increased focus on new auditor standards, particularly related to internal controls. As previously noted we will identify, and test the design and implementation of selected controls relevant to the key financial accounting cycles. As a result, our proposed fees for audit services to be provided to the City of Pickering for 2005 are as follows: . The City of Pickering consolidated financial statements including trust funds - see below . Pickering Public Library Board $55,000 $ 3,750 The 2005 proposed audit fee for the consolidated financial statements was calculated as follows: . 2004 fee . Inflation factor as per our proposal document . Additional work required due to the following: - New Accounting and Assurance Standards - Harmonization of audit approach with international standards relating to the requirements to test the design and implementation of internal controls over all financial accounting cycles as well as entity level controls $48,500 1,200 $ 5.300 $55.000 @ Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan 19 Current Developments New PSAB Accounting Recommendations and Exposure Drafts The Public Sector Accounting Board's (PSAB) goal is better financial and performance information for government decision-making and accountability. PSAB meets this goal by setting accounting standards for all levels of government, these standards are tailored to meet the unique information needs of the public sector. . Provides guidance for applying the definition of liabilities . Defines constructive and equitable obligations and indicates that if there are obligations of this type and they meet the definition of a liability, they should be recognized as such . Effective for years beginning on or after September 1, 2004. . Defines and recommends general recognition, measurement and disclosure requirements for contingent liabilities . Effective for years beginning on or after September 1, 2004. . Defines and recommends general disclosure requirements for contractual obligations . Effective for years beginning on or after September 1, 2004. @ Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan 20 <:> è'J '.n Current Developments (continued) 0 l") 0) New PSAB Accounting Recommendations and Exposure Drafts . Applies to Federal, Provincial, Territorial and Local Governments . Status: Revised Section issued August 2003, PS1300 . Government reporting entity- includes organizations that are controlled by the government . Definition and explanation of "control", for purposes of applying the Section Control is the power to govern the financial and operating policies of another organization with expected benefits or the risk of loss to the government from the other organization's activities (PS1300.08) . Indicators of control to assess whether control exists for financial reporting purposes Some indicators of control are more persuasive than others but on balance it is the preponderance of evidence that would be considered . Guidance is included to provide examples of situations where control does not exist . Implications: Organizations previously not included as part of government reporting entity need to be reassessed given the new definition as they may now need to be included . The recommendations are to be applied for fiscal year beginning on or after April 1, 2005. Earlier adoption is encouraged. @ Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan 21 Current Developments (continued) New PSAB Accounting Recommendations and Exposure Drafts . Approved in November 2004. Key requirements are as follows: . Public Sector Reporting entities are to apply every primary source of GAAP. The primary sources of GAAP in descending order are: CICA Public Sector Accounting (PSA) Handbook Sections PS1200-3800 Public Sector Guidelines; and Appendices and Illustrative material of those pronouncements described . In the absence of a primary source of GAAP, or if additional guidance is needed to apply a primary source to specific circumstances, public sector reporting entities must exercise professional judgment and adopt accounting policies and disclosures that are consistent with: The primary sources of GAAP; and The application of Section PS 1000, Financial Statement Concepts -- Federal, Provincial & Territorial Governments, or Section PS1700, Objectives of Financial Statements -- Local Governments. . A public sector reporting entity required to prepare financial statements in accordance with regulatory, legislative, or contractual requirements can describe the basis of accounting as in accordance with GAAP only when those requirements are within the range of acceptable choices allowed by the proposed Section. . Italicized Recommendations and non-italicized paragraphs in PSA Handbook Sections have equal authority. . Effective for fiscal years beginning on or after April 1, 2005. @ Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan 22 0 N ~ Current Developments (continued) <=> l"':) 00 New PSAB Accounting Recommendations and Exposure Drafts . The new section provides guidance for the disclosure of measurement uncertainty for items recognized and disclosed in public sector financial statements. The Section provides: - A definition of measurement uncertainty - Disclosure of measurement uncertainty to be provided for both recognized and disclosed amounts - The nature and extent of measurement uncertainty to be disclosed - When disclosure of the extent has not been made, the reason for the disclosure must be stated, and - Key assumptions and the sensitivity of the amount is to be disclosed. Effective for fiscal years beginning on or after April 1, 2005. Earlier adoption is encouraged. . . Capital Assets for Local Governments . The Public Sector Accounting (PSA) Handbook does not currently provide standards for accounting for capital assets for local governments . Tangible capital assets represent a significant investment for local governments. Financial information about the stock and use of those assets is currently not being provided in the financial statements of local governments. This information is vital for stewardship, accountability, costing and developing asset management plans including ongoing maintenance and replacement requirements . For a number of local governments, legislation is either being passed or being considered requiring local governments to cost certain services. At the moment, there is no generally accepted definition of a capital asset, and practices vary from local government to local government. Other initiatives are underway, such as benchmarking and performance reporting, that are, in part, based on the cost of services provided. Accounting for the stock and use of non-financial assets will provide needed information for these initiatives . In June 2005, PSAB approved associate drafts of: - Section PS 3150, Tangible Capital Assets; and - A Public Sector Guideline, Tangible Capital Assets of Local Governments . Both the standard and guidelines will be applicable to local governments. Local governments should be reviewing these documents, providing comments and considering implementation plans. @ Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan 23 Current Developments (continued) New PSAB Accounting Recommendations and Exposure Drafts Financial Instruments Project . Issue: Increase in availability and use by governments of sophisticated, non-traditional financial instruments gives rise to complex recognition and measurement issues . The AcSB approved three Handbook sections: Financial Instruments - Recognition and Measurement, Section 3855, Comprehensive Income, Section 1530 and Hedges, Section 3865. The new standards are for fiscal years beginning on or after October 1, 2006 . Development of accounting standards in both the private and public sectors is not keeping pace - PSAB only deals with temporary and portfolio investments and long term debt . PSAB is silent, therefore new standards in the private sector handbook will be applicable to government business enterprises and government business-type enterprises for the purposes of preparing their own financial statements . Expected to pose accounting and reporting difficulties for governments . PSAB plans to conduct a survey to ask governments at all levels about the nature and extent of, as well as current reporting practices for, their financial instruments . Objective of project will be to develop standards that will make government's use of financial instruments as transparent and understandable as possible. Periormance Reporting Project . Project on financial and non-financial performance reporting approved . Designed to develop a set of basic principles that will guide the future development of a framework for identifying specific performance indicators performance reporting including . A Public Exposure Draft "Introduction to Public Performance Reporting" has been approved . "Statement of Recommended Practice" expected to be issued in 2006. @ Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan 24 0 l\~ ~ Current Developments (continued) 0 C,;.) 0 New Assurance Requirements and Exposure Drafts . New Assurance Standard issued effective for audits of periods ending on or after December 15, 2004 . Harmonizes Canadian standards with the equivalent international (ISA 240) and US Standards (SAS 99) . Principal changes from the Existing 5135 - More emphasis on the respective responsibilities of auditors, management, and those charged with governance with respect to fraud -- Significantly more guidance on assessing the risk of misstatement due to fraud -- Greater emphasis on the risk that management can override internal controls and management fraud generally -- Requirements for procedures to be performed to address management's ability to override internal controls . Classification of fraud risk factors into factors relating to: -- Incentive to commit fraud -- Opportunity to commit fraud -- Ability to rationalize the fraudulent act. Impact: . Additional audit procedures required in considering Fraud & Error risks in planning the audit. @ Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan 25 Current Developments (continued) New Assurance Requirements and Exposure Drafts . This new Section contains new requirements for: - understanding the entity's business risks to the extent they are relevant to the financial statements; - understanding each component of the entity's internal controls; -- obtaining an understanding of the design and implementation of controls on all audits; -- understanding an entity's risk assessment process and its monitoring of controls; and specifically addressing significant risks. . In addition, this new Section places more emphasis on: -- using various sources to obtain a broader understanding of the entity and its environment, including its internal control; u- supporting the assessment of the risks of material misstatement at the financial statement level and at the assertion level; and -- adhering to more rigorous documentation requirements. . The new Recommendations are effective for audits of financial statements for periods beginning on or after January 1, 2006. Impact on City: . Recent changes to the Deloitte international audit approach have brought our procedures in line with these new requirements. Deloitte will be applying these new requirements during the audit of the 2005 consolidated financial statements of the City. @ Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan 26 0 W ~ Current Developments (continued) <=> W N New Assurance Requirements and Exposure Drafts . Section establishes standards and provides guidance on determining overall responses to assessed risks, and designing and performing further audit procedures to respond to the assessed risks of material misstatement at the financial statement and assertion levels. . The Section contains new requirements for specifically addressing significant risks and places more emphasis on: - directly linking assessed risks to audit procedures that are responsive to those risks; - performing tests of controls when the auditor has determined that evidence obtained from substantive procedures alone will not reduce risk tò an acceptably low level; - assessing whether, in certain circumstances, reliance can be placed on evidence from prior periods; - obtaining evidence about disclosures; and - adhering to more rigorous documentation requirements. Impact on City; . Additional audit procedures required . Effective for periods ending on or after June 30, 2004 Understand entity's processes and controls Evaluate management's significant assumptions Evaluate management's ability and intent Evaluate method and consistency of application Consider use of a specialist Communicate sensitive fair value estimates. . . . . . . Impact on City: . Additional audit procedures for any fair value disclosure requirements. Should not have significant impact on City. @ Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan 27 Current Developments (continued) New Assurance Requirements and Exposure Drafts . This Section has been revised and expanded to set out requirements for the auditor of an entity's financial statements who uses a service auditor's report when planning the audit; assessing control risk at the entity; using audit evidence obtained from substantive procedures performed by service auditors; and evaluating audit evidence. It also contains requirements related to communication of internal control weaknesses and to the content of the auditor's report when a service auditor's report is used. The new Recommendations are effective for financial statements and financial reports for periods beginning on or after January 1, 2006. . . Impact on City: . Additional audit procedures required. . Section establishes standards and provides guidance on the use of management's representations as audit evidence and on obtaining written representations from management. The new Section emphasizes that the auditor: - should corroborate management's representations when obtaining sufficient appropriate audit evidence; - discusses the relevance of management representations to the audit evidence and the need to obtain written representations with both management and the audit committee when planning the engagement; - obtains management's written representations for all financial periods covered by the auditor's report; - obtains written representations from current management even if current management was not present for part or all of the financial periods covered by the auditor's report; and - should express a qualified opinion or deny an opinion if there is a scope limitation as a result of management's refusal to provide written representations requested by the auditor. The new Recommendations are effective for audits of financial statements for periods beginning on or after August 1, 2005. . . Impact on City: . Additional audit procedures required. @ Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan <::> Co.\;) <:..ù 28 Cu rrent Developments (continued) <:> w ~ New Assurance Requirements and Exposure Drafts . The Section requires the auditor to establish an understanding of the terms of the engagement with the entity and to document this understanding in a written agreement. This agreement is to include the objective, scope and limitations of the engagement; the responsibilities of the auditor and the responsibilities of the entity's management. . Recommendations are effective for periods commencing on or after August 1, 2005. Impact on City: . No current impact as procedures are already compliant. . Date for auditors' report is the date of substantial completion . Substantial completion - paragraph .03 "date by which the auditor has identified and sought all the audit evidence they require to support their opinion, and has obtained and examined substantially all such evidence; however, they will often be awaiting receipt of specific corroborating evidence or documentation before signing and releasing their report. . Represents completion of the audit . Considers events to the report date . After financial statements are approved by management. Impact on City: . No current impact as procedures are already compliant. @ Deloitte & Touche LLP and affiliated entities. The City of Pickering - 2005 Audit Plan 29 Deloitte @ Deloitte & Touche LLP and affiliated entities. Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services through more than 6,100 people in 47 offices. Deloitte operates in Québec as Samson Bélair/Deloitte & Touche s.e.n.c.r.1. The firm is dedicated to helping its clients and its people excel. Deloitte is the Canadian member firm of Deloitte Touche Tohmatsu. Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms, and their respective subsidiaries and affiliates. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names "Deloitte," "Deloitte & Touche," "Deloitte Touche Tohmatsu," or other related names. Services are provided by the member firms or their subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein. Member of Deloitte Touche Tohmatsu <::) W CJ1 036 Cih¡ c~ REPORT TO AUDIT COMMITTEE Report Number: CS 11-06 Date: February 7, 2006 From: Gillis A. Paterson Director, Corporate Services & Treasurer Subject: Clerk's Division Revenue Cycle Review Follow up Review by Deloitte Recommendation: That Report CS 11-06 of the Director, Corporate Services & Treasurer with respect to the report by Deloitte concerning a follow up to the June 2004 Revenue Cycle Review be received for information. Executive Summary: As per the direction of the Chief Administrative Officer to engage our auditors to undertake a process and controls review of the Clerks Division revenue cycle in June 2004, a further follow up review was completed in August 2005 by Deloitte. Background: The new City Clerk was hired on May 30, 2005 and was updated in July 2005 on the original review of Deloitte. A preliminary review was conducted at that time by the City Clerk based on the Divisional workplan that was created after the June 2004 Deloitte process review. On July 20, 2005, a report on the original June 2004 Deloitte recommendation was presented to the Audit Committee through Report CS 58-05, a copy of which is includeQ as Attachment 1 to this report.- Further to the Audit Committee meeting held on July 25, 2005 and the request of Mayor Ryan to ensure that all processes were formally in place with respect to the revenue cycle review, the City Clerk began to document the divisional processes for tighter controls related to the manual systems in place, with the understanding that a large part of the audit controls required would be permanently enhanced with the implementation of an electronic business licensing system (Amanda location module). The enhancement of the Amanda system for the licensing module was ordered in September 2005, following meetings held by the City Clerk with the Manager, Information Technology. Installation of the module was completed late November and testing of the system commenced in November 2005, with the launch of the majority of the system in January 2006. It should be noted that this location module was further developed in December 2005 in order to accommodate animal services licensing. Report CS 11-06 Date: February 7,2006 037 Clerk's Division Revenue Cycle Review Page 2 Due to the implementation of the Amanda module, staff have spent considerable time testing the system to ensure the options of tracking, data management and renewal activities meet our needs as well as comments received in relation to the revenue cycle review. Due to the large volume associated with animal services licensing, the focus by staff was geared to this testing in December 2005. This aspect of licensing is fully integrated and functional as of January 1, 2006 and aside from minor changes requested, such as greater search capabilities, it appears to be meeting our needs. With respect to remaining licensing functions of the Clerks Division, staff are currently transferring all manual files into the Amanda location module. As we enter the files we are completing quality assurance testing to ensure it will meet our needs. At the present time, we are completing the entry and testing of the licensing files for home based businesses. It is anticipated that the entry and final testing will be completed by the end of April, 2006. The timing is such that we are giving ourselves plenty of time for the implementation due to the sheer volume of animal licenses (approximately 300 per week) that are required to be entered, on top of current staff constraints. It should also be noted that the the Clerks Division is now at full complement with respect to the senior management team and a large number of processes and procedures related to budget monitoring and revenue cycles have now been more appropriately assigned to these staff, with formal review and sign off by the City Clerk. Based on the review results of October 19, 2005 by Deloitte, the following comments are offered based on the fact that the Amanda location module has now been installed. You will recall that a large number of the recommendations by Deloitte were dependant upon this installation. It should further be noted that the City Clerk was satisfied with the comments submitted by Deloitte following the review, based on the time and staff constraints that were placed upon the Division, along with any further advice for improvement that was recommended. 0 3 ~eport CS 11-06 Clerk's Division Revenue Cycle Review Date: February 7,2006 Page 3 CLERK'S DIVISION REVENUE CYCLE RECOMMENDATIONS FROM DELOITTE & TOUCHE Budget Monitoring: Financial tracking Management Manual informal Clerk's Division sheets have been comments address reconciliations are still management should established for By-law the being prepared by the monitor activities on a Enforcement and are recommendations. Audit Analyst pending full regular basis through currently being finalized implementation of the reviewing reports and for balance of the Management Amanda system in the analyzing the statistics. Division. Policy and comments have been interim. Results and comments on procedures have been implemented with the any deviations should be completed. exception of the Tracking sheets and documented and signed- Clerks division reconciliations, including off. Finance, as an The Clerk's Division will reconciliations. reconciliations for our independent party, should reconcile all accounts Manual informal contractor with respect to review the actual revenue on a monthly basis and reconciliations are Animal licensing are in numbers per type of provide verification to being prepared by the place. licence, permit, service or the Finance Division. Audit Analyst pending parking ticket and follow Regular reviews will be the launch of the Monthly computer print up with Clerk's Division completed by the Amanda system. outs of sectional management on any Finance staff. Statistics accounts are provided to noted variances on the number of the management team licences, permits. for review and Parking tags, etc. have subsequent sign off by been or are in process the City Clerk. (January of being produced for 30, 2006 will be first full management review, month for new process) productivity and control ur oses. Central Filing: All documents are filed Management With the furniture move All documents should be within central files, with comments address that recently took place filed in the Central the exception of active the within the Division, all Files, which should be by-law enforcement recommendations. Clerks Division files are locked during non- officer files. All files are within a central filing business hours. locked during non- Management system. File sign out Procedures for filing business hours. comments have been sheets are in place within documents should be Procedures have been implemented with the the central files in the established and followed developed for tracking exception of event staff are utilizing by all employees involved. of the work in progress procedures for files for work in progress. files. Access to the tracking work in central files after hours progress files. have been restricted to management only. No formal procedures were noted to track work in process files stored outside of central filin . 039 Report CS 11-06 Date: February 7,2006 Clerk's Division Revenue Cycle Review Page 4 Reconciliations: Reconciliation Management Monthly computer print Reconciliations and procedures have been comments address outs of sectional reviews need to be established and forms the accounts are provided to documented and signed- have been developed. recommendations. the management team off by the responsible for review and personnel. Any deviations Establishment of Management has subsequent sign off by or problems encountered additional separate implemented the City Clerk. (January should be explained. revenue accounts have reconciliation 30, 2006 will be first full been completed. procedures however month for new process) they do not include documented reviews and signoffs. Templates have been developed for tracking sheets. Separate revenue accounts have been created. Policies and Desk reference binders Management Ongoing project for 2006 Procedures: have been com pleted comments address and established as a We understand that for clerical staff, and will the recommendation. divisional goal. management has initiated be incorporated into The desk reference the process of Clerks Division policy binders have been documenting the activities and procedure manual. developed however and we encourage By-law Enforcement they will be management to continue staff are anticipating significantly changed with its efforts in completion early in 2006 upon the full developing and due to current workload implementation of the documenting the commitments. Amanda software. Clerk's Division's procedures. These We encourage procedures such as pre- management to numbering forms, central continue with its filing, segregation of efforts in developing duties should cover areas and documenting such as pre-numbering, procedures in light of reconciliations of revenue, the anticipated etc. software implementation. Taxi Driver's Licence: All files and blank forms Recom mendations Identicam software has Taxi driver licence cards are secured at all times. have not been been purchased and is should be pre-printed and implemented pending currently being tested by contain special features Software program - the launch of the IT staff. Delay for (i.e. watermark, digital Identicam has been Identicam software. installation due to photos) to prevent researched for licence implementation of new falsification. Additionall , issuance and is in the Files and blank forms front counter in the Clerks Report CS 11-06 04 °Clerk's Division Revenue Cycle Review Date: February 7, 2006 Page 5 cards should be numbered to allow management to control the stock of blank cards and the number of licences issued by the Division. The issuance of taxi driver licences should be recorded in a centralized database to allow Clerk's Division to have better control of the licences and the expiry dates. Physical files should be securely locked during non- business hours. Licences should not be signed until documentation is completed and ready to be issued. Blank stock of Sensitive Forms: Blank stock of sensitive forms should be securely locked outside of business hours. Management should keep control of forms received and issued. Monthly reconciliations should be performed, documented and signed-off, by an independent party, who should also compare the stock position to the monthly revenue. process of being purchased. Database is currently being developed for licence tracking. No licences are pre-signed and a temporary manual numbering system has been established. All licences are reviewed by the City Clerk effective July 1, 2005, prior to issuance. Sensitive forms are locked and a monthly stock reconciliation (log book) has been developed. Private information is securely locked during non- business hours. The Clerk's Division completes reconciliations on a monthly basis and Finance staff completes final reconciliation every six months. DJ;I:iOl'rrE";> '(k , ~~EVlE:W: RESULTS 'aCrOBE' , '," , "', . have been secured. Licenses are being reviewed prior to issuance by either the City Clerk or the Manager, By-Law Enforcement. Management comments address the recommendations. The comments have been implemented with the exception of the reconciliations of blank stock which will now be the responsibility of the new Deputy Clerk. Management expects that this recommendation will be implemented by the new Deputy Clerk. March 2006 implementation anticipated. Reconciliations are now in place by the Deputy Clerk. Report CS 11-06 Date: February 7,2006 Clerk's Division Revenue Cycle Review Page 6 041 Permits, birth Pre-printed forms are Management Full implementation with registrations, licences being used but special comments address the Amanda system and compliance letters: security measures are the expected by April 2006. Birth registration, pending the integration recommendations. municipal licences, of upgrades to the permits and compliance Amanda system in the Pre-printed letters should be issued Fall. Enhancement of sequentially on pre-printed forms with the existing database numbered forms are special features to will also be realized as only used for prevent part of the Amanda marriage and lottery falsification. Forms should system. licenses, thus the be sequentially numbered recommendation has to allow management to Compliance letters are not been fully control the number of now completed utilizing implemented. registrations, licences and a standard template permits issued by the including computer Compliance letters Division. All issuance of generated numbers and are completed using licences and permits are signed by clerical a standard template should be recorded in a personnel. however the database to allow Clerk's numbering system is Division to maintain better still manual. control of the documents and, if applicable, the There is no formal expiry date. database for the issuance of all licenses and ermits. Safeguard of Private All central file cabinets Management Completed. Information: are locked during non- comments address Private information should business hours and the the recommendations be kept securely locked key secured and appear to have during non-business been implemented. hours. Customer Information: Counter signage has Recommendations Completed. Signage should notify been established and have yet to be customers to make permanent signage is implemented. payments only at the pending redesign of the Expected to be cashiers. front counter and the implemented upon necessary approvals. remodeling of the counter area. 042 Report CS 11-06 Clerk's Division Revenue Cycle Review Date: February 7, 2006 Page 7 Vital Statistics/Lottery Systems: Management should consider updating these systems and enforcing users to change their passwords at least every 90 days. Passwords should have a minimum length of 6 characters and, if possible, complexity should be enforced. The system should lockout users who exceed 3 unsuccessful login attempts until the IT Section can reset the password. Segregation of Duties: The following duties should be segregated: By-law Section or an independent party .- Recording ticket information into Ticket Processor from handhelds and manual tickets should be delivered directly to this section. By-law Section should not have access to Ticket Processor functionalities other than uploading and viewing tickets. Clerical personnel - Reconciling tickets recorded in Ticket Processor with handheld print-outs or manual tickets; - Recording payment into Ticket Processor; - Cancelling tickets accordin to Excel database created and implemented by IT for affected staff. Restricted password access established. Procedures have been developed Duties have been segregated and controls established, including a cancellation policy. This process will be further reviewed upon the purchase of the new parking ticket handheld units (lease expires this year). Co-signing of all documents is strictly enforced. MTO plate information can only be accessed by the Manager, By-law Enforcement and one senior MLEO officer. One clerical personnel confirms the search and matches to the appropriate parking ticket. Daily log for pay tickets is completed and signed by the Cit Clerk, then Management comment does not appear to address password changes in Vital Statistics and Lottery System Software. Although computer network access requires regular password changes, access to Vital Statistics/Lottery systems do not currently appear to require password changes. Management comments address the recommendations. Segregation of duties have not been implemented as recommended. Co-signing of documents, daily log of Pay Tickets, reconciliation of Moneris information and payment processing has been implemented. I nstallation of new handheld units being completed in February 2006. Segregation of duties will be enhanced with the implementation of this new system. Report CS 11-06 Clerk's Division Revenue Cycle Review 043 Date: February 7,2006 Page 8 cancellation policies; - Obtaining MTO car owner information; and - sending plate to plate denial Ticket cancellations PayTicket payment reversal and plate denial activities should also be co-signed by a second clerical staff member and reviewed by management on a regular basis. Exceptions from cancellation policy should be approved by management and reasons noted. If possible, system should log the user responsible for the cancellation and second review. Finance .. Receiving payments done at the cashier, drop-box, direct deposit via PayTicket or cheques from MTO. .. Recording payment received in the accounting system. .. Reconciling payments processed by the Finance with payment information recorded into Ticket Processor. Ticket Cancellation Process: Each condominium or private area should formally designate the appropriate personnel who will have the authorit forwarded to Finance staff for processing. Reconciliation on a monthly basis is completed by the Clerk's Assistant and amended forms are forwarded to Finance staff for payment. Any payment processing is handled by the cashiers in the Finance Division. The Clerk's Division, in accordance with the cancellation policy, handles all cancellations. A letter was sent to all Management comments do not address the recommendations. Management has implemented a Completed. Cancellation policy has been updated to formally list the designated personnel with approval to authorize ticket cancellation. - Report CS 11-06 044 Clerk's Division Revenue Cycle Review Date: February 7, 2006 Page 9 to cancel tickets. condominiums advising cancellation policy Only authorized personnel of this change in policy however it does not should be able to request in the fall of 2004. include the the cancellation of a recommended listing ticket. Requests should of formally be signed and the original designated personnel document should be with approval to compared to the name authorize ticket and signature in the cancellation. authorization process and filed together with the cancelled tickets. Ticket cancellation should be co- signed by two clerical staff members. Any exceptions from the policy should be approved by management and reasons noted. Management should review cancellations on a regular basis. Reconciliation: Monthly reconciliations Management Completed. Monthly reconciliations have re-commenced comments address should be performed, since the hiring of the the recommendation. documented and signed- new City Clerk. off by an independent Formal party. Payments reconciliations are processed by Finance not being performed should be compared to by the Audit Analyst the information in the pending the launch of Ticket Processor system. the Amanda software. Logic Security: Information from the Management Reconciliations of Information downloaded downloads are saved comments address uploaded information and from the handhelds within a protected the recommendation. ticket information are should be saved in a directory and errors are under review. protected directory in the verified by Clerical Reconciliations of network to which only the personnel prior to uploaded information Ticket Processor has further processing. and ticket information access. Control totals has not been checks should be All ticket reconciliations implemented. implemented in Ticket are handled by one Processor to ensure clerical personnel, with Clerical personnel information was uploaded an additional sign off by restricted as does not correctly. Additionally, the Clerk's Assistant. have access to tickets uploaded into change or modify Ticket Processor should Clerical staff do not uploaded ticket Report CS 11-06 Clerk's Division Revenue Cycle Review 045 Date: February 7, 2006 Page 10 be reconciled to the handhelds printed tickets by an independent party. Clerical personnel should not have access to change nor to modify ticket information uploaded from handhelds. Payments Received at the Drop-Box: Drop-box content should be directed to Finance to count and document the payments received. A list of payments should then be sent to the Clerk's Division to identify whether payments should be processed or returned to the customer. Car Owner Request to MTO: Cancellation due to inconsistent or lack of information should be co- signed by two clerical personnel. Any exceptions from the policy should be approved by management and reasons noted. Management should review cancellations on a regular basis. Distribution of Manual Ticket Books: Ticket books should be given to authorized personnel upon presentation of identification document. Clerk's Division should kee track of which officer have the authority to change or modify the ticket information uploaded. Finance document through a log the cheques received and send to clerical personnel for verification. Payment is processed once the verification is received All cancellations are reviewed in accordance with the cancellation procedures by two clerical personnel and final review and approval by the Manager, By-law Enforcement. A log book for sign out of the books have been established. A copy of the officer identification is kept with the log book for verification purposes. Management comments address the recommendation and have been implemented. Completed. A cancellation policy requiring co-signing by the two clerical personnel plus management signature for exceptions has been implemented. Completed. This policy is consistent with the recommendations, however, it is inconsistent with management comments. Management comments address the recommendations. Completed. Management has implemented a log book for the sign out of the books which ~eport CS 11-06 046 Clerk's Division Revenue Cycle Review Date: February 7, 2006 Page 11 collected which books. Periodic reconciliations should be performed by an independent party to ensure ticket books are being used appropriately (i.e. if there are no tickets missing nor gaps in the sequence). Ticket Processor Audit Trail: Customized reports should be developed to allow management to monitor Clerks Division activities. Attachments: An RFP for the handheld units has been prepared and specifications have been developed to ensure customized reports can be developed. With the existing units, customized reports cannot be obtained. DELOITTE REVIEW RESULTS OCTOSE 2005 keeps track of the officer who collected the books. Officer identification and periodic reconciliation were not evident. RFP is still outstanding thus recommendation has not been implemented. Completed purchase of handheld units and installation scheduled for February 2006. 1. 2. Report CS 58-05 of the Director, Corporate Services & Treasurer Clerk's Division Revenue Cycle - Follow up dated October 2005 047 Report CS 11-06 Date: February 7,2006 Clerk's Division Revenue Cycle Review Page 12 Prepared By: Approved I Endorsed By: Db', çQ:-;¡3,..-noo 1 Debi A. Bentley City Clerk ß~~ Gillis A. Paterson Director, Corporate Services & Treasurer GAP/vw Attachments Copy: Chief Administrative Officer Recommended for the consideration of Pickering Cit~o .~ /' Ciú¡ 0# ATTACHMENT#Í- TO REPORT#..ts-Ll-o~ REPORT TO AUDIT COMMITTEE 048 Report Number: CS 58-05 Date: July 20, 2005 From: Gillis A. Paterson Director, Corporate Services & Treasurer Subject: Clerks Division Revenue Cycle Review Recommendation: 1. That Report CS 58-05 of the Director, Corporate Services & Treasurer be received for information. Executive Summary: As per the direction of the Chief Administrative Officer, the Director, Corporate Services & Treasurer engaged our auditors, Deloitte & Touche, to undertake a process and controls review of the Clerks Division revenue cycle in June 2004. The purpose of the review was to document the processes of the Division's principal business activities and provide recommendations to enhance internal controls within these processes. Deloitte & Touche issued their report in August 2004 and a Divisional implementation workplan was developed from this report. The following report is a summary update of actions taken and those in progress for the information of the Audit Committee. Background: By the direction of the Chief Administrative Officer, with the endorsement of Council, the Clerks Division was transferred to the Corporate Services Department in May 2004. At that time it was thought necessary and beneficial to- undertake a process review of the Clerks Division's revenue cycle to documenLand review their business processes. With the various sources of revenue the Division collects, it was seen as an opportunity to assess where efficiencies or synergies could be made within the Division and the Department as a whole. As existing City resources were not available due to daily workload and other commitments, Deloitte & Touche was engaged to undertake the review based on the firm's extensive municipal background. The scope of the review was to document key systems and processes as weB as the intemal controls for each of these processes. They were to review the existence and effectiveness of the controls and provide recommendations for improvements where necessary. It was agreed jointly by the Chief Administrative Officer and the Director, Corporate Services & Treasurer, that following the Forensic Audit, the next logical step was to undertake this review. Report CS 58-05 Clerks Division Revenue Cycle Review Date: July 20, 2005 049 Page 2 Deloitte & Touche's report was received in late August 2004 and was forwarded to the Clerk in early September to assist in and oversee the implementation of the various recommendations. The Supervisor, Legislative Services and the Audit Analyst reviewed the report and drafted an implementation plan for each of the recommendations. Work on the implementation plan continued through the fall and early winter. Progress meetings were held with the Clerk, the Supervisor and the Department Head up until the end of the year to ensure all actions that could be undertaken quickly were readily implemented. However with the by-election in the fall of 2004, year end work, departure of the Supervisor at the end of 2004, together with the Manager, By-law Enforcement and the announcement of the Clerk's retirement in June 2005, progress was impeded and a number of original target dates had to be revised. With the hiring of the new Clerk in May 2005, she has had an opportunity to review the recommendations, meet with staff, and review and update the implementation plan. She is confident that any remaining key items will soon be addressed and implemented accordingly. Below are the recommendations included in Deloitte & Touche's report. In light of discussions at the Audit Committee meeting of June 20, 2005, we have provided our comments on the status of these recommendations and a copy of this report has been provided to the auditors for their information. A number of the items reflected within the table are contingent upon the upgrade of the Amanda software, which was provided for in the 2005 Budgets, and database development assistance from the IT Division. This assistance commenced in the fall of 2004 and the new City Clerk will be meeting with the Manager, Information Technology in order to prioritize Divisional requirements and seek the necessary guidance from IT. CLERKS DIVISION REVENUE CYCLE RECOMMENDATIONS FROM DELOITTE & TOUCHE INSIGHT Budget Monitoring: Management prepares the annual budget mainly based on previous year numbers per type of licence, permit, service or parking tickets. However, Finance only reviews the budget for the total revenue. RECOMMENDATION MANAGEMENT' COMMENTS. Financial tracking sheets have been established for By-law Enforcement and are currently being finalized for balance of the Division. Policy and proced ures have been completed. Clerks Division management should monitor activities on a regular basis through reviewing reports and analyzing the statistics. Results and comments on any deviations should be documented and signed- off. Finance, as an independent party, should review the actual revenue numbers per type of licence, permit, service or i The Clerks Division will I reconcile all accounts on ê. month I)! basis and provide verification to the Finance Division. Regular reviews will be com leted b the ,.1eport CS 58-05 050 Clerks Division Revenue Cycle Review Central Filing: Currently, part of the supporting documentation used to issue licences and permits is filed in the Central Files; however, some documents are kept in separate files by the By-law officer responsible for the review and approval of the licence/permit (e.g. business licence, pool enclosure permits, etc.). Decentralized filing may make it difficult to locate required records as each record set would be arranged and managed differently. Reconciliations: As part of the process of monitoring Clerks Division's activities, reconciliations and reviews need to be performed. We observed that some reviews and reconciliations are not documented nor are they signed-off. Policies and Procedures: Clerks Division's procedures have not been formalized. Work is performed based on the experience of clerical personnel. Taxi Driver's Licence: The stock of blank licence cards is kept RECOMI\II.Ef.l[1 parking ticket and follow up with Clerks Division management on any noted variances All documents should be filed in the Central Files, which should be locked during non- business hours. Procedures for filing documents should be established and followed by all employees involved. Reconciliations and reviews need to be documented and signed- off by the responsible personnel. Any deviations or problems encountered should be explained. We understand that management has initiated the process of documenting the activities and we encourage management to continue with its efforts in developing and documenting the Clerks Division's procedures. These procedures such as pre- numbering forms, central filing, segregation of duties should cover areas such as pre-numbering, reconciliations of revenue, etc. Taxi driver licence cards should be pre-printed and contain special features Date: July 20,2005 Page 3 rtlL~NAG.ËME . COMMENT Finance staff. Statistics on the number of licences, permits, parking tags, etc have been or are in the process of being produced for management review, productivity and control ur oses. All documents are filed within central files, with the exception of active by-law enforcement officer files. All files are locked during non- business hours. Procedures have been developed for tracking of the work in progress files. Access to the central files after hours have been restricted to management only. Reconciliation procedures have been established and templates have been developed incorporating the recommendations. Establishment of additional separate revenue accounts have been com leted. Desk reference binders have been completed for clerical staff, and will be incorporated into Clerks Division policy and procedure manual. By-law Enforcement staff are anticipating completion early in 2006 due to current workload commitments. All files and blank forms are secured at all times. Software ro ram- Report CS 58-05 Clerks Division Revenue Cycle Review Date: July 20,2005 05ìl1 Page 4 unlocked and pre-signed on a desk. Cards are not sequentially numbered. In addition, information about taxi driver's licence is not recorded into a centralized database. Physical files are kept in an open cabinet. (Le. watermark, digital photos) to prevent falsification. Additionally, cards should be numbered to allow management to control the stock of blank cards and the number of licences issued by the Division. The issuance of taxi driver licences should be recorded in a centralized database to allow Clerks Division to have better control of the licences and the expiry dates. Physical files should be securely locked during non-business hours. Licences should not be signed until documentation is completed and ready to be issued. Blank stock of sensitive forms should be securely locked outside of business hours. Management should keep control of forms received and issued. Monthly reconciliations should be performed, documented and signed-off, by an independent party, who should also compare the stock position to the monthl revenue. Blank Stock of Sensitive Forms: Marriage and lottery licences are printed on pre-printed numbered paper. However, the stock of blank forms is not securely stored and is accessible at any time. Additionally, management does not control the sequence of lottery licence forms. Numbering and inventory of marriage licence forms is reconciled by the Finance Section. GE~E . ENtS Identicam has been researched for licence issuance and is in the process of being purchased. Database is currently being developed for licence tracking. No licences are pre-signed and a temporary manual numbering system has been established. All licences are reviewed by the City Clerk effective July 1 , 2005, prior to issuance. Sensitive forms are locked and a stock reconciliation (log book) has been developed. Private information is securely locked during non-business hours. The Clerks Division completes reconciliations on a monthly basis and Finance staff com pletes final reconciliation every six months. . qeport CS 58-05 052 Clerks Division Revenue Cycle Review Permits, birth registration, licences and compliance letters: Permits, birth registration, licences and compliance letters with the exception of marriage and lottery licences, are issued on plain blank paper. Although these documents need to be signed by the City Clerk, Manager, Municipal Law Enforcement Officer "MLEO" or clerical personnel, depending on the type of document, controls do not ensure that the City only issues and charges for legitimate documents. Compliance letters are also printed on plain blank paper and do not need to be signed. In addition, most of the licences and permits are not controlled by a system nor are they recorded into a database. Safeguard of Private Information: Some files like the marriage licence and taxi driver's licence contain private information. Documents are ke t in unlocked cabinets. Customer Information: There are no signs indicating that payments can not be accepted by the clerical personnel and should be made directl at the cashier. Vital Statistics/Lottery Systems: The Vital Statistics system is used to record birth registrations, marriage licences and burial permits. The Lottery system records lottery licences. None of these systems enforce periodic user password changes. RECOMMENDATION Birth registration, municipal licences, permits and compliance letters should be issued on pre-printed forms with special features to prevent falsification. Forms should be sequentially numbered to allow management to control the number of registrations, licences and permits issued by the Division. All issuance of licences and permits should be recorded in a database to allow Clerks Division to maintain better control of the documents and, if applicable, the expiry date. Private information should be kept securely locked during non-business hours. Sign age should notify customers to make payments only at the cashiers. Management should consider updating these systems and enforcing users to change their passwords at least every 90 days. Passwords should have a minimum length of 6 characters and, if possible, complexity should be enforced. The system should lockout users who exceed 3 unsuccessful login attempts until the IT Section can reset the assword. Date: July 20,2005 Page 5 . MANÃGEM EN't , , ' COMMENTS Pre-printed sequentially numbered forms are being used and special security features are pending the integration of upgrades to the Amanda system in the Fall. Enhancement of the existing database will also be realized as part of the Amanda system. Compliance letters are now completed utilizing a standard template including computer generated numbers and are signed by clerical personnel. All central file cabinets are locked during non-business hours and the key secured. Counter signage has been established and permanent signage is being reviewed. Excel database created and implemented by IT for affected staff. Restricted password access established. Procedures have been developed. Report CS 58-05 Clerks Division Revenue Cycle Review 053 Date: July 20, 2005 Page 6 Segregation of Duties: Manual parking tickets are keyed into the system by the Clerks Division, which is also responsible for processing ticket cancellation, recording payment, obtaining car owner information from the MTO and sending plates to plate denial. RECOMMENDATION The following duties should be segregated: By-law Section or an independent party . Recording ticket information into Ticket Processor from handhelds and manual tickets should be delivered directly to this section. By-law Section should not have access to Ticket Processor functionalities other than uploading and viewing tickets. Clerical personnel . Reconciling tickets recorded in Ticket Processor with handheld print-outs or manual tickets; . Recording payment into Ticket Processor; . Cancelling tickets according to cancellation policies; . Obtaining MTO car owner information; and . sending plate to plate denial . Ticket cancellations, PayTicket payment reversal and plate denial activities should also be co-signed by a second clerical staff member and reviewed by management on a regular basis. Exceptions from cancellation policy should be approved by management and reasons noted. If possible, system should 10 the user MANAGEfI(1EN COMMENTS Duties have been segregated and controls established, including a cancellation policy. This process will be further reviewed upon the purchase of the new parking ticket handheld units. Co-signing of all documents is strictly enforced. Plate information can only be accessed by the Manager, By-law Enforcement and one senior MLEO officer. One clerical personnel confirms the search and matches to the appropriate parking ticket. Daily log for Pay Tickets is completed and signed by the City Clerk, then forwarded to Finance staff for processing. Reconciliation on a monthly basis is completed by the Clerk's Assistant and amended forms are forwarded to Finance staff for payment. Any payment processing is handled by the cashiers in the Finance Division. , 'ieport CS 58-05 0154 Clerks Division Revenue Cycle Review Date: July 20, 2005 Page 7 RECOMMENDATION responsible for the cancellation and second review. Finance . Receiving payments done at the cashier, drop-box, direct deposit via PayTicket or cheques from MTO. . Recording payment received in the accounting system. . Reconciling payments processed by Finance with payment information recorded into Ticket Processor. MANAGEMENT. COMMENTS. Report CS58-05 Clerks Division Revenue Cycle Review Date: July 20, 2005 Page 8 055 u Ticket Canceilation Process: Condominium or private area parking tickets are cancelled upon issuer request. During our work, we identified a ticket that was cancelled upon the receipt of a fax document. The fax had the logo of the condominium but it was not signed and did not indicate the full name of the condominium representative. In addition, there is no second review/approval for the cancellation of a ticket. Reconciliation: Ticket payments processed by Finance and recorded into the G/L are not reconciled to the tickets paid in Ticket Processor (system used to control parking tickets). Logic Security: Information stored in the handheld units is downloaded via Citation+, which produces a text file to be saved in a network directory. A File is then uploaded into Ticket Processor by appropriate clerical personnel. The Interface file contains control totals; however, the Ticket Processor does not perform checks to ensure information was uploaded correctly. Each condominium or private area should formally designate the appropriate personnel who will have the authority to cancel tickets. Only authorized personnel should be able to request the cancellation of a ticket. Requests should be signed and the original document should be compared to the name and signature in the authorization process and filed together with the cancelled tickets. Ticket cancellation should be co- signed by two clerical staff members. Any exceptions from the policy should be approved by management and reasons noted. Management should review cancellations on a regular basis. Monthly reconciliations should be performed, documented and signed- off by an independent party. Payments processed by Finance should be compared to the information in the Ticket Processor s stem. Information downloaded from the handhelds should be saved in a protected directory in the network to which only the Ticket Processor has access. Control totals checks should be implemented in Ticket Processor to ensure information was uploaded correctly. Additionally, tickets uploaded into Ticket Processor should be reconciled to the handhelds printed tickets b an inde en dent art. N I\iI.ÅJNÂGEM C0MMENT The Clerks Division, in accordance with the cancellation policy, handles all cancellations. A letter was sent to all condominiums advising of this change in policy in the fall of 2004. Monthly reconciliations have re-commenced since the hiring of the new City Clerk. Information from the downloads are saved within a protected directory and errors are verified by clerical personnel prior to further processing. All ticket reconciliations are handled by one clerical personnel, with an additional sign off by the Clerk's Assistant. Clerical staff do not have the authority to change or modify the ticket information u loaded. 056 Report CS 58-05 Clerks Division Revenue Cycle Review Date: July 20,2005 Page 9 Payments Received at the Drop-Box: Payments received at the drop-box are directed to the clerical personnel to ensure parking tickets are due (i.e., identify whether ticket is in court or was sent to MTO for plate denial). If Clerks Division approves payment receipt, then cheque or cash is sent to Finance to process payment. Car Owner Request to MTO: Tickets that are not paid up to 14 days after the due date are extracted from Ticket Processor and a text file is produced to be sent to MTO, which sends back a text file containing the car owner information. A Text file is received by clerical personnel and uploaded into Ticket Processor. If the information received from MTO is inconsistent or the car owner information can not be found, the ticket is cancelled. Distribution of Manual Ticket Books: Parking tickets books are distributed at the Clerks Division. To obtain a book, a document identifying the number sequence of the book must be signed by the recipient/parking control officer. However, no identification is requested, as the recipients are usually in uniform. Ticket Processor Audit Trai!: Ticket Processor records audit trails. However, there are no customized reports to be used for monitoring purposes. In order to check all the operations done by clerical personnel, a query needs to be run against the database. Clerical personnel should not have access to change nor to modify ticket information uploaded from handhelds. Drop-box content should be directed to Finance to count and document the payments received. A list of payments should then be sent to the Clerks Division to identify whether payments should be processed or returned to the customer. Cancellation due to inconsistent or lack of information should be co- signed by two clerical personnel. Any exceptions from the policy should be approved by management and reasons noted. Management should review cancellations on a regular basis. Ticket books should be given to authorized personnel upon presentation of identification document. Clerks Division should keep track of which officer collected which books. Periodic reconciliations should be performed by an independent party to ensure ticket books are being used appropriately (i.e. if there are no tickets missing nor gaps in the se uence. Customized reports should be developed to allow management to monitor Clerks Division activities. Finance document through a log the cheques received and send to clerical personnel for verification. Payment is processed once the verification is received. In accordance with the cancellation procedures, all cancellations are reviewed by two clerical personnel and final review and approval by the Manager, By-law Enforcement. A log book for sign out of the books have been established. A copy of the officer identification is kept with the log book for verification purposes. Periodic reconciliations will be undertaken by an independent person. An RFP for the handheld units has been prepared and specifications have been developed to ensure customized reports can be developed. 057 Report CS 58-05 Date: July 20, 2005 Clerks Division Revenue Cycle Review Page 10 INSIGHT AND IMPLICATION RECOMMENDATION MANAGEMENT COMMENTS With the existing units. customized reports cannot be obtained. With all the recent changes within the Division, it should be noted that special care has been taken to ensure there is a strong focus on internal controls, customer service and best practices. The workplan developed based on the recommendations will be reviewed by the City Clerk on a bi-weekly basis with management staff within the Division, along with monthly briefing at Clerks Division staff meetings to ensure that all parties are on track and best practices are continually addressed to determine the feasibility of implementation within the Division. Attachments: 1 . Clerks Division Revenue Cycle - Deloitte & Touche Report Prepared By: Approved I Endorsed By: '--' /" / ~ -? ~-~~/..~ .~...-.... .------------ -- ,"- --:' ~~ Gillis A. Paterson Director, Corporate Services & Treasurer GAP/vw Attachment Copy: Chief Administrative Officer City Clerk Manager, Accounting Services Audit Analyst Deloìtte & Touche Recommended for the consideration of Pickering Cify cil / - // "I" --- ( - 058 - ATTACHMENT #2- TO REPORT # ß~_.t 1-0(;, 0.. :J ~ bl) 0 - - 0 ~ LL I .~ ~ OJ - u (l) >- ~ U OJ U :J c: .~ OJ ~ > OJ Cl:: ~ c: 0 GI 0 .- U) .- .... > .- .... ~ 0 l{") .- a 0 U) a ~ .... N - .~ ~ L.. L.. Q) GI ..c U OJ 0 C - ..... U u 0 Deloitte Deloitte & Touche LLP 5140 Yonge Street Suite 1700 Toronto, ON M2N 6L7 Canada Tel: (416) 601 6150 Fax: (416) 6016151 www.deloitte.ca Audit Committee The Corporation of the City of Pickering 1 The Esplanade Pickering, Ontario Ll V 6K7 Dear Audit Committee Members: As requested by the Audit Committee, we have followed up on the Clerk's Division Revenue Cycle recommendations prepared by Deloitte & Touche in June 2004 and the respective management comments dated July 20, 2005. As of October 19,2005, Deloitte & Touche reviewed management comments to determine if they were implemented as stated and addressed the recommendations. The results of this review are included in the attached document. Overall, it was noted that the majority of the recommendations have not been fully implemented. The Clerk's Division is expecting to implement the Amanda software in January 2006. Management anticipates addressing the Deloitte & Touche recommendations as part of this software implementation. We would like to acknowledge the assistance and co-operation of management and all the staff during the course of the review. We would be pleased to discuss the results of our review and provide any assistance you may wish in their implementation. Yours truly, /Lt ;~ Paula A. Jesty, CA Partner Member of Deloitte Touche Tohmatsu 0 (Jl E;.O Clerks Division Revenue Cycle Recom mendations From Deloitte &. Touche Insight and Implication Budget Monitoring: Management prepares the annual budget mainly based on previous year numbers per type of licence, permit, service or parking tickets. However, Finance only reviews the budget for the total revenue. Central Filing: Currently, part of the supporting documentation used to issue licences and permits is filed in the Central Files; however, some documents are kept in separate files by the By-law officer responsible for the review and approval of the licence/permit (e.g. business licence, pool enclosure permits, etc.). Decentralized filing may make it difficult to locate required records as each record set would be arranged and managed differently. Reconciliations: As part of the process of monitoring Clerks Division's activities, reconciliations and reviews need to be performed. We observed that some reviews and reconciliations are not documented nor are they signed-off. Recommendation - June 2004 Clerks Division management should monitor activities on a regular basis through reviewing reports and analyzing the statistics. Results and comments on any deviations should be documented and signed-off. Finance, as an independent party, should review the actual revenue numbers per type of licence, permit, service or parking ticket and follow up with Clerks Division management on any noted variances. All documents should be filed in the Central Files, which should be locked during non-business hours. Procedures for filing documents should be established and followed by all employees involved. Reconciliations and reviews need to be documented and signed-off by the responsible personnel. Any deviations or problems encountered should be explained. @ Deloitte & Touche LLP and affiliated entities. 0 c:.n ::;J Management Comments - July 20, 2005 I Follow up - October 19,2005 Financial tracking sheets have been established for By-law Enforcement and are currently being finalized for balance of the Division. Policy and procedures have been completed. The Clerks Division will reconcile all accounts on a monthly basis and provide verification to the Finance Division. Regular reviews will be completed by the Finance staff. Statistics on the number of licences, permits, parking tags, etc. have been or are in the process of being produced for management review, productivity and control purposes. All documents are filed within central files, with the exception of active by-law enforcement officer files. All files are locked during non-business hours. Procedures have been developed for tracking of the work in progress files. Access to the central files after hours have been restricted to management only. Reconciliation procedures have been established and templates have been developed incorporating the recommendations. Establishment of additional separate revenue accounts have been completed. Management comments address the recommendations. Management comments have been implemented with the exception of the Clerks division reconciliations. Manual informal reconciliations are being prepared by the Audit Analyst pending the launch of the Amanda System. Management comments address the recommendations. Management comments have been implemented with the exception of procedures for tracking work in progress files. No formal procedures were noted to track work in process files stored outside of central filing. Management comments address the recommendations. Management has implemented reconciliation procedures however they do not include documented reviews and sign-offs. Templates have been developed for tracking sheets. Separate revenue accounts have been created. City of Pickering - Clerk's Revenue Process 2 Clerks Division Revenue Cycle Recommendations From Deloitte & Touche Insight and Implication Policies and Procedures: Clerks Division's procedures have not been formalized. Work is performed based on the experience of clerical personnel. Taxi Driver's Licence: The stock of blank licence cards is kept unlocked and pre-signed on a desk. Cards are not sequentially numbered. In addition, information about taxi driver's licence is not recorded into a centralized database. Physical files are kept in an open cabinet. Blank Stock of Sensitive Forms: Marriage and lottery licences are printed on pre-printed numbered paper. However, the stock of blank forms is not securely stored and is accessible at any time. Additionally, management does not control the sequence of lottery licence forms. Numbering and inventory of marriage licence forms is reconciled by the Finance Section. Recommendation - June 2004 We understand that management has initiated the process of documenting the activities and we encourage management to continue with its efforts in developing and documenting the Clerks Division's procedures. These procedures such as pre- numbering forms, central filing, segregation of duties should cover areas such as pre-numbering, reconciliations of revenue, etc. Taxi driver licence cards should be pre- printed and contain special features (i.e. watermark, digital photos) to prevent falsification. Additionally, cards should be numbered to allow management to control the stock of blank cards and the number of licences issued by the Division. The issuance of taxi driver licences should be recorded in a centralized database to allow Clerks Division to have better control of the licences and the expiry dates. Physical files should be securely locked during non-business hours. Licences should not be signed until documentation is completed and ready to be issued. Blank stock of sensitive forms should be securely locked outside of business hours. Management should keep control of forms received and issued. Monthly reconciliations should be performed, documented and signed- off, by an independent party, who should also compare the stock position to the monthly revenue. @ Deloitte & Touche LLP and affiliated entities. Management Comments - July 20, 2005 Desk reference binders have been completed for clerical staff, and will be incorporated into Clerks Division policy and procedure manual. By-law Enforcement staff are anticipating completion early in 2006 due to current workload commitments. All files and blank forms are secured at all times. Software program - Identicam has been researched for licence issuance and is in the process of being purchased. Database is currently being developed for licence tracking. No licences are pre-signed and a temporary manual numbering system has been established. All licences are reviewed by the City Clerk effective July 1, 2005, prior to issuance. Sensitive forms are locked and a stock reconciliation (log book) has been developed. Private information is securely locked during non-business hours. The Clerks Division completes reconciliations on a monthly basis and Finance staff completes final reconciliation every six months. Follow up - October 19, 2005 Management comments address the recommendation. The desk reference binders have been developed however they will be significantly changed upon the full implementation of the Amanda software. We encourage management to continue with its efforts in developing and documenting procedures in light of the anticipated software implementation. Recommendations have not been implemented pending the launch of the Identicam software. Files and blank forms have been secured. Licenses are being reviewed prior to issuance by either the City Clerk or the Manager, By-Law Enforcement. Management comments address the recommendations. The comments have been implemented with the exception of the reconciliations of blank stock which will now be the responsibility of the new Deputy Clerk. Management expects that this recommendation will be implemented by the new Deputy Clerk. City of Pickering - Clerk's Revenue Process 3 0 ~ /-tto Clerks Division Revenue Cycle Recommendations From Deloitte & Touche Insight and Implication Permits, birth registration, licences and compliance letters: Permits, birth registration, licences and compliance letters with the exception of marriage and lottery licences, are issued on plain blank paper. Although these documents need to be signed by the City Clerk, Manager, Municipal Law Enforcement Officer "MLEO" or clerical personnel, depending on the type of document, controls do not ensure that the City only issues and charges for legitimate documents. Compliance letters are also printed on plain blank paper and do not need to be signed. In addition, most of the licences and permits are not controlled by a system nor are they recorded into a database. Safeguard of Private Information: Some files like the marriage licence and taxi driver's licence contain private information. Documents are kept in unlocked cabinets. Customer Information: There are no signs indicating that payments can not be accepted by the clerical personnel and should be made directly at the cashier. Vital Statistics/Lottery Systems: The Vita Statistics system is used to record birth registrations, marriage licences and burial permits. The Lottery system records lottery licences. None of these systems enforce periodic user password changes. @ Deloitte & Touche LLP and affiliated entities. Recommendation - June 2004 Birth registration, municipal licences, permits and compliance letters should be issued on pre-printed forms with special features to prevent falsification. Forms should be sequentially numbered to allow management to control the number of registrations, licences and permits issued by the Division. All issuance of licences and permits should be recorded in a database to allow Clerks Division to maintain better control of the documents and, if applicable, the expiry date. Private information should be kept securely locked during non-business hours. Signage should notify customers to make payments only at the cashiers. Management should consider updating these systems and enforcing users to change their passwords at least every 90 days. Passwords should have a minimum length of 6 characters and, if possible, complexity should be enforced. The system should lockout users who exceed 3 unsuccessful login attempts until the IT Section can reset the password. Management Comments - July 20, 2005 Pre-printed sequentially numbered forms are being used and special security features are pending the integration of upgrades to the Amanda system in the Fall. Enhancement of the existing database will also be realized as part of the Amanda system. Compliance letters are now completed utilizing a standard template including computer generated numbers and are signed by clerical personnel. All central file cabinets are locked during non-business hours and the key secured. Counter signage has been established and permanent signage is being reviewed. Excel database created and implemented by IT for affected staff. Restricted password access established. Procedures have been developed. ~ r;¡:¡:. l\;' , Follow up - October 19, 2005 Management comments address the recommendations. Pre-printed sequentially numbered forms are only used for marriage and lottery licenses, thus the recommendation has not been fully implemented. Compliance letters are completed using a standard template however the numbering system is still manual. There is no formal database for the issuance of all licenses and permits. Management comments address the recommendations and appear to have been implemented. Recommendations have yet to be implemented. Expected to be implemented upon remodeling of the counter area. Management comment does not appear to address password changes in Vital Statistics and Lottery System Software. Although computer network access requires regular password changes, access to Vital Statistics/Lottery systems do not currently appear to require password changes. City of Pickering - Clerk's Revenue Process 4 Clerks Division Revenue Cycle Recommendations From Deloitte & Touche Insight and Implication Segregation of Duties: Manual parking tickets are keyed into the system by the Clerks Division, which is also responsible for processing ticket cancellation, recording payment, obtaining car owner information from the MTO and sending plates to plate denial. Recommendation - June 2004 The following duties should be segregated. Bv-Iaw Section or an indeDendent Dartv . Recording ticket information into Ticket Processor from handhelds and manual tickets should be delivered directly to this section. By-law Section should not have access to Ticket Processor functionalities other than uploading and viewing tickets. Clerical Dersonnel . Reconciling tickets recorded in Ticket Processor with handheld print-outs or manual tickets; . Recording payment into Ticket Processor; . Cancelling tickets according to cancellation policies; . Obtaining MTO car owner information; and . Sending plate to plate denial . Ticket cancellations, PayTicket payment reversal and plate denial activities should also be co-signed by a second clerical staff member and reviewed by management on a regular basis. Exceptions from cancellation policy should be approved by management and reasons noted. If possible, system should log the user responsible for the cancellation and second review. Finance . Receiving payments done at the cashier, drop-box, direct deposit via PayTicket or cheques from MTO. . Recording payment received in the accounting system. . Reconciling payments processed by Finance with payment information recorded into Ticket Processor. @ Deloitte & Touche LLP and affiliated entities. Management Comments - July 20, 2005 Duties have been segregated and controls established, including a cancellation policy. This process will be further reviewed upon the purchase of the new parking ticket handheld units. Co-signing of all documents is strictly enforced. Plate information can only be accessed by the Manager, By-law Enforcement and one senior MLEO officer. One clerical personnel confirms the search and matches to the appropriate parking ticket. Daily log for Pay Tickets is completed and signed by the City Clerk, then forwarded to Finance staff for processing. Reconciliation on a monthly basis is completed by the Clerk's Assistant and amended forms are forwarded to Finance staff for payment. Any payment processing is handled by the cashiers in the Finance Division. Follow up - October 19, 2005 Management comments address the recommendations. Segregation of duties have not been implemented as recommended. Co-signing of documents, daily log of Pay Tickets, reconciliation of Moneris information and payment processing has been implemented. City of Pickering - Clerk's Revenue Process 5 Q ~ W Clerks Division Revenue Cycle Recommendations From Deloitte & Touche Insight and Implication Ticket Cancellation Process: Condominium or private area parking tickets are cancelled upon issuer request. During our work, we identified a ticket that was cancelled upon the receipt of a fax document. The fax had the logo of the condominium but it was not signed and did not indicate the full name of the condominium representative. In addition, there is no second review/ approval for the cancellation of a ticket. Reconciliation: Ticket payments processed by Finance and recorded into the G/L are not reconciled to the tickets paid in Ticket Processor (system used to control parking tickets). Logic Security: Information stored in the handheld units is downloaded via Citation+, which produces a text file to be saved in a network directory. A File is then uploaded into Ticket Processor by appropriate clerical personnel. The Interface file contains control totals; however, the Ticket Processor does not perform checks to ensure information was uploaded correctly. Recommendation - June 2004 Each condominium or private area should formally designate the appropriate personnel who will have the authority to cancel tickets. Only authorized personnel should be able to request the cancellation of a ticket. Requests should be signed and the original document should be compared to the name and signature in the authorization process and filed together with the cancelled tickets. Ticket cancellation should be co-signed by two clerical staff members. Any exceptions from the policy should be approved by management and reasons noted. Management should review cancellations on a regular basis. Monthly reconciliations should be performed, documented and signed-off by an independent party. Payments processed by Finance should be compared to the information in the Ticket Processor system. Information downloaded from the handhelds should be saved in a protected directory in the network to which only the Ticket Processor has access. Control totals checks should be implemented in Ticket Processor to ensure information was uploaded correctly. Additionally, tickets uploaded into Ticket Processor should be reconciled to the handhelds printed tickets by an independent party. Clerical personnel should not have access to change nor to modify ticket information uploaded from handhelds. @ Deloitte & Touche LLP and affiliated entities. Management Comments - July 20, 2005 <:> ~ ;,þ. Follow up - October 19, 2005 The Clerks Division, in accordance with the Management comments do not cancellation policy, handles all cancellations. address the recommendations. A letter was sent to all condominiums advising Management has implemented a of this change in policy in the fall of 2004. cancellation policy however it does not include the recommended listing of formally designated personnel with approval to authorize ticket cancellation. Monthly reconciliations have re-commenced since the hiring of the new City Clerk. Information from the downloads are saved within a protected directory and errors are verified by clerical personnel prior to further processing. All ticket reconciliations are handled by one clerical personnel, with an additional sign off by the Clerk's Assistant. Clerical staff do not have the authority to change or modify the ticket information uploaded. Management comments address the recommendation. Formal reconciliations are not being performed by the Audit Analyst pending the launch of the Amanda software. Management comments address the recommendation. Reconciliations of uploaded information and ticket information has not been implemented. Clerical personnel restricted as they do not have access to change or modify uploaded ticket information. City of Pickering - Clerk's Revenue Process 6 Clerks Division Revenue Cycle Recommendations From Deloitte & Touche Insight and Implication Payments Received at the Drop-Box: Payments received at the drop-box are directed to the clerical personnel to ensure parking tickets are due (i.e., identify whether ticket is in court or was sent to MTO for plate denial). If Clerks Division approves payment receipt, then cheque or cash is sent to Finance to process payment. Car Owner Request to MTO: Tickets that are not paid up to 14 days after the due date are extracted from Ticket Processor and a text file is produced to be sent to MTO, which sends back a text file containing the car owner information. A Text file is received by clerical personnel and uploaded into Ticket Processor. If the information received from MTO is inconsistent or the car owner information can not be found, the ticket is cancelled. Distribution of Manual Ticket Books: Parking ticket books are distributed at the Clerks Division. To obtain a book, a document identifying the number sequence of the book must be signed by the recipient/parking control officer. However, no identification is requested, as the recipients are usually in uniform. Ticket Processor Audit Trail: Ticket Processor records audit trails. However, there are no customized reports to be used for monitoring purposes. In order to check all the operations done by clerical personnel, a query needs to be run against the database. @ Deloitte & Touche LLP and affiliated entities. Recommendation - June 2004 Drop-box content should be directed to Finance to count and document the payments received. A list of payments should then be sent to the Clerks Division to identify whether payments should be processed or returned to the customer. Cancellation due to inconsistent or lack of information should be co- signed by two clerical personnel. Any exceptions from the policy should be approved by management and reasons noted. Management should review cancellations on a regular basis. Ticket books should be given to authorized personnel upon presentation of identification document. Clerks Division should keep track of which officer collected which books. Periodic reconciliations should be performed by an independent party to ensure ticket books are being used appropriately (i.e. if there are no tickets missing nor gaps in the sequence). Customized reports should be developed to allow management to monitor Clerks Division activities. Management Comments - July 20, 2005 Follow up - October 19,2005 Finance document through a log the cheques Management comments address received and send to clerical personnel for the recommendation and have verification. Payment is processed once the been implemented. verification is received. In accordance with the cancellation procedures, all cancellations are reviewed by two clerical personnel and final review and approval by the Manager, By-law Enforcement. A log book for sign out of the books have been established. A copy of the officer identification is kept with the log book for verification purposes. Periodic reconciliations will be undertaken by an independent person. . An RFP for the handheld units has been prepared and specifications have been developed to ensure customized reports can be developed. With the existing units, customized reports cannot be obtained. A cancellation policy requiring co-signing by the two clerical personnel plus management signature for exceptions has been implemented. This policy is consistent with the recommendations, however, it is inconsistent with management comments. Management comments address the recommendations. Management has implemented a log book for the sign out of the books which keeps track of the officer who collected the books. Officer identification and periodic reconciliation were not evident. RFP is still outstanding thus recommendation has not been implemented. City of Pickering - Clerk's Revenue Process 7 a ~ ÇJ1 <9 Deloitte & Touche LLP and affiliated entities. . elOI Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services through more than 6,100 people in 47 offices. Deloitte operates in Québec as Samson Bélair/Deloitte & Touche s.e.n.c.r.1. The firm is dedicated to helping its clients and its people excel. Deloitte is the Canadian member firm of Deloitte Touche Tohmatsu. Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms, and their respective subsidiaries and affiliates. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names "Deloitte," "Deloitte & Touche," "Deloitte Touche Tohmatsu," or other related names. Services are provided by the member firms or their subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein. e 0 '" ~ Member of Deloitte Touche Tohmatsu 067 Ministry of Municipal Affairs and HousinQ Ministère des Affaires municipales et du LoQement ~ Ontario Municipal Performance and Accountability Branch 777 Bay Street, 13th Floor Toronto ON M5G 2E5 Phone: (416) 585-7264 Fax: (416)585-6161 Direction de la performance et de la responsabilisation des municipalités 777, rue Bay, 13" étage Toronto ON M5G 2E5 Téléphone: (416) 585-7264 Télécopieur: (416) 585-6161 November 2005 To Municipal Treasurers and Municipal Auditors: I am writing to share with you some progress we've made on improving the timeliness of the Financial Information Return (FIR) and some additional information on the Municipal Performance Measurement Program (MPMP). In the past, we have received feedback requesting that the tax schedule portion of the FIR be provided earlier so that this section may be completed in advance of the others. I am pleased to inform you that the entire FIR2005, including the tax and MPMP schedules, is now available for downloading at the FIR website. This is about 8 weeks earlier than in most previous years. The FIR website address has changed - please remember to update your bookmarks! http://csconramp.mah.Qov.on.ca/fir/welcome.htm All information on the FIR website, including the FIR2005, Instructions and Start-Up Guide have also been updated and are available for downloading. As in previous years, a Microsoft Excel Spreadsheet will be used for 2005 FIR reporting. Please remember that only FIR's which have been created by the Ministry and downloaded from the FIR website will be acceptable means of submission. Although some minor content changes and improvements have been made, the functionality of the FIR2005 remains very similar to previous years. For a complete list of content changes, please refer to the FIR2005 Content Changes document available at the FIR website. Before downloading and completing the FIRlMPMP Schedules, we recommend that you print the FIR2005 Start-Up Guide for reference. For those of you already familiar with the FIR, we have attached a quick reference sheet to this letter. Once again, the deadline for completing the FIR and MPMP Schedules will be May 31,2006. In1he past, some municipalities have experienced difficulty in submitting required information by this date. I would like to take this opportunity to remind you that filing your FIR and MPMP data by the deadline is a requirement under the Municipal Act, 2001. It is also critical for enabling the province to calculate and reconcile Ontario Municipal Partnership Fund (OMPF) allocations. 12 1322(06195) 068, After the FIR has been completed, it may be submitted by email to: FIR@mah.gov.on.ca Audit Questionnaires should also be submitted to your local Municipal Services Office. Municipal Performance Measurement Program (MPMP) You received a letter from Minister Gerretsen to your Head of Council dated November 17,2005that describes the Municipal Performance Measurement Program (MPMP) requirements for the 2005 reporting year. After reviewing data for the parks and recreation and library measures introduced in FIR2004, the Municipal Performance Measurement Program Advisory Committee recommended revising the formulas for all efficiency measures to include external transfers. This revision should improve the comparability of results. In light of this change, please take time to review the instructions to the FIR for reporting external transfers (Instructions-Schedule 40) and consolidation (Instructions -Introduction). Highlights of these definitions are also included in the instructions to Schedule 91. For FIR2005, the formula for the amount of program support allocated to other functions remains the same. For a detailed discussion of the allocation formula, please see the introductory chapter to the instructions to the FIR. This formula may be revised in FIR2006 to include external transfers. In preparation forthis change, the Treasurer's Group of the Ontario Municipal CAO's Benchmarking Association (OMBI) has suggested that municipalities review any external transfers reported as program support in SLC 40 0260 06. External transfers related to program areas should not be reported on any line for general government. If external transfers are not related to a specific program, they should be reported on1he line for corporate management in SLC 40 0250 06. Detailed instructions for MPMP measures are posted on the FIR web site. Also, see the section called "MPMP Information" for an Excel workbook for apportioning library uses. In addition, a workbook to assist your library in calculating library uses has been posted on the Ministry website: www.mah.gov.on.ca under "Templates: Library Uses - MPMP 2005 Forms". Should you have any questions or require assistance with completing the FIR and/or MPMP, please contact; Debbie Chen-Yin (FIR) at (416) 585-6299, Bohdan Wynnycky (MPMP) at (416) 585-6638, or your nearest Municipal Services Office. Sincerely, Larry Clay Director C: Directors, MMAH Municipal Services Offices