A Performance Audit
An Audit Report on Financial Management at the Railroad Commission
July 2019
Summary Analysis
The Railroad Commission (Commission) generally ensured that the regulatory-related fees that it collected from oil and gas operators, including administrative penalties that were deposited into its Oil and Gas Regulation and Cleanup Fund (Fund), were supported and accurately recorded in the Uniform Statewide Accounting System (USAS). Additionally, the Commission ensured that refunds from the Fund were properly authorized and that refund amounts were accurate and reasonable. However, the Commission should improve its controls over certain revenue processing activities to ensure compliance with Commission requirements.
The Commission also should strengthen access controls over selected information systems; however, it has adequate controls over its change management process and for detecting and correcting data processing errors for those information systems.
While the Commission’s cash receipt process generally ensured that it accurately recorded in USAS and CAPPS the regulatory fees and administrative penalties collected, opportunities exist for the Commission to improve its controls over its cash receipt process, monthly reconciliation of deposited revenues, and the clearing of its suspense fund.
The Commission collected newly established pipeline mileage fees, permit processing fees, and applicable late fees that totaled $3.0 million from June 29, 2018, through January 31, 2019, from pipeline operators. Auditors tested the accuracy of a sample of pipeline mileage fees and permit processing fees, which totaled $699,446, that the Commission collected and recorded in USAS for 53 operators during that time period and determined that the Commission:
- Accurately calculated the pipeline mileage fees tested.
- Collected the correct permit processing fee amount.
- Accurately recorded the collected fees tested in USAS.
However, the Commission did not consistently ensure the accuracy of the data it used to track the active status of operator pipeline permits and the associated pipeline mileage. Specifically, auditors identified inaccuracies in the data related to 2 of the 53 operators tested. For example, the errors included listing an unpaid permit processing fee as paid and listing an inactive operator as active. The Commission also waived a permit processing fee for a third operator; however, it did not have a policy to provide guidance on waiving fees, including required approvals and documentation requirements.
For the administrative penalties it assessed, the Commission (1) ensured that the penalties were collected when required or (2) took appropriate action on past due penalties. From September 1, 2017, through January 31, 2019, the Commission collected and deposited into the Fund administrative penalties of approximately $17.7 million from operators.
The Commission refunded approximately $10.6 million from the Fund for the period of September 1, 2017, through January 31, 2019. The Commission ensured that appropriate management authorized the refunds it processed. It also ensured that the amounts refunded were appropriate and accurately recorded in USAS.
Auditors tested a sample of 22 vendor payments, totaling $388,700, from Economic Stabilization Fund appropriations that were for well-plugging services, and determined that those payments were accurately recorded in USAS and obtained certain required approvals prior to release of payment. However, the Commission should strengthen controls over its vendor payment approval process. Specifically, of the 22 vendor payments tested:
- For 8 (36 percent) payments, totaling $128,826, the Commission did not have documentation, in the form of a signature on the payment voucher, showing that a second member of its accounts payable staff reviewed vouchers prior to payment as required by Commission management.
- For 6 (27 percent) payments, totaling $110,893, the Commission did not ensure that the associated purchase order had received all required approvals prior to purchase. This included 1 payment of $233 on an emergency purchase order for $5,233, for which the Commission did not have documentation showing that executive management approved the emergency purchase order as required by the Commission’s policies and procedures and that the amount paid was accurate.
The Commission did not have adequate controls to ensure that active user accounts were appropriate and necessary as required by the Department of Information Resources’ Security Control Standards Catalog.
In addition, while the Commission had written policies and procedures for managing user access to its information systems, they did not include procedures for either (1) conducting periodic user access reviews or (2) managing unsuccessful logon attempts.
All program change requests tested complied with the Commission’s requirements. Specifically, auditors tested a sample of 32 (21 percent) of 154 program change requests that the Commission implemented from September 1, 2017, through January 31, 2019, for selected information systems. All 32 program changes tested were:
- Reviewed and approved by the appropriate information technology management and staff as required.
- Tested in a test environment before being moved to the production environment.
- Adequately documented, including a description of the program change and the applicable approvals.
- Implemented by employees different from the employees who developed the program change.
The Commission had adequate controls for identifying and correcting data processing errors for the data it processed in selected information systems. An example of a data processing error is the use of an invalid revenue processing code. Auditors tested all six data processing errors recorded in the Commission’s information technology operations log from September 1, 2017, through January 31, 2019. The Commission had supporting documentation showing that, for all six data processing errors tested, (1) it identified and corrected the errors and (2) subsequent data processing jobs ran successfully.