A Performance Audit
An Audit Report on Manufactured Foods Program Inspection Processes at the Department of State Health Services
January 2020
Summary Analysis
The Department of State Health Services (Department) has implemented a risk-based process to prioritize inspections of food facilities monitored by its Manufactured Foods Program (Program). During the period audited, the Department ensured that the inspections it conducted complied with the targeted timelines established in its policies.
However, the Department’s processes were not sufficient to ensure that all facilities requiring inspections were included in its process for assigning inspections. As a result, the Department had not inspected some facilities for at least 58 months, some of which it had assigned a risk rating of High. Additionally, the Department developed processes designed to ensure that it assigned correct risk ratings to its Program facilities. However, those manual and automated processes did not always work as intended. As a result, some facilities were not assigned a risk rating or were assigned an incorrect one.
While the Department consistently followed its enforcement processes, it did not ensure that it consistently updated the enforcement status in its licensing and enforcement system accurately or within the required time frames. The Department should strengthen its procedures for conducting complaint investigations within the required time frames.
The Department developed and implemented processes to ensure that it identifies and performs inspections for Program facilities. In addition, nearly all of the inspections it conducted from September 1, 2014, through June 30, 2019, complied with the established time frames.
However, the Department did not identify all facilities that should be inspected and, as a result, it did not perform all required inspections. This was caused in part by weaknesses in the Department’s controls over facility records in its licensing and enforcement system, VERSA Regulation (VERSA).
The Department developed manual and automated processes to ensure that correct risk ratings are assigned to Program facilities. The Department’s staff consistently entered facility information into VERSA as required, including information related to violations identified during inspections.
However, the Department staff did not always assign initial risk ratings and the automated program the Department developed did not always correctly reassess and adjust the risk rating. Specifically, an incorrect risk rating was assigned for 17 (28 percent) of 60 facility records tested. Of those 17 incorrect ratings:
- Fifteen facilities should have been assigned a lower risk rating.
- Two facilities should have been assigned a Medium risk rating but were incorrectly assigned a Low.
In addition, 2,781 facilities did not have any risk rating assigned in VERSA. The Department attributed the missing ratings for those records to its processes not working as intended. The Department’s policy is to assign a Medium risk rating to all facilities that have not had an inspection. For 290 (10 percent) of those facilities, the Department had not conducted any inspections from September 1, 2014, through June 30, 2019. The Department had conducted at least one inspection of the other facilities during that time period.
The Department developed policies and procedures that describe and define the various enforcement actions that should be taken for violations identified during inspections of Program facilities, and it complied with the criteria established in those policies for all 60 inspections tested. Specifically, for those inspections, the violations that the inspectors identified were classified correctly according to the Department’s policies. That classification determines whether enforcement actions are required.
The Department’s Program developed and documented policies and procedures for investigating complaints that it receives related to food safety, and it generally ensured that investigators complied with those procedures. However, it should strengthen its procedures for conducting complaint investigations within the required time frames, documenting non-jurisdictional complaints, and maintaining its central complaint tracking spreadsheet. It should also ensure that its documented policies are consistent and match its processes.
The Department established documented policies and controls for the use of its information systems. However, the Department should improve its user access controls and processes for deleting inspection and complaint records.
The Department’s policies require it to disable user accounts when they are no longer needed and to conduct user access reviews. The Department also obtained a System and Organization Controls (SOC) Report for the third-party vendor that maintains VERSA. That report did not identify any issues related to change management, policies and procedures, and backup and recovery. Additionally, the Department established password rules and settings that complied with its policies.
While the Department removed network access for separating employees, it did not consistently disable those users' access to VERSA in a timely manner. In addition, the Department should improve its reviews of user access.
The Department did not have adequate controls over the deletion of inspection and complaint records. Specifically, some users have the ability to delete records without any review or approvals required. The Department also does not have processes for monitoring its inspection and complaint records to identify deletions and verify that they are authorized.
Graphics, Media, Supporting documents