A Performance Audit
An Audit Report on the Centralized Accounting Payroll/Purchasing System Financials at the Health and Human Services Commission
December 2021
Summary Analysis
The Health and Human Services Commission (Commission) established processes and controls over its purchasing and accounts payable data in its Centralized Accounting Payroll/Purchasing System (CAPPS) Financials. However, it did not have adequate processes in place to ensure that its asset data in CAPPS Financials and the State Property Accounting (SPA) system was complete and accurate.
Completeness of Asset Data. Overall, SPA was missing a total of 4,633 assets with a purchase price of $7.5 million. Due to control weaknesses, the Commission cannot ensure that all of its purchased assets are identified in CAPPS Financials.
Accuracy of Asset Data. The Commission did not ensure that the asset data in CAPPS Financials was accurate. Inaccuracies included invalid asset IDs; missing key asset data like serial numbers; non-asset costs, such as cost of shipping, being assigned an asset ID; and assets having an incorrect status.
IT Controls over CAPPS Financials. The Commission’s controls over access to its IT systems are appropriately designed, and the Commission has processes to manage changes to its applications. However, the Commission should improve its management of access to the CAPPS Financials application and database.
The Health and Human Services Commission (Commission) implemented Centralized Accounting Payroll/Purchasing System (CAPPS) Financials in September 2017 to replace the Health and Human Services Administrative System (HHSAS), the Commission’s former financial system.
CAPPS Financials includes (1) eProcurement/Purchasing, (2) Accounts Payable, (3) Asset Management, and (4) General Ledger as core modules in its baseline version. When a payment is processed in CAPPS Financials’ Accounts Payable module, it gets sent to the Uniform Statewide Accounting System (USAS) for payment. Once payment is made, asset data is posted into the CAPPS Financials Asset Management module and then transferred to the State Property Accounting (SPA) system, the State’s asset system of record.
The Commission cannot ensure that either SPA, which is its system of record for assets, or CAPPS Financials contains all of the assets it acquired from September 1, 2019, through March 31, 2021. SPA was missing 3,525 (70 percent) of 5,037 capitalized and controlled assets that the Commission acquired during that time frame. The total cost of these 3,525 assets was $5.8 million. The data in CAPPS Financials was also not complete. It did not include 1,108 laptops that the Commission purchased for $1.7 million in December 2020. These assets were also not in SPA.
In addition, the Commission cannot ensure that its asset data in CAPPS Financials is complete and accurate. This is because the key controls related to asset purchases in CAPPS Financials were optional and could be circumvented, and CAPPS Financials did not always work as intended.
The Commission generally ensured that the assets it disposed of within CAPPS Financials were also disposed of in SPA. A total of 2,044 (99 percent) of the 2,055 disposed assets in CAPPS Financials were also disposed of in SPA.
The Commission had processes and controls in place to ensure the accuracy and completeness of (1) the purchasing data and (2) the accounts payable (payment) data within CAPPS Financials.
Purchasing. All 244,696 transactions related to purchase orders in CAPPS were approved by a person other than the requestor. In addition, all 44 purchase orders tested had supporting documentation, and 37 of those purchases that required a requisition had the required approvals in the requisition.
Accounts Payable. All 40 payments tested were (1) appropriately approved in the CAPPS Accounts Payable module by an individual other than the person entering the voucher and (2) made in amounts supported by invoices and other documentation as applicable.
While the Commission designed appropriate access controls for its IT systems, auditors identified significant weaknesses in the Commission’s ability to manage access to the CAPPS Financials application and database.
To minimize security risks, auditors communicated details about the identified weaknesses separately to the Commission’s management, in writing.
Segregation of Duties. The Commission’s Accounts Payable Department runs a monthly report to ensure that users are not assigned roles where they could both create and approve transactions. The user role assignments in CAPPS Financials showed that no user was assigned both the creator and the approver roles.
Change Management. The Commission established a change management process for its CAPPS Financials system. Specifically, the Commission appropriately documented, authorized, and tested all 25 changes reviewed.