August 19, 2011 at 7:07 am
Credit card control problems found in audit
In the Department of Health and Mental Hygiene, 342 employees used their government credit cards to make $13.5 million in purchases – but lax policies showed an open door for fraud.
The Office of Legislative Audits found no suspicious transactions when it looked over the department’s records. They did find many problems with oversight and control that could make it easy for employees to use their cards for their own purposes.
Card purchases need to be approved by an employee’s supervisor and a department fiscal officer. Auditors looked at 30 monthly card use logs and found that nine of them were not properly approved. Purchases on those cards totaled $99,306.
Each purchase also needs to be verified, and needs to include supporting documentation. In the 30 monthly card use logs examined by auditors, they found 26 purchases worth $20,334 that weren’t properly documented. The purchases were all in eight logs, all of which were approved by the employee’s immediate supervisor. Six of those were also approved by the financial officer. This means that supervisors are not paying close enough attention to the logs, auditors wrote.
Many of the cards also allowed much more spending than the employees could legitimately use them for. Auditors looked at 92 cards that had monthly spending limits of between $10,000 and $68,000. About 72% of these cards never got to half of that monthly spending limit. The report notes two particular cards: one with a $60,000 monthly limit that never had monthly charges over $6,885, and one with a $40,000 monthly limit that had a maximum of $13,059 charged in a month.
In a story last year, we reported that many departments have control issues with government credit cards.
The Department of Health and Mental Hygiene has been unable to verify that birth and death certificates contain valid information, that certificates were only issued to the right people, and that payments for certificates were correctly collected, according to a report issued by the Office of Legislative Audits Thursday.
The attorney general is investigating an employee in one local health department’s office for potential fraud, the report states.
Legislative Auditor Bruce Myers said that serious problems with vital records have been found – and not corrected – in departmental audits since 1999.
“These documents can be used for other things,” Myers said. “This is not just about the money involved. There is potential for immigration fraud.”
Problems with prescription, payments, IT security
The problem with vital records are not the only ones uncovered by auditors. They also found that employees did not always look into how services would be paid for, or go after money they were owed. They did not investigate issues about prescriptions after significant issues were found in pharmacy audits. And there were significant internal control issues with computer networks and IT security, government credit cards, and payroll verification.
In his response to the audit, DHMH Secretary Joshua Sharfstein agreed with the majority of the findings.
“I will work with the appropriate Administrators, Executive Directors, and the Deputy Secretary to promptly address all audit exceptions,” he wrote.
Vital records not verified
The Department of Health and Mental Hygiene issues birth, death and marriage certificates. There are registration and copying fees for all of the certificates, which brought in $7 million in fiscal year 2010.
More important than revenues, birth certificates are used to prove citizenship and get important documents – like driver’s licenses and passports – as well as benefits like Social Security and temporary welfare.
At the state level, information for birth certificates is entered into a computer database. However, the audit noted, the information entered into the database had not been verified with hospitals since the employee who used to have that responsibility left state employment in 2008. And when records were changed to reflect things like spelling errors or changes in paternity information, nobody independently reviewed them. Auditors found that a total of 17 employees were able to make changes to birth certificates.
There was no review of applications for certified birth certificates, either, auditors found. There were 26 users who could both create and print certified birth certificates; there was one who had access to blank certificates, and two with access to related collections. This means fraudulent certified birth certificates could have been created and not caught. And there were no periodic checks on the blank and numbered birth certificates, meaning that nobody made sure that all of the blanks were accounted for.
Additionally, the number of certificates issued was not reconciled with the amount of fees collected. Auditors asked DHMH to try to come up with reconciliation numbers from department records, but they could not report anything accurate. For example, one day, collections of $43,404 were reported – but that day’s deposit was just $21,552.
Local health departments
The same sorts of problems trickled into local health departments, most of which can also issue certified birth, death and marriage certificates. Auditors investigated four departments and found that:
· Employees could both issue birth certificates and process the payments. This means that they could misuse the funds, and not be easily detected. An employee in one county health department has been under investigation by the criminal division of the Attorney General’s Office for this sort of misuse since 2009.
· Too many employees could issue birth and death certificates, even if they did not need to for their jobs. Ten employees at the four departments studied could print the certificates, but did not need to.
Failing to pursue funds
Auditors found problems with the department’s Division of Cost Accounting and Reimbursements, which is supposed to examine patients admitted to the state’s mental health and chronic disease facilities and determine their ability to pay for services. In fiscal year 2009, this division got $102 million from services, while $234 million was determined to be unrecoverable.
Auditors found that the division tended to wait too long to determine if treatment costs could be recovered, did not go after money that was owed, and sometimes made questionable determinations about patients’ ability to pay.
“This is a significant item, especially in these days when the state is watching every dollar,” Myers said. “This is an area where more diligence would have saved the state many, many dollars.”
Auditors looked at 10 accounts for which the division was supposedly investigating the patients’ ability to pay for more than six months. The audit found that seven of the accounts were under investigation for nine to 15 months. One of those belonged to a patient who had been undergoing treatment for 11 months, and was not yet complete.
Most of the completed investigations were not subject to review by supervisors, even though there was paperwork – like tax returns – that was missing. Auditors found that one investigation where it was determined there was no responsible party was particularly questionable – little work had been done and the patient’s Medical Care Program card was on file.
Additionally, the division did not always chase after unpaid funds or refer them to the state’s central collection unit. Auditors looked at 10 accounts worth $2.8 million that had gone uncollected for about four months. The division had not taken adequate steps to get funds from six of them, they found. DHMH is owed about $15 million from unpaid accounts, and $10 million of that has been unpaid for more than 120 days – and therefore should be referred to the central collections unit, auditors found.
Pharmacy investigations and internal control issues
Previous audits found problems at several pharmacies, without proper documentation – like written prescriptions – for several medicines dispensed. DHMH was able to recover some money from the pharmacies, but did not act on the recommendation to expand the investigation at pharmacies to determine if the problem was larger.
Several internal control problems were also found, including:
· Inadequate review of security reports for the hospital management information system, meaning that billings and receivables data could be manipulated without being detected.
· Incomplete logs were kept of security issues – like granting and revoking database privileges — in the electronic vital records system database. Some incidents were logged, but not reviewed.
· Firewalls to protect internal network systems were more porous than they should be. Firewall security logs also were not reviewed.
· Servers were not configured to ensure privacy.
· Samples of manager signatures were not kept to ensure that actual managers were approving employee payroll sheets.
· Necessary documentation for employees working both for DHMH and other departments was not on file. This documentation would solidify working hours at each department.