Office of the Legislative Auditor State of Minnesota
Management Letter
Department of Finance Fiscal Year Ended June 30, 1999

MARCH 16, 2000 00-10

Financial Audit Division
The Office of the Legislative Auditor (OLA) is a professional, nonpartisan office in the legislative branch of Minnesota State government. Its principal responsibility is to audit and evaluate the agencies and programs of state government (the State Auditor audits local governments). OLA's Financial Audit Division annually audits the state's financial statements and, on a rotating schedule, audits agencies in the executive and judicial branches of state government, three metropolitan agencies, and several "semi-state" organizations. The division also investigates allegations that state resources have been used inappropriately. The division has a staff of approximately fifty auditors, most of whom are CPAs. The division conducts audits in accordance with standards established by the American Institute of Certified Public Accountants and the Comptroller General of the United States.

Consistent with OLA's mission, the Financial Audit Division works to:
Promote Accountability, Strengthen Legislative Oversight, and
Support Good Financial Management.
Through its Program Evaluation Division, OLA conducts several evaluations each year and one best practices review.

OLA is under the direction of the Legislative Auditor, who is appointed for a six-year term by the Legislative Audit Commission (LAC). The LAC is a bipartisan commission of Representatives and Senators. It annually selects topics for the Program Evaluation Division, but is generally not involved in scheduling financial audits.

All findings, conclusions, and recommendations in reports issued by the Office of the Legislative Auditor are solely the responsibility of the office and may not reflect the views of the LAC, its individual members, or other members of the Minnesota Legislature.

This document can be made available in alternative formats, such as large print, Braille, or audio tape, by calling 651-296-1727 (voice), or the Minnesota Relay Service at 651-297-5353 or 1-800-627-3529. All OLA reports are available at our Web Site: http:// www. auditor. leg. state. mn. us

If you have comments about our work, or you want to suggest an audit, investigation, evaluation, or best practices review, please contact us at 651-296-4708 or by e-mail at auditor@ state. mn. us

OFFICE OF THE LEGISLATIVE AUDITOR State of Minnesota James Nobles, Legislative Auditor Summary Management Letter
Department of Finance Fiscal Year Ended June 30, 1999

Key Findings and Recommendations:
The statutory method used to allocate the assets of the Post Retirement Fund may distort the financial reporting of the individual retirement funds in the state's financial statements. Use of the cost basis may vary from the fair value based allocation required by generally accepted accounting principles. We recommended that the Department of Finance work with the State Board of Investment and the retirement systems to develop a method of calculating participation in the Post Retirement Fund for financial reporting purposes that uses fair value accounting as the basis for the allocation. (Finding 1, page 2)

The department does not provide state agencies with useful or timely information about employees' access to the state's accounting system. The system security report, issued annually, does not allow agencies to easily determine the appropriateness of employees' security clearances. We recommended that the department provide agencies with usable security information, structured to meet their decision-making needs. (Finding 2, page 3)

The department does not understand some parts of the security infrastructure for the state's accounting system. We recommended that the department critically review and document all aspects of the system's security infrastructure. (Finding 3, page 5)

Agency Response:
In its response, the Department of Finance agreed with the report's findings and is taking corrective action to resolve the issues.

Background Information:
The Department of Finance prepares the state's general purpose financial statements and is responsible for the financial operations of the state. The department manages the state's main accounting systems, coordinates the sale of state general obligation bonds, enters into master lease purchase agreements for state agencies, processes payments of some appropriations and grants, and provides guidance to other state agencies in areas of financial management. We expanded our fiscal year 1999 audit scope to include a review of some of the Department of Finance's administrative expenditures, including payroll, computer system services, and professional/ technical services.

Room 140, 658 Cedar Street, St. Paul, Minnesota 55155-1603 Tel: 651/ 296-4708 Fax: 651/ 296-4712 E-mail: auditor@ state. mn. us TDD Relay: 651/ 297-5353 Website: www. auditor. leg. state. mn. us

Department of Finance Table of Contents

Management Letter
Status of Prior Audit Issues
Department of Finance Response

Audit Participation
The following members of the Office of the Legislative Auditor prepared this report: Claudia Gudvangen, CPA Deputy Legislative Auditor Cecile Ferkul, CPA, CISA Audit Manager

Chris Buse, CPA, CISA Audit Manager Tony Toscano Auditor-in-Charge Carl Otto, CPA, CISA Auditor-in-Charge (Information Systems) Charlie Gill Auditor Fubara Dapper, CPA Auditor Keith Bispala Auditor Crystal Eskridge Auditor Eric Roggeman Auditor John Hakes, CPA Auditor Patrick Phillips, CPA Auditor Dan Kingsley Auditor Susan Mady Auditor Natalie Steen Intern

Exit Conference
The findings and recommendations in this report were discussed with the following officials of the Department of Finance at an exit conference held on March 6, 2000:

Anne Barry Deputy Commissioner Lori Mo Assistant Commissioner
Michael Ladd Chief Information Officer Margaret Jenniges Director of Financial Reporting
Barb Ruckheim Financial Reporting Supervisor Ron Mavetz General Ledger Unit Supervisor

OFFICE OF THE LEGISLATIVE AUDITOR State of Minnesota James Nobles, Legislative Auditor
Representative Dan McElroy, Chair Legislative Audit Commission
Members of the Legislative Audit Commission
Ms. Pamela Wheelock, Commissioner Department of Finance

We have preformed certain audit procedures at the Department of Finance as part of our audit of the general purpose financial statements of the State of Minnesota as of and for the year ended June 30, 1999. We have also reviewed department procedures related to the state's compliance with certain requirements described in the U. S. Office of Management and Budget's Circular A-133 Compliance Supplement that were applicable to the department for the year ended June 30, 1999.

The Department of Finance prepares the state's general purpose financial statements and is responsible for the financial operations of the state. The department manages the state's main accounting systems, coordinates the sale of state general obligation bonds, enters into master lease purchase agreements for state agencies, processes payments of some appropriations and grants, and provides guidance to other state agencies in areas of financial management.

We expanded our fiscal year 1999 audit scope to include a review of some of the Department of Finance's administrative expenditures, including payroll, computer system services, and professional/ technical services. Our objective was to determine whether the department adequately supported and accurately recorded these transactions and whether they complied with applicable legal provisions or other rules or regulations. We conducted our audit in accordance with generally accepted auditing standards and the standards applicable to financial audits contained in the Government Auditing Standards,
issued by the Comptroller General of the United States.

Conclusions
Our December 1, 1999, report included an unqualified opinion on the State of Minnesota's general purpose financial statements included in its Comprehensive Annual Financial Report for the year ended June 30, 1999. In accordance with Government Auditing Standards, we also issued our report, dated December 1, 1999, on our consideration of the State of Minnesota's internal control over financial reporting and our tests of compliance with certain provisions of laws, regulations, contracts, and grants. In March 2000, we will issue our report on compliance with requirements applicable to each major federal program and internal control over compliance in accordance with the U. S. Office of Management and Budget's Circular A-133. As a result of our financial statement audit work, we identified some internal control weaknesses, which we discuss in Findings 1 through 3 below. Our review of the Department of Finance's administrative expenditures concluded that the department adequately supported and accurately recorded transactions in the state's accounting records. The department complied with material finance-related legal provisions and bargaining unit agreements with respect to the items tested.

1. The statutory method used to allocate the assets of the Post Retirement Fund may distort the state's financial statements.
The method the State Board of Investment (SBI) used to allocate the assets of the Post Retirement Fund may distort the participation of the retirement plans in the Post Retirement Fund. Although SBI based its allocation method on statutory provisions, current accounting pronouncements require a different valuation method.

As required by state statute, SBI used the cost basis of the fund's investments to determine each retirement plan's share. SBI then applied that participation percentage to the fair value of investments to allocate the fund's assets. The Government Accounting Standards Board (GASB) Statement No. 31, Accounting and Financial Reporting for Certain Investments and for External Investment Pools requires governmental entities to report investments at fair value (market value). Use of the cost basis to determine participation in the Post Fund could distort the financial reporting of the individual retirement funds in the state's financial statements and in the retirement plans' separately issued financial statements. Table 1 shows a simplified calculation of the differences between an allocation using the cost basis and one using fair value basis for determining each retirement plan's share in the Post Fund.

Table 1 Comparison of Fair Value to Cost Basis for Computing Participation in the Post Retirement Investment Fund At June 30, 1999 (1)

Retirement Fund Cost Basis Fair Value Basis (2) Difference
Teachers Retirement Fund $ 8,669,445,383 $ 8,638,394,071 ($ 31,051,312)
State Employees Retirement Fund 2,655,240,917 2,664,644,562 9,403,645
Public Employees Retirement Fund 5,624,136,719 5,656,823,857 32,687,138
Police and Fire Fund 927,990,723 909,031,354 (18,959,369)
Police and Fire Consolidation Fund 869,446,198 885,431,496 15,985,298
State Patrol Retirement Fund 290,298,723 283,840,434 (6,458,289)
Legislative Retirement Fund 34,465,694 36,281,617 1,815,923
Correctional Employees Retirement Fund 127,997,370 120,866,230 (7,131,140)
Judicial Retirement Fund 94,434,292 98,142,398 3,708,106

Total $19,293,456,019 $19,293,456,019 $ 0
(1) Amounts reported in this table are based on year-end values and do not reflect changes in fair value during the year.

(2) Fair value amounts for fiscal year 1999 were calculated by using the fair value of individual retirement fund assets at June 30, 1998, adding current year contributions and withdrawals, and adding the statutorily required six percent earnings increase and the annual Post Fund benefit increase. Source: Office of the Legislative Auditor analysis.

Each retirement fund's investment balance could be distorted in the state's financial statements as a result of the procedures used to determine participation in the Post Retirement Fund. Because the Department of Finance has the responsibility to prepare the state's annual financial statements, it needs to work with SBI and the retirement systems to develop another method of calculating participation for financial reporting purposes. The new method needs to consider adjusting for fair value changes on a more frequent basis, such as monthly or quarterly. Recommendation
The Department of Finance should work with SBI and the retirement funds to develop a method of calculating participation in the Post Retirement

Fund for financial reporting purposes that uses fair value accounting as the basis for the allocation.

2. The department does not provide state agencies with useful or timely MAPS security information.

Annually, the Department of Finance distributes one MAPS security report to state agencies. The purpose of this report is to give agencies a tool to assess the appropriateness of employee security clearances. This report does not provide agencies with a sufficient level of detail to make informed security decisions. The report's usefulness is also diminished because the department produces it only once each year.

The MAPS security report does not identify the specific tables or screens that employees can use to accomplish business functions, such as recording deposits and processing payments. Instead, it lists each employee's security profile. As Figure 2-1 illustrates, this format forces agency managers to use a separate document to identify the specific security groups that fall within each profile. Agencies then must use a second external document to identify the specific screens and tables accessible through each security group.

Figure 2-1 Identifying Screens and Tables Accessible From A MAPS Security Profile

Security Profile

Security Group #1
Security Group #2
Security Group #3
Security Group #4
Security Group #9
Security Group #8
Security Group #7
Security Group #6
Security Group #5

Table A
Table L
Screen J
Screen K
Screen 6

Screen 9

Table R
Table T
Screen Y
Screen W
Screen X

Table W
Table B1
Screen C
Screen E
Screen G

Table E
Table F
Screen A
Screen B

Table 8
Table 32
Table 43
Table 18
Table 45

Table 49
Table 17
Table 81
Table 82

Table 13
Table 6
Screen J
Screen P7
Screen 96

Screen 99

Table 16
Table 18
Screen J
Screen 19
Screen 22

Screen 23
Screen 4
Screen X

Table N
Table O
Table 87
Table 92
Screen Z

Step #1: Use external document to identify security groups within each profile

Step #2: Use second external document to identify specific screens and tables accessible from each security group

This manual translation process places an unnecessary burden on state agencies and creates a disincentive to monitor employee security clearances. It also makes it difficult to scrutinize security clearances across an entire agency. For example, it is now very difficult to identify all employees in an agency who can process a particular type of transaction, such as a vendor payment. It is even more difficult to identify those employees who can perform incompatible business functions, such as purchasing goods and processing vendor payments. Though we did not find any evidence of security breaches, searching for such breaches was not a primary objective of this audit.

The effectiveness of the MAPS security report is further diminished because the department only distributes it annually. State agency managers are responsible for reviewing employees' job duties and selecting appropriate security clearances. They also are responsible for modifying employees' security clearances when their job duties change. Without detailed and timely security information, agencies cannot fulfill these important responsibilities.

Recommendation
The department should provide state agencies with usable MAPS security information, structured to meet their decision-making needs.

3. The department does not understand some parts of the MAPS security infrastructure.
The Minnesota Accounting and Procurement System (MAPS) security infrastructure has some employee and special purpose accounts with very powerful security clearances. The Department of Finance could not explain the purpose of these accounts or why they needed such a high level of clearance.

We identified several reasons why the MAPS security officers have difficulty understanding some aspects of the security infrastructure. The security infrastructure has evolved since MAPS became operational in 1995. It is now quite complex and many of the original developers no longer work for the department. In some cases, current security officers have little or no documentation to support complex security decisions that were made by their predecessors. For example, one security infrastructure component that we reviewed gives a large group of people clearance to change critical MAPS business data. The department's security officers agree that very few people should need this type of clearance to fulfill their job responsibilities. However, they are reluctant to revoke this clearance, fearing that its removal could disrupt statewide business operations. Without historical documentation, current security officers now must investigate the original purpose of this security infrastructure component before making any changes. We also found certain employees with complete and unfettered access to all MAPS programs and business data. Current security officers removed these powerful clearances after concluding that they were unnecessary. To improve controls, the department needs to critically review all aspects of the MAPS security infrastructure. This critical review will help the department identify and remove outdated infrastructure components that could lead to security breaches. The department should also develop high-level documentation that describes the security infrastructure. This documentation will help the department proactively assess how future system enhancements will impact the security infrastructure.

Recommendation
The department should critically review and document all aspects of the MAPS security infrastructure.

This report is intended for the information of the Legislative Audit Commission and the management of the Department of Finance. This restriction is not intended to limit the distribution of this report, which was released as a public document on March 16, 2000.

/s/ James R. Nobles /s/ Claudia J. Gudvangen
James R. Nobles Claudia J. Gudvangen, CPA Legislative Auditor Deputy Legislative Auditor
End of Fieldwork: January 28, 2000
Report Signed On: March 13, 2000

Status of Prior Audit Issues As of January 28, 2000 March 12, 1999, Legislative Audit Report 99-18 examined the department's activities and programs material to the State of Minnesota's Comprehensive Annual Financial Report and the Single Audit for the year ended June 30, 1997. The scope included general obligation bond sales, debt service transfers, master lease transactions, municipal energy loans, and appropriation transfers to the University of Minnesota. The audit also covered federal requirements relating to cash management and indirect costs. The report contained three findings. The department implemented all of the recommendations : It improved its oversight of agencies preparing financial statement data, it resolved issues related to the cancellation of outstanding warrants, and it performed reconciliations to verify the accuracy of earnings posted to the Invested Treasurers Cash investment pool.

State of Minnesota Audit Follow-Up Process
The Department of Finance, on behalf of the Governor, maintains a quarterly process for following up on issues cited in financial audit reports issued by the Legislative Auditor. The process consists of an exchange of written correspondence that documents the status of audit findings. The follow-up process continues until Finance is satisfied that the issues have been resolved. It covers entities headed by gubernatorial appointees, including most state agencies, boards, commissions, and Minnesota state colleges and universities. It is not applied to audits of the University of Minnesota, any quasi-state organizations, such as the metropolitan agencies, or the State Agricultural Society, the state constitutional officers, or the judicial branch.

March 10, 2000
James R. Nobles Legislative Auditor
Office of the Legislative Auditor 1 st Floor South-Centennial Building
658 Cedar Street St. Paul, Minnesota 55155

Dear Mr. Nobles:
Thank you for the opportunity for my staff to discuss your audit findings with the people in your office responsible for the Department of Finance audit. We are committed to providing accurate financial information to state agencies, the legislature, and the public. We will continue to work toward improvements in our processes.

Recommendation
The Department of Finance should work with SBI and the retirement funds to develop a method of calculating participation in the Post Retirement Fund for financial reporting purposes that uses fair value accounting as the basis for the allocation. Response
Although Post Retirement Fund investments are reported at fair (market) value as required by GASB Statement No. 31 and each retirement plan's share is determined in accordance with statute, we agree that the suggested methodology may be a more equitable approach. We will work with SBI and the retirement funds to explore other options. Our first steps will be to clarify our options with GASB and evaluate the need for a statute change. Person responsible: Margaret Jenniges Estimated Completion date: August 2000, if no statute change is needed.
Recommendation
The department should provide state agencies with usable MAPS security information, structured to meet their decision-making needs.

State of Minnesota Department of Finance 400 Centennial Building 658 Cedar Street St. Paul, Minnesota 55155 Voice: (651) 296-5900 Fax: (651) 296-8685
TTY: 1-800-627-3529

Page 2 March 10, 2000
Response
While no security breaches have been identified as a result of the shortcomings described in this finding, we agree that agency review of security authorizations will be enhanced by a more user friendly format. The department will assign appropriate analysis resources to thoroughly review agency security reporting needs and requirements, and then will develop the appropriate processes and reports to address the agency decision-making needs. We will begin doing the analysis of the reporting needs and requirements by the end of March 2000, and from that assessment we will determine the appropriate completion date to have this audit finding recommendation satisfied.

Person responsible : John Chesnutt
Estimated completion date: Initial assessment May 2000
Recommendation
The department should critically review and document all aspects of the MAPS security infrastructure.

Response
We agree with this finding of the OLA audit. The MAPS security infrastructure has contained security clearances that were necessary in 1995 when MAPS became operational. We have reviewed these clearances accordingly, and some of the clearances needed in 1995 are no longer needed and have been removed. We have already contacted the application vendor requesting an explanation of these parts of the infrastructure. We will be documenting our findings to provide a complete understanding of the security infrastructure.
Person responsible : John Chesnutt
Estimated completion date: May 2000

Sincerely,
/s/ Anne M. Barry, Deputy Commissioner for

Pamela Wheelock Commissioner

Home | Financial Audit Division | Program Evaluation Division | Search