Department of Finance
Financial Audit Division

The Office of the Legislative Auditor (OLA) is a professional, nonpartisan office in the legislative branch of Minnesota State government. Its principal responsibility is to audit and evaluate the agencies and programs of state government (the State Auditor audits local governments). OLA's Financial Audit Division annually audits the state's financial statements and, on a rotating schedule, audits agencies in the executive and judicial branches of state government, three metropolitan agencies, and several "semi-state" organizations. The division also investigates allegations that state resources have been used inappropriately. The division has a staff of approximately fifty auditors, most of whom are CPAs. The division conducts audits in accordance with standards established by the American Institute of Certified Public Accountants and the Comptroller General of the United States.

Consistent with OLA's mission, the Financial Audit Division works to:
Promote Accountability, Strengthen Legislative Oversight, and
Support Good Financial Management.
Through its Program Evaluation Division, OLA conducts several evaluations each year and one best practices review.

OLA is under the direction of the Legislative Auditor, who is appointed for a six-year term by the Legislative Audit Commission (LAC). The LAC is a bipartisan commission of Representatives and Senators. It annually selects topics for the Program Evaluation Division, but is generally not involved in scheduling financial audits.

All findings, conclusions, and recommendations in reports issued by the Office of the Legislative Auditor are solely the responsibility of the office and may not reflect the views of the LAC, its individual members, or other members of the Minnesota Legislature.

This document can be made available in alternative formats, such as large print, Braille, or audio tape, by calling 651-296-1727 (voice), or the Minnesota Relay Service at 651-297-5353 or 1-800-627-3529. All OLA reports are available at our Web Site: http://www.auditor.leg.state.mn.us

If you have comments about our work, or you want to suggest an audit, investigation, evaluation, or best practices review, please contact us at 651-296-4708 or by e-mail legislative.auditor@state.mn.us

Representative Tim Wilkin, Chair
Legislative Audit Commission

Members of the Legislative Audit Commission

Mr. Dan McElroy, Commissioner
Minnesota Department of Finance


We have conducted an information technology audit of state agency spending authority controls. The primary purpose of this audit was to determine if the Department of Finance had controls to ensure that state agencies used funds for their prescribed purposes and did not exceed the spending authority limits imposed by lawmakers. Our audit reviewed spending authority controls as of November 2003.

We conducted our audit in accordance with auditing standards generally accepted in the United States of America contained in Government Auditing Standards, issued by the Comptroller General of the United States. Those standards require that we obtain an understanding of management controls relevant to the audit. The standards also require that we design the audit to provide reasonable assurance that the Department of Finance complied with provisions of laws, regulations, contracts, and grants that are significant to the audit. The department’s management is responsible for establishing and maintaining the internal control structure and complying with applicable laws, regulations, contracts, and grants.

Information technology audits frequently include the review of sensitive security data that is legally classified as nonpublic under the Minnesota Data Practices Act. In some cases, to protect state resources and comply with the Minnesota Data Practices Act, we must withhold security-related details from our publicly released report. When these situations occur, we communicate all pertinent details to agency leaders in a separate, confidential document. For this audit, we issued a separate, confidential document to the management of the Department of Finance.

This report is intended for the information of the Legislative Audit Commission and the management of the Department of Finance. This restriction is not intended to limit the distribution of this report, which was released as a public document on January 6, 2004.

/s/ James R. Nobles /s/ Claudia J. Gudvangen, CPA

James R. Nobles Claudia J. Gudvangen, CPA
Legislative Auditor Deputy Legislative Auditor

End of Fieldwork: November 14, 2003

Report Signed On: January 2, 2004

Table of Contents
Report Summary
Chapter 1. Introduction
Chapter 2. State Agency Spending Authority Controls
Agency Response

Audit Participation

The following members of the Office of the Legislative Auditor prepared this report:

Claudia Gudvangen, CPA Deputy Legislative Auditor
Christopher Buse, CPA, CISA, CISSP Information Technology Audit Manager
Michael Hassing, CPA Auditor-in-Charge
Susan Mady Auditor

Exit Conference

We discussed the results of the audit with the following staff of the Department of Finance at an exit conference on December 19, 2003:

Anne Barry Deputy Commissioner
Lori Mo Assistant Commissioner, Accounting &
Information Services
Peggy Ingison Assistant Commissioner, Budget
Services
Ron Mavetz Agency Support Director
Steve Olson MAPS Security Officer
Norman Foster Executive Budget Officer
Tim Jahnke Executive Budget Officer



Report Summary

Overall Audit Conclusions

The Department of Finance has adequate controls to ensure that new appropriations recorded in the Minnesota Accounting and Procurement System (MAPS) agree with amounts authorized in law. The department also implemented computerized edits in MAPS to ensure that state agencies could not exceed the spending authority in their appropriation accounts. Furthermore, the department protected MAPS appropriation records from unauthorized changes. However, inadequate controls over appropriation transfers could provide state agencies with an avenue to circumvent spending authority limits and use funds for unauthorized purposes. Finally, we identified some appropriation accounts with large spending authority balances that were not properly secured.

Key Findings and Recommendations

The department does not have effective controls to prevent or detect unauthorized appropriation transfers. The ability to transfer spending authority between appropriation accounts in MAPS had not been restricted to only those employees who needed such access. We also found widespread noncompliance with policies and procedures developed by the department to control appropriation transfers. Should unauthorized transfers occur, the department may not detect them because it had design flaws in its monthly reconciliation procedures. (Finding 1, page 9)

The department did not properly secure some appropriation accounts that were created to move cash between funds in MAPS. Though the department did not intend to give these state agencies the authority to spend the money in these accounts, we found two cases where the Department of Transportation transferred out a total of $8.8 million. The Department of Finance is now investigating the propriety of these transfers. (Finding 2, page 10)

Background

This information technology audit assessed the adequacy of state agency spending authority controls. The Minnesota Legislature gives state agencies the authority to spend when it passes appropriation laws. The Legislature also codifies recurring spending authority decisions in Minnesota Statutes. Agencies must use funds for their prescribed purposes and not exceed the spending authority limits imposed by lawmakers. The Department of Finance plays a pivotal role in ensuring that state agencies do not exceed their spending authority limits.

Chapter 1. Introduction

This information technology audit assessed the adequacy of state agency spending authority controls. The Minnesota Legislature gives state agencies the authority to spend when it passes appropriation laws. The Legislature also codifies recurring spending authority decisions in Minnesota Statutes. Agencies must use funds for their prescribed purposes and not exceed the spending authority limits imposed by lawmakers.

The Department of Finance plays a pivotal role in ensuring that state agencies do not exceed their spending authority limits. The department performs reconciliations and other manual control procedures to monitor state agency spending limits. The department also relies on numerous computerized edits in the Minnesota Accounting and Procurement System (MAPS).

Unique MAPS appropriation accounts are one tool used by the department to help ensure that funds appropriated by the Legislature for one program are not inadvertently used for another. Unique appropriation accounts also help keep agency spending within legally imposed limits. Most state agencies have many appropriation accounts in MAPS. In fact, it is quite common for agencies that oversee many programs to have hundreds of appropriation accounts. For example, the Department of Natural Resources had 577 appropriation accounts for budgetary fiscal year 2003. In total, MAPS had 5,785 appropriation accounts for budgetary fiscal year 2003.

Determining the spending authority limit of an appropriation account is a complex process that includes many factors. Amounts directly appropriated by the Legislature are typically the most significant factor. However, the Legislature also gives some agencies the authority to spend receipts that they collect for certain program activities. These types of receipts are commonly referred to as “dedicated” receipts. Legislators also give some agencies the authority to carry forward unused funds from prior years for certain programs. And finally, the Legislature sometimes gives certain agencies the authority to transfer funds between programs. Employees in the Department of Finance add special codes to each MAPS appropriation account to reflect these decisions made by legislative leaders. MAPS then uses these codes to compute the spending authority limit of each appropriation account.

The available spending authority balance in appropriation accounts can change daily. For example, the available balance decreases each time funds are used to pay for authorized program expenditures. The available balance also decreases when transfers are made to other appropriation accounts. If provided for by law, agencies may balance forward a portion of their current spending authority to the subsequent year. Finally, any unused spending authority that cannot be balanced forward simply cancels on the end date of each appropriation. Figure 1-1 illustrates the sources and uses of spending authority.

Figure 1-1
Sources and Uses of Spending Authority


Source: Auditor prepared.

During budgetary fiscal year 2003, the departments used MAPS appropriation accounts to manage over $36.1 billion in spending authority. As illustrated in Table 1-1, approximately $27.4 billion of that spending authority was used to pay for program expenditures, and
$2.6 billion was balanced forward to budget fiscal year 2004 accounts. Approximately $5 billion was either automatically canceled by MAPS or was reclaimed by the Legislature. At the time of our audit, over $800 million of the remaining $1.1 billion of spending authority had been encumbered to pay for impending program expenditures. This left an unobligated spending authority balance of approximately $268 million.


Table 1-1
Total Sources and Uses of Budgetary Fiscal Year 2003 Spending Authority
All Funds as of November 2003

Budget Fiscal
Spending Authority Category Description Year 2003 Total

Direct appropriations from the Legislature $21,484,555,506
Dedicated receipts 9,506,884,792
Balances forwarded in from prior year appropriations 5,116,969,114

Total Spending Authority Sources $36,108,409,412

Program expenditures $27,436,394,860
Balances forwarded out to subsequent year appropriations 2,592,310,748
Legislative recaptures 764,933,000
Automatic cancellations of unused funds 4,207,347,107

Total Spending Authority Uses $35,000,985,715

Remaining Spending Authority (Note 1) $ 1,107,423,697

Note 1: $839,252,617 of this balance was reserved for encumbrances, leaving an unobligated balance of $268,171,080.

Source: Auditor prepared from MAPS appropriation data.


Chapter 2 discusses the scope, objectives, and methodology that we used to assess the adequacy of spending authority controls. We obtained our evaluation criteria from the Control Objectives for Information and Related Technology (COBIT), published by the Information Systems Audit and Control Foundation. The COBIT Framework includes 34 high-level control objectives and 318 detailed control objectives, grouped in four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring.


Chapter 2. Spending Authority Controls

Chapter Conclusions

The Department of Finance implemented controls to ensure that new appropriation amounts entered in the Minnesota Accounting and Procurement System (MAPS) were authorized by law. The department also implemented security features to protect MAPS appropriation data from unauthorized changes. Finally, the department implemented computerized controls in MAPS to keep agencies from exceeding the spending authority limits in their appropriation accounts.

However, inadequate controls over appropriation transfers provided state agencies with an avenue to circumvent spending authority limits and use funds for unauthorized purposes. Many people had inappropriate security clearances that gave them the ability to transfer spending authority from one appropriation account to another. We also found widespread noncompliance with the policies adopted by the department to control appropriation transfers. Finally, design flaws significantly limited the effectiveness of the monthly reconciliation used by the department to detect unauthorized transfers.

The department gave some state agencies inappropriate clearance to appropriation accounts that are used to move large sums of cash from one fund to another in MAPS. The department did not intend to give state agencies the authority to spend the money in these accounts. However, we found two cases where the Department of Transportation transferred a total of $8.8 million out of one of these accounts. The propriety of these two transfers is now being investigated by the Department of Finance.


The Department of Finance has developed a mix of preventive and detective control procedures to ensure that state agencies do not exceed their legally imposed spending limits. Most preventive controls are built into the Minnesota Accounting and Procurement System (MAPS). For example, edit programs in MAPS will not let an agency process a payment against an appropriation account that does not have sufficient spending authority. Most detective control procedures, such as reconciliations, are initiated by employees.

Employees in several divisions help validate the accuracy of appropriation accounts. Before entering appropriation records in MAPS, executive budget officers confirm the accuracy of each appropriation’s legal citation and amount. They also confirm the accuracy of codes that dictate the year-end treatment of unspent funds and dedicated receipts. After entry into MAPS, appropriation amounts are independently verified by employees in a different division. Security clearance to modify appropriation amounts and codes is limited to select employees who need such access to fulfill their job duties.

Department of Finance policies require agencies to obtain approval from their executive budget officer before transferring spending authority from one appropriation to another. This policy-based control gives the department an opportunity to verify that the requested transfer is allowable under law. In MAPS, this process begins when an agency enters an anticipated transfer (AT) transaction. Executive budget officers are responsible for reviewing these anticipated transfers and entering their approval in MAPS. Once approved by their executive budget officer, agencies can process an actual transfer of appropriation (TA) transaction.

The department did not deploy computerized edits to prevent agencies from transferring spending authority between appropriations without first obtaining the executive budget officer’s approval. Instead, the department developed a monthly reconciliation to identify unauthorized appropriation transfers after the fact.

Audit Objectives and Methodology

Our audit assessed the adequacy of key spending authority controls. Specifically, we designed our work to answer the questions:

Did the department implement controls to ensure that new appropriations recorded in MAPS agreed with amounts authorized in law?
Did the department implement controls to ensure that state agencies could not exceed their legally authorized spending authority?
Did the department implement controls to ensure that all appropriation transfers were authorized by law?
Did the department implement controls to protect appropriation data from unauthorized changes?
Did the department implement controls to ensure that appropriation balance forwards between budgetary fiscal years were accurately processed?

To answer these questions, we interviewed employees from various divisions in the Department of Finance and reviewed pertinent policies and procedures. We also ran queries in MAPS and used computer-assisted audit tools to validate our understanding of key spending authority controls. Finally, we extracted and analyzed data from the security systems underlying MAPS.

Conclusions

The Department of Finance implemented controls to ensure that new appropriation amounts entered in the Minnesota Accounting and Procurement System (MAPS) were authorized by law. The department also implemented security features to protect MAPS appropriation data from unauthorized changes. Finally, the department implemented computerized controls in MAPS to keep agencies from exceeding the spending authority limits in their appropriation accounts. However, as discussed in Finding 1, the department did not have effective controls to prevent or detect unauthorized appropriation transfers. Finding 2 discusses our concerns that the department also did not properly secure some appropriation accounts that were created to move cash from one fund to another in MAPS.


1. The department does not have effective controls to prevent or detect unauthorized appropriation transfers.

To prevent unauthorized appropriation transfers, the Department of Finance has adopted policies and procedures that all agencies must follow. The department also relies on security controls in MAPS. However, we identified significant weaknesses in these security controls and widespread noncompliance with appropriation transfer policies and procedures. Furthermore, should unauthorized transfers occur, the department may not notice them in a timely manner because it has weaknesses in its detective controls.

An extremely large number of state employees had clearance to transfer spending authority from one appropriation account to another. As of June 2003, there were 2,337 state employees who had clearance to enter transactions in MAPS. Over 20 percent, or 437 of these employees had clearance to enter appropriation transfers. However, a substantial number of these employees never used this functionality to fulfill their job duties. Transferring spending authority between appropriation accounts is a complex process with significant legal compliance concerns. As such, it is important to limit this capability to only those individuals who need such clearance to fulfill their job duties. Typically, these individuals are accounting leaders who possess a strong understanding of Department of Finance policies as well as their agency’s finance-related legal compliance requirements. Granting this clearance to others beyond this group exposes legislatively authorized resources to unnecessary risk.

Department of Finance policies require state agencies to obtain approval from their executive budget officer before making appropriation transfers. This requirement gives the Department of Finance an opportunity to confirm the legality of proposed transfers before spending authority is moved. However, during our audit, we reviewed 2,681 budget fiscal year 2003 transfers and found 319 that were not approved in advance. Employees in the Department of Transportation entered 170 of these appropriation transfers in MAPS, totaling over $935 million, without first obtaining approval from their executive budget officer. On average, these transfers were approved 21 days late. Likewise, the Department of Human Services entered 29 appropriation transfers without obtaining advance approval from their executive budget officer. Totaling over $47 million, these transfers were approved an average of 32 days late. Twenty-six other agencies also failed to comply with the department’s transfer approval procedures, leading us to conclude that this policy-based control is ineffective.

The department performs a monthly reconciliation to detect appropriation transfers that were not approved by an executive budget officer. However, design flaws in this reconciliation would permit certain types of unauthorized appropriation transfers to go undetected. Of greatest significance, the reconciliation would not detect transfers that went to different appropriation accounts than the ones originally approved by the executive budget officer. Our audit identified three situations where this occurred in budgetary fiscal year 2003. The reconciliation also would not detect unauthorized transfers made out of prior budgetary fiscal year accounts. Many state agencies that oversee long-term projects have authority to spend money out of accounts created during prior budgetary fiscal years. In fact, during fiscal year 2003, state agencies processed appropriation transfers totaling over $385 million against prior budgetary fiscal years.

In the short-term, the department needs to revamp its monthly reconciliation to detect all types of inappropriate transfers. The department also needs to emphasize to state agency leaders the importance of complying with its transfer policies and procedures. In the long-term, we encourage the department to search for computerized controls that prevent agencies from processing transfers that have not been properly approved. MAPS has such features, but the department made a decision many years ago to deploy detective controls instead. We feel that the department should revisit its original decision to focus on detective rather than preventive controls, given the magnitude of the current noncompliance and risks associated with appropriation transfers.

Recommendations

The department should work with state agencies to restrict clearance to appropriation transfers to only those employees who need such clearance to fulfill their job duties.

In the short-term, the department should fix the flaws in its monthly reconciliation and work with state agency leaders to decrease the rate of noncompliance with its policies.

In the long-term, the department should search for automated methods to prevent agencies from entering transfers that have not been approved by an executive budget officer.


2. Some state agencies had unnecessary clearance to selected appropriation accounts.

The department did not properly secure some appropriation accounts that were created to move cash between funds in MAPS. These accounts contain money that state agencies do not have legislative authority to spend. For example, employees in the Department of Transportation had clearance to appropriation accounts that were created to transfer cash into the Trunk Highway and County State Aid Highway Funds. These two accounts had balances of $1.49 billion and $825 million, respectively. This clearance was unnecessary because the Department of Transportation had no legal authority to spend money in these accounts. The Department of Finance also gave other state agencies access to specific cash transfer accounts in MAPS.

The department did not intend to give state agencies the authority to spend the money in these appropriation accounts. However, we found two cases where the Department of Transportation transferred a total of $8.8 million out of one of these accounts. After bringing these examples to its attention, the Department of Finance is now investigating the propriety of these transfers.

To improve controls, the department should only give state agencies security clearance to the accounts in MAPS that they have the authority to spend. One possible way to implement this would be to make the Department of Finance the custodian of all cash transfer accounts in MAPS. The department also should explore alternate ways to transfer cash between funds in MAPS. It is possible to transfer cash between funds in MAPS with special transactions called journal vouchers. Journal vouchers are less risky because appropriation accounts are not needed in the funds providing and receiving the cash.

Recommendation

The department should only give state agencies security clearance to appropriation accounts in MAPS that they have legal authority to spend or search for less risky methods to transfer cash between funds.


December 29, 2003

James R. Nobles
Legislative Auditor
Office of the Legislative Auditor
658 Cedar Street
140 Centennial Office Building
St. Paul, Minnesota 55155-4708

Dear Mr. Nobles:

Thank you for the opportunity to discuss your audit findings with the individuals in your office responsible for the information technology audit of state agency spending authority controls. We are committed to providing accurate and secure financial systems and we will continue to work toward improvements in our processes.

Recommendation
The department should work with state agencies to restrict clearance to appropriation transfers to only those state employees who need such clearance to fulfill their job duties.

Response
We agree with this recommendation. With all security access to the statewide administrative systems we believe it is good policy to limit clearance to only the functions necessary for the user to fulfill their job duties. One way we control access is to annually prepare a listing of all system users and their current security access and require each agency to review and update it for any employee or position changes. When we prepare the next MAPS security certification in early calendar year 2004, we will include additional instructions regarding appropriation transfer authority. In it, we will direct agencies to give special attention to those employees with transfer authority who have not needed to use it in the last year.

We do recognize however that there are some situations where it is appropriate to grant an employee transfer authority even if they haven’t needed it to finalize a transfer recently. For example, two large agencies use an internal appropriation transfer approval process where a number of staff are authorized to originate the transfers, but final approval is limited to a very small group. In this situation only the users entering final approval will be identified in a review of appropriation transfer documents. Also, it is reasonable to have access for employees who provide back up during absences of staff who normally do the transfers.

Person Responsible: Steve Olson, MAPS Security
Implementation Date: March 31, 2004

J. Nobles
December 29, 2003
Page Two


Recommendation
In the short-term, the department should fix the flaws in its monthly reconciliation and work with agency leaders to decrease the rate of noncompliance with its policies.

Response
We agree with this recommendation. In the short-term, we will refine our monthly reconciliation of anticipated and actual appropriation transfers. From that process we will identify problem areas and work with the agencies involved to provide training and compliance incentives. From the analysis we have already completed, we have learned that a significant number of the transfers entered in advance of executive budget officer approval occurred prior to the start of the fiscal year during the account set-up process. During this busy period, other system controls prevent spending from all appropriations for which the fiscal year has not yet started.

Person Responsible: Barb Ruckheim, Financial Reporting Director
Implementation Date: March 31, 2004


Recommendation
In the long-term, the department should search for automated methods to prevent agencies from entering transfers that have not been approved by an executive budget officer.

Response
We agree with this recommendation. The ideal solution would prevent appropriation transfers until the anticipated transfer is approved by the executive budget officer but without requiring an additional manual intervention. It would allow multiple transfers up to the total amount of the approved transaction and would edit for both the destination account and the correct fiscal year. As you point out, this is a long-term solution as it would currently require substantial system modifications. We will evaluate the feasibility of implementing this approach with the next version of MAPS as part of our MAPS upgrade assessment this spring.

Person Responsible: Ron Mavetz, Agency Support Director
Implementation Date: June 30, 2004


Recommendation
The department should only give state agencies security clearance to appropriation accounts in MAPS that they have legal authority to spend or search for less risky methods to transfer cash between funds.

Response
We agree with this recommendation. However, our initial evaluation indicates that changing the agency code on these accounts, or using journal vouchers rather than appropriation transfers, is not the best solution for increasing control on these accounts. Changing the agency codes has reporting implications and journal vouchers have several drawbacks. Journal vouchers would result in more difficulty tracking transactions due to a diminished audit trail. JVs are only visible at the fund level complicating some budgetary reporting. JVs would increase the manual effort for loading data into the biennial budget system. We also considered inactivating appropriation accounts without spending authority, but this approach requires frequent manual intervention and could create business process delays. Another option for increasing control on these accounts is to cancel balances to the fund level on a more frequent basis. Upon initial review, we believe this may be the best solution.

Person Responsible: Ron Mavetz, Agency Support Director
Implementation Date: June 30, 2004


Warmest regards,

/s/ Dan McElroy

Dan McElroy
Commissioner