RE: Renewed calls for an independent Finance Department investigation.

Mayor, Council and A&B Advisory Board members,
The series of e-mails reproduced below were written in the 6 months leading up to the October 2012 finance debacle. Nothing of corrective substance was undertaken in that period, likely because the former Manager and Finance director knew things were too far gone by then to make a difference.
THE IMPORTANT question, however, is whether substantive internal control enhancements have occurred since. In light of this year’s audit comments, including the failure to reconcile city bank accounts on a timely basis for most of last year, I fail to see how the answer could be yes.
I found reviewing the e-mails reproduced below to be helpful in preparing for tomorrow’s joint meeting, and I felt you all might likewise appreciate the opportunity to review same.
Ted Noftall

From: Ted Noftall []

Sent: Tuesday, July 17, 2012 6:48 AM
To: Allen Green Construction Company; Bob Ford; Bob Pohlmann; Dennis Kennedy; Don Burnette
Cc: Hank Springer; ‘Parker, Ken’
Subject: Renewed calls for an independent Finance Department investigation.

Mayor and Council,
On 26 April 2012 I wrote Manager Parker inquiring as to how he had in fact complied with the 2008 audit recommendation that the City “conduct and document a formal risk assessment to identify, analyze and manage the risk of asset misappropriation.” While he has not yet responded to my question, an interesting series of e-mails have transpired and are reproduced below.
Basically they advise that, as was the case with preparing Financial Statements in house, the City is now relying on the external auditor Brent Millikan & Company for any efforts that are being made to “identify, analyze and manage the risk of misappropriation of City assets”. (Before the Manager tells you that is not the case as he has retained another firm, Milestone Professional Services, for that purpose, I would remind you that his finance director did not turn to Milestone to answer the question I posed to the Manager … he turned to Millikan & company.)
Both actions, financial statement preparation and internal control development, are totally unacceptable.
The role of the external auditor is to render an independent professional opinion of a limited nature. His ability to maintain that independence is compromised with every additional service he renders to the City. At this point he has become all too familiar and protective of the Manager and his finance staff. His demonstrated willingness over the years to drop serious and embarrassing audit recommendations without credible explanations is troubling. At this point I would have great difficulty approving a 2 year extension to his audit contract as the Manager is recommending in tonight’s Council agenda.
The un-answered question is why the Manager’s staff is not performing these vital financial statement and internal control functions in-house BECAUSE responsibility has not shifted, as the auditor makes clear in the annual CAFR.
“The financial statements are the responsibility of the City” (CAFR P25 line 4) “Management of the City is responsible for establishing and maintaining effective internal control…” (CAFR P220 line 23)
I have never received a credible answer from the Manager as to his decision regarding financial statement preparation and can conclude no better reason than he did so largely to compensate for some inadequacies in his Finance department.
I have had reservations as to the Auditor’s ability to express an “independent” opinion on financial statements he has prepared AND to learn that the auditor is now directing internal control for the City lessens that independence to the point where it must be seriously questioned.
Not only is his involvement wrong from an independence perspective … it is totally inadequate for City purposes on so many levels. The auditor himself explains that his decision making processes regarding internal controls are based on narrow concerns and limited purposes relating to the effect any such weaknesses might have on material misstatement in financial reporting and nothing more. (CAFR P222/223)
The external auditor’s role is one of a watchdog … not a bloodhound AND this is exactly why he did not uncover the inadequacies that came to light at Public Works.
The concept of materiality is not well understood outside of audit circles. The auditor, if asked, would likely advise that if every other weed wacker, leaf blower and gallon of fuel the City purchased was stolen, that dollar value misappropriation would not constitute a material misstatement of the financial statements themselves.
The public would not likely find much comfort in such examples of materiality as their interests regarding internal controls are far broader than material misstatement in financial reporting and most definitely encompass the safeguarding of their assets from misappropriation, such as exactly happened in Public Works with large purchases of vehicle parts being expensed rather than inventoried such that no one knows where those parts went, OR unregulated fuel withdrawals such that no one can say with certainty how many gallons were stolen.
The bottom line here is that no matter how or why the external auditor was co-opted to mitigate the Manager’s un-willingness to follow his recommendation, the fact remains that the Manager and his Finance Director did not implement the 2008 audit recommendation that the City “conduct and document a formal risk assessment to identify, analyze and manage the risk of asset misappropriation”.
The direct and proximate result of that misfeasance was the entirely preventable 2010 Public Works thefts that mirrored those 2008 recommendations AND THAT leads to the un-answered question as to how exactly did the Manager and the Finance Director adequately discharge the very same standard that was recently applied to the former Public Works Director … “to place the public’s interest above all other interests”??
That it took a major scandal for the Manager to start implementing the as yet un-disclosed internal control enhancements AND TO now uncover that he and his Finance Director failed to undertake a formal risk assessment is totally unacceptable. Who knew what and when, and the actions that were taken and not taken, need to be disclosed. The Comptroller testified under oath that she conveyed “opportunity fund” concerns to her boss the Finance Director … did he in turn convey those concerns to his boss the Manager? The Comptroller further testified regarding assets that were expensed rather than being inventoried and that she cannot determine where those assets went on multiple occasions. What more would she testify to if asked???
These and other un-answered questions need to be fully investigated by other than the Manager and his Finance director who are responsible for the inadequate internal control procedures in the first place.
Mayor and Council, I would remind you that several hundred thousand dollars worth of City assets have been stolen over the past 15 years right out from under the noses of the Manager and Finance director as a direct result of inadequate internal controls. You have fiduciary responsibilities to the citizens of Port Orange and permitting your Manager to whitewash inadequacies in his Finance department does not constitute an adequate discharge of those responsibilities. I would again request that you undertake an independent examination of the Finance department.
Ted Noftall


Italics Mine

From: Shelley, John
To: Parker, Ken
Cc: Gurnee, Stella;
Subject: FW: Fraud Risk Assessment from 2008 CAFR
Date: Wednesday, May 02, 2012 10:11:44 AM
Below is the response from our external auditor regarding risk assessment of the City. In
short the risk assessment process and related documents are auditor prepared, subject to
professional determination, proprietary and not subject to public disclosure rules. Please see
Brent Millikan’s notes below.
This is not the risk assessment Mr. Noftall is asking about but City Staff answers significant
internal control questionnaires and provides information to the audit staff for the risk
assessment evaluation. Do you think Mr. Noftall would like copy of these internal control
questionnaires? I am not sure of the end product of a nonprofessional third party evaluation
of these documents although I would think City Staff prepared internal control (I/C)
documents are open to the public.
Stella will be out through today and scheduled to return tomorrow. We will prepare another
copy of these documents and provide them to Mr. Noftall either this Friday or Monday of
next week depending on work load.
Is this acceptable to you and do you think these I/C Document are desired by Mr. Noftall?

From: Alex Kish []
Sent: Monday, April 30, 2012 10:13 AM
To: Shelley, John
Subject: RE: Fraud Risk Assessment from 2008 CAFR
Hey John,
I wanted to get back with you on this as soon as possible.
As you know, the risk assessment process was completed through a series of events and related
procedures that transpired over a 12 month period. In response to our initial request, you and your
management staff provided a detailed summary of the various internal control functions, including
delegation of authority and responsibility associated with each function. This was documented
through the completion of a series of our firm’s proprietary Control Activity Forms for each of
nineteen (19) listed areas of internal control. After receiving your completed forms, we analyzed
your responses to the control environment issues for the purpose of establishing risk scores for
each fundamental control area. The actual procedures involved are somewhat lengthy and involve
our further completion of several sets of internal control and risk assessment forms and
documents, all of which we consider to be extremely sensitive and confidential.
Generally, under most circumstances the approach we take to analyzing risk is based on a
combination of two fundamental ways of establishing risk scores: non-systematic and systematic.
The systematic approaches involve systematic decomposition of risk into individual factors which
are assessed individually, then combined into an overall score reflecting an audit unit’s riskiness.
The process requires identification of key areas of risk (i.e., termed risk factors) important to
management, grouping risk factors into categories based on similar characteristics, and assigning
weights to the risk factors indicating their relative importance in a model for setting audit scope
(frequency, intensity and timing). The input data for this process was composed of your response
to the Control Activity Forms discussed above.
The non-systematic approach is much more difficult to use and document, thus, it is used only
to evidence the existence and utilization of a series of judgmental factors and decisions that are
made from our historical knowledge of your specific systemic procedures and activities. This
approach is seldom used as the only way to examine and rank control environment issues since it is
highly dependent on individual intuitive judgments, which are difficult to conclusively document.
Once all of these procedures were clearly documented, our firm used all of these inputs to
complete our “audit” risk assessment process. The actual documentation that we use to internally
list, categorize and classify what we determine to be your various risk functions is confidential and
is not part of the working papers that we make available for external access. Furthermore, to
provide it in response to your inquiry would make this documentation a matter of public record,
which we do not believe it would be in the best interest of the City.
If you have any questions, please call me at your convenience.
Alex H. Kish, CPA
Audit Principal
Brent Millikan & Company, P.A.
Certified Public Accountants
205 Magnolia Street
New Smyrna Beach, FL 32168
Phone: (386) 427-1333 ext. 13
Fax: (386) 427-5823

From: Shelley, John []
Sent: Friday, April 27, 2012 5:32 PM
To: Parker, Ken
Cc:; Gurnee, Stella
Subject: RE: Fraud Risk Assessment from 2008 CAFR
The risk assessment process does not eliminate fraudulent activities…. only helps prevent
them. Risk assessment is part of every annual audit. I have a call into Alex Kish to discuss
his professional decision making process and the premise of his risk assessment. He has left
for the weekend but I am sure will contact me next week to discuss.
I am not aware of deficiencies we had in Fuel purchasing…. Maybe Ted is referring to not
having an adequate fuel monitoring system. We agree with this observation and are in the
process of corrective measures to strengthen administrative and accounting controls.
Yes, we agree that deficiencies exist with vehicle maintenance accountability. These
deficiencies have been documented by our internal audit firm Milestone. You have copy of
this report and has also been reviewed with Ted. As discussed we are working through
corrective measures.
As soon as we have risk assessment information compiled, we will forward to you.

From: Parker, Ken
Sent: Friday, April 27, 2012 10:49 AM
To: Shelley, John
Cc: Parker, Ken
Subject: Fwd: Fraud Risk Assessment from 2008 CAFR
see the note from Ted concerning fraud assessment.
Sent from my iPad
Begin forwarded message:
From: “Ted Noftall” <>
To: “Parker, Ken” <>
Subject: Fraud Risk Assessment from 2008 CAFR
You may remember my asking the external auditor at the 04-17-12 Council
meeting why he had dropped the 2008 CAFR Fraud Risk Assessment
recommendations from the 2009 and subsequent year CAFR’s.
I believe he answered to the effect that it was dropped because the City had
indeed acted upon his recommendation “to conduct and document a formal
risk assessment to indentify, analyze and manage the risk of asset
I am curious as how any type of such assessment could have failed to address
the startling deficiencies in both fuel purchases and vehicle maintenance AND
would ask that you please send me over a copy of that assessment or
Thank you
Ted Noftall

