The series of e-mails reproduced below were written in the 6 months leading up to the October 2012 finance debacle. Nothing of corrective substance was undertaken in that period likely because the former Manager and Finance director knew things were too far gone by then to make a difference.
THE IMPORTANT question however is whether substantive internal control enhancements have occurred since. In light of this year’s audit comments including the failure to reconcile city bank accounts on a timely basis for most of last year I fail to see how the answer could be yes.
I found reviewing the e-mails reproduced below to be helpful in preparing for tomorrow’s joint meeting, and I felt you all might likewise appreciate the opportunity to review same.
From: Ted Noftall [mailto:Ted@americanforwarding.us]
Sent: Tuesday, July 17, 2012 6:48 AM
To: Allen Green Construction Company; Bob Ford; Bob Pohlmann; Dennis Kennedy; Don Burnette
Cc: Hank Springer; ‘Parker, Ken’
Subject: Renewed calls fo an independent Finance Department investigation.
Mayor and Council,
On 26 April 2012 I wrote Manager Parker inquiring as to how he had in fact complied with the 2008 audit recommendation that the City “conduct and document a formal risk assessment to indentify, analyze and manage the risk of asset misappropriation.” While he has not yet responded to my question an interesting series of e-mails have transpired and are re-produced below.
Basically they advise that, as was the case with preparing Financial Statements in house the City is now relying on the external auditor Brent Millikan & Company for any efforts that are being made to “identify, analyze and manage the risk of misappropriation of City assets”. ( Before the Manger tells you that is not the case as he has retained another firm Milestone Professional Services for that purpose I would remind you that his finance director did not turn to Milestone to answer the question I posed to the Manager……. he turned to Millikan & company )
Both actions, financial statement preparation and internal control development are totally unacceptable.
The role of the external auditor is to render an independent professional opinion of a limited nature. His ability to maintain that independence is compromised with every additional service he renders to the City. At this point he has become all too familiar and protective of the Manager and his finance staff. His demonstrated willingness over the years to drop serious and embarrassing audit recommendations without credible explanations is troubling. At this point I would have great difficulty approving a 2 year extension to his audit contract as the Manager is recommending in tonight’s Council agenda.
The un-answered question is why the Manager’s staff is not performing these vital financial statement and internal control functions in-house BECAUSE responsibility has not shifted as the auditor makes clear in the annual CAFR.
“The financial statements are the responsibility of the City” (CAFR P25 line 4) “Management of the City is responsible for establishing and maintaining effective internal control…” (CAFR P220 line 23)
I have never received a credible answer from the Manager as to his decision regarding financial statement preparation and can conclude no better reason than he did so largely to compensate for some inadequacies in his Finance department.
I have had reservations as to the Auditor’s ability to express an “independent” opinion on financial statements he has prepared AND to learn that auditor is now directing internal control for the City lessens that independence to the point where it must be seriously questioned.
Not only is his involvement wrong from an independence perspective ……. It is totally inadequate for City purposes on so many levels. The auditor himself explains that his decision making processes regarding internal controls is based on narrow concerns and limited purposes relating to the effect any such weaknesses might have on material misstatement in financial reporting and nothing more. (CAFR P222/223 )
The external auditor’s role is one of a watchdog ….not a bloodhound AND this is exactly why he did not uncover the inadequacies that came to light at Public Works.
The concept of materiality is not well understood outside of audit circles. The auditor if asked, would likely advise that if every other weed wacker, leaf blower and gallon of fuel the City purchased was stolen, that dollar value misappropriation would not constitute a material misstatement of the financial statements themselves.
The public would not likely find much comfort in such examples of materiality as their interests regarding internal controls are far broader than material misstatement in financial reporting and most defiantly encompass the safeguarding their assets from misappropriation — such as exactly happened in Public Works with large purchases of vehicle parts being expensed rather than inventoried such that no one knows where those parts went, OR unregulated fuel withdrawals such that no one can say with certainty how many gallons were stolen.
The bottom line here is that no matter how or why e the external auditor was co-opted to mitigate the Manager’s un-willingness to follow his recommendation the fact remains that the Manager and his Finance Director did not implement, the 2008 audit recommendation that the City “ conduct and document a formal risk assessment to indentify, analyze and manage the risk of asset misappropriation”.
The direct and proximate result of that misfeasance were the entirely preventable 2010 Public Works thefts that mirrored those 2008 recommendations AND THAT leads to the un-answered question as to how exactly did the Manager and the Finance Director adequately discharged the very same standard that was recently applied to the former Public Works Director ……… “ to place the public’s interest above all other interests” ??
That it took a major scandal for the Manager to start implementing the as yet un-disclosed internal control enhancements AND TO now uncover that he and his Finance Director failed to undertake a formal risk assessment is totally unacceptable. Who knew what and when, and the actions that were taken and not taken need to be disclosed. The Comptroller testified under oath that she conveyed “opportunity fund” concerns to her boss the Finance Director….did he in turn convey those concerns to his boss the Manager. The Comptroller further testified regarding assets that were expensed rather than being inventoried and that she cannot determine where those assets went on multiple occasions. What more would she testify to if asked ???
These and other un-answered questions need to be fully investigated by other than the Manager and his Finance director who are responsible for the inadequate internal control procedures in the first place.
Mayor and Council I would remind you that several hundred thousand dollars worth of City assets have been stolen over the past 15 years right out from under the noses of the Manager and Finance director as a direct result of inadequate internal controls. You have fiduciary responsibilities to the citizens of Port Orange and permitting your Manager to whitewash inadequacies in his Finance department does not constitute an adequate discharge of those responsibilities. I would again request that you undertake a independent examination of the Finance department.
From: Shelley, John
To: Parker, Ken
Cc: Gurnee, Stella; firstname.lastname@example.org
Subject: FW: Fraud Risk Assessment from 2008 CAFR
Date: Wednesday, May 02, 2012 10:11:44 AM
Below is the response from our external auditor regarding risk assessment of the City. In
short, the risk assessment process and related documents are auditor prepared, subject to
professional determination, proprietary and not subject public disclosure rules. Please see
Brent Millikan’s notes below.
This is not the risk assessment Mr. Noftall is asking about but City Staff answers significant
internal control questionnaires and provides information to the audit staff for the risk
assessment evaluation. Do you think Mr. Noftall would like copy of these internal control
questionnaires? I am not sure of the end product of a nonprofessional third party evaluation
of these documents although I would think City Staff prepared internal control (I/C)
documents are open to the public.
Stella will be out through today and scheduled to return tomorrow. We will prepare another
copy of these documents and provide them to Mr. Noftall either this Friday or Monday of
next week depending on work load.
Is this acceptable to you and do you think these I/C Document are desired by Mr. Noftall?
From: Alex Kish [mailto:email@example.com]
Sent: Monday, April 30, 2012 10:13 AM
To: Shelley, John
Subject: RE: Fraud Risk Assessment from 2008 CAFR
I wanted to get back with you on this as soon as possible.
As you know, the risk assessment process was completed through a series of events and related
procedures that transpired over a 12 month period. In response to our initial request, you and your
management staff provided a detailed summary of the various internal control functions, including
delegation of authority and responsibility associated with each function. This was documented
through the completion of a series of our firm’s proprietary Control Activity Forms for each of
nineteen (19) listed areas of internal control. After receiving your completed forms, we analyzed
your responses to the control environment issues for the purpose of establishing risk scores for
each fundamental control area. The actual procedures involved are somewhat lengthy and involve
our further completion of several sets of internal control and risk assessment forms and
documents, all of which we consider to be extremely sensitive and confidential.
Generally, under most circumstances the approach we take to analyzing risk is based on a
combination of two fundamental ways of establishing risk scores: non-systematic and systematic.
The systematic approaches involve systematic decomposition of risk into individual factors which
are assessed individually, then combined into an overall score reflecting an audit unit’s riskiness.
The process requires identification of key areas of risk (i.e., termed risk factors) important to
management, grouping risk factors into categories based on similar characteristics, and assigning
weights to the risk factors indicating their relative importance in a model for setting audit scope
(frequency, intensity and timing). The input data for this process was composed of your response
to the Control Activity Forms discussed above.
The non-systematic approach is much more difficult to use and document, thus, it is used to only
to evidence the existence and utilization of a series of judgmental factors and decisions that are
made from our historical knowledge of your specific systemic procedures and activities. This
approach is seldom used as the only way to examine and rank control environment issues since it is
highly dependent on individual intuitive judgments, which are difficult to conclusively document.
Once all of these procedures were clearly documented, our firm used all of these inputs to
complete our “audit” risk assessment process. The actual documentation that we use to internally
list, categorize and classify what we determine to be your various risk functions is confidential and
is not part of the working papers that we make available for external access. Furthermore, to
provide it in response to your inquiry would make this documentation a matter of public record,
which we do not believe it would be in the best interest of the City.
If you have any questions, please call me at your convenience.
Alex H. Kish, CPA
Brent Millikan & Company, P.A.
Certified Public Accountants
205 Magnolia Street
New Smyrna Beach, FL 32168
Phone: (386) 427-1333 ext. 13
Fax: (386) 427-5823
From: Shelley, John [mailto:firstname.lastname@example.org]
Sent: Friday, April 27, 2012 5:32 PM
To: Parker, Ken
Cc: email@example.com; Gurnee, Stella
Subject: RE: Fraud Risk Assessment from 2008 CAFR
The risk assessment process does not eliminate fraudulent activities…. only helps prevent
them. Risk assessment is part of every annual audit. I have a call into Alex Kish to discuss
his professional decision making process and the premise of his risk assessment. He has left
for the weekend but I am sure will contact me next week to discuss.
I am not aware of deficiencies we had in Fuel purchasing…. Maybe Ted is referring to not
having an adequate fuel monitoring system. We agree with this observation and are in the
process of corrective measures to strengthen administrative and accounting controls.
Yes, we agree that deficiencies exist with vehicle maintenance accountability. These
deficiencies have been documented by our internal audit firm Milestone. You have copy of
this report and has also been reviewed with Ted. As discussed we are working through
As soon as we have risk assessment information compiled, we will forward to you.
From: Parker, Ken
Sent: Friday, April 27, 2012 10:49 AM
To: Shelley, John
Cc: Parker, Ken
Subject: Fwd: Fraud Risk Assessment from 2008 CAFR
see the note from Ted concerning fraud assessment.
Sent from my iPad
Begin forwarded message:
From: “Ted Noftall” <Ted@americanforwarding.us>
To: “Parker, Ken” <firstname.lastname@example.org>
Subject: Fraud Risk Assessment from 2008 CAFR
You may remember my asking the external auditor at the 04-17-12 Council
meeting why he had dropped the 2008 CAFR Fraud Risk Assessment
recommendations from the 2009 and subsequent year CAFR’s.
I believe he answered to the effect that it was dropped because the City had
indeed acted upon his recommendation “to conduct and document a formal
risk assessment to indentify, analyze and manage the risk of asset
I am curious as how any type of such assessment could have failed to address
the startling deficiencies in both fuel purchases and vehicle maintenance AND
would ask that you please send me over a copy of that assessment or