MOUNT VERNON — Results from an independent audit report for the City of Mount Vernon showed deficiencies in internal controls and compliance — results that were not a surprise.
The auditing firm Clark Schaefer Hackett (CSH) provided administration officials with a draft copy of the report on Thursday. The audit covers Fiscal Year 2023, from Jan. 1 through Dec. 31, 2023.
The independent audit report noted two noncompliance instances:
• Failure to file the annual report within 150 days of the fiscal year-end. The auditor’s office filed the report on Sept. 5, 2024; it was due May 30.
• Payout of sick leave. City policy states that employees terminated for just cause can transfer unused sick leave to another government employer, but they will not be paid for the unused leave. In 2023, the city terminated an employee for cause and paid $12,363.25 in cash for unused sick leave. The report states that this happened partly due to the lack of segregation of duties in the auditor’s office.
The remaining three deficiencies involved weak internal controls:
• Misstatements in the financial statements required adjusting entries relating to 1) accounts payable, accrued wages, accounts receivable and deferred inflows in the CDBG fund; and 2) a restatement of beginning fund positions to correct accounts receivable entries recorded in improper funds in 2022
• Lack of segregation of financial duties, including the auditor being responsible for 1) receiving, posting, and depositing funds and reconciling bank accounts; 2) the auditor being able to make disbursements, process payroll, and make journal entries with no review or approval; and 3) the auditor being responsible for recording and closing out cash drawers, posting receipts, and making deposits for the water park.
• Medical insurance premiums and other withholdings, including poor documentation and tracking of wellness credits
Audit results were not a surprise
Safety-service Director Tanner Salyers said the audit results were not unexpected given what the administration has learned over the past months.
“We are fully aware that there are internal control and dual control issues,” he said. “I think people refused to address it. I refused to not address it.”
Salyers said that as the administration started investigating compensation and other benefits to become more competitive in employee recruitment and retention, it became apparent that the systems were antiquated.
For example, withholdings were off, and different rules were applied among employees.
“We started finding payroll issues, too,” he said.
When the city discovered the payroll and noncompliance issues, it notified union leadership. The payroll issues led to several employees filing a grievance with their union.
“We worked as a team [to resolve it]. We’ve been open and transparent,” Salyers said.
Then and Now
Under the Ohio Revised Code, the city cannot place an order or enter into a contract until the fiscal officer certifies that the amount involved is lawfully appropriated and is either in the treasury or in the process of being collected.
Department heads typically complete a purchase order (PO) for an item or contract amount. The PO must be dated on or before the invoice date, the date services are performed, or the invoice’s due date.
The fiscal officer can issue a Then and Now certificate if the PO is not requested on time. The certification means money was in the account when the transaction occurred (then) and when the PO was issued (now).
Then and Now certificates must be approved within 30 days. City council must approve amounts over $3,000. The fiscal officer can approve ones under $3,000.
Clark Schaefer Hackett noted in the independent audit report four instances in 2023 where the invoice date occurred before the PO date. The firm found another instance where the amount was over $3,000, but city council did not approve it.
IT control
CSH identified information technology as another area that would benefit from better internal controls on oversight and protection. Their findings included the following:
•Lack of a policy to evaluate risks; instead, employees deal with issues as they arise.
•The city does not receive a SOC1 Type 2 report (system and organization control) from its software provider.
•Lack of a policy requiring employees to undergo cybersecurity training.
•The city does not conduct penetration testing on its firewall.
Corrective action plan
Under the city’s corrective action plan, the city will contract with a third-party consultant to file the 2024 annual report and financial statements.
Salyers said the city has already taken other steps to install internal controls.
The city treasurer now has access to bank accounts, and the administration and treasurer will be more involved with the auditor on budgets.
Department heads will write POs only from their budget, not another department’s.
“If projects are collaborative, then all departments have to be at the table,” Salyers said.
Administration officials are modernizing software to reduce the chance of human error and installing dual controls to ensure that more employees are looking at documents as they move through the process.
Salyers said the administration has been working on IT over the past year.
“I created a Municipal Tech Board to review all cyber/tech-related matters. We will work with county IT to make sure we address these issues,” he said.
In 2023, the city contracted with the county for IT services. The three-year contract expires Jan. 31, 2026.
The Ohio Bureau of Workers Compensation is conducting an audit. Salyers does not have an estimated completion date.
When BWC concludes its audit, the city will conduct a three-year forensic audit.
