· As Chief Financial Officer for the City and County of San Francisco, the Controller is responsible for establishing the necessary framework to facilitate sound financial management and accounting practices. Sound financial and accounting practices are contingent upon authoritative and comprehensive policies and procedures that guide financial processes, and a financial accounting system and structure that can produce useful financial reports for the monitoring and control over the City's finances and operations.

· A review of the Controller's findings with respect to routine audits of financial transactions found a decrease in the adherence to the City's policies and procedures from calendar year 2001 to the first three months of 2003. With respect to reporting issues, departments have created parallel applications, spreadsheets and other duplicative procedures to obtain financial data and information in a format that is useful. Further, the lack of centralized monitoring of the accounting structure has led to the existence of unnecessary funds, unreconciled financial activity, the accumulation of resources, and accounting structures that do not necessarily meet the needs of departments. Incomplete and untimely reviews of user security allows for unauthorized access to financial systems and weakens the integrity of financial activity.

· The Controller should strengthen the financial management framework by developing authoritative and comprehensive policies and procedures, addressing departmental financial reporting needs, ensuring consistent and stable departmental accounting structures, and verifying that only appropriate personnel have user access to the financial systems.

Role of the Controller as Chief Financial Officer

As the Chief Financial Officer for the City and County of San Francisco (the City), it is the Controller's responsibility to establish authoritative and comprehensive accounting policies and procedures, as well as to establish the financial accounting systems and reporting necessary for departments to effectively manage City finances and operations. Further, it is the Controller's responsibility to establish the appropriate internal controls over accounting processes and the financial accounting systems to ensure sound financial management and accounting practices.

Authoritative and Comprehensive Policies and Procedures

Historically, the Controller has relied upon various resources to communicate financial and accounting policies and procedures to departments. Such resources included training classes and user manuals for the financial accounting system, FAMIS, as well as departmental instructions, memoranda and email "flashes" that communicate to departments policies and procedures on a topical basis.

According to Controller staff, the Controller's Office has made significant strides toward providing departments guidance through financial system on-line access to screen inquiries, help menus, real-time edits and other technological improvements. The Controller also asserts that policies and procedures that guide departments and promote sound financial practices are contained in the City's Administrative Code and the Governmental Accounting, Auditing, and Financial Reporting text published by the Government Finance Officers Association and otherwise known as the "Blue Book." Individually, however, these resources do not provide a comprehensive overview of the City's financial and accounting policies and procedures to ensure departments are utilizing sound and consistent financial management practices. Written policies and procedures do not exist for several accounting and finance processes, such as the preparation of indirect cost rates and the reconciliation and monitoring of funds and sub-funds. Accordingly, the Controller's Office does not have a document that brings all of the various resources together and expands on areas that may not be addressed anywhere else.

In Fall 2002, the Compliance Unit of the Accounting Operations and Systems Division (AOSD) conducted an annual "Post-Audit" of accounting transactions for the previous calendar year. In total, the Compliance Unit tested $19.5 billion of transactions and found processing exceptions on accounting transactions that totaled $742.3 million. 1,178 exceptions were found on a test population of 5,470 documents for an exception ratio of one exception for every 4.64 documents. The Controller's Office has noted that several of the exception categories do not, in their judgment, impact financial integrity. These exceptions include non-compliance with 12B/HRC requirements, incorrect or incomplete data input, insufficient supporting documentation, and non-current business tax certificate. When these exceptions are excluded, the ratio increases to one exception for every 10.06 documents. According to the Compliance Unit Manager, due to the high exception rate, the Controller's Office conducted a training in January and February 2003 in an attempt to improve departmental performance.

The Compliance Unit is currently completing a small Post-Audit of accounting transactions for the first three months of 2003 and has recently compiled summary statistics. A review of these statistics shows that overall the Compliance Unit found an exception for every 4.00 documents, an overall decrease in adherence to City policies and procedures of 13.9 percent from the Post-Audit conducted the previous fall. Excluding the exception categories that the Controller believes do not impact financial integrity, the exception ratio for this period is one exception for every 8.47 documents, a decrease in adherence to policies and procedures of 15.7 percent from the Post-Audit conducted the previous fall. A summary table of these findings is attached to the end of this section as Appendix 2.1. Departmental detail on these summary statistics shows significant variation among departments. Some departments have greatly decreased processing exceptions while other departments showed significant increases in processing exceptions. It should be acknowledged that because the training occurred early in the period being audited, the training would have had only limited impact on the audit results for the period. Nonetheless, not only has there not been improvement, an actual overall decrease in the adherence to the City's established policies and procedures has been found. This is an important finding, because the Post-Audits are reviewing the practices of departments and any exception, whether for $10 or $1.0 million, represents a lapse in internal controls. The extent of these lapses and the inconsistencies among departments found during our review indicates a need for authoritative, standardized and comprehensive policies and procedures.

Select departments were interviewed about accounting policies and procedures and their use of the Controller's financial accounting systems. One department fiscal manager stated that there was a need for comprehensive training to understand how accounting and finance were structured in the City. This manager further stated that FAMIS training was not sufficient to learn the City's accounting and finance policies and procedures. Another fiscal staff stated that he had not received training in FAMIS although he started nearly 10 months previously. This departmental fiscal staff stated that the best training for him came from his supervisor, who had previously worked at the Controller's Office. None of the departments that were interviewed had a readily accessible accounting and finance policies and procedures manual.

The Controller's Office has recognized a need for highly skilled and trained fiscal staff that understand the accounting and finance practices of the City. To address this need, the Controller developed an accountant internship program in the mid-1990s, which rotates interns through two departments over 18 months. Due to Controller identified gaps in the training, the program has been restructured and strengthened during the last year. According to the Deputy Controller, interns currently take 10 to 12 formal training courses, prepare a training binder, and are instructed in the full cycle of accounting transactions. While the internship and training program is specific to new accountants in the 1649 and 1652 classifications, the policies and procedures that they gather throughout their internship are relevant to all City finance and budget staff. Yet, these staff or departments in general are not provided similar binders of policies and procedures.

The Controller's Office should develop and distribute or make available a written comprehensive and authoritative policies and procedures manual for all aspects of accounting and financial management in the City. A written manual would ensure that policies and procedures support accurate, consistent, and quality accounting and finance practices throughout the City and would enhance the Controller's oversight of the accounting and financial practices throughout the City. It would bring together the various resources that the Controller now relies upon, including online system edits and controls, Controller instructions, memoranda, and email flashes, industry guidelines such as those presented in the Blue Book, and Administrative Code requirements. Additionally, a written manual would ensure that policies and procedures are available and communicated to departments. These written policies and procedures should be reviewed and updated annually. Several counties, including Los Angeles and Orange counties, have comprehensive policies and procedures manuals that can provide guidance to the Controller's Office on format and content. Both of these manuals are available electronically.

Financial Reporting

In addition to the need for comprehensive policies and procedures to guide departments in financial management and accounting activities, the current financial accounting and reporting systems do not meet departmental needs. The City's core financial accounting system, FAMIS, was last upgraded in FY 1995-1996, when the system migrated from batch processing to an on-line, real-time system. Issues surrounding FAMIS and the Controller's financial accounting systems are discussed in more detail in Section 3 of this report. Because FAMIS only provides mainframe reports that are not flexible, the Controller installed the Executive Information System (EIS) in 2000 to develop financial reports. The focus of that program to date has been to develop EIS support for the Comprehensive Annual Financial Report, which is at such a high level that the data and information is not useful for the day to day financial and operational needs of the City. However, the Controller intends to allow departments access to and training on EIS, although no formal program has been developed. The Controller reports 13 departments are working with EIS at this time.

However, to meet departmental financial reporting needs, departments continue to request special reports from one of two Systems Units or from the Budget and Analysis Division in the Controller's Office. While the Controller may be able to provide these reports relatively quickly, within a day or two, there is little flexibility and the process remains an obstacle to obtaining meaningful and timely financial reporting. By way of example, for this audit, a request was made to obtain cash and fund balances by fund. It took over three weeks to obtain this basic financial information.

Understandably, departments undertake varying degrees of effort to create data and information they need on a timely basis, as noted in a survey of select departments. For example, the Department of Human Resources (DHR) creates excel spreadsheets to monitor expenditures by index code and sub-objects. Additionally, DHR creates excel spreadsheets for monitoring the Health Service System, for analysis during the budget development process, and for position control. The Department of Children, Youth and Their Families re-enters transaction data into excel spreadsheets to track expenditures by index code and by lower levels of detail, such as purchase order. The Recreation and Park Department has developed their own monthly report by index code to track revenues and expenditures. These efforts by departments require considerable resources to essentially recreate financial data and information in a useable format. The Recreation and Park Department reports that it takes 50 percent of one accountant's time just to produce the monthly financial reports that the Department needs for the Recreation and Park Commission.

In addition to the inefficiencies created by the need to recreate financial data and information, the inability to obtain useful financial reporting impairs the ability to effectively monitor and control departmental finances and operations. To the extent that departments do not develop the reports they need to monitor activity, they risk making uninformed decisions that can ultimately impair departmental finances and operations.

The Controller should conduct an assessment of departmental and City reporting needs and should develop a formal strategic plan for meeting those needs. The Controller should utilize existing analytical resources, such as City Projects Division or Financial Systems and Reporting Division staff which should be available now that GASB 34 conversion project has been completed.

Financial Accounting Structure

The Financial Systems and Reporting Units of the AOSD are responsible for the financial accounting systems and the reporting structure. The responsibility for the accounting structure and the chart of accounts, such as funds, departments, index codes, and so on, is fragmented between and amongst various units in the Controller's Office. For example, according to Controller documents, funds can be created by the Business Systems and Intelligence Unit, the Cash and CAFR Support Unit, and the Reconciliation and Analysis Unit. Additionally, index codes and other departmental accounting coding can be created by the Compliance Unit, the Grant Management Unit, and selected departments. Accordingly, there is no single area or unit to provides guidance on or control over the entire accounting structure.

As noted in Section 6 of this report, our review found there are no formal policies and procedures that define the Controller role or assigns responsibility in the area of fund and sub-fund creation, monitoring and reconciliation. Subsequently, the lack of centralized monitoring has led to the existence of unnecessary funds, unreconciled financial activity, and the accumulation of resources.

Additionally, departmental "recasts" are customary, where a department's accounting structure is significantly revised and prior year financial data must be "recast" to conform with the revised structure. Recasts are an intensive process that requires considerable Controller and departmental resources. Additionally, recasts are generally problematic. Historical information is restated and reported in a way that was never intended, impairing the quality and comparability of financial data and departmental activities over time. There are legitimate reasons why a recast may be necessary, such as fundamental changes in the operating environment. However, departmental structures should remain relatively stable and not be subject to shifting policies or personalities, such as when changes in department heads and fiscal officers occur. Departmental accounting structures should be based on a thorough analysis of a variety of factors, including the department's mission, its operational structure, service delivery, expenditure patterns, and so on. If the accounting structure is sound, there should be no reason to change it for political or other human influences.

There are existing departmental accounting structures currently that are not effective. The Controller's Office reports two or three departments significantly recast the departmental accounting structure each year. During interviews with the Recreation and Park Department and the Sheriff's Department, which both recast their accounting structures within the last few years, the fiscal staff stated that the old accounting structure was meaningless and did not serve the needs of the departments. Additionally, a Controller summary of recasts completed in 2002 states that the Department of Human Services created new index codes "to help with their internal reporting." Clearly, if the structure is not meeting a department's needs or if there is a fundamental change in the operating environment, an accounting structure should be recast. As the Controller's Office reviews departmental requests for and provides assistance to departments during the recast process, it should perform its assessment with the intent of establishing a structure for long-term stability. Ultimately, the Controller, as the Chief Financial Officer and as the expert on and control over the financial accounting structure, is responsible not only to ensure that the technical needs of the departments are being met, but also that operationally the accounting structure makes sense.

The Controller should formally designate the responsibility for controlling the financial accounting structure to one of the Financial Systems and Reporting Units of the AOSD or to a consistent working group of Controller staff. This group should be responsible for the creation of all new accounting codes that define a department's main financial framework, including funds, sub-funds, organization, and index codes. Excluded from this level of control would be grants, projects, user codes and department activity. The group should be responsible for ensuring that any changes to the accounting structure are appropriate and in accordance with sound financial management and accounting practices. Additionally, the group should be responsible for periodic review of unused and obsolete codes and the monitoring of funds and sub-funds to ensure that departments are appropriately accounting for financial activity and resources.

User Security Reviews

The Controller's Office has a policy to conduct a user security review for FAMIS, the purchasing system (ADPICS) and the fixed asset database (FAACS) on an annual basis and coinciding with the end of the fiscal year. The Controller's Office reports that the last user security review was completed in January of 2003, which was six months behind schedule for FY 2001-2002, and that the FY 2002-2003 user security review is currently being conducted. According to the Controller's Office, the goal of the survey is "to preserve security by requiring that each department verify their users are active and are assigned to the appropriate and active Department."

As part of the security review for FY 2002-2003, the Controller's Office distributed a list of staff with FAMIS, ADPICS or FAACS access and instructed department heads or chief financial Officers to respond by July 31, 2003 with updated information on which staff are authorized to access the financial systems to: (a) initiate transactions, (b) approve transactions, or (c) inquiry on transactions. The Controller's Office stated that "users whose status is not confirmed or updated by July 31, 2003 may then be denied system access." However, of six department user security surveys selected for review, one department's survey was never submitted and a second department's survey was incomplete. There was no indication that any users were denied system access as a result of non-compliance with the security policy. Because unauthorized access to financial systems weakens the integrity of financial activity, user security reviews should be thorough and conducted in a timely manner. Access should be automatically denied for users whose status is not confirmed.

Conclusions

The Controller could strengthen the financial management framework. The need for comprehensive and authoritative policies and procedures, useful financial reporting, and controls over the accounting structure and controlled access to the accounting systems impair the departments' ability to effectively manage departmental finances and operations and impair the Controller's ability to provide effective oversight.

Recommendations

The Controller should:

2.1 Develop and make available to departments, physically or electronically, written, authoritative and comprehensive policies and procedures for all aspects of the financial and accounting processes;

2.2 Perform an assessment of departmental financial reporting needs, and develop a strategic plan for meeting those needs, by June 30, 2004;

2.3 Consider the long-term structural stability of departmental accounting structures when developing departmental accounting structures and conducting recasts;

2.4 Designate the following responsibility to oversee the accounting structure to a specific unit in the Financial Systems and Reporting Units or to a consistent working group, including:

i. Being the sole authority for the creation of funds, sub-funds, organization and index codes;

ii. Being the sole authority for the recast of a department's accounting structure; and

iii. Ensuring that the accounting structure is appropriate and is in accordance with sound financial management and accounting practices; and

iv. Being accountable for the monitoring of funds and sub-funds.

2.5 Ensure that annual user security reviews are conducted in a timely manner; and

2.6 Deny system access for users whose status is not confirmed or updated by the deadline in order to enforce compliance with the security policy.

Costs and Benefits

The development of a policies and procedures manual should be achieved through the assignment of existing resources. Oversight of the accounting structure can be achieved through the reallocation and consolidation of the current assignments. An assessment of reporting needs and strategic planning will require additional resources which should be obtained through a reallocation of existing staff as current projects, such as GASB 34 implementation, are completed, rather than with new staff. The benefits of these recommendations include operational efficiencies and enhanced controls at the departments and at the Controller's Office which will exceed the costs of implementation.