HomeMy WebLinkAboutMINUTES - 09242002 - C.79 TO: BOARD OF SUPERVISORS
`Contr
•: w
FROM: INTERNAL OPERATIONS COMMITTEE Goats
DATE: SEPTEMBER 24, 2002 County
SUBJECT: EMPLOYMENT AND HUMAN SERVICES DEPARTMENT
INTERNAL SECURITY PLAN UPDATE
SPECIFIC REQUEST(S)OR RECOMMENDATION(S)&BACKGROUND AND JUSTIFICATION
RECOMMENDATIONS:
1. ACCEPT report from the Employment and Human Services Director on the status of the
Department's Internal Security Plan to prevent welfare fraud and COMMEND the
Department on the development of a multiple strategies to lower risk and exposure to
internal fraud.
2. DIRECT the Employment and Human Services Director to return to the Internal Operations
Committee annually with a status report on the progress of the implementation of the Plan.
3. DIRECT the Employment and Human Services Director to return to the Internal Operations
Committee in November 2002 with a follow-up report on the status of the food stamp error
rate, and addressing how the Internal Security Program might be used to detect and avoid
eligibility determination errors, and what legislative opportunities or legal remedies may be
available to the Board of Supervisors to gain relief from error rate penalties.
BACKGROUND:
On April 6, 1900, the Board of Supervisors referred to the 2000 Internal Operations Committee
the monitoring of actions taken by the EHSD following the filing of fraud charges against two
County employees, and on County check issuance procedures and administration of petty cash
funds, particularly the Immediate Need Imprest Fund. The 1999 Committee reported back to
the Board on County check issuance procedures and administration of petty cash funds, and
had these items removed as referrals.
CONTINUED ON ATTACHMENT: YES SIGNATURE
RECOMMENDATION OF COUNTY ADMINISTRATOR _ .. •F2ECOMMEN AT N OF BOARD COMMITTEE
-'APPROVE OTHER ,�
U
`.• 1> >
StCiNAT RE(S): ,�.. ,�;'�-. .� - ,.'� x <� �::.� -�°"=�3 s..r=,.-•--
MARK DeSAULNIER GOLE S. UILK '
ACTION OF BOARD ON September 24, 2002 APPROVE AS RECOMMENDED X OTHER
VOTE OF SUPERVISORS I HEREBY CERTIFY THAT THIS IS A TRUE
AND CORRECT COPY OF AN ACTION TAKEN
X
UNANIMOUS(ABSENT_ None I AND ENTERED ON THE MINUTES OF THE
BOARD OF SUPERVISORS ON THE DATE
AYES: NOES: SHOWN.
ASSENT. ABSTAIN:
ATTESTED.-_----September 24, 2002
CONTACT: JULIE ENEA(925)335-1077 JOHN SWEETEN,CLERK OF THE BOARD OF
CC: INTERNAL OPERATIONS COMMITTEE STAFF SUPERVISORS AND COUNTY ADMINISTRATOR
EMPLOYMENT AND HUMAN SERVICES
COUNTY ADMINISTRATOR ¢f +-�' f�
BY _ DEPUTY
EHSD Internal Security Plan Update September 24, 2002
Internal Operations Committee Page 2
Since 1999, the Internal Operations Committee has received updates from the Employment and
Human Services Department on the status of the implementation of its Internal Security plan,
and reported out to the Board on July 18, 2000, in November 2000, and on September 25, 2001.
At its September 16, 2002 meeting, the IOC received the attached report from the Employment
and Human Services Director that outlines actions that have been taken and that are planned to
be taken in the Department's efforts to prevent welfare fraud. Of great concern to the Committee
is the impact of recent budget reductions, which forced the elimination on the Quality Assurance
Unit one of the Department's key tools in improving program compliance. The Employment
and Human Services Director has advised that food stamp error f eligibility determination error
rates are likely to increase over the next two years due to these cuts and the impending
implementation of new systems such as the Electronic Benefits Transfer {EBT} and CalWIN
systems.
With the likelihood that the County's error rates may worsen, our Committee has requested the
Employment and Human Services Director to return in November with a status report on the food
stamp error rate, how the Internal Security Program might be used to verify program compliance,
and what opportunities the Board of Supervisors might have in supporting legislation or seeking
legal remedies that would provide relief to California counties that are struggling with the need to
improve program compliance despite diminishing resources.
Employment & Human Services Department Contra Costa County
Date: September 16, 2002
MEMO TO: Supervisor Mark DeSaulnier c: Julie Enea
Supervisor Gayle B. Uilkema
Internal Operations Committee
FROM: John B. Cullen, Director
SUBJECT: 2002 Internal Operations Committee - EHSD Status Report on
:Implementation of Internal Security Plan
Enclosed is our annual status report on the implementation of EHSD's Internal
Security Plan.
We ask that the Internal Operations Committee accept the attached report, as a
follow-up to our September 2001 report to the Committee.
We also ask that the Committee schedule, in 2003, a future update on the Plan's
status.
E
Internal Operations Conunittee
Status of Internal security:Plan
September 16,2002
EHSD Status Report - Internal Security Plan Implementation
Background
In 1998, EHSD established a security function (Fiscal Compliance Unit) and
developed an Internal Security Plan (Plan) outlining goals, strategies and actions
to improve operational controls over welfare benefit disbursements. We have
implemented major aspects of the Pian, and continue to work toward
accomplishing the remaining objectives. We have also periodically modified our
strategies and action items, due to changing mandates and system requirements.
The Plan's fundamental principles, though, still center on lowering risk and
exposure to internal fraud, using prevention methods and detection tools, in
balance with cost concerns and legislative mandates.
Since 1999, EHSD has presented regular reports to the IO Committee on the status
of improving security, and the Committee has made periodic recommendations to
the Board. Subject report is our annual update, as requested last September 2001.
In the past year, we focused on the major goal of improving security and
accountability by increasing the level of Second Party Reviews. From a security
view, Second Party Reviews increase fraud prevention and detection capabilities.
In our Plan, use of this tool is important because of the high number of eligibility
caseworkers who are assigned a concentration of payment related duties. For
accountability and security purposes, therefore, EHSD made considerable effort to
create a Quality Assurance Unit (QA). (We also recognized, at the same time, this
tool could help achieve other EHSD goals of improving compliance and lowering
case error rates.) The other type of"Second Party Review" in our Plan calls for
systematic case reviews by line supervisors, a process we implemented July 2002
for food stamps.
2
Internal Operations Committee
Status of Internal security Plan
September 16,2002
Below is a brief status report on actions taken toward completing our Plan.
Status Update on Actions Taken:
1. Implement "Second party Reviews" by QA and line supervisors to
increase accountability and monitoring
Q Our new Quality Assurance Unit(QA), established in 2001 with a staff
of ten, will be discontinued on September 20, 2002, as part of our
budget reduction plan. QA is a discretionary, but valuable, activity that
we hope we can reinstate once funding issues are resolved.
■ As part of our Internal Security Plan, QA was established to
perform "Second Party Reviews" that provide a "check and
balance" control to help: 1) deter internal fraud and lower risk of
occurrence; 2) detect potential fraud and lower exposure; and 3)
compensate for lack of segregation in payment duties.
■ We view QA as very beneficial for improving internal security
and employee accountability, as well as program compliance.
• Our QA design provided increased oversight of more than 8,000
cases, supplementing work by staff in internal security, fiscal
compliance, quality control (*), corrective action, and line
supervision. [*Explanatory nate:EHSD maintains a separate Quality
Control Unit that also performs specialized case reviews, but these are
federally mandated, and are of a more limited and targeted nature than the
reviews under our more comprehensive Quality Assurance design.]
® Effective July 2002, EHSD implemented a new policy requiring that
Unit Supervisors review a random sample of three Food Stamp cases
per worker, per month.. (increasing to five cases in 11/02). The process
includes specific review elements and formal reporting of results to
management. We have assembled a Peer Review Team to re-review a
sample of the above case reviews to ensure supervisors' compliance
3
Internal Operations Committee
Status of Internal security Plan
September 16,2002
with policy. This team includes a supervisor from each of the Bureaus:
Workforce, Children and Family, Aging and Adult, and Administration.
Lender our Plan, this type of increased supervisory review over the
disbursement function is necessary to improve employee accountability
and security.
• Our future goal is to expand the supervisory reviews to include
CalWORKS and Welfare-to-Work programs. Design of a
comparable process is already underway.
• Program staff will be working with Fiscal Compliance to
enhance the current reviews to include a checklist of security-
related items. This will provide supervisors with additional
means to detect and report any security breaches.
2. Design and use monitoring reports and other fraud alert tools to help
detect and halt potential internal fraud
u Fiscal Compliance continues to monitor employees' usage of the
welfare case data systems. There are currently 1,900 system users
assigned some level of computer access. Based on their job function,
access ranges from "inquiry only" to "monetary update" capabilities.
a The monitoring effort includes reviewing daily computer audit trail
reports that have captured and time stamped case transactions as input
(on-line) by employees. Transactions are tracked both by user ID and
by case.
a The entire case data system is surveyed, using software database
querying techniques, and sensitive transactions are extracted for closer
review and testing.
u We have designed a series of 51 automated reports listing a variety of
monetary transactions. Transactions are selected based on fraud and
non-compliance indicators we have developed. Matching and
4
Internal Operations Committee
Status of Internal security Ilan
September 16,2002
crosschecking of case data elements is also done to detect discrepancies,
omissions and exceptions to policy.
a Particular scrutiny is given to the more sensitive monetary transactions,
a total of approximately 4,500 transactions monthly, including check
and food stamp issuances, and payee data.
a In the past year, after designing some additional fraud alert reports, we
increased by 10 percent the volume of transactions monitored in this
manner.
a We use random sampling as well as specific fraud alerts or indicators to
test transactions and detect possible security breaches.
ca All 1,900 users remain on notice that all transactions are subject to
monitoring and independent review.
n Each month, on average, as a result of fraud alerts and referrals
received, Fiscal Compliance conducts a special targeted review of
caseload transactions.
• New fraud alert reports and controls are continuously added to keep
pace with changes in programs, computer system designs, and service
delivery methods, a recent example being the processing of direct
deposit benefits. New fraud alert reports will soon be devised in
anticipation of the December 2002 implementation of the Electronic
Benefit Transfer(EBT) delivery system.
• The District Attorney Office's (DA) General Fraud Hotline is in
operation as a service to the entire County. EHSD and the DA maintain
a cooperative working relationship, sharing information when
appropriate. Since our last IO report, we have not received any Hotline
referrals of suspected employee fraud.
• Fiscal Compliance organized and hosted a statewide Internal Security
Meeting attended by 40 security representatives, including social service
and district attorney staff from 22 counties. These forums facilitate an
5
Internal Operations Committee
Status of Internal security Plan
September 16,2002
exchange of information about successful techniques and emerging
issues.
3. Properly manage staffs computer access to case data systems
• The Information Technology Unit continues to closely control the
assignment and maintenance of employees' computer access, involving;
1,900 users.
• Employees are assigned the appropriate level of access, based on their
job function and classification. Each month, approximately 300 system
changes are processed. These include the more routine password
expirations and resets for existing users, as well as security model
changes and caseload restrictions arising from staff reassignments and
promotions.
o In addition, approximately 65 obsolete users, per quarter, are promptly
removed from the systems.
• Supervisors are required to prepare a formal "security request form" that
meets established standards before access is granted.
o Each quarter, Fiscal Compliance reviews access levels for
approximately 100 users to ensure standards are being adhered to
properly.
• Security training has been provided to 20 new supervisors and 30 new
caseworkers to reinforce standards for computer password and terminal
usage.
4. Implement new methods to prevent fraud
u We continue to assess security impacts of new mandates and
modifications to computer systems with the aim of developing
preventive controls.
6
Internal Operations Committee
Status of Internal security Plan
September 16,2002
• In early 2002, EHSD placed controls over: 1) processing of
"direct deposit" assistance benefits (by centralizing and limiting
the number of staff with ability to enter sensitive bank data) and
2) issuing of incentive payment certificates for Welfare-to-Work
participants (by requiring stock inventory controls and
supervisory approval).
• By December 2002, we anticipate several operational changes
arising from statewide implementation of the Electronic Benefit
Transfer(EBT) card delivery system. Participants will receive
benefits via their EBT card at Point-of-Sale or ATM machines.
Security staff has been providing input in development of card
stock controls and adequate segregation of duties for emergency
issuances. We are also working with the State, pilot counties,
Information Technology staff, and the EBT vendor to identify
ways EBT could be used fraudulently, so that we are prepared
with tools and procedures to prevent and detect fraud.
u Further efforts are necessary to increase supervisory approval/review
requirements for some CalW ORKS and Food Stamp transactions that
are more prone to fraud, particularly: supplemental benefits, benefits
exceeding limits, retroactive amounts, and payee name/address changes.
• Special approval requirements are in place for some important
functions, such as Immediate/Emergency Needs, CaIWOR S-
Child Care, Welfare to Work-Supportive Services, Diversion,
and initial case granting. However, extending this control to all
regular monthly aid transactions would not be cost effective,
given the number of benefits issued(about 20,000 monthly), time
limits for issuance, caseload complexities, workload concerns,
and technological constraints of the aged case data system. We
7
Internal operations Committee
Status of internal Security Pian
September 16,2002
have found that most county social service agencies face this
same challenge.
We are,however, pursuing cost effective ways to further
implement on-line supervisory approval before transactions are
finalized. One approach under evaluation is requiring pre-
approval of a percentage of the more sensitive case transactions,
based on random selection. In this example, a system user would
not be able to predict or manipulate which transactions would be
extracted for on-line "Second Party„ approval. Although the
existing "Case Data System" (CDS) is not equipped to select
transactions in this manner, Contra Costa and 17 other counties
will be replacing CDS with CalWIN (locally by November
2003). CaIWIN provides for automated, random selection for
both "pre-approval" and"post-review". We will continue to
pursue this solution as CalWIN implementation proceeds.
• As another efficient means of increasing controls, we anticipate
that CaIWIN will provide enhanced system edits to prevent
inappropriate transactions. Edits could include preventing
issuance of payments over certain dollar limits; retroactive
payments; excessive number of payments on a case;
inappropriate aid category changes; and payments without
second-level approvals.
•
With the enhanced security features available on CalWIN, we
will have the technical means to decrease the number of staff
with access to issue payments, thereby lowering the fraud risk.
8
Internal Operations Committee
Status of Internal Security flan
September 16,2002
5. Enhance processes for background clearances for prospective new
employees
u We have surveyed hiring practices of other counties, specific to
background clearances, and as a result are looking for ways to improve
our current policies regarding two areas: 1) processing fingerprint
clearances and ) reviewing and clearing prospective employees for any
prior welfare fraud history.
Currently, new candidates for employment within EHSD, for
certain job classifications, are required to undergo a
(fingerprinting) criminal clearance. In addition, for certain
classifications, EHSD conducts a clearance of Contra Costa
County public assistance records to identify any history of
assistance fraud.
• We are working toward extending the above two requirements to
all job classifications within EHSD, and include contract and
temporary employees. Our surveying of best practices indicates
that the above two methods are increasingly common to a
number of social service agencies within California, as a means
to help protect the interests and safety of the public, counties, and
agencies.
In conclusion, we continue to make progress in meeting our flan objectives of
lowering risk and exposure to potential internal fraud. This is despite continued
challenges we face through changing mandates, and organizational and related
cost issues. As our fiscal situation improves, we will be investigating how best to
rebuild our QA function. In the coming year, we will focus on improving
prevention methods and detection tools so that the general public and County
interests are best served.
9