The URL can be used to link to this page

Home My WebLink AboutMINUTES - 10282003 - C94 TO: BOARD OF SUPERVISORS Contra FROM: INTERNAL OPERATIONS COMMITTEE Costa DATE: OCTOBER 20, 2003 .. ..... County SUBJECT: EMPLOYMENT AND HUMAN SERVICES DEPARTMENT INTERNAL SECURITY PLAN UPDATE SPECIFIC REQUEST(S)OR RECOMMENDATION(S)&BACKGROUND AND JUSTIFICATION RECOMMENDATIONS: 1. ACCEPT report from the Employment and Human Services Director on the status of the Department's Internal Security Plan to prevent welfare fraud and COMMEND the Department on the development and implementation of multiple strategies to lower the County's risk and exposure to internal fraud. 2. RECOGNIZE that the Internal Security Plan addresses risk and exposure to internal fraud, and is separate and apart from client fraud detection efforts. 3. REFER to the 2004 Finance Committee the formulation of budget strategies to maintain the more staff-intensive internal security efforts for fiscal year 2004/05. BACKGROUND: On April 6, 1999, the Board of Supervisors referred to the 2000 Internal Operations Committee the monitoring of actions taken by the Employment and Human Services Department (EHSD) following the filing of fraud charges against two County employees, and on County check issuance procedures and administration of petty cash funds, particularly the Immediate Need Imprest Fund. The 1999 Committee reported back to the Board on County check issuance procedures and administration of petty cash funds, and had these items removed as referrals. Since 1999, the Internal Operations Committee has monitored the implementation of the EHSD Internal Security Plan, and reported out to the Board on July 18, 2000, in November 2000, on September 25, 2001, and on September 24, 2002. CONTINUED ON ATTACHMENT: YES SIGNATURE:(. ----------------—--------------------------------------------------------------- ----------- RECOMMENDATION OF COUNTY ADMINISTRATOR RECOMMEN I N OF BOARD COMMITTEE APPROVE OTHER SIGNATURE(S)- GAYLE�I3,tfILKEMA, CHAIR FEDERALD. GLOVER ------------------- -------- ACTION ---------------------------------------------------------- ----------------------------------/-------------------------------------------- z ACTIONOFSOARDON October 28, 2003 APPROVE AS RECOMMENDED X OTHER VOTE OF SUPERVISORS I HEREBY CERTIFY THAT THIS IS A TRUE AND CORRECT COPY OF AN ACTION TAKEN X UNANIMOUS(ABSENT None AND ENTERED ON THE MINUTES OF THE BOARD OF SUPERVISORS ON THE DATE AYES: NOES: SHOWN. ABSENT: ABSTAIN: CONTACT: JULIE ENEA(925)335-1077 ATTESTED: OCTOBER 28,2403 JOHN SWEETEN,CLERK OF THE BOARD OF SUPERVISORS AND COUNTY ADMINISTRATOR CC: INTERNAL OPERATIONS COMMITTEE STAFF EMPLOYMENT AND HUMAN SERVICES COUNTY ADMINISTRATOR EPUTY EHSD Internal Security Pian Update October 20, 2003 Internal Operations Committee Page 2 At its October 20, 2003 meeting, the IOC received the attached report from the Employment and Human Services Director that outlines actions that have been taken and that are planned to be taken in the Department's efforts to prevent welfare fraud. The Department has identified its most significant future challenges for the Internal Security Program as: ♦ the need to re-assess and formulate what specific actions first level supervisors should review, ♦ identifying how new capabilities afforded by the future CalWIN welfare payment and tracking system can assist supervisors and managers in the critical review of eligibility determination and disbursement, ♦ sustaining staff-intensive security efforts such as the Quality Improvement Unit despite diminishing resources Our Committee considers the Internal Security Program to be a necessary activity to deter and prevent loss. Therefore, we recommend that the Employment and Human Services Director meet with the 2004 Internal Operations Committee next March for guidance in the development of budget priorities for 2004/05. Employment & Human Services Department Contra Costa County Bate: October 10, 2003 MENTO TO: Supervisor Federal D. Glover r: Julie Enea Supervisor Gayle B. Uilkema Internal Operations Committee FROM: John B. Cullen, Director /� f SUBJECT: 2003 Internal Operations Committee - EHSD Status Report on Implementation of Internal Security flan Enclosed is our annual status report on the implementation of EHSD's Internal Security Plan. / We ask that the Internal Operations Committee accept the attached report, as a follow-up to our previous September 2002 report to the Committee. We also ask that the Committee schedule a future annual update, in 2004, on the Plan's status. Internal Operations Committee Status of Internal Security Plan October 2003 EHSD► Status Report - Internal Security Pian Implementation Background In 1998, E ISIS established a Fiscal Compliance;Security function and an Internal Security Plan (Plan) focusing on a series of goals, strategies and actions to improve controls over welfare benefit disbursements. Our mission has been to lower the risk and exposure to internal fraud, through prevention and detection methods that are cost effective and enable us to meet legislative mandates. In the past year, EHSD enhanced the security environment and lowered its risk and exposure to potential fraud by implementing major Plan actions, detailed below, that involve: • Second Party Reviews of Welfare Cases • Accountability and Training • Computer Audit Trail for Sensitive Transactions • EBT Security • Improved Segregation over Payment-Related Duties • Financial and Systems Audits • Controlling Security over Computerized (CDS/GIS) Case Data Systems • Fraud Alert Reports and Tools • Future Implementation of New Fraud Prevention.Methods - CalW I Major Actions Taken to Improve Internal Security • Second Party.Reviews of Welfare Cases A fundamental part of our Security Plan calls for increasing the extent and effectiveness of case reviews by second parties. This means establishing a centralized, independent unit devoted to reviewing a large number of welfare cases, and implementing more systematic methods that hold field supervisors 2 Internal Operations Committee Status of Internal Security Plan October 2003 accountable for reviewing their workers' handling of cases. We have made progress in this area, and much additional work remains to be done. ❑ New Quality Improvement Unit - The Board approved the start-up of a Quality Improvement Program Unit to independently review Food Stamp cases. (This Unit essentially replaces the Quality Assurance Unit that was initiated in 2001, but later disbanded given resource limitations at that time.) While this action relates directly to the Food Stamp error rate reduction activities (on which EHSD reports separately to the Committee), creation of this Unit also coincides with a fundamental goal in our Security Plan requiring more effective "Second Party Reviews" of welfare case transactions. Our long-term goal is still to expand this control to cover all programs, including CalWORKS and Welfare-to-Work. l We are currently recruiting to fill four Program Integrity Assistant positions and one Coordinator position to perform these compliance reviews and develop corrective actions. This is the first phase, and as further resources become available, we will fill the remaining four Assistant positions. Although this unit's focus is to review welfare cases for compliance with program quality issues, the resultant higher level of scrutiny over caseworkers' actions also provides a fraud deterrent and another detection tool that complements our separate, internal fraud monitoring. Closer review of a larger number of cases by specialized reviewers increases the likelihood that a potential internal fraud could be detected, in it earliest stages,by a second"set of eyes". To enhance detection capabilities, Fiscal Compliance will be devising a set of internal fraud-related review questions (fraud indicators) to insert into the Unit's program compliance review checklist. 3 .r 914/ Internal Operations Committee Status of Internal Security Plan October 2043 j Enhanced Reviews by Unit Supervisors — We have standardized the design of case reviews by Food Stamp supervisors and have set up a management reporting process. The Field (continuing cases) Supervisors perform monthly reviews of a minimum sample of Food Stamp cases assigned to each caseworker. Intake (application stage) Supervisors now also perform targeted reviews of Food Stamp cases prior to their transfer to continuing units. A Feer Review Team group then re-reviews a sample of completed supervisory reviews to verify accuracy. We will need to continue to work toward expanding this design to other programs, such as CaIWORKS and Welfare-to-Work. Looking forward, we will also need to closely evaluate how the new CaIWIN case data system (planned for implementation in late 2404) can best be utilized to improve current supervisory review techniques. (This is discussed further in the final topic heading below "Future Implementation of New Fraud Prevention Methods- CalWIN".) • Accountability and Training Staff Development and personnel have developed a comprehensive, new Supervisors' Manual to communicate clear expectations and standards for all supervisors. The Manual reinforces security standards for computer system and password usage, case review requirements, accountability, and proper reporting of security breaches. Staff Development conducted a companion series of department-wide training presentations to approximately 150 employees, including the supervisors and managers in the Children and Family Services, Aging and Adult, and Workforce Services Bureaus. Additionally, 20 supervisors received 48 hours of intensive workshop training. The manual material has also been published on the Department's intranet site available to all employees. 4 Internal Operations Committee Status of Internal Security Plan October 2003 • Computer Audit Trail for Sensitive Transactions Fiscal Compliance now preserves and utilizes four new audit trail reports provided by the automated system's vendor. The reports detail all transactions, relating to more than 2,500 monthly Welfare-to-Work supportive service payments, entered by staff on the CDS GAIN Information System (CAIS). This data enables chaser tracking of payment and new provider(payee) transactions and enhances investigation and compliance assessment capabilities. The reports were recently made available after diligent efforts by our security and information technology staff, together with other counties, to press the vendor for this long needed enhancement. • EBT Security Our IT Security Administrator closely manages and controls employees' computer access to the EBT system. o Assignment of individual access levels is based on each employee's job function. Access is divided into 3 categories: 1) The EBT Administrative Terminal (315 Users mostly having "read only" access); 1) PILI selection machines (43 Users disbursed among eight field offices serving the recipients who confidentially select their own PLNS); and 3) Reports Server(14 Users having"read only" ability). o The Administrative Terminal allows for on-line update of welfare data directly to the EBT system, however, only a select few employees have this capability and their use of the terminal is tracked and monitored. Actions taken by these employees is also supported by caseworker and supervisory approval documents that are retained for audit. 5 Internal Operations Conunittee Status of Internal Security Plan October 2003 c Fiscal Compliance is utilizing new EBT system reports and also designing new in-house alert reports to enhance prevention and detection methods, and adapt to the new design of EBT. c3 Fiscal. staff developed and implemented comprehensive EBT card stock and embossing controls. The procedures cover inventorying, ordering and tracking of the cards issued in-house, and incorporate standards for accountability, segregation and the audit trail. We are planning an in- house compliance audit for the fourth quarter 2003. • Improved Segregation over Payment-Delated Duties u In our four major district offices, we implemented full segregation of duties involving Welfare-to-Work supportive service payments on the cases assigned to our Assessment/IntensiveService (AIS) units. The involvement of three separate classifications of employees is now required to disburse supportive payments on these caseloads. Clerical employees issue the payments upon reviewing acceptable documentation and sign- offs, which include pre-authorizations' by caseworkers and final authorizations by supervisors. ca To provide a further "check and balance" segregation control in our four Child Care Units, IT and security staff removed the clerks' computer ability to directly update provider payees on the automated case data system (GIS). Instead, an independent unit at our central Administrative Office now enters this sensitive payment information. o Similarly, we implemented a requirement for centralized data entry of all new providers related to CDS welfare "vendor" payments (approximately 700 vendor warrants are issued per month) and all GIS supportive service payments(approximately 2,500 vendor warrants issued per month). 6 Internal Operations Committee Status of Internal Security Plan October 2003 a Our IT, Security and program staff implemented supervisory pre-approval requirements for Emergency Food Stamp and Emergency Cash Assistance benefits issued on EBT cards. • Financial and Systems Audits o In June 2003, an internal audit of EHSD financial and system operations was commenced by the County Auditor Controller's Office. We will be reviewing the results as they become available and resolving any issues needing attention. o Our Fiscal Compliance staff is planning a fourth quarter 2043 departmental audit of the EBT function to assess compliance with card stock controls and other safeguards. • Controlling Security over Computerized (CDS/GIS) Case Data Systems a Security staff continues to closely control the assignment and maintenance of employees' computer access to the primary Case Data System(CDS and CAIS)that involves 1,540 users. o Each month, security staff evaluates and processes approximately 354 system changes,analyzing these based on employees'job functions. Changes include password resets for existing users, and also security model changes and caseload restrictions arising from staff reassignments, promotions and separations. As a further safeguard, Fiscal Compliance staff re-reviews access levels assigned to the 1,500 users, testing compliance with our security standards. Results have consistently shown that the Department's security assignment process is effective. 7 Internal Operations Committee Status of Internal Security flan October 2003 • Fraud Alert Reports and Tools ❑ Fiscal Compliance monitors, for fraud detection and prevention purposes, the approximate 1,500 users of the welfare case data systems. This is accomplished by using software database querying techniques and audit trail reports detailing transactions by User ID and by welfare case. Monitoring staff also modifies and adds to these reports, keeping pace with changes in programs and computer system designs. ❑ To detect discrepancies, omissions, security breaches and other policy exceptions, staff analyzes data from over 50 reports displaying potential fraud and noncompliance characteristics. Staff matches and crosschecks data elements against compliance factors. E ❑ All users of our automated systems are on notice that all transactions are subject to monitoring and independent review. ❑ The District Attorney Office's (DA) General Fraud Hotline remains in effect as a tool for the entire County, and since our last IO report, we have not received any Hotline referrals of suspected employee fraud. • Future Implementation of New Fraud Prevention Methods - CalWIN ❑ We recognize that more efforts will be necessary, in the coming year, to increase supervisory approval/review requirements for CalWORKS and Food Stamp transactions that are more prone to fraud, and not already covered by our existing supervisory reviews. We will accomplish this in a cost effective manner that also allows us to provide services on a timely basis. ❑ In view of this, an operational work group, under our CalWLN implementation project, is studying efficient ways to implement more on- 8 Internal Operations Conuunittee Status of Internal Security Plan October 2003 line supervisory pre-approval and post-approval requirements for sensitive case transactions. (CalWIN is the new case data system scheduled to replace CDS/GIS, in late 2004.) Our desire is to use enhanced automated sampling techniques available with CalWIN programming. Areas under review include adding new computer edits to hold certain transactions for supervisory approval, thus decreasing the number of staff with direct payment access. Summary We have made good progress in lowering our risk and exposure to potential internal fraud, during a period when we also faced organizational and cost-related challenges to maintain quality services to County residents. We have implemented more controls involving segregation of payment duties, and improved our` Second Party Review processes. However, we recognize that additional work is needed to enhance supervisory "checks and balances", and put in operation the new Quality Improvement Program Unit. In the coming year, we will mobilize our senior and mid level program managers to work together with IT and Security staff to redefine our policies and practices concerning supervisory reviews, in view of the anticipated 2004 Ca1WlN implementation. The goal is to upgrade employee accountability and policy compliance. Additionally, we will adapt our detection tools as this new case data system is rolled out, and seek to implement even more preventive controls and edits. We remain dedicated to heightening security and accountability within the Department, and improving overall program integrity and compliance--to assure that the general public and County interests are best served. 9