Controls and Performance Audit Dece

Controls and Performance Audit
December 2012
This report is intended solely for the information and use of OMB, DOR and the State Budget Committee and is not intended to be, and should not be, used by any other party, with the exception of oversight agencies for the performance of their oversight responsibilities.


Contents
Contents
Background 4
Executive Summary 6
Overview 6
Summary of Opportunities for Improvement 8
Scope and Methodology 13
Opportunities for Improvement 16
Known and Identified Errors 18
Reconciliations of Funds 18
Unreconciled Accounts 19
Organizational Wide Opportunities for Improvement 20
Control Environment 20
Integrated Tax System 21
Key Operational Business Process Opportunites for Improvement 22
Taxpayer Registration and Education 22
Perform Front-End Processing 23
Process Tax Return Data 25
Process Receipts 26
Perform Billing Activities 28
Issue Refunds or Credits 28
Provide Taxpayer Assistance 31
Perform Collection Activities (past-due items) 31
Perform Enforcement Activities 33
Perform Tax Administration and Analysis 35
Manage Revenue Accounting and Distribution 36
Key Infrastructure Business Process Opportunities for Improvement 40
Plan for and Manage the Organization 40
Manage Organizational Design 41
Manage Information Technology 44
Manage Financial Accounting and Reporting 51
Perform Internal Audit 58
Legal 59
Report Administration 61
Appendix A — Updated Key Business Process Maps 63

.

Background
Background
In May 2012, OMB embarked on performing an independent risk assessment and internal Controls and Performance Audit of DOR. This initiative related to concerns that arose over the Organization’s information technology (IT) systems and financial operations after two significant financial errors were discovered.
DOR is the state entity that collects and accounts for the majority of general fund tax revenues for the State of Indiana (the “State”). DOR is responsible for assessing and collecting the taxes and transferring them into proper funds so that they may be utilized by the State and, when required, local governments as prescribed by statute. It is also responsible for managing taxpayer accounts and for generating reports that are utilized to distribute certain local revenues, such as local option income taxes (LOITs), food and beverage, auto rental, professional sports development areas, etc., back to local governments.
DOR has strategically focused its efforts on increasing customer satisfaction and serving its customer, the Indiana taxpayer. In recent years they streamlined operational areas, which resulted in more efficient returns processing and an enhanced taxpayer experience. Since 2008, DOR has significantly reduced the time frame for processing returns while also cutting the processing cost per return. With their focus primarily on processing taxes, support areas such as information systems management and financial accounting and reporting appear to have been a lower priority for the Organization. Without this same degree of focus, the control environment and importance of financial and IT controls were not as rigorous in preventing or detecting errors within the financial accounting systems.
Within the past year, DOR discovered two significant errors regarding corporate tax and LOIT distributions. Specifically, DOR discovered that $320 million of corporate tax e-file payments were not transferred from a holding account, thereby overstating the account balance of one account while understating the balance of another. Additionally, DOR identified that $206 million in LOITs were not distributed to local governments because programming changes related to new legislative rules were not thoroughly tested within the system and the allocation of the funds was not correctly computed. DOR has acknowledged these errors and is taking proactive measures to reclaim the trust of the taxpayers and the legislature.
As a result of DOR’s challenges, a new Revenue Commissioner and Chief Financial Officer were hired in May 2012, soon followed by a new Chief Information Officer, two Deputy Controllers and a Strategic Transformation Initiatives Leader. Additionally, some supervisory and management staff have also turned over, with new individuals being placed into those positions. This new management team is focused on evaluating and correcting the identified errors while identifying other risks requiring remediation.
OMB initiated an independent and objective Risk Assessment along with a Controls and Performance Audit of DOR to analyze the circumstances and corrective actions necessary for the identified errors along with the identification of additional risks and concerns that may exist in DOR. OMB’s expectation is that the final Controls and Performance Audit report will provide recommendations for improving IT and financial controls and other recommendations deemed
Background
appropriate to include replacement of IT system(s), Organizational/structural changes, legislative changes, etc. As such, Deloitte & Touche was contracted to perform the requested services, starting with a risk assessment and continuing into the Controls and Performance Audit.
The risk assessment process identified and risk ranked eighteen key business processes for the Organization’s performance audit universe. Nine key business processes were identified as high risk, eight were identified as medium risk, and one was identified as low risk. Furthermore, several general risk themes became apparent and relate to one of the following fundamental questions:
• Does the Organization have the right strategy and governance mechanisms in place to achieve its mission?
• Does the Organization have the right processes and technologies in place to support its strategies?
• Does the Organization have the right people in place to execute the processes and technologies in accordance with the Organization’s expectations?
The Controls and Performance Audit further examined these risk themes along with the specific risks identified within the risk assessment and the ensuing report presents the results of this work.  
Executive Summary
Overview
Deloitte & Touche performed a Controls and Performance Audit of the key business processes within DOR based on the initial risk assessment concluded in August 2012. The testing covered eighteen key business processes as well as the identified errors that were recently uncovered. The Controls and Performance Audit was directed toward determining whether the foundational elements of people, processes, technology and governance within the Organization are adequately utilized, efficiently designed and operating effectively.
A number of significant opportunities for improvements were identified which highlights the need for DOR to enhance their key business processes and supporting technologies to better serve the needs of the Organization and ultimately the Indiana taxpayer. The issues identified are an accumulation of events and decisions that have been made over several decades which contributed to a weak control environment that resulted in DOR’s inability to prevent and detect errors such as the Corporate Tax and Local Income Tax errors. Furthermore, DOR does not have in place the technology systems necessary to support their core business functions resulting in a number of technology work arounds and manual processing that increases risk of errors being made and going undetected. A strong system of internal controls and supporting technologies must be in place for an organization to be able to maintain integrity and help ensure completeness and accuracy of their transactions.
The issues identified did not arise overnight; neither will they be fixed overnight. Many of the issues are complex and will require a significant investment of time and resources to address while others may be able to be addressed quickly. The task of evaluating, prioritizing, and remediating these issues will be great, especially in light of other competing priorities and sustaining day-to-day operations. While many within the State will be focused on wanting to see immediate and sustained results, it’s important that the task be done diligently so as to truly create transformative change that drives value to Indiana taxpayers.
Report Layout
Our report is organized in five main sections. The Background section provides a look into the events that led to OMB hiring Deloitte & Touche to conduct the Risk Assessment and Controls and
Performance Audit. The Executive Summary provides an overview of the challenges faced by DOR, the procedures performed, identified strengths exhibited by DOR, and the identified opportunities to improve. The Scope and Methodology section provides detail as to what processes were reviewed and what testing methods were utilized while the Opportunities for Improvement section discusses each of the significant issues identified. Finally, the Appendix provides a risk map of DOR’s eighteen key business processes and subprocesses updated to reflect the risks for each at the conclusion of the Controls and Performance Audit.


Procedures Performed
Thinking of the known errors as symptoms, a top-down assessment was completed to diagnose root causes of these symptoms. This review began with a risk assessment focused on gaining an understanding of DOR’s key business processes through interviews with key DOR personnel and review of relevant policies, procedures, and business process-related documentation. Once an understanding of key business processes was gained, DOR-specific risks were identified and combined with the inherent risks that are pervasive within revenue agencies and similar governmental organizations. An overall ranking of high, medium, or low risk was then assessed for each subprocess. These risk rankings were then captured on the Controls and Performance Audit Universe by color-coding each subprocess with its overall risk s