AUDIT SHOWS FINANCIAL TRICKERY, DUCKING OF HIRING PROCESSES AND FAILURE TO KEEP CRIMINALS OUT OF CHILD CARE FACILITIES DURING O’MALLEY’S TENURE
Illegal money dealings exceeded $12 Million
The State of Maryland’s audit of the Education Department’s financial affairs during the Martin O’Malley Administration, which was released on June 28, 2016, reveals improprieties that exceeded $12 million, hiring of top staff that avoided established hiring procedures and a failure to conduct criminal background checks for child care workers, all of which violated Maryland law.
The Office of Legislative Audits operates a Fraud Hotline to report fraud, waste, or abuse involving State of Maryland government resources. Reports of fraud, waste, or abuse may be communicated anonymously by a toll-free call to 1-877-FRAUD-11, by mail to the Fraud Hotline, c/o Office of Legislative Audits, or through the Office’s website.
Status of Findings From Preceding Audit Report
Our audit included a review to determine the status of the eight findings contained in our preceding audit report dated February 20, 2013. We determined that MSDE satisfactorily addressed five of these eight findings. The remaining three findings are repeated in this report.
Findings and Recommendations
Federal Funds
Finding 1
The Maryland State Department of Education (MSDE) did not revert statewide indirect cost recoveries totaling $12.3 million to the State’s General Fund as required.
Analysis
MSDE did not revert statewide indirect cost recoveries for fiscal years 2012 through 2014, totaling approximately $12.3 million, to the State’s General Fund as required. Although MSDE included statewide indirect costs in its calculation of the indirect cost recovery rate to be applied to federal grants, MSDE did not revert any of the subsequent federal reimbursements of these costs to the State’s General Fund. MSDE’s total indirect cost recoveries for fiscal years 2012 through 2014 were approximately $39.3 million.
State law provides that funds recovered from federal sources for statewide indirect costs must be reverted to the General Fund and it prohibits granting any waiver or exemption to this requirement. Statewide indirect costs include the costs of central overhead services provided by other State agencies (for example, Comptroller of Maryland) to support MSDE federal grant activities. Although MSDE recovered and appropriately retained approximately $27 million of its own indirect costs during the aforementioned period, MSDE advised us that these amounts were insufficient for its needs and that it retained the statewide indirect costs recovered to help fund its central service functions, such as human resources and information technology.
Recommendation 1
We recommend that MSDE revert the aforementioned and future statewide indirect cost recoveries to the State’s General Fund, as required.
Finding 2
MSDE did not recover expenditures associated with a federal grant in a timely manner, resulting in lost interest income of $140,000.
Analysis
MSDE did not recover, in a timely manner, $10.4 million in federal funds for expenditures associated with a federal grant under the Library Services Technology Act, resulting in lost interest income totaling $140,000. This condition occurred because MSDE failed to initially submit to the federal grantor agency adequate documentation for certain expenditures claimed and did not correct this deficiency for several years.
An audit conducted by the federal grantor agency during fiscal year 2010 concluded that there was a lack of adequate support for grant-related expenditures claimed and recovered by MSDE in fiscal years 2008 and 2009. Consequently, the agency withheld all future payments under that grant until MSDE developed a corrective action plan and submitted detailed support for the past expenditures. MSDE did not submit the corrective action plan until December 2013. The plan was approved by the granting agency in February 2014 and, during the period from March 2014 through June 2015, MSDE submitted requests for reimbursement dating back to fiscal year 2010, which totaled $10.4 million. Because of the resulting delay in recovering these funds, the State lost interest income of approximately $140,000. This issue was commented upon in our Statewide Review of Budget Closeout Transactions for fiscal years 2012 and 2013.
Recommendation 2
We recommend that MSDE ensure that federal funds are recovered in a timely manner.
Interagency Agreements
Finding 3
MSDE improperly used interagency agreements with a State university to staff its Chief Information Officer position. The related agreements lacked details to facilitate effective monitoring by MSDE.
Analysis
MSDE improperly used interagency agreements with Towson University to staff its Chief Information Officer (CIO) position. In addition, the related agreements lacked sufficient details to facilitate effective MSDE monitoring of deliverables. MSDE entered into three consecutive interagency agreements with the University’s Division of Economic and Community Outreach (DECO) to provide a CIO, with one individual serving as MSDE’s CIO for the first two agreements and a second individual serving in this capacity for the third agreement. The three agreements covered the period from November 2011 through June 2015 and the costs incurred by MSDE for the agreements totaled approximately $771,000, which, based on MSDE’s representations, included DECO’s administrative fees of $164,000.
Schedule of Interagency Agreements and Associated Costs, November 2011 through June 2015

| Agreement Number | Billing Period From | Billing Period To | Total Costs* | Administrative Costs: Value | Administrative Costs: Percent of Total Cost |
|---|---|---|---|---|---|
| 1 | 11/14/11 | 06/30/13 | $314,793 | $47,219 | 15% |
| 2 | 07/01/13 | 11/29/13 | 82,591 | 12,389 | 15% |
| 3 | 01/06/14 | 06/30/15 | 373,282 | 104,519 | 28% |
| Total | | | $770,666 | $164,127 | 21% |

* Total costs include the administrative costs.
Source: State accounting records and DECO invoices submitted to MSDE
Questionable Use of Interagency Agreements
Generally, the use of an interagency agreement permits one State agency to obtain services directly from another, alleviating the need for a competitive third party vendor procurement process. MSDE’s use of interagency agreements with DECO to procure the CIO was not consistent with State law or DECO’s mission. State law provides that State employees should perform all State functions in preference to contracting with the private sector. MSDE had an existing budgeted position for a CIO but did not believe the salary was sufficient to obtain highly qualified applicants. As a result, MSDE used the interagency agreement to procure the services of a CIO at enhanced salaries. For example, the fiscal year 2014 payments under the agreements exceeded the budgeted salary and fringe benefit costs for the CIO position by approximately $58,000.[1] While DECO is a State entity, the individual who provided the CIO services in the most recent agreement was not a University employee; rather, the individual was hired contractually specifically for MSDE.
Furthermore, the use of the agreement to obtain the CIO was not consistent with DECO’s mission, which is to leverage the highly qualified research and project talent of the University to solve critical issues facing Maryland’s workforce and economy. As noted above, the individual was not a University employee. DECO’s involvement was generally limited to hiring the employees, paying the salary of the individual provided and invoicing MSDE for those costs, which included its administrative fees. MSDE controlled the selection of the individual hired under the third agreement, and was solely responsible for the daily supervision and monitoring of the individual obtained under all the agreements, including ensuring responsibilities were performed. Information regarding the selection process for the first two agreements was not available since current MSDE personnel were not involved and the related documentation was not retained.
We confirmed with staff at the Board of Public Works that the use of interagency agreements to procure personnel was not appropriate. MSDE management personnel advised us that they were unaware that this was an improper use of the agreements.
Lack of Certain Details in the Agreements
The agreements lacked sufficient details to enable effective monitoring of deliverables. Each agreement was established at a not-to-exceed fixed cost, and payments to DECO were to be based on invoices received, although the basis for payment was not specified.
The scope of the work was generally to direct MSDE’s information technology functions; the four stated deliverables were broad in nature (analysis of MSDE’s Office of Information Technology functionality, recommendations for refinement and improvement, technical supervision and management, and leadership and communication) and remained unchanged from agreement to agreement. One of these deliverables (technical supervision) did require monthly status reports from DECO; however, MSDE could not provide copies of these status reports.
Determination of Agreement Costs Not Supported
MSDE could not explain or provide documentation as to how the costs (reimbursement of salary costs and administrative fees) for these agreements were developed, nor could it provide any independent analysis to determine whether the administrative fees charged by DECO were reasonable. Although not specified in any of the agreements or the related invoices, we were advised by MSDE management that the costs billed to MSDE included DECO’s administrative fees, which were 15 percent for the first two agreements and 28 percent for the third agreement. MSDE could not explain or justify this significant increase in administrative fees in the third agreement. In contrast, in our February 2015 special report on interagency agreements between the Maryland Transit Administration (MTA) and DECO, we noted that DECO advised it charged MTA an administrative fee of 10 percent for the agreements spanning fiscal years 2010 to 2013.
MSDE advised us that it discontinued this arrangement after June 30, 2015, and that it intended to recruit for the CIO as a full-time regular State employee position.
Recommendation 3
We recommend that MSDE
- discontinue its practice of using interagency agreements to hire individuals in lieu of using budgeted positions;
- ensure that agreements contain sufficient details to enable effective monitoring, including assurance that all deliverables are received; and
- ensure that amounts paid under future interagency agreements are reasonable and supported.
Contract Procurement and Monitoring
Finding 4
State regulations for procuring services were not always adhered to and the procedures for monitoring contractor performance were not always sufficient.
Analysis
MSDE did not always adhere to State regulations when undertaking procurements and its monitoring procedures over contractor performance were not always sufficient. During fiscal years 2012 through 2014, MSDE issued 3,521 purchase orders for goods and services with related payments (excluding corporate purchasing card transactions) totaling $277 million. We tested nine service contracts procured by MSDE during the period from July 2011 through May 2014 totaling $20.3 million and noted the following conditions:
Bid Evaluation Documentation Did Not Always Support the Awards
For three contracts totaling approximately $18.1 million, MSDE did not maintain adequate documentation of the procurement and contractor selection processes. Specifically, for two contracts, totaling approximately $17.2 million related to the maintenance and support of two MSDE websites and one reporting system, either the required financial proposals or technical proposals of the losing bidders were not on file. For the third contract, totaling approximately $900,000 for development of online professional courses, there was a lack of documentation of the technical evaluations prepared by the selection committee members. State regulations require that procurement files include all bids or offers received.
Furthermore, for one of these contracts totaling $4.8 million, the evaluation committee members disagreed on certain aspects of the technical qualifications of four bidders who were ultimately disqualified. There was no formal explanation provided as to how these differences were resolved in the selection process and the consolidated evaluation for this contract was not signed by the members of the evaluation committee. This contract was eventually awarded as a single source award to the incumbent vendor even though, based on our review of the technical proposal, this vendor did not meet required education qualifications for 4 of the 11 positions required by the request for proposals (RFP).
Effective Contract and Invoice Monitoring Was Not Established For One Contract
One of the nine contracts, valued at $1.2 million, did not include specific deliverables to enable effective monitoring of performance and verification of the related invoices. According to the contract, the IT vendor was to bill MSDE based on satisfactory completion of “each deliverable” as specified in the RFP; however, neither the RFP nor the contract included specific deliverables. Although the RFP provided a general description of the services needed (subject matter expert on certain IT systems), MSDE did not issue any task orders to direct the vendor’s work.
MSDE did not ensure that the hours billed were accurate. Invoices submitted by the vendor were accompanied by timesheets and logs describing the work performed and the related hours and charges. We were advised that the invoices were reconciled to both the timesheets and the logs; however, there was a lack of documentation to support this assertion. Furthermore, our review of six invoices totaling $222,500 disclosed discrepancies between the invoices and these documents that were not identified or resolved by MSDE. For example, the vendor charged approximately $10,000 for hours that were not worked according to the supporting documents.
Bid Solicitation Period and Award Notifications Were Not in Accordance with State Regulations
MSDE did not always allow the minimum 20-day bid solicitation time (the period between the date of publication of the invitation for bid and the due date for the related bids), as required by State regulations. Our tests disclosed four contracts, totaling approximately $1.1 million, for which the bid solicitation time ranged from 5 to 9 days. A shortened solicitation time may result in a reduced number of bids being received. For one of the four contracts, MSDE received one bid and, for each of the other three, MSDE received either two or three bids.
In addition, for two contracts tested totaling $2 million, MSDE did not publish the awards on eMaryland Marketplace as required by State regulations. State regulations require that contract awards greater than $25,000 be published on eMaryland Marketplace within 30 days of the contract award.
Recommendation 4
We recommend that MSDE
- maintain adequate procurement documentation, including all bidder proposals and support for all critical considerations and decisions made by evaluation committees;
- ensure that all contracts provide sufficient details as to deliverables to enable effective monitoring of performance;
- ensure that invoices are appropriately verified to supporting documentation and tasks performed;
- review all invoices submitted by the aforementioned IT vendor and take appropriate action, such as recovering overpayments made, including those we identified; and
- ensure compliance with State Procurement Regulations.
Cash Receipts
Finding 5
MSDE did not adequately control funds received in its business office. Certain checks were not promptly endorsed and recorded, and prenumbered receipt forms were not accounted for.
Analysis
MSDE did not adequately control funds received in its business office, which totaled approximately $47.4 million during fiscal year 2014.
- Checks related to grant reimbursements (grant funds returned from local education agencies), which totaled approximately $13.5 million during fiscal year 2014, were not recorded and restrictively endorsed immediately upon receipt. Rather, the collections were handled by at least two employees prior to being recorded on prenumbered receipt forms and endorsed.
- MSDE did not maintain complete and accurate records of prenumbered receipt forms. In addition, voided forms were not reviewed for propriety and there was no process to periodically account for the forms as to issued, voided, or on hand. Numerous MSDE units, including the business office, used these forms to record collections received. The MSDE units then submitted the forms and the related collections to MSDE’s business office for processing and deposit. As a result, completed receipt forms and corresponding checks could be misappropriated without detection.
- MSDE did not require large payments to be submitted electronically to enhance control and accountability over the funds. For example, according to MSDE’s records, local education agencies submitted 128 checks totaling approximately $33.9 million to MSDE headquarters during fiscal year 2014 as reimbursement for the costs of certain employee retirement benefits. Our review disclosed that there were 92 checks submitted, each valued at more than $50,000, including 10 checks that were each between $1.4 million and $2.7 million. Controls could be enhanced by requiring large payments to be submitted electronically.
Similar conditions regarding the failure to immediately record collections and account for prenumbered receipt forms were noted in our preceding audit report. The Comptroller of Maryland’s Accounting Procedures Manual requires immediate recording and restrictive endorsement of collections, as well as proper accounting for prenumbered receipt forms.
Recommendation 5
We recommend that MSDE
- ensure that collections are restrictively endorsed and recorded immediately upon receipt (repeat);
- maintain complete and accurate records of all prenumbered receipt forms and account for the forms as to issued, voided, or on hand (repeat); and
- pursue requiring large collections to be remitted electronically to enhance accountability and control over the funds.
Child Care Programs
Background
MSDE is responsible for child care programs in the State, including licensing facilities, monitoring facility compliance with regulations (for example, ensuring that health and safety standards are met), and taking enforcement actions against child care facilities. MSDE oversees child care facilities through its 13 regional child care offices across the State. According to MSDE records, as of June 2014, the State’s licensed child care facilities consisted of 7,086 family child care homes and 2,703 child care centers. These facilities were licensed to serve approximately 219,000 children.
MSDE also oversees the State’s Child Care Subsidy Program, which provides financial assistance to eligible families to meet their child care needs. The Program is administered by the 24 local departments of social services. According to MSDE’s records, during fiscal year 2014, Child Care Subsidy expenditures totaled approximately $81.5 million ($37.8 million in general funds and $43.7 million in federal funds).
The Child Care Administration Tracking System (CCATS) is used by MSDE to record, approve, and monitor facility licenses, individuals associated with those facilities (including employees), and subsidy-related eligibility, vouchers, and payments.
Finding 6
MSDE did not have an adequate process to ensure that criminal background checks were obtained for all child care employees and that the results of background checks and any subsequent alerts were adequately pursued.
Analysis
MSDE did not adequately ensure that criminal background checks were obtained for all individuals employed at child care facilities and that the results of the initial background checks and any subsequent alerts were adequately pursued. According to State law, all individuals must apply for a criminal background check on or before the first day of employment at a licensed child care facility.
MSDE headquarters and its regional child care offices are notified via the Criminal Justice Information System (CJIS) of the results of the initial background checks. MSDE also monitors these individuals through annual field visits to each licensed child care facility and through CJIS, receiving alerts if they have any subsequent criminal activity in Maryland. According to MSDE’s records, approximately 3,600 alerts were received during fiscal year 2014.
- MSDE did not have adequate procedures to ensure the initial criminal background check process was comprehensive. MSDE’s procedures did not require its child care specialists to determine during annual field visits to child care facilities whether all employees working at the facilities were recorded in CCATS.[2] For example, child care specialists were not required to compare the names of employees listed in the payroll records of child care centers with those recorded in CCATS. Only individuals recorded in CCATS were subject to MSDE’s criminal background check verification procedures.
Furthermore, MSDE did not ensure that an initial criminal background check had been received and reviewed for each individual recorded in CCATS. Our test of nine individuals recorded in CCATS disclosed that there was no record that the initial criminal background check had been obtained for two individuals who were hired 6 and 30 months prior to our test. For a third individual tested, MSDE’s files indicated that the criminal background check was received and reviewed, but there was no CJIS documentation on file to substantiate those actions.
- MSDE did not ensure that staff at its regional child care offices fully investigated each criminal background check alert and took proper follow-up action, such as by verifying that the individual was no longer associated with the facility. Our review of 25 alerts received at five regional child care offices during the period from June 2013 through July 2014 disclosed that follow-up actions were not taken or were not properly documented for 6 alerts. Specifically, for 5 alerts, MSDE relied on assertions from the child care centers that the individuals were no longer employed and did not review payroll records to verify these assertions. Another alert tested indicated that the individual was employed by a local school system and not a child care facility; however, MSDE made no attempt to contact the school system to ensure the employee was not working with children.
Certain of these conditions were commented upon in our preceding audit report.
Recommendation 6
We recommend that MSDE
- enhance procedures, as part of its annual inspections, to ensure that all individuals associated with child care facilities are properly recorded in CCATS (repeat);
- ensure that criminal background check results are obtained and reviewed for all individuals working at child care facilities, including those noted above, and that such reviews are documented; and
- ensure that criminal background check alerts are thoroughly reviewed and pursued, including those noted above, and that such reviews and related follow-up actions are documented (repeat).
Finding 7
MSDE did not restrict user access to the Child Care Subsidy Program features on CCATS to those individuals requiring access to perform their jobs and to prevent the recording of improper transactions.
Analysis
MSDE did not ensure that user access capabilities related to the Child Care Subsidy Program assigned to individuals on CCATS were adequately restricted to prevent improper transactions. Our review of critical system access assigned to 681 users disclosed numerous users who were assigned unnecessary or inappropriate system access. MSDE did not periodically generate reports for its review that identified all users and their accesses.
Our review of a user access report that we requested and obtained from the CCATS vendor disclosed 90 individuals who had been assigned system access to process critical transactions, such as child care subsidy applications, but who no longer required this access. These individuals included 68 people who were no longer employed by MSDE, the vendor, or the local department of social services through which access was originally granted.
In addition, we noted 558 employees with user roles in CCATS (predefined access for particular functions) that provided them with incompatible capabilities. These employees had the capability to create a subsidy application in the system, determine eligibility, issue a payment voucher, and establish and authorize the child care facility to receive payment without independent approval.
According to the State of Maryland’s Information Security Policy, system access should be limited to the appropriate authorized individuals and should be properly controlled.
Recommendation 7
We recommend that MSDE
- periodically generate and review reports of users’ assigned access capabilities,
- restrict user access capabilities for critical functions to those employees who require such capabilities for their job duties and ensure proper segregation of duties and independent review and approval of critical transactions, and
- immediately remove the unnecessary user access capabilities assigned to the aforementioned individuals.
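The periodic access review recommended above can be automated against a user access report. The following is an added example, not code from the audit report or from CCATS: the role names, the report layout and the sample rows are constructed assumptions, and only the four capabilities come from the finding.

```python
import csv
import io

# The four steps named in the finding that one user could perform alone.
CREATE_APP = "create_application"
DETERMINE_ELIG = "determine_eligibility"
ISSUE_VOUCHER = "issue_voucher"
AUTHORIZE_FACILITY = "authorize_facility_payment"

# Hypothetical role names mapped to capabilities (assumption, not CCATS roles).
ROLE_CAPABILITIES = {
    "intake_worker": {CREATE_APP},
    "eligibility_worker": {DETERMINE_ELIG},
    "payment_clerk": {ISSUE_VOUCHER},
    "provider_admin": {AUTHORIZE_FACILITY},
    "case_manager": {CREATE_APP, DETERMINE_ELIG, ISSUE_VOUCHER,
                     AUTHORIZE_FACILITY},
    "read_only": set(),
}

# Capability sets that no single user should hold in full.
TOXIC_COMBINATIONS = [
    frozenset({CREATE_APP, DETERMINE_ELIG, ISSUE_VOUCHER, AUTHORIZE_FACILITY}),
]

# Constructed sample of a user access report (roles separated by ';').
SAMPLE_REPORT = """user_id,employer,status,roles
u1001,MSDE,active,case_manager
u1002,LDSS,active,intake_worker;eligibility_worker
u1003,LDSS,separated,payment_clerk
u1004,vendor,separated,read_only
u1005,LDSS,active,intake_worker;eligibility_worker;payment_clerk;provider_admin
u1006,MSDE,active,mystery_role
"""


def parse_report(text):
    """Parse the CSV access report into a list of user records."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        roles = [r.strip() for r in row["roles"].split(";") if r.strip()]
        users.append({
            "user_id": row["user_id"].strip(),
            "status": row["status"].strip().lower(),
            "roles": roles,
        })
    return users


def effective_capabilities(roles):
    """Union the capabilities of all roles; return unknown roles separately."""
    caps, unknown = set(), []
    for role in roles:
        if role in ROLE_CAPABILITIES:
            caps |= ROLE_CAPABILITIES[role]
        else:
            unknown.append(role)
    return caps, unknown


def review_access(text):
    """Flag stale accounts, segregation-of-duties conflicts and unmapped roles."""
    findings = {"stale": [], "sod_conflicts": [], "unknown_roles": {}}
    for user in parse_report(text):
        caps, unknown = effective_capabilities(user["roles"])
        if unknown:
            # A role that cannot be evaluated goes to manual review
            # instead of being silently treated as harmless.
            findings["unknown_roles"][user["user_id"]] = unknown
        if user["status"] != "active" and user["roles"]:
            # Separated individual who still holds any role assignment.
            findings["stale"].append((user["user_id"], sorted(caps)))
        if any(combo <= caps for combo in TOXIC_COMBINATIONS):
            # Conflict can come from one broad role or from several
            # narrow roles accumulated over time.
            findings["sod_conflicts"].append(user["user_id"])
    return findings


if __name__ == "__main__":
    for kind, items in review_access(SAMPLE_REPORT).items():
        print(kind, items)
```

The check evaluates the union of a user's roles, so a conflict built up from several narrow roles (u1005) is caught as well as one granted by a single broad role (u1001).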
Information Systems and Controls
Background
MSDE information technology (IT) operations are decentralized over several sites including the MSDE headquarters. Each site’s IT operations function as a separate entity, with its own applications, network components, and detailed disaster recovery plan. However, most of the network administration is performed by the Office of Information Technology (OIT), which is located at MSDE headquarters. OIT operates and maintains a wide area network spread throughout the various MSDE offices, which provides connectivity and Internet access to connected sites. OIT also maintains the MSDE website, and key applications such as the Educator Information System (EIS), which maintains educator accreditation and certification information. The Child Care Administration Tracking System is hosted by a third-party service provider. In conducting our audit, we selected the MSDE headquarters for our general controls, security, and network reviews, and focused our review on certain systems including the EIS.
Finding 8
Contractors had unnecessary network level access to numerous critical MSDE servers and workstations unrelated to the projects they were assigned.
Analysis
Contractors had unnecessary network level access to the MSDE network. MSDE was developing and enhancing several systems with extensive use of third-party contractors. Our analysis, performed during December 2014, determined that there were 183 individuals working for contractors who were assigned active MSDE network user accounts. These contractors worked both on-site at the MSDE headquarters location and remotely via a virtual private network connection to the MSDE network. We were advised by MSDE personnel that these contractors should only have access to the specific servers involved with their projects and certain support servers. The access these contractors had been granted allowed them broader access to numerous other critical MSDE servers and workstations, which places these devices at unnecessary risk of compromise.
Recommendation 8
We recommend that MSDE restrict each contractor’s network level access to only those servers and workstations that each contractor needs to access.
Finding 9
MSDE did not properly safeguard sensitive personally identifiable information and malware protection over MSDE workstations could be inappropriately disabled.
Analysis
Controls over sensitive information and malware protection were not sufficient.
- MSDE inappropriately stored sensitive personally identifiable information (PII) in clear text. Specifically, we identified 1,333,740 unique student social security numbers in clear text with related names and 189,981 unique teacher social security numbers in clear text with related names in two separate databases. In addition we were advised that this sensitive PII was not protected by other substantial mitigating controls, such as the use of data loss prevention software. Furthermore, MSDE had not developed a complete inventory of its sensitive PII, where it was located, if it was encrypted, and if there was a valid business reason to retain this information. This PII is commonly sought by criminals for use in identity theft. Accordingly, appropriate information system security controls need to exist to ensure that this information is safeguarded and not improperly disclosed. The State of Maryland’s Information Security Policy states that agencies should protect confidential data using encryption technologies and/or other substantial mitigating controls.
- The management console used to distribute and configure anti-malware software for over 1,000 MSDE computers was set to allow workstation users to disable two critical anti-malware modules that protected these workstations from viruses, spyware, and unknown threats. Accordingly, all workstation users could disable these features of the anti-malware software installed on their workstation and render it unable to protect against network and file based threats.
Recommendation 9
We recommend that MSDE
- perform an inventory of its systems and identify all sensitive PII,
- determine if it is necessary to retain sensitive PII and delete all unnecessary PII,
- for all retained PII use approved methods to encrypt all sensitive PII not otherwise properly protected, and
- properly configure its anti-malware management console so that users cannot disable their locally installed anti-malware software.
Finding 10
Disaster recovery plans for two locations were not comprehensive and backups of certain critical databases were not stored offsite.
Analysis
Disaster recovery plans for two locations were not comprehensive and backups of certain critical databases were not stored offsite.
- MSDE did not have adequate IT plans for recovering from disaster scenarios (for example, a fire). Our review of MSDE’s disaster recovery plans found deficiencies at two critical locations, including the Division of Rehabilitation Services, which operates a case management application that is used to make disbursements associated with the rehabilitation of people with disabilities, which for fiscal year 2014 totaled in excess of $17 million. For example, MSDE’s disaster recovery plan for the Division did not adequately address certain requirements of the State of Maryland’s IT Disaster Recovery Guidelines, including the restoration of network connectivity, specific alternate site processing, and provisions for testing. Without complete disaster recovery plans, a disaster could cause significant delays, for an undetermined period, in restoring operations beyond the expected delays that would exist in a planned recovery scenario. A similar condition was commented upon in our two prior audit reports.
- Daily backups of two critical databases, which housed teacher certification information, were not stored offsite. These backups were stored within the same data center as the server hosting the critical production databases. Consequently, if the facility housing the original databases and backup data were destroyed by a disaster, all critical information could be lost. According to the State of Maryland’s IT Disaster Recovery Guidelines, backup media should be created and stored off-site in a secure, environmentally controlled location.
Recommendation 10
We recommend that MSDE comply with the IT Disaster Recovery Guidelines by
- developing and implementing comprehensive information systems disaster recovery plans (repeat); and
- storing all backups of critical data at an off-site secure, environmentally controlled location.
Reporting of Employee Misconduct
Finding 11
MSDE did not make timely disclosure to the appropriate legal authorities of certain questionable payroll and personnel activity related to five employees.
Analysis
MSDE did not notify the Governor’s Chief Legal Counsel of certain possible criminal or unethical conduct by five employees, as required. Further, although MSDE’s chief legal counsel was advised of the situation, the Office of the Attorney General (OAG) – Criminal Division was not notified as required. Consequently, there is no assurance that MSDE took appropriate follow-up action when questionable activity on the part of several employees was brought to its attention.
During the audit period, MSDE received five allegations of questionable payroll and personnel issues involving five employees. MSDE performed a limited review for each of these allegations, such as comparing a selection of time records to independent sources and, in each case, substantiated certain improper activity, including misrepresentation of hours worked and falsified documents. Based on those initial results confirming the allegations, MSDE chose not to expand its review to determine the full scope of the improper activity, believing that it had conducted a reasonable investigation and was limited by the State’s 30-day time frame to impose disciplinary action stipulated in State law. However, without consulting the Criminal Division, there is no assurance that the investigative actions were sufficient or that the resultant disciplinary actions were appropriate.
For example, for one allegation of falsified time records, MSDE reviewed the time records for one month for the employee noted in the allegation and compared them to the sign-in logs at the employee’s facility. The review identified several instances where the employee indicated working on days in which there was no record of the employee signing in to the facility. Based on MSDE’s calculations, this employee was overpaid $3,592 for the month reviewed. However, MSDE did not expand testing to determine the extent of the falsified timesheets, allowed the employee (who had worked for MSDE since 1996) to resign in lieu of termination, and deducted the aforementioned $3,592 from the employee’s final leave payment. For the remaining four cases reviewed, a similar reporting deficiency was noted and MSDE either recovered any improper payment identified (one employee was required to repay $699) or required the individuals to forfeit leave. Ultimately, two of the employees subsequently resigned, one was terminated, and one received written counseling.
The Governor’s Executive Order, Standards of Conduct for Executive Branch Employees, requires that all departments and agencies of the State immediately report any instance of possible criminal or unethical conduct by an employee or contractor of the State to the Governor’s Chief Counsel and to the agency’s chief legal counsel or the Criminal Division. Further, internal OAG policy requires the agency’s legal counsel to report all such instances to the Criminal Division.
Recommendation 11
We recommend that MSDE
- notify the Office of the Attorney General’s Criminal Division and the Governor’s Chief Legal Counsel of the aforementioned questionable activity and, in the future, notify the appropriate entities in accordance with the aforementioned Executive Order and OAG policy; and
- adhere to guidance from those offices when conducting investigations and imposing disciplinary action.
Audit Scope, Objectives, and Methodology
We have conducted a fiscal compliance audit of the Maryland State Department of Education (MSDE) for the period beginning July 1, 2011 and ending June 30, 2014. The audit was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
As prescribed by State Government Article, Section 2-1221 of the Annotated Code of Maryland, the objectives of this audit were to examine the Department’s financial transactions, records and internal control, and to evaluate its compliance with applicable State laws, rules, and regulations.
In planning and conducting our audit, we focused on the major financial-related areas of operations based on assessments of significance and risk. The areas addressed by the audit included the child care program, federal funds, grants, procurements and disbursements, budgetary closeout transactions, cash receipts, payroll, and information systems security and control. Our audit also included various support services (including payroll processing, purchasing, maintenance of accounting records, and related fiscal functions) provided by MSDE to the Maryland Longitudinal Data System Center, which is audited separately. We also determined the status of the findings contained in our preceding audit report.
Our audit did not include an evaluation of internal controls over compliance with federal laws and regulations for federal financial assistance programs and an assessment of MSDE’s compliance with those laws and regulations because the State of Maryland engages an independent accounting firm to annually audit such programs administered by State agencies, including MSDE.
To accomplish our audit objectives, our audit procedures included inquiries of appropriate personnel, inspections of documents and records, observations of MSDE’s operations, and tests of transactions. Generally, transactions were selected for testing based on auditor judgment, which primarily considers risk. Unless otherwise specifically indicated, neither statistical nor non-statistical audit sampling was used to select the transactions tested. Therefore, the results of the tests cannot be used to project those results to the entire population from which the test items were selected.
We also performed various data extracts of pertinent information from the State’s Financial Management Information System (such as revenue and expenditure data) and the State’s Central Payroll Bureau (payroll data). The extracts are performed as part of ongoing internal processes established by the Office of Legislative Audits and were subject to various tests to determine data reliability. We also extracted data from the Child Care System for the purpose of testing user access. We determined that the data extracted from these various sources were sufficiently reliable for the purposes the data were used during this audit. Finally, we performed other auditing procedures that we considered necessary to achieve our objectives. The reliability of data used in this report for background or informational purposes was not assessed.
MSDE’s management is responsible for establishing and maintaining effective internal control. Internal control is a process designed to provide reasonable assurance that objectives pertaining to the reliability of financial records, effectiveness and efficiency of operations including safeguarding of assets, and compliance with applicable laws, rules, and regulations are achieved.
Because of inherent limitations in internal control, errors or fraud may nevertheless occur and not be detected. Also, projections of any evaluation of internal control to future periods are subject to the risk that conditions may change or compliance with policies and procedures may deteriorate.
Our reports are designed to assist the Maryland General Assembly in exercising its legislative oversight function and to provide constructive recommendations for improving State operations. As a result, our reports generally do not address activities we reviewed that are functioning properly.
This report includes findings relating to conditions that we consider to be significant deficiencies in the design or operation of internal control that could adversely affect MSDE’s ability to maintain reliable financial records, operate effectively and efficiently, and/or comply with applicable laws, rules, and regulations. Our report also includes findings regarding significant instances of noncompliance with applicable laws, rules, or regulations. Other less significant findings were communicated to MSDE that did not warrant inclusion in this report.
MSDE’s response to our findings and recommendations is included as an appendix to this report. As prescribed in the State Government Article, Section 2-1224 of the Annotated Code of Maryland, we will advise MSDE regarding the results of our review of its response.
Finding 1
The Maryland State Department of Education (MSDE) did not revert statewide indirect cost recoveries totaling $12.3 million to the State’s General Fund as required.
Recommendation 1
We recommend that MSDE revert the aforementioned and future statewide indirect cost recoveries to the State’s General Fund, as required.
MSDE Response:
MSDE agrees with the Finding and partially agrees with the Recommendation.
The Agency acknowledges that it had not calculated the specific amount of federal indirect cost recoveries related to the Statewide Cost Allocation Plan and that these were not previously reverted to the State. MSDE had not believed itself to be out of compliance since specific appropriation had not previously been provided for this purpose and because overall revenue to the State was not impacted.
Beginning in FY 2016, MSDE has specific budgetary appropriation to accomplish this transaction and will revert statewide indirect cost recoveries to the State’s General Fund annually henceforth. However, MSDE does not have access to prior year recoveries. Therefore, it is not possible for MSDE to revert the prior year statewide indirect cost recoveries.
Finding 2
MSDE did not recover expenditures associated with a federal grant in a timely manner, resulting in lost interest income of $140,000.
Recommendation 2
We recommend that MSDE ensure that federal funds are recovered in a timely manner.
MSDE Response:
MSDE agrees with the Finding and Recommendation.
To ensure that Library Services Technology Act (LSTA) drawdowns are performed on a timely basis in the future, the Division of Library Development Services has developed an ‘IMLS Drawdown Schedule’ covering the quarterly periods for recovery of expenditures incurred from the present through December 31, 2017. Similarly, the School and Community Nutrition Programs Office and the Accounting Branch have developed schedules which will help to ensure that drawdowns are performed on a timely basis.
Finding 3
MSDE improperly used interagency agreements with a State university to staff its Chief Information Officer position. The related agreements lacked details to facilitate effective monitoring by MSDE.
Recommendation 3
We recommend that MSDE
a. discontinue its practice of using interagency agreements to hire individuals in lieu of using budgeted positions;
b. ensure that agreements contain sufficient details to enable effective monitoring, including assurance that all deliverables are received; and
c. ensure that amounts paid under future interagency agreements are reasonable and supported.
MSDE Response:
MSDE agrees with the Finding and Recommendations.
Regarding Recommendation a., in the future, MSDE will limit the use of interagency agreements for appropriate purposes. MSDE recently hired a Chief Information Officer in a regular PIN position.
Regarding Recommendation b., MSDE agrees that agreements should contain sufficient details to enable effective monitoring, including assurance that all deliverables are received. In this regard, see MSDE’s corrective action response for Recommendation b. of Finding 4.
Regarding Recommendation c., MSDE will ensure that future payments under interagency agreements are reasonable and supported. In this regard, see MSDE’s corrective action response for Recommendation c. of Finding 4.
Finding 4
State regulations for procuring services were not always adhered to and the procedures for monitoring contractor performance were not always sufficient.
Recommendation 4
We recommend that MSDE
a. maintain adequate procurement documentation, including all bidder proposals and support for all critical considerations and decisions made by evaluation committees;
b. ensure that all contracts provide sufficient details as to deliverables to enable effective monitoring of performance;
c. ensure that invoices are appropriately verified to supporting documentation and tasks performed;
d. review all invoices submitted by the aforementioned IT vendor and take appropriate action, such as recovering overpayments made, including those we identified; and
e. ensure compliance with State Procurement Regulations.
MSDE Response:
MSDE agrees with the Finding and Recommendations.
Regarding Recommendation a., on October 26, 2015, a procurement meeting was held to reinforce COMAR Title 21 regulations including COMAR 21.05.01.07 detailing the Procurement Record.
In future Requests for Proposals (RFPs), the procurement officer will work with the project sponsor to ensure that the criteria for award are reasonable, justifiable and promote competition. Correspondence between the procurement officer, project sponsor, and approving agency will be retained to document how the required criteria were determined. The procurement officer will thoroughly review the memorandum from the technical evaluation committee to verify that the recommendation of award is reflective of the entire committee. If any offeror is deemed non-susceptible of award from the evaluation committee, that the criteria is reviewed and confirmed. If there are discrepancies with the recommendation for award, the procurement officer will list the concerns to the committee for clarification and corrections. Also, when the procurement officer reviews the evaluation committee’s recommendation for award, the procurement officer will thoroughly confirm that all the requirements of the solicitation have been met. The evaluation documents of each committee member will be retained in the official procurement file. Documentation for the above-mentioned activities will be printed and retained in the official procurement file.
Regarding Recommendation b., during the Request for Proposals (RFP) process, the procurement officer, project sponsor, and approving agency work together to draft a concise scope of work (deliverables). Also, within the RFP, it will clearly explain how payment is based. The financial form should link directly with the scope of work. The RFP, vendor’s technical and financial proposals are incorporated and considered a part of the contract.
Regarding Recommendation c., in the future invoices will be appropriately verified to supporting documentation and tasks performed. In this regard, MSDE developed a Consultant Work Log which records specific information regarding the work performed by Consultants. The use of this Log particularly when reviewing invoices for payment will be reemphasized for use throughout the Agency during an Executive Team Meeting to be held on September 12, 2016.
Regarding Recommendation d., by September 30, 2016, MSDE will review all invoices submitted by the aforementioned vendor for the period July 1, 2011 through June 30, 2014 and take appropriate action which will include the potential recovery of overpayments, including those identified.
Regarding Recommendation e., to address the last cited non-compliance issue regarding state procurement regulations, on October 26, 2015, a procurement meeting was held to reinforce COMAR Title 21 regulations. It included discussion of the minimum bidding time of 20 days when soliciting bids for services or commodities that are expected to exceed $25,000. In addition, if an approving agency has a minimum bidding time that is stricter than the COMAR regulations, that must be followed as well. The meeting also discussed the requirement of publishing awards over $25,000 on eMaryland Marketplace within 30 days of award. The internal procurement log was revised to include a section to note the eMaryland Marketplace publish date.
The corrective responses provided for this Finding provide assurance that the Agency is complying with state procurement regulations.
Finding 5
MSDE did not adequately control funds received in its business office. Certain checks were not promptly endorsed and recorded, and prenumbered receipt forms were not accounted for.
Recommendation 5
We recommend that MSDE
a. ensure that collections are restrictively endorsed and recorded immediately upon receipt (repeat);
b. maintain complete and accurate records of all prenumbered receipt forms and account for the forms as to issued, voided, or on hand (repeat); and
c. pursue requiring large collections to be remitted electronically to enhance accountability and control over the funds.
MSDE Response:
MSDE agrees with the Finding and Recommendations a. and b. MSDE respectfully disagrees with Recommendation c.
Regarding Recommendation a., MSDE agrees that collections should be restrictively endorsed and recorded immediately upon receipt. In this regard, as a result of a prior OLA audit, the Accounting Branch developed ‘Procedures for filling out Receipt of Deposit (RD) Forms’. These procedures require employees to stamp the back of checks ‘For Deposit Only’ as soon as envelopes containing them are opened. The noted non-compliance is an exception to RD processing procedures. Accounting Branch supervision has reviewed these procedures with employees who perform these responsibilities to ensure that they understand and will comply with these procedures. Subsequently, Accounting Branch supervision will review the RD procedures on at least a semi-annual basis with Accounting Branch employees who perform these functions and will document the reviews.
Regarding Recommendation b., MSDE agrees that pre-numbered RD receipt forms need to be accounted for as to whether they are issued, voided or on hand. A complete inventory of issued, voided and on-hand RD forms was completed as of November 30, 2015. The next inventory is scheduled to be completed by November 30, 2016. MSDE has already taken steps to develop an electronic solution for generating and tracking receipt of deposit forms which will maintain complete and accurate records of prenumbered deposit forms.
Regarding Recommendation c., for several logistical reasons, MSDE does not agree that large collections should be remitted electronically. A key issue is that detail regarding how to apply the payment to multiple funds or programs is not included with electronic payments. Consequently, additional manual work would need to be performed on the payor and payee sides in providing/obtaining the necessary detail to properly account for the payment. Checks are accompanied by detailed allocations on the sub-grant level, which is required by the federal government and processing collections electronically may cause us to fail our federal audits. Also, additional manual work would be required when subgrants are reconciled between the Annual Financial Reporting (AFR) and Financial Management Information System (FMIS) systems. Finally, there may be a financial impact in using electronic payments since there is usually a fee that is imposed on both parties for these payments.
Auditor’s Comment: MSDE’s response indicated that it disagrees with our recommendation to receive large dollar payments electronically because of the lack of supporting documentation for the electronic payments and the need for subsequent manual processing. However, the method used to receive the funds would not preclude the receipt of the existing documentation, and manual processing would be consistent with the accounting required for checks. Furthermore, these large collections relate primarily to local education agencies. It is not unreasonable to expect these agencies, who receive State funds electronically, to return those excess funds in the same manner.
Finding 6
MSDE did not have an adequate process to ensure that criminal background checks were obtained for all child care employees and that the results of background checks and any subsequent alerts were adequately pursued.
Recommendation 6
We recommend that MSDE
a. enhance procedures, as part of its annual inspections, to ensure that all individuals associated with child care facilities are properly recorded in CCATS (repeat);
b. ensure that criminal background check results are obtained and reviewed for all individuals working at child care facilities, including those noted above, and that such reviews are documented; and
c. ensure that criminal background check alerts are thoroughly reviewed and pursued, including those noted above, and that such reviews and related follow-up actions are documented (repeat).
MSDE Response:
MSDE respectfully disagrees with the Finding as it does have adequate processes to ensure that criminal background checks (CBC) are obtained for all child care employees and that the results of background checks and any subsequent Alerts are adequately pursued. It agrees with Recommendations a and b. Finally, MSDE respectfully disagrees with Recommendation c.
MSDE agrees with Recommendation 6a. During the audit a separate procedure, “Verifying Staff Employment in Child Care Facilities During Annual Unannounced Inspections”, was created and became effective on September 18,
- This separate procedure clarified existing procedures used during Annual Unannounced Child Care Facility inspections which verified that all individuals associated with Child Care Facilities had obtained a Criminal Background Check (CBC) and that the individuals were properly recorded in CCATS. The separate procedure requires child care specialists to compare the names of employees listed in the payroll records of child care centers with those recorded in CCATS. This procedure also requires that any difference(s) noted in personnel, whether new or no longer working, as a result of the comparison of the records be input into CCATS within ten days.
MSDE agrees with Recommendation 6b. While the Criminal Background Check (CBC) for case 2 on OLA’s spreadsheet who was hired 30 months prior to the test was not in the file when OLA tested the documentation on March 11, 2015, the CBC had been performed on a timely basis and documentation was subsequently obtained and placed in file.
MSDE has effective procedures to ensure that Criminal Background Checks (CBCs) are received and reviewed for all employees working at child care facilities. Criminal Background Checks have been obtained and are on file for the remaining two noted exceptions which resulted from non-compliance with MSDE’s CBC procedures. By June 30, 2016, these procedures will be redistributed via email to all Licensing Staff emphasizing their importance and the need to comply with them.
MSDE respectfully disagrees with Recommendation c. Bullet point 2 of the Finding states that “…..follow-up actions were not taken or were not properly documented for 6 Alerts.” MSDE has proper procedures to investigate all Alerts received. These procedures require that all actions taken to follow-up on Alerts be documented. MSDE followed its procedures for each of the 6 Alerts and had provided to OLA in its response to the preliminary finding a detailed explanation regarding the follow-up activities which were documented. Copies of the documentation were also provided to OLA.
MSDE disagrees that it did not ensure the proper disposition, did not attempt to determine the employment status of the individual and that documentation related to the follow-up was inadequate for an Alert associated with a public school system. Since the public school system never owned or operated licensed child care facilities no facility existed to contact or inspect for this Alert. The follow-up action taken for this Alert was adequately documented. The Agency thoroughly reviewed, pursued and created adequate documentation supporting its follow-up of this Alert.
Auditor’s Comment: Although MSDE determined the individual was not working with a child care center, we believe that MSDE should have contacted the school system to ensure the individual was not working with children.
Regarding the remaining five Alerts, the second bullet point states “In addition, for 5 Alerts, MSDE relied on assertions from the child care centers that the individuals were no longer employed and did not review payroll records to verify these assertions.” Per its documentation, MSDE made exhaustive attempts to determine the employment status of the individuals associated with each of the five Alerts. Specifically, for each of the five cited Alerts, using the ‘Individual named in the Alert’ MSDE performed a total system search of the CCATS database after which the ‘Named Individual’ was not found. This means that a search was conducted for the individual throughout the entire CCATS system, which covers the entire State of Maryland, to determine if the individual was ever associated with any child care provider in CCATS, or with any of the other Office of Child Care (OCC) Branches (Child Care Subsidy and Credentialing) since the implementation of the CCATS system. In addition, MSDE performed searches of all other possible relevant databases, such as CHESSIE/CIS (Department of Human Resources databases) in its efforts to properly investigate the Alerts. None of the five individuals were found in these databases. Following these intensive internal efforts to identify the employment status of the five cited individuals MSDE contacted knowledgeable personnel at the ‘Organizations’ associated with the Alerts and documentation was created and placed in file at point of contact. Four of the five entities responded that the individuals had ‘never been employed’. The entity associated with the fifth cited Alert having a date of March 3, 2014 responded that the individual’s employment ended July 21, 2006. Finally, for each of the licensed child care facilities associated with the five cited Alerts MSDE had made Unannounced Annual Inspections before and after the date of the Alerts. 
During these Unannounced Annual Inspections, none of the individuals in the referenced Alerts were found to be employed. For these reasons, MSDE believes that it did ensure that staff at its regional child care offices fully investigated each of the five cited criminal background check Alerts and took proper follow-up action. The Agency thoroughly reviewed, pursued and created adequate documentation supporting its follow-up of these five Alerts.
Auditor’s Comment: We were advised by MSDE Child Care management, both during and subsequent to the audit, that no follow-up action was taken to confirm the verbal representations made by the agency. In addition, no evidence of the efforts noted in the response has been provided by MSDE.
Finding 7
MSDE did not restrict user access to the Child Care Subsidy Program features on CCATS to those individuals requiring access to perform their jobs and to prevent the recording of improper transactions.
Recommendation 7
We recommend that MSDE
a. periodically generate and review reports of users’ assigned access capabilities,
b. restrict user access capabilities for critical functions to those employees who require such capabilities for their job duties and ensure proper segregation of duties and independent review and approval of critical transactions, and
c. immediately remove the unnecessary user access capabilities assigned to the aforementioned individuals.
MSDE Response:
MSDE wants to note that the processes regarding the processing of Child Care Subsidy Vouchers changed effective August 31, 2015 when a vendor assumed responsibilities which were performed prior by Local Departments of Social Services (LDSS) offices. The Office of Legislative Audits (OLA) tested the processes which were in effect prior to August 31, 2015. Consequently, MSDE agrees with the Finding that in a pre-August 31, 2015 environment one object (Voucher Receipting) was found to have been inappropriately granted to two roles (POC Case Manager and POC Case Manager Supervisor). The CCATS Security Matrix is in the process of being modified to correct this issue. It is the opinion of the agency that other potential segregation of duties issues noted by the auditors resulted from misinterpretation of information displayed on the CCATS Security Matrix. As an example, the object (function) entitled ‘Eligibility’ does not mean that roles (job titles) granted this function can determine whether an individual applying for Child Care Subsidy is eligible since the CCATS system mechanically determines whether the applicant is eligible. However, MSDE disagrees with the Finding in a post-August 31, 2015 environment as the cited inappropriate access no longer existed and no one individual has the capability to perform from beginning to end all of the ‘critical’ functions associated with the issuance of a Child Care Subsidy Voucher and related payments to Child Care providers. Also, MSDE agrees with Recommendation (a) from both pre- and post-August 31, 2015 environments and Recommendations (b) and (c) in a pre-August 31, 2015 environment.
Auditor’s Comment: Based on our analysis, all 558 individuals noted in our report had improper access at the time of our test work, including the ability to process applicant eligibility. While CCATS determines the eligibility, the individuals cited in our report had user roles that allowed them to enter the data that were the basis for these determinations and, therefore, could manipulate the data to ensure eligibility.
In a post-August 31, 2015 environment, MSDE has established policies and procedures to ensure that all staff have only the roles and permissions assigned that are necessary for them to perform their specific job functions. All roles are reviewed as required, or needed when new roles are added, to ensure proper access, security and segregation of duties. In addition, MSDE and the vendor for case management (XEROX) have quality assurance procedures in place to review case management functions within the CCATS system both for the LDSS and the vendor. In the case of the vendor, an internal quality assurance staff person reviews cases on a daily basis and reports to the State any issues. The State staff person reviews the cases identified by the vendor as well as conducting their own review of a random sampling of cases. In the case of the LDSS, staff review cases according to the schedule developed to determine adherence to regulation and policy. In both cases, if errors are noted, a corrective action plan is established and any conflicts or unauthorized access are addressed immediately.
The following discussion clearly demonstrates that in a post-August 31, 2015 environment, no individual has the capability to perform from beginning to end all of the ‘critical’ functions associated with the issuance of a Child Care Subsidy Voucher and subsequent payments.
Step 1. An application is completed by an individual seeking Child Care Subsidy assistance.
Step 2. The application is mailed, faxed or emailed to an outside central vendor facility or, if the family is applying for or receiving temporary cash assistance, is taken to a Local Department of Social Services (LDSS).
Step 3. If taken to a LDSS, a staff person (data entry personnel or caseworker) keys the information from the application into the CCATS system. If submitted to the Vendor, the information is keyed into the CCATS system by data entry personnel.
Step 4. After the information is keyed into CCATS by data entry personnel the case is available for the eligibility worker to review the case. The eligibility worker verifies the information provided by the applicant with the information entered into CCATS. If the information is correct, the eligibility worker selects the Determine Eligibility button for the CCATS system to determine the eligibility of the applicant.
Step 5. If the applicant is determined to be eligible by the CCATS system a Child Care Subsidy Voucher can then be generated by the CCATS system.
Step 6. The voucher along with a cover letter is generated electronically by the CCATS system, sent through an overnight print batch job and is mailed to the eligible parent.
Step 7. Once the applicant receives the Subsidy Voucher they sign it and present it to the child care provider of their choice.
Step 8. If the child care provider agrees to accept the Voucher, they complete the provider section of the voucher, sign it and the countersigned Voucher is submitted to the central vendor facility.
Step 9. The countersigned Voucher is scanned into the vendor’s work management system.
Step 10. The countersigned Voucher is associated in CCATS with the child care provider indicated on the countersigned voucher so that payments can be made to the provider for child care services rendered.
It should be noted that the functions performed at the central vendor facility are randomly assigned to personnel so that no one employee performs all the ‘critical’ steps in processing a Child Care Subsidy Voucher.
Also, as a result of a prior audit, each month the functionalities for at least one role (job title) shown on the CCATS Security Matrix is reviewed for accuracy.
Finally, two additional security reports have been developed and were implemented on December 31, 2015. The first report lists login activity for a user by date, group and role. This report will be reviewed at least annually to determine if any individual has multiple roles and that those roles are not in conflict with access capabilities or their job responsibilities. The login report is also reviewed to determine and monitor login activity. The report shows successful logins only. CCATS is designed so that users do not have the option to log into functions that are not authorized. Only the functions for which the individual is authorized are visible to the user with unauthorized functions not visible and therefore, not available for the user to choose. When the agency is informed of any staff who has left employment the account is disabled immediately. To ensure that no account is kept active after a period of inactivity, the second report (the User Status Report) lists the user account status with the last login date to identify inactive accounts. The User Status Report is produced and reviewed on a monthly basis. Any account not used within the past 30 days is disabled as appropriate. Any inactive account is automatically disabled by the CCATS system after 60 days of inactivity.
In view of the above explanation of the controls, procedures and developed reports related to the issuance of Child Care Subsidy Vouchers and related payment, the reviews of eligibility determinations made during the LDSS reviews and the Federal Improper Payment triennial reviews the Agency believes that adequate procedures and controls exist regarding the issuance of Child Care Subsidy Vouchers and related payments.
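The two report reviews and the end-to-end capability claim in the response above can be run as a repeatable check. This is an added example, not part of the audit report or of CCATS; the role names, the function names other than 'Eligibility', the choice of critical functions and the report rows are constructed assumptions.

```python
from datetime import date

# Constructed security matrix: role -> functions. Names are hypothetical
# except 'Eligibility', which the response cites as a matrix object.
ROLE_FUNCTIONS = {
    "Data Entry": {"KeyApplication"},
    "Eligibility Worker": {"Eligibility"},
    "Voucher Clerk": {"AssociateVoucher"},
    "Supervisor": {"KeyApplication", "Eligibility"},
}
# Functions assumed to cover the voucher chain from beginning to end.
CRITICAL_CHAIN = {"KeyApplication", "Eligibility", "AssociateVoucher"}

# Constructed report rows: (user, roles, last successful login, enabled)
USER_STATUS = [
    ("asmith", ["Data Entry"], date(2016, 1, 10), True),
    ("bjones", ["Supervisor", "Voucher Clerk"], date(2016, 1, 14), True),
    ("clee", ["Eligibility Worker"], date(2015, 12, 1), True),
    ("dkim", ["Voucher Clerk"], date(2015, 10, 30), True),
    ("epark", ["Data Entry"], date(2015, 9, 1), False),
]

def functions_for(roles):
    """Union of functions granted by all of a user's roles."""
    granted = set()
    for role in roles:
        granted |= ROLE_FUNCTIONS.get(role, set())
    return granted

def sod_conflicts(rows, chain=CRITICAL_CHAIN):
    """Enabled users whose combined roles cover every function in the chain."""
    return sorted(user for user, roles, _, enabled in rows
                  if enabled and chain <= functions_for(roles))

def inactive_accounts(rows, today, review_days=30, auto_days=60):
    """Enabled accounts past the monthly-review and auto-disable thresholds."""
    review, overdue = [], []
    for user, _, last_login, enabled in rows:
        if not enabled:
            continue
        idle = (today - last_login).days
        if idle > auto_days:
            overdue.append(user)   # still enabled: auto-disable did not fire
        elif idle > review_days:
            review.append(user)    # candidate for disabling at monthly review
    return review, overdue

if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts(USER_STATUS))
    print("Inactive:", inactive_accounts(USER_STATUS, date(2016, 1, 15)))
```

Passing a narrower chain, such as data entry plus eligibility only, tests the combination the Auditor's Comment describes rather than the full beginning-to-end chain.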
Finding 8
Contractors had unnecessary network level access to numerous critical MSDE servers and workstations unrelated to the projects they were assigned.
Recommendation 8
We recommend that MSDE restrict each contractor’s network level access to only those servers and workstations that each contractor needs to access.
MSDE Response:
MSDE agrees with the Finding and Recommendation.
MSDE agrees with the finding and recommendation that contractor network level access be restricted to only the servers and workstations they need to access. As of May 20, 2016, the list was scrubbed down to thirty-one individuals remaining on the cited VPN. By June 30, 2016 at the latest, OIT will determine the required access for each of the 31 individuals and either remove them from the cited VPN or will adjust their access to that needed to perform their jobs. Documentation regarding this review process which will be run every 6 months will be created and on file.
Finding 9
MSDE did not properly safeguard sensitive personally identifiable information and malware protection over MSDE workstations could be inappropriately disabled.
Recommendation 9
We recommend that MSDE
- perform an inventory of its systems and identify all sensitive PII,
- determine if it is necessary to retain sensitive PII and delete all unnecessary PII,
- for all retained PII use approved methods to encrypt all sensitive PII not otherwise properly protected, and
- properly configure its anti-malware management console so that users cannot disable their locally installed anti-malware software.
MSDE Response:
MSDE agrees with the Finding and Recommendations.
Regarding Recommendation a., by December 31, 2016 MSDE will perform an inventory of its systems and identify all sensitive PII.
Regarding Recommendation b., by July 31, 2017 MSDE will determine if it is necessary to retain sensitive PII and will also delete any unnecessary PII by the same date.
Regarding Recommendation c., by December 31, 2017 all sensitive PII will be encrypted using approved methods contained in the State of Maryland’s Information Security Policy.
Regarding Recommendation d., MSDE has configured its anti-malware management console as of June 4, 2015 so that users cannot disable their locally installed anti-malware software.
Finding 10
Disaster recovery plans for two locations were not comprehensive and backups of certain critical databases were not stored offsite.
Recommendation 10
We recommend that MSDE comply with the IT Disaster Recovery Guidelines by
- developing and implementing comprehensive information systems disaster recovery plans (repeat); and
- storing all backups of critical data at an off-site secure, environmentally controlled location.
MSDE Response:
MSDE agrees with the Finding and Recommendations.
Regarding Recommendation a., a Disaster Recovery Plan will be developed in compliance with the State of Maryland’s IT Disaster Recovery Guidelines for Headquarters by December 15, 2016. A Disaster Recovery Plan for DORS has been developed and the first annual test of its functionality will be performed on or before September 30, 2016.
Regarding Recommendation b., MSDE has commenced the procurement of DoIT’s Enterprise Backup-as-a-Service (BaaS) solution and plans to have this offsite backup system in place by July 30, 2016. The state DR service will have 2 separate, physically diverse and distinct backup sites. The MSDE backup data will be fully available at either site, one is a commercial datacenter and the other is a state approved datacenter more than 30 miles away for geographical diversity.
Finding 11
MSDE did not make timely disclosure to the appropriate legal authorities of certain questionable payroll and personnel activity related to five employees.
Recommendation 11
We recommend that MSDE
- notify the Office of the Attorney General’s Criminal Division and the Governor’s Chief Legal Counsel of the aforementioned questionable activity and, in the future, notify the appropriate entities in accordance with the aforementioned Executive Order and OAG policy; and
- adhere to guidance from those offices when conducting investigations and imposing disciplinary action.
MSDE Response:
MSDE agrees with the Finding and Recommendations.
Regarding Recommendation a., by June 3, 2016 MSDE will notify the Office of the Attorney General’s Criminal Division and the Governor’s Chief Legal Counsel of the five questionable activities. Similarly, it will notify these entities of any future questionable activities in accordance with the aforementioned Executive Order and OAG policy.
Regarding Recommendation b., MSDE will adhere to guidance provided from the Attorney General’s Criminal Division and the Governor’s Chief Legal Counsel after referring cases to them due to questionable activity and receiving such guidance.
AUDIT TEAM
Brian S. Tanen, CPA, CFE
Audit Manager
Richard L. Carter, CISA
Stephen P. Jersey, CPA, CISA
Information Systems Audit Managers
Julia M. King
Sandra C. Medeiros
Senior Auditors
Brendan Coffey, CPA, CISA
Edwin L. Paul, CPA, CISA
Information Systems Senior Auditors
Andrew S. Bien, CPA
Anthony V. Calcagno
Phillip C. Funkhouser
Julian N. Greene, CPA
Amanda L. Howell
James J. Podhorniak, CFE
Timothy S. Rice
Donald J. Rodis, III, CPA
Edward A. Rubenstein, CPA
Staff Auditors
Gregory Busch
Edward O. Kendall
Information Systems Staff Auditors
[1] This difference was based on an OLA estimate of the budgeted salary and fringe benefits using MSDE’s fiscal year 2014 allowance for the position.
[2] Facilities report new employees to MSDE, and the employees are required to apply for and obtain criminal background checks themselves. The results are reported by CJIS to the facilities and the regional MSDE offices, with MSDE recording the dates the background checks were received.