Missouri State Auditor's Office

Internal Control and System Weaknesses Increase Risk of Invalid Child Welfare Payments

This audit reviewed the internal controls used to ensure the accuracy and integrity of child welfare payments processed by the Department of Social Service (DSS) Children's Services Integrated Payment System (CSIPS). Auditors reviewed a limited number of CSIPS payment records and found DSS overpaid vendors at least $51,628 during fiscal year 2005. Our work concluded DSS and Information Technology Services Division (ITSD) officials have established appropriate security controls to protect CSIPS from unauthorized access.

Service dates are not thoroughly tracked

DSS officials face an increased risk of making duplicate children services payments or paying for services which should not be provided at the same time because CSIPS does not record or track the exact calendar days services are provided. We found DSS officials overpaid vendors at least $31,898 in fiscal year 2005 due to exact service dates not being recorded on payment transactions. (See page 5)

System control weaknesses allow inaccurate payments

DSS and ITSD officials have established multiple internal controls to edit and validate CSIPS payment data. However, weaknesses in the system may allow inaccurate or unauthorized payments. These weaknesses are the result of established data validation and edit controls that are not working effectively and edit controls that have not been included in the system. A DSS official said some of these weaknesses have been identified, but edits necessary to fix them are not a priority because resources are currently being focused on development of a new processing system. We found DSS officials overpaid vendors at least $19,730 in fiscal year 2005 due to these weaknesses. (See page 7)

No assurance payments are approved

Approval and review of payment source documents is done manually before the payment is entered in CSIPS. There are no post-payment reviews to ensure the amount approved on the source document equals the amount input on the payment transaction. Without performing a post-payment review or authorizing payment source documents electronically after being input, there is an increased risk inaccurate payments will go undetected or invoices and services will be paid that were never approved. (See page 10)

Use of overrides not reviewed

DSS officials did not monitor the use of overrides on CSIPS payment transactions. Overrides bypass CSIPS data validation and edit controls to allow the processing of a transaction to continue. Without properly monitoring the use of overrides on CSIPS payment transactions, there is an increased risk inappropriate payments can be processed without detection by management. (See page 10)

Documented policies and procedures needed to ensure continuity and consistency

DSS officials have developed policies and procedures for the operation of CSIPS, but have not yet formally documented procedures for tracking overpayments and processing deductions, processing transaction errors, or for the retention of payment source documents. Documentation of all aspects of computer operations and support is important to ensure continuity and consistency. (See page 11)