Purchasing Internal Audit and Management Responses2

Purchasing Internal Audit
March 26, 2015

March 26, 2015
Dear Audit and Accountability Committee:
On behalf of Schneider Downs, we thank you for selecting our firm to assist the Internal Audit
Department in the performance of the Purchasing internal audit for Columbus City Schools (CCS). The
scope of the audit is outlined in this document. Our report includes the following sections: Executive
Summary, Background, Objectives and Scope, Procedures Performed and Summary of Observations.
It should be recognized that controls are designed to provide reasonable, but not absolute assurance that
errors and irregularities will be prevented, and that procedures are performed in accordance with
managements intentions. There are inherent limitations that should be recognized in considering the
potential effectiveness of any system of controls. For instance, the projection of any evaluation of
controls to future periods is subject to the risk that the controls may become inadequate due to changing
conditions and/or that the operating effectiveness of the controls may deteriorate. Additionally, though a
review of evidential matter and other procedures performed may suggest specific controls are functioning
effectively, there remains the risk that controls may not have been functioning effectively or consistently
throughout the prior periods.
The accompanying internal audit report is the result of our internal audit conducted in accordance with the
Statements on Standards for Consulting Services of the American Institute of Certified Public
Accountants. In accordance with our engagement letter, this internal audit did not constitute an audit of
financial statements in accordance with generally accepted auditing standards. This report has been
prepared for use by the Audit and Accountability Committee of Columbus City Schools and Internal
Audit.
Please contact me (614-586-7257/dowens@schneiderdowns.com) or Angela Gillis (614-586-7209/

agillis@schneiderdowns.com) if you should have any questions.
Sincerely,
Donald R. Owens
Shareholder
Internal Audit and Risk Advisory Services
cc: Dr. J. Daniel Good, Superintendent

Mary Jo Hudson, Audit & Accountability Committee Chair
Carolyn Smith, Internal Auditor
Columbus City Schools Purchasing Audit Report
March 26, 2015
Table of Contents
PAGE
EXECUTIVE SUMMARY 1
BACKGROUND 1
OBJECTIVES AND SCOPE 2
PROCEDURES PERFORMED 2
SUMMARY OF OBSERVATIONS 4
APPENDIX A PURCHASING REQUIREMENTS SUMMARY 13

March 26, 2015
EXECUTIVE SUMMARY
This report summarizes the observations of the 2014 Purchasing internal audit performed by Schneider
Downs on behalf of the Internal Audit Department of Columbus City Schools. The results of our review
can be found in the subsequent sections. This report summarizes the observations identified during
fieldwork and provides recommendations to enhance the processes and controls with respect to
purchasing activities. The details provided within the observations were previously reviewed with the
Internal Audit Department and respective management.
For the areas reviewed, Schneider Downs identified several key observations as described in the
Summary of Observations section.
In the course of our fieldwork we worked closely with personnel in the Purchasing Department, as well as
other personnel that support purchasing activities. In doing so, we found that the staff take great pride in
their work and are committed to the success of Columbus City Schools.
BACKGROUND
The Columbus City Schools District (CCS or District) is under the leadership of Superintendent Dan
Good, Ph.D. and the seven-member Board of Education. The CCS mission states that each student is
highly educated, prepared for leadership and service and empowered for success as a citizen in a global
community. As a part of the 2014 internal audit plan, the CCS Internal Audit Department was tasked by
the Board to perform an internal audit of the purchasing activities throughout the District.
CCS has adopted and maintains a system of purchasing and procurement that is based on sound business
practices and is supported by the following standards:
Interest of the school district and the betterment of its educational program.
Greatest value for every tax dollar expended.
Integrity of the sales representative.
Equal consideration and unbiased judgment in answering responsible vendors.
Decline of gifts or favors which may influence purchases.
A purchasing manual is maintained that includes procedures for outside purchasing, internal
requisitioning and distributing, and internal and external auditing. Special efforts are made to award work
to companies owned or controlled by local economically disadvantaged enterprises (LEDE) in purchases,
leases, contracts and subcontracts authorized by district personnel.
Board approval is required for consulting, engineering fees and architectural purchases of $5,000 and
over. Additional cumulative purchases over $25,000 in a fiscal year for a single vendor must be Board-
approved, regardless of the amount. Smaller purchases may be covered by the Pre-Approved Vendor
List. A Request for Exemption from Purchasing Requirements is used if appropriate justification exists.
Any individual purchase order of $25,000 or more must be Board-approved, even if the vendor appears
on the Pre-Approved Vendor List.
Contracts and/or payments for professional and legal consulting services require authorization by the
Board. Two different Board actions, in the form of two authorization resolutions, are required to process
professional and legal consulting fees:
1. The Board must first authorize (1) the engagement of the consultant and (2) the encumbrance of
funds for payment of consulting fees.
2. After the Board's approval of the engagement and encumbrance, claims for services performed
must be submitted to the Board to authorize the treasurer to pay fees.
Page 1
March 26, 2015
An advertisement is required to be placed in the Columbus Dispatch and in the Ohio MBE if the purchase
is expected to be $100,000 or more. If the purchase is construction-related or the purchase is for school
buses, the advertisement is placed in the Columbus Dispatch for two consecutive weeks.
See Appendix A for the Purchasing Requirements Summary document that is used by the Purchasing
Department to ensure that the appropriate actions are taken for the different types of services and
materials procured at different dollar thresholds.
OBJECTIVES AND SCOPE
The primary objectives of the Purchasing internal audit were the following:
Comprehensive policies and procedures addressing purchasing and procurement activities are
formal and documented
Training, communications, tools, resources and information required to support procurement and
contracting are available, sufficient and provided in a timely manner
Delegations of purchasing authorities are consistent with applicable regulations and policies and
are adequately documented, maintained and communicated
Proper segregation of duties exist within the Purchasing Department and the Accounts Payable
department
Vendor information is complete and accurate and maintained appropriately
Adequate internal controls exist to limit exposure to unauthorized or inappropriate transactions
Procurement files are well organized and contain all supporting documents
Process exists to monitor and document vendor performance
Appropriate and timely financial and non-financial procurement information is reported internally
and externally as required
PROCEDURES PERFORMED
Review of process and control documentation was performed to assess the adequacy of the design of
controls identified during the walkthroughs and confirm whether the controls were properly placed in
operation. In addition, we performed walkthroughs of purchasing processes and controls to further
understand processes, assigned responsibilities and key controls. Once the critical processes and controls
were identified, we (selecting samples where appropriate) tested the identified controls to assess the
operating effectiveness of the controls within the purchasing environment. This information was then
used to assess residual risk and identify control gaps that may need remediation or performance
enhancement opportunities to further strengthen the purchasing control environment.
The specific areas and artifacts reviewed, and tasks performed, are as follows:
Obtained applicable purchasing policies and procedures and determined the adequacy of the policies
and procedures with respect to amount and type of purchasing activities and compliance with
regulations.
Ensured that the policies and procedures have been communicated to appropriate personnel.
Reviewed prior examination reports to determine whether corrective action has been implemented for
noted deficiencies.
Obtained a system-generated listing of purchase orders processed within the testing period and
performed the following:
o Reviewed the listing for any unusual amounts (i.e. frequently repeating amounts, credit
balances, etc.)
o Reviewed for numerical sequence of purchase orders
Page 2
March 26, 2015
o Reviewed for purchase orders open for an unreasonable amount of time

For a sample of purchase orders processed within the testing period, performed the following:
o Ensured that adequate documentation exists to support the purchase and meet purchasing
requirements
o Ensured that the proper approvals were obtained prior to purchase
o For purchases requiring bids to be solicited, ensured that a Request for Quote (RFQ) was
documented and the proper bidding activities were performed
o For purchases requiring the solicitation of consulting services, ensured that a Request for
Proposal (RFP) was documented and the proper solicitation activities were performed
Obtained a system-generated listing of current vendors processed through Vendor Self-Service (VSS)
and performed the following:
o Searched for duplicate vendors
o Searched for vendors that are also CCS employees or Board members
For a sample of vendors processed through VSS, ensured that adequate documentation existed to
support approval of the vendor as a qualified CCS vendor (W-9, proof of insurance, TIN, email
address)
Obtained evidence of the most recent daily run of the VSS listing against the Federal Terrorist List
and Findings for Recover List and ensured that matches were investigated and resolved
Obtained the current Pre-Approved Vendor Listing and ensured that the listing was being monitored
and audited on a periodic basis
Selected a sample of vendors on the Pre-Approved Vendor Listing and performed the following:
o Ensured that adequate documentation existed to support approval of the vendor as a qualified
CCS vendor (W-9, proof of insurance, TIN, email address)
o Ensured that the vendor met the qualifications for inclusion on the list
Obtained the current LEDE Vendor Listing and performed the following:
o Ensured that the listing was monitored and audited on a periodic basis
o Ensured that LEDE vendor purchases as a percentage of all vendor purchases was within a
specified timeframe conforming to CCS policy
o Ensured that analyses of LEDE purchases were performed and periodically reviewed by the
Board
Selected a sample of vendors on the LEDE Vendor Listing and performed the following:
o Ensured that adequate documentation existed to support approval of the vendor as a qualified
CCS vendor (W-9, proof of insurance, TIN, email address)
o Ensured that the vendor met the qualifications for inclusion on the list
Determined how vendor performance and experiences were measured, documented and used for
future purchasing activity
Obtained evidence of training provided during the testing period relating to requisitioning, purchase
order processing, approval process and other purchasing activities and assessed the adequacy, nature
and timing of the training and whether the appropriate CCS employees were in attendance
Page 3
March 26, 2015
SUMMARY OF OBSERVATIONS
Based upon the procedures performed, a number of observations having varying degrees of risk were
noted. The following table outlines the observations and the risk ratings assigned to each. The definition
of each ratings significance is noted below.
Observations 1 2 3
1. Outdated Board Policies X
2. Missing Insurance Documentation for Active Vendors in Vendor Self-Service

X
(VSS)
3. Discrepancies on the Pre-Approved Vendor Listing X
4. Discrepancies on the LEDE Vendor Listing X
5. NETCOM.NET.COM Vendor Inappropriately on the LEDE Vendor Listing X
6. Lack of Review of the Gaps in Purchase Order Sequence X
7. Duplicate Vendor FINs and SSNs in MUNIS X
8. Excessive Access to Vendor Setup and Processing in the MUNIS System X
9. MUNIS System Access Accounts Payable Manager Improper Access X
10. Vendor Lists Not Run Against Terrorists Lists X
11. Monitoring of LEDE Vendor Use Not Performed X
12. Inadequate Storage of Vendor Files X
13. Vendors with Employee Addresses X
14. Purchase Orders with Future Dates X
15. Failure to Document Vendor Performance Issues X
16. Loss of Vendor Data History Due to the Vendor Merge Program X
17. Improper Filing and Storage of RFP and RFQ Documentation X
NOTE: 1-high/unacceptable risk requiring immediate corrective action; 2-moderate/undesirable risk

requiring future corrective action; and 3-low/minor risks that management should assess for potential
corrective action.
The sections below contain the observations from the internal audit. Each observation includes the
condition identified during the audit and recommendations to enhance the control environment.
Page 4
March 26, 2015
Observation 1 Outdated Board Policies
The Board-approved purchasing policies include the date of the adoption, as well as the date that the
policy was last updated at the bottom of each policy; however, the date of the most recent Board review
and approval is not documented on the policy. Per inspection of the Board meeting minutes, the
purchasing policies had not been reviewed and approved by the Board in the last 12 months.
Recommendation:
A full inventory of policies should be performed, and a schedule of reviews and approval by the Board
should be established and maintained. The Purchasing Director should be assigned responsibility for
maintaining the schedule and presenting the purchasing-related policies to the Board. Additionally,
management should add the date of the last Board review/approval to the bottom of each policy.
Observation 2 Missing Insurance Documentation for Active Vendors in Vendor Self-Service

(VSS)
For a sample of 25 Active vendors in MUNIS (in Vendor Self-Service (VSS)), two vendors were found
to not have the required insurance documentation maintained within MUNIS. DLT Solutions, Inc. had
one purchase order issued for $2,778.87. Maredy Candy Corp. had five purchase orders issued totaling
$7,386.
Further, for the same sample of 25 Active vendors, two vendors were found to have expired insurance
policies. Mid City Electric had two purchase orders totaling $29,790 issued after the insurance expiration
date. NAPA had seven purchase orders totaling $162,189 issued after the insurance expiration date.
Further, per review of Purchasing Department listings that the department uses to verify whether a vendor
is exempt from the insurance requirement before a purchase order is approved and processed, three
different versions of the listing were on file.
Recommendation:
CCS should add a step to the purchase order approval process in which the Purchasing Department
representative ensures that the appropriate documentation (up-to-date insurance and W-9) is included
within the MUNIS vendor file. The validation of this information should be documented within the
purchase order screens.
Additionally, one listing of vendors exempt from insurance requirements should be maintained in a
centralized location (e.g., the intranet). The list would be accessible for read-access to all processors, but
write-access to only select authorized individuals within the Purchasing Department. Further, employees
should be required to use only the intranet version and should not be permitted to print the list.
Observation 3 Discrepancies on the Pre-Approved Vendor Listing
For a sample of 10 Active vendors on the Pre-Approved Vendor Listing, two were found to have
expired insurance policies maintained within MUNIS. L.L. Davis Floors, Inc. had seven purchase orders
issued to it after the insurance expiration date, totaling $9,204.08. Phonak Hearing Systems had two
purchase orders issued to it after the insurance expiration date, totaling $9,000.
One of the 10 vendors sampled (School Health Corporation) failed to meet the requirements to maintain
an active status by not providing evidence of insurance and a W-9. 406 purchase orders were issued to
this vendor, totaling $199,513.59.
Page 5
March 26, 2015
One of the 10 vendors sampled (Textbook Exchange) did not meet the pre-approved purpose, since it had
no purchase history. Also, the vendor failed to meet the documentation requirements to maintain an
active status by not providing a W-9. However, there were no purchase orders issued to this vendor
during the testing period.
One of the 10 vendors sampled (Premier Office Movers) did not meet the pre-approved purpose, since it
has only one purchase in its history and the purchase was for a low amount. Also, it fails to meet the
documentation requirements to maintain an active status by having expired insurance. However, there
were no purchase orders issued to this vendor during the testing period.
One of 10 vendors sampled (Innovative Education Services, Inc.) failed to align with the Pre-Approved
Vendor Listing's purpose based on its stop status within MUNIS. The stop status was placed on
October 21, 2014, but a purchase order was issued on October 22, 2014 for $208.24.
Recommendation:
representative ensures that the appropriate documentation (up-to-date insurance, W-9 and due diligence
documentation for pre-approval status) is included within the MUNIS vendor file. The validation of this
information should be documented within the purchase order screens.
The Pre-Approved Vendor Listing should be immediately re-evaluated to ensure that each vendor meets
the requirements to be on the listing. Going forward, all due diligence performed in order to place a
vendor on the listing should be documented and maintained with the vendor file in MUNIS.
Observation 4 Discrepancies on the LEDE Vendor Listing
For a sample of 25 vendors on the LEDE Vendor Listing, eight were found to have expired insurance
policies maintained within MUNIS. For one vendor (Superior Enterprises), two purchase orders were
issued after the insurance expiration date, totaling $608,068. For one vendor (Barnett Mechanical), one
purchase order was issued after the insurance expiration date, totaling $3,300. For one vendor (A Mop &
A Mess), two purchase orders were issued after the insurance expiration date, totaling $3,350. For one
vendor (Communications Design), two purchase orders were issued after the insurance expiration date,
totaling $2,279.96. The remaining vendors found to have expired insurance policies did not have
purchase orders issued subsequent to the insurance expiration date.
Seven of the 25 vendors sampled failed to meet the requirements to maintain an active status by not
providing evidence of insurance. For one vendor (Kyros Development), two purchase orders were issued
without insurance documentation on file, totaling $9,400.95. For one vendor (Buckeye Business Form),
10 purchase orders were issued without insurance documentation on file, totaling $23,054.55.
Two of the vendors sampled (MPG Landscapes and NETCOM.COM.NET) did not qualify as LEDE
vendors, since the appropriate LEDE application documentation was not maintained in MUNIS. For
NETCOM.COM.NET, one purchase order was issued without any vendor documentation (W-9s and
insurance) for $17,675.00. No purchase orders were issued for MPG Landscapes.
One of the vendors sampled (Integrity Insulation) did not qualify as an LEDE vendor, since the LEDE
packet did not provide complete information on its locality. Information was not provided to show that at
least 51% of the vendors employees reside within the District. No purchase orders were issued for this
vendor.
Page 6
March 26, 2015
For one of the vendors sampled, Capital Financial Resources, proof was not maintained within MUNIS
supporting its status as economically disadvantaged (personal financial statements). No purchase orders
were issued for this vendor.
For one of the vendors sampled, Cap City Direct, LLC, proof was not maintained within MUNIS
supporting its status as economically disadvantaged (personal financial statements, proof of enterprise and
proof of LEDE acceptance in the form of a certificate). One purchase order was issued totaling $500.
Recommendation:
representative ensures that the appropriate documentation (up-to-date insurance, W-9 and due diligence
documentation for LEDE status) is included within the MUNIS vendor file. The validation of this
information should be documented within the purchase order screens. CCS may also consider working
with the Tyler Technologies representative(s) to potentially add an insurance expiration date field, as well
as a flag in MUNIS that is triggered on the date when an insurance policy expires.
CCS may also consider requiring certain vendors, based on specific traits, to add CCS as a certificate
holder on the insurance policy.
The LEDE Vendor Listing should be immediately re-evaluated to ensure that each vendor meets the
requirements to be on the listing. Going forward, all due diligence performed in order to place a vendor
on the listing should be documented and maintained with the vendor file in MUNIS and, on a periodic
basis, the LEDE vendors should be reviewed to ensure that they continue to meet the LEDE requirements.
Observation 5 NETCOM.NET.COM Vendor Inappropriately on the LEDE Vendor Listing
One of the 25 vendors sampled (NETCOM.NET.COM) on the LEDE Vendor Listing failed to meet any
of the documentation requirements to be an LEDE vendor (or a vendor at all) by only providing one of
the required elements an email address. On May 20, 2014, the vendor's status was changed from a V
(void is used when proper documentation is not provided) to an A (active status), and an FIN was
added.
On May 21, 2014 the vendor bid on, and won, Bid 303. On the same day, purchase orders were produced
and approved totaling $17,675. On October 23, 2014 the vendor's status was changed from A (active)
to S (stop). A note was added to the vendors account within MUNIS to justify the changes. The
change to S status was made as a result of the audit inquiries. As of the last date of audit testing, no
invoices had been received and paid regarding the purchase orders.
Recommendation:
CCS should immediately investigate the nature of this vendor and whether any invoices have been
received and paid for the purchase orders since the last date of audit testing.
As is stated in a previous observation, CCS should add a step to the purchase order approval process in
which the Purchasing Department representative ensures that the appropriate documentation (up-to-date
insurance, W-9 and due diligence documentation for LEDE status) are included within the MUNIS
vendor file. The validation of this information should be documented within the purchase order screens.
The LEDE Vendor Listing should be immediately re-evaluated to ensure that each vendor meets the
requirements to be on the listing. Going forward, all due diligence performed in order to place a vendor
on the listing should be documented and maintained with the vendor file in MUNIS.
Page 7
March 26, 2015
Observation 6 Lack of Review of Gaps in Purchase Order Sequence
A listing of purchase orders generated from MUNIS was analyzed for any gaps in the sequence of
purchase order numbers. The analysis indicated 11 gaps. Requisitions and purchase orders can be
deleted through the submission of an incident report via Tyler Technologies, but management could not
determine who within CCS had the authority to submit a request for deletion to Tyler Technologies. The
Purchasing Director does not approve of deletions prior to submission to Tyler Technologies. Further, the
log of incident reports (deletion requests), as well as a listing of purchase order sequence gaps is not
reviewed/analyzed or reported to Purchasing management on a periodic basis.
Recommendation:
The Purchasing Director should be authorized to approve of all deletions prior to submission of the
incident report to Tyler Technologies. Documentation of the incident report and its approval by the
Purchasing Director should be maintained. Since the purchase order is no longer in the MUNIS system,
this documentation should be maintained either outside of the system or attached to the applicable
vendors file in MUNIS, for future reference. Further, the log of incident reports (deletion requests), as
well as a listing of purchase order sequence gaps, should be periodically reviewed/analyzed for any gaps
that do not agree to an incident report and trends in deletions (the reoccurrence of specific vendors,
requestors of the incident report, timing, etc.).
Observation 7 Duplicate Vendor FINs and SSNs in MUNIS
Through the use of data analysis software on the full listing of vendors within MUNIS, 10 sets of active
vendors were discovered to share the same FIN. Also, one set of active vendors shared the same social
security number. Management was acting with the knowledge that MUNIS was systematically
programmed to not allow for duplicate FINs and SSNs. Further, management does not currently perform
a periodic review of vendors with duplicate FINs and/or SSNs.
Recommendation:
CCS should immediately investigate the nature of the duplicate vendors identified during the audit and
make the necessary adjustments to the MUNIS vendor files. Adjustments should ensure that activity
history is not lost due to the deletion of one of the duplicates. Tyler Technologies should be consulted to
understand how the system programming can be modified to not allow for this to happen in the future.
Observation 8 Excessive Access to Vendor Setup and Processing in the MUNIS System
Analysis of the employee access to the MUNIS vendor listing indicated that 16 departments have access
to set up and/or process vendors. The following departments have access to vendor setup and/or
processing: Application Development, Education Management Information Systems, Food Services,
Office of Accountability and Report Services, Payroll, Office of Human Resources, Office of the Budget
& Financial Management, Office of the Treasurer, School Support, Treasurer's Office Administration,
Accounting and the State and Federal Program.
Additionally, several individuals had access to vendor setup and/or processing that could not be verified
as a current employee in accordance with the current CCS phone listing.
Page 8
March 26, 2015
Recommendation:
Management should perform a comprehensive review of all vendor access within MUNIS. This will
create a baseline of employees with the proper and improper access. Management should limit access to
only a few individuals within select departments who do not also have responsibility or ability to generate
purchase orders. After the baseline review is confirmed and approved, CCS should implement a periodic
management review of access to the vendor module within MUNIS.
Observation 9 MUNIS System Access Accounts Payable Manager Improper Access
The Accounts Payable Manager has access within MUNIS to perform the following functions: Add
vendors, modify vendor information, override PO vendor, add purchase orders and manage accounts
payable (invoice approval and payment). He also has the Business Logic Access role in which he can
modify the approval authorities for purchase orders within the MUNIS workflow.
Recommendation:
Management should perform a comprehensive audit of all user access within MUNIS, and specifically the
Accounts Payable Manager. Changes should be made to establish proper access per job duties and
responsibilities. This will create a baseline of employees with the proper access. Management should
limit access to only a few individuals within select departments. After the baseline review is confirmed
and approved, CCS should implement a periodic management review of access to the vendor module
within MUNIS.
Observation 10 Vendor Lists Not Run Against Terrorist Lists
The vendor listing from MUNIS (VSS) is run daily against the Federal Terrorist List and the State
Unresolved Findings List. Any matches are investigated and resolved. As a result of data analysis, it was
determined that the following notification was returned for many of the days during the testing period:
"Pseries3 - QTS: Excluded vendors: NO new FEDERAL datafile found; NO new STATE datafile found."
This notification indicates that the report is not being run correctly.
Further, for 29 of the days tested, the vendor listing was not run against the lists at all.
Recommendation:
An individual separate from the individual who runs the matching process (supervisor) should review the
results and document that review through a sign-off and date.
Observation 11 Monitoring of LEDE Vendor Use Not Performed
Policy 3210 states that The School District will collect data to measure the participation of economically
disadvantaged as well as socially disadvantaged business in the School District contracting and
procurement activities. This number (percentage use of LEDE vendors) is calculated using prime and
subcontractor information for both operations and capital improvements. The policy also states that
After the analysis of the data has been performed, the Board will modify its policy, if necessary, to
achieve its objectives of diversity and inclusion. The calculation of the LEDE vendor utilization was last
presented to the board in November 2011. The most recent calculation for FY 2012/2013 was below the
Board-established goal of 20% at a combined total of 14.6%, with operations calculated independently at
6.4% and capital improvements at 28.4%.
Page 9
March 26, 2015
Recommendation:
The Board should act to review the LEDE vendor utilization on a set frequency to ensure that the
percentage is in-line with the Board-approved goal of 20%. This process should involve a full analysis of
the effectiveness of the Community Outreach Program (the program that monitors the administration of
the LEDE vendor activities) to ensure that it is functioning as required to meet Board requirements. It is
also recommended that management implement a LEDE utilization evaluation within part II of the
Columbus Administrator Evaluation form. Since administrators are held responsible for the development
and monitoring of school/department budgets, they should also be held responsible for meeting this goal
of inclusion and diversity. The Board may also choose to monitor not just the absolute percentage of
LEDE vendor use, but also the trend in the percentage over time. Additionally, the LEDE utilization
should be calculated at the conclusion of each fiscal year and presented to the Board no later than
September 30.
Observation 12 Inadequate Storage of Vendor Files
Vendor files are stored in the Distribution Center. The files contain sensitive and private information
such as social security numbers and tax returns.
Recommendation:
The files should be housed in a location that can be properly secured with locked file cabinets and/or a
locked door. Access should be limited to only those employees with proper authority and who need the
files to perform their job functions.
Observation 13 Vendors with Employee Addresses
Data analytics software was used to compare purchase order addresses to the active employee listing
provided by the Purchasing Director. The results indicated 1,096 purchase orders matching employee
addresses.
Further, the vendor listing was compared to the employee listing to indicate any matching addresses. A
total of 2,551 addresses were matched, of which 2,451 vendors were classified as employees, three were
corporations, four were partnerships/LLCs, two were refunds/reimbursements, 81 were sole
proprietors/individuals and 10 had no classification. Further analysis revealed 47 matches had the same
last name as the employee but a different first name. Of the vendors with the same name as the employee,
one employee name was classified as a Partnership/LLC, 24 employee names were classified as a sole
proprietor/individual and four employee names were listed as vendors but were not given a classification.
Finally, for 22 matching addresses, the vendor name did not match the employee name (first or last).
Recommendation:
In the short term, CCS should use data analysis software to compare all vendor names and addresses
(from the VSS, the LEDE Listing and the Pre-Approved Vendor Listing) to employee names and
addresses. Each occurrence should be documented within the vendor file in MUNIS as to why the match
is appropriate and approved.
Going forward, CCS should add a step to the vendor setup procedures by which the address and name of
the vendor is compared to the employee listing prior to marking the vendor as active in MUNIS.
Documentation of this control performance should be included in MUNIS as part of the vendor file.
Page 10
March 26, 2015
Observation 14 Purchase Orders with Future Dates
Through an analysis of the aging of purchase orders, the creation date of two purchase orders had future
dates (7/1/2015 and 7/1/2020). The MUNIS system is not designed to automatically populate the
creation date, and there is no edit check for the field during manual entry to ensure that the date is the
actual date of creation.
Recommendation:
The creation date field within MUNIS should be programmed to auto-populate with the current date. If
the system cannot be configured this way, (per discussion with Tyler Technologies) it should be
programmed to perform an edit check that does not allow manual entry of future dates.
Observation 15 Failure to Document Vendor Performance Issues
Through inquiry with management, the Purchasing Director or the employee that originally issues a
purchase order for a vendor handles any disagreements between CCS and the vendor, whether those
disagreements are due to CCS error or the vendors noncompliance with the contract. To date, no vendor
has been classified as "stop" in the MUNIS system due to performance issues. The situation is usually
settled among the parties. However, any documentation regarding the incident, its circumstances and the
resolution activities is not documented in MUNIS (comments section in the vendor account). CCS
employees who then request a purchase order for vendors that have been impacted by disagreements or
performance issues in the past are not provided with relevant information that may impact the terms of the
purchase order or future interaction with the vendor.
Recommendation:
A description of all incidents, disagreements or other performance issues involving a vendor should be
documented and maintained within the vendors file in MUNIS.
Observation 16 Loss of Vendor Data History Due to the Vendor Merge Program
The Vendor Merge program within MUNIS merges vendor records when the same vendor is on file
under two or more different vendor numbers. The program removes a record from the vendor file and
changes all detail history in MUNIS, including the vendor number on invoices, checks, purchase orders,
general ledger history, etc.
Recommendation:
The Vendor Merge program should be altered (through Tyler Technologies) to ensure that all vendor
information and history is maintained within the new vendor file.
Observation 17 Improper Filing and Storage of RFP and RFQ Documentation
The RFP and RFQ process is paper-based. Documentation for issued RFPs and RFQs may or may not be
maintained by the purchaser who originally submitted the request. The Purchasing Department does not
maintain any documentation, and it is not attached to the vendor or purchase order in MUNIS.
Page 11
March 26, 2015
In an attempt to test the documentation and approval process for RFPs and RFQs, a population of RFQs
and RFPs created during the testing period was obtained from the two purchasers within the Hudson St.
locations. A sample of seven RFPs and RFQs for these two individuals was chosen from the filing
cabinets in the department (out of a total 35 documents). After pulling the sample, it was discovered that
the filing cabinets did not contain the entire population for these two purchasers. Some files are kept at
the employees desks. And often, the RFQs and RFPs are not filed immediately within the cabinets.
Employees from other departments are permitted to pull the files as needed and may or may not return the
documentation.
Recommendation:
A full inventory of RFP and RFQ documentation should be performed and maintained within the
Purchasing Department. All future documentation should be forwarded to the Purchasing Department for
approval of adherence to purchasing guidelines and policies. The documentation should be maintained in
a centralized location within file cabinets in the Purchasing Department (if it cannot be scanned and
maintained in MUNIS). Requests to obtain the documentation should be provided to the Purchasing
Department, with a sign-out and sign-in method used to track the location of documentation and the aging
of its absence from the file.
Page 12
March 26, 2015
Appendix A
Page 13
Columbus City Schools
Office of Internal Audit
Schneider Downs & Co., Inc.
Purchasing Audit
Corrective Action Plans
Observation / Recommendation(s) Process Owner Planned Corrective Action/

Implementation Date
Dennis Carney The district is currently working with
Finding 1 Outdated Board Policies Neola, Inc. to update all board
policies. That process started
Recommendations: months ago and should be completed
later this year, culminating in board
1. A full inventory of policies should be completed, with a schedule of reviews approval of the new policies.
documented and approved by the Board. The responsibility for maintaining the
schedule and presenting the purchasing-related policies should be held by the Implementation Date: 12/31/15
Purchasing Director. Additionally, management should add the date of the last
Board review/approval to the bottom of each policy.
Dennis Carney A pdf file with a list of vendor types

Finding 2 Missing Insurance Documentation for Active Vendors in Vendor that are exempt from the insurance
Self-Service (VSS) requirement was updated and placed
on the districts intranet site.
Recommendations:
Vendor Self-Service instructions were
1. One listing of vendors exempt from insurance requirements should be also revised to include the updated
maintained in a centralized location (e.g., the intranet). The list would be list and posted on the districts
accessible for read-access to all processors, but write-access to only select Internet site.
authorized individuals within the Purchasing department. Further, employees
should be required to use only the intranet version and that the list is to not be Implementation Date: 3/9/15
printed.
Dennis Carney 1. An additional step to check

Finding 3 Discrepancies on the Pre-Approved Vendor Listing vendor documents will be added
to the purchase order process as
Recommendations:
resources are made available. An
1. CCS should add a step to purchase order approval process by which the allocations request for that
Page 1 of 12
Purchasing Audit

Implementation Date
requester, approver and Purchasing department representative ensure that the additional resource will be
appropriate documentation (up-to-date insurance, W-9 and due diligence completed by 4/1/15.
documentation for pre-approval status) are included within the MUNIS vendor file.
The validation of this information should be documented within the purchase order
2. The Pre-Approved Vendor List is
screens. 2. The Pre-Approved Vendor Listing should be immediately re-evaluated
to ensure that each vendor meets the requirements to be on the listing. Going reviewed yearly based on
forward, all due diligence performed in order to place a vendor on the listing anticipated future needs. These
should be documented and maintained with the vendor file in MUNIS. needs do not always materialize
but do not represent a risk to the
district. There is also little risk in
the current system because
purchases from vendors on that
list must go through the normal
approval process before a
purchase order is issued. As
well, there is no need to spend
scarce resources to insert a note
in individual vendor files in
MUNIS since the list is available
in its entirety to all interested
parties.
Implementation Date: (1) 4/1/15

Dennis Carney 1. Please see Response 1 to
Finding 4 Discrepancies on the LEDE Vendor Listing Finding 3.
Recommendations:
2. The district will research the
1. CCS should add a step to purchase order approval process by which the feasibility of adding the
Page 2 of 12
Purchasing Audit

Implementation Date
requester, approver and Purchasing department representative ensure that the district as an additional
appropriate documentation (up-to-date insurance, W-9 and due diligence insured to selected vendors
documentation for LEDE status) are included within the MUNIS vendor file. The insurance policies.
validation of this information should be documented within the purchase order
screens. CCS may also consider working with the Tyler Technologies
representative(s) to potentially add an insurance expiration date field, as well as a 3. The district enlists the help of
flag in MUNIS that is triggered on the date when an insurance policy expires. 2. an outside entity to perform
CCS may also consider requiring certain vendors, based on specific traits, to add an extensive review of all
CCS as a certificate holder on the insurance policy. 3. The LEDE Listing should LEDE applications. That
be immediately re-evaluated to ensure that each vendor meets the requirements process is sound and does
to be on the listing. Going forward, all due diligence performed in order to place a
not need to be changed. The
vendor on the listing should be documented and maintained with the vendor file in
MUNIS. Vendor Self-Service feature of
MUNIS has been changed to
eliminate any future
possibility that a vendor will
designate themselves as an
LEDE before their application
is approved.
Implementation Date: (2) 5/1/15

Dennis Carney 1. The Purchasing Director
Finding 5 NETCOM.NET.COM Vendor on the LEDE Vendor Listing reviewed this issue with the
employee who ordered the
product. The vendor did not
Recommendations:
deliver the items specified on
1. CCS should immediately investigate the nature of this vendor and whether any the purchase order but no
invoices have been received and paid for the purchase orders since the last date invoices were paid. The
of audit testing. 2. As is stated in a previous observation, CCS should add a step purchase order was
to purchase order approval process by which the requester, approver and
Page 3 of 12
Purchasing Audit

Implementation Date
Purchasing department representative ensure that the appropriate documentation subsequently cancelled in
(up-to-date insurance, W-9 and due diligence documentation for LEDE status) are accordance with our standard
included within the MUNIS vendor file. The validation of this information should be terms and conditions which
documented within the purchase order screens. 3. The LEDE Listing should be
allow such action if deliveries
immediately re-evaluated to ensure that each vendor meets the requirements to
be on the listing. Going forward, all due diligence performed in order to place a are not received within 60
vendor on the listing should be documented and maintained with the vendor file in days. The items were then
MUNIS. purchased from the vendor
that provided the second best
bid price.
2. Please see Response 1 to

Finding 3.
3. Please see Response 3 to

Finding 4.
Implementation Date: N.A.

Shawntel Lewis MUNIS has never permitted a
Finding 6 Review of Gaps in Purchase Order Sequence posted purchase order to be
deleted so the missing numbers do
Recommendations: not represent a risk to the district.
However, they can be deleted prior to
1. The Purchasing Director should be authorized to approve of all deletions prior posting. In such cases, deleted
to submission of the incident report to Tyler Technologies. Documentation of the purchase order numbers are not
incident report and its approval by the Purchasing Director should be maintained. reused.
Since the purchase order is no longer in the MUNIS system, this documentation
should be maintained either outside of the system or attached to the applicable Prior to MUNIS version 10.5, the
vendors file in MUNIS, for future reference. Further, the log of incident reports system did not track deleted numbers
(deletion requests), as well as a listing of purchase order sequence gaps should which created no documentation to
Page 4 of 12
Purchasing Audit

Implementation Date
be periodically reviewed/analyzed for any gaps that do not agree to an incident support the missing numbers. CCS
report and trends in deletions (the reoccurrence of specific vendors, requestors of upgraded to version 10.5 on April 22,
the incident report, timing, etc.). 2014. The new version provides a
tool that will help manage purchase
orders that are deleted prior to
posting. This tool gives the district
the ability to require a reason for
deleting a purchase order and the
ability to easily search for, and report
on, any deleted numbers.
The new MUNIS report will be run on

a random basis to check the viability
of the new reporting tool.
(The gap between the last purchase

order number of the fiscal year and
the first purchase order number of
the new year will remain.)
Implementation Date: 3/16/15

Dennis Carney MUNIS does not allow duplicate
Finding 7 Duplicate Vendor FINs and SSNs in MUNIS Social Security Numbers and it does
not allow duplicate Federal ID
Recommendations: Numbers. However, MUNIS does not
complete a cross-comparison of
1. CCS should immediately investigate the nature of the duplicate vendors Social Security Numbers against
identified during the audit and make the necessary adjustments to the MUNIS Federal ID Numbers during the
vendor files. Adjustments should ensure that activity history is not lost due to the vendor self-service registration
deletion of one of the duplicates. Tyler Technologies should be consulted to process so a vendor can register
understand how the system programming can be modified to not allow for this to twice using the same number.
Page 5 of 12
Purchasing Audit

Implementation Date
happen in the future.
Tyler Technologies Help Desk has
been notified of this issue and the
item has been designated as a high
priority. Tyler is currently
researching the possibility of forcing
vendors to insert the dashes (-) in
those numbers during registration
which would resolve this issue
automatically.
(SS = 999-99-9999 FID = 99-9999999)
During the interim, a step has been

added to the vendor application
approval process that will test new
applicants for duplicates.

Maurice Oldham A review of MUNIS access to add or
Finding 8 MUNIS System Access Vendor Setup and Processing change vendor information is
underway. (That review will indicate
Recommendations: whether current access is read only
and therefore represents minimal risk
1. Management should perform a comprehensive review of all vendor access to the district.) After the review is
within MUNIS. This will create a baseline of employees with the proper access. completed, access will be restricted,
Management should limit access to only a few individuals within select as much as possible given the
departments. After the baseline review is confirmed and approved, CCS should limitations within the software, to
implement a periodic management review of access to the vendor module within those individuals who require access
MUNIS. to complete their jobs.
Page 6 of 12
Purchasing Audit

Implementation Date
Mike Current Accounts Payable Manager
Finding 9 MUNIS System Access Accounts Payable Manager McCammon access is considered proper based
on the duties listed below:
Recommendations:
ADD VENDORS - The AP Manager
1. Management should perform a comprehensive audit of all vendor access within occasionally adds vendors. These
MUNIS, and specifically the Accounts Payable Manager. Changes should be are typically employee vendors or
made to reflect the proper access. This will create a baseline of employees with companies hosting staff development
the proper access. Management should limit access to only a few individuals conferences where the district needs
within select departments. After the baseline review is confirmed and approved, to pay a registration fee in advance.
CCS should implement a periodic management review of access to the vendor In such cases, timing is often critical,
module within MUNIS. so a W-9 is obtained so the vendor
can be quickly added and payment
remitted. The payment must still go
through normal workflow.
MODIFY VENDOR INFORMATION -

The AP Manager has the ability to
modify vendor information. This is
often used to ensure 1099
information is accurate and up-to-
date. It is occasionally used to
update a remit address, which is an
AP responsibility.
OVERRIDE PO VENDOR Anyone in

AP can override the PO vendor. This
is most often done with memo vendor
POs such as athletic officials, police
officers, game workers, employee
travel, or parent transportation
Page 7 of 12
Purchasing Audit

Implementation Date
reimbursements.
ADD PURCHASE ORDERS This may

be an allowed permission of the AP
Manager, but it is not used. The AP
Manager occasionally initiates
requisitions, but these are subject to
normal workflow approval of which
he is not a part.
MANAGE AP (Invoice approval and

payment) The AP Manager does not
approve invoices for payment, since
there is no workflow that would direct
invoices to him for approval. He does
write AP checks as part of his normal
responsibilities using the programs
Select Invoices to be Paid and
Print Checks. The invoices to be
paid have never been approved by
him since he is not in any invoice
approval queue.
BUSINESS LOGIC ACCESS The AP

Manager is one of three persons
responsible for Workflow
Administration. He typically updates
AP workflow approval queues
necessitated by district personnel
changes.
Page 8 of 12
Purchasing Audit

Implementation Date
Dennis Carney The software program that checks
Finding 10 Vendor Lists Not Run Against Terrorist Lists both the Federal Debarment List and
the State of Ohio Findings for
Recommendations: Recovery List has been completely
rewritten providing an easier to
1. An individual separate from the individual that runs the matching process interpret nightly email notice and an
(supervisor) should review the results and document that review through a sign-off easier to interpret report. The report
and date. will be checked by the Purchasing
Director on a random basis.

Terri Wise LEDE participation was 14.5% in FY
Finding 11 Monitoring of LEDE Vendor Use 2013 which is a bit short of our
aspirational goal. However,
Recommendations: $19,106,225.92 was spent with LEDE
vendors that year and this represents
1. The Board should act to review the LEDE vendor use analysis on a set a substantial investment in local
frequency to ensure that the percentage is in-line with the board-approved goal of businesses.
20%. Since the percentage has been consistently below the goal for several
years, the Board should re-evaluate whether the goal is realistic and establish a The district will continue to pursue
new goal if necessary. This should involve a full analysis of the effectiveness of activities in the future that will foster
the Community Outreach Program (the program that monitors the administration LEDE participation.
of the LEDE vendor activities) to ensure that it is functioning as required to meet
Board requirements. It is also recommended that management implement a Implementation Date: Ongoing
LEDE utilization evaluation within part II of the Columbus Administrator Evaluation
form. As administrators are held responsible for the development and monitoring
of school/department budgets, so should they be held responsible for meeting this
goal of inclusion and diversity. The Board may also chose to monitor not just the
absolute percentage of LEDE vendor use, but also the trend in the percentage
over time.
Page 9 of 12
Purchasing Audit

Implementation Date
Dennis Carney The file cabinet containing

Finding 12 Storage of Vendor Files proprietary vendor information has
been locked and keys provided to the
Recommendations: two individuals who need regular
access.
1. The files should be housed in a location that can be properly secured with
locked file cabinets and/or a locked door. Access should be limited to only those Implementation Date: 3/3/15
employees with proper authority and who need the files to perform their job
functions.
Dennis Carney The Purchasing and Accounts

Finding 13 Vendors with Employee Addresses Payable Departments will work with
an outside entity to provide a
Recommendations: crosscheck of employee and
commercial vendor addresses,
1. In the short-term, CCS should use data analysis software to compare all names, etc.
vendor names and addresses (from the VSS, the LEDE Listing and the Pre-
Approved Vendor Listing) to employee names and addresses. Each occurrence Implementation Date: 7/1/15
should be documented within the vendor file in MUNIS as to why the match is
appropriate and approved. 2. Going forward, CCS should add a step to the
vendor set-up procedures by which the address and name of the vendor is
compared to the employee listing prior to marking the vendor as active in
MUNIS. Documentation of this control performance should be included in MUNIS
as part of the vendor file.
Dennis Carney A step has been added to the
Finding 14 Purchase Orders with Future Dates Purchasing Department procedures
that all dates should be checked for
Recommendations: accuracy during the requisition
conversion process.
1. The creation date field within MUNIS should be programmed to auto-populate
Page 10 of 12
Purchasing Audit

Implementation Date
with the current date. If the system cannot be configured this way (per discussion The district pre-dates some purchase
with Tyler Technologies), it should be programmed to perform an edit check by orders for the upcoming fiscal year to
not allowing manual entry of future dates. expedite the start of work. Those
purchase orders are dated July 1 of
the new year. To maintain efficiency,
that practice will continue.

Dennis Carney A formal, written process for handling
Finding 15 Documentation of Vendor Performance Issues serious vendor issues as prescribed
for public entities by the National
Recommendations: Institute of Governmental Purchasing
will be used if necessary. Minor
1. A description of all incidents, disagreements or other performance issues issues will continue to be resolved in
involving a vendor should be documented and maintained within the vendors file the most efficient manner possible,
in MUNIS. including phone calls. Providing a
record of these discussions to all
district employees by storing them in
the vendor database increases the
risk to the district. If the problem is
serious and cannot be rectified with
the formal, written process, a Stop
will be placed on the vendor in the
vendor database preventing their
future use.

Mike We are currently working with Tyler
Finding 16 Loss of Vendor Data History Due to the Vendor Merge Program McCammon Technologies to determine our
options, including saving reports that
Recommendations: are generated when the program is
Page 11 of 12
Purchasing Audit

Implementation Date
run or changing the program that
1. The Vendor Merge program should be altered (through Tyler Technologies) could satisfy the concern.
to ensure that all vendor information and history is maintained within the new
vendor file. Implementation Date: TBD
Dennis Carney The Purchasing Department

Finding 17 Filing and Storage of RFP and RFQ Documentation maintains extensive files on all
solicitations conducted by its
Recommendations: personnel. Centralizing the
purchasing function, including
1. A full inventory of RFP and RFQ documentation should be performed and adding personnel, would be required
maintained within the Purchasing department. All future documentation should be to implement a single repository of all
forwarded to the Purchasing department for approval of adherence to purchasing bids, RFPs, and contracts.
guidelines and policies. The documentation should be maintained in a centralized
location within file cabinets in the Purchasing department (if it cannot be scanned Implementation Date: TBD
and maintained in MUNIS). Requests to obtain the documentation should be
provided to the Purchasing department, with a sign-out and sign-in method used
to track the location of documentation and the aging of its absence from the file.
Page 12 of 12

Purchasing Internal Audit and Management Responses2

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Purchasing Internal Audit and Management Responses2

Uploaded by

Copyright:

Available Formats

Purchasing Internal Audit

March 26, 2015

Dear Audit and Accountability Committee:

Please contact me (614-586-7257/dowens@schneiderdowns.com) or Angela Gillis (614-586-7209/

cc: Dr. J. Daniel Good, Superintendent

OBJECTIVES AND SCOPE 2

APPENDIX A PURCHASING REQUIREMENTS SUMMARY 13

OBJECTIVES AND SCOPE

o Reviewed for purchase orders open for an unreasonable amount of time

1. Outdated Board Policies X

2. Missing Insurance Documentation for Active Vendors in Vendor Self-Service

4. Discrepancies on the LEDE Vendor Listing X

5. NETCOM.NET.COM Vendor Inappropriately on the LEDE Vendor Listing X

6. Lack of Review of the Gaps in Purchase Order Sequence X

7. Duplicate Vendor FINs and SSNs in MUNIS X

8. Excessive Access to Vendor Setup and Processing in the MUNIS System X

9. MUNIS System Access Accounts Payable Manager Improper Access X

10. Vendor Lists Not Run Against Terrorists Lists X

11. Monitoring of LEDE Vendor Use Not Performed X

12. Inadequate Storage of Vendor Files X

13. Vendors with Employee Addresses X

14. Purchase Orders with Future Dates X

15. Failure to Document Vendor Performance Issues X

17. Improper Filing and Storage of RFP and RFQ Documentation X

NOTE: 1-high/unacceptable risk requiring immediate corrective action; 2-moderate/undesirable risk

Observation 1 Outdated Board Policies

Observation 2 Missing Insurance Documentation for Active Vendors in Vendor Self-Service

Observation 3 Discrepancies on the Pre-Approved Vendor Listing

Observation 4 Discrepancies on the LEDE Vendor Listing

Observation 5 NETCOM.NET.COM Vendor Inappropriately on the LEDE Vendor Listing

Observation 6 Lack of Review of Gaps in Purchase Order Sequence

Observation 7 Duplicate Vendor FINs and SSNs in MUNIS

Observation 9 MUNIS System Access Accounts Payable Manager Improper Access

Observation 10 Vendor Lists Not Run Against Terrorist Lists

Observation 11 Monitoring of LEDE Vendor Use Not Performed

Observation 12 Inadequate Storage of Vendor Files

Observation 13 Vendors with Employee Addresses

Observation 14 Purchase Orders with Future Dates

Observation 15 Failure to Document Vendor Performance Issues

Observation 17 Improper Filing and Storage of RFP and RFQ Documentation

Corrective Action Plans

Observation / Recommendation(s) Process Owner Planned Corrective Action/

Dennis Carney A pdf file with a list of vendor types

Dennis Carney 1. An additional step to check

Corrective Action Plans

Implementation Date: (1) 4/1/15

Corrective Action Plans

Implementation Date: (2) 5/1/15

Corrective Action Plans

2. Please see Response 1 to

3. Please see Response 3 to

Implementation Date: N.A.

Corrective Action Plans

The new MUNIS report will be run on

(The gap between the last purchase

Implementation Date: 3/16/15

Corrective Action Plans

During the interim, a step has been

Implementation Date: 3/9/15

Implementation Date: 5/1/15

Corrective Action Plans

MODIFY VENDOR INFORMATION -

OVERRIDE PO VENDOR Anyone in

Corrective Action Plans