Village of Westbury – Purchasing, Claims Audit and Information Technology (2013M-301)

Issued Date
January 24, 2014

Purpose of Audit

The purpose of our audit was to review the Village’s internal controls over selected financial operations for the period June 1, 2011 through November 30, 2012.

Background

The Village of Westbury is located in the Town of North Hempstead, Nassau County. The Village is governed by an elected Board of Trustees comprising a Mayor and four Trustees. The Village’s general fund expenditures totaled about $6.8 million and $7.4 million for the 2011-12 and 2012-13 fiscal years, respectively.

Key Findings

  • Village officials do not consistently require the use of purchase orders when approving purchases, and they use purchase orders that were reviewed and approved after the invoice was received.
  • Village personnel did not always obtain and document verbal or written quotes before purchasing goods and services as required by the Village’s procurement policy.
  • The Board does not review claims for payment; instead, one Trustee is appointed as Commissioner of Claims.
  • Village officials have not established sufficient internal controls over key components of the Village’s IT system, including the safeguarding of computerized financial data against unauthorized access or potential loss, data backup, monitoring of remote-access users and server room security.

Key Recommendations

  • Ensure that Village employees use requisitions and purchase orders prior to ordering goods and services. Restrict the use of confirming purchase orders to exceptional situations, such as a documented emergency.
  • Ensure that all Village employees who are involved in the procurement process are aware of and comply with the Village’s procurement policy requiring the use of verbal and written quotes.
  • Conduct a thorough and deliberate audit of claims for payment, ensuring that each claim has sufficient supporting documentation.
  • Review and revise user access rights (permissions) along with job descriptions to ensure that users have access only to transactions within the scope of their responsibilities. Adopt comprehensive policies and procedures addressing the safeguarding of computerized data and assets. Establish remote-access policies and procedures to define who can access the system and the methods to gain access. Locate physical components of the IT system in an adequately ventilated or climate-controlled area that is protected from unauthorized access.