As part of the Office of the City Controller’s annual audit of the city’s basic financial statements for Fiscal Year 2019 (FY19), the Controller’s Office engaged EisnerAmper to conduct an IT General Controls and Application Controls Review of the OnePhilly system. The assessment was limited to internal controls in place and designed as of the close of FY19 (June 30, 2019). Testing was limited to the design and implementation of the IT general controls and application controls. In order to test for operating effectiveness, controls must be designed and implemented effectively. Based on the severity of the issues identified, auditors were unable to perform further testing on the operating effectiveness of the controls.
Given the IT general controls and application controls evaluation, EisnerAmper conducted additional testing of the city’s payroll to identify error types and quantify the frequency and magnitude of errors in employees’ pay on behalf of the Controller’s Office. This testing, which focused on eight departments that represent approximately 75 percent of the city’s payroll expense, was limited to the launch of the Payroll and Time and Attendance modules of the OnePhilly system through the fiscal year end (March 18, 2019 to June 30, 2019). The findings from this additional testing are detailed in the Error Identification and Analysis Report.
Based on its potential impact in the city’s Comprehensive Annual Financial Report (CAFR), each IT general controls and application controls finding was assigned a rating of material weakness or significant deficiency. In total, one material weakness and four significant deficiencies were identified, as well as other control deficiencies. The additional testing of the city’s payroll provided deeper insight into the impact of the IT general controls and application controls findings.
Multiple breakdowns were identified in the functionality and application controls of the OnePhilly system. As a result of these breakdowns, the Payroll expense and other related liability accounts could be materially misstated in the City’s Comprehensive Annual Financial Report, constituting a material weakness. Additionally, individual employees’ pay may be inaccurate or unauthorized.
For example, the OnePhilly system assumes employees work their full minimum scheduled hours in a pay period by generating “assumed time” to fill in hours not documented on a timesheet. This generated assumed time is not reviewed for accuracy or authorization. Additional testing showed that OnePhilly’s use of assumed time has the potential to cause underpayments, overpayments or other errors, including but not limited to incorrect leave balances. Of the period under review, approximately 300,000 hours totaling $8.4 million of assumed time remained unedited in the system. Of note, the OnePhilly system did not accurately calculate all employee leave accruals during and after the testing period. According to the OnePhilly team, approximately 3,000 employees’ vacation and sick balances were not accurately reflected in the OnePhilly system as of November 4, 2019. As a result, city departments were asked to verify their employees’ balances outside of the system.
Other breakdowns noted in the report include: changes are made to employee timecards by the OnePhilly or Central Payroll Teams without documented authorization or approval; the OnePhilly team runs a process that automatically changes employee timecards from unapproved to approved status; employees who enter their time via Manager Self-Service were able to authorize their own timecards instead of submitting them to their direct supervisor for approval; and an overpaid/underpaid report generated to identify employees who may have been overpaid or underpaid had known inaccuracies according to OnePhilly and required a manual review of more than 3,000 lines for each payroll period.
Additional testing demonstrated that payroll and leave-related errors have largely been identified through self-reporting at the employee and department level. OnePhilly had no formal process for reporting, tracking and resolving errors. No audit trail to identify all reported payroll errors and corresponding resolutions has been kept by OnePhilly. Moreover, there was no evidence that the OnePhilly team systematically considers the universe of potential employees historically impacted by any one instance or type of reported error(s). Importantly, approximately one in five payroll payments appears to have required some form of retroactive or miscellaneous adjustment to time and/or pay since go-live.
Many of the issues identified appear to have existed from the time the OnePhilly system went live and, therefore, may have occurred prior to the launch of OnePhilly. Without formal documentation of approvals or sign-offs by the OnePhilly steering committee to authorize go-live for the system – a significant deficiency noted in the report – there is no evidence that known risks, open tasks to be completed, and the completion of testing scenarios occurred and were agreed to by all Steering Committee members.
Other key findings include:
- The implementation of OnePhilly failed to reduce certain inefficiencies and redundancies related to time entry and payroll processing and, in some instances, resulted in increased workloads and risk associated with errors in time and pay. For example, four departments stated that they have incurred additional overtime and/or a need to hire new staff as a result of the additional time needed to process payroll under the new system; departments performed manual calculations of rate differentials for overtime, out-of-class time and shift time after issues were identified with OnePhilly’s calculations of these time types; and Prisons stated it takes the department three times longer to process payroll since go-live.
- Several departments are not utilizing the timecard and payroll approval processes and functionality within the OnePhilly system. Police, Streets and Courts continue to use their own time entry systems that operate independently from OnePhilly, for time entry and human resources. Only one department, Aviation, is now fully integrated into the OnePhilly system. Additionally, there does not appear to be a concerted effort to integrate these systems into OnePhilly and eliminate the use of these independent legacy systems. For example, the OnePhilly team planned to train Streets department clerks in the field to enter time directly into OnePhilly; however, the training was unsuccessful, and no further attempts have been made. As such, approximately 1,200 sanitation workers continue to use paper timesheets that are manually entered into its internal timekeeping system, called ISIS. Clerks print reports of these employees’ time then manually enter the data from those reports into OnePhilly, daily.
- Since go-live, neither OnePhilly nor the departments have sufficiently tracked or enforced the City’s sick abuse policy. Potential overpayments to employees who received pay for Uncertified Sick Time while they were either on the Sick Abuse list, or incorrectly omitted from the Sick Abuse list, were identified totaling approximately $180,000. Payments to employees who were paid while out on unpaid leave were also identified totaling $120,000. Additionally, approximately $220,000 of payments to individuals no longer employed by the city were identified.
- Monitoring of the third parties that significantly support the OnePhilly system was not formal or documented, a significant deficiency. The primary third party, Ciber Global LLC, is embedded and working closely with OnePhilly for the development and support of the OnePhilly system. There is no evidence of formal monitoring of the Service Level Agreement between OnePhilly and Ciber. There is no evidence of formal review and evaluation by the OnePhilly team of critical reports provided by Ciber and its subsidiaries. Additionally, there is an increased risk of unauthorized access and exposure of confidential employee data.
- Incompatible roles, responsibilities, and permissions were not formally and comprehensively identified, a significant deficiency. User access provisioning was not formally documented and did not consider segregation of duties. Periodic user access reviews have not been performed. As a result, there may be users with access not commensurate with their job responsibilities and users may potentially be able to bypass system controls.
- Passwords were not configured to meet City requirements, including complexity, minimum length, and expiration after 90 days, a significant deficiency. Inadequate password configurations significantly increase the possibility of unauthorized access to the system, including malicious or accidental data manipulation or breach of data confidentiality.
What the Controller’s Office Recommends
The Controller’s Office has presented a number of recommendations to address the findings in this report. Some of the more significant recommendations are noted below.
The Controller’s Office recommends that the city should evaluate the resources dedicated to identifying, prioritizing, testing and implementing corrections to the OnePhilly system and develop a formal framework for an identification and remediation process for system issues. OnePhilly should also formally document and track all issues from identification to resolution. The OnePhilly team should work to proactively identify and resolve all errors in employee pay, leave balances, accruals, etc., and conduct a comprehensive, system-wide analysis to proactively identify all potential over- and underpayments to employees, including total amounts owed by or due to the city. The OnePhilly team should establish and document routine monitoring of performance of third parties, including against established Service Level Agreements and evaluation of all relevant reports. The OnePhilly team should work directly with departments to develop and implement a plan for fully integrating all independent legacy systems into OnePhilly.
Additional recommendations can be found in the body of this report.