State Disbursement Unit Payment Processing and Physical Security
DATE: June 16, 2003
TO: ALL IV-D DIRECTORS
RE: State Disbursement Unit (SDU) Payment Processing and Physical Security
As you know, we are currently conducting state child support system certification reviews to determine compliance with the state systems requirements of the Personal Responsibility and Work Opportunity Reconciliation Act of 1996 (PRWORA). The document entitled "Automated Systems for Child Support Enforcement: A Guide for States," revised April 1999, and updated December 1999 and August 2000, (the Guide) sets forth the requirements that a state system must meet to receive PRWORA certification. During the certification process, we review the SDU payment process, including internal controls and physical security under Objectives F-2 and H-2g of the Guide.
We have reviewed the SDU in 51 states and jurisdictions and identified certification-related deficiencies in 16 states or jurisdictions regarding payment processing, including internal controls and physical security. Some states have raised concerns that the Guide is not specific regarding physical security requirements. Generally accepted government and industry accounting and payment processing practices and standards require checks, money orders, cash, and other negotiable documents, to be received and processed in a secure environment. OCSE, as the Federal agency with oversight responsibility for the Title IV-D program, needs to ensure that SDUs meet basic internal control, payment processing, and physical security requirements so that children receive the payments intended for their support. Therefore, the following policy and actions are adopted to address state concerns and the need for SDUs to meet basic payment processing and physical security standards:
- A state can receive conditional PRWORA certification if it fails to correct SDU payment processing and/or physical security deficiencies identified during the certification process as a certification issue(s). As a result, if the state otherwise qualifies for certification, the state will not be subject to the IV-D state plan disapproval process, or alternative system penalty.
- OCSE disseminated to the states, for comment and their input, the SDU standards, which address payment processing, including internal controls and physical security. A summary of comments and our responses on these standards is set forth below. The final standards are enclosed in the document entitled "Guide for Auditing State Disbursement Units." The standards will be used to audit any state which has a certification condition related to the SDU that OCSE has not lifted within one year following the date of certification.
- ACF or a Federal contractor will conduct an audit of any SDU where an SDU-related PRWORA systems certification finding has not been lifted within one year following the date of certification under the authority of section 452(a)(4)(C)(iii) of the Social Security Act (the Act). However, if the state corrects the SDU-related deficiency or deficiencies, and the certification condition is lifted within one year following the date of certification, an audit of the state’s SDU will not be necessary.
This approach was developed as a reasonable way to balance concern over security and internal controls of child support payments with the need for flexibility in Federal and state processes. I hope that the IV-D Directors view our approach in this manner.
COMMENTS AND RESPONSES ON THE GUIDE FOR AUDITING STATE DISBURSEMENT UNITS DATED APRIL 2002
One state expressed the following concerns:
- In response to the requirement that mail should be opened and immediately restrictively endorsed - The two requirements are met during the payment processing process; however, they are not performed in the order the SDU guide lays out. Instead, items are opened, batched, logged, and delivered to the scan room, which is in a secure environment separated from the mailroom. Financial instruments are imaged directly from the mailroom and assigned a specific tracking number that is imprinted on the back of the check. The bank endorsement is printed in the "pass two process."
We acknowledge that this is a very acceptable, efficient means of restrictively endorsing checks. We stated this in Chapter II of the final audit guide, as a NOTE under "Mail Opening."
In response to the requirement that an individual not involved in mail opening should run an adding machine tape (or electronic spreadsheet) total of all checks in each batch — The state noted that imaging eliminates the need for creating adding machine tapes prior to processing. Once checks are imaged, the "Tracking Maintenance System" (TMS) automatically maintains control of a batch. Once imaged, all items must be accounted for and balanced. Financial reconciliation is done independently of TMS. All financial documents are 10-key entered. The total number of transactions and dollar amounts must reconcile. Any variances are investigated and corrected.
We acknowledge that this is a very acceptable, efficient means of maintaining control over the total number of items and dollar amount of a batch. We stated this in Chapter II of the final audit guide, as a NOTE under "Mail Opening." The requirement for investigation and correction of any variances was reiterated.
Another state provided a response to findings presented as a result of an SDU review that was performed using the draft audit guide. These findings dealt mainly with internal control issues. The state had made several changes to be in compliance with the requirements detailed in the audit guide. These included:
- Restricting access to the SDU;
- Separating accounting, collection and operations functions among SDU staff;
- Immediately posting to the system unidentified payments; and
- Implementing a system of reconciling payments posted to the system.
The state agreed with the following items and is looking for means of implementing them:
- The SDU must have a security door with a card key or push button type security locking system.
- All mail must be maintained, opened and processed within the restricted access SDU.
- Checks and other payment instruments processed by the SDU are kept in a safe or security type filing cabinet until deposited at the bank within 24 hours.
- The SDU must be accessible only to appropriate staff.
The state objected to the physical security requirements listed in Chapter III of the audit guide, under "Evaluate the Operating Effectiveness of Controls," step 5. It reconfigured the SDU unit to effect an enclosure of the unit using movable soft padded walls, and access to the unit via a security door with a security locking system. However, we believe that these reconfigurations would still not be in compliance with generally accepted physical security measures over the area due to the use of movable soft padded walls, which would not preclude unauthorized entry by either dismantling or scaling the walls. Please note that almost all states have made necessary SDU physical security changes in response to PRWORA certification findings.
The state official felt that the requirement for separation of duties should not apply to the SDU supervisor due to the small staff size. The SDU supervisor has ability and authority to perform all processing and posting functions. This official pointed out that the April 2002 draft audit guide, in Chapter III, under "Evaluate the Operating Effectiveness of Controls," step 5, had underlined "to the greatest extent that is possible considering the size of the SDU and staff resources. If the SDU staffing is very limited….most reasonably….using available resources." Therefore, the state official felt that the supervisor should be exempt from this requirement. Because the staff size of the SDU in question is sufficient (i.e., 14 staff and one supervisor), we firmly believe that the separation of duties must be a required control that applies to the SDU supervisor in order to adequately safeguard assets. We noted that this is not an acceptable control in Chapter III of the final audit guide, under "Evaluate the Operating Effectiveness of Controls," step 5. We also removed the underlines from the words noted above.
We received concerns from two different states that the work performed under an OCSE Audit of State Disbursement Units would duplicate work that is already performed under the Single Audit Act and place additional audit requirement burdens on the states. To address this, we inquired of the Area Audit Office Supervisor responsible for auditing the two states that expressed these concerns. For both states, the supervisor was aware of the Single Audit work performed, and neither supervisor felt that the state had sufficient work done under the Single Audit Act to be deemed a comprehensive audit of the SDU. However, to eliminate any duplicate work and try to keep the audit burden on the states to a minimum, we added the following paragraph to the final audit guide, Chapter III, Step 1 of Preliminary Audit Work: "To the extent possible, build on work done under the Single Audit Act in the area of reviewing internal controls over collections. Contact the auditor that performed the Single Audit prior to the review in order to determine the extent of work done in reviewing internal controls of the SDU. Review workpapers and audit findings."
We also received a comment regarding EFT/EDI processing. We revised the audit guide in Chapter II under EFT Processing to reflect the comment. Lastly, we received comments involving cosmetic changes, which were made.
Sherri Z. Heller, Ed.D.
Office of Child Support Enforcement
cc: Regional Program Managers
Regional Hub Directors/Administrators
Attachment: A Guide for Auditing State Disbursement Units
- PDF Guide for Auditing SDUs.pdf (146.70 KB)