The URL can be used to link to this page

Home My WebLink Aboutagenda.council.worksession.20150310 CITY COUNCIL WORK SESSION March 10, 2015 4:00 PM, City Council Chambers MEETING AGENDA I. Internal Controls Audit Review II. Old Power House Proposal Review and Discussion - no packet information Memorandum To: City Council From: Don Taylor, Director of Finance CC: Steve Barwick, City Manager Date: March 6, 2015 Re: Internal Control Audit Attached is a copy of the internal control audit performed by Colorado Independent Consultants Network (CICN). CICN performed an audit of the internal controls in place for the City of Aspen and made 12 recommendations for improvements to the internal control system. CICN also did an in-depth review of parking operations including specifically the facts around the parking meter scheme utilizing expired prepaid debit cards to purchase on street parking. They also made an estimate of the amount of actual revenue lost through the scheme. In general, CICN found the internal control of the City to be sufficient to protect the cash at the various points of sale around the City with the exception of a few processes that needed to be tightened up. With a few exceptions, management’s responses to the recommendations was to make immediate changes to implement the recommendation. Management’s response is provided as part of the format for this report for each of the recommendations. CICN will discuss each of the recommendations in the report at the work session. I did want to separately mention that as part of the first recommendation which was to file a claim with our insurance carrier for the loss, that this has been done and that the City will also investigate claims related to the hard cost (transaction processing fees) that were incurred as a part of this scheme. As to the estimate of the actual loss of revenue as a result of the scheme, CICN used four different models to try and come up with an estimate. In the end they averaged to results of the four models which yielded a result of $182,937. As you may recall the total declined transactions related to the scheme were estimated at $692,000. CICN’s estimate implies that the total amount of revenue actually lost is a lot less than the amount of the total declined transactions. P1 I. Colorado Independent Consultants Network, LLC City of Aspen, Colorado Parking Revenue Loss Analysis & Review of Internal Controls over Revenue Reporting Prepared by: Colorado Independent Consultants Network, LLC Denver, Colorado March 10, 2015 P2 I. Table of Contents Executive Summary ........................................................................................................................................... 1 Background ......................................................................................................................................................... 5 Objective, Scope, and Procedures Performed ............................................................................................... 6 Interviews Conducted ....................................................................................................................................... 7 Timeline of events ............................................................................................................................................. 8 Quantification of Parking Loss ...................................................................................................................... 12 Observations and Recommendations .......................................................................................................... 29 Appendix A- Process Flowcharts .................................................................................................................. 54 P3 I. Page 1 of 65 Executive Summary In September 2014, the City of Aspen (City) announced that its Police Department had opened an investigation into illicitly obtained meter parking. Such parking was obtained through a scheme whereby expired payment cards, or depleted debit cards (with insufficient funds to complete the transaction) would be used in lieu of valid payment methods. As transactions were batch processed the following morning, the meters would accept the invalid card as valid payment, generating a valid meter receipt for the amount of time illicitly purchased. In January 2015, the City engaged Colorado Independent Consultants Network (CICN) to identify, to the extent possible, the amount of revenue lost through the scheme- the amount of declined transactions that would have been good revenue had the scheme not occurred. CICN was also tasked with reviewing internal controls over other revenue sources, to assess the risk of revenue loss and identify areas for potential improvement. Parking Revenues Losses We estimate the scheme started on a small scale in early 2012, peaking in May 2014. Scheme activity took a sharp decline in September 2014 upon the City’s blacklisting of key offending Bank Identification Numbers (BIN’s). Scheme activity was eliminated in its entirety upon installation of new parking meters with real-time card authentication in November 2014. Scheme activity was likely committed by local workers, who would be more likely than visitors to have knowledge of the control weaknesses which would make the scheme possible. Additionally, the volume of scheme transactions were not as affected by seasonal fluctuations as good transactions. We employed four models to project revenue loss as a result of scheme activity. These models resulted in a projected revenue loss range between zero and $348K. Averaging the results of all four models resulted in a projected loss of $183K. Based on the estimated declined transactions as a result of the scheme and above loss models, 26% of the scheme activity would have been good revenue. In addition to any projected revenue loss, we believe the City suffered a hard dollar loss of $50K resulting from credit card processing fees related to scheme activity. This estimate is less subjective than revenue loss estimates, as this portion of the loss represents actual additional expenditures incurred by the City as a direct result of the scheme. We believe the scheme had minimal effect on complimentary revenue sources of the parking garage or parking enforcement tickets. The ability to defraud the City through this scheme no longer exists due to the installation of new meters with real-time credit card authorization capabilities. We verified this by attempting to use a debit card with no remaining balance to purchase both metered and garage parking, noting our transaction was immediately declined. We also examined declined parking transactions for December 2014 and January 2015, noting there were none. P4 I. Page 2 of 65 Regular monitoring of financial transactions within the parking department will help detect unusual activity, and should identify potential schemes in a more timely manner. Institution of reconciliations by individuals independent of the cash collection function will reduce the likelihood that schemes occur within a department. Internal Control Improvements Overall, the City’s internal controls over revenue reporting, for the areas examined within the scope of this engagement, appear to be designed effectively. CICN identified the following opportunities to address the parking revenue loss and to improve controls over revenue collection: 1. Parking revenue loss recovery- With a $10,000 deductible, the City should consider filing a claim with its property and casualty insurance provider for: a. Lost parking revenue; b. Credit card processing charges associated with the parking scheme as identified in this report; c. Costs associated with quantifying the loss 2. Golf course inventory- Two members of golf course management have access to purchase and receive inventory as well as make inventory adjustments within the POS system. Such access would allow theft of merchandise and subsequent concealment through adjustment of inventory balances in the system. The City should consider adjusting the access controls to ensure proper segregation of duties, and/or implementing a “review of inventory adjustments” control by someone who does not have the ability to make such adjustments. 3. Reconciliation of deposits to Points Of Sale (POS)- City Clerks Office - Deposited amounts should be tied to POS reports for the City Clerk’s office. Absent such a reconciliation, the City Clerk would be able to, for example, denote a speeding ticket as being paid and misappropriate the cash payment. Such activity would likely go undetected. To properly segregate duties, the reconciliation should be performed by a staff member in the finance department that does not have access to adjust POS reports. Further, these reconciliations should be reviewed by the accounting supervisor or controller on a monthly basis. 4. Parking revenue controls- We noted two control procedures within the parking department that could be improved. The independent review of meter coin counts is not currently being evidenced. If the control is not consistently performed, meter coin could potentially be misappropriated. In the parking garage, the attendant can manually open the exit gate to let vehicles out without paying. While there are legitimate reasons for this, the report of non-revenue gate openings should be reviewed for unusual or excess activity. 5. Reconciliation format- None of the daily revenue reconciliations reviewed were in a format that would allow easy identification of issues. Many “reconciliations” were a series of P5 I. Page 3 of 65 reports that one could tie out, but did contain evidence that this tie out was actually being performed. 6. System access review- Most of the departments reviewed did not perform regular documented reviews of which users have access to the various POS systems, as well as the appropriateness of such access. While segregation of duties policies can dictate who should be performing certain duties, appropriately designed system controls and user access roles serve as a stronger control to prevent incompatible duties. 7. Safeguarding of cash- The following issues pertaining to the safeguarding of cash were noted during our review: • At the finance cashier window, large amounts of cash are stored in an unlocked cabinet during the day. This is a larger issue with marijuana tax payments, which are usually large sums of cash. • The Finance Department safe containing petty cash was left unlocked during the day. • The portable cash boxes used by Finance Cashiering, although locked, could easily be removed. • The daily bank deposit for the Red Brick center was observed as being unattended on a front desk, assessable to the public 8. Ability to divert parking credit card proceeds- The contract with Global Payments, the City’s credit card processor, is currently signed solely by the Controller. This one individual can establish and change the bank account to which City revenue streams are deposited, which would allow the controller to divert revenues from the City to their personal bank account. 9. League fees- There is a dedicated staff member that manages all leagues. This staff member enrolls teams and individuals for the league, collects payment, and also creates the schedule. As a result, the staff member would be able to add a team without collecting the fee, or misappropriate a fee paid by a team and still enroll the team. 10. Documented policies and procedures- Several of the departments we reviewed did not have documented policies and procedures that would be considered adequate for internal control purposes. 11. Golf course walk-on prevention- There is likely a limited number of unauthorized free rounds of golf that are either given by pro shop staff members or taken from individuals beginning play past the view of the pro shop. Players receiving “free” golf may or may not have paid to play if they were not given the free golf/had not snuck onto the course. Players that would have paid to play represent a loss of revenue to the City. 12. Recreation center free facility usage prevention- Due to the layout of the Aspen Recreation Center (ARC), a person could enter the front door and sneak into the cardio and weight room, which is not within view of the front desk. Another possibility for P6 I. Page 4 of 65 unauthorized facility usage is cashiers allowing people to enter the ARC for free. Individuals that would have paid to enter represent a loss of revenue to the City and may occupy equipment desired by paying customers. End of Executive Summary Section P7 I. Page 5 of 65 Background In 1995, the City of Aspen became the first city to implement a “Pay and Display” system of parking to manage its 3,000 parking spots. Using this system, patrons park their vehicle, select their desired parking time, and obtain a receipt from a nearby parking meter upon submitting payment. Meters would accept coin, credit/debit cards (payment cards), and “smart cards” (prepaid parking cards). Payment card information was batched throughout the day and submitted for processing at the end of the day. This process, which was the only known option at the time, resulted in a relatively minimal number of declined transactions for which the City did not receive revenue. Declined transactions were the result of expired or cancelled credit cards, or debit cards which did not have sufficient account balances to fund the transaction amount. From 2009-2011, monthly declined transactions averaged 3.2% of total revenues. Beginning in 2012, declined transactions began to creep over the 5% of total revenues threshold, steadily increasing until September 2014, when “problem cards” were blacklisted. This problem was eliminated in its entirety in December 2014 after new meters were installed with real-time card processing technology. From January 2012 through November 2014 (what we will be referring to as the “scheme period” in this report), a total of $813K transactions were declined, $692K of which (representing 17% of gross meter proceeds) were attributable to the scheme. The difference between these two amounts reflects what we are referring to as “innocent declines”- transactions where a patron truly believed they were paying for parking but did so without sufficient funds in their account, or unintentionally used an expired card. These “innocent declines” were accepted by the City as a cost of doing business using the existing technology. The City believes that the vast majority of this amount would not have resulted in “good revenue”. Put another way, patrons who used invalid (expired or depleted) payment cards would not have paid to park had they been required to use a valid payment. This assumes that patrons would have used alternative methods of transportation, such as walking, biking, or public transportation, rather than pay the $28/day (2014 rates) on-street parking rates for the downtown core. The City’s assumption is bolstered by the fact that net parking revenues actually increased during the scheme period. Had the scheme involved patrons who regularly paid to park, one would expect a decrease in net revenues over the scheme period. Wanting to know the true amount of revenue lost as a result of this scheme, the City engaged Colorado Independent Consultants Network (CICN) in January 2015 to quantify the loss. In an effort to prevent similar issues in other City departments, the city also requested a review of internal controls over revenue reporting for the City’s major revenue sources. P8 I. Page 6 of 65 Objective, Scope, and Procedures Performed CICN was engaged to estimate the amount of revenues lost as a result of the “parking scheme” discussed in the background section above. CICN was also engaged to perform an examination of processes and procedures over revenue reporting for the revenue streams presented in Figure 1- In Scope Revenue Streams: Figure 1- In Scope Revenue Streams: Department Revenues Finance General Cashiering, Sales/Lodging Tax Parking & Garage Multi‐space Meters, Short Term Meters, Pay by Phone, Tickets/Fines, Construction Parking, Garage Parking, Parking Permits/Passes Recreation & Golf Pass and Program Fees, Merchandise Sales Utilities Water and Electric Fees, Tap Fees Wheeler Opera House Ticket Sales, Commission, Bar and Merchandise Sales The scope for quantification of parking revenue loss was 1/1/12-12/31/14. For all other revenue streams, we reviewed the current process as of the time of our fieldwork, which was conducted in February 2015. See Appendix A for process flowcharts. It should be noted that we were not engaged to perform, nor did we perform transactional testing on the operating effectiveness of appropriately designed controls. Procedures performed included the following: • Conducted interviews and obtained supporting documentation to evaluate the revenue generation and cash collection procedures for all areas within the scope of this audit • Obtained parking data from 2009-2015, performing procedures to assess the accuracy of the data received. Data was considered from several sources, including Precise Parklink (the meter manufacturer), Global Payments (the merchant card processor), and Eden (the City’s General Ledger system). Note: Full data sets for the scope period were not available from all of the above sources. • Reviewed 2009-2014 parking revenues and declined payments to evaluate fluctuations between “good” and “bad” revenue periods • Formally documented processes through narratives and flowcharts • Evaluated processes; determining control weaknesses and recommending solutions in collaboration with City Management • Estimated parking revenue loss through use of multiple scenarios and various assumptions P9 I. Page 7 of 65 Interviews Conducted A key component of our review involved interviewing key City staff and process owners. See Figure 2- Interviews Conducted for list of interviews. These interviews allowed us to understand the City’s management practices and evaluate the adequacy of its internal controls. Figure 2- Interviews Conducted Finance/Administration Chris Lundgren, Accountant Alice Hackney, Accounting Manager/Controller Don Taylor, Director of Finance and Administrative Services Pat Buettow, Accounts Payable Clerk Michelle Holman, Sales Tax & Business License Specialist Kathy Rogo, Finance Department Cashier Reed Patterson, Municipal Clerk Alissa Farrell, HR Director Courtney DeVito, Risk Management Wheeler Opera House Rose Bennett, Wheeler Opera House Senior Manager of Finance Genna Moe, Wheeler Opera House Front of House Manager Rochelle Obechina, Wheeler Opera House Box Office Pete Strecker, Wheeler Opera House Interim Director/ Assistant Finance Director Parking Blake Fitch, Parking Manager Debbie Kirkwood, Parking office Curtis Paas, Parking garage Tim Ware, Former Parking Director Ken Tolle, Parking Garage Manager Recreation Center Jeff Alden, Recreation Center Joasia Smith, Recreation Center Golf Course Steve Aitken, Director of Golf Jim Pratt, Assistant Golf Professional Joasia Smith, Golf course P10 I. Pa g e 8 o f 6 5 Ti m e l i n e o f e v e n t s CI C N p r e p a r e d t h e f o l l o w i n g t i m e l i n e t o h e l p u n d e r s ta n d t h e b a c k g r o u n d o f t h e p a r k i n g s i t u a t i o n a n d a s si s t w i t h d e v e l o p m e n t o f re v e n u e f o r e c a s t i n g m o d e l s . A s u m m a r y o f k e y t i m e l i ne d a t e s i s p r e s e n t e d i n Fi g u r e 3 - T i m e l i n e S u m m a r y , w h i l e a m o r e d e t a i l e d s e r i e s o f ev e n t s i s p r e s e n t e d i n F i g u r e 4 - T i m e l i n e D e t a i l . Fi g u r e 3 - T i m e l i n e S u m m a r y P11 I. Page 9 of 65 Figure 4- Timeline Detail Date Event 1995 New “Pay and Display” parking meters installed throughout downtown core and adjacent residential areas. Aspen was the first city to implement such a system. At the time of purchase, City was aware that meters were not live and could result in declined transactions. Declined or invalid payment cards could be individually blacklisted to avoid multiple bad transactions. As late as August 2014, the Parking Department was under the impression that Precise Parklink was automatically blacklisting declined cards. It is unknown whether this was ever occurring. At this time, Meters took coin, tokens and smart cards only. 2007-2008 Original “Pay and Display” parking meters replaced with new credit card technology as the old meters had exhausted their useful life. Nov. 26-30th 2007 first 26 meters were replaced in the downtown core. In May 27-30th 2008 remaining 33 meters were replaced in the downtown core. Oct 8th- 15th 2008 15 meters were installed in residential areas only as a payment option for purchasing day passes- this was not an expansion of paid parking. At the time of purchase, City was aware that meters were not live and could result in declined transactions, but continued to assume Precise was automatically blacklisting cards. Declined or invalid payment cards would be individually blacklisted automatically by Precise Parklink to avoid multiple bad transactions. 2009 Finance became aware that City’s meters are not live, and would allow for declined transactions. Percentage of declined transactions were not being reviewed; no booking of associated bad debt. 2009 Precise Parklink develops the ability for live processing of credit card transactions. Upgraded technology offered to City for $4,500/meter (Approximately $360K installation cost) 2009 The blacklisting of individual declined card numbers was discontinued by Precise Parklink due to Payment Card Industry (PCI) compliance regulations. The City was unaware of this. July 2011 Issue of non-live parking meters and ability for “bad” cards to obtain free parking discussed during budget meeting with the Parking department director and the City Manager’s office. At this time, it was decided that the cost of fixing the issue (approximately $360K) outweighed the benefit (elimination of approximately $30K/year [3% of total revenues] July ’10- June ‘11 in declined transactions). January 2012 Beginning of parking scheme May 9, 2013 Finance completes application to transition from Precise Parklink settlements to Global Payments settlements, eliminating the intermediary and reducing settlement time. P12 I. Page 10 of 65 Date Event October 6, 2013 Finance ends practice of resubmitting of declined credit card charges (previously, declined charges were resubmitted each weekday until approved, up to a maximum of 90 days). This practice resulted in excess bank processing charges for an average .14% success rate for the prior year October 2012-September 2013. November 2013 Settlement of credit card charges for multi-space meter revenues performed directly by Global Payments. Deposits now occur daily (vs. 45 day delay through Precise Parklink). Delay in this transition from the May 2013 application due to Precise not programming the new merchant ID in a timely fashion. December 2013 Settlement of credit card charges for garage revenues performed directly by Global Payments. Deposits now occur daily (vs. 45 day delay through Precise Parklink). Delay in this transition from the May 2013 application due to Precise not programming the new merchant ID in a timely fashion. January 2014 Last regular report received by Finance from Parking Department (reflects November 2013 activity). This reconciliation process stopped, as the check from Precise was used to prompt the reconciliation process. When the settlements were made via electronic funds transfer, the parking report was no longer reconciled to the monthly settlement. Note: It appears that Parking may have been providing reports to Finance sporadically during 2014. August 7, 2014 Finance requests detailed transaction listing for May and July 2014 from Precise Parklink. Purpose was to compare number of declined transactions from busy season (May) to slow season (July), and to determine if same declined cards continued to be used. August 21, 2014 Requested data received; finance analysis shows an abnormally high increase in declined charges year over year, most of which originated from prepaid debit cards. Net deposits were similar to prior years. August 22, 2014 Parking informs Finance that declined cards were being blacklisted, under the impression from Precise Parklink that they were. They were not. August 25, 2014 Precise Parklink recommends live interface to alleviate issue and would provide proposal. August 27, 2014 City of Aspen Management team informed of parking scandal. Cost of converting meters to live processing quoted at $606,690 September 5, 2014 Top 35 Bank Identification Numbers (BIN’s) of declined cards blacklisted by Finance. By November 2014, over 100 BINs would be blacklisted September 8, 2014 City Council notified about problem. September 22, 2014 Issue formally presented to City Council. City Council directs police to commence criminal investigation. Lease/purchase of new meters approved by City Council. P13 I. Page 11 of 65 Date Event Early October 2014 Parking Department discovers that Veras “pay by phone” app is also not live. This is mitigated by the fact that the pay by phone app requires the input of a license plate number and can easily be tracked by the police. Finance generates report of all declined pay by phone transactions for pursuit of collection by parking and police. Parking sends out 25 collection notices regarding this issue. November 25, 2014 New parking meters (Purchased through Cale America) installed, eliminating issue of declined cards. P14 I. Page 12 of 65 Quantification of Parking Loss As discussed in the background section, the City experienced a total of $692K in declined transactions from January 2012 through November 2014 (17% of gross meter proceeds) attributable to the scheme. CICN was tasked with determining how much, if any, of these declined transactions would have been revenue to the city, had the scheme not occurred. To perform this quantification, we reviewed available data sources, determined the period of the scheme, designed models to forecast expected revenues, and evaluated other potential losses resulting from the scheme. We have presented a summary of all of these procedures in the following sections. Available data sources CICN reviewed all available data pertaining to meter revenue. Some of the challenges we experienced in using this data were as follows: • While a contract between Precise Parklink (the meter vendor) to install the initial meters was available, a contract detailing the ongoing arrangement to provide data processing was not. As such, we were unable to determine the markup, if any, of merchant card processing fees passed through Precise Parklink to the City. • Data from Precise Parklink was not in a consistent format throughout our review period, could not be obtained in electronic format, and was at times unclear as to the source (meters vs. garage). Additionally, we were missing several months of data from Precise. • Data showing details of successful and declined transactions from Global Payments (the merchant card processer) was only available from 9/18/13-11/25/14. As such, we were unable to examine pre and post scheme activity trend of particular cards. Additionally, this data did not show the meter location or transaction time which could also be used to examine trends. • Data from Precise showing transaction times and meter locations for each declined transaction was only available for May and July 2014. • Neither Precise nor Global were available to answer questions or respond to information requests. Portions of each vendor’s data required clarification to be of use. See Figure 5- Data gathered for analysis, for a description of each source of data examined as part of our analysis, as well as the source of each data set. Figure 5- Data gathered for analysis Description Source All pay by phone declines between 9/24/09- 9/30/14 Veras (Pay by phone vendor) Summary of all meter and garage revenues booked from 2009-2014 Eden (General Ledger System) Meter transactions showing every processed transaction from 9/18/13- 11/25/14. Global Payments (Merchant Card Processor; obtained through Aspen Police Department) P15 I. Page 13 of 65 Detail of declined meter transactions for May and July 2014 Precise ParkLink (Meter vendor during scheme period) All parking tickets between 2009-2014 T2 (Parking management system) P16 I. Pe r i o d o f S c h e m e ( R e f e r t o Fi g u r e 6 - Pe r c e n t o f d e c l i n e d t r a n s a c t i o n s Th e p e r c e n t o f Tr a n s a c t i o n s D e c l i n e d f i g u r e b e l o w c a n b e u s e d t o a ss i s t i n d e t e r m i n i n g w h e n t h e s c h e m e b e g a n . T h e pe r c e n t a g e o f d e c l i n e d t r a n s a c t i o n s i s b e l o w 5 . 0 % f or a l l b u t o n e m o n t h i n 2 0 1 0 a n d 2 0 1 1 , w i t h t h e e x c ep t i o n b e i n g Se p t e m b e r 2 0 1 1 a t 7 . 0 % . I t a p p e a r s t h a t t h Fe b r u a r y 2 0 1 2 w h e n t h e p e r c e n t o f d e c l i n e s c r o s s e d 5% . A f t e r t h i s p o i n t , t h e p e r c e n t o f d e c l i n e s n e v e r d r o p p e d b a c k b e l o w 5% . T o w a r d s t h e m i d d l e o f 2 0 1 2 , t h e s c h e m e i s c l e a r ly o c c Th e t r e n d b e l o w f i t s a t y p i c a l s c h e m e p a t t e r n . S m a l l t r a n s a c t i o n s a r e d o n e e a r l y t o t e s t t h e s y s t e m . O nc e t h e p e r p e t r a t o r be l i e v e s t h e s c h e m e w i l l n o t b e c a u g h t , t h e v o l u m e of t r a n s a c t i o n s i n c r e a s e s s i g n i f i fe w i n d i v i d u a l s t h a t k n e w a b o u t t h e d e f i c i e n c i e s i n t h e p a r k i n g m e t e r s y s t e m a n d u s e d i t t o t h e i r a d v a nt a g e i n e a r l y 2 0 1 2 . Kn o w l e d g e o f t h e i s s u e m a y h a v e s p r e a d t o o t h e r s t h ro u g h o u t t h e l a t e r p a r t o f 2 0 1 2 t h r o u g In S e p t e m b e r 2 0 1 4 , t h e C i t y b l a c k l i s t e d B a n k I d e n t i fi c a t i o n N u m b e r s o f c a r d s a s s o c i a t e d w i t h f r a u d u l e n t a c t i v i t y ( d e c l i n e d tr a n s a c t i o n s ) . T h i s r e s u l t e d i n a d r o p i n d e c l i n e d tr a n s a c t i o n s , a s c a n b e s e e n i n t h e d a t a b e l o w . In l a t e N o v e m b e r 20 1 4 , t h e C i t y i n s t a l l e d n e w p a r k i n g m e t e r s w i t h r e al t i m e c a r d a u t h e n t i c a t i o n . T h i s e l i m i n a t e d t h e p a rk i n g sc h e m e a n d r e d u c e d t h e n u m b e r o f d e c l i n e d t r a n s a c t i on s t o z e r o , a s c a n b e s e e n f o r D e c e m b e r 2 0 1 4 a n d J an u a r y 2 0 1 5 . Fi g u r e 6 - P e r c e n t o f d e c l i n e d t r a n s a c t i o n s Pa g e 1 4 o f 6 5 Pe r c e n t o f d e c l i n e d t r a n s a c t i o n s , b e l o w ) Tr a n s a c t i o n s D e c l i n e d f i g u r e b e l o w c a n b e u s e d t o a ss i s t i n d e t e r m i n i n g w h e n t h e s c h e m e b e g a n . T h e pe r c e n t a g e o f d e c l i n e d t r a n s a c t i o n s i s b e l o w 5 . 0 % f or a l l b u t o n e m o n t h i n 2 0 1 0 a n d 2 0 1 1 , w i t h t h e e x c ep t i o n b e i n g Se p t e m b e r 2 0 1 1 a t 7 . 0 % . I t a p p e a r s t h a t t h e c r e d i t c a r d s c h e m e m a y h a v e b e g u n o c c u r r i n g a t a sm a l l l e v e l i n J a n u a r y o r Fe b r u a r y 2 0 1 2 w h e n t h e p e r c e n t o f d e c l i n e s c r o s s e d 5% . A f t e r t h i s p o i n t , t h e p e r c e n t o f d e c l i n e s n e v e r d r o p p e d b a c k b e l o w 5% . T o w a r d s t h e m i d d l e o f 2 0 1 2 , t h e s c h e m e i s c l e a r ly o c c ur r i n g a s t h e p e r c e n t o f d e c l i n e s g r o w s r a p i d l y . Th e t r e n d b e l o w f i t s a t y p i c a l s c h e m e p a t t e r n . S m a l l t r a n s a c t i o n s a r e d o n e e a r l y t o t e s t t h e s y s t e m . O nc e t h e p e r p e t r a t o r be l i e v e s t h e s c h e m e w i l l n o t b e c a u g h t , t h e v o l u m e of t r a n s a c t i o n s i n c r e a s e s s i g n i f i ca n t l y . I n t h i s c a s e , t h e r e m a y h a v e b e e n a fe w i n d i v i d u a l s t h a t k n e w a b o u t t h e d e f i c i e n c i e s i n t h e p a r k i n g m e t e r s y s t e m a n d u s e d i t t o t h e i r a d v a nt a g e i n e a r l y 2 0 1 2 . Kn o w l e d g e o f t h e i s s u e m a y h a v e s p r e a d t o o t h e r s t h ro u g h o u t t h e l a t e r p a r t o f 2 0 1 2 t h r o u g h l a t e 2 0 1 4 . In S e p t e m b e r 2 0 1 4 , t h e C i t y b l a c k l i s t e d B a n k I d e n t i fi c a t i o n N u m b e r s o f c a r d s a s s o c i a t e d w i t h f r a u d u l e n t a c t i v i t y ( d e c l i n e d tr a n s a c t i o n s ) . T h i s r e s u l t e d i n a d r o p i n d e c l i n e d tr a n s a c t i o n s , a s c a n b e s e e n i n t h e d a t a b e l o w . 20 1 4 , t h e C i t y i n s t a l l e d n e w p a r k i n g m e t e r s w i t h r e al t i m e c a r d a u t h e n t i c a t i o n . T h i s e l i m i n a t e d t h e p a rk i n g sc h e m e a n d r e d u c e d t h e n u m b e r o f d e c l i n e d t r a n s a c t i on s t o z e r o , a s c a n b e s e e n f o r D e c e m b e r 2 0 1 4 a n d J an u a r y 2 0 1 5 . Tr a n s a c t i o n s D e c l i n e d f i g u r e b e l o w c a n b e u s e d t o a ss i s t i n d e t e r m i n i n g w h e n t h e s c h e m e b e g a n . T h e pe r c e n t a g e o f d e c l i n e d t r a n s a c t i o n s i s b e l o w 5 . 0 % f or a l l b u t o n e m o n t h i n 2 0 1 0 a n d 2 0 1 1 , w i t h t h e e x c ep t i o n b e i n g e c r e d i t c a r d s c h e m e m a y h a v e b e g u n o c c u r r i n g a t a sm a l l l e v e l i n J a n u a r y o r Fe b r u a r y 2 0 1 2 w h e n t h e p e r c e n t o f d e c l i n e s c r o s s e d 5% . A f t e r t h i s p o i n t , t h e p e r c e n t o f d e c l i n e s n e v e r d r o p p e d b a c k b e l o w ur r i n g a s t h e p e r c e n t o f d e c l i n e s g r o w s r a p i d l y . Th e t r e n d b e l o w f i t s a t y p i c a l s c h e m e p a t t e r n . S m a l l t r a n s a c t i o n s a r e d o n e e a r l y t o t e s t t h e s y s t e m . O nc e t h e p e r p e t r a t o r ca n t l y . I n t h i s c a s e , t h e r e m a y h a v e b e e n a fe w i n d i v i d u a l s t h a t k n e w a b o u t t h e d e f i c i e n c i e s i n t h e p a r k i n g m e t e r s y s t e m a n d u s e d i t t o t h e i r a d v a nt a g e i n e a r l y 2 0 1 2 . In S e p t e m b e r 2 0 1 4 , t h e C i t y b l a c k l i s t e d B a n k I d e n t i fi c a t i o n N u m b e r s o f c a r d s a s s o c i a t e d w i t h f r a u d u l e n t a c t i v i t y ( d e c l i n e d 20 1 4 , t h e C i t y i n s t a l l e d n e w p a r k i n g m e t e r s w i t h r e al t i m e c a r d a u t h e n t i c a t i o n . T h i s e l i m i n a t e d t h e p a rk i n g sc h e m e a n d r e d u c e d t h e n u m b e r o f d e c l i n e d t r a n s a c t i on s t o z e r o , a s c a n b e s e e n f o r D e c e m b e r 2 0 1 4 a n d J an u a r y 2 0 1 5 . P17 I. So u r c e o f S c h e m e ( R e f e r t o Fi g u r e B - Pe r c e n t c h a n g e i n g o o d a n d d e c l i n e d r e v e n u e s b e t w e e n m o n t h s Th e s o u r c e o f t h e s c h e m e i s d i f f i c u l t t o a s c e r t a i n us i n g d a t a a n a l y t i c s . T h e a v a i l a b l e d a t a d o e s n o t c on t a i n i n f o r m a t i o n su f f i c i e n t t o e a s i l y i d e n t i f y t h e p e r p e t r a t o r s o f t he s c h e m e . T h e A s p e n p o l i c e a r e c o n d u c t i n g a c r i m i n al i n v e s t i g a t i o n co n c u r r e n t w i t h ou r p r o c e d u r e s t o q u a n t i f y t h e l o s s . A s s u c h , i d e n t if i c a t i o n o f t h e p e r p e t r a t o r s w a s n o t w i t h i n t h e s c op e o f th i s e n g a g e m e n t . Sp e c u l a t i o n s a m o n g C i t y e m p l o y e e s i s t h a t t h e s c h e m e w a s p r e d o m i n a t e l y c o m m i t t e d b y l o c a l w o r k e r s w h o wo u l d n o r m a l l y no t b e wi l l i n g t o p a y f o r p a r k i n g , o p t i n g t o t a k e t h e f r e e o r l o w c o s t R F T A b u s s y s t e m . W h i l e w e d o n o t h a v e da t a t o s u p p o r t or r e f u t e t h i s s p e c u l a t i o n , t h e t h e o r y a p p e a r s s o u n d f o r s e v e r a l r e a s o n s : 1. Lo c a l w o r k e r s w o u l d b e f a r m o r e l i k e l y t o k n o w a b o u t t h e c o n t r o l de f r a u d e d . 2. Th e r e w o u l d b e l i t t l e t o n o i n c e n t i v e t o s h a r e t h i s k n o w l e d g e w i t h o u t o f t o w n v i s i t o r s . 3. “ G o o d ” r e v e n u e s (c a s h r e c e i p t s ) If t h e s c h e m e w a s r o u g h l y e q u al l y s p r e a d b e t w e e n l o c a l s a n d v i s i t o r s , w e w o u l d e xp e c t b o t h g o o d a n d b a d r e v e n u e (u n c o l l e c t e d c h a r g e s ) to m i r r o r e a c h o t h e r i n s e a s o n a l f l u c t u a t i o n s . W h e n l o o k i n g a t t h e p e r c e n t c h a n g e b e t w e e n m o n t h s du r i n g t h e h e i g h t o f t h e s c h e m e , b o t h g o o d a n d b a d re v re v e n u e w a s n o t a s i m p a c t e d b y t h e s e f l u c t u a t i o n s , in d i c a t i n g a h i g h e r l i k e l i h o o d o f t h e s c h e m e b e i n g co m m i t t e d b y l o c a l wo r k e r s w h o l i v e a n d / o r w o r k i n t o w n y e a r ca r d s i n S e p t e m b e r 2 0 1 4 . Fi g u r e 7 - Pe r c e n t c h a n g e i n g o o d a n d d e c l i n e d r e v e n u e s b e t w e e n m o n t h s -1 -0 . 5 0 0. 5 1 1. 5 J a n u a r y F e b r u a r y M a r c h A p r i l M a y J u n e J u l y A u g u s t S e p t e m b e r O c t o b e r 20 1 3 Pe r c e n t c h a n g e i n r e v e n u e s b e w e e n m o n t h s Pa g e 1 5 o f 6 5 Pe r c e n t c h a n g e i n g o o d a n d d e c l i n e d r e v e n u e s b e t w e e n m o n t h s , b e l o w ) Th e s o u r c e o f t h e s c h e m e i s d i f f i c u l t t o a s c e r t a i n us i n g d a t a a n a l y t i c s . T h e a v a i l a b l e d a t a d o e s n o t c on t a i n i n f o r m a t i o n su f f i c i e n t t o e a s i l y i d e n t i f y t h e p e r p e t r a t o r s o f t he s c h e m e . T h e A s p e n p o l i c e a r e c o n d u c t i n g a c r i m i n al i n v e s t i g a t i o n ou r p r o c e d u r e s t o q u a n t i f y t h e l o s s . A s s u c h , i d e n t if i c a t i o n o f t h e p e r p e t r a t o r s w a s n o t w i t h i n t h e s c op e o f Sp e c u l a t i o n s a m o n g C i t y e m p l o y e e s i s t h a t t h e s c h e m e w a s p r e d o m i n a t e l y c o m m i t t e d b y l o c a l w o r k e r s w h o wo u l d n o r m a l l y wi l l i n g t o p a y f o r p a r k i n g , o p t i n g t o t a k e t h e f r e e o r l o w c o s t R F T A b u s s y s t e m . W h i l e w e d o n o t h a v e da t a t o s u p p o r t or r e f u t e t h i s s p e c u l a t i o n , t h e t h e o r y a p p e a r s s o u n d f o r s e v e r a l r e a s o n s : Lo c a l w o r k e r s w o u l d b e f a r m o r e l i k e l y t o k n o w a b o u t t h e c o n t r o l we a k n e s s e s w h i c h w o u l d a l l o w t h e s y s t e m t o b e Th e r e w o u l d b e l i t t l e t o n o i n c e n t i v e t o s h a r e t h i s k n o w l e d g e w i t h o u t o f t o w n v i s i t o r s . (c a s h r e c e i p t s ) ac t u a l l y i n c r e a s e d d u r i n g t h e s c h e m e p e r i o d . al l y s p r e a d b e t w e e n l o c a l s a n d v i s i t o r s , w e w o u l d e xp e c t b o t h g o o d a n d b a d r e v e n u e to m i r r o r e a c h o t h e r i n s e a s o n a l f l u c t u a t i o n s . W h e n l o o k i n g a t t h e p e r c e n t c h a n g e b e t w e e n m o n t h s du r i n g t h e h e i g h t o f t h e s c h e m e , b o t h g o o d a n d b a d re v en u e g e n e r a l l y d e m o n s t r a t e d s e a s o n a l f l u c t u a t i o n s ; ho w e v e r , b a d re v e n u e w a s n o t a s i m p a c t e d b y t h e s e f l u c t u a t i o n s , in d i c a t i n g a h i g h e r l i k e l i h o o d o f t h e s c h e m e b e i n g co m m i t t e d b y l o c a l wo r k e r s w h o l i v e a n d / o r w o r k i n t o w n y e a r -r o u n d . D a t a t h r o u g h A u g u s t 2 01 4 i s p r e s e n t e d , a s t h e C i t y b e g a n b l a c k l i s t i n g Pe r c e n t c h a n g e i n g o o d a n d d e c l i n e d r e v e n u e s b e t w e e n m o n t h s N o v e m b e r D e c e m b e r J a n u a r y F e b r u a r y M a r c h A p r i l M a y J u n e J u l y A u g u s t 20 1 4 Pe r c e n t c h a n g e i n r e v e n u e s b e w e e n m o n t h s Go o d T r a n s a c t i o n s - Ch a n g e f r o m p r i o r mo n t h De c l i n e d T r a n s a c t i o n s - Ch a n g e f r o m p r i o r mo n t h Th e s o u r c e o f t h e s c h e m e i s d i f f i c u l t t o a s c e r t a i n us i n g d a t a a n a l y t i c s . T h e a v a i l a b l e d a t a d o e s n o t c on t a i n i n f o r m a t i o n su f f i c i e n t t o e a s i l y i d e n t i f y t h e p e r p e t r a t o r s o f t he s c h e m e . T h e A s p e n p o l i c e a r e c o n d u c t i n g a c r i m i n al i n v e s t i g a t i o n ou r p r o c e d u r e s t o q u a n t i f y t h e l o s s . A s s u c h , i d e n t if i c a t i o n o f t h e p e r p e t r a t o r s w a s n o t w i t h i n t h e s c op e o f Sp e c u l a t i o n s a m o n g C i t y e m p l o y e e s i s t h a t t h e s c h e m e w a s p r e d o m i n a t e l y c o m m i t t e d b y l o c a l w o r k e r s w h o wo u l d n o r m a l l y wi l l i n g t o p a y f o r p a r k i n g , o p t i n g t o t a k e t h e f r e e o r l o w c o s t R F T A b u s s y s t e m . W h i l e w e d o n o t h a v e da t a t o s u p p o r t we a k n e s s e s w h i c h w o u l d a l l o w t h e s y s t e m t o b e al l y s p r e a d b e t w e e n l o c a l s a n d v i s i t o r s , w e w o u l d e xp e c t b o t h g o o d a n d b a d r e v e n u e to m i r r o r e a c h o t h e r i n s e a s o n a l f l u c t u a t i o n s . W h e n l o o k i n g a t t h e p e r c e n t c h a n g e b e t w e e n m o n t h s en u e g e n e r a l l y d e m o n s t r a t e d s e a s o n a l f l u c t u a t i o n s ; ho w e v e r , b a d re v e n u e w a s n o t a s i m p a c t e d b y t h e s e f l u c t u a t i o n s , in d i c a t i n g a h i g h e r l i k e l i h o o d o f t h e s c h e m e b e i n g co m m i t t e d b y l o c a l 01 4 i s p r e s e n t e d , a s t h e C i t y b e g a n b l a c k l i s t i n g Ch a n g e f r o m p r i o r Ch a n g e f r o m p r i o r P18 I. Page 16 of 65 Quantification of Scheme One of the more perplexing aspects of our analysis is the fact that good revenues increased during the scheme years from 2012 to 2014. Based on Precise Parklink data, a total of $813K transactions were declined, $692K of which (representing 17% of gross meter proceeds) were attributable to the scheme. In many schemes, the activity of the scheme will impact the normal revenues. For example, the individuals that parked in metered spaces could have displaced a paying customer. As a result, we would expect to see cash based revenues decline during the period of the scheme. However, the actual cash collected from parking meters increased during the period of the scheme. Figure C- Parking Meter Revenues shows the total revenue actually collected from parking meters and garage parking from 2010 through 2014. Figure 8- Parking Meter Revenues Although the actual revenue increased during the period of the fraud, it is possible that the revenue could have increased at a greater rate had the fraud not occurred. We applied four primary inflation factor models to estimate projected revenues based on historical increases (Refer to Figures 11 and 12 on the following pages). $0 $200,000 $400,000 $600,000 $800,000 $1,000,000 $1,200,000 $1,400,000 2010 2011 2012 2013 2014 Parking Meter Revenues (Credit Card Only) Total P19 I. Page 17 of 65 Model #1: Compound growth rate based on good revenue figures from non-scheme period, and timing/magnitude of rate changes The first model creates a revenue forecast for the periods in which the scheme was believed to have occurred, and then takes the difference between the projected revenues and the actual revenues to determine the magnitude of the fraud. Due to the installation of “live” meters in mid-November 2014, we know that December 2014 and January 2015 represent months void of this scheme. Additionally, as previously stated, we believe 2010 and 2011 generally represent “pre-scheme” years and could be used as comparative figures. To determine the projected revenue during the scheme period, we calculated the growth rate between the pre-scheme period (December 2010 & January 2011) and post-scheme period (December 2014 & January 2015). We then applied that rate to the periods in which the fraud was expected to have been occurring. The growth rate in revenues between these above dates averaged out to 36.75% over a three year period. Due to rate increases over this time span (See Figure 9- Parking Meter Rate Table), we cannot assume a straight-line revenue growth pattern. Doing so would overstate projected revenues, as a rate increase that did not occur until later years would be factored into a compound growth rate in earlier years. Figure 9- Parking Meter Rate Table 2009- 2011 % Change 2012 % Change 2013 % Change 2014 First Hour $2.00 0% $2.00 0% $2.00 0% $2.00 Second Hour $2.00 25% $2.50 20% $3.00 0% $3.00 Third Hour $3.00 0% $3.00 0% $3.00 33% $4.00 Fourth Hour $4.00 0% $4.00 0% $4.00 25% $5.00 Half Day $11.00 5% $11.50 4% $12.00 17% $14.00 Full Day $22.00 5% $23.00 4% $24.00 17% $28.00 Single Space Meters (per 15 minutes) $0.50 0% $0.50 0% $0.50 0% $0.50 Residential Permit Parking (Per Day) $ 7.00 0% $ 7.00 14% $ 8.00 0% $ 8.00 P20 I. Page 18 of 65 We considered the annual percentage change in half-day parking rates (See Figure 10- Parking Meter Weighted Escalation Rates), and applied the 36.75% inflation in proportion to the years in which rates increased. 2012 projections were based off of 2011 actual good revenues. 2013 and 2014 projected revenues were based on the previous year’s projections using the weighted revenue increase in Figure 10- Parking Meter Weighted Escalation Rates, below. Using this methodology, our projected December 2014 & January 2015 revenue was within 6% of actual December 2014 & January 2015 revenue. Figure 10- Parking Meter Weighted Escalation Rates Year Weighted % Change % of total change in each year Weighted revenue increase based on fee increases 2011-2012 5% 18% 6.54% 2012-2013 4% 17% 6.25% 2013-2014 17% 65% 23.96% 26% 100% 36.75% A potential flaw in this model is the limited data the assumption is based on. We only have two months of post-scheme data to compare against historical data. Due to seasonal fluctuations, we needed to compare like-periods, resulting in this applying 4 months’ worth of data (December 2010 & 2014 & January 2011 & 2015) across a 3-year scheme period. In total for the period January 2012-October 2014, projected revenues exceeded actual revenues by $334,438 using this model. This amount is the projected loss estimate using this model. P21 I. Page 19 of 65 Model #2: Projection based on parking rate increases This model assumes increased revenues were solely attributable to rate increases, as depicted in Figure 10, above. In actuality, total revenue growth is a combination of volume and price. Increased revenues could be a result of increased volume, increased price, or both. Another factor which comes into play is price sensitivity, as an increase in rates will generally result in a decrease in volume as patrons seek more cost effective ways to park (such as the parking garage) or alternative transportation (such as the City’s free bus system). An advantage of using this model is that price increases are applied in the exact periods in which they occurred. 2012 monthly revenues were projected using 2011 actual good revenues, increased by the 5% increase in daily rate. 2013 monthly revenues were projected using 2012 projected revenues, increased by the 4% increase in daily rate, and so on. Other than the fact that revenues are based on price and volume, whereas this model only considers price, another potential downside of this model is the tiered rate structure. Price increases did not affect all rate tiers each year. For example, the rates for the first and second hours of parking remained constant between 2013 and 2014. This model applies an average rate increase over all tiers, which may not be realistic if some tiers generate a higher volume than others (ex. If more people pay for one hour of parking than four). Using this methodology, our projected December 2014 & January 2015 revenue was within 4% of actual December 2014 & January 2015 revenue. In total for the period January 2012- October 2014, projected revenues exceeded actual revenues by $348,296 using this model. This amount is the projected loss estimate using this model. P22 I. Page 20 of 65 Model #3: Projection based on hotel occupancy rates This approach considers the percent change in hotel occupancy rates. Historical data was obtained from a third-party firm, capturing occupancy rates for a sample of local hotels. This sample included 15 hotels, representing 72% of total room inventory. To develop an inflation factor, we took actual good revenues for 2011 and applied the percent change in occupancy rates for each month between 2011 and 2012 to arrive at 2012 projected revenues. 2013 and 2014 projected revenues were based on the previous year’s projections inflated using historical changes in occupancy rates between each of the projection years. Using this methodology, our projected December 2014 & January 2015 revenue was 26% less than actual December 2014 & January 2015 revenue. One of the advantages of this model is the availability of historical data. We were able to apply this methodology against 2009 meter revenue to predict 2010 and 2011 revenues. While these calculations did not factor into our projected revenues under this model, we used 2010 and 2011 actual and projected figures to develop a correlation coefficient. A correlation coefficient of 1 indicates a total positive correlation (direct relationship), -1 a total negative correlation (inverse relationship), and zero no correlation. The closer the correlation coefficient is to 1, the more positively correlated the two data sets are. Comparing hotel occupancy rates and meter revenues resulted in a correlation coefficient of .97. In total for the period January 2012-October 2014, projected revenues exceeded actual revenues by $49,015 using this model. This amount is the projected loss estimate using this model. P23 I. Page 21 of 65 Model #4: Projection based on traffic counts This approach considers the percent change in traffic counts year over year. Historical data was obtained from the City’s transportation department, capturing the increase or decrease in total traffic counts between months for each year. Our methodology in executing this model was identical to Model #3. As data was only available through October 2014, we were not able to project December 2014 and January 2015 revenues for comparison to actual. Similar to Model #3, we calculated a correlation coefficient of .96 using this model. A limitation to this model was the need to interpolate some of the data points due to missing data, namely November and December 2013. There is a risk that the interpolated traffic counts may not be reflective of actual traffic counts. Due to the decline in traffic during higher parking revenue months this model resulted in a net negative loss from scheme operations (which would result in the City gaining revenue as a result of the scheme). As we know this is not valid, we adjusted the projection of this model to reflect a zero loss in potential revenues. P24 I. Page 22 of 65 Additional Models: In addition to the above models, we also considered several additional models. These models are described briefly in the following paragraphs, along with the rationale for not including them in our loss assumption. Inflation based on number of parking transactions- As revenues can be affected by either rate or volume, the theory behind this model is that changes in transaction volume are actual changes that do not need to factor in rate changes. This model would also be limited to four data points- January 2011 to January 2015 and December 2010 to December 2014. As the number of transactions decreased from January 2011 to January 2015 and also from December 2010 to December 2014, this projection would result in a net gain from the scheme, which we know is not realistic. As such, we have chosen not to include data from this model. Inflation based on garage revenues-The City’s Rio Grande parking garage was not subject to the scheme, as transactions have always been processed live (i.e. payment card is validated prior to accepting payment). As such, the theory behind this model is that the historical increases in parking garage revenue could be used to predict increases in multi-space meter revenue. One of the limitations in this approach is that the increase in on-street parking rates was primarily undertaken to get folks off the streets and into the garage or using public transit/walking. As such, an increase in garage revenue may actually signify an anticipated decrease in on-street parking revenues. Additionally, application of this model resulted in projected losses that exceeded declined transactions by 40%. As this is not possible, we have chosen not to include data from this model. Inflation based on consumption data- This approach considers economic conditions as reflected in sales tax revenues. While part of increases in sales tax revenues result from increased volume, increased pricing of goods would also result in an increase in sales tax revenues, though such price increases would not be expected to increase parking volume. We have chosen not to include data from this model, as the use of hotel occupancy rates uses a similar methodology, can be argued to have a stronger correlation with parking volume, and does not have a rate/volume component mix that could skew the revenue projections. The details of all models used and considered are presented in Figure 11- Revenue Projection Models on the following page. P25 I. Pa g e 2 3 o f 6 5 Fi g u r e 1 1 - R e v e n u e P r o j e c t i o n M o d e l s Fi g u r e 1 2 - P r o j e c t e d R e v e n u e s Mo d e l # 1 M o d e l # 2 M o d e l # 3 M o d e l # 4 P r o j e c t e d b a s e d on D e c / J a n go o d r e v e n u e ; pr i c e i n c r e a s e se n s i t i v e Pr o j e c t e d b a s e d on 2 0 1 1 d a t a ; in f l a t e d f o r r a t e in c r e a s e s Pr o j e c t i o n b a s e d on h o t e l oc c u p a n c y r a t e s P r o j e c t i o n ba s e d o n t r a f f i c co u n t s P r o j e c t i o n ba s e d o n # o f tr a n s a c t i o n s 20 1 0 - 2 0 1 1 Pr o j e c t i o n b a s e d on g a r a g e re v e n u e s Pr o j e c t i o n b a s e d on c o n s u m p t i o n da t a Pr o j e c t e d R e v e n u e s 3 , 3 6 7 , 9 8 8 $ 3 , 3 8 1 , 8 4 6 $ 3 , 0 8 2 , 5 6 4 $ 2 , 9 5 4 , 8 9 9 $ - $ 4 , 0 0 2 , 4 6 7 $ 3 , 6 0 2 , 0 2 2 $ Ja n u a r y 2 0 1 2 - O c t o b e r 2 0 1 4 A c t u a l G o o d R e v e n u e s 3 , 0 3 3, 5 5 0 $ 3 , 0 3 3 , 5 5 0 $ 3 , 0 3 3 , 5 5 0 $ 3 , 0 3 3 , 5 5 0 $ 3 , 0 3 3 , 5 5 0 $ 3 , 0 3 3 , 5 5 0 $ 3 , 0 3 3 , 5 5 0 $ % D i f f e r e n c e A c t u a l t o P r o j e c t e d 1 0 % 1 0 % 2 % - 3 % 1 0 0 % 2 4 % 1 6% Ma t h e m a t i c a l l y E s t i m a t e d l o s s f r o m s c h e m e 3 3 4 , 4 3 8 $ 3 4 8 , 2 9 6 $ 4 9 , 0 1 5 $ ( 7 8 , 6 5 1 ) $ - $ 9 6 8 , 9 1 7 $ 5 6 8 , 4 7 2 $ % o f b a d r e v e n u e s t h a t w o u l d h a v e b e e n g o o d 4 8 % 5 0 % 7 % -1 1 % 0 % 1 4 0 % 8 2 % Co r r e l a t i o n C o e f f i c i e n t 0 I n s u f f i c e n t D a t a 0 . 9 7 3 4 8 2 9 9 0 .9 6 4 5 8 8 3 9 9 I n s u f f i c e n t D a t a I n s u f f i c e n t D a t a 0 . 9 8 1 6 1 2 3 04 Ad j u s t e d l o s s f r o m s c h e m e ( M i n = 0 ; M a x = 1 0 0 % o f de c l i n e d t r a n s a c t i o n s ) 3 3 4 , 4 3 8 $ 3 4 8 , 2 9 6 $ 4 9 , 0 1 5 $ - $ - $ 8 1 3 , 1 8 8 . 1 6 $ 5 6 8 , 4 7 2 $ In c l u d e i n A v e r a g e Y e s Y e s Y e s Y e s N o N o N o Mi n i m u m L o s s - $ Ma x i m u m L o s s 3 4 8 , 2 9 6 $ Ma t h e m a t i c a l a v e r a g e l o s s o f u t i l i z e d m o d e l s 1 8 2 , 9 3 7 $ Ad d i t i o n a l m o d e l s n o t u s e d 0 10 0 0 0 0 20 0 0 0 0 30 0 0 0 0 40 0 0 0 0 50 0 0 0 0 60 0 0 0 0 Re v e n u e P r o j e c t i o n s Ac t u a l G o o d T r a n s a c t i o n s Pr o j e c t e d - M o d e l # 1 Pr o j e c t e d - Mo d e l # 2 Pr o j e c t e d - M o d e l # 3 Pr o j e c t e d - M o d e l # 4 P26 I. Page 24 of 65 With the understanding that no one model could truly reflect actual losses, we took the mathematical average of the four models to arrive at a projected loss. The four models resulted in a projected revenue loss range between zero and $348K spread over a three year period (averaging between zero and $116K/year) (refer to Figure 12- Projected Revenues, above). Averaging the results of all four models resulted in a projected loss of $183K spread over a three year period (averaging $61K/year). While we have provided average losses per year during the three year period, these losses were lower in initial scheme years and grew during later scheme years. Based on the estimated declined transactions as a result of the scheme and above loss models, 26% of the scheme activity would have been good revenue. P27 I. Page 25 of 65 Quantification of other loss components While the estimate of lost revenues are more subjective and error prone due to data limitations, the City suffered a hard dollar loss resulting from credit card processing fees associated with declined transactions. We were unable to obtain information from the City’s merchant card processor (Global Payments) on how merchant card processing charges are calculated. It is assumed these charges involve flat monthly fees, a per transaction charge “swipe fee”, and a percentage of the transaction amount (which we believe to be a floating percentage based on an established interest rate index (such as the London Interbank Offered Rate- LIBOR). As we did not have the information required to recalculate the excess merchant card fees resulting from the scheme, we compared actual processing fees during each month of the scheme period (averaging 7% of gross revenues and peaking at over 15% in October 2013) to the average processing fee (as a percentage of gross revenue) during 2010-2011. The average fee during this time was 6.3% of gross revenue. The difference between actual processing fees and processing fees based on the historical 6.3% average percent of gross revenues was assumed to be the excess processing fees resulting from the scheme. Using this methodology, we believe the City suffered a hard dollar loss of $50K resulting from credit card processing fees related to fraudulent card activity. Part of the reason this loss is so significant is the resubmission methodology employed by Precise Parklink. Each declined transaction would be submitted the following business day, in hopes that funds would eventually be added to the card, or the card reactivated so that the city could realize this revenue. This would occur for 90 days for each transaction. During the scheme period, nearly $13M in declined charges were resubmitted for processing using the above protocol. Of this amount, $20K was collected, representing a .1% success rate. This $20K does not offset the $50K hard dollar loss, as the above loss factors in a historical baseline decline rate and associated higher credit card processing fees as a percent of gross sales. To put things in perspective, the average card processing fee during 2010- 2011 was 6.3% of gross revenue. Under the same merchant card processor, the processing fee for December 2014 and January 2015 averaged 3.5% of gross sales. The difference is likely attributable to the elimination of declined transactions. Additionally, part of the difference may be also be attributable to mark-ups on processing fees by Precise Parklink, as a breakdown of fees was not provided during the period in which Precise processed these fees and no contract could be produced which would specify processing fee arrangements. P28 I. Page 26 of 65 Consideration of loss of complimentary revenue sources In addition to direct losses in meter revenue from the scheme, CICN considered “complimentary losses”- potentially affected revenue streams indirectly related to on street meter revenue. With the knowledge of “free” on-street parking, one may surmise that individuals who previously paid to park in the garage would move to on-street parking, reducing garage revenues. This is shown to be false in Figure 13- Garage Revenues, which shows a steady increase in garage revenues during the scheme period. Additionally, as garage parking fees have remained constant from 2009-present, the increase in garage revenues is entirely volume driven. Figure 13- Garage Revenues 0 50000 100000 150000 200000 250000 300000 350000 400000 450000 2011 2012 2013 2014 Garage Revenues Total P29 I. Page 27 of 65 Another source of parking revenues is parking fines. Every day, individuals risk receiving a “meter receipt expired” or “meter no receipt” violation and incur associated parking fines. Individuals taking advantage of the scheme may have “paid” to park using invalid payment means, whereas they would have normally risked receiving a parking violation. A reduction in parking violations would have created a decrease in associated revenues. Based on data from Figure 14- Parking Ticket Volume, ticket volume has fluctuated prior to, and during the scheme period, though the average volume has increased over time. During the “pre- scheme” period of 2009-2011, parking ticket volume averaged 31,000 parking tickets annually. During the scheme period of 2012-2014, parking ticket volume increased to 32,400 parking tickets annually. Figure 14- Parking Ticket Volume 0 5000 10000 15000 20000 25000 30000 35000 40000 2009 2010 2011 2012 2013 2014 Parking Ticket Volume P30 I. Page 28 of 65 Summary of parking loss quantification results • We estimate the scheme started on a small scale in early 2012, peaking in May 2014. Scheme activity took a sharp decline in September 2014 upon the City’s blacklisting of key offending Bank Identification Numbers (BIN’s). Scheme activity was eliminated in its entirety upon installation of new parking meters with real-time card authentication in November 2014. • Scheme activity was likely committed by local workers, who would be more likely than visitors to have knowledge of the control weaknesses which would make the scheme possible. Additionally, the volume of scheme transactions were not as affected by seasonal fluctuations as good transactions. • We employed four models to project revenue loss as a result of scheme activity. These models resulted in a projected revenue loss range between zero and $348K. Averaging the results of all four models resulted in a projected loss of $183K. Based on the estimated declined transactions as a result of the scheme and above loss models, 26% of the scheme activity would have been good revenue. • In addition to any projected revenue loss, we believe the City suffered a hard dollar loss of $50K resulting from credit card processing fees related to scheme activity. This estimate is less subjective than revenue loss estimates, as this portion of the loss represents actual additional expenditures incurred by the City as a direct result of the scheme. • We believe the scheme had minimal effect on complimentary revenue sources of the parking garage or parking enforcement tickets. • The ability to defraud the City through this scheme no longer exists due to the installation of new meters with real-time credit card authorization capabilities. We verified this by attempting to use a debit card with no remaining balance to purchase both metered and garage parking, noting our transaction was immediately declined. • Regular monitoring of financial transactions within the parking department will help detect unusual activity, and should identify potential schemes in a more timely manner. • Institution of reconciliations by individuals independent of the cash collection function will reduce the likelihood that schemes occur within a department. P31 I. Page 29 of 65 Observations and Recommendations Our observations are summarized in the table below and presented in detail on the following pages. More specifically during the course of our review, we have come across various opportunities for internal control improvement. Our recommendations are based on our experience in internal audit, as well as best practices from other functions. These recommendations have been tailored to consider the specific needs of the City of Aspen. Topic of Observation Detail on Page 1. Parking revenue loss recovery 30 2. Golf course inventory 31 3. Reconciliation of deposits to Point Of Sale (POS) system- City Clerk’s office 34 4. Parking revenue controls 36 5. Reconciliation format 38 6. System access review 41 7. Safeguarding of cash 44 8. Ability to divert parking credit card proceeds 46 9. League fees 47 10. Documented policies and procedures 48 11. Golf course walk-on prevention 50 12. Recreation Center free facility usage prevention 52 P32 I. Page 30 of 65 1. Parking revenue loss recovery Issue: The City has two opportunities to recoup part of the lost revenue due to inappropriate acquisition of City parking services. First, the loss of revenue clause in the City’s property and casualty insurance policy may cover the loss of parking revenues and expenditures associated with efforts to quantify the loss. Second, regardless of the exact dollar figure of revenue the City lost, the city suffered a hard dollar loss related to the parking scheme in the amount of related credit card fees, which was approximately $50K. Risk: Based on discussions with the City’s Risk Management personnel, there are no risks involved with filing an insurance claim of this nature. While the City’s insurance company will form an independent opinion on the loss and applicable payout, the City would forgo any potential insurance recovery if a claim is not filed. Recommendation: With a $10,000 deductible, the City should consider filing a claim with its property and casualty insurance provider for: 1. Lost parking revenue; 2. Credit card processing charges associated with the parking scheme as identified in this report; 3. Costs associated with quantifying the loss Management Response: The City has filed a claim with its insurance carrier. Staff believes there is a low probability that a payment will be received based on this loss. We are currently gathering information requested by the carrier in order to assess the amount of the claim Responsible Party: Don Taylor, Director of Finance and Administrative Services Completion Date: June 1, 2015 P33 I. Page 31 of 65 2. Golf course inventory Issue: Two individuals have access to purchase, receive, and add/delete inventory from Pro Shop Keeper (PSK- The golf course’s POS system). Ideally, purchasing and receiving duties are separated between different individuals. More importantly, staff that have access to merchandise should not be able to delete inventory items from the system. As a detective control, Cost of Goods Sold (COGS) as a percentage of sales can be examined and compared to average known merchandise markups for reasonableness. The Association of Golf Merchandizers places industry benchmarks for COGS between 55.5% (for resort golf shops) to 68.8% (for private country clubs). Figures for the City of Aspen’s Pro Shop are presented below in Figure 15- City of Aspen Golf Course Cost of Goods Sold for comparative purposes. Figure 15- City of Aspen Golf Course Cost of Goods Sold As seen in the above table, COGS has increased from 70.5% in 2012 to 75.6% in 2014, both of which exceed industry benchmarks. Per discussion with the City, clothing is typically marked up 50%, hard goods (such as balls) marked up 20-30%, and special order items marked up a minimal amount. With these markup percentages, we would expect a lower COGS. Risk: The head pro or assistant pro (the two individuals with the aforementioned system access) have the ability to take merchandise from the floor and remove it from PSK. The only indication that this potential fraud was occurring would be in higher than expected Cost of Goods Sold figures on the financial statements, which we saw during our review procedures. COGS sold that are higher than expected may indicate the need for a better pricing strategy, or a large shrink rate, either of which should be investigated. A small theft could easily be hidden. Further, merchandise giveaways are common in the golf industry. 2012 2013 2014 Sales 175,150$ 175,122$ 176,497$ COGS 123,465$ 138,766$ 133,399$ COGS as a % of sales 70.5% 79.2% 75.6% P34 I. Page 32 of 65 Recommendation: The city can better control ongoing inventory by either: 1. Removing access to delete inventory from anyone working at the golf course. A monthly report would then be sent to the Finance Department, who would review it and delete the items from inventory. OR 2. Having a member of the Finance Department review a monthly report of deleted inventory items. The city would need to ensure that appropriate reports are available in PSK and could not be modified by golf course personnel. The city can provide additional controls for the purchasing process by segregating the purchasing and receiving duties. Currently, the head pro could purchase inventory, take it for himself, and not enter it into the system. The process could be split by having the head pro do the orders and the assistant pro and/or golf shop manager receive the orders. The assistant pro’s purchasing access would also need to be limited/removed. We further recommend the City investigate the high COGS figures. Management Response: Deletions on merchandise have only happened when we needed to offer merchandise for tournament prizes or donations. To improve upon our security so that staff could always have transparency with their actions regarding removal of merchandise and the documentation of said removed merchandise, I recommend proceeding forward with guidance from the auditors who suggested the following: The Golf Department would utilize a member of the Finance Department to review a monthly report of deleted inventory items. The City would need to ensure that appropriate reports are available in the Point of Sale System and could not be modified by golf course personnel ( The City is working with our computer support team make this adjustment to our Point of Sale System). The Golf Department will also have separation of duties so that there is one person who does the purchasing of inventory (Head Golf Professional), and 1 person who would do the receiving of merchandise (Golf Shop Manager). City staff intends to further evaluate the golf pro shop function and how it delivers this service, including controls over pro-shop inventory. Staff will investigate the relationship between cost of goods sold and sales to ensure appropriateness of these figures. Responsible Party: Steve Aitken, Director of Golf Completion Date: P35 I. Page 33 of 65 October 31, 2015 or earlier P36 I. Page 34 of 65 3. Reconciliation of deposits to Point Of Sale (POS) system- City Clerks office Issue: Revenues per the Full Court Point Of Sale systems for the City Clerk’s office are not tied to receipts per Eden. Instead, Finance ties the bank statement to the Eden G/L upload, which is uploaded by the individual making the cash deposit. Risk: The current cash handling procedures for the City Clerk’s office would allow the individual making the cash deposit, or the individuals accepting the cash deposit at the Finance Cashiering office, to misappropriate cash without being detected. Additionally, anyone with access to the Full Court system used by the City Clerk would have the ability to show a non-parking violation (such as a speeding ticket) as being paid. The money paid towards this ticket could then be misappropriated. Absent a reconciliation as described above, this action would go unnoticed. Recommendation: Reconciliations between the Full Court POS system and Eden should be performed for the City Clerk’s office. To properly segregate duties, these reconciliations should be performed by an individual who does not have access to cash or to process transactions for these entities. All reconciliations should be independently reviewed on a monthly basis. Management Response: A Finance staff member will obtain monthly revenue reports from the Full Court POS system. This revenue report will be reconciled to monthly Eden totals for completeness. To implement a successful process, revenue system reports will be identified, appropriate Finance staff will be granted access to run reports directly from Full Court, and Eden transactions will be identified (create preset system queries) in order to create a complete reconciliation process. Responsible Party: Alice Hackney, Controller Completion Date: July 2015 will be the first month reconciled. Finance is currently short two senior accounting staff out of 5 total. This affects the implementation date. P37 I. Page 35 of 65 P38 I. Page 36 of 65 4. Parking revenue controls Issue: A. As part of the control procedures over meter coin collection, the Interim Parking Director will periodically compare coin counts written on a log sheet to meter receipts (effectively a POS system) showing the expected amount of coins which should have been in the vault. This control is currently not evidenced through initials, signature, etc. B. The parking garage attendant has the ability to open the exit gate without generating a sale. This is done for legitimate purposes, for example to let a vehicle with valid handicapped tags exit without paying (such vehicles can park for free). As of the time of our review, there was no review of these non-revenue transactions. Risk: A. There is a risk that the control over meter coin counts may not consistently be performed, which could allow for theft of meter coins by understating the expected meter coins on the log sheet. B. While the garage attendant needs the ability to open the exit gate for non-revenue transactions for legitimate reasons, this functionality would also allow the attendant to manually open the gate for a revenue generating customer and misappropriate the cash, rather than ring it into the POS system. Recommendation: A. We recommend the Interim Parking Director initial next to portions on the log sheet which have been verified to evidence performance of this control. We also recommend the verification of at least two meter vaults (tying the meter receipt to the amount per the log sheet) per count. B. As part of the daily reconciliation procedures, a report of all manual exit gate openings should be run. This report should be reviewed, along with the reconciliation package, by someone independent of the garage cashiering function. Management Response: The City will implement both recommendations, to be performed by the Parking Director. Recommendation A was implemented in February 2015. Recommendation B will be evidenced by Parking Director sign off on the Manual Exit Open Report and retained as an attachment to daily receipt summaries in the Garage files. Responsible Party: P39 I. Page 37 of 65 Blake Fitch, Interim Director of Parking Services Completion Date: April 1, 2015 P40 I. Page 38 of 65 5. Reconciliation format Issue: A. None of the daily revenue reconciliations reviewed were in a format that would allow easy identification of issues. Many “reconciliations” were a series of reports that one could tie out, but did not contain evidence that this tie out was actually being performed. Also, reviews of voided transactions are not consistently performed. B. While Finance performs a monthly bank reconciliation, this process is complex and non- intuitive. A traditional bank reconciliation includes the beginning and ending bank balance that is agreed to the general ledger with any reconciling items identified and explained. The current reconciliation appears to be a working document as opposed to a high level reconciliation. Risk: Reconciliations which are convoluted and/or do not clearly show one source tying to another (such as a bank deposit to POS system) make it difficult to review and easily identify potentially suspicious or erroneous activity. A reviewer of a reconciliation would be less likely to catch inappropriate activity with a complex reconciliation than with one which clearly ties to supporting documentation. The ability to void a transaction should typically be limited to personnel at a supervisory level, preferably supervisors who do not have cash handling responsibilities. The ability to void a transaction would allow the individual with this access to void out a transaction and misappropriate the corresponding cash. Recommendation: A. Reconciliations of Point Of Sale terminals to deposit receipts should be set up to clearly tie one source of information (the POS terminal report) to another (the deposit receipt). In general, each reconciliation should have a cover sheet similar to the one presented on the following page. The reconciliation should also include a review of voided transactions. This voided transactions report should be attached to the reconciliation and contain evidence of supervisor review. P41 I. Page 39 of 65 Reconciliation Cover Sheet Parking Operations Date: __________________ Cash/Check revenue per POS system: _________ Amount per deposit: _____________________ Variance: ______________________________ Explanation for variance: __________________ Prepared by: ___________________________ Reviewed by: ___________________________ Documentation should be attached to the reconciliation to support the amounts listed within. As an example, the Audience View POS report for the Wheeler Opera House should be attached to support the “Balance per POS system”, and the deposit receipt from the bank should be attached to support the “Amount per deposit”. We typically saw these supporting documents, without the actual reconciliation to tie it together. Additionally, the supporting documentation should ideally tie directly to the amount per the reconciliation. If this is not the case, adding machine tapes or other methods of demonstrating totals used in the reconciliation should be included. Different entities within the City may have specialized circumstances (such as the Wheeler Opera House paying out credit card tips with cash receipts) that would warrant a variation from a standardized template. We would encourage entities to customize a standardized reconciliation template to their operations. For example, parking should replace “Balance per POS system” to “Balance per T2”. B. The City should review their current bank reconciliation process and consider ways to either simplify the process or automatically generate a high level summary of the complex detail for reconciliation purposes. We understand the City is in the process of evaluating replacement ERP systems. As part of this process, an ERP vendor may have the requisite technology to automate and simplify the current process. P42 I. Page 40 of 65 Management Response: Reconciliation cover sheets will be added to POS system reconciliations, including those performed for the Wheeler, Parking, Parking Garage, Clerks, Recreation, and Golf. Procedures for voided transactions will be developed and implemented. This may involve review of void reports by Finance staff or department staff. Staff will take particular attention to bank reconciliation tools available in ERP software which we begin evaluating in May. Finance will update bank reconciliation instructions which were last updated in 2011. Responsible Party: Liz Woods, Interim Controller Completion Date: August 1, 2015 P43 I. Page 41 of 65 6. System access review Issue: Most of the departments reviewed did not perform regular documented reviews of which users have access to the various POS systems, as well as the appropriateness of such access. Risk: While segregation of duties policies can dictate who should be performing certain duties, appropriately designed system controls and user access roles serve as a stronger control to prevent incompatible duties. Users who have terminated employment could still access POS systems if their access is not removed. Users who have transitioned roles within the organization may inadvertently retain old access rights which are no longer compatible with their new role. “Super users”- those who can assign access rights in the system could assign themselves incompatible access rights, perform fraudulent activity, then revert their system rights to conceal the activity. Recommendation: A review of use access rights should be performed twice per year (or more frequently if warranted). This review should be documented to evidence performance of this control. Consideration should be given to role assignment by an independent party with knowledge of the system but no segregation of duties conflicts, such as Finance or IT. Management Response: Finance staff will review user access in the following systems annually. We have determined that reviewing access annually is sufficient, given overall low turnover at the City and limited available internal resources to conduct the reviews. Eden (or ERP) Kronos Timekeeping Yardi Magnet ProShop Keeper ActiveNetwork T2 Parking Cale Web Office Wells Fargo CEO (pcard) Munis Municipay Citizen Access Audience View Wheeler Bar POS Max Galaxy Full Court CSIP / Colotrust General Banking Accounts P44 I. Page 42 of 65 P45 I. Page 43 of 65 Responsible Party: Don Taylor, Director of Finance and Administrative Services Completion Date: September 1, 2015 P46 I. Page 44 of 65 7. Safeguarding of cash Issue: We noted the following issues with the safeguarding of monies at the finance cashier window and “red brick” locations. • At the finance cashier window, large amounts of cash are stored in an unlocked cabinet during the day. This is a larger issue with marijuana tax payments, which are usually large sums of cash. • The Finance Department safe containing petty cash was left unlocked during the day. • The portable cash boxes used by Finance Cashiering, although locked, could easily be removed. • The daily bank deposit for the Red Brick center was observed as being unattended on a front desk, assessable to the public Risk: Large amounts of cash increase the risk of loss from fraud and theft. Recommendation: The City should consider installing a drop safe where cash can be stored upon receipt. Drop safes allow cash to be securely deposited into the safe by anyone, but removed only by personnel with access to the safe. This would also allow the safe to remain locked at all times during the day, and to be opened only when preparing the deposit. To minimize expense, they City may be able to swap the Finance department and garage safes, as the garage is not using (and does not need) the drop safe functionality of their safe. Cash should be stored in drawers or other devices that are kept locked and cannot easily be removed. In general, cash should be carefully guarded at all times. Management Response: Cash receipts over $100 will be locked in the safe, rather than batched in an unsecure location. (Implemented immediately) A new safe will be installed to include key pad combination and drop slot. Est. $700 Four auto-locking cash drawers with mounts will be installed under the current counter. Est. $800 P47 I. Page 45 of 65 Regarding the unattended deposit observation, cash handling policies will be communicated City-wide by Finance on an ongoing basis, at least annually. Finance has discussed this issue with recreation staff. Responsible Party: Don Taylor, Director of Finance and Administrative Services Completion Date: September 1, 2015 P48 I. Page 46 of 65 8. Ability to divert parking credit card proceeds Issue: The contract with Global Payments, the City’s credit card processor, is currently signed solely by the Controller. This one individual can establish and change the bank account to which City revenue streams are deposited. Risk: Having one signatory on this contract would allow the controller to divert revenues from the City to their personal bank account. This could be done for a portion of the deposit (ex. 1% of revenues to personal bank account; 99% to City) to avoid detection. This risk would remain the same, so long as there is only one signatory required to change account information. Recommendations: The Global Payments contract, as well as any similar merchant card processor contracts, should be set up to require dual signatures to change bank account information. Ideally, these two signatures would not have cash handling or reconciliation responsibilities. Management Response: As standard procedure, new merchant accounts will require dual signature internally. Our opinion is that the POS system reconciliations and bank reconciliations mitigate this risk. Additionally, we verified that merchant processors require a voided City check or bank letter from the City’s bank in order to route revenue deposits to the account. Responsible Party: Don Taylor, Director of Finance and Administrative Services Completion Date: Immediately P49 I. Page 47 of 65 9. League fees Issue: There is a dedicated staff member that manages all leagues. This staff member enrolls teams and individuals for the league, collects payment, and also creates the schedule. While there is a high level review of total revenue for the league by a separate supervisor, this would likely not catch lower level discrepancies between scheduled leagues and expected revenues. Risk: The current arrangement would allow the league manager to add a team without collecting the fee, or misappropriate a fee paid by a team and still enroll the team. Recommendation: A simple check could be done prior to the start of each league to confirm the revenue received equals the number of teams multiplied by the league fee. This check should be done by a supervisor or finance department staff member that does not have the responsibility of managing the leagues or collecting payment Management Response: League payments are made through Activenet and are collected by Keith, front desk staff, and increasingly online. We are checking to make sure all league payments are made prior to the start of the season. Right now the best solution is to use Activenet to pull detailed reports on each league and team to be sure each team has paid in full prior to the season. This will be conducted by someone other than Keith (Financial Analyst or Keith’s supervisor). Responsible Party: Jeff Alden, Aspen Rec Center, Parks Department Financial Analyst Completion Date: April 1, 2015 P50 I. Page 48 of 65 10. Documented policies and procedures Issue: Two of the departments we reviewed did not have documented policies and procedures that would be considered adequate for internal control purposes. While all departments reviewed had a certain level of process documentation, such documentation took the form of a “desktop procedures” manual. Desktop procedures manuals provide explicit details on how to perform certain actions within a system (such as how to ring in a ticket sale), but do not detail the internal control procedures (such as requiring reconciliations to be reviewed independent of the preparer). The departments that would benefit from documented policies and procedures outlining internal controls are Parking and Finance cashiering. In addition to policies and procedures at the functional level, the existing City-wide policies regarding cash handling could be improved to encompass expectations around the reconciliation process.. Risk: The lack of documented policies and procedures undermines management’s efforts to set expectations and processes for staff, decreases consistent performance across staff members, and inhibits continuity when staff turnover occurs. Recommendation: The City should ensure that departments develop policies and procedures for its financial transactions, including revenue collection procedures that adhere to best practices for fraud mitigation. The City should also develop a set of centralized fiscal rules to help ensure consistent expectations and implementation. Management Response: The City has cash handling procedures that are communicated at least annually in Finance Refresher trainings, as well as available on the City’s intranet. The Finance Department has monthly and year end reconciliation checklists in place to track completion of GL reconciliations. The Finance Department should be involved with developing and documenting internal controls, rather than relying on individual departments to develop their own independently. While we agree that internal control documentation would be beneficial, the Finance Department does not currently have the resources to complete such documentation. This is typical with most municipalities of similar size, resources are not available to complete and maintain internal control documentation, even though adequate internal controls exist. P51 I. Page 49 of 65 Responsible Party: Don Taylor, Director of Finance and Administrative Services Completion Date: Not Applicable P52 I. Page 50 of 65 11. Golf course walk-on prevention Issue: There is a possibility that a limited number of unauthorized free rounds of golf are either given by pro shop staff members or taken by individuals beginning play past the view of the pro shop. Staff could possibly grant free play in the afternoon/non-peak hours to a friend or for a return favor. Risk: Players receiving “free” golf may or may not have paid to play if they were not given the free golf/had not snuck onto the course. Players that would have paid to play represent a loss of revenue to the City. While there is a risk that non-paying players are taking the spots of revenue generating customers, we suspect any free play is granted/taken during tee times that would otherwise not be filled, as these would not be officially entered into the starting system and the tee time would show as open. Recommendation: The possibility of free play can be reduced by exercising several options to tighten controls: • Ensure staffing of a paid starter for all times that the golf course is open. The starter would review receipts for all players. This approach would increase the expense to the city but would provide a strong control against free play. • The city could also augment the paid starter staffing with volunteer staffing in off- peak hours. The volunteer staff member would perform the same role as the paid starter in terms of checking receipts for all players before play begins. Volunteer staff members at other courses are typically granted a limited amount of free or reduced cost playing privileges. A cost/benefit analysis should be considered here, as volunteers for this position may have normally paid to play. By granting free golf privileges, the City could be forgoing good revenue to prevent free golf that would not have otherwise resulted in revenue. • The city could sporadically audit play by placing a non-golf city staff member on the 7th or 8th hole to check receipts of players. If a player did not have a receipt, then the city staff member would take their name and verify it against PSK at the end of the day. This approach could also be used to determine if the costs of implementing further controls over free play are justified based on the level of free play that is occurring. Management Response: The auditors surmise that there is a possibility of people accessing the golf course (playing golf for free) by walking on to the golf course out of the sight of the golf shop or by allowing someone to play for free as a favor. My staff and I are extremely confident no one plays for free as a favor. There is always multiple staff in the golf shop so that it would be impossible for a staff member to allow free golf. Persons walking on out of site of the golf P53 I. Page 51 of 65 shop is an occasional problem that staff has utilized with effectiveness the following technique: • Golf Maintenance Staff is periodically asked to audit play by asking for receipts (tee time receipt) of players during their round of golf. This was a recommendation of the Auditors and a program we will continue to utilize in the future. • Additionally the auditors suggested that a starter could be employed at all hours that the golf course is open for play not just during the busy times, to control walk on golf. At this time, the Golf Budget does not have the funding available to allow for the staffing needed. This can be revisited in the future as additional funds become available. • Auditors suggested the use of volunteers to track players and receipts in exchange for free or discounted golf. Staff believes that this would be inconsistent and that we would actually lose revenue do to most of the individuals that would want to do this already pay for a golf pass. • I suggest another method and that is a remote camera placed at the third tee, tenth tee, and sixteenth tee. Remote cameras are inexpensive, no in ground wire is needed and offer at a glance knowledge of any violations of golf course use. Responsible Party: Steve Aitken, Director of Golf Completion Date: April 1, 2015 P54 I. Page 52 of 65 12. Recreation Center free facility usage prevention Issue: Due to the layout of the Aspen Recreation Center (ARC), a person could enter the front door and sneak into the cardio and weight room, which is not within view of the front desk. Another possibility for unauthorized facility usage is cashiers allowing people to enter the ARC for free. The turnstiles could count the number of people going through, but some go through free legitimately (such as parents watching their children at a swim lesson) and it is fairly easy for a person to hop over or go around the turnstile. Risk: Individuals receiving “free” entry to the ARC may or may not have paid to enter if they were not given the free admittance/ did not sneak in. Individuals that would have paid to enter represent a loss of revenue to the City and may occupy equipment desired by paying customers. Recommendation: The possibility of free facility usage can be reduced by exercising several options to tighten controls: • Lifeguards or other swim staff could do occasional audits of the number of swimmers. This could be compared to the number of pool users for the day per the POS report. • The access card system for the cardio room could be periodically audited to compare unique card swipes (which would consider multiple entries/exits during the day) to POS reports showing members and guests who legitimately paid for facility use. For this to work, the use of punch cards would have to be entered into the POS system. Alternatively, punch cards could be sold as an RFID card which would automatically allow the unlimited use for the purchased number of days. This reconciliation would deter staff from providing free facility use, but would not prevent “piggybacking” (holding the door open for the person behind you, which is frequently done as a courtesy). • A camera could be installed to both deter and detect individuals from entering the cardio room without paying. Unless free facility usage was a widespread issue, the above controls would likely not detect the occasional freebie/sneak-in as each control has a certain level of error associated with it. Both the cost of the control and design limitations would have to be considered in conjunction with the expected benefit (reduction in unauthorized free usage). Management Response: Staff currently has Daily Admissions guest get hand stamps (that change daily) for each paying guest. Staff periodically checks these but pass holders are not required to get the hand stamp and access with a card swipe. Because patrons have access the entire facility, a comparison to any hand counts will not match, this is simply a snapshot at users at that given moment. P55 I. Page 53 of 65 Staff conducts spot checks on the fitness and cardio room to be sure all users paid a Daily Admission or are a pass holder. This has recently been expanded. There are cameras for both the fitness room and cardio room that provide a live feed to the front desk. When doors are propped open staff will immediately close them and speak to customers. With the current system comparisons to card swipes and payment for Daily Admissions is not possible. Currently, Daily Admissions guests are given a key to the fitness and cardio rooms and staff holds some collateral. Staff is funded to install RFID this year. Improvements to security and patron counts will be improved with the new system. Without providing staff at all swipe locations, ‘piggybacking’ will continue to be an issue. Responsible Party: Jeff Alden, Aspen Recreation Center Completion Date: Ongoing P56 I. Pa g e 5 4 o f 6 5 Ap p e n d i x A - P r o c e s s F l o w c h a r t s P57 I. Pa g e 5 5 o f 6 5 CI T Y O F A S P E N GE N E R A L C A S H I E R I N G RE C O N C I L I A T I O N S P R O C E S S FE B R U A R Y 2 0 1 5 ST / B L S p e c i a l i s t d o w n l o a d s a l l PO S r e p o r t s , c r e a t e s m a c r o o r ot h e r m o d i f i c a t i o n t o i n t e r f a c e th e r e p o r t s t o E d e n Da i l y S T / B L S p e c i a l i s t in t e r f a c e s t o E d e n ST / B L S p e c i a l i s t en s u r e s i n t e r f a c e i s co m p l e t e w h i l e pr o c e s s i n g . Fr o m : G e n e r a l Ca s h i e r i n g Ba n k S t a t e m e n t s Re c o n c i l i n g It e m s ? En d Ye s No Su m m a r i z e d E d e n Le d g e r D e t a i l De p a r t m e n t P O S Re p o r t s (C o n t r o l G a p ) Ac c o u n t i n g Su p e r v i s o r w i l l re s e a r c h a n d r e s o l v e P e t t y C a s h i s r e c o n c i l e d w e e k l y b y t h e C a s h i e r b y c o u n t i n g c a s h a n d a d d i n g r e c e i p t s t o e q u a l $2 ,5 0 0 . 1 & 2 T h e C a s h i e r p r o v i d e s t h e r e c e i p t s t o t h e A P C l e r k w h o r e v i e w s a n d r e i m b u r s e s t h e P e t t y C a s h Fo o t n o t e s 1. C a s h i e r h a n d l e s a l l c a s h , t h e r e f o r e t h e r e c o n c i l ia t i o n s h o u l d b e p e r f o r m e d b y s o m e o n e i n d e p e n d e n t o f t h e c a s h h a n d l i n g f u n c t i o n . 2. A n i n d e p e n d e n t v e r i f i c a t i o n t h a t P e t t y C a s h i s o nl y r e i m b u r s e d u p t o t h e m a x i m u m $ 2 , 5 0 0 i s n o t b e i n g p e r f o r m e d . St a r t (P e t t y C a s h ) Ba n k r e c o n c i l i a t i o n s a r e pr e p a r e d m o n t h l y b y t h e Ac c o u n t i n g S u p e r v i s o r an d r e v i e w e d b y t h e Ac c o u n t i n g M a n a g e r P58 I. Pa g e 5 6 o f 6 5 P59 I. Pa g e 5 7 o f 6 5 P60 I. Pa g e 5 8 o f 6 5 P61 I. Pa g e 5 9 o f 6 5 P62 I. Pa g e 6 0 o f 6 5 C i t y o f A s p e n U t i l i t y S e t u p F e b r u a r y 2 0 1 5 St a r t (W a t e r ) Ap p l i c a t i o n f o r Co n s t r u c t i o n su b m i t t e d t o C i t y f o r re v i e w Wa t e r S e r v i c e As s e s s m e n t , E a s e m e n t s an d / o r l e g a l d o c u m e n t s re v i e w e d f o r C o m p l i a n c e Ne w o r E x i s t i n g Ac c o u n t ? Ne w Mu n i s a c c o u n t a n d cu s t o m e r f i l e r e v i e w e d fo r e x i s t i n g c o n d i t i o n s / re s t r i c t i o n s Ex i s t i n g In f o r m a t i o n p a c k e t ou t l i n i n g f e e s & re s t r i c t i o n s s e n t t o De v e l o p e r If A p p l i c a t i o n i s a p p r o v e d an d i f D e v e l o p e r w a n t s t o pu l l C o n s t r u c t i o n P e r m i t , th e n t a p f e e s a r e p a i d If a c c o u n t e x i s t s i n M u n i s , th e E C U r a t i n g s a r e up d a t e d . I f a n a c c o u n t do e s n ’ t e x i s t , a n a c c o u n t i s cr e a t e d i n M u n i s b y t h e Bi l l i n g S p e c i a l i s t Wa t e r b i l l s a r e d e t e r m i n e d by 3 M a j o r F a c t o r s : 1. E C U R a t i n g 2. B i l l i n g A r e a s ( Z o n e ) 3. F e e S c h e d u l e (A p p r o v e d b y C i t y C o u n c i l ) To : U t i l i t y B i l l i n g St a r t (E l e c t r i c ) Re q u e s t f o r n e w se r v i c e i s su b m i t t e d t o t h e Cit y f o r r e v i e w Ac c o u n t t y p e i s d e t e r m i n e d by P l a n s R e v i e w e r . 5 A c c o u n t t y p e s i n c l u d e : Re s i d e n t i a l , S m a l l Co m m e r c i a l , L a r g e Co m m e r c i a l , S m a l l C i t y Fa c i l i t y , L a r g e C i t y F a c i l i t y Ac c o u n t t y p e i s e n t e r e d i n t o Mu n i s b y B i l l i n g S p e c i a l i s t . Ti e r s t r u c t u r e i s a p p l i e d ba s e d o n A c c o u n t t y p e Pla n s R e v i e w e r l o o k s a t th e a p p l i c a t i o n , t h e p l a n s an d c a l l s d e v e l o p e r , i f ne c e s s a r y En e r g y C o n v e r s i o n U n i t “E C U ” W o r k s h e e t a n d Ut i l i t y C o n n e c t i o n P e r m i t co m p l e t e d b y P l a n s Re v i e w e r Wo r k O r d e r i s ge n e r a t e d a n d El e c t r i c s t a f f in s t a l l s m e t e r a t Pr o p e r t y P63 I. Pa g e 6 1 o f 6 5 P64 I. Pa g e 6 2 o f 6 5 P65 I. Pa g e 6 3 o f 6 5 P66 I. Pa g e 6 4 o f 6 5 P67 I. Pa g e 6 5 o f 6 5 P68 I.