Audit Report

Department of Public Safety and Correctional Services
Office of the Secretary and Other Units
February 2007

OFFICE OF LEGISLATIVE AUDITS
DEPARTMENT OF LEGISLATIVE SERVICES
MARYLAND GENERAL ASSEMBLY

•

This report and any related follow-up correspondence are available to the public through the
Office of Legislative Audits at 301 West Preston Street, Room 1202, Baltimore, Maryland
21201. The Office may be contacted by telephone at 410-946-5900, 301-970-5900, or 1-877486-9964.

•

Electronic copies of our audit reports can be viewed or downloaded from our website at
http://www.ola.state.md.us.

•

Alternate formats may be requested through the Maryland Relay Service at 1-800-735-2258.

•

The Department of Legislative Services – Office of the Executive Director, 90 State Circle,
Annapolis, Maryland 21401 can also assist you in obtaining copies of our reports and related
correspondence. The Department may be contacted by telephone at 410-946-5400 or 301970-5400.

DEPARTMENT OF LEGISLATrvE SERVICES
OFFICE OF LEGISLATIVE AUDITS
MARYLAND GENERAL ASSE:'IBLY
K.rl S. AI'<>
E>«:~,;YC

"""i_

I)...-,...M........ CPA

r>;_

l.cpol.,;"",

February 16, 2007
Delegate Charles E. Barkley, Co-Chair, Joint Audit Committee
Senator Nathaniel J. McFadden, Co-Chair, Joint Audit Committee
Members of Joint Audit Committee
Annapolis, Maryland
Ladies and Gentlemen:
We have audited the Office of the Secretary and other units of the Department of
Public Safety and Correctional Services (hereinafter referred to as the Office) for the
period beginning May 28, 2003 and ending June 30, 2006. The specific budgetary
units are indicated on page 19 of this report.
Our audit disclosed certain internal control deficiencies relating to the Office’s
inmate medical contracts with five contractors to provide health services to inmates
in the State’s correctional institutions. For example, the Office did not adequately
review contractor invoices before payment and, as a result, certain overpayments
were made to contractors. Payments made to contractors under the inmate health
services contracts totaled $110 million in fiscal year 2006. Subsequent to our audit
fieldwork, the Office negotiated agreements which require the medical services
contractor and the mental health services contractor to pay liquidated damages
totaling $1.75 million and $130,000, respectively, for the period from July 1, 2005
through January 17, 2007. These agreements also specify that the Office will hold
the contractors harmless from any further claims related to this period.
Our audit also disclosed that the Office had not established procedures to verify that
all 911 Trust Fund fees collected each year by service carriers were remitted to the
State. Furthermore, we noted control deficiencies with respect to cash receipts,
accounts receivable, fingerprint database security, corporate purchasing cards, and
equipment.
Respectfully submitted,

Bruce A. Myers, CPA
Legislative Auditor

2

Table of Contents
Executive Summary

5

Background Information

7

Agency Responsibilities
Performance Audit
Settlement Agreements
Current Status of Findings From Preceding Audit Report

Findings and Recommendations

7
7
7
8
9

Inmate Health Services Contracts
Finding 1 – The Office Did Not Adequately Review Contractor Invoices for 9
Propriety Resulting in Overpayments to Contractors
Finding 2 – The Office Reimbursed Contractors for Items Purchased
11
Without Ensuring that the Items Had Been Received
Finding 3 – The Office Had Not Ensured that Contractors Complied
11
with Contract Provisions for Identifying Third Party Payments
911 Trust Fund
Finding 4 – The Office Lacked Procedures to Verify the Propriety of
911 Trust Fund Fees Remitted by Service Carriers
Criminal Justice Information System Cash Receipts
Finding 5 – Adequate Controls Were Not Established over Collections

12

13

Accounts Receivable
Finding 6 – Non-Cash Credit Transactions Were Not Always Properly
Supported

14

Fingerprint Database Security
Finding 7 – Controls over Automated Fingerprint Images Need
Improvement

15

Corporate Purchasing Cards
Finding 8 – Sufficient Controls Were Not Established over Corporate
Purchasing Cards

16

3

*

Equipment
Finding 9 – Proper Controls Were Not Established over the Office’s
Capital Equipment

17

Audit Scope, Objectives, and Methodology

19

Agency Response

*

Appendix

Denotes item repeated in full or part from preceding audit report

4

Executive Summary
Department of Public Safety and Correctional Services
Office of the Secretary and Other Units
February 2007

•

The Office did not adequately review invoices from the contractors
providing inmate health services to ensure that only appropriate
payments were made.
The Office should verify the propriety of contractor invoices to ensure that
payments are proper and within the terms of the applicable contract.

•

The Office reimbursed contractors for certain items purchased under the
terms of the inmate health services contracts without ensuring that the
items had been received.
Documentation supporting the receipt of items purchased should be received
prior to processing the related invoices for payment.

•

The Office had not determined whether the contractors providing inmate
health services had complied with the contract provisions for identifying
third party payments.
The Office should ensure that the contractors comply with the contractual
requirement for identifying and obtaining third party payments.

•

The Office had not established procedures to verify the propriety of the
911 Trust Fund fees remitted by the service carriers operating in the
State.
The Office should establish procedures to ensure that all fees collected by
service carriers for the 911 Trust Fund were subsequently remitted.

•

The Office had not established adequate controls over Criminal Justice
Information System cash receipts.
We provided detailed recommendations to improve controls, including the
segregation of incompatible duties.

5

•

Non-cash credit transactions were not always properly supported.
Adequate documentation should be maintained to support non-cash credit
transactions.

•

Access controls over a database that contained fingerprint images for law
enforcement purposes need improvement.
The Office should restrict the capability to delete fingerprint images from the
database to employees who need such access to perform their job duties. In
addition, reports of such deletions should be periodically generated for
subsequent review.

•

The Office had not established sufficient controls over corporate
purchasing cards.
The Office should comply with the Comptroller of the Treasury’s Corporate
Purchasing Card Program Policy and Procedures Manual requirements.

•

An independent control account was not maintained by the Office for
computer equipment and the results of the physical inventories of such
equipment were not reconciled to the related detail records.
The Office should comply with the Department of General Services’
Inventory Control Manual requirements.

6

Background Information
Agency Responsibilities
The Department of Public Safety and Correctional Services – Office of the
Secretary has statewide responsibility for the control and habilitation of
incarcerated individuals. The Office is also responsible for the maintenance of
the State’s criminal history record information. In addition, the Office is
responsible for administering the 911 Trust Fund as required by law. According
to the State’s records, during fiscal year 2006, the expenditures for the six
budgetary units audited, which are indicated on page 19 of this report, totaled
approximately $214 million.

Performance Audit
Our Office also conducted a performance audit of the process used by the
Department of Public Safety and Correctional Services to monitor certain aspects
of its inmate healthcare services program which is administered by contractors.
The objectives of this performance audit were as follows:
1. To determine whether the Department had established procedures to
ensure that the contractors hired sufficient staff with the requisite
qualifications as stipulated by contracts and other directives of the
Department.
2. To determine whether the Department implemented the necessary
contractor monitoring procedures to ensure compliance with significant
reporting provisions of the contracts.
3. To determine whether the Department had implemented adequate
procedures to ensure effective coordination of the services rendered to the
inmate population by the contractors.
The results of this performance audit will be reported in a separately issued audit
report.

Settlement Agreements
In January 2007, the Office entered into settlement agreements for liquidated
damages totaling $1.75 million and $130,000 from two contactors providing
services under the Office’s inmate health service contracts. Specifically, these
settlements were with the contractors providing services under the medical
services module and the mental health services module of the inmate health

7

contracts, respectively, and were for the period from July 1, 2005 through
January 17, 2006. The inmate health services contracts permit the Office to
assess liquidated damages against any contractor that fails to perform in a manner
consistent with the contract provisions. The settlements were negotiated
agreements which specified that the Office would hold the contractors harmless
from any further claims related to this period, including any claims associated
with billing overpayments or deviations from the contract terms as related to
services provided.

Current Status of Findings From Preceding Audit Report
Our audit included a review of the current status of the seven findings contained
in our preceding audit report dated February 18, 2004. We determined that the
Office satisfactorily addressed six of these findings. The remaining finding is
repeated in this report.

8

Findings and Recommendations
Inmate Health Services Contracts
On June 1, 2005 the Office entered into two-year one-month contractual
agreements (with three one-year renewal options) totaling approximately $223
million, with five different contractors to provide inmate health services under six
different service modules. The modules are medical, mental health, dental,
pharmacy, utilization management and electronic patient health records/health
management information system. The contractors are to provide these services to
all inmates and arrestees in the custody of the Department. According to the
Office’s records, payments made to these contractors under the contracts totaled
$110 million in fiscal year 2006.
Finding 1
The Office did not adequately review contractor invoices to ensure that only
appropriate payments were made.
Analysis
The Office did not adequately review contractor invoices for propriety.
Specifically, our review disclosed that the Office’s procedures required contractor
invoices to be subject to only a cursory review before being approved for
payment. For example, the Office did not verify the propriety of rates or hours
billed by the contractors. Subsequent to payment, the invoices were to be
reviewed by the Office of Inmate Health Services and any overpayments
identified noted were to be recovered at the conclusion of the review process.
Our test of 10 invoices totaling approximately $2.1 million processed during
fiscal year 2006 disclosed certain billing problems that were not identified prior to
invoice payment as follows:
•

For the medical module of the contract, we identified an overpayment of
$34,600 on one monthly invoice which had not yet been detected by the
Office. This overpayment occurred because the contractor improperly billed
the Office a higher hourly rate for one service category than the hourly rate
specified in the contract. After we brought this matter to the Office’s
attention, the contractor adjusted a subsequent invoice to recover these
overpayments.

•

For dental services, the contractor improperly calculated the amounts due on
two monthly invoices resulting in overpayments totaling $55,200. The

9

contractor subsequently identified and adjusted a later invoice to recover these
overpayments.
•

During fiscal year 2006, a contractor billed and was paid $54,300 for
telephone related charges even though the contract specifically stated that the
Office would provide telephone related services. When questioned about
these charges, Office management stated that the contractor had been
provided certain space in a facility where telephone service was not available
and that the Office had instructed the contractor to obtain telephone service
and provided reimbursements to the contractor to meet its contractual
obligation. However, the Office could not provide specifics regarding
services provided to, and reimbursed by, the Office. Therefore, the propriety
of this payment under the terms of the contract was questionable.

It is preferable to verify the propriety of contractor invoices prior to payment to
avoid overpayments and negate the need to recover such overpayments. In
addition, the existence of overpayments is significant since the process of
subsequently reviewing paid invoices, on which the Office was relying to identify
overpayments, was not effective. In this regard, as of November 2006, such a
review had only been initiated for certain expenditures related to the medical
module for the month of November 2005. Furthermore, the review process had
not been completed for this one month, no overpayments had been recovered and
the process was not initiated timely. The preliminary results of this one-month
review resulted in a potential cost recovery of $219,805 for work hours deemed
not in compliance with the contract.
As noted in the Background Information section of this report, the Office
subsequently entered into settlement agreements with the contractors providing
services under two of the inmate health services contracts (including the medical
module). These agreements preclude the Office from pursuing any additional
claims related to the period from July 1, 2005 through January 17, 2007.
Recommendation 1
We recommend that the Office conduct a more thorough review of
contractor invoices for inmate health services prior to payment. These
reviews should include a verification of the propriety of rates and the
reasonableness of the hours being billed. To the extent that the Office must
rely on reviews of contractors’ invoices after payment as the mechanism to
ensure invoice propriety, we recommend that the Office complete those
reviews and recover any overpayments in a timely manner.

10

Finding 2
The Office reimbursed contractors for items purchased without ensuring
that the items had been received.
Analysis
The Office reimbursed contractors for items purchased without ensuring that the
items had been received. Our test of 14 invoices totaling $400,000 paid during
fiscal year 2006 disclosed that, for 8 invoices totaling $314,000, there was no
documentation that the related goods had been received. According to the
Office’s records, supplies purchased under the terms of the inmate health services
contracts totaled approximately $3.5 million during fiscal year 2006.
Under the terms of the inmate health services contracts, the contractors are
permitted to purchase supplies, pharmaceuticals and materials after approval by
the Office and are reimbursed upon the submission of appropriate third party
invoices. While the contractors submitted third party invoices to support their
reimbursement requests, in many instances verification of receipt (such as a
receiving report) was not obtained.
Recommendation 2
We recommend that documentation supporting the receipt of items
purchased be obtained prior to processing the invoices for payment.

Finding 3
The Office had not ensured that contractors complied with contract
provisions for identifying third party payments.
Analysis
The Office had not determined whether the contractors providing inmate health
services had complied with contractual requirements for identifying third party
payments. Specifically, the Office had not determined whether the contractors
had established a system to identify and collect potential third party payments
from insurance companies and government agencies for medical services
rendered to inmates and did not obtain quarterly reports from contractors detailing
all third party payments received, as required. Office management advised us
that, in their opinion, such a system would cost more than any monies received.
However, management could provide no documentation (a study or cost/benefit
analysis) to substantiate its opinion.

11

Under the terms of the contracts, the contractors are required to establish a system
to identify and collect third party payments from insurance companies or other
entities for medical services provided inmates and submit quarterly reports
detailing payments received. For example, third party payments may be available
from insurance coverage obtained through inmates’ previous employment or
through Medicaid. These payments are to be remitted to the Office.
Recommendation 3
We recommend that the Office ensure that the contractors providing inmate
health services comply with the contractual requirements for identifying and
obtaining third party payments, unless these requirements are determined to
not be cost effective based on a documented analysis performed by the
Office.

911 Trust Fund
Finding 4
The Office had not established procedures to verify that all 911 Trust Fund
fees collected by the service carriers were remitted to the State.
Analysis
The Office had not established procedures to verify that all 911 Trust Fund fees
collected by mobile telecommunication service carriers (wireless providers) and
by telephone service carriers (wired providers) operating in the State were
properly remitted. According to the Office’s records, receipts deposited in the
911 Trust Fund totaled approximately $58 million in fiscal year 2006, of which
$27 million was remitted by the wireless providers and $31 million was remitted
by wired providers.
The Public Safety Article of the Annotated Code of Maryland requires that,
effective October 1, 2003, the Office adopt procedures for auditing these fee
collections and remittances from the wireless providers. In response to a request
for information from the General Assembly regarding the 911 Trust Fund, the
Office reported in December 2003 that it was their intention to design the process
and format for independent audits of wireless providers that should provide
verification from the carriers records of the accuracy of the fees collected and
remitted. However, as of November 2006, the Office had not established the
audit procedures required by law. The law does not specifically address auditing

12

the fee collections and remittances made by the wired providers; however, it is
our opinion that, because of the significance of collections and remittances,
procedures should also be established for auditing the wired providers.
The Public Safety Article of the Annotated Code of Maryland requires all
counties and Baltimore City to operate an enhanced 911 system for both wired
and wireless services. The Office is responsible for administering the 911 Trust
Fund, which finances the operation, maintenance, and enhancement of 911
systems. The Fund is financed by a monthly fee paid by subscribers to their
service carriers. The monthly subscriber fee, which is included on customers’
bills, consists of a State fee of $.25 per subscriber and a local fee of up to $.75 per
subscriber. Carriers are required to report activity and remit collections monthly
to the Comptroller of the Treasury for deposit to the 911 Trust Fund. The
Comptroller forwards these activity reports to the Office.
Recommendation 4
We recommend that the Office establish procedures to verify that all fees
collected by service carriers for the 911 Trust Fund, including those received
since October 1, 2003 if practicable, were subsequently remitted.

Criminal Justice Information System Cash Receipts
Finding 5
Adequate controls were not established over the Criminal Justice
Information System (CJIS) collections.
Analysis
Adequate controls were not established over collections, such as for criminal
background and fingerprint checks, received at the CJIS office. According to the
Office’s records, collections at this location totaled approximately $2.7 million
during fiscal year 2006. Specifically, we noted the following conditions:
•

Independent verifications were not performed to ensure that amounts collected
and recorded were subsequently deposited.

•

Employees who recorded collections on the automated system had the
capability to void transactions without obtaining documented supervisory
approval.

13

•

The employee who initiated and recorded non-cash credit adjustments to the
accounts receivable records also had access to the related cash receipts.

As a result of these conditions, receipts could be misappropriated without
detection.
Recommendation 5
We recommend that an employee independent of the CJIS cash receipts
function verify that all collections are subsequently deposited by agreeing the
amounts recorded on the initial source documents to deposit documentation
provided by the bank. In addition, we recommend that voided transactions
be reviewed and approved by supervisory personnel and that this review be
documented and retained for future verification. Finally, we recommend
that the employee who initiates and records the non-cash credit adjustments
to the accounts receivable records not have access to the related cash
receipts. We advised the Office on accomplishing the necessary separation of
duties using existing personnel.

Accounts Receivable
Finding 6
Non-cash credit transactions were not always properly supported.
Analysis
The Office did not always maintain adequate documentation to support non-cash
credit transactions. Our test of 10 non-cash credit transactions totaling $119,084
disclosed that, for 6 transactions totaling $76,597, the Office was not able to
locate any documentation to support the propriety of the related transaction.
These accounts receivable were primarily related to billings for services provided
by the Office’s data center to various State and local law enforcement and
criminal justice agencies. According to the State’s accounting records, during the
period from May 2003 through April 2006, non-cash credits processed by the
Office for these accounts receivable totaled approximately $1.4 million.
Recommendation 6
We recommend that the Office maintain adequate documentation to support
the non-cash credit transactions.

14

Fingerprint Database Security
Finding 7
Controls over the deletion of fingerprint images in the Maryland Automated
Fingerprint System (MAFIS) need improvement.
Analysis
Five accounts assigned to current users had authority to delete fingerprint images
in the MAFIS Database Management System and did not require this capability.
Furthermore, reports of fingerprint deletions were not generated for subsequent
review by supervisory personnel. Consequently, there was a lack of assurance
that the fingerprint images deleted were authorized for deletion by management.
DBM’s Information Technology Security Policy and Standards states that State
agencies must establish adequate access controls. The Policy and Standards
further requires that agencies ensure that all systems have the ability to log and
report specific actions (such as deletions) to data produced by information
technology systems, and this capability must be enabled at all times.
The Office, through its Information Technology and Communication Division
(ITCD), receives automated management information services and criminal
history record information which is used by the Department of Public Safety and
Correctional Services (DPSCS) and other criminal justice agencies in the State.
The ITCD supports several critical applications, such as MAFIS.
Recommendation 7
We recommend that the Office comply with DBM’s Information Technology
Security Policy and Standards and restrict the capability to delete fingerprint
images to only those users who require such access to perform their job
duties. We also recommend that reports of deleted fingerprint images be
regularly generated and that these reports be subject to a documented
supervisory review to ensure that all fingerprint image deletions are
appropriate and authorized by management.

15

Corporate Purchasing Cards
Finding 8
Sufficient controls were not established over corporate purchasing cards.
Analysis
The Office, which is responsible for coordinating the corporate purchasing card
program for all units of DPSCS, did not exercise sufficient control over the
assignment and use of DPSCS corporate purchasing cards. According to the
records of the State’s credit card bank, as of April 2006, there were 229 active
corporate purchasing cards throughout DPSCS. In addition, the corporate
purchasing card expenditures for all DPSCS units, according to the State’s
accounting records, totaled $9.7 million for the period from July 2005 to April
2006. Specifically, we noted the following conditions:
•

Our test of the corporate cardholder agreements for eight Office employees
disclosed that four were not approved by the Office’s procurement card
program administrator (PCPA), as required.

•

The Office did not maintain a current list of cards issued to DPSCS
employees, as required. Consequently, there was no assurance that active
purchasing cards were only held by current employees. During two recentlycompleted audits of DPCSC units, we reported that 8 employees’ cards
remained active for periods ranging from 2 to 12 months after their
employment was terminated.

•

Two units of the Office did not use the required monthly activity logs, which
are to be used to record and approve purchases made. Consequently, there
were no documented approvals for purchases made by unit personnel. During
the period from July 2005 through April 2006, the corporate purchasing card
expenditures for these two units, according to the State’s accounting records,
totaled approximately $700,000.

The Comptroller of the Treasury’s Corporate Purchasing Card Program Policy
and Procedures Manual requires that the PCPA complete and sign the applicable
cardholder agreement form. Furthermore, the Manual requires each agency to
maintain a current list of cards issued and to promptly cancel cards upon the
termination of the employee. Finally, the Manual requires cardholders to

16

maintain an activity log and the cardholder’s immediate supervisor must certify
the accuracy and completeness of the log by signing and dating the log.
Recommendation 8
We recommend that the Office comply with the provisions of the
aforementioned Manual. Specifically, we recommend that the Office ensure
that cardholder agreements are approved by the PCPA. We also recommend
that the Office maintain a current list of cards issued and ensure that cards
are only held by current employees. Finally, we recommend that activity logs
be maintained by all units to ensure that purchases have been reviewed and
approved by supervisory personnel.

Equipment
Finding 9
Proper controls were not established over the Office’s capital equipment.
Analysis
Record keeping and physical inventory procedures at the Office’s ITCD were not
in compliance with certain provisions of the Department of General Services’
(DGS) Inventory Control Manual. According to the Office’s records, as of June
30, 2006, the book value of ITCD’s equipment totaled approximately $45 million,
and consisted of computer-related equipment for all units of DPSCS. Our review
disclosed the following conditions:
•

The control account for the computer-related equipment was posted from the
same source data used to post the detail records. However, because the
control account was based on the same source data as the detail records and
was not reconciled to independent records, it did not provide for control over
amounts recorded in the detail records.

•

Although the Office conducted physical inventories of ITCD’s equipment
items during the audit period, the results of such inventories were not
reconciled to the related detail records. For example, the inventory of ITCD’s
computer-related equipment conducted in April 2006 had not been reconciled
to the related detail records as of October 2006. A similar condition was
commented upon in our preceding audit report.

DGS’ Inventory Control Manual requires the maintenance of a control account
independent of the detail records, and a periodic reconciliation of the control

17

account to the detail records, which should be approved. The Manual also
requires that a complete physical inventory of sensitive capital equipment (such as
computer equipment) be conducted at least annually, that the results of the
physical inventories be reconciled to the related detail records, and that the related
differences be investigated and resolved.
Recommendation 9
We again recommend that the Office comply with the aforementioned
requirements of the Inventory Control Manual.

18

Audit Scope, Objectives, and Methodology
We have audited the following units of the Department of Public Safety and
Correctional Services (DPSCS) for the period beginning May 28, 2003 and
ending June 30, 2006:
Office of the Secretary (including the 911 Trust Fund)
Maryland Parole Commission
Inmate Grievance Office
Police and Correctional Training Commission
Maryland Commission on Correctional Standards
Division of Correction - Headquarters
Our audit was conducted in accordance with generally accepted government
auditing standards.
As prescribed by State Government Article, Section 2-1221 of the Annotated
Code of Maryland, the objectives of this audit were to examine the Office’s
financial transactions, records and internal controls, and to evaluate its
compliance with applicable State laws, rules and regulations. We also determined
the current status of the findings included in our preceding audit report.
In planning and conducting our audit, we focused on the major financial-related
areas of operations based on assessments of materiality and risk. Our audit
procedures included inquiries of appropriate personnel, inspections of documents
and records, and observations of the Office’s operations. We also tested
transactions and performed other auditing procedures that we considered
necessary to achieve our objectives. Data provided in this report for background
or informational purposes were deemed reasonable, but were not independently
verified.
Our audit included various support services (such as payroll, purchasing,
maintenance of accounting records and related fiscal functions) provided by the
Office on a centralized basis for two other DPSCS units, the Division of Parole
and Probation and the Criminal Injuries Compensation Board, which are audited
separately. Our audit did not include the computer operations of DPSCS’s
Information Technology and Communications Division, which will be the subject
of a separate audit and result in the issuance of a separate audit report of the data
center.

19

Our audit scope was limited with respect to the Office’s cash transactions because
the Office of the State Treasurer was unable to reconcile the State’s main bank
accounts during the audit period. Due to this condition, we were unable to
determine, with reasonable assurance, that all Office cash transactions were
accounted for and properly recorded on the related State accounting records as
well as the banks’ records.
The Office’s management is responsible for establishing and maintaining
effective internal control. Internal control is a process designed to provide
reasonable assurance that objectives pertaining to the reliability of financial
records, effectiveness and efficiency of operations including safeguarding of
assets, and compliance with applicable laws, rules and regulations are achieved.
Because of inherent limitations in internal control, errors or fraud may
nevertheless occur and not be detected. Also, projections of any evaluation of
internal control to future periods are subject to the risk that conditions may
change or compliance with policies and procedures may deteriorate.
Our reports are designed to assist the Maryland General Assembly in exercising
its legislative oversight function and to provide constructive recommendations for
improving State operations. As a result, our reports generally do not address
activities we reviewed that are functioning properly.
This report includes findings relating to conditions that we consider to be
significant deficiencies in the design or operation of internal control that could
adversely affect the Office’s ability to maintain reliable financial records, operate
effectively and efficiently, and/or comply with applicable laws, rules and
regulations. Our report also includes findings regarding significant instances of
noncompliance with applicable laws, rules or regulations. Other less significant
findings were communicated to the Office that did not warrant inclusion in this
report.
The Office’s response to our findings and recommendations is included as an
appendix to this report. As prescribed in the State Government Article, Section 21224 of the annotated Code of Maryland, we will advise the Office regarding the
results of our review of its response.

20

APPENDIX
Department of Public Safety and Correctional Services
Office of the Secretary
300 E. JOPPA ROAD • SUITE 1000 • TOWSON, MARYLAND 21286-3020
(410) 339-5000 • FAX (410) 339-4240 • TOLL FREE (877) 379-8636 • V/TTY (800) 735-2258 • www.dpscs.state.md.us

February 14, 2007

STATE OF MARYLAND
MARTIN O’MALLEY
GOVERNOR
ANTHONY G. BROWN
LT. GOVERNOR
GARY D. MAYNARD
ACTING SECRETARY
G. LAWRENCE FRANKLIN
DEPUTY SECRETARY
MARY L. LIVERS, PH.D.
DEPUTY SECRETARY

DIVISION OF CORRECTION
DIVISION OF PAROLE AND
PROBATION
DIVISION OF PRETRIAL
DETENTION AND SERVICES
PATUXENT INSTITUTION
MARYLAND COMMISSION
ON CORRECTIONAL
STANDARDS
CORRECTIONAL TRAINING
COMMISSION
POLICE TRAINING
COMMISSION
MARYLAND PAROLE
COMMISSION
CRIMINAL INJURIES
COMPENSATION BOARD
EMERGENCY NUMBER
SYSTEMS BOARD
SUNDRY CLAIMS BOARD
INMATE GRIEVANCE OFFICE

Mr. Bruce A. Myers, CPA
Legislative Auditor
Office of Legislative Audits
Room 1202
301 West Preston Street
Baltimore, Maryland 21201
Dear Mr. Myers:
The Department of Public Safety and Correctional Services has reviewed the
draft audit report dated February 2007 for the Office of the Secretary and Other
Units for the period beginning May 28, 2003, and ending June 30, 2006. The
Department appreciates the constructive recommendations that were made as the
result of this audit. Be assured that appropriate corrective actions have been or will
be implemented to ensure full compliance with each agreed upon recommendation.
The Department will continue to strive for excellence, and I am pleased that
our commitment to the elimination of repeat audit findings is demonstrated in this
report. For example, your review of the seven audit findings contained in the
Department's preceding audit report reveals that the Department has satisfactorily
addressed six of those findings.
Below please find the Office of the Secretary's itemized responses that address
the report’s audit findings and recommendations:

INMATE HEALTH SERVICES CONTRACTS
Finding # 1 - The Office did not adequately review contractor invoices to ensure that
only appropriate payments were made.
We agree in part, disagree in part. The Office will verify the propriety of
contractor invoices for inmate health services to ensure that the payments are accurate
and within the terms of the applicable contract. These reviews will include a
verification of the propriety of rates and the reasonableness of the hours being billed.
In addition, the Office will complete those reviews and recover any overpayments
identified in a timely manner.

-2-

However, Section 15-103 of the State Finance and Procurement Article of the
Annotated Code of Maryland requires all invoices to be paid within 30 days, and the
Comptroller’s Accounting Procedures Manual requires that invoices be submitted to
the General Accounting Division for payment within 25 days of receipt of the
invoice. Due to the size and complexity of contractor invoices for inmate health
services, the Office would be unable to conduct a thorough review of these invoices
within the available time frame prior to payment.
Finding # 2 - The Office reimbursed contractors for items purchased without
ensuring that the items had been received.
We agree. The Office will ensure that documentation supporting the receipt of goods
will be obtained to support the validity of payment and retained for audit purposes.
Finding # 3 - The Office had not ensured that contractors complied with contract
provisions for identifying third party payments.
We agree. The Office will contact the contractors providing inmate health services
and determine whether the contractors have established a system to identify and
collect potential third-party payments for medical services rendered to inmates as
required by the contract. In addition, the Office will require the contractors to submit
the required quarterly reports detailing all third-party payments. That said, and as
reflected in the JCR submitted by the Department on October 1, 2006,
institutionalized persons do not qualify for federal financial participation in Medicaid.
911 TRUST FUND
Finding # 4 - The Office had not established procedures to verify that all 911 Trust
Fund fees collected by the service carriers were remitted to the State.
We agree. The Office will establish procedures to ensure that all fees collected by
the providers on behalf of the 911 Trust Fund were subsequently remitted. To this
end, the Office has contracted with a consultant for assistance in determining the
feasibility of auditing surcharge collections and remittances received since October 1,
2003.
CRIMINAL JUSTICE INFORMATION SYSTEM CASH RECEIPTS
Finding # 5 - Adequate controls were not established over the Criminal Justice
Information System (CJIS) collections.
We agree. An employee independent of the CJIS cash receipt function will verify
that all collections are subsequently deposited by agreeing the amounts recorded on

-3the initial source documents to deposit documentation provided by the bank. In
addition, voided transactions will be reviewed and approved by supervisory
personnel, and this review will be documented and retained for future verification.
Furthermore, the employee who initiates and records the non-cash credit adjustments
to the accounts receivable records will not have access to the related cash receipts.

Accounts Receivable
Finding # 6 - Non-cash credit transactions were not always properly supported.
We agree. The Office will establish procedures to ensure that non-cash credit
transactions are reviewed and approved by supervisory personnel and the related
documentation is retained for verification purposes.

Fingerprint Database Security
Finding # 7 - Controls over the deletion of fingerprint images in the Maryland
Automated Fingerprint System (MAFIS) need improvement.
We agree. The Office will comply with DBM’s Information Technology Security
Policy and Standards and restrict the capability to delete fingerprint records to only
those users that require such access to perform their jobs. Additionally, the Office
will work with their MAFIS vendor (Sagem Morpho) to generate reports of deleted
fingerprint records and subject these reports to a supervisory review to ensure that all
fingerprint record deletions are appropriate and authorized by management. Finally,
the deletion report reviews by management will be documented and retained for
subsequent audit verification.

Corporate Purchasing Cards
Finding # 8 - Sufficient controls were not established over corporate purchasing
cards.
We agree. The Office will comply with the provisions of the Comptroller of the
Treasury’s Corporate Purchasing Card Program Policy and Procedures Manual.
Specifically, the Office will ensure that cardholder agreements are approved by the
procurement card program administrator. The Office will also maintain a current list
of cards issued and ensure that cards are only held by current employees. Finally,
activity logs will be maintained by all units to ensure that purchases have been
reviewed and approved by supervisory personnel.

- 4-

Equipment
Finding # 9 - Proper controls were not established over the Office's capital
equipment.

We agree. The Office will comply with the requirements of the Department of
General Services' Inventory Control Manual.
I trust that these responses adequately address the findings and
recommendations in the draft audit report. If you have any questions regarding the
Department's responses, please contact me.

Icer~IY,

~.Maynard
Acting Secretary

c:

G. Lawrence Franklin, Deputy Secretary for Administration
Mary L. Livers, Ph.D., Deputy Secretary for Operations
David N. Bezanson, Assistant Secretary for Property Services
Richard Rosenblatt, Assistant Secretary for Treatment Services
Barbara Alunans, Acting Chief of Staff
Susan D. Dooley, Director of Financial Services
Walt Wirsching, Director, Office of Inmate Health Seryices
Ronald Brothers, Chief Information Officer
Gordon Deans, Executive Director, Emergency Number Systems Board
John Hergenroeder, Director of Property Management Services
RJ. Said-Pompey, Director of Procurement
Joseph M. Perry, Inspector General

AUDIT TEAM
James P. Shevock, CPA
Audit Manager
A. Jerome Sokol, CPA
Information Systems Audit Manager
William R. Smith, CPA
Senior Auditor
Richard L. Carter, CISA
Information Systems Senior Auditor
R. Frank Abel, CPA, CFE
Susanne M. Bramowski
Ken H. Johanning
Elaine D. Kagan
Tracey D. Mayet
Staff Auditors
David J. Burger
Information Systems Staff Auditor