HomeMy WebLinkAboutAudit Reports - Public - Technology and Technology Projects Fund Audit - 6/15/2018r&F
GLE City Auditor's Office Memorandum
Date:
June 15, 2018
To:
Kevin R. Phelps, City Manager
From:
Candace MacLeod, City Auditor
Subject:
Technology & Technology Projects Fund Audit
As part of the FYI approved audit plan, the City Auditor's Office completed an audit
of the Technology Fund and Technology Projects Fund that are managed by the
Innovation and Technology (IT) Department in January 2018. The audit report includes
20 recommendations to strengthen controls. Management concurred with all of the
recommendations and has developed action plans to address them by December 31,
2018.
Risks identified in the audit include:
• Annual inventories of technology equipment were not completed by 15% of City
departments and physical counts are performed in single custody.
• Periodic counts of City telephones are not performed to verify the accuracy of
Citywide telephone cost allocations and ensure the City is not paying for unused
phones.
• Testing identified 32 employees with multiple desktops, laptops, and/or tablets
assigned to them without a documented business reason.
• A Citywide meal policy has not been developed and $1,003 in meal expenses were
charged to the recently established Technoloav Proiects Fund.
• Performance measures have not been established for hardware deployments and
the Telephone and Technology Replacement divisions.
We would like to extend our appreciation to the staff that assisted us throughout this
audit.
cc: Michael D. Bailey, City Attorney
Lisette Camacho, Assistant Director of Budget and Finance
Tom Duensing, Assistant City Manager
Jack Friedline, Assistant City Manager
Craig Johnson, Director of Water Services
Chuck Murphy, Director of Innovation and Technology
Vicki Rios, Director of Budget and Finance
GLEE
City Auditor's Office
Technology and Technology Projects Fund
January 2018
(Redacted)
5850 West Glendale Avenue I Glendale, AZ 85301
Introduction
As part of the FY18 approved audit plan, the City Auditor's Office conducted an audit
of the Technology Fund and Technology Projects Fund, which are managed by the
Innovation and Technology (IT) Department, which has 30 FTEs.
The Technology Fund is used to track income and expenses of the internal services
provided to City departments for telephone services, information technology services,
and support. It specifically supports all the City's computers, hardware, and software.
This includes both the everyday operations of the IT Department and the replacement
of technology equipment. City departments pay for these services through a
chargeback that is allocated through either device or FTE counts. The funds are
designed to balance, with the rates (revenues) set to recover the actual expenses
each year.
The Technology Projects Fund tracks income and expenses for significant technology
projects. These projects are typically funded by individual departments through budget
supplementals that are approved by City Council.
Table 1 summarizes the revenues and expenses for the Technology Fund and the
Technology Projects Fund for the last three fiscal years:
Table 1 - Technology Fund and Technology Projects Fund Revenue and Expenses
FY
Division
Revenues
Expenses
2017
Telephones
$1,148,580
$1,083,539
Technology Replacement
$6,038,362
$1,333,245
Information Technology
$4,811,342
Technology Projects
$1,427,225
$917,177
2017 Totals
$8,614,167
$8,145,303
2016
Telephones
$1,137,136
$1,167,391
Technology Replacement
$2,899,142
$2,788,892
Information Technology
$2,694,866
$2,507,793
Technology Projects
$3,234,800
$747,240
2016 Totals
$9,965,944
$7,211,316
2015
Telephones
$678,174*
$1,069,457
Technology Replacement
$40,910*
$2,848,004
F- 2015 Totals
1 $719,084
$3,917,461
* Chargebacks allocated to City departments were reinstated in FY2016.
Purpose and Objectives
The purpose of the audit was to determine whether controls over the Technology Fund
and Technology Projects Fund were appropriate, whether the associated chargebacks
City Auditor's Office 1 Technology & Technology Projects Funds
were allocated to City departments in an equitable and appropriate manner, and
whether the Funds operated in an efficient and effective manner.
Scope and Methodology
The scope of the audit was July 1, 2016 to November 30, 2017. To gain an
understanding of the processes, policies, and procedures, we interviewed staff from IT,
Budget and Finance, Water Services, and various City department where test work was
performed. We also reviewed various documents including:
• Budgets and financial reports
• Chargeback allocation spreadsheets
• Procurement card statements
• TRF inventory listings
• Vendor contracts and invoices
Observations, Recommendations and Management Responses
Our testing identified the following observations:
City Auditor's Office 2 Technology & Technology Projects Funds
Recommendations
Management's Response
City Auditor's Office 3 Technology & Technology Projects Funds
Useful Life of Technology:
• While IT has determined what the typical useful life for technology equipment is and
uses this for anticipating replacement needs, it has not formally documented
equipment's useful life in a policy
Recommendations
2.1
2.2
The City Manager's Office, in conjunction with IT, develop an IT Governance Policy
and Charter for the IT Steering Committee, and governance policies for the
Management's Response
2.1 Concur. IT has developed a document that contains IT Steering Committee bylaws
and procedures for IT project governance that is currently under review by the City
Manager's Office. The document will be ratified upon completion of this review. IT
City Auditor's Office 4 Technology & Technology Projects Funds
has also modified the IT Internal Service Funds Policy to include telephones. This
should be completed by June 30, 2018.
2.2 Concur: IT has updated its data classification policy that will include the use of any
computer or storage device used in the City.
3) Annual inventories of technology equipment were not completed by 15% of City
departments and physical counts are performed in single custody.
In accordance with the IT Department's Technology Replacement Fund (TRF)
Procedure, IT provides City departments with an annual report itemizing their assets
included in the Technology Replacement Fund (TRF) hardware inventory. IT requests
that City departments review the report, compare asset tags and/or serial numbers
listed on the report to their assets on hand, and note any changes or discrepancies. This
information is used to update IT's TRF hardware inventory. Accurate inventory
information is critical, as this inventory review and the resulting device counts are the
basis for the PC Replacement Chargeback charged to City departments through the
allocation model developed by the Budget and Finance Department.
However, the (TRF) Procedure does not require staff to perform asset inspections in dual
custody or department heads sign off on the results of the inspections. Furthermore, final
inventory results are not summarized or provided to management for review. If a
department indicates to IT that an asset on the report was disposed of during the year
through the Materials Control Warehouse, IT will change an asset's status from active to
disposed in the TRF hardware inventory without requiring any further evidence, such as
a copy of an approved surplus property disposal form.
Auditors reviewed department asset listings returned to IT and noted the following:
• In FYI 7, 5 of 33 (15%) departments did not return their completed inventory results
back to IT for assets costing $2.527 million.
• In FYI 8, 4 of 27 (15%) departments did not return their completed inventory results
back to IT for assets costing $1.998 million.
• IT was unable to provide surplus property disposal forms for 4 of 9 departmental
requests to remove assets from their inventory listings. The departments were also
unable to provide copies of the forms.
• In FYI 7, one technology asset was reported as stolen from the Community Services
Department. The Department followed City protocol for reporting the stolen asset.
The auditors also requested a list of employees with the ability to change an asset's
status to disposed in IT's ServiceDesk Plus system. The list provided by IT included 23
City Auditor's Office 5 Technology & Technology Projects Funds
Recommendations
3.1 IT review and update the TRF Procedure to ensure that physical inventories are
performed in dual custody and the final department inventory results are reviewed
by a department head.
3.2 IT, in conjunction with the City Manager's Officer, develop controls to ensure all
departments return their inventory reports by the designated due dates.
3.3 IT require departments to provide a copy of the surplus property disposal form prior
to deleting assets when the assets disposals are not performed through IT.
3.4 IT prepare management reports on the results of annual IT inventory counts.
3.5 IT generate and review audit logs of deleted assets and continually monitor
access to the asset management system to ensure only those employees have
authority to delete assets based on their job duties.
Management's Response
3.1 Concur. IT has updated it's TRF procedure (Section TRF Hardware Inventory).
3.2 Concur. IT will work with the City Manager's Office to develop a system to ensure
department inventories are returned. IT will generate a report indicating which
departments are non-responsive for follow-up by the City Manager's Office.
3.3 Concur. IT has updated it's TRF procedure (Section TRF Hardware Inventory).
3.4 Concur. IT staff will create a summary report of returned inventory and any
discrepancies for IT management on an annual basis. This should be completed by
December 31, 2018.
3.5 Concur. IT will make adjustments to the TRF database that will report if an asset has
been deleted, to include who deleted it and when. In addition, we are removing
the ability to delete anything in the TRF database unless authorized by the CIO or
Deputy CIO. IT will review access to the asset management system on an annual
basis. This should be completed by August 30, 2018.
4) Periodic counts of City telephones are not performed to verify the accuracy of
telephone charges allocated to City departments and ensure the City is not paying for
unused phones.
The City implemented a new ShoreTel telephone sstem in FYI 6. The City _jja s an
annual service charge of $123,876, over a 5 -
year period at a cost of $217,000 annually. IT has assigned one FTE to manage City
telephones, which is paid out of the Telephone division (18400). Telephone expenses
are allocated to City departments through a monthly chargeback that is based on the
departments' telephone count. The FYI allocation model reported there were 2,036
City telephones and 1,771 FTEs. The total estimated FYI chargeback was $1.152 million,
including $840,384 for services charges, $217,000 for hardware upgrades, and $94,890
for overhead.
City Auditor's Office 6 Technology & Technology Projects Funds
The IT Department does not perform, or require City departments to perform, physical
counts of telephones. Auditors reviewed four departments or divisions with telephone
counts larger than their FTE counts, including Water Services, Public Affairs, the Library
Division within Community Services, and the Recreation Administration and Events
Division and Foothill Recreation Center Division within Public Facilities, Recreation &
Special Events. Based on our inquiry and analysis with the departments, we noted the
following:
None of the four departments could provide a listing of telephones that agreed to
the FYI model used allocate telephone charges. Two departments could only
provide a listing of telephone lines rather than telephones.
The listings of phone extensions or telephones provided by the departments
indicated that there were multiple vacant or unassigned extensions or telephones,
including 7 of 48 telephones listed for Public Affairs and 12 of 136 phone extensions
listed for the Library division within the Community Services Department. A vacant or
unassigned telephone costs the City approximately $2 per month in service and
maintenance costs.
In addition to the 2,036 telephones, the City currently has 367 employees who receive a
cell phone stipend, and approximately 572 employees with a City -owned mobile
device.
Recommendations
4.2 The City Manager's Office, in conjunction with IT, evaluate the job-related
technology needs of employees, including whether they are in receipt of a
stipend or City -issued device, prior to the assignment of a telephone.
Management's Response
4.2 Concur. The City Manager's Office, in conjunction with IT, will develop a process to
evaluate the job-related technology needs of employees, including whether they
are in receipt of a stipend or City -issued device, prior to the assignment of a
telephone.
City Auditor's Office 7 Technology & Technology Projects Funds
5) Testing identified 32 employees with multiple desktops, laptops, and/or tablets
assigned to them without a documented business reason.
The IT Department's Technology Replacement Fund Procedure (effective March 31,
2017) states that employees shall have either a desktop PC or a laptop with a docking
station, but are not permitted to have both. IT is enforcing this procedure prospectively,
and is not recovering assets that are already deployed. Instead, these assets will be
removed through attrition based on their scheduled lifecycle.
IT provided the auditors with a list of employees assigned multiple technology assets.
Based on our review, we identified 32 users from 14 departments that had multiple
assets assigned to them including desktops, laptops, and/or tablets as summarized in
Table 2.
Table 2 - Employees with Multiple Technology Assets
Number and type of assigned assets
Number of users
Acquisition cost of
assigned assets
1 Desktop, 1 la to , and 1 tablet
1
$4,524
1 Desktop and 1 laptop
24
$62,852
2 Desktops and 1 laptop
1
$3,719
1 Desktop and 2 laptops
1
$3,829
Laptop and tablet
1
$3,412
Two desktops
2
$4,811
Two laptops
2
$6,694
Totals 1
32
1 $89,841
Prior to the implementation of the Technology Replacement Fund Procedure, IT did not
require departments to justify why employees needed multiple technology assets.
Potential Risk: Moderate - Users having multiple technology assets with redundant
functionality results in unnecessary costs to the City.
Recommendations
5.1 IT monitor future requests for new or replacement technology equipment to ensure
users are not issued multiple assets with redundant functionality, unless it is justified
in writing and approved by IT management.
Management's Response
5.1 Concur: The TRF Procedure has been updated: See Section (New Asset/Software
Acquisition). Several of the identified dual computer scenarios are testing
computers used within IT.
City Auditor's Office 8 Technology & Technology Projects Funds
6) Procurement card statements were approved late, receipts were not signed, and
attendees' names were not documented for meals.
The City's Procurement (P -Card) Policy requires that:
• Monthly statements be printed within three working days of the end of the billing
cycle
• Procurement Card Statement Checklists be prepared by the cardholder and
approved by the cardholder's supervisor by the last working day of the month
• Supervisors approve and sign the Procurement Card Statement Checklist within
three working days of its completion
• Meal purchases include the attendees' names and a description of the business
purpose
• Itemized cash register receipts be signed by the cardholder
Auditors reviewed 20 P -Card purchases made for the period June 14, 2016 to October
13, 2017 totaling $34,233 from the Telephones, Technology Replacement, and
Information Technology divisions, and the Technology Projects Fund. Four additional
meal receipts were reviewed. The following was noted:
Printing and Approval of Statements by IT
• For 16 of the 20 purchases reviewed, the monthly statements were printed 4 to 17
days after the end of the statement period.
• For 12 of the 20 purchases reviewed, the Procurement Card Statement Checklist
was prepared 2 to 88 days after the end of the calendar month.
• For 5 of the 20 purchases reviewed, the Procurement Card Statement Checklist was
approved 25 to 28 days after it was prepared.
Meals
• One $44 meal purchase charged to the Information Technology division by IT for IT
staff did not include a list of attendees.
• The Technology Projects Fund was established in FY16 to track income and expenses
related to significant technology projects undertaken by the City. Five meals
totaling $1,003 for City employees and an external consultant during ERP
demonstrations were charged to the Technology Projects Fund by Budget and
Finance. None of the meals included a list of attendees. Additionally, credit card
receipts were not signed by the cardholder and the amount of one receipt did not
agree to the credit card statement. The difference related to a tip amount.
Furthermore, there is no Citywide meal policy that establishes guidelines for eligibility
and payment of expenditures out of City funds for meals not related to travel.
Potential Risk: Moderate - Untimely review of P -Card charges increases the risk of misuse
or that errors go undetected.
City Auditor's Office 9 Technology & Technology Projects Funds
Recommendations
6.1 Budget and Finance enhance controls to ensure attendees' names are
documented for meal purchases, credit card receipts are signed by the
cardholder, and receipts match credit card statements, as required by policy, and
train staff.
6.2 Budget and Finance develop a City-wide meal policy.
6.3 IT enhance controls to ensure P -Card statements and reports are printed and
reviewed in accordance with policy and train staff.
Management's Response
6.1 Concur. Budget and Finance will review P -Card policy and procedures with
cardholders and approvers in the Finance Department by June 30, 2018.
6.2 Concur. Budget and Finance will work with the City Manager's Office to develop
a City-wide food and meal policy by September 30, 2018.
6.3 Concur: IT staff have reviewed the P -Card manual in its entirety and have been
trained on month end processes, including printing reports and acquiring
signatures. IT recommends that Finance review and update the P -Card manual.
Currently, account statements are required to be printed within 3 business days of
period close. It takes 5-7 business days for P -Card transactions to post. Printing the
statement 1-3 business days after period close renders them incomplete and
inaccurate.
7) Testing identified one Technology Fund charge that did not agree with the contract
price sheet and another that could not be verified since the underlying contract was
not retained.
The accuracy of prices on invoices should be verified against supporting
documentation including contracts and price sheets. Additionally, supporting
documentation associated with a procurement, including the underlying contracts for
linking agreements, should be retained for future reference in accordance with City's
record retention schedules.
Auditors selected and reviewed a sample of 30 purchases made from the Technology
Fund and the Technology Projects Fund and noted the following:
• A $200 charge on one invoice for phone analysis and design services was not on the
price sheet for the associated contract. Although IT obtained a quote for the
services, Procurement indicated that a contract amendment should be been
completed to include the additional services.
• A $219,931 charge on one vendor invoice for the renewal of Microsoft software
licenses could not be verified by the auditors as the City's linking agreement did not
include a copy of the underlying contract. Neither IT nor Procurement retained a
copy of the underlying contract.
City Auditor's Office 10 Technology & Technology Projects Funds
Potential Risk: Moderate - Not verifying charges against the contract's price sheet
could result in the City being overcharged for services or billed for services that were
not approved by the contract. Terms of the contract cannot be verified if underlying
contract records are not retained for backup purposes.
Recommendations
7.1 IT verify that charges on invoices agree with the contract's price sheet and amend
contracts, when necessary, to include additional services not included on the
price sheet.
7.2 Budget and Finance develop a written procedure to address how underlying
contracts are retained and incorporated into City linking agreements, and train
staff.
Management's Response
7.1 Concur. Issues with missing/inaccurate price sheets have been mitigated through
iterations of the Attorney's Office requirements for new Professional Service
Agreements and Linking Agreements.
7.2 Concur. Budget and Finance will review existing procurement policies and
procedures, and if necessary, will develop written procedures to address how
underlying contracts are retained and incorporated into City linking agreements,
and train staff by September 30, 2018.
City Auditor's Office 11 Technology & Technology Projects Funds
Recommendations
Management's Response
9) Performance measures for City hardware deployments have not been established.
The IT Department has established service level agreement (SLA) metrics to monitor the
quality and efficiency of the service it provides to City users. These metrics require a
response time based on the priority level of a user request. The priority level and the
corresponding response times are summarized in Table 3:
Table 3 - SLA Priority Levels and Response Times
Priority Level
Response Time
Critical
2 hours
High
3 hours
Medium
3 Days
Low
10 Days
However, according to IT staff, these metrics are not applicable to hardware
deployments. IT has not developed and documented performance measures for City-
wide hardware deployments. The Department currently has eight employees involved
in various processes of technology replacement, including financial analysis,
replacement determinations, and the removal and deployment of technology
equipment.
Based on a review of 25 City hardware deployments, auditors noted the following:
The days between the request for new hardware being received and the
assignment to a Service Desk technician ranged from 0 and 72 days and averaged
16 days.
The days between the assignment to a Service Desk technician and the hardware
deployment ranged from 0 and 50 days and averaged 9 days.
The total days between a request for new hardware being received and the
hardware deployment ranged from 0 to 88 days and averaged 26 days.
City Auditor's Office 12 Technology & Technology Projects Funds
Potential Risk: Moderate - Without established performance measures, management
cannot effectively evaluate whether hardware deployments are completed in an
efficient and effective manner. Delayed hardware deployments may lead to
interruptions in users' productivity and reduced levels of customer service.
Recommendations
9.1 IT establish performance measures for City hardware deployments and monitor
the results.
Management's Response
9.1 Concur: IT has added a measure of 350 PC deployments per year, effective
starting in FY2019. This is now an official IT metric.
10) Performance measures have not been developed for the Telephones and Technology
Replacement divisions.
Prior to FY18, IT had an established goal, "Improve service levels", as summarized in
Table 4.
Table 4 - IT Performance Measures (Prior to FYI 8)
Performance Measure #1 - % City external website uptime
Description: Measures the public availability of the City's external website
Fiscal Year FY 16 FYI 7
Target 99.9% 99.9%
Actual 99.74% 99.88%
Performance Measure #2 - % of City desktop computer assets which have
exceeded their replacement date
Description: Measures the percentage of technology assets that have exceeded
their replacement date
Fiscal Year FY 16 FY 17
Target 50% 26.7%
Actual 41.5% 1 24.69%
In FY18, IT utilized software to track new metrics, and revised its performance measures,
as summarized in Table 5.
Table 5 - IT FY18 Performance Measures
Performance Measure #1: % Cityexternal website uptime
Description: Measures the public availability of the City's external website
Fiscal Year FY18
Target 99.9%
Actual * 99.89%
Performance Measure #2: Service Level Agreement SLA compliance
City Auditor's Office 13 Technology & Technology Projects Funds
Description: Measures IT's service response/resolution times as defined in their
Service Level Agreements SLA
Fiscal Year
FY 18
Target
90%
Actual *
92.05%
Performance Measure #3: First call resolution
Description: Measures IT's ability to resolve issues on the "first call"
reported to IT
when they are
Fiscal Year
FY 18
Target
85%
Actual *
98.77%
Performance Measure #4 - Customer satisfaction rating
Description: Measures the satisfaction level of IT's customer on aper
-ticket basis
Fiscal Year
FY 18
Target
4.5
Actual *
4.57
* Interim FY18 results provided by the IT Department
The Technology Fund, which includes the Telephone, Technology Replacement, and
Information Technology divisions, reported $7.2 million in expenditures, with over 4,200
assets and 30 FTEs. However, IT's current performance measures do not address the
performance and effectiveness of all components of the Technology Fund including
the Telephone and Technology Replacement divisions.
Potential Risk: Moderate - Without established performance measures, management is
not able to determine the effectiveness of the funds and whether they assist the City in
meeting its strategic goals and objectives.
Recommendations
10.1 IT establish performance measures for the Telephone and Technology
Replacement divisions.
Management's Response
10.1 Concur: IT has added a measure of 350 PC deployments per year, effective
starting in FY2019. This is now an official IT metric. Telephone service performance is
already being measured with our existing SLAs.
City Auditor's Office 14 Technology & Technology Projects Funds