HomeMy WebLinkAboutAudit Reports - Public - Public Records Law Compliance Internal Audit Report -
FINAL REPORT
City of Glendale
PUBLIC RECORDS LAW COMPLIANCE INTERNAL AUDIT REPORT
November 16, 2021
Moss Adams LLP
999 Third Avenue, Suite 2800
Seattle, WA 98104
(206) 302-6500
Public Records Law Compliance Internal Audit Report for the City of Glendale
Table of Contents
Executive Summary 1
A. Objectives 1
B. Conclusions 1
Detailed Report 3
A. Introduction 3
B. Background 3
C. Scope and Methodology 3
Findings and Recommendations 5
Process Improvement Opportunities 7
Appendix: Definitions of Audit Findings Rankings 8
Public Records Law Compliance Internal Audit Report for the City of Glendale | 1
EXECUTIVE SUMMARY
Moss Adams LLP (Moss Adams) was contracted by the City of Glendale (the City) to evaluate and
test internal controls related to the City’s public records law compliance, including validating the
completeness and recency of records retention schedules, sampling records to determine if they are
in compliance with state laws, reviewing the cycle time in completing public records requests,
comparing current policies to best practices, as well as identifying opportunities for process
improvement. We performed a variety of procedures to test internal controls and assess the public
records function, including testing samples of transmittal forms from various City departments to the
City Clerk’s Department Records Center (City Clerk’s Department) and public records requests. This
internal audit was limited in scope to the specific objectives defined below, and therefore, did not
cover additional public records risks that were identified throughout the course of the audit. These
additional risk areas should be considered as part of a future internal audit.
This engagement was performed in accordance with Standards for Consulting Services established
by the American Institute of Certified Public Accountants. Accordingly, we provide no opinion,
attestation, or other form of assurance with respect to our work or the information upon which our
work is based. This engagement was also performed consistent with the guidance issued by the
Institute of Internal Auditor’s (IIA’s) International Professional Practices Framework (IPPF). This
report was developed based on information gained from our interviews with City Clerk’s Department
staff and analysis of sample documentation. The procedures we performed do not constitute an
examination in accordance with generally accepted auditing standards or attestation standards.
Our objectives for this engagement were to:
Assess the City’s records retention schedule, and the related processes for identifying and
communicating changes, for compliance with state requirements
Test the internal controls and processes over the transfer of public records and the fulfilling of
public records requests for compliance with state requirements and the City’s policies and
procedures
Identify opportunities for improvement within the public records management function to ensure
compliance
The procedures and testing performed identified one area that requires improvement which is
highlighted below:
Public Records Law Compliance Internal Audit Report for the City of Glendale | 2
FINDING 1. RECORD MANAGEMENT POLICIES AND PROCEDURES – LOW RISK
Finding Comprehensive policies and procedures are not up-to-date and do not provide clear
instructions on the processes of records management.
Recommendation The City should update its records management policies and procedures to specifically
address and instruct on records management within the City Clerk’s Department and at
individual departments.
Although the focus of this internal audit was to identify opportunities for improvement, it is important to
note the areas that are operating well. The City should be commended for the following
accomplishments:
Comprehensive Trainings: In July 2021, the Records Program Manger delivered a
comprehensive training to City departments to ensure that departments understood their roles
and responsibilities with records management.
Records Retention Schedule: The City’s Record Retention Schedule was current and in
accordance with state laws.
Public Records Transmittals: A process was established and implemented to utilize Records
Center Transmittal Forms to document the transfer and location of City public records.
Public Records Requests: The City has implemented effective procedures for responding to
public records requests timely as well as ensuring appropriate approvals are obtained and
requests are responded to in compliance with state laws.
We would like to thank City staff and management for their time and efforts in assisting with this
internal audit.
Public Records Law Compliance Internal Audit Report for the City of Glendale | 3
DETAILED REPORT
Moss Adams was contracted by the City to perform an internal audit over public records law
compliance. Each City department is responsible for maintaining their own records. Additionally, the
City Clerk’s Department stores City department overflow and coordinates responses for public
records requests, excluding police and court records. This audit was focused on records that are
available to the public, which will be referred to throughout this report as “public records.” This internal
audit was performed as part of the Fiscal Year (FY) 2021 Annual Audit Plan developed by the City’s
Independent Internal Audit Program (IIAP). Our internal audit was performed between April 2021 and
October 2021.
The City Clerk’s Department is responsible for maintaining various departments’ public records and
working with City departments to obtain and fulfill public records requests. Additionally, many
departments transfer inactive records to the City Clerk’s Department for storage. The City leverages
Laserfiche to track the retention of electronic records.
Our objectives for this internal audit were related to the City’s processes and controls surrounding
public records and state law compliance. Specifically, the internal audit focused on the following
objectives:
Assess the City’s records retention schedule, and the related processes for identifying and
communicating changes, for compliance with state requirements
Test the internal controls and processes over the transfer of public records and the fulfilling of
public records requests for compliance with state requirements and the City’s policies and
procedures
Identify opportunities for improvement within the public records management function to ensure
compliance
In order to obtain an understanding of the City’s records management function, we conducted
interviews with City personnel specifically within the City Clerk’s Department, who have designated
responsibilities related to public records document retention and fulfilling public records requests. We
performed the following detailed testing procedures:
Public Records Transmittal and Location: To evaluate and test the City’s tracking of records
between various City departments and the City Clerk’s Department, we obtained a listing of all
records stored at the City Clerk’s Department as of the time of this audit. From this listing, we
selected a sample of 25 records for testing to determine whether the transmittal and location of
the records were properly documented. Specifically, we performed the following:
○ Evaluated whether a Records Center Transmittal Form was on file
Public Records Law Compliance Internal Audit Report for the City of Glendale | 4
○ Assessed whether the form appeared to be complete, with the necessary information, to
support the records transfer and location (e.g., documentation of change in custody, date of
transmittal, details of the items transferred, document location, and destruction dates)
Department Resources: We reviewed City policies, procedures, and training materials related to
records management to assess whether adequate resources were available to City departments
to comply with public records requirements. We also researched record retention best practices
to assess opportunities for improvements.
Public Records Requests: To evaluate whether public requests are being fulfilled in compliance
with state laws we performed the following tests:
○ Researched state laws and documented all applicable requirements
○ Obtained a list of all public records requests from January 1, 2021 through June 30, 2021,
and selected a haphazard and judgmental sample of 25 requests and performed the following
procedures:
− Compared the date each request was received to the date completed/fulfilled to
determine whether the request was responded to timely in compliance with state laws
− Determined whether inter-departmental approvals were documented
− Assessed whether the records were released in a timely manner
− Evaluated the results of the testing performed to determine whether current procedures
allow for the City to achieve compliance with state laws
− Assessed whether each request resulted in the City locating the requested documents,
signifying compliance with required location and storage requirements
Other Procedures: We performed the following detailed procedures to assess the City’s
compliance with best practices and state laws as it relates to records management:
○ Researched records management state law requirements
○ Assessed whether the City’s current Records Retention Schedule complied with state laws
and whether processes were established to communicate changes to affected departments in
a timely manner
○ Evaluated current City policies related to records management to determine whether roles
and responsibilities were clearly defined
As described above, our scope was focused specifically on the defined objectives that were
developed and included as part of the FY 2021 Annual Audit Plan. Given the defined scope, there
were additional concerns raised by City Clerk management that could not be addressed during this
internal audit. Given the additional concerns that were raised, an expanded scope internal audit
should be considered in the future that would cover the broader public records process and the
related risks, including conducting interviews with various departments throughout the City, outside of
the City Clerk, that are responsible for maintaining records.
Public Records Law Compliance Internal Audit Report for the City of Glendale | 5
FINDINGS AND RECOMMENDATIONS
1. Finding Comprehensive policies and procedures are not up-to-date and do not
provide clear instructions on the processes of records management.
Recommendation The City should update its records management policies and procedures
to specifically address and instruct on records management within the
City Clerk’s Department and at individual departments.
Condition: Formal documented policies and procedures covering all significant components of
records management are not in place. Currently, the City has guidelines on the intranet for
departments to use when carrying out certain functions related to records management. However, the
City Clerk’s Department, who is the overall custodian of records management, does not have written
policies and procedures in place to cover all of the key aspects and requirements related to the
records management function.
The City is currently working on an initiative to develop all policies and procedures needed; however,
it had not been completed at the time of this internal audit. In addition, the requirements and
responsibilities for completing the Records Center Transmittal Form are not documented in a formal
written policy. The City Clerks Department works directly with other departments to review the
transmittal forms prior to the acceptance by the City Clerk’s Department.
Criteria: Based off our review of best practices, including how other cities handle records
management, comprehensive documented policies and procedures that cover all key aspects of the
records management function, including related internal controls, defined roles and responsibilities,
and compliance with state laws, should be in place.
Cause: Formal policies and procedures are not updated to reflect the current records management
practices and systems used due to a lack of internal resources.
Effect: Without current policies and procedures to guide records management for the City, there is a
risk that internal control gaps would not be identified and a lack of accountability for certain records
management responsibilities could exist.
Recommendation: One of the primary purposes of an effective records management function is to
ensure that information is available when it is needed. To do this efficiently and thoroughly, records
must be identified, organized, and maintained for the requisite number of years, and then
documented when destroyed. Records management policies should be developed to specifically
define what employees at the department level are responsible for, as well as what City Clerk’s
Department, and assigned Records Custodians, are responsible for.
Complete catalogs of what is stored within individual departments and what is stored at public records
should exist and the two catalogs should complement one another.
Comprehensive policies and procedures should be developed that cover the following broad topics
and specific details:
Public Records Law Compliance Internal Audit Report for the City of Glendale | 6
Maintaining Records
Records Retention – Specifically addressing the City’s policies on whether the State Records
Retention Schedule is always applied, how policies are enforced and compliance is monitored,
and how changes are identified.
Records Custody – Specifically addressing the change in custody process, and required
documentation, and when records are transferred from individual City departments to the City
Clerk’s Department. The use of the Records Center Transmittal Form should be addressed and
responsibilities for documentation should be identified.
Public Records Requests – Specifically addressing the timeline, and related responsibilities
between City departments and the City Clerk’s Department, for ensuring that public records
requests are responded to in a timely manner and in accordance with state laws.
Records Inventory
Electronic Records Retention
Electronic Communication on Personal Devices
Destruction of Public Records – Specifically addressing responsibilities for verifying that the City
policy is current, in regard to state laws, prior to the destruction of specific records.
MANAGEMENT RESPONSE
Management Agreement The City Clerk’s Office concurs with this finding.
Owner Deputy City Clerk
Records Program Manger
Records Coordinator
Target Completion Date June 30, 2022
Action Plan The City Clerk’s Office staff will be responsible for:
1) Updating City Administrative Policy No. 1, Records Management Program, to
reflect the current processes and procedures for the effective organization,
maintenance, storage, and disposal of City of Glendale records. *
2) Developing written procedures and guidelines for the management,
retention, and final disposition of City records in the custody of individual
departments or the Records Center.
*For the purpose of this response, "records" means all books, papers, maps,
photographs or other documents, regardless of physical form or characteristics,
including prints or copies of such items produced or reproduced on film or
electronic media
Public Records Law Compliance Internal Audit Report for the City of Glendale | 7
PROCESS IMPROVEMENT OPPORTUNITIES
Moss Adams identified one opportunity for process improvement as a result of this internal audit. The
following table summarizes this recommendation.
CATEGORY PROCESS IMPROVEMENT RECOMMENDATION
1 Record
Retention
Documentation
The City implement a written process for departments
to review the records in their custody to identify those
that have reached the end of their retention period.
Records that have reached their retention period
should be destroyed, and any electronic versions of
those records must also be deleted at that time.
Public Records Law Compliance Internal Audit Report for the City of Glendale | 8
APPENDIX: DEFINITIONS OF AUDIT FINDINGS
RANKINGS
We utilized the City IIAP’s risk rankings, presented below, and assigned rankings based on our
professional judgment. A qualitative assessment of high, medium, or low helps to prioritize
implementation of corrective action as shown in the following table.
HIGH
Critical control deficiencies that expose the City to a high degree of combined
risks. Recommendations from high-risk findings should be implemented
immediately (preferably within three months) to address areas with the most
significant impact related to the City’s records management.
MEDIUM
Represents less than critical deficiencies that expose the City to a moderate
degree of combined risks. Recommendations arising from moderate risk findings
should be implemented in a timely manner (preferably within six months) to
address moderate risks and strengthen or enhance efficiency in internal controls
on areas with moderate impact and likelihood of exposure.
LOW
Represents low risk or control deficiencies and the exposure is not likely to
expose the City and its assets to significant losses. However, they should be
addressed in order to improve efficiency and effectiveness of operations.
Recommendations arising from low-risk findings should be implemented within
12 months.