Internal Audit Information Technology Equipment

Similar documents
Capital Assets / Construction in Progress Internal Audit

Inventory Control Internal Audit

Fleet Management Internal Audit

Bond Funds Compliance Monitoring Internal Audit

Internal Audit Records Management and Public Information Requests

Internal Audit Permitting

FOLLOW-UP OF COMPUTER EQUIPMENT TRACKING CONTROLS AND PROCEDURES REPORT NO F

REPORT NO DECEMBER 2014 SURPLUS COMPUTER HARD DRIVE DISPOSAL PROCESSES AT SELECTED STATE AGENCIES. Information Technology Operational Audit

THE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES. Department of Public Affairs & Security Studies Report No.

Overview. Responsibility

Executive Summary Background Objectives and Approach Issues Matrix Observations and Considerations...

E. Custodian - the Vice President for Administrative Services and Finance or designee.

THE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES. Department of Rehabilitation Report No

UW-EXTENSION BUSINESS SERVICES POLICY AND PROCEDURE DOCUMENT (BSPPD) #18 CAPITAL EQUIPMENT

March 28, 2001 Audit Report No Controls Over the FDIC s Laptop Computer Inventory

Department of Developmental Disabilities Accounts ReceivableAudit

MANAGEMENT AUDIT REPORT ACCOUNTS PAYABLE

Physician Assistant Program

DISPOSAL OF SURPLUS PERSONAL PROPERTY

ULSTER COUNTY COMPTROLLER S OFFICE Elliott Auerbach, Comptroller

ARKANSAS TECH UNIVERSITY

Review of Document Imaging Railroad Unemployment Insurance Act Programs Report No , November 17, 2000

Fl ori d a Departm e nt of E d ucati on Office of Early Learning. Program Guidance Tangible Personal Property

Department of Consumer Affairs Cash Disbursements by Agency Checks

Department of Youth Services Asset ManagementAudit

Division of Insurance Internal Control Questionnaire For the period July 1, 2013 through June 30, 2014

Walton County Clerk of the Court s Office Fixed Asset Review. Martha Ingle Clerk of the Courts

Fixed Assets Management Review

Audit of Financial Reporting Controls

RANDALL COUNTY FIXED ASSET POLICY April 2002 Revised 5/20/2014

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Internal Control Guide & Resources

GENERAL FIXED ASSETS Fixed Assets Administration

Audit of Milwaukee Fire Department Fixed Assets Controls

ffi n te rnal Au Public Works and Assets d it Land Management Process January 2011 P u b lic W o rks a n d A sse ts L a n d Ma n a g em

Performance Audit. Non-Real Estate Capital Asset Management. Durham County Internal Audit Department

7.50 PURCHASING POLICY ON ITEMS UNDER $10, PURCHASING POLICY ON ITEMS OF $10,000 OR MORE 7.60 USE OF PHYSICAL FACILITIES BY OUTSIDE GROUPS

LAS CRUCES PUBLIC SCHOOLS FIXED ASSETS PROCEDURES

SYSTEM ADMINISTRATION REAL ASSET MANAGEMENT MANUAL

Section 700 Fixed Assets

WHO SHOULD READ THIS POLICY

THE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES. Department of Criminal Justice Report No

Controls Over the SEC s Inventory of Laptop Computers

October 2, Mayor Andy Berke City Council Members. Subject: Police Aircard Inventory Management (Report #14-03)

THE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES. Office of Alumni Relations Report No

An Audit Report on the Child Support Enforcement Program at the Office of the Attorney General

Data Management Policies. Sage ERP Online

Fixed Assets Management Performance Audit

Judicial Council of California Administrative Office of the Courts

Mecklenburg County Department of Internal Audit. Park and Recreation Department Contract Management Investigation Report 1401

KAREN E. RUSHING. Audit of Purchasing Card Program

ACCOUNTING BY GOVERNMENTAL ENTITIES ACCOUNTING AND CONTROL OF FIXED ASSETS OF STATE GOVERNMENT, ACCOUNTING FOR ACQUISITIONS AND ESTABLISHING CONTROLS

STATE OF MISSISSIPPI DEPARTMENT OF EDUCATION TOPIC: FIXED ASSETS AND FACILITY USAGE

Property Room. Records Management System

1. The records have been created, sent or received in connection with the compilation.

Or download and view an electronic copy by visiting:

Renfrew County Joint Transportation C onsortium

Internal Audit Report DEPARTMENT OF TECHNOLOGY & COMMUNICATION SERVICES COMPUTER INVENTORY AUDIT APRIL Office of the County Auditor

Managing Government Records A Cooperative Undertaking. An Introduction to Kentucky s Public Records Management Law

CONCORD UNIVERSITY BOARD OF GOVERNORS

Table of Contents. Transmittal Letter Executive Summary Background Objectives and Approach Issues Matrix...

AUDIT REPORT PERFORMANCE AUDIT OF COMPUTER EQUIPMENT INVENTORY DEPARTMENT OF TECHNOLOGY, MANAGEMENT, AND BUDGET. February 2014

Within the context of this policy, the following definitions apply: A. Fixed Assets A resource that meets all the following criteria:

- 1 - First Time Pharmacy Managers (Revised 02/02/2011)

543.7 What are the minimum internal control standards for bingo?

PSAB Supplement 21 Records Retention and Disposition

UCLA Policy 360: Internal Control Guidelines for Campus Departments

August 2012 Report No

INVENTORY AND FIXED ASSET POLICY ORANGE COUNTY PURCHASING DEPARTMENT POLICIES AND PROCEDURES

STATE OF NORTH CAROLINA

SEC s Controls Over Government Furnished Equipment and Contractor Acquired Property

PURCHASING CARD RISK REVIEW

Mojave Water Agency. Fixed Assets and Surplus Property Policy

Office of the Chief Internal Auditor. Audit Report. Lap Top Inventory Audit

AUDITOR GENERAL DAVID W. MARTIN, CPA

AUDITOR GENERAL WILLIAM O. MONROE, CPA

Coleg Gwent Internal Audit Report 2012/13 Assets and Inventory. Assurance Rating:

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Internal Control Review of Capital Assets and Inventory Control

Newcastle University Information Security Procedures Version 3

Government Purchase Card Responsibilities Page 1 of 22 Welcome to Government Purchase Card Responsibilities

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Mississippi Institutions of Higher Learning IHL Executive Office. Administrative Policies. Property Guidelines

Payment Card Industry Compliance

Chapter 10 Receiving, Inspection, Acceptance Testing and Acceptance or Rejection

LEVEL SECTION NUMBER DATE 1 FIN SUBJECT: Equipment Receipt, Control, Inventory, and Disposal

FLORIDA ATLANTIC UNIVERSITY. Property Policy

LIVINGSTON COUNTY CREDIT CARD PROCEDURES

CITY OF PALO ALTO OFFICE OF THE CITY AUDITOR

Village of Port Byron

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, CPA, CIA AUDITOR GENERAL DATA SECURITY USING MOBILE DEVICES PERFORMANCE AUDIT OF

Department of Homeland Security

Follow-up Audit Golf Course Retail Inventory Controls

Communicating Internal Control Related Matters Identified in an Audit

State of New York Office of the State Comptroller Division of Management Audit and State Financial Services

How To Prevent Fraud On A Credit Card

Department of Purchasing and Supply Management Contract Management Audit Final Report. August promoting efficient & effective local government

ADMINISTRATIVE CODE BOARD OF COUNTY COMMISSIONERS ADOPTED: 05/23/90

California State University, Long Beach Research Foundation. Fixed Assets Policy & Procedures

ACCOUNTING RECORDS AND SOURCE DOCUMENTATION

Transcription:

Internal Audit Information Technology Equipment June 2012

Bernalillo County Internal Audit Information Technology Equipment Executive Summary SUMMARY OF PROCEDURES REDW performed an internal audit of the Bernalillo County Information Technology (IT) Equipment process. Our internal audit focused on assessing the adequacy and reasonableness of the internal controls surrounding the safeguarding of IT equipment including inventory tracking and disposition. We performed a variety of procedures, including: Reading various New Mexico State Statutes (NMSA) and applicable portions of the New Mexico Administrative Codes (NMAC); Obtaining an understanding of the County IT equipment procedures through reading Administrative Instruction (AI) No. 24 Fixed Assets, AI No. IT 15 Purchasing, Installing, and Relocating Information Technology Equipment; Obtaining an understanding of the County IT equipment procedures through interviewing various IT and Accounting Department Personnel; Testing a sample of computer hard drive disposals and capitalized IT asset disposals to determine compliance with applicable regulations; Testing a sample of IT capital assets and low-value equipment to determine if they were at the locations specified in the system and that the equipment was accurately tagged; and, Testing a sample of IT equipment purchases to determine if the equipment was accurately tagged and existed at the location specified in the system. If the equipment was for take home use, we tested that a Take Home Equipment Authorization Form signed by the Department Director and the employee was on file. i

SUMMARY OF OBSERVATIONS AND RECOMMENDATIONS Significant medium or high risk observations are presented below: IT Equipment Inventory Management There was a lack of segregation of duties surrounding IT equipment inventory management. The PC Systems Support Supervisor ordered inventory, received inventory, and reconciled the inventory maintained in the IT storage room. IT Take Home Equipment Take Home Authorization Forms were not consistently on file authorizing the issuance of the take home equipment. Additionally, the County did not have a standard Take Home Equipment Authorization Form or process. Destruction of Computer Hard Drives Computer hard drives were not always destroyed timely. Additionally, computer hard drive certifications were not sent to the Office of the State Auditor. Capitalized IT Equipment Tracking Several servers were not tagged in an accessible place; therefore, we were unable to ensure proper tracking of these items. Additionally, numerous items in the main server room were no longer in use and IT equipment on the fixed assets listing included servers that were capitalized in 2003 which could potentially be obsolete. The lower risk observations are included in the attached detailed report. * * * * * Further detail of our purpose, objectives, scope, procedures, observations, and recommendations is included in the internal audit report. In that report, management describes the corrective action taken for each observation. We received excellent cooperation and assistance from the various departments during the course of our interviews and testing. We sincerely appreciate the courtesy extended to our personnel. Albuquerque, New Mexico July 30, 2012 ii

Bernalillo County Internal Audit Information Technology Equipment Table of Contents Page INTRODUCTION 1 PURPOSE AND OBJECTIVES 1 SCOPE AND PROCEDURES PERFORMED 1 OBSERVATIONS, RECOMMENDATIONS AND MANAGEMENT RESPONSES 3

Bernalillo County Internal Audit Information Technology Equipment Report INTRODUCTION We performed the internal audit services described below solely to assist Bernalillo County in evaluating the internal controls and safeguards in place surrounding Information Technology (IT) equipment. We also assessed if equipment was disposed of in accordance with policies and applicable state regulations. Our services were conducted in accordance with the Consulting Standards issued by the American Institute of Certified Public Accountants, Generally Accepted Government Auditing Standards, and the terms of our contract agreement for internal audit services. Since our procedures were applied to samples of transactions and processes, it is possible that significant issues related to the areas tested may not have been identified. An entrance conference was held on May 23, 2012 at which time most items needed for the audit were requested. Fieldwork began the week of May 28, 2012. An exit conference was held on July 20, 2012, and final management responses were received on July 27, 2012. Although we have included management s responses in our report, we do not take responsibility for the sufficiency of these responses or the effective implementation of any corrective action. PURPOSE AND OBJECTIVES Our internal audit focused on the assessment and testing of internal controls encompassing IT equipment including inventory tracking and disposition. SCOPE AND PROCEDURES PERFORMED In order to gain an understanding of the processes and operations surrounding IT equipment, we interviewed the following personnel: Rod Rolston, Infrastructure Manager Bonnie Ulibarri-Romero, Financial Projects Coordinator Accounting 1

Martin Gallegos, Fixed Assets Manager Accounting Shannon Ronquillo, IT Help Desk Supervisor In order to understand the IT Equipment policies and procedures we read: Applicable portions of the New Mexico State Statutes Annotated (NMSA) including: (NMSA 1978) 13-6-1 to 13-6-5 Disposition of Property; Relevant sections of the New Mexico Administrative Code (NMAC) 2.2.2.10 (V) Disposition of Property; Administrative Instruction No. 24 Fixed Assets; and, Administrative Instruction No. IT 15 Purchasing, Installing, and Relocating Information Technology Equipment. We performed the following testwork: Hard Drive Destruction: We obtained a listing computer disposals processed between July 1, 2011 and April 30, 2012 and selected a sample (based on 90% CL, 10% TD) of 21 disposals. For each computer in the sample we tested that: The hard drive or storage device was erased and sanitized appropriately; and, Written certification was sent to the Office of the State Auditor (OSA) at least 30 days prior to disposal stating the computer hard drive had been properly erased; IT Capital Asset Disposals: We obtained a listing of IT capital asset disposals that occurred between July 1, 2011 and April 30, 2012 and selected a sample (based on 90% CL, 10% TD) of 13 asset disposals. For each capital asset disposal we tested that: The disposal of the asset was approved by the IT Director and the Fixed Assets Review Committee; A written declaration was submitted to the DFA and/or the State Auditor 30 days prior to the disposal; Method of disposal was appropriate; and, If asset had a net book value of more than $5,000, DFA approval was obtained. IT Capital Asset Tracking: We obtained a listing of all capitalized IT assets as of April 30, 2012 and selected a sample (based on 90% CL, 10% TD) of 21 assets. For each asset in the sample we tested that: The barcode and serial numbers on the asset matched what was recorded in the fixed assets system; and The asset was at the proper location. Low-value IT Equipment Tracking: We obtained a listing of all low-value IT equipment at April 30, 2012 and selected a sample (based on 90% CL, 10% TD) of 22 assets. For each asset in the sample we tested that: The barcode and serial numbers on the asset matched what was recorded in the IT equipment tracking system; 2

The asset was at the proper location; and, If the equipment was portable, an approved Take Home Equipment Authorization Form was on file. IT Equipment Purchases: We obtained a listing purchase orders involving IT equipment processed between July 1, 2011 and April 30, 2012 and judgmentally selected a sample of 10 purchases orders and tested all IT equipment assets purchased on those purchase orders. This resulted in a total of 130 items. For each item we tested that: The barcode and serial number on the asset matched what was recorded in the IT inventory tracking system or capital asset listing; and The asset was at the proper location; and, If the equipment was portable, an approved Take Home Equipment Authorization Form was on file. In addition we obtained the expense detail for office supplies for fiscal year 2012 and scanned the listing to determine if IT equipment was inaccurately coded as office supplies. OBSERVATIONS, RECOMMENDATIONS AND MANAGEMENT RESPONSES We identified the following weaknesses relating to the Bernalillo County IT Equipment process: 1) IT Equipment Inventory Management There was a lack of segregations of duties surrounding IT equipment inventory management. The PC Systems Support Supervisor ordered inventory, received inventory, and reconciled the inventory maintained in the IT storage room. This creates the risk that fraud could occur and not be detected in a timely manner. Risk level - High The County should segregate the duties of ordering inventory, receiving inventory, and reconciling inventory maintained in the IT storage room to three personnel. IT will segregate the duties of ordering, receiving, and reconciling IT equipment in the IT storage room to three separate individuals. IT will create a department procedure identifying, by position, the responsibilities for ordering, receiving, and inventorying IT equipment. IT plans on having this implemented during fiscal year 2013. 3

2) IT Take Home Equipment For portable equipment that is issued to an employee, Administrative Instruction No. IT 15 section C requires that a Take Home Equipment Authorization Form be completed and approved by the employee s Department Director. It also requires that the forms be maintained by the Purchasing Department. We found: a. 13 out of 69 instances where a Take Home Authorization Form was not on file authorizing the issuance of the take home equipment. b. The County did not have a standard Take Home Equipment Authorization Form. Instead the IT department had created an Information Technology Portable Equipment Authorization Form. This form did not have a department director signature line, and therefore there was no documented approval by department directors for those employees with take home equipment. c. These forms were not maintained by the Purchasing Department and instead the IT Department was maintaining these forms. d. Upon separation there was no process to ensure take home equipment was returned to the County. Risk level - Moderate There are various departments that require take home equipment authorization, and therefore the County should create a standard Take Home Equipment Form to ensure consistency, proper approvals are obtained, and information is documented in a consistent manner. Additionally, a process should be implemented to ensure that a Take Home Authorization Form is completed prior to the issuance of any take home equipment. The County should consider which department would be most appropriate for maintaining Take Home Authorization Forms. Effective September 2012, IT will add a Department Director signature line to the IT Portable Equipment Authorization Form and make sure forms are on file for all IT Take Home Equipment. IT will ensure the Department Director s signature is obtained before the Take Home equipment is issued. IT will also request a change to Administrative Instruction No. IT 15 section C to reflect that copies of IT Portable Authorization forms will be maintained by the IT department. 3) Destruction of Computer Hard Drives Section 2.2.2.10 (V) of the New Mexico Administrative Code (NMAC) requires that written certification be sent to the Office of the State Auditor (OSA) stating that computer hard drives have been effectively erased under the acceptable approaches specified by NMAC guidelines. The County was not submitting the required written certification to OSA for the disposal of computer hard drives. With regard to hard drive disposals we observed the following: a. Computer hard drives were not always destroyed timely. Six out of 21 computers tested were removed from the IT equipment listing and set for disposal; however, as of our 4

fieldwork these computers were still residing at the respective departments. The average amount of time since removal from the equipment listing was approximately 268 days. b. All 21 computer disposals tested had a disposal form on file with a signed affidavit by the Chief Information Officer attesting that the computer hard drive was destroyed in accordance with NMAC requirements; however, this notification was not sent to the OSA. Risk level-moderate Computer hard drives removed from the IT equipment listing should be destroyed immediately. This will help ensure sensitive information is removed from hard drives that are no longer tracked on the IT equipment listing. To ensure compliance with NMAC requirements, County IT should re-engineer the asset disposal process to ensure that written certifications are sent to the OSA at least 30 days prior to the disposal of the asset. IT will create a department procedure that outlines how computer hard drives will be removed and destroyed before the asset is taken off the IT equipment listing. This procedure will also include the requirement to provide a written certification to OSA. The IT Department will have this procedure implemented by September 2012. 4) Capitalized IT Equipment Tracking According to Administrative Instruction No. 24, as capital equipment is purchased it should be tagged and added to the capital asset listing and tracked/inventoried on a regular basis. There were several servers that were not tagged in an accessible place; therefore, we were unable to ensure proper tracking of these items. Numerous items in the main server room were no longer in use, including a server purchased in 2009 for $42,000, and IT equipment on the fixed assets listing included servers that were capitalized in 2003 and could potentially be obsolete and no longer in use. Risk level - Moderate To ensure proper tracking, all IT assets should be visibly tagged upon purchase, inventoried regularly, and investigated when missing. If it is determined that an item is no longer needed every effort should be made to sell the item in a timely manner and minimize the County s loss. The County should dispose of obsolete IT equipment in the sever room and remove it from the fixed assets listing if it is no longer in use and not specifically designed for backup or part purposes. IT will make sure barcode tags are placed on equipment in a visible area to ensure that equipment is easily identifiable at all times. IT will also perform an assessment of the capitalized 5

IT equipment currently on hand to determine what equipment is obsolete and should be disposed of. Going forward, in the event that IT fixed assets are deemed to be incompatible, obsolete, or damaged the IT Department will promptly notify and coordinate with the Fixed Assets Section within the Finance Department to ensure timely disposition. IT will complete these action steps during fiscal year 2013. IT will dispose of all unneeded IT gear in a timely manner. 5) Low-value IT Equipment Tracking Administrative Instruction (AI) No. IT 15 section D requires that an IT Asset Transfer Form be completed upon the transfer of equipment from one employee or department to another. IT equipment was not always assigned to the correct employee or location in the inventory tracking system. 30 out of 152 items tested were assigned to the incorrect employee or location and eight of these items could not be located within the County. Risk level - Low A periodic inventory count should be conducted diligently to ensure IT equipment is adequately tracked and monitored. All items that cannot be located during the count should be investigated timely. For take home equipment, a notification should be periodically sent to employees requesting confirmation of equipment that is in his/her possession. Additionally, an IT Asset Transfer Form should be completed whenever assets are reassigned from one department or employee to another. These transfers should be updated in the IT inventory system and the retention of the transfer forms should be centralized and delegated to specific personnel. Overall, these steps will help identify misappropriation, increase accountability, and ensure that the inventory system is updated accurately and timely. IT will work with Management to update Administrative Instruction No. IT 15 to reflect the detailed instructions for conducting the periodic inventory of all IT equipment and the detailed procedures for updating the IT Inventory system. The IT Department will also provide training on the updated procedures to the IT Liaisons within each department. Additionally, IT will remind all County departments that in accordance with Administrative Instruction No. IT 15B IT equipment must only be installed and relocated by IT Department staff. The IT Department will have these action steps completed during fiscal year 2013. 6) IT Equipment Purchases Departments are instructed to submit purchase orders for IT equipment using designated expense accounts so that equipment can be properly approved and tracked by the IT department. We noted several purchases of IT equipment were purchased using the office supplies expense account. As a result the IT department was not able to properly barcode and record the equipment in the IT inventory system. There is the risk that misappropriation of IT equipment could occur and not be detected in a timely manner. 6

Risk level - Low The County should implement a process to periodically review expense accounts such as office supplies to ensure that departments are not ordering equipment that should be recorded and tracked in the IT inventory system. This will help ensure departments are not circumventing the current workflow for purchasing IT equipment which increases the risk for theft of IT equipment. Additionally, the County should remind the departments about the importance of ordering IT equipment through the designated expense accounts and following the current workflow. The IT department is working with the Purchasing department to assign mandatory commodity codes to all line items in the purchasing module of the SAP ERP system which will identify items being purchased of an IT nature and route the request to the CIO for review and approval/disapproval. This will also prohibit items from being purchased from an inappropriate account, such as office supplies, and will assure that all items are properly inventoried and barcoded. We anticipate the changes to implemented during fiscal year 2013. 7) Capital Asset Disposals Section 13-6-1 of NMSA 1978 requires that notification be sent to the Office of the State Auditor (OSA) and the State Department of Finance and Administration (DFA) 30 days prior to the actual date of disposal of an asset. We found one instance out of 13 where an IT asset was disposed of; however, documentation could not be located to support the OSA or DFA was notified prior to disposal. We also identified one instance where a disposal notification was not sent until after the disposal. Risk level - Low The County Fixed Assets Section should consider creating a disposal checklist to ensure that all State Statutes and County policies and procedures have been followed prior to the disposal of an asset. The checklist and all supporting source documents should be centrally filed for reference. This will help ensure all required communications and procedures have been performed prior to the disposal of capitalized assets. The Fixed Assets Manager has updated the Master Surplus Listing which will be used as a checklist, to better document the compliance with State Statutes and County policies. The Fixed Assets Manager will review and verify that the disposal follows procedures. Declaration requests and approval documents have been placed in a tabbed monthly binder to allow for quick reference. The staff will review that all capital assets have been approved or pending approval by DFA and the State Auditor before final disposition. 7

* * * * * This report is intended for the information and use of Bernalillo County management, the audit committee, members of the board of commissioners of Bernalillo County and others within the organization. However, this report is a matter of public record, and once accepted its distribution is not limited. We received excellent cooperation and assistance from the various departments during the course of our interviews and testing. We sincerely appreciate the courtesy extended to our personnel. Albuquerque, New Mexico July 30, 2012 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information