Attachment 4. Finance - Information Technology - Computer & Computer Equipment Lease Tracking Audit




TABLE OF CONTENTS
1.0 MANAGEMENT SUMMARY
2.0 INTRODUCTION
3.0 OBJECTIVES, METHODOLOGY, SCOPE
4.0 DETAILED OBSERVATIONS AND RECOMMENDATIONS
4.1 PROCUREMENT OF LEASED COMPUTER HARDWARE UNDISCLOSED LEASE INFORMATION
4.2 REPORTING ON KEY INTERNAL CONTROLS LEASE TRACKING
4.3 REPORTING ON KEY INTERNAL CONTROLS SEGREGATION OF DUTIES FOR CMDB
4.4 REPORTING ON KEY INTERNAL CONTROLS LEASE RECONCILIATION
4.5 REPORTING ON KEY INTERNAL CONTROLS CMDB MANAGEMENT REPORTING
4.6 ANALYSIS OF STOLEN ASSETS

1.0 Management Summary

Audit Services has completed a review of Computer and Computer Equipment Lease Tracking in York Region (the Region's) Finance Information Technology Branch.

The Region formally began tracking computer assets in 2005. A significant effort has been made by the Finance IT Branch to help ensure that current leased assets being acquired are tracked via the Configuration Management Database (CMDB), and to ensure that orders are tracked and matched to leases. However, the setting up of the CMDB database has been a difficult task. Current leases are being entered and reconciled; however, a significant amount of equipment was received by the Region during 2003, 2004 and 2005 that is not on a current lease. Our estimation of the size of this unrecorded population is at least 280 items with a minimum cost estimate of $610,000.

Adding to the above estimate of unrecorded equipment is the practice of computer equipment purchases through individual department budgets. Procurement of computer equipment that is not financed through the approved supplier cannot be tracked and may not be supported by the Finance IT Branch.

We noted that the leasing companies with whom the Region has contracted for computer services and equipment have created financial arrangements which favor the leasing companies. The main variable in a lease is the implicit interest rate of the lease. The leasing companies used by the Region do not fully disclose this important figure.

The Finance IT Branch began documenting procedures for this area in June 2005 with the creation of a draft process document "ITAM IT Asset Management, Draft ITS Process Guidance Document". Completion of this document should be made a high priority, as it would help to enhance overall internal controls over the recording and tracking of computer and computer equipment.

Responsibility for control of the CMDB database rests with very few people. This increases the risks associated with insufficient segregation of duties to ensure effective physical control over the related assets.

Reconciliation of the Region's PC, Thin Client and Printer Lease Commitment Schedule and CMDB reports for the leases drawn from our sample showed differences. The Region's PC, Thin Client and Printer Lease Commitment Schedule is maintained and used by those responsible for lease management to summarize the details of existing and expired leases. Leases are then recorded, tracked, and reconciled in CMDB for the determination of a physical inventory of leased computer assets. Lease Commitment Schedules accurately depicted the financial details of most leases based on our sample testing. Detailed equipment listing in the CMDB database allowed us to physically examine reports for randomly selected leases.

The Region's Network and PBX Lease Commitment Schedule equipment is currently not facilitated in the CMDB database. Efforts are currently in progress to migrate Network and Telecommunications data into the CMDB database to streamline, reconcile, control, and manage the activities of purchasing and order tracking. Once completed, this will allow reporting in similar fashion as York Region's PC, Thin Client and Printer Lease Commitment Schedule equipment.

Physical master lease files were found to be in good form. Lease documents, lease appendices, equipment schedules, and other supporting documentation in the form of email correspondence, accounting / payable authorizations, invoice copies and other such relevant information were included in lease master files. There were, however, some instances where leases were not filed or were missing. In two instances misfiling of lease documents was discovered.

The Computer and Equipment Lease tracking review was conducted based on stated review objectives and applied against a drawn sample of 20 leases. The following is a brief summary of the observations with reference to supporting details.

Objectives, observations and references:

1. Procurement: Ensure compliance with the York Region Purchasing Bylaw.
   Information relating to the residual value, buyout amount, interest rate is not disclosed. Implicit interest rate information is withheld and well concealed in the lease contract.
   Reference: 4.1

2. Key Internal Controls: Ensure accurate and complete recording, tracking, reporting of leases.
   Instances of inaccurate data found to exist in the CMDB when compared to lease documents. Lease Management function not being used as a check or control on the accuracy of CMDB.
   Reference: 4.2, 4.3, 4.4, 4.5

3. Analysis of Stolen Assets: Frequency of thefts to any benchmark data.
   Agreement between the CMDB and claims for insurance is not apparent.
   Reference: 4.6

We wish to thank management and staff in the Finance IT and Insurance Risk Branches for their co-operation and assistance in providing requested documentation and timely responses.

2.0 Introduction

The York Region Finance - Information Technology Branch leases computer hardware for business purposes. Currently the Region has over 1,600 desktops, 450 laptops and 100 thin clients for a total 2005 annual cost of approximately $3.8 million. Network and PBX computer hardware is carried at an annual lease cost of approximately $3.0 million for 2005. The Region has over 100 servers leased.

3.0 Objectives, Methodology, Scope

Objectives

1. Ensure compliance with the York Region Purchasing By-law for procurement of leased computer hardware.
2. Determine the existence and operation of key internal control procedures and associated resources related to accurate and complete purchasing, recording, tracking and reporting of leases for computer hardware.
3. Ensure the accurate and timely payment of leased computer hardware.
4. Compare computer hardware costs to market costs.
5. Determine compliance with the York Region Disposal of Obsolete, Damaged or Surplus Property.
6. Perform an analysis of assets stolen and compare the frequency of thefts to any benchmark data.

Methodology

Sample testing of individual leases selected from the Lease Commitment Schedules. There was one for PC, Thin Client and Printers and another for Network and PBX;
Cross referencing selected leases with CMDB reports;
Interviews with staff;
Reviewing documents including RFPs, lease agreements, and reports to the Finance and Administration Committee;
Detailed calculations of sample leases.

Scope

Many of our conclusions were drawn from sample testing of individual leases selected from two Lease Commitment Schedules provided to us. One list is for PC, Thin Client and printers and the other is for Network and PBX. For PCs, thin clients and printers we selected ten leases out of 45 representing approximately 54% of the total number of items and 45% of the total asset costs. For network and PBX leases, we selected ten leases of 49 that made up 51% of the total asset costs.

4.0 Detailed Observations and Recommendations

4.1 Procurement of Leased Computer Hardware Undisclosed Lease Information

For the sample leases reviewed, information needed to do a thorough analysis was not clearly disclosed. For instance, in the case of HP Financial Services the residual value or buyout amount is not given. The HP Financial Services Master Lease states in section 4a) Purchase Option that the Lessee may elect to purchase any or all Units of Equipment for an amount equal to the Fair Market Value of such Units of Equipment as of the end of the Then Applicable Term. On the individual leases, they also only show the Rent amount and do not give the interest rate or the buyout amount.

Rates appear to be set quarterly by an Advanced Pricing Agreement ("APA", Exhibit B to the Master Agreement). This document seems to be issued quarterly and details the Amount Available which is defined as the Total Cost of Equipment to be subject to such Leases, and, Financed Items to be subject to such Financings. This lease rate factor is not the interest rate.

There are five variables in a lease for equipment:

PV: Present value or cost of the equipment (without tax);
N: Number of payments (i.e. 12 for a three year quarterly lease);
PMT: The monthly lease payment amount (without tax);
I: Interest rate (per period, i.e. a 12% annual interest rate is 3% per quarter);
FV: Future Value (sometimes referred to as residual value, or buyout amount).

Determination of the implicit interest rate is a key component to financial calculations, but this information is withheld and well concealed in the lease contract wording.

Each lease should include the residual value or buyout amount in an exact dollar amount or percentage of original costs. This figure is known to the leasing company (HP Financial Services and MFP). A thorough lease analysis can only be done when the required information is disclosed to the Region.

The APA should clearly show the interest rate inherent in each lease entered into during the quarter. It refers to a lease rate factor which is to be multiplied by the Total Cost of the Equipment subject to each such lease to determine the periodic rent payable.

The Region should develop and implement a procedure that requires a detailed calculation be done on each new lease to ensure the interest rate implicit in the lease is at an acceptable rate. The results should be compared to the Region's cost of borrowing rate which may even be lower than prime, as per discussion with the Finance Policy, Risk and Treasury Branch.
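
The detailed calculation recommended above, as an added example that is not part of the audit report: given PV, N, PMT and a disclosed FV, it solves for the implicit rate I and shows that one lease rate factor can hide very different rates depending on the residual. The function names, the payment-timing switch and all dollar figures (including the 5% borrowing rate) are assumptions constructed for illustration.

```python
"""Implicit lease rate from the five lease variables PV, N, PMT, I, FV."""


def present_value(rate, n, pmt, fv, advance=False):
    """Value today of n level payments plus a residual fv due at period n."""
    if abs(rate) < 1e-12:
        annuity = pmt * n
    else:
        annuity = pmt * (1 - (1 + rate) ** -n) / rate
    if advance:  # assumption: rent paid at the start of each period
        annuity *= 1 + rate
    return annuity + fv * (1 + rate) ** -n


def payment_for_rate(pv, n, rate, fv, advance=False):
    """Level payment that yields exactly `rate` per period to the lessor."""
    unit = present_value(rate, n, 1.0, 0.0, advance)
    return (pv - fv * (1 + rate) ** -n) / unit


def implicit_rate(pv, n, pmt, fv, advance=False, lo=-0.5, hi=1.0, tol=1e-12):
    """Solve present_value(i) == pv for the per-period rate i by bisection."""

    def gap(i):
        return present_value(i, n, pmt, fv, advance) - pv

    # The present value falls as the rate rises, so the gap must change
    # sign between lo and hi for a solution to exist in the bracket.
    if gap(lo) < 0 or gap(hi) > 0:
        raise ValueError("implicit rate lies outside the search bracket")
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if gap(mid) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def review_lease(pv, n, pmt, fv, periods_per_year, borrowing_rate,
                 advance=False):
    """Summarise one lease against the cost-of-borrowing benchmark."""
    per_period = implicit_rate(pv, n, pmt, fv, advance)
    # Nominal annual rate, matching the report's "12% annual is 3% per quarter".
    annual = per_period * periods_per_year
    return {
        "lease_rate_factor": pmt / pv,
        "rate_per_period": per_period,
        "annual_rate": annual,
        "above_borrowing": annual > borrowing_rate,
    }


if __name__ == "__main__":
    # Constructed sample: $100,000 of equipment, 12 quarterly payments,
    # lease rate factor 0.09, three possible undisclosed residual values.
    for residual in (0.0, 10_000.0, 20_000.0):
        result = review_lease(100_000.0, 12, 9_000.0, residual, 4, 0.05)
        print(f"FV={residual:>9,.0f}  factor={result['lease_rate_factor']:.3f}"
              f"  annual={result['annual_rate']:.2%}"
              f"  above borrowing rate: {result['above_borrowing']}")
```

With the residual left undisclosed, the same 0.09 factor is consistent with a rate either below or well above the benchmark, which is why the calculation cannot be completed from the rent amount alone.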

ITS will approach HPFS to include the residual value, or buyout amount. As noted by the auditors, HPFS does not include the residual or buyout amount. The Region chose not to include this requirement in the original RFP. In speaking with ITS staff it is not standard industry practice to include the residual or buyout amount. We can certainly ask HPFS to include this information in future leases as an improvement to our existing processes. This will be implemented by the end of Q2/06.

The Region's Policy, Risk, and Treasury Branch reviews the quarterly HPFS APA to ensure that the interest rates are calculated correctly. As an opportunity for process improvement ITS can work with the Policy, Risk and Treasury Branch to develop a process that supports the auditors' recommendation by the end of Q4/06.

4.2 Reporting on Key Internal Controls Lease Tracking

The process document formalizing the tracking and reporting of computer hardware remains in draft format. The draft process "ITAM IT Asset Management, Draft ITS Process Guidance Document" was initiated in June 2005 by the Finance IT Branch.

The process document should be finalized as soon as possible.

The process documents are now complete. We have created process workflow documents for over 30 procedures. The workflow documents have been reviewed by the Customer Service Unit and are currently in the process of receiving sign-off from the ITS management team. This signoff will be completed by Q3/06.

4.3 Reporting on Key Internal Controls Segregation of Duties for CMDB

We found that the process of adding data to the CMDB is performed by the efforts of one individual. This individual designed and implemented CMDB, is performing reconciliations of data between Orders placed with HP, delivered computer assets from the vendor (Tech Data) and equipment Schedules from HP-Financial (InfoStream), and is involved in the general follow-up for tracking of leased computer assets. Furthermore, the Region is reliant on this individual to resolve issues of Other Assets existing in the CMDB database, which represents assets that are not referenced to signed leases, and for other issues that occur with regard to management of leased computer assets, and reporting on those leases.

IT and Insurance Risk leased computer information is not periodically reconciled. For example, CMDB was used to generate reports for Leased computer assets which were stolen, but CMDB data did not correspond with information received from Finance Insurance Risk Branch. There should be a direct match in reporting for this key activity as leases rely on this information for proper termination. Leased Assets need to be returned at the end date of the lease term. Stolen, damaged, or returned computer assets need to be communicated to Leasing so that the leases can be terminated on time to avoid penalties or forcing the leases to roll into month to month term due to missing items on the leasing schedules.

We recommend that the process of documenting detailed policies and procedures for the overall tracking and reporting of computer and computer equipment be given top priority and be implemented as soon as possible.

The CMDB implementation team should consider inviting the Leasing Administrator or a representative from Leasing to attend regular status meetings so that Leasing Schedules and leasing activities can be synchronized with what is occurring and being reported in CMDB on a lease by lease basis.

The valuation of records or assets within the database should be realistic. Assets should not be allowed to exist in the database at zero value. If reports stemming from this CMDB database are to be used for Management Purposes then asset valuation would be incorrect without addressing the zero valued entries in the database. The decision to carry these assets at zero value impacts Management Reporting in a significant manner and this decision should be confirmed by IT management.

Data ownership is a key issue.
The Region may wish to consider expanding involvement in the CMDB from various sources inclusive of Leasing, and, Finance Insurance Risk Branch. The CMDB as a reporting tool must be reliable as data accuracy is key to management reporting. Data accuracy therefore can be achieved by sharing responsibility for the data records within the CMDB.

The auditor's observation was correct. ITS now has a number of staff that are involved in the administration of the CMDB. When the audit was conducted we were in the process of configuring the CMDB. During the configuration process we minimized staff access.

The CMDB is designed to categorize every item as Leased, Leased MTM (month-to-month), Purchased and/or Bought Out. Effective 2006 an annual reconciliation will be performed early in the budget cycle.

ITS has a communication procedure in place. We will ensure that the procedures in Policy, Risk and Treasury link to the corresponding ITS procedures. We currently meet with Policy, Risk, and Treasury periodically as required. We will initiate a more proactive meeting schedule to address the auditor's concerns. Both of these tasks will be completed by the end of Q3/06.

ITS updates the zero value field once HPFS has forwarded their quarterly update. With the advent of moving from leasing to purchasing we will ensure that we comply with requirements that will be outlined in the Regional Asset Management Strategy.

The CMDB is currently used by ITS and Policy, Risk, and Treasury, as well as other Departments within York Region.

4.4 Reporting on Key Internal Controls Lease Reconciliation

We noted the following Asset ID Tags, taken from Leases and traced to the CMDB, did not have the necessary information to physically locate these assets:

YRK3261
YRK4592
YRK4598
YRK4661

Inability to locate these assets means that they can never be returned. These assets will continue to be paid on a month to month lease indefinitely, as the leases to which they are linked will never become fully expired. If the assets cannot be located a decision must be made to buy out the equipment at the end of the lease term to stop further payments. To date the Region has not made a decision to buy out these assets which it cannot locate.

Further analysis of the CMDB revealed a section of the CMDB that is not periodically reconciled and is undervalued. This section is defined as Other in the CMDB. A full list of the 280 items comprising other assets was highlighted and provided to management.

Management should prepare a periodic, detailed reconciliation of all items in the CMDB database to existing leases. This will help to ensure any anomalies are highlighted and can be investigated in a timely manner for resolution.

The Manager of Business Services for ITS will complete a process to write off lost assets by the end of Q4/06. ITS will continue to work closely with HPFS and the supplier to resolve these discrepancies with a resolution in place by Q4/06.

Effective 2006 an annual reconciliation will be performed early in the budget cycle.

4.5 Reporting on Key Internal Controls CMDB Management Reporting

The following opportunities for improvement relating to the CMDB application were noted:

1. We estimate that there are approximately 280 or more items at an estimated cost of $610,000 or more that are not recorded on the CMDB. A significant amount of equipment was received by the Region during 2003, 2004 and 2005 but is not on a current lease.
2. Instances were found where CMDB did not represent the lease terms as per the Lease and Amending Agreements.

1. The CMDB should be reconciled for all non-lease-related assets. It was designed to track leased computer assets and should maintain its focus for the generation of Management Reports.
2. The Region should periodically reconcile the CMDB to the lease schedule and known equipment. Differences should be investigated and resolved.
3. Since the Region has entered into hybrid leasing / financing transactions with HP-Finance, then the CMDB should be updated and / or re-designed to reflect the nature of the business environment. This would require the development of a full Asset Management System comprising Leased Assets, and Owned and Financed assets. This new Asset Management System could also incorporate Lease Tracking or Lease Management functions to streamline activities from various staff at the Region.

Please note that the 280 items referred to above are recorded on the CMDB and exist on the schedule titled Others. The Region continues to work closely with HPFS and the Supplier to resolve outstanding equipment discrepancies and of the $610,000 noted above, less than $20,000 are still being assessed with an expected resolution by Q4/06.

Effective 2006 an annual reconciliation will be performed early in the budget cycle. The annual reconciliation process will identify anomalies and corrective action will be taken.

The Region undertook a physical audit of all equipment in 2005 and the results verified the integrity of the CMDB data. It is our intention to utilize the CA Unicenter tool set to electronically verify the existence of equipment on the network.

4.6 Analysis of Stolen Assets

Agreement between the IT CMDB and Insurance Risk claims for insurance does not occur. Without complete and accurate records over all stolen assets whether leased or purchased, Region management cannot determine the financial impact of this problem.

Stolen leased computer equipment impacts lease termination. When these stolen assets cannot be located for return to the leasing company, the Region effectively cannot terminate the leases to which the assets belonged unless the information is shared between IT and Insurance Risk. We discovered leases that have expired but are being paid for monthly because the Region is unable to locate the referenced leased assets.

Stolen computer equipment should be reconciled between the IT CMDB and Insurance Risk claims system. The policies and procedures manual being developed by IT should include this reconciliation process.

The Region should investigate any expired leases for which payments continue due to equipment not being located for return.

ITS has a communication procedure in place. We currently meet with Policy, Risk, and Treasury periodically as required. We will initiate a more proactive meeting schedule to address the auditor's concerns by Q3/06.

We advise Policy, Risk, and Treasury of stolen equipment. We can revise our processes as per the auditor's direction by Q3/06.

Original signed by Louis Shallal, Director, Information Technology
Original signed by Lloyd Russell, Commissioner, Finance
Original signed by Paul Duggan, Director, Audit Services