AUDIT COMMITTEE SUMMARY
November 15, 2016
Audit of ITSD Hardware and Software Lifecycle Management Process
Report Issued October 17, 2016
Background
ITSD provides services and support for City employees’ information technology needs. To ensure adequate support, personnel within the Client Services Division are responsible for responding to and resolving City employees’ technology needs.
All requests for new hardware and software should be coordinated with ITSD. Service Coordinators facilitate the purchase-approval process by ensuring all required information is gathered from the customer and assigned to the appropriate personnel for processing.
The City spent approximately $17.9 million on the purchase and maintenance of computer hardware and software in FY2016. According to ITSD records, the City owns approximately 12,900 laptop and desktop computers, each with various software packages installed, such as Microsoft Office and Adobe products.
Audit Objective
Determine if current processes for managing the lifecycle of hardware and software for general office use throughout the City are appropriate and meeting the needs of City staff.
Audit Scope & Methodology
Our audit scope was from October 1, 2014 through December 31, 2015.
To gain an understanding of internal controls, we conducted interviews of appropriate personnel to identify controls related to the IT hardware and software lifecycle. As part of our testing procedures, we examined the following IT lifecycle management areas:
• IT Governance
• IT service request management
• Purchasing, receiving, and installing IT hardware/software
• Maintenance (Microsoft patch management and updates)
• Physical inventories and reconciliations of IT assets
• Disposal of hardware and software
• Asset management software user privileges
Audit Conclusions
Overall, internal controls need improvement to ensure that the lifecycle of hardware and software is effectively managed. While ITSD has procedures in place to manage the hardware and software needs of City staff, we noted areas where processes can be improved:
• Critical information needed to adequately track and record IT assets (i.e. material numbers and asset classification) was not consistently included in the inventory management system (Remedy).
• A standard process for performing periodic physical inventories does not exist. ITSD has not performed a physical inventory of assets since September of 2014.
• Privileged users with access to modify IT asset records in the inventory management system (Remedy) are not being reviewed for appropriateness. Additionally, critical changes to status (i.e. disposals or end of life) of IT assets are not being monitored.
• Disposed capital assets are not accurately accounted for in SAP.
ITSD Management agreed with the audit findings and has developed positive action plans to address them.