AUDIT COMMITTEE SUMMARY
November 19, 2019
Follow-Up of ITSD Hardware and Software Lifecycle Management Process
Report Issued October 21, 2019
Audit Objective
Determine if prior audit recommendations are successfully implemented and working as intended.
Background
In October of 2016, the Office of the City Auditor completed an audit of ITSD’s hardware and software lifecycle management process. The objective of the audit was as follows:
Determine if current process for managing the lifecycle of hardware and software for general office use throughout the City are appropriate and meeting the needs of City staff.
The Office of the City Auditor concluded that internal controls need improvement to ensure that the lifecycle of hardware and software are effectively managed. Specifically:
• A control to ensure that information needed to effectively monitor IT related purchase requests did not exist.
•
A standard process for performing periodic physical inventories did not exist; ITSD had not performed a physical inventory of assets since September of 2014.
• Privileged users with access to modify IT assets in the Remedy system were not being reviewed for appropriateness. Additionally, critical changes to the status (i.e. disposals or end of life) of IT assets were not being monitored.
• Disposed capital assets were not accurately accounted for in SAP.
ITSD management agreed with the conclusions in the 2016 report and developed action plans to address the audit recommendations.
Audit Scope & Methodology
The audit scope was limited to the recommendations and corrective action plans made in the original report for the time frame May 2017 to July 2018.
Audit Conclusions
We determined that of four action plans, ITSD successfully implemented one, partially implemented two, and did not implement one.
ITSD successfully implemented a process to ensure that ITSD personnel review IT related purchase requests for accuracy and completeness prior to management approval.
ITSD has partially implemented a standard process for conducting periodic physical inventories of IT; however, further effort is needed to address discrepancies between physical counts and IT asset records. ITSD has also partially implemented controls to ensure periodic reviews are performed of Remedy system users with elevated privileges. However, ITSD has not yet implemented asset management subgroups, which would limit users to modifying only the type of assets they are responsible for.
ITSD has not completed a reconciliation of capital IT assets between SAP and Remedy System.
ITSD management agreed with the audit findings and has developed a positive action plan.