Report on Internal Control and Compliance
A REPORT
TO THE
ARIZONA LEGISLATURE
Pima County
Year Ended June 30, 2008
Financial Audit Division
Debra K. Davenport
Auditor General
The Auditor General is appointed by the Joint Legislative Audit Committee, a bipartisan committee composed of five
senators and five representatives. Her mission is to provide independent and impartial information and specific
recommendations to improve the operations of state and local government entities. To this end, she provides financial
audits and accounting services to the State and political subdivisions, investigates possible misuse of public monies, and
conducts performance audits of school districts, state agencies, and the programs they administer.
Copies of the Auditor General’s reports are free.
You may request them by contacting us at:
Office of the Auditor General
2910 N. 44th Street, Suite 410 • Phoenix, AZ 85018 • (602) 553-0333
Additionally, many of our reports can be found in electronic format at:
www.azauditor.gov
Table of Contents
Report on Internal Control over Financial Reporting and on Compliance and
Other Matters Based on an Audit of Basic Financial Statements Performed in
Accordance with Government Auditing Standards
Schedule of Findings and Recommendations
County Response
Report Issued Separately
Comprehensive Annual Financial Report
STATE OF ARIZONA
OFFICE OF THE AUDITOR GENERAL
DEBRA K. DAVENPORT, CPA, AUDITOR GENERAL
WILLIAM THOMSON, DEPUTY AUDITOR GENERAL
2910 NORTH 44th STREET • SUITE 410 • PHOENIX, ARIZONA 85018 • (602) 553-0333 • FAX (602) 553-0051
Independent Auditors’ Report on Internal Control over Financial Reporting
and on Compliance and Other Matters Based on an Audit of Basic Financial
Statements Performed in Accordance with Government Auditing Standards
Members of the Arizona State Legislature
The Board of Supervisors of
Pima County, Arizona
We have audited the financial statements of the governmental activities, business-type activities, the
discretely presented component unit, each major fund, and aggregate remaining fund information of Pima
County as of and for the year ended June 30, 2008, which collectively comprise the County’s basic
financial statements, and have issued our report thereon dated December 19, 2008. Our report was
modified to include a reference to our reliance on other auditors and as to consistency because of the
implementation of Governmental Accounting Standards Board Statement Nos. 45, 48, 49, and 50. We
conducted our audit in accordance with U.S. generally accepted auditing standards and the standards
applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller
General of the United States. Other auditors audited the financial statements of the Stadium District,
School Reserve Fund, Self Insurance Trust, Regional Wastewater Reclamation Department, Pima Health
System & Services, Development Services, and Southwestern Fair Commission, as described in our report
on the County’s financial statements. This report includes our consideration of the results of the other
auditors’ testing of internal control over financial reporting and compliance and other matters that are
reported on separately by those other auditors. However, this report, insofar as it relates to the results of
the other auditors, is based solely on the reports of the other auditors.
Internal Control over Financial Reporting
In planning and performing our audit, we considered the County’s internal control over financial reporting
as a basis for designing our auditing procedures for the purpose of expressing our opinions on the basic
financial statements, but not for the purpose of expressing an opinion on the effectiveness of the County’s
internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of
the County’s internal control over financial reporting.
Our consideration of internal control over financial reporting was for the limited purpose described in the
preceding paragraph and would not necessarily identify all deficiencies in internal control over financial
reporting that might be significant deficiencies or material weaknesses. However, as discussed below, we
identified certain deficiencies in internal control over financial reporting that we consider to be significant
deficiencies.
A control deficiency exists when the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned functions, to prevent or detect
misstatements on a timely basis. A significant deficiency is a control deficiency, or combination of control
deficiencies, that adversely affects the County’s ability to initiate, authorize, record, process, or report
financial data reliably in accordance with generally accepted accounting principles such that there is more
than a remote likelihood that a misstatement of the County’s basic financial statements that is more than
inconsequential will not be prevented or detected by the County’s internal control. We consider items
08-01 and 08-02 described in the accompanying Schedule of Findings and Recommendations to be
significant deficiencies in internal control over financial reporting.
A material weakness is a significant deficiency, or combination of significant deficiencies, that results in
more than a remote likelihood that a material misstatement of the financial statements will not be
prevented or detected by the County’s internal control.
Our consideration of internal control over financial reporting was for the limited purpose described in the
first paragraph of this section and would not necessarily identify all deficiencies in internal control that
might be significant deficiencies and, accordingly, would not necessarily disclose all significant
deficiencies that are also considered to be material weaknesses. However, of the significant deficiencies
described above, we consider items 08-01 and 08-02 to be material weaknesses.
Compliance and Other Matters
As part of obtaining reasonable assurance about whether the County’s basic financial statements are free
of material misstatement, we performed tests of its compliance with certain provisions of laws, regulations,
contracts, and grant agreements, noncompliance with which could have a direct and material effect on the
determination of financial statement amounts. However, providing an opinion on compliance with those
provisions was not an objective of our audit, and accordingly, we do not express such an opinion. The
results of our tests and those of the other auditors disclosed no instances of noncompliance or other
matters that are required to be reported under Government Auditing Standards.
Pima County’s responses to the findings identified in our audit are presented on pages 6 through 8. We
did not audit the County’s responses and, accordingly, we express no opinion on them.
This report is intended solely for the information and use of the members of the Arizona State Legislature,
the Board of Supervisors, management, federal awarding agencies, and pass-through entities and is not
intended to be and should not be used by anyone other than these specified parties. However, this report
is a matter of public record, and its distribution is not limited.
Jay Zsorey, CPA
Financial Audit Director
December 19, 2008
Pima County
Schedule of Findings and Recommendations
Year Ended June 30, 2008
08-01
The County should strengthen controls over its financial computer systems
The County’s general ledger, purchasing, and treasurer computer systems are critical to its operations.
Establishing and following effective internal control policies and procedures is essential to prevent or
detect unauthorized use, damage, intentional misstatement, loss, and unintended or unauthorized
changes to the County’s financial computer systems and critical data. However, the County had not
established adequate policies and procedures and did not always follow its policies and procedures to
adequately protect its systems and data. Specifically, auditors noted deficiencies in the County’s
procedures for making changes to computer programs and financial data, granting and monitoring
access to computer systems and data, and disaster recovery planning.
Change Management
Effective change management controls should ensure that program changes and changes to financial
data are valid, meet user needs, and are subject to review and independent approval. Additionally, it is
important to maintain a separation of duties between the individual programmers who develop and test
the program changes and the individuals who implement the changes in the production environment.
However, the County did not have adequate policies and procedures in place to ensure that changes to
its general ledger computer system and financial data were sufficiently reviewed, authorized, and
documented. Specifically, programmers approved their own program change requests with no evidence
of an independent review or approval. Programmers also bypassed the County’s change management
process altogether by routinely preparing and approving changes to financial data.
User Access
To help prevent unauthorized access and modification to computer systems and financial data, it is
essential that users are only granted access that is consistent with their job duties and responsibilities.
However, the County did not have sufficient policies and procedures in place to ensure that users’ access
to systems and data was always appropriate. Specifically, auditors noted several instances where users
were granted access to financial data that was not needed for their job duties. In addition, the County
established a powerful group user account for its purchasing system and several group accounts in its
general ledger system that allowed users to create, modify, and delete critical financial data without
individual accountability. The County did not adequately monitor these group accounts. Further, although
county policies required users to obtain written authorization for access to financial systems and data,
auditors noted instances in which the County was unable to provide access-approval forms indicating that
users had been approved for their access to the general ledger, purchasing, and treasurer’s systems or
data. Auditors also noted at least 35 terminated employees who had active system accounts.
Disaster Recovery
The County’s general ledger, purchasing, and treasurer computer systems and data are critical to its
operations. Therefore, it is important for the County to ensure that it can continue to operate in the event of
a system or equipment failure by developing, implementing, and testing a disaster recovery plan. A
properly designed disaster recovery plan helps to ensure that procedures are in place to provide for
continuity of operations and to ensure that electronic data files are not lost. However, the County has not
yet completed or tested its disaster recovery plan.
To help strengthen controls over its financial computer systems for managing program changes, user
access, and disaster recovery, the County should:
Change Management
• Develop comprehensive change management policies and procedures to help ensure that all program
or data changes are appropriate, authorized, developed, tested, reviewed, and approved.
• Implement standardized change management request forms that include an appropriate level of detail
and authorization.
• Develop a comprehensive list of individuals who are authorized to approve program changes.
• Ensure that the change management forms are tracked and retained.
• Monitor system-generated audit logs and reports that track all changes to verify that all significant
changes are appropriately documented and approved.
User Access
• Ensure that requests for access to computer systems and data are consistent with employee job
duties and responsibilities and access approval forms are retained.
• Limit the use of group access accounts in accordance with existing policies and monitor and track
user activities on group access accounts.
• Improve procedures for removing or modifying access rights of users when they terminate
employment or transfer departments.
Disaster Recovery
• Maintain a current listing of employees assigned to disaster teams, including emergency phone
numbers to reach them.
• Prepare a risk analysis identifying critical applications and an assessment of the impact on the County.
• Maintain a listing of off-site storage locations and information stored at these locations.
• Prepare a list of procedures for processing critical transactions, including forms or other documents to
use. Also, include detailed tasks and assignments for each member of the recovery teams.
• Determine hardware and software requirements needed to run critical systems and the applicable
vendors where hardware and software can be obtained.
• Implement the disaster recovery plan and update and test the plan annually.
08-02
The County should improve its capital asset reporting
The County maintains a network of transportation and flood control infrastructure assets valued at $609
million and land valued at $314 million, so it is essential that the County accurately report and account for
these assets. However, the County’s internal control policies and procedures did not always ensure that its
infrastructure and land were properly reported. Specifically, during fiscal years 2006 and 2007, several
housing subdivisions dedicated $70.1 million in public roads and land parcels to the County to maintain.
Generally accepted accounting principles require the County to report these capital assets when they are
dedicated. However, because the County did not have internal control procedures to identify, record, and
report these assets, it failed to include them in either the fiscal year 2006 or 2007 financial statements. The
County adjusted its fiscal year 2008 financial statements for these errors.
To help ensure that the County accurately reports its capital assets, the County should strengthen its
internal control policies and procedures to include specific steps to readily identify and report all
infrastructure roadways and land parcels when they are dedicated to the County.
130 West Congress Street, 6th Floor, Tucson, Arizona 85701-1317 Ph. (520) 740-8041 Fax (520) 243-2329
PIMA COUNTY
DEPARTMENT OF FINANCE AND RISK MANAGEMENT
Thomas E. Burke, Director
February 18, 2009
Ms. Debbie Davenport
Auditor General
2910 N. 44th St., Suite 410
Phoenix, AZ 85018
Dear Ms. Davenport,
The following corrective action plans have been prepared as recommended by Government
Auditing Standards. Specifically, we are providing you with the name of the contact person
responsible for corrective action, the corrective action planned, and the anticipated completion
date.
Sincerely,
Thomas Burke, Director
Department of Finance and Risk Management
08-01
The County should strengthen controls over its financial computer systems
Contact person – Lionel Bittner, Information Technology Director
Anticipated completion date – July 1, 2009 for Change Management and User Access and
December 31, 2009 for Disaster Recovery Plan, for planning and development, and December
31, 2010 for implementation
Change Management
The County concurs with the finding. By October 2008, the County implemented new controls
over the change request forms for the financial computer systems under the management of the
County's Finance Department to provide for appropriate review and authorizations. The Finance
Department developed internal departmental procedures to monitor and manage changes initiated
by Finance. In addition, the County's Information Technology Department (ITD) established a
project team to review existing change management and implement a new, comprehensive
change management process. Some changes were made immediately, and a complete process
revision is expected by July 1, 2009, with finalization of new formal administrative procedures
by September 30, 2009. The County Treasurer, who maintains some County financial computer
systems independently of the maintenance of the County's other financial computer systems, has
indicated that her office has improved its procedures.
User Access
The County agrees with the finding and has begun changes to current processes and procedures
applicable to physical access, logical access and password management in the Finance and ITD
areas of financial computer systems. The County initiated a comprehensive review of physical
and logical access controls and eliminated access provided to employees unless proper
authorization was documented. All procedures associated with user access are under revision to
strengthen current internal controls. By September 30, 2009, revised administrative procedures
will be submitted to the County Administrator. The Treasurer has stated that she has taken
corrective action to remediate the findings of the Auditor General.
Disaster Recovery
The County concurs with the portion of item 08-01 relating to the need for a Disaster Recovery
plan. The County is developing a plan that provides for a prioritization of critical services and
their associated recovery times. The plan is expected to be developed by the end of 2009 and
implemented by the end of 2010. The County will include the Treasurer's computer financial
systems in its Disaster Recovery plan.
08-02
The County should improve its capital asset reporting
Contact person – Paul Guerrero, Finance and Risk Management
Anticipated completion date - fully completed
The County concurs and has completed internal control procedures to ensure dedicated
infrastructure roadways and drainageways are reported on an accurate and timely basis.