Internal Audit Report Mobile Devices
Internal Audit Report
Limited Operational Audit
Mobile Devices/Smartphones
Current Practices

Issue Date: June 7, 2011
Report No. 2011-08

Internal Audit Report
Mobile Devices/Smartphones Operational Audit
Current Practices

Table of Contents

Transmittal Letter
Executive Summary
Background
Audit Objectives
Highlights and Accomplishments
Audit Scope and Methodology
Conclusion
Schedule of Findings and Recommendations

Transmittal Letter

We have completed an operational audit of Port mobile devices, including smartphones. The purpose of the audit was to determine if the Port is effectively managing its mobile devices. The audit focused primarily on the controls over the 782 smartphones assigned to Port employees as of December 31, 2010.

We conducted the audit using due professional care. We planned and performed the audit to obtain reasonable assurance that the risks associated with mobile devices were sufficiently mitigated. Management has the primary responsibility to establish and implement effective controls over the proper use, monitoring, and justification of mobile devices.
Our audit objective was to examine and test those controls in order to establish whether the controls were adequate and operating effectively.

Based on our audit, Port management has established adequate and effective controls related to negotiated rate structures with its mobile device service providers. We also found no productivity concerns caused by the personal use of mobile devices. However, we noted a weakness in management monitoring.

We extend our appreciation to management and staff for their assistance and cooperation during the audit.

Joyce Kirangi, CPA
Director, Internal Audit

Executive Summary

Audit Scope and Objective

The purpose of the audit was to determine if the Port is effectively managing mobile devices. Specifically, whether management:

1. Provides sufficient, complete, and clear policy directives and governance on proper mobile device usage.
2. Monitors usage adequately to ensure that Port issued mobile devices are utilized for the intended productivity benefits.
3. Has implemented adequate controls over usage levels and negotiated rate structures to ensure the best economic interest of the Port.

The scope of the audit included current Port practices, including billings and usage data from 2010.

Background

The Port provides mobile devices such as smartphones, air cards, radio transmitters, and pagers to its employees. The business purposes for these devices include facilitating communication when employees are working remotely, in field operations and/or away from their desks. Mobile devices extend various capabilities to Port employees, including email, contact information and internet access.

Mobile devices are receiving more attention as technological advancement shifts from desktop computers and cellphones to smartphones and tablet computers amid increasing reliance on mobile applications.
The ICT department performs reviews of smartphone usage to ensure that billing plans are properly established. The Port is on shared-minute plans with three vendor providers: Verizon, Sprint, and AT&T. When an employee exceeds their monthly allotment of minutes, additional minutes are pooled from the Port's total available minutes. The Port has approximately 800 smartphones assigned to its employees, and incurs approximately $580,000 annually for services related to the smartphone plans.

Audit Result Summary

Management has implemented adequate controls to ensure the best economic interest of the Port in negotiated rates. We also found no productivity concerns caused by personal use of mobile devices. However, we noted that there is no formalized process to monitor mobile device usage at the department level. Although management has a number of mobile device policies, it has not clearly defined "incidental personal use" in its policies. The lack of a clear definition has contributed to various individual interpretations and inconsistent management monitoring practices.

Background

Individual departments are responsible for justifying and approving the issuance of smartphones. ICT's Administrative Team is responsible for establishing, monitoring, and maintaining agreements with the service providers. Specifically, ICT's responsibilities include:

- Placing orders for devices and service-related requests upon requesting management approval.
- Issuing mobile devices to Port employees.
- Conducting periodic inventories.
- Reviewing monthly usage to ensure Port plan limits are not exceeded.
- Coordinating with State agencies for the disposal of outdated or damaged devices.

Smartphones, tablet computers, and other mobile devices have become indispensable tools for today's highly mobile workforce.
Such small and relatively inexpensive devices can be used for many functions, including sending and receiving electronic mail, storing documents, delivering presentations, and remotely accessing data.

The Port started providing mobile devices in the early 1990s, primarily to Fire and Police Department staff. Since then, the issuance has been steadily increasing and stabilized to approximately 800 smartphones in 2010. Many of the Port operating units, especially at the airport, operate in a 24/7 environment which requires staff to be on-call or otherwise available. This Port environment is unique in comparison to most other governmental and municipal entities.

Financial Highlights:

As of December 31, 2010, there were 780+ smartphones and 200+ air card mobile devices in use by Port employees. During calendar year 2010, the Port paid the following amounts to the three vendors who provide mobile device services to the Port:

Vendor | Device Count: Smartphones | Device Count: Air Cards | 2010 Expenditures: Cost of Smartphone Devices | 2010 Expenditures: Cost of Smartphone Monthly Service Charges | 2010 Expenditures: Cost of Annual Air Card Plans | Total Costs
AT&T | 563 | - | 32,590 | 461,745 | - | 494,335
Verizon | 113 | 144 | 15,119 | 57,352 | 74,287 | 146,758
Nextel/Sprint | 106 | 63 | 10,314 | 62,197 | 30,240 | 102,751
Total | 782 | 207 | $58,022 | $581,294 | $104,527 | $743,844

Current mobile device offerings on average include:

- PDA, Smartphone, or Blackberry: an electronic device which includes some of the functions of a computer and a cellphone. Device cost: $100-$600 ea. Plan cost: $50-$150 per month.
- Standard Cellphone: short-range, portable electronic device used for mobile voice communication over a network of specialized cell sites. Device cost: $0-$350 ea. Plan cost: $20-$50 per month.
- EVDO Card (Evolution Data Optimized, known as Air Cards at the Port): card that connects to the wireless network to allow users to connect online. Device cost: $0-$110 ea. Plan cost: $40-43 per month.
- Tablet Computers, notably iPads. Device cost: $300-$600 ea. Plan cost: $45 Wi-Fi costs per month.

Audit Objectives

The purpose of the audit was to determine if the Port is effectively managing mobile devices. Specifically, whether management:

1. Provides sufficient, complete, and clear policy directives and governance on proper mobile device usage.
2. Monitors usage adequately to ensure that Port issued smartphones are utilized for the intended productivity benefits.
3. Has implemented adequate controls over usage levels and negotiated rate structures to ensure the best economic interest of the Port.

We reviewed current Port practices based on billings and usage data from 2010.

Highlights and Accomplishments

During the review, we observed efficient and effective management controls in the following areas:

- ICT's periodic reviews of the market environment and the level of device usage have ensured that the Port receives best service bundles at a reasonable cost. ICT Administration meets with the service providers quarterly to review current plans and proactively discuss any plan changes. When appropriate, ICT prepares a cost-benefit analysis to determine potential plan savings. For instance, changes to the AT&T plan in 2010 included unlimited text and data which resulted in overall cost savings of $53,474.
- ICT Administration Team has been prudent in its responsibilities to manage rate structures in the best economic interest of the Port.

Below is a declining trend graph of telecommunications expenses for the past three years.
[Chart: telecommunications expenses for 2008, 2009, and 2010, by vendor: Verizon Wireless, Nextel West Corp, AT&T]
Source: PeopleSoft (accounts 66500, 66510, and 66550)

Audit Scope and Methodology

We conducted the audit to determine whether management controls surrounding mobile device usage are adequate to provide reasonable assurance of effective operations and compliance with Port policy/procedure. We excluded from our analysis tablet computers, air cards, radios and data usage due to the complexities in obtaining complete and relevant data. Our audit examined current practices and existing policies. Our work was conducted at various locations throughout the Port and involved test work and interviews of all Port divisions.

Our approach to the audit was risk-based from planning to test sampling. We reviewed and assessed risks associated with processes, policies, and other procedures that have been established to effectively manage the Port's mobile devices. The established processes cover all phases, from the initial service request, to mobile device distribution, monitoring, and plan negotiation. As part of the audit, we visited many business units across the Port and evaluated whether the established controls were carried out as intended.

We applied additional detailed audit procedures to areas with the highest likelihood of significant negative impact. We considered the nature of the activity and evaluated it within the context of our audit objectives. Our consideration included control (both manual and system driven) assessment and control testing, as necessary. Our additional detailed audit procedures can be grouped and summarized into policy compliance, management monitoring, and rate negotiation. We approached each audit area with the following methodology:

1. Policy Compliance

In order to determine whether management has provided sufficient, complete and clear policy directives and governance on proper mobile device usage, we first evaluated current Port policies, procedures, and practices. These included policies in the Port's Code of Conduct and personnel policies. In our evaluation, we considered mobile device policies of other governmental agencies including, but not limited to, the City of Seattle and the Port of Tacoma, as well as published guidance from the Washington State Auditor's office.

Additionally, we reviewed other regulations, industry guidelines, and publications such as the Federal Labor Standards Act (FLSA) and 2011 technology initiatives survey by American Institute of Certified Public Accountants (AICPA) to identify potential policy gaps. In the context of the audit, policy gaps refer to concerns in mobile device areas that the current policies do not expressly address. The gaps naturally emerge as existing policies become incrementally outdated primarily due to evolving operating environments and/or technologies. Our reviews were intended to capture such potential gaps.

We interviewed 33 staff and managers throughout the Port and inquired about their familiarity with Port policies and procedures regarding the appropriate use of Port issued devices and what, if any, additional guidance would be helpful. We also interviewed 18 managers to assess the extent of their monitoring of smartphone usage for non-exempt employees. Our selections of managers and device users for interviews were based on non-productivity testing samples, as described below.

2. Monitoring of Productivity relating to Mobile Device Usage

To determine whether management monitors smartphone usage adequately to ensure intended productivity benefits, we utilized 2010 AT&T call data which was readily available in electronic form.
The company accounted for over 70% of mobile devices as of 12/31/2010. We reviewed approximately 14,000 calls to/from Port issued smartphones in 2010 to identify non-business-related phone calls. Our approach included isolating numbers with the highest likelihood of being non-business related and analyzing calls to/from those numbers Monday through Friday. The isolation involved examining weekend calls and excluding Port internal numbers and 24/7 operations. We reviewed calls to/from resulting phone numbers to obtain the extent of non-business calls during weekdays. We excluded from our analysis tablet computers, air cards, radios and data use due to the complexities in obtaining complete and accurate data.

3. Provider Rate Structures

In order to ensure that the Port is obtaining the most economical and beneficial plan rates available, we conducted a number of interviews and reviewed relevant cost benefit analyses prepared by ICT Administration. To confirm anticipated cost savings, we conducted independent test work to determine if the savings were realized.

Conclusion

Management has implemented adequate controls to ensure the best economic interest of the Port in negotiated rates. We also found no productivity concerns caused by personal use of mobile devices. However, we noted that there is no formalized process to monitor mobile device usage at the department level. Although management has a number of mobile device policies, it has not clearly defined "incidental personal use" in its policies. The lack of a clear definition has contributed to various individual interpretations and inconsistent management monitoring practices.

Schedule of Findings and Recommendations

1. Inadequate Management Controls and Unclear Policy Regarding Smartphone Usage

We reviewed the current controls over mobile device/smartphone purchases, usage, and issuance. We noted the following weaknesses.

a. Management Monitoring

The current Port policy does not specifically identify the parameters for allowable non-business use of smartphones, as recommended by the State Auditor's Office. The Port policy simply states that personal use is to be incidental, but it does not provide a workable definition of the parameters allowed. In practice, the incidental use appears to be defined such that unless the Port incurs additional financial resources for minutes above and beyond negotiated pooled minutes, personal usage is considered incidental.

We interviewed 33 staff and managers throughout the Port to assess their understanding of the current mobile device policies. The interview results indicated that all were familiar with the Port policies and procedures, and that the current policies are helpful in defining high level expectations (i.e., limited non-business use). However, 50% of those interviewed believed that the policies and guidance are not clear. Specifically, "incidental personal use" is not clearly defined.

The lack of a clear definition of "incidental personal use" has contributed to minimal management monitoring of mobile device usage at the department level. Although our audit procedures found no productivity concerns stemming from personal use of smartphones, we found the current system of monitoring to be inadequate. For example, the current management monitoring does not effectively address the following risks:

- Non-exempt employee compensation for hours spent on smartphones while working on Port related business, outside the normal working hours.
- The likelihood of assigning unnecessary smartphones to employees with no business needs.
- High smartphone usage and its potential impact on employee productivity.

b. Business Justification for Smartphone

Individual departments are responsible for justifying and approving the issuance of smartphones to their employees (exempt or non-exempt). Departments submit a request to ICT via an online Service Request.
Upon receipt of the approved request, ICT processes and delivers devices.

We observed that the current system does not document business justification by the requesting department. While such documentation would help substantiate the need for each employee to have a mobile device, the importance of the justification is escalated with non-exempt employees, who are less likely to need their mobile device outside of their normal work hours.

We sampled 20 smartphones issued to non-exempt employees and conducted a test to assess the extent to which a smartphone was necessary for the employee's current job responsibilities. The results indicated that approximately 15% of the test population had job responsibilities with a less than clear business reason for a smartphone.

Given the extent of smartphones in use, monitoring of the usage is necessary as a sound organizational practice to promote intended effectiveness or productivity gains. Additionally, effective monitoring could result in a cost savings through the reduction of the total necessary pooled minutes.

Recommendation

We recommend management establish controls to:

- Refine policies related to "incidental personal use" and provide workable parameters/guidance that can promote better monitoring.
- Monitor smartphone usage and assess potential impacts.
- Document business justification for smartphone acquisition especially for the non-exempt employees.

Management Response

1. Refine policies related to "incidental personal use" and provide workable parameters/guidance that can promote better monitoring.

The ICT Department has taken a proactive approach to keep the costs of mobile technologies as low as possible for the Port's 24/7 operations. Our current smart phone plans provide unlimited data, free evening, weekend and mobile to mobile minutes, and pooled calling minutes on weekdays.
Because of these plans, incidental personal use by employees typically results in no additional cost to the Port.

Management agrees that policies related to "incidental personal use" need to be clarified. Current Port policies governing the appropriate use of Port resources, including mobile device usage, are located in the Code of Conduct (CC-1; CC-7). These policies are currently under revision. The revision process began in Q2 2010, when the Workplace Responsibility (WR) Officer convened a cross-department work group to clarify expectations regarding appropriate non-business use. To inform this effort, the WR Officer also facilitated a series of employee focus group discussions to solicit input. Research on the appropriate use policies of other governmental agencies and federal tax law implications was also conducted.

The revision process was placed on hold pending completion of this audit. With the audit's conclusion, the WR Officer will facilitate completion of the revision process. The cross-department work group will work with the Information and Communications Technology (ICT) Governance Board to finalize a revised policy on appropriate use of Port resources, including appropriate non-business use of mobile devices, in Q3 2011, and it will be included in a revised version of the Code of Conduct that all Port employees will be required to read and sign in Q4.

In addition to clarifying appropriate personal use, management (led by the Human Resources and Legal Departments) will work to establish guidelines for managers that clearly identify responsibilities for monitoring the use of Port equipment by non-exempt staff to avoid potential compensation issues under the Federal Labor Standards Act.

2. Monitor smartphone usage and assess potential impacts.

Currently, ICT distributes all mobile device bills to Departments for user and manager review.
We believe managers are in the best position to determine what usage is appropriate for their staff based upon their job responsibilities. While some employees have very large usage driven by their job responsibilities, others may have only minimal usage, but get occasional calls or emails that are extremely important and fully justify the expense of the mobile device.

Once clearer policies and guidelines for personal use and tracking non-exempt employee use are provided, the ICT Governance Board will clarify guidance to managers on mobile device monitoring and evaluate opportunities to enhance current processes for distributing and analyzing mobile device usage information.

3. Document business justification for smartphone acquisition especially for the non-exempt employees

Manager approval is currently required for all mobile device acquisitions. We believe managers are best able to match mobility requirements with their employees' job responsibilities. The ICT Governance Board will review the use of smart phones by non-exempt employees and will evaluate the benefits versus the costs of requiring formal business justification documentation for mobile devices.