ICT Management Letter
Management Letter To: Peter Garlock Chief Information Officer From: Joyce Kirangi Director, Internal Audit Date: March 18, 2010 Re: Internal Audit of ICT Department Internal Audit has completed an audit of the Information and Communication Technology (ICT) Department. The audit covered the period of January 1, 2007 through December 31, 2008. Our audit report contains no findings; however, during the course of our audit, we noted weaknesses in the ICT department as well as Port wide internal controls related to IT equipment that could be improved. The ICT control weaknesses related to accountability of equipment and the Port wide weaknesses related to accountability as well as surplus of IT equipment. The noted weaknesses were not significant enough to warrant inclusion in the report; however, if not addressed, the issues could become significant in the future. I. Accountability of Equipment Complete and accurate records are one of many required elements to properly establish accountability over purchased equipment. ICT purchases equipment for other departments and has physical custody of the equipment when it is received, in storage, and awaiting surplus. ICT maintains accountability using DK Inventory Manager (DK), which is an equipment tracking system that is maintained by the ICT department. We noted the following internal control weaknesses with regard to DK during the audit. Deleted Records Two-hundred-forty-eight records were deleted from DK without any supporting documentation. The equipment management module of DK does not prevent the user from deleting records. Based on the recorded serial numbers, we were able to classify 71 records as internal components. However, we could not ascertain the remaining 177 as to the type of equipment. In the absence of documentation, we were not able to determine if the deletions were proper. We noted that there were 398 deletions of records during the audit period as follows. Supported with Type Count documentation? Laptops 75 Yes Docking Stations 75 Yes Internal Components 71 No Unidentifiable 177 No Total 398 Management Letter Information and Communication Technology Page 1 Inaccurate records We selected one-hundred-sixty-five equipment records and tested them for accuracy of documentation in DK. Our testing disclosed eight exceptions where the status of the equipment (the department it was assigned to) was inaccurate in DK and there were two instances where the equipment was missing. Count Type Exception 8 2 laptops, 2 monitors, 2 docking Inaccurate status stations, 2 cell phones 1 1 laptop missing 1 1 docking station Missing When equipment records are inaccurate or incomplete, proper accountability may not be sustained. When proper accountability is not maintained the equipment may not be properly safeguarded or maintained. Recommendation We recommend that ICT implement controls to completely maintain equipment records and documentation. Integrity of data should also be maintained by reviewing and approving record deletions. ICT Management Response We agree that equipment records should not be deleted from the DK inventory management system, and instead, the record should be updated to reflect the reason why the equipment was not placed into service, or why it was returned to supplier, etc. We have already implemented this process. Separate from the internal audit, ICT conducted a full inventory of all 2,088 Personal Computers (PCs) that were issued throughout the Port. Twenty of the 2,088 PCs listed in DK (less than 1%) could not be found, and were reported to the Port of Seattle Police department as either lost or stolen. For comparison, Gartner Group, the largest Information Technology Consulting firm, has established a benchmark for annual PC loss at a rate of 3%-5% for a company of our size and mix of IT equipment. We agree that when equipment records are inaccurate or incomplete, proper accountability might not be sustained. Current Port-wide policy requires all departments to individually maintain records for their PC's, because ICT no longer has physical control of the assets once they have been delivered to using Departments. Departments frequently move or reassign equipment without notifying ICT, so it is impossible for ICT to maintain accurate records. In addition, a recent ICT staff reduction has decreased our ability to track all equipment changes. Management Letter Information and Communication Technology Page 2 II. Port wide Accountability of Non-Capitalized IT equipment The Port'spolicy for non-capitalized purchases requires that all Port departments are individually responsible for maintaining proper records for purchases of tangible, non-consumable items with individual costs of less than $20,000. During the audit, we observed that the procedure was not being followed as intended. Certain departments do not properly maintain records for non-capitalized information technology equipment. Specifically, of the nine Port departments that we visited for testing purposes, Three departments did not maintain any records. Four departments had records that were incomplete/ inaccurate. Although Port policy requires individual departments to track their tangible non-consumable items including information technology equipment, ICT's DK system has become a de facto list for ICT supported equipment for the Port as a whole. Recommendation We recommend that Port management evaluate the current procedures and practices over noncapitalized assets, and strengthen existing controls to assure proper accountability of IT related equipment. ICT Management Response We agree with Internal Auditing that Port-wide policies, procedures and controls regarding noncapitalized Port purchases should be strengthened. Accountability should be improved not only for IT assets, but for all Port assets. For IT equipment, we recommend that Port management implement a policy and process that holds individual users accountable and responsible for all IT equipment that they have been assigned until the asset is returned to ICT. III. Surplus The Port surplus its unneeded information technology equipment through the state surplus program that is administered by the Washington State General Administration (GA) agency. To use this surplus program, the State Surplus General Administration requires an itemized Property Disposal System (PDS) report be completed online prior to accepting surplus equipment. The state then approves the online request and provides an authorization number to be submitted with surplus equipment for proper receiving/handling. The Port's Central Procurement Office completes the online PDS report based on surplus information provided by ICT. When the online request is approved by the state, the Central Procurement Office informs ICT who provides the Maintenance Department with a copy of the PDS report for pick-up and delivery of the surplus equipment to the state. At the time of delivery of the surplus, the Maintenance Department provides a copy of the PDS report to the State Surplus. The report contains the authorization number. The online PDS report is then updated by State Surplus to acknowledge receipt of equipment. For the period 2007 to 2008, a total of 25 shipments of ICT surplus equipment were delivered to the State Surplus. Five of those shipments were not acknowledged as having been received, and an additional four shipments had only a portion of the equipment acknowledged by State Surplus. We Management Letter Information and Communication Technology Page 3 noted approximately 610 out of a total of approximately 2,499 pieces of equipment were not acknowledged as having been received by State Surplus. There seems to be a lack of coordination between the Port departments involved with the surplus process. Without coordination or surplus record reconciliation, we could not determine where in the surplus process the equipment may have been lost. A summary of the unacknowledged equipment is as follows: Computers 412 Laptops 19 Monitors 86 Printers 39 Scanners 6 Plotter 1 Fax 3 Camera 1 Misc. Equip 43 Total 610 Recommendation: We recommend that Port management evaluate the current procedures and practices over surplus to improve accountability through better coordination between the departments. ICT Management Response ICT strictly follows and complies with all current Port-wide procedures regarding surplusequipment disposal. However, we recommend that the Port's Central Procurement Office review these procedures to improve accountability of surplus equipment disposal with outside agencies. Management Letter Information and Communication Technology Page 4
Limitations of Translatable Documents
PDF files are created with text and images are placed at an exact position on a page of a fixed size.
Web pages are fluid in nature, and the exact positioning of PDF text creates presentation problems.
PDFs that are full page graphics, or scanned pages are generally unable to be made accessible, In these cases, viewing whatever plain text could be extracted is the only alternative.