EXECUTIVE SUMMARY
Information Technology General Controls Audit

AUDIT SCOPE

This audit focused primarily on general controls performed by the IT Department located in City Hall and utilized the Control Objectives for Information Technology (COBIT) 4.1 framework and associated criteria to determine the department’s current maturity level for each of the areas tested. For information on COBIT 4.1, please refer to the Information Systems Audit and Control Association’s (ISACA) website at http://www.isaca.org/cobit.

Fifteen processes of the 34 noted in COBIT were reviewed during this audit. At the time of the audit, implementation had not begun on the remaining 19 COBIT processes, which include critical IT controls (including security); therefore, Internal Audit was unable to test all COBIT processes as part of this audit (see Appendix A on page 5). Internal Audit testing included interviews and discussions with management and staff, document review, walk-throughs and testing of available documentation. The audit covered the period from October 2006 through May 2009.

REPORT CONTENT AND LIMITATION OF USE

This executive summary report is limited in detail. In order to obtain the full background on a particular item, please either review the detailed audit report or contact Internal Audit prior to drawing conclusions based on the limited information contained in this report. Objective ratings indicate the levels at which the objectives were met; rating definitions are included in Appendix B (page 6).

OVERALL CONCLUSION

The results of the audit indicate SIGNIFICANT OPPORTUNITIES FOR IMPROVEMENT EXIST.

This internal audit focused on the following objective:

Audit Objective: The overall objective of the audit was to determine whether IT general controls are in place and functioning effectively for the fifteen tested COBIT areas.
Objective Rating: X

Significant audit observations are listed below.
For a complete list of all audit observations and recommendations, see page 3 of this report.

Significant Issues

Audit Item Number/Observation, with Priority:

3. A tested and fully functional IT-specific disaster recovery plan is not in place. Priority: High
4. IT performance measures have not yet been developed. The department does not measure progress or perform benchmarking activities. Priority: High
5. Priority-setting for IT projects is done on an ad-hoc basis. The current IT Strategic Plan for the City was drafted by the IT Director and approved by the City Manager; not all Charter Officials and Department Directors were solicited for input into the plan. Priority: High

2|Page Audit #09-08: Information Technology General Controls

Information Technology General Controls Audit

1. Subject: PO 9 - Assess and Manage IT Risks
Priority: Medium

Observation: While some general risks were identified in the IT Strategic Plan, technical and security risks were not specifically noted as IT risks (i.e. viruses, worms, malicious code, risks to systems/data, etc). Internal Audit was unable to obtain evidence that an on-going internal IT department risk assessment process currently exists to ensure that risks and controls are appropriately reviewed on a periodic basis. A risk action plan to mitigate known risks was not in place at the time of the audit. This is considered crucial in an IT climate where risks (especially security risks) are continuously changing.

Recommendation: To ensure appropriate consideration of all key potential IT risks (technical, security, compliance, legal, contractual, etc), especially due to the continuously changing nature of security risks, IT management should consider:
a) Establishing an internal department process for identifying and assessing risks outside of the annual City-wide Risk Assessment in which all staff members are solicited for input; and
b) Developing a risk action plan to aid in effectively mitigating and addressing identified risks.

Management Response: An internal IT risk matrix, policy, and action plan will be established based on COBIT.

2. Subject: AI 1 - Identify Automated Solutions (also includes AI 2-5, 7; PO 10)
Priority: Medium

Observation: Internal Audit testing of projects was limited by the fact that only 60% of the audit sample had either full or partial IT involvement. For the one project in the audit sample where both IT and the affected department were fully involved, Internal Audit noted that the full project management approach was followed and applied to the project.

Recommendation: For the City to achieve the benefits of proper project management (resource planning, standardization of hardware and software, reduced maintenance issues and version conflicts), management should consider:
a) Adopting a full project management framework for large projects;
b) Formalizing and communicating the project management framework to all affected departments; and
c) Involving IT during the needs assessment phase.

Management Response: The CM will draft an IT Project Management Policy based on PMI framework.

3. Subject: DS 4 - Ensure Continuous Service
Priority: High

Observation: Although a city-wide Continuity of Operations Plan (COOP) plan exists and contains a section for the IT Department, a finalized and fully tested plan for IT-specific business continuity has not been in place for the previous 12 months. The IT Director stated that he did not establish critical function restoration timelines that appear in the city-wide COOP plan and also indicated they had not been tested as the City's participation in the annual County emergency management drill is not a full blown restoration. Internal Audit was unable to confirm that IT Department employees are at an adequate state of readiness to perform their assigned duties in the event of a disaster. No equipment is stored offsite and/or pre-staged in anticipation of an event or disaster (i.e. hardware, software, server scripts, etc).

Recommendation: To reduce the probability and impact of a major IT service interruption on key business functions, develop, maintain and test an IT-specific continuity plan. To ensure that IT employees are adequately prepared for their roles, provide periodic continuity plan training.

Management Response: An IT-specific COOP will be developed based on COBIT.

4. Subject: ME 1 - Monitor and Evaluate IT Performance
Priority: High

Observation: The IT Director indicated that there are no clearly established performance targets for measuring IT service delivery, nor does the department utilize any benchmarking techniques. The IT Director indicated that the measures reported in the budget book for IT may not be verifiable or reliable.

Recommendation: To ensure effective IT performance management, develop, implement and monitor performance measures for critical IT processes. Ongoing performance management permits early identification and provides an opportunity to take action on deviations from performance targets.

Management Response: Performance measures will be developed in accordance with COBIT recommendations.

5. Subject: ME 4 - Provide IT Governance
Priority: High

Observation: The IT Director has selected, and the City Manager has agreed, that COBIT v. 4.1 will be used as the IT governance framework. An IT Advisory Committee has been established; however, auditors were unable to determine the committee's responsibilities as they relate to prioritization of IT projects and investments and setting of strategy/strategic planning. Auditors were provided evidence of one half-hour meeting that occurred; however, minutes were not kept and Internal Audit could not determine any actions taken by the committee. The IT Director has created an IT Strategic Plan for the City, which he developed and which received approval from the City Manager. Auditors were unable to obtain evidence that the plan had been reviewed and approved by the other Charter Officials or whether input of other key decision-makers was included in the drafting of the plan. The IT Director has indicated that individual user-departments are responsible for assessing their technology resources and aligning those investments with strategic objectives and business imperatives.

Recommendation: In order for an information technology strategic plan to ensure that the City's IT investment is appropriately aligned with key city objectives it must:
a) Be based on the input and support of all key affected parties (i.e. Charter Officials, Department Directors, etc) and organizational units;
b) Be reviewed and revised on a frequent basis (such as annually) based on the input of an Information Technology Steering Committee comprised of key decision-makers; and
c) Be supported by an approved, detailed, and up-to-date tactical plan outlining the resource needs, prioritization and scheduling of projects.

Management Response:
a) The IT strategic plan will be based on the framework established by COBIT.
b) The strategic plan will be updated annually to be aligned with each fiscal year budget.
c) A tactical plan will be developed with each year's strategic plan. The tactical plan will be a base document for all project plans (recom #2) stemming from the strategic plan.

APPENDIX A
COBIT Processes Not Tested During this Audit

Of a total 34 COBIT processes, 19 were identified through a self-assessment by IT management as processes where implementation levels were not at a current state of readiness that would allow for effective Internal Audit testing. The following 19 processes were not included in the scope of this audit, as IT management indicated only an awareness of the area and/or a commitment to resolve in the future:

The area highlighted in yellow is of key importance to Information Technology Governance.
COBIT Domain: Plan and Organize (PO) - Provides direction to solution delivery and service delivery
COBIT Processes:
PO 1 - Define a Strategic IT Plan
PO 2 - Define the Information Architecture
PO 3 - Determine Technological Direction
PO 4 - Define the IT Processes, Organization and Relationships
PO 5 - Manage the IT Investment
PO 8 - Manage Quality

COBIT Domain: Acquire and Implement (AI) - Provides the solutions and passes them to be turned into services
COBIT Processes:
AI 6 - Manage Changes

COBIT Domain: Deliver and Support (DS) - Receives the solutions and makes them usable for end users
COBIT Processes:
DS 1 - Define and Manage Service Levels
DS 2 - Manage Third-party Services
DS 3 - Manage Performance and Capacity
DS 5 - Ensure Systems Security
DS 6 - Identify and Allocate Costs
DS 7 - Educate and Train Users
DS 9 - Manage the Configuration
DS 10 - Manage Problems
DS 12 - Manage the Physical Environment
DS 13 - Manage Operations

COBIT Domain: Monitor and Evaluate (ME) - Monitors all processes to ensure that the direction provided is followed
COBIT Processes:
ME 2 - Monitor and Evaluate Internal Control
ME 3 - Ensure Compliance with External Requirements

APPENDIX B
Audit Rating System

The audit ratings listed below are based on the auditor’s assessment of whether the following control objectives have been met:

• Safeguarding of assets,
• Effectiveness and efficiency of operations,
• Reliability of financial and operating information, and
• Compliance with City policies, regulations or rules and/or other governmental laws and regulations.

Red- A red control rating denotes significant business risk or exposure to the City that requires immediate attention and remediation efforts. The controls reviewed do not appear to provide reasonable assurance that the control objectives are being met. The City is being exposed to a high level of business risk and exposure. Management is advised to immediately review the design and effectiveness of existing controls or consider implementing new or additional controls.
Yellow- A yellow control rating denotes opportunities for improvement exist relating to the controls reviewed. If this state of control is not improved, it could lead to a higher than acceptable level of business risk or exposure to the City. The controls reviewed provide some, but not sufficient assurance that control objectives are being met. Management is advised to review the design and effectiveness of existing controls or consider implementing new or additional controls on a priority basis.

Green- A green control rating indicates that the controls reviewed at the time of the audit indicated a satisfactory or acceptable state of control, where risk appears to be minimized and appropriately managed. Controls reviewed appear to provide a high degree of assurance that control objectives are being met. To maintain this rating management is advised to continue to assess the control systems and monitor existing controls for efficiency and effectiveness as business and organizational changes occur.