The URL can be used to link to this page

Home My WebLink AboutIR 9081INFORMAL REPORT TO CITY COUNCIL MEMBERS To the Mayor and Members of the City Council No. 9081 July 14, 2009 Page 1 of 1 SUBJECT: Deloitte & Touche "Report to Management" for the FY2008 Audit In accordance with generally accepted auditing standards, Deloitte & Touche assessed the City of Fort Worth's (City) internal control environment when auditing the 2008 financial transactions and associated Comprehensive Annual Financial Report (CAFR). This action was performed as a basis for designing audit procedures and not for the purpose of expressing an opinion on the effectiveness of the City's internal controls. However, as a result of their observations, the external auditors have communicated the enclosed report for the consideration of management. It details internal control material weaknesses, significant deficiencies, and other observations. For your convenient reference and /or edification, please see Appendix of this report for definitions of these terms (see page 19). Section I of this report contains one additional material weakness and one significant deficiency that were not included in previous reports. Section II details two material weaknesses and five significant deficiencies that are repeated from prior management letters, while Section III includes two material weaknesses and two significant deficiencies that have been remediated since the most recent reporting period. This improvement is an accomplishment since, as you know, City staff has been focused on catching up and has published three CAFRs over the last year. As you may remember, the "Report to Management" or management letter for the fiscal year 2008 audit was scheduled to be presented to the Audit & Finance Advisory Committee on June 25"'. Because there was not a quorum, that meeting was cancelled. Since the next Audit & Finance Advisory Committee is not scheduled until July 23rd, it was decided to provide you with the Deloitte & Touche management letter accompanied by this Informal Report. The "Report to Management," the related governance letter, and other details of the 2008 audit will be discussed in the August Audit & Finance Advisory Committee meeting. Terry Kile, Audit Director of Public Sector Services with Deloitte & Touche, is out of the country at this time. However, he will be in attendance at the August meeting to present this information to the Committee members. In the interim, Lena H. Ellis (x8517) is available should you have questions or comments about the abovementioned report. Dale A. Fi r, P.E!' City Manager ISSUED BY THE CITY MANAGER FORT WORTH, TEXAS I I City of Fort Worth, 110- -" Report to Management Year Ended September 30, 2■■4 1-1-11" 1 Deloittel,,.`-.11 Deloitte & Touche LLP Suite 1501 201 Main Street Fort Worth, TX 76102-3134 June 23, 2009 USA FIR" Tel: +1 817 347 3300 Fax: +1 817 336 2013 www.deloitte,com The Honorable Mayor and City Council Members City of Fort Worth Fort Worth, Texas In planning and performing our audit of the financial statements of the City of Fort Worth (the "City") as of and for the year ended September 30, 2008 (on which we have issued our report dated June 23, 2009, which included a reference to other auditors), in accordance with auditing standards generally accepted in the United States of America, we considered the City's internal control over financial reporting as a basis for designing audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the City's internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of the City's internal control over financial reporting. Our consideration of internal control over financial reporting was for the limited purpose described in the preceding paragraph and was not designed to identify all deficiencies in internal control over financial reporting that might be significant deficiencies or material weaknesses. However, in connection with our audit, we have identified, and included in the attached Appendix, certain matters involving the City's internal control over financial reporting that we consider to be material weaknesses or significant deficiencies under standards established by the American Institute of Certified Public Accountants. This report does not include the communications of the other auditors on inter al control over financial reporting and other matters the are reported on separately by thoose auditors, The definitions of a deficiency, a material weakness, and a significant deficiency are also set forth in the attached Appendix. A description of the responsibility of management for establishing and maintaining irate al control over financial reporting and of the objectives of and inherent limitations of intemal control over N Avlermne, Deloftte Touch e Tohmatsu Although we have included mana•emenVs written response to our comments in the attached Appendix, such responses have not been subjected to the auditing procedures applied in our audit and, accordingly, we do not express an opinion or provide any form of assurance on the appropriateness of the responses or the effectiveness of any corrective actions described therein. This report is intended solely for the information and use of management, the City Council, others within the organization, and federal and state awarding agencies and is not intended to be, and should not be, used by anyone other than these specified parties. I Yours truly, Ims APPENDIX SECTION I — MATERIAL WEAKNESSES AND SIGNIFICANT DEFICIENCIES FBI IDENTIFIED IN CURRENT AUDIT We consider the following deficiencies in the City's internal control over financial reporting to be a material weakness or significant deficiency as of September 30, 2008: Criteria — Proper and timely accounting of all cash and investment transactions within the City's general ledger is critical to adequate controls over those balances. Condition — In December 2007 the City issued certain water bonds, but the City's Financial Management Services Department did not become aware of the transaction until March 2009. After the City recorded the transaction in March we noted that although the funds were now included in total cash and investments, they were not included within the City's overall reconciliation of cash and investments. Upon our notification to the City of this fact, the additional account was also added to the overall cash and investments reconciliation process, Context — The total amount of the funds were approximately $30 million. Cause — There appears to be incomplete communication of all of the cash and investment transactions between the treasury department and the Financial Management Services Department. Although the transaction occurred in the early part of fiscal year 2008, the Financial Management Services Department did not learn of the transaction or record it until well after year end. kiEffect — The absence of the funds from the City's records created an imbalance between the funds actually on deposit, or invested with the bank, and the City's general ledger. This occurred because Financial Management Services Department personnel were not aware of the additional account, Recommendation — Implement a formal communication process between the treasury function and the accounting function to properly report on a timely basis all debt issuances and new account deposits that occur throughout the year. In addition, on a monthly basis prepare an overall summary of all the individual bank and investment account reconciliations in order to reconcile the total of all accounts to the general ledger. I Significant Deficiency: Processing Expenditures in Excess of Budget Criteria — City policy requires that budgeted funds be available before expenditures can be processed within the system, City Council has the authority to amend the original budget to realign funds or INS release additional funds for spending; however, such spending should not occur until approval of such 0111 amendments has taken place. Condition — In certain instances, we noted that expenditures were incurred before. the City Council a prove an amended budget. thus resultill 41- t .110 1 Context — Budgetary comparison reports for July 2008 reflected overspent budgets for several funds, 10 including the General Fund, without prior approval from the Citv Council. Cause — The timing of expenditures sometimes causes unexpected budgetary differences that require a budgetary amendment approval by the City Council. Effect — In order for the budgetary control process to be an effective control over City expenditures, approval must be obtained prior to the expenditure of the funds. Recommendation — The budgetary process for a large city is certainly a very complex and inexact process. However, the strengths and benefits of pre-approval of expenditure levels by City Council are worthy of the efforts it takes to insure the process is effective. Reconsider the required procedures that would allow for a more timely approval of expenditures by the City council. Such consideration rs might include: • A reconsideration of the actual requirements of the City charter as they relate to specific approval of expenditures. 0 A reconsideration of the annual budgetary process to more closely plan for anticipated expenditures. • A reconsideration of the usefulness of an encumbrance process in anticipating contemplated expenditures that might exceed the original budget and require amendment. 9 A reconsideration of the timing and form of monthly reporting of expenditures as compared to budget, accompanied by estimations of future additional expenditures. WIN 0 A reconsideration of the budgetary level of control desired by City Council — whether at the functional, departmental, or some other level of reporting, E1110 go It is noted that while the City can improve or tighten its controls over the expenditure approval process, ultimately all expenditures are approved by Council. Most are approved as outlined above, W Mail, while others may be ratified after-the-fact in case of an emergency or other urgency. Budget Office and Financial Management Services staff will continue to monitor and work with city-wide departments to ensure all anticipated expenditures are properly approved before dollars are expended. 11914,1111;114 R 17 V. M-re We identified and previously communicated the following deficiencies that were considered to be a material weakness or significant deficiency in the City's internal control over financial reporting during our audit of the financial statements of the City for the year ended September 30, 2007, As of the date of this report, we believe these deficiencies have not yet been remediated by the City: da Material Weakness.- Accounting for Capital Assets (updated from fiscal ,years 2004-2007) Criteria - Proper accounting for capital assets requires the maintenance of an accurate, detailed listing of all expenditures that meet the City's criteria for capitalization - those that are long-lived and meet the City's capitalization threshold, Condition - A significant amount of effort has been made by the City over the past several years to improve the practices used to account for and report the City's investment in capital assets. For fiscal 2008, we did not note the level of errors that were noted in previous years related to capital assets. Audit adjustments for fiscal 2008 related to capital assets were not material and were generally 10 W11-T isolated to specific areas of the accounting process. However, there are certain matters that remain unresolved; and when considered cumulatively, we believe these matters represent a potential risk of material error in future years and therefore warrant continued attention by City management. These matters include: 0 A lack of formally written policies and procedures to be applied by all departments of the City. * An inconsistent application by various departments of the City's policies and procedures as currently implemented. • An incomplete understanding of the nature and purpose of accounting for Construction-in- Progress ("CIP") by some departmental personnel. 0 A lack of proper communication between the Financial Management Services Department and other City departments regarding donated assets received by the City, resulting in incomplete recording of donated assets. * A significant work load required of Financial Management Services Department accountants related to capital assets. Context - Capital assets represent the City's single largest asset. As of September 30, 2008, the City has over 1,500 projects set up to track and manage CIP costs. !La—use - The City has multiple departments and contractors managing construction projects and capital assets without consistent. complete guidance on the proper procedures to account for transactions or purchases, Formal procedures are not in place to establish timely communication 111- 11111, 1111, between the various departments and the Financial Management Services Department. 11 I Effect — Various inconsistent practices have developed throughout the City for accounting for CIP, Errors in accounting for cavital assets could have a material effect on the City's financial statemen We believe that the City's current system of accounting for capital assets (both electronic and manual) is not sufficiently designed or implemented to prevent or detect potential material errors in capital assets without a significant effort made at year-end to review transactions for the existence such errors. I - • • Implement a more sophisticated system of accounting for capital assets. Such a system should contain automated controls to insure proper accounting and reconciliation of capital assets. However, consider the importance of fully integrating an electronic capital asset system with the City's general ledger system and plan appropriate timing for the implementation of any new capital asset system relative to the City's overall ERP implementation time-table. • Develop a City-wide policy that defines when CIP projects are considered complete and should be transferred to completed assets. Develop a City policy that defines the date on which developer contributions should be added to capital assets. In addition, develop policies on accounting for capital assets in general and the related reconciliation processes. Ensure that such policies are implemented and enforced. • Implement controls over the application of overhead and direct labor charges to CIP projects and develop procedures that require the review and approval of these charges for accuracy and propriety. • Implement a policy to count the assets of each department on a rotation basis. Ensure that mona each asset is counted at least biennially, in order to comply with the requirements established N®R for Federally-funded assets. • Perform an evaluation of the useful life and salvage value estimates for classes or types of capital assets by comparing to actual experience to ensure they are reasonable. • On an overall basis, improve communication between the operating departments and the Financial Management Services Departments related to capital assets. I To better improve communications with departments, FMS is also using the Fiscal Accountability Committee to educate and coordinate capital asset matters. Future plans are to develop and administer training on accounting and fiscal topics, which includes providing guidance and instruction on proper capital asset management. The abovementioned will be facilitated with the selection and implementation of an Enterprise Resource Planning (ERP) financial system. This system will provide the means to better administer and enforce policies and procedures for overall accounting operations, inclusive of capital assets. Planning, requirements gathering, and system selection is in the initial stage, with system implementation scheduled for fiscal 2012. Material Weakness. Reporting Component Units (updated from fiscal years 2005-2007) Criteria — Governmental Accounting Standards Board ("GASB'*) Statement No. 14, The Financial .'a Reporting Entity and GASB Statement No. 39 Determining Whether Certain Organizations are Component Units provides guidance on the reporting of related organizations in the City's basic financial statements. Condition — The City did not accurately classify some organizations closely related to the City as component units. While the City has a process in place to identify potential component units, it did not include a thorough consideration of all criteria set forth in GASB Statement No. 14 and GASB Statement No. 39. Final conclusions for these related entities were not reviewed by someone knowledgeable of the guidance and the City's relationship to the entities. There is no consistent process in place to review activities of component units to determine whether their activities are properly accounted for in the City's general ledger. 10-0 amnm. Context — There are a number of potential component units (or related organizations) for the City that require assessment each year regarding their classification as component units and their financial activities, Recommendation — Perform an annual re-assessment of all potential component units to insure that their classification remains appropriate. This analysis should consider the basic criteria of GASB 14, but should also consider the additional criteria of GASB 39. In -addition, the financial activities of these related entities should be monitored to insure, that proper accounting for their financial activities are recorded in the CiNYI's financial statements, Significant Deficiency: Grant Management {updated from fiscal years 2005-2007) Criteria — OMB Circular A-133 requires the City,to annually prepare a Schedule of Expenditures of Federal and State Awards ("SEFA") that lists all expenditures related to Federal and State award programs for that year. Condition — The City worked very hard to prepare an accurate SEFA for the year ended September 30, 2008. However, numerous errors were noted which required adjustment in the schedule. Althou 9 o • • * ea ed 4 • nt material t the Citv as a whle. these e-rrs ruir su,�sta-tti,?_I effot-t, re_ie? • [ftJVK;W" • Context — For the year ended September 30, 2008, the City managed more than 150 different Feder and State grant awards. The funding methods and provisions for these grant awards vary, requirin 9 Imi the Financial Management Services Department to evaluate proper accounting and reporting for ea grant award. 11 Cause — Large numbers of grants accounted for in multiple funds create a difficult process in accumulating the data for the schedule. Nonstandard grants require research that was not properly or timely performed by grant accounting personnel. Effect — An improperly prepared SEFA misstates the expenditures for grant awards reported to the granting agencies. Further, errors in revenue recognition or untimely capital asset recording can occur when related expenditures are not properly reported. Recommendation — Develop standard policies and procedures for identifying and reporting grants in the general ledger. Continue to educate personnel in all departments on the requirements related to proper accounting and reporting for grants. This information should also include guidance on the nature of grants, both monetary and non-monetary. Use standard funds for accounting for such grants and perform periodic reviews of all departments to ensure that grant accounting standards and compliance requirements are met. Criteria — Policies and procedures related to control activities should be adequately documented in 1-1-111 order to-provide a consistent frarn-e-mrork for dw appliertion of accounting and reporfing,. JAN -8- I Condition — There is currently a general lack of doc umented policies and procedures related to accounting and reporting. As a result, there are instances of improper accounting entries recorded INthat require subsequent correcting journal entries. The City is currently using a combination of NO intensive internal supervisory reviews as well as additional reviews by an outside consultant to analyze year-end trial balances and make corrections before performing final closes and preparing financial statements. This process appears to generally be identifying most errors; however, a better RON,, process would • the correct recording of entries initially and prior to review by supervisors or M consultants. Heavy reliance on this review process could result in some errors not being detected and corrected on a timely basis. Mr MM7rung requirements are very compiex and require thoughtful and consistent policies and procedures that are well-documented in order to ensure consistent application. Cause — A rapidly changing public sector environment, combined with an outdated system has created many situations in which consistent application of procedures is difficult and often absent. ti Effect — The lack of formal policies and procedures contributes to inconsistent application of accounting and reporting methodologies and creates an environment in which changes in personnel can result in errors in the accounting function. Recommendation — We recognize that the City is working on a project to provide appropriate documentation of all accounting and reporting policies and procedures. We recommend swift completion and implementation of this project, including continuous training of all accounting personnel. Consider a periodic update to ensure that all policies and procedures remain appropriate in the changing municipal financial environment. Ensure that documented policies and procedures cover all aspects of the City's financial operations, including both manual and IT-driven procedures. In addition, ensure that training is provided to all appropriate accounting and departmental personnel. Signif klant Deficiency: Court System Accounts Rece&able and Escrow Liabilities (updatedfrom r jiscalyears 206 and 2007) Criteria — The activities of the City's municipal courts system generates both accounts receivable and escrow liabilities. 11'he court fines and fees should be appropriately -calculated, recorded, and reserved, as necessazy, Context — Although a formalized review of the system has now been completed, a final conclusion and settlement has not yet been reached and agreed to by the State of Texas, An audit by state auditors is now underway. Cause — The City implemented a new court system in calendar year 2006. With this implementation certain errors in the calculation and allocation of court fines and fees occurred and were not initially detected, Effect — Improper use • the courts system could result in errors in processing • court fines and fees and improper assessment of the amounts due to • due from the City related to citizens or other Is, parties. Recommendation — Work to resolve any remaining issues with the state auditors and make any necessary final corrections to the records. Insure that any deficiencies noted in the City's processes are fully addressed, 101 Views of Responsible Officials — Concur. The City implemented a new court system in calendar year 2005 and fiscal year 2006. The department has performed an assessment of the municipal court case management system to identify and correct the identified deficiencies, and developed an implementation plan to further enhance utilization of the system. The audit controls were tested to ensure the errors are not repeated. Final adjustments as required have been provided by Municipal Courts to the Financial Management Services department and Deloitte and Touche, LLP. The department has maintained contact with the Texas Comptroller of Public Accounts regarding this issue and is undergoing an audit review, which commenced on April 7, 2009. Distributions of collected funds are reviewed quarterly by the department to ensure accurate payments are being made to the State. These changes were implemented April 30, 2009. Sign�rtcunt Deficiency: * Computer System Access Controls {updated from fiscal years 2006 and Li 2007) Strong Password E?!forcemeat: The City's systems are not configured to force users to use a I 11 User Access Reviewsl• User access to the IT systems is not reviewed on a periodic basis to NO identify and corrp-ct arky inappropriate access, INS, 50 Im -10- I Configuration Reviews: The key configuration data sets and user roles are not reviewed on a periodic basis, This includes the appropriateness of access controls to datasets that are not protected by the security mechanisms (RACF protected dataset), direct access to data (direct database update access or command line access) and definition of key user roles within the ON applications. Security Administration Privileges: We noted a number of instances of excessive administrator privileges to various IT systems. For example, apart from the IT personnel, 25 other users have administrative privileges to the CourtView system, 24 system accounts have administrator privileges on the Windows domain that may not be needed, and the Financial Management Services Department personnel have administrative privileges on the Buy- Speed database that may not be needed. Context - Management is responsible for ensuring that all systems are secure and that unauthorized users do not have access to sensitive data. As such, access should be reviewed periodically and RON security strengthened to minimize such risks. The City is currently reestablishing and documenting 111 -11 policies and procedures related to controls. Effect- Unauthorized access to an entity's information systems can potentially allow damage to the NONE data which can lead to the integrity of the system or information maintained in the system being 0- 11--l---1,- compromised. Recommendation - The following should be considered: k Formal security policies, procedures and standards should be implemented by management. Periodic reviews or monitoring controls should be established to ensure that the established policies are appropriately implemented on all the systems and remain pertinent. System access of all personnel and key security configuration should be reviewed on a regular basis to ensure it is appropriate at all times. Appropriate security monitoring controls should be established and implemented based 1101", on the City's comprehensive security risk assessment, As committed to in the response to the Fiscal Year 2007 Audit, on April 1, 2009, the City updated its Svstern Access Review Procedure to address the key weaknesses, identified in this deficiency. it includes, key smurip coonfiguration, reviews to adminkstro-amr privileges and personne t -m a, e s, User Access Termination: Based on limited testing, three instances of terminated employees with access to the IT systems were noted. It was also noted that the City considers it to be the responsibility of the department heads to log a helpdesk ticket when a user is terminated or transferred. In such instances, a control requiring periodic user access review would allow management to detect and correct any inappropriate access. Configuration Reviews: The key configuration data sets and user roles are not reviewed on a periodic basis, This includes the appropriateness of access controls to datasets that are not protected by the security mechanisms (RACF protected dataset), direct access to data (direct database update access or command line access) and definition of key user roles within the ON applications. Security Administration Privileges: We noted a number of instances of excessive administrator privileges to various IT systems. For example, apart from the IT personnel, 25 other users have administrative privileges to the CourtView system, 24 system accounts have administrator privileges on the Windows domain that may not be needed, and the Financial Management Services Department personnel have administrative privileges on the Buy- Speed database that may not be needed. Context - Management is responsible for ensuring that all systems are secure and that unauthorized users do not have access to sensitive data. As such, access should be reviewed periodically and RON security strengthened to minimize such risks. The City is currently reestablishing and documenting 111 -11 policies and procedures related to controls. Effect- Unauthorized access to an entity's information systems can potentially allow damage to the NONE data which can lead to the integrity of the system or information maintained in the system being 0- 11--l---1,- compromised. Recommendation - The following should be considered: k Formal security policies, procedures and standards should be implemented by management. Periodic reviews or monitoring controls should be established to ensure that the established policies are appropriately implemented on all the systems and remain pertinent. System access of all personnel and key security configuration should be reviewed on a regular basis to ensure it is appropriate at all times. Appropriate security monitoring controls should be established and implemented based 1101", on the City's comprehensive security risk assessment, As committed to in the response to the Fiscal Year 2007 Audit, on April 1, 2009, the City updated its Svstern Access Review Procedure to address the key weaknesses, identified in this deficiency. it includes, key smurip coonfiguration, reviews to adminkstro-amr privileges and personne t -m a, e s, I A Decision Package for Fiscal Year 2010 was submitted to fund a comprehensive Security Risk L Assessment. If approved, upon completion of that assessment a plan to select and implement appropriate security monitoring controls can be established. Significant Defkliency: Change Management of CoMuter Controls {updated fromfiscaldears 2006 and 2007) Criteria — As changes are made to the City's systems (programs, databases, operating systems and data during the change process. Condition — The City has designed and implemented a Change Management Policy, but the current processes do not require that all changes are processed in accordance with the change management policy. Some of the specific cases noted were as follows: Emergency Changes: The programmers are given access to make changes directly in the production environment using special access (emergency access) to correct problems that are to be fixed on an urgent basis. When programmers are given such access, the access is left open for a period of 24 hours during regular weekdays and possibly up to 48 hours or more on the weekends before the access is disabled. Any change made by the programmer using such special access is not logged and reviewed for appropriateness and it is possible for a programmer to make unauthorized changes using this special access privilege. Migrating Changes: In the Water Services IT department, the Administrators implement changes in the production environment and also perform programming duties. In such cases, if unauthorized changes are made, they would not be detected by management on a timely basis. and improve monitoring. These updates include amending all Change Requests to include a test plan, implementation plan, back-out plan and validation plan, Additionally a Change Request is now required to be submitted within 24 hours of the Emergency Change. This update now separates the responsibties for those requesting the access, thoke granting the access, and the ml supervisory/manager who validates the reason for the access, Investigation will be done by March 20 10 to determine what monitoring capabilities the City has with current systems to enhance detection of unauthorized changes. SECTION III - REMEDIATED MATERIAL WEAKNESSES OR SIGNIFICANT DEFICIENCIES Condition and Cause — We noted numerous errors in the Cit:y's initial accounting for the current year's debt transactions. Although not material, these effors included inappropriate breakout and accounting for debt-associated costs, incomplete accounting for the current year's defeasance transactions, and incomplete accounting for the current year's new debt issuances. Certain info is related to some transactiops was not provided to the Citty's Financial Manaigement Services Depart-nneanit hay other deeps artmients involved in the taxis actions,. A On i I 1-000 Significant Deficiency: Controls over Wire Transfers (updated from fiscal years 2005 and 2006) Condition - We noted two instances in which approvals for wire transfers were not documented. We identified the following other deficiencies involving the City's internal control over financial reporting as of September 30, 2008 that we wish to bring to your attention: Cash Reconciliation and Reporting Process (updated from a Material Weakness in fiscal years 2004-2007 to a Deficiency in the current year) Criteria — Internal controls can be classified into two main types: preventive and detective. Preventive controls are designed to prevent material errors from occurring in the accounting process. Detective controls are designed to be a second layer of controls and to detect errors that have slipped through the preventive controls. The cash reconciliation process is a detective control designed to help identify errors in transactions related to cash receipts or disbursements. Appropriate controls over cash require complete and timely reconciliations of all bank accounts. Reconciliations should be reviewed timely to identify any inappropriate reconciling items that would require further research to be resolved. Condition — Although the reconciliations were performed, proper supervisory reviews of the reconciliations of some of the City's bank accounts to the general ledger were not performed on a timely basis throughout the year. Context — For fiscal year 2008, some bank reconciliations were not reviewed until February 2009, Cause — The level of multiple responsibilities assigned to certain supervisory personnel related to the overall efforts in improving the financial reporting process prevented them from performing timely reviews of all cash reconciliations. Effect — Some accounts were not reviewed on a timely basis, resulting in certain balances and activity not properly reflected in the City's general ledger. -14- Supporting Documentation for Journal Entries (updated from a Significant Deficiency in fiscal years 2005 -2007 to a Deficiency in the current year) I Falls - Criteria - Controls over journal entries are critical to the proper control over the City's accounting and financial reporting. �!— - tain sysmin InTen-a-c-e-a-Furntertunct transter entries the supporting documentation required to be attached to the journal entries and evidence of review and approval was missing or incomplete. NO' Context - Journal entries may significantly adjust the general ledger. Proper preparation, review and documentation of journal entries is crucial to proper accounting. Cause - The supporting documentation for system entries is not currently attached to all interface entries. Effect - Improper journal entries can cause significant errors in the financial statements. Budgetary controls help to mitigate the risk, but stronger controls should exist around journal entries to help prevent misappropriation of assets or misstatement of financial statements. Recommendation - Reinforce the need for careful review of each journal entry including a verification of complete documentation supporting each journal entry to be filed with the entry itself. Documentation of the Performance of Control Activities (updated from fiscal years 2006 and 200 7) Criteria - Control activities should be adequately documented in order to formalize the process, and provide a written record of the performance of the control. Condition - We noted that certain control activities are performed within the City but are not fully documented. Ensure that documented policies and procedures cover all aspects of the City's financial operations, including both manual and IT-driven procedures. 1rM Water Billing Master File (updated fro mf hicalyears 2006 and 200 7) -11-11" Criteria – A Master File of all water customers should be appropriately maintained. N BIG' Condition – Changes to the water billing master file are not appropriately reviewed for accuracy and timeliness. Context – Annually the City receives approximately $300 million in water revenues. Cause – The volume • changes required for the number of customers the City bills makes it diffic to properly segregate duties around the customer master file. I Effect – A lack of segregation of duties in maintaining the water customer master file or an inadequately reviewed master file could result in improper collection of water revenues through adjustments to accounts or improper coding of revenues to be received from customers. Recommendation – Any changes to the Master File should be made by or reviewed by a person independent of the one responsible for sending out bills. Employee Master File Controls (updated farm fiscal year 2007) Criteria - All changes to employee master file data should be logged and reviewed for accuracy by someone independent of those making the changes. Condition - Human resources employees, who are responsible for processing changes to employee master files, are also responsible for reviewing their own changes. In addition, each department coordinator has the ability to change employee addresses and the payroll department has the ability to make temporary changes to the pay rate and changes to direct deposit information. These changes are not tracked or logged and thus, can be made without approval. Context - Access to employee master files should be carefully controlled to prevent unauthorized changes to employee data. —Cause – The volume of employee master file data changes processed makes it difficult to properly segregate duties around the employee master file, Eff ect - Unauthorized or unapproved changes to employee master file data could result in payment errors. RM—Omm—od—elion - Establish formal procedures for tracking, logging, and approving all changes to employee master file data. I Condition and Caus - The City does not have a comprehensive Business Continuity Plan or Disaster Recovery Plan. Although the City performs IT disaster recovery preparedness functions such as back-up and offsite storage of back-ups, the effectiveness of these functions cannot be verified without periodic testing. It was also noted that the Water Department performed a disaster recovery exercise, however the results were not formally documented and analyzed. Context - Management is ultimately responsible for ensuring that all systems and information is available within a predetermined period of time after the occurrence of a business disruption to meet its business and service obligations. Effect- The lack of an adequate business continuity plan becomes evident only in the event a disaster actually occurs. However, such occurrences can never be anticipated and must be prepared for in advance. The existing plans should be periodically tested to ensure that the IT systems and Business process are recoverable as planned. Recommendation - Develop and implement a business continuity and disaster recovery plan to help ensure the continuation of the City's operations and system processing in the event of a disaster. The plan should also include periodic testing requirements and a process to update the plan based on business requirements. The City should: Develop and implement a business continuity plan • Test the plan on a regular basis and make adjustments based on the results of the tests • Create short term and long term information and operational strategies that support the overall business strategy and the information system requirements * Compare the actual results with the created short and long term strategies on a periodic basis and make adjustments as needed. • Implement a succession and cross training plan for key positions. SECTION V - OTHER MATTERS Our observations concerning other matters related to operations, compliance with laws and regulations, and best practices involving internal control over financial reporting that we wish to bring to your attention are as follows: RUM GASB 49.- Poltution Remediation Obligations MIN I I 111111- GASB 51: Accounting and Financial Reportingfor Intangible Assets Observation — GASB Statement No. 5 1, Accounting and Financial Reportingfor Intangible Assets, was also issued and is effective for the City beginning in fiscal year 2010. This Statement requires that all intangible assets not specifically excluded by its scope provisions be classified as capital assets. This Statement also provides authoritative guidance that specifically addresses the nature of these intangible assets. Such guidance should be applied in addition to the existing authoritative guidance for capital assets. GASB 52. Land and Other Real Estate Held as Investments by Endowments Observation — GASB Statement No. 52, Land and Other Real Estate Held as Investments by Endowments, was also issued and is effective for the City beginning in fiscal year 2009. This Statement establishes consistent standards for the reporting of land and other real estate held as investments by essentially similar entities. Governments also are required to report the changes in fair value as investment income and to disclose the methods and significant assumptions employed to determine fair value, and other information that they currently present for other investments reported at fair value. GASB 53: Accounting and Financial Reporting far Derivative Instruments Observation — GASB Statement No. 53, Accounting and Financial Reporting for Derivative Instruments, addresses the recognition, measurement, and disclosure of information regarding derivative instruments entered into by state and local governments. The statement requires that the fair value of financial arrangements called "derivatives" or "derivative instruments" be reported in the financial statements of state and local governments. Additional information about derivatives is disclosed in the notes to the financial statements, including identification of the risks to which hedging derivative instruments themselves expose a government. This Statement is effective for the City in fiscal year 2010. Re—commendation — Review all GASB Statements listed above and their implications to determine the potential impact on the City's financial statements, -18- W SECTION VI - DEFINITIONS to Because of the inherent limitations of internal control over financial reporting, including the possibty of collusion or improper management override of controls, material misstatements due to error or fraud may not be prevented or detected on a timely basis. Also, projections of NMI any evaluation of the effectiveness of the internal control over financial reporting to future periods are subject to the risk that the controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate. The definitions of a deficiency, a material weakness, and a significant deficiency that are established in AU 325, Communicating Internal Control Related Matters Identified in an Audit, are as follows: A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when (a) a properly designed control does not operate as designed, or (b) the person performing the control does not possess the necessary authority or competence to perform the control effectively. A material weakness is a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis. A significant deficiency is a deficiency, or combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. I SECTION VII - MANAGEMENT'S RESPONSIBILITY FOR AND THE OBJECTIVES AND LIMITATIONS OF INTERNAL CONTROL The following comments concerning management's responsibility for internal control over financial reporting and the objectives and inherent limitations of internal control over financial reporting are ON adapted from auditing standards generally accepted in the United States of America. Management's Responsibility R110 The City's management is responsible for the overall accuracy of the financial statements and their conformity with generally accepted accounting principles. In this regard, management is also responsible for establishing and maintaining effective internal control over financial reporting. Objectives of Internal Control over Financial Reporting Internal control over financial reporting is a process affected by those charged with governance, management, and other personnel and designed to provide reasonable assurance about the achievement of the entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. Internal control over the safeguarding of assets against unauthorized acquisition, use, or disposition may include controls related to financial reporting and operations objectives. Generally, controls that are relevant to an audit of financial statements are those that pertain to the entity's objective of reliable financial 0 reporting (i.e., the preparation of reliable financial statements that are fairly presented in conformity _0 M with generally accepted accounting principles). Inherent Limitations of Internal Control over Financial Reporting Because of the inherent limitations of internal control over financial reporting, including the possibility of collusion or improper management override of controls, material misstatements due to error or fraud may not be prevented or detected on a timely basis. Also, projections of any evaluation of the effectiveness of the internal control over financial reporting to future periods are subject to the risk that the controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate, --'0- ILI