State of Colorado Department of Revenue IT Audit



University of Colorado at Boulder
Created by Jose Giardiello, Robby Mushet, Karin Rosen, Sandra Sifuentes, Douglas Waechter
4/29/2009

Table of Contents

Engagement Summary
- Engagement Letter
Audit Plan
- Audit Arrangement Summary
- Audit Objectives and Background
- Audit Scope
- Internal Audit Planning Memorandum
Infrastructure Understanding
- DOR Infrastructure
- DOR Information Technology Division Organization Chart
- Colorado DOR Functional Organization Chart
- Acquisition As-is Process Map
- Installation As-is Process Map
- Maintenance As-is Process Maps
- Disposal As-is Process Map
Risk Assessment
- Introduction of Risk Assessment
- Prioritizing Business Risk
- DOR IT Asset Risk Matrix (Table)
- DOR IT Asset Risk Matrix (Graph)
- DOR IT Asset Risk Matrix Summary (Table)
- DOR IT Asset Risk Matrix Summary (Graph)
- Controls of Risks
- Control/Risk Matrix
Tests and Findings
- Test Plans
- DOR Test Forms
- Findings Summary
Recommendations
- Recommendations and Suggestions
Supplementary Documentation

Engagement Summary

Internal Audit Engagement Letter

March 11, 2009

Accounting Information Systems 2
Leeds School of Business
Boulder, CO 80303

Dear Matthew Morgan,

The Internal Audit Team is planning its audit for the Department of Revenue. The objectives of this audit will be:
- Establish procedures and develop a pilot audit program to be used as a guide and followed in future audits.
- Audit IT assets through their life cycle, from acquisition and installation through maintenance and, ultimately, disposal.
- Provide risk and control assessments as they relate to managing IT assets, along with recommendations to solve any problems identified.
- Enhance awareness of inventory management and the internal control structure.

The proposed timetable for this audit is as follows:
- Start date in the field: February 4, 2009
- Estimated weeks to complete: 12

The audit team will include the following members: Jose Giardiello, Robert Mushet, Sandra Sifuentes, Doug Waechter, Karin Rosen.

Our goal is to perform an effective and efficient audit.
We will need your staff to provide us with documents and procedures upon request.

At the conclusion of our audit, we will discuss the audit results and potential recommendations with management of the audited area before scheduling an exit conference with you. Prior to the exit conference, you will receive a draft audit report. After the exit conference, a final audit report will be delivered to you with a request for formal management responses to include in the audit report.

Our mission is to help you achieve your inventory objectives by providing information about the effectiveness of internal control and by recommending courses of action which will improve performance. If you have any questions about this audit, please do not hesitate to contact us.

Sincerely,
The Inventory Asset Management Team

Audit Plan

Audit Arrangement Summary

A well-written audit report is a highly effective tool for management to bring about positive change and to improve controls, risk management, accuracy of information, and the underlying process reviewed.
This audit report, as should future ones, considers the following:

Objectives and background
- Why the area was selected for the audit, and what it covers
- History of past issues
- Key aspects, risks and objectives of the area reviewed
Scope
- Which facets of operations are included in the scope
- Range of the work and when it is performed
- Key risks the work addresses
Planning memorandum and key concepts
- Significant aspects of the infrastructure
Findings
- The overall findings from tests and risk matrices
- The severity of the findings
- Issues to be addressed and reviewed
Recommendations
- Actions management must take to adequately address the audit findings
- Tracking of confirmed positive resolutions
- Industry best practices

Audit Objectives and Background

Project Purpose:
The main focus of this project is to create a pilot audit plan for the Department of Revenue that it will be able to use in future internal audits. The pilot audit plan is also applied in practice to audit a piece of the inventory asset management system, and recommendations for the risks identified are included in the audit. The main goal is to enhance awareness of inventory management at the Department of Revenue by strengthening its internal control structure, reducing asset management risk, and creating a guide for future audits.

Background of Project:
Jim Marlatt, a professor at the University of Colorado at Boulder, made contact with Matthew Morgan, Internal Audit Manager of the Colorado Department of Revenue (DOR). During their initial contacts they agreed to use student help to aid the DOR Internal Audit Department with its asset management system. After the project was presented to the students, five of them agreed to work together to help Matthew Morgan and the DOR Internal Audit Department prepare an audit plan.
Past Issue History:
The following list was created by Matthew Morgan.
- There are no previous risk assessments completed by the Internal Audit Section.
- There are budget/financial limitations on the department.
- There have been security control risks.
- Controls around disposition and inventory management could be enhanced.

Objectives of DOR:
These objectives were created by Matthew Morgan.
- Provide a description of the current processes used to manage software and hardware, including how purchases, disposals and transfers are managed.
- Develop a risk assessment as it relates to managing IT assets, and develop an audit program that addresses these risks and can be used by the Department's staff going forward.

Objectives of the Audit Team:
- Establish procedures and develop an audit program to be used as a guide and followed in future audits.
- Audit IT assets through the entire life cycle: acquisition, installation, maintenance, and disposal.
- Provide risk and control assessments related to the IT asset life cycle, along with recommendations to solve any problems identified.
Audit Scope

Project In-Scope:
- Develop a pilot internal audit program to provide guidelines for future audits.
  - Provide a comprehensive audit plan that can be used by DOR internal auditors in future audits.
  - The audit plan will be delivered in the form of an actual audit of IT assets, with supplemental information to show how the internal audit work was actually performed.
- Execute the internal audit program.
  - Matthew Morgan, the Internal Audit Manager of DOR, will be provided with an audit of IT assets.
  - If the entire audit has been completed and time permits, the team will perform a second audit of a different IT asset chosen by Matthew Morgan.
  - The audit will cover the acquisition, installation, maintenance, and disposal of IT assets.
- Provide an evaluation of process and control design, as well as testing methods to determine the operating effectiveness of controls.
  - Provide a prioritized risk assessment.
  - Verify that control procedures exist for all risks.
  - Provide solutions and recommendations to improve flagged procedures.
  - Recommend formal control procedures that are documented and tested frequently.
- Offer recommendations to address the findings.

Project Out-of-Scope:
- Provide a description of the information technology infrastructure
- Planning for hardware and software upgrades
- The Department's consolidation of multiple tax processing systems into a single, integrated system
- Physical inventory count
- The Lottery Division
- Examination of current budget allocation
- Full understanding of legal and state compliance
- Colorado State Titles and Registration (CSTAR)
- Approval stage of an IT asset during its acquisition
- The audit of mobile IT devices (cell phones, USB drives)

Memorandum: Internal Audit Planning

To: Matt Morgan
Date: February 18, 2009
Company: Department of Revenue
From: DOR Asset Management Student Audit Team

Internal Audit Team Members:
Name | E-mail | Contact Phone #
Jose Giardiello | jose.giardiello@colorado.edu | (720) 982-6563
Sandra Sifuentes | sandra.sifuentes@colorado.edu | (303) 746-5555
Doug Waechter | waechter.douglas@ | (715) 572-0503
Karin Rosen | karin.rosen@colorado.edu | (507) 236-0773
Robby Mushet | mushet@ | (415) 233-0616

Duration of the Audit:
The internal audit will begin with our first meeting with Matt Morgan, the Internal Audit Manager, on February 4th, and will end with a final presentation of our findings on April 29th. The final draft of the deliverable will be presented on April 29th, the date of our presentation to the client.

Location of the Internal Audit:
The audit will take place at any of the Front Range Department of Revenue locations necessary to attain the audit objectives laid out in this document.

Key Department of Revenue Contacts:
Contact | Position | Company | E-mail | Contact Phone #
Matt Morgan | Internal Audit Manager | Department of Revenue | mmorgan@spike.dor.state.co.us | (303) 866-3803
Lou Ennis | Desktop Support Manager | Department of Revenue | lenis@spike.dor.state.co.us | (303) 205-1380
Roy Mitze | Warehouse Logistics / Program Asst | Department of Revenue | rmitze@spike.dor.state.co.us | (303) 205-5651
Maria Armenta | Budget Analyst | Department of Revenue | marmenta@spike.dor.state.co.us | (303) 205-5718
Vanessa Jozef | IT Pro | Department of Revenue | vjozef@spike.dor.state.co.us | (303) 205-1386
Alison Roberts | IT Pro | Department of Revenue | aroberts@spike.dor.state.co.us | (303) 205-8340

Standard Definitions for Internal Audits:
The following definitions are provided by the COSO Internal Control - Integrated Framework. The SEC and PCAOB have acknowledged that the COSO framework is a suitable framework for evaluating internal control.

Risk Assessment - The entity's identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.

Control Environment - Sets the tone of an organization, influencing the control consciousness of its people.
This is the foundation for all other components of internal control, providing discipline and structure.

Information and Communication - Processes and systems that support the identification, capture and exchange of information in a form and time frame that enable people to carry out their responsibilities.

Internal Controls - Internal control is a process, a means to an end, not an end in itself. It is effected by people. Internal controls can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.

Audit Plan Models:
The following models were used to establish the DOR IT audit and audit plan.
- The Global Technology Audit Guide (GTAG): Developing an IT Audit Plan, by the Institute of Internal Auditors
- Guide to Internal Audit: Frequently Asked Questions About Developing and Maintaining an Effective Internal Audit Function, second edition, by Protiviti
- Protiviti Risk Assessment Workshop Presentation.ppt template

Deliverables:
The project deliverables will consist of the following:
- Audit Arrangement Summary
- Audit Objectives and Background
- Audit Scope
- Internal Audit Planning Memorandum
- Infrastructure Understanding
- As-is process maps
- Risk assessments
- Audit Findings and Report
- Recommendations and Best Practices
- Work Papers / Testing Documentation
- Meeting Minutes

The above deliverables will be split into two phases. The first deliverable will consist of the audit plan and will be delivered on February 25th; the second will be delivered on April 29th and will contain all of the audit findings.

Schedule:
Date | Task
February 4, 2009 | Field work at client
February 18, 2009 | Review audit plan; understand and map processes
February 25, 2009 | First deliverable due; work on as-is process maps
March 4, 2009 | Field work at client; work on as-is process maps
March 11, 2009 | Field work at client; do the "walk-through"; finish as-is process maps; turn in upgraded first deliverable
March 18, 2009 | Begin risk assessment
April 6 - April 15, 2009 | Finish risk assessment; test for controls; audit IT asset and finish the audit
April 22, 2009 | Present draft presentations for feedback
April 29, 2009 | Final presentations to the client; final deliverable due
May 6, 2009 | Present final presentation at the DOR

Infrastructure Understanding

DOR Infrastructure
Starting from the right perspective is crucial to creating a successful audit plan. Fundamental knowledge of the organization's infrastructure helps auditors assess its unique risks and understand how technology supports existing operating models.
Auditors can use several internal resources to identify and understand the organization, including:
- Vision statements
- Strategic plans
- Organization charts
- As-is process maps

After becoming familiar with the organization, the next step is to identify the key processes and significant applications that are critical to the success of the Department of Revenue.

Key Processes
The following processes make up the IT asset life cycle within DOR:
- Acquisition
- Installation
- Maintenance
- Disposal

Significant Applications
The following applications are frequently used within DOR.
- Altiris - Service-oriented management software that allows the organization to manage its IT assets.
- Problem Solve - A program in which technicians can view open problems with IT assets, log solutions, and archive each problem.

[Figures not reproduced in this extraction: DOR Information Technology Division Organization Chart; Colorado DOR Functional Organization Chart; Acquisition, Installation, Maintenance and Disposal As-is Process Maps.]

Risk Assessment

Introduction of Risk Assessment
The risk and controls matrix is a tool used in the scoping stage of an IT audit to identify the risks in a specific procedure and the controls that mitigate them. For the Department of Revenue, the asset management team examined the risks and controls associated with continuity, and assessed, categorized, and prioritized the current infrastructure within the risk and controls matrix.

Definition of Business Risk:
The level of exposure to uncertainties that the enterprise must understand and effectively manage as it achieves its objectives and creates value.
- It is not just about threats; there is an upside as well as a downside.
- Risk is not a single point estimate.
- Exposure and uncertainty are both important factors.

Things to Consider:
- Risk is a fact of life; life is constantly changing and is uncertain.
- All management is essentially risk management.
- Many risk management activities are well defined and accountability has been assigned.
- For risks that have not been defined or assigned, the risk can "slip between the cracks" or be managed inconsistently, depending on individual perceptions of its significance.

Identifying Business Risks:
Think about risks from the point of view of DOR, considering its goals and objectives.
- Identify inherent risks: the risks that exist in the organization regardless of its internal controls.
- Whether a risk is actually being controlled is only known once the control is tested.

Questions to Identify Risks:
- Where do you devote considerable internal effort in order to control?
- What areas receive considerable management reporting?
- Where have you devoted significant resources?
- What wouldn't you want on the front page of the newspaper?
- What are the key obstacles to taking advantage of opportunities?
- What do other states do better?
- What keeps you up at night?
- What do people complain about within the organization?
- If you could fix one thing at the organization, what would it be?

Prioritizing Business Risks

Two variables of business risk:
- Significance: how big an impact would this risk have if it were to occur? Impact could be in many areas, including financial, reputation, human resources, etc.
- Likelihood: how likely is it that this risk would actually occur, given the inherent uncertainties in your business? Do not consider the mitigating effects of internal controls; the score is for the inherent risk.

Significance Scale:
You can rank the 'significance' of your key business risks using the scale described below.
Level | Descriptor | Business Impact Description
7, 8, 9 | Major | Very significant financial loss that could ultimately jeopardize the ability of the organization to continue without major changes. May require regulatory communication. Very significant efficiency problems. Very high public scrutiny.
4, 5, 6 | Moderate | Financial loss is moderate, could be significant, and may require public disclosure. Management is involved with the issue and focused on resolving it in a timely manner. Efficiency problems are moderate.
Public scrutiny is moderate to none.
1, 2, 3 | Insignificant | Little financial loss. May not require the attention of management. Process changes likely not required in response to the risk occurrence. Few efficiency problems. No public scrutiny.

Likelihood Scale:
You can rank the 'likelihood' of your key business risks using the scale described below.
Level | Descriptor | Description
7, 8, 9 | Probable | The future event or events are expected to occur in most circumstances.
4, 5, 6 | Possible | The chance of the future event or events is more than remote but less than probable.
1, 2, 3 | Remote | The future event or events may occur only in exceptional circumstances.

Risk Category and Placement:
After identifying the inherent risks within the Department of Revenue, the risks were ranked on the Significance/Likelihood scale. The risk matrix and chart follow.

Risk Matrix
Risk | Significance | Likelihood
Control System Processes
R1 - Reporting confusion | 4.5 | 8.0
R2 - Unclear duties | 6.5 | 8.5
R3 - Non-standardized practices | 7.0 | 8.5
R4 - Non-collaboration with the accounting department | 7.5 | 9.0
R5 - Segregation of duties | 9.0 | 4.0
Spread Sheet Issues
R6 - Spreadsheet location/multiplicity | 3.0 | 7.0
R7 - Lack of confirmation/verification of spreadsheets | 6.5 | 6.0
R8 - Design of spreadsheet | 3.0 | 7.0
R9 - Access to spreadsheets | 7.0 | 5.0
PII Liability
R10 - PII becomes exposed | 9.0 | 5.5
Non-Budget Purchases
R11 - Non-approved purchases | 3.5 | 3.0
R12 - Delivery of assets | 3.0 | 5.0
R13 - Pro-card controls | 3.0 | 3.5
Misplacement/Storage Issues
R14 - Warehouse security access | 7.0 | 5.0
R15 - Surplus storage | 3.5 | 6.5
R16 - Misplacement of assets (outside warehouse) | 7.0 | 7.0
R17 - Untagged assets | 4.0 | 4.5
Software Controls
R18 - Licensing storage inefficiency | 3.0 | 8.0
R19 - Software copyright violation | 5.0 | 8.0
Hard Copy Documentation
R20 - Lack of hard copy sign-offs | 8.5 | 7.0
R21 - Hard copies are incomplete | 8.5 | 7.0
R22 - Hard copy security | 8.5 | 7.0

Key
Significance: 9 Major; 7 High; 5 Significant; 3 Moderate; 1 Insignificant
Likelihood: 9 Almost Certain; 7 Probable; 5 Reasonably Possible; 3 Unlikely; 1 Remote

[Figure not reproduced in this extraction: DOR IT Asset Risk Matrix (Graph).]

Risk Matrix - Summary
Category | Significance | Likelihood
1 - Control System Processes | 6.90 | 7.60
2 - Spread Sheet Issues | 4.88 | 6.25
3 - PII Liability | 9.00 | 9.00
4 - Non-Budget Purchases | 3.17 | 3.83
5 - Misplacement/Storage Issues | 5.38 | 5.75
6 - Software Controls | 4.00 | 8.00
7 - Hard Copy Documentation | 8.50 | 7.00
Key: as for the risk matrix above.
Note: each category figure is the mean of its rows in the risk matrix, except PII Liability, whose likelihood is listed as 9.00 although its only row, R10, is scored 5.5.

[Figure not reproduced in this extraction: DOR IT Asset Risk Matrix Summary (Graph).]

Controls of Risks
In order to address and mitigate all of the risks identified and prioritized, a list of controls was generated and added to the risk matrix. Whether a risk was actually being controlled was not known until the control was tested. Controls were identified as follows:
- Controls were identified throughout the as-is process and recorded in the as-is process maps.
- Often several risks are mitigated by one control activity.
- Both manual and automated controls were identified.
- Controls could be preventive (stop the risk from occurring), detective (identify a risk event that has occurred), or corrective (correct a risk event that has occurred).
- Controls are the link between the inherent risks and the actual process.
The control/risk matrix follows.

[Figure not reproduced in this extraction: Control/Risk Matrix.]

Tests and Findings

Test Plans
A high-quality audit report has overall findings from audit tests and control tests. These tests are highly effective tools for management to bring about positive change and to improve controls.
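The risk matrix, its category summary, and the selection rule applied in the test plans (only risks scored above six on both Significance and Likelihood are tested) can be reproduced mechanically. The Python below is an added worked example written for this edited page; it is not part of the audit team's deliverable. The 22 risk scores are copied from the risk matrix, and the control-to-risk associations are copied from the six test forms reproduced on this page, so the coverage check is partial: the full control/risk matrix is a figure that did not survive extraction, and the remaining test forms are not shown here. Recomputing the category means from the rows reproduces the summary table except for PII Liability, whose only row, R10, is scored 5.5 for likelihood while the summary lists 9.00; the page does not say how that figure was derived.

```python
"""Risk-matrix scoring and control-coverage check for an IT asset audit.

Added example (not from the DOR audit report). Scores and the control/risk
associations below are copied from the report; the code structure is ours.
"""
from collections import defaultdict
from dataclasses import dataclass

# Descriptor anchors from the risk matrix key (1-9 scale, descending).
SIGNIFICANCE_KEY = [(9, "Major"), (7, "High"), (5, "Significant"),
                    (3, "Moderate"), (1, "Insignificant")]
LIKELIHOOD_KEY = [(9, "Almost Certain"), (7, "Probable"),
                  (5, "Reasonably Possible"), (3, "Unlikely"), (1, "Remote")]


@dataclass(frozen=True)
class Risk:
    rid: str
    category: str
    name: str
    significance: float
    likelihood: float


# Inherent-risk scores from the DOR IT Asset Risk Matrix (22 rows).
RISKS = [
    Risk("R1", "Control System Processes", "Reporting confusion", 4.5, 8.0),
    Risk("R2", "Control System Processes", "Unclear duties", 6.5, 8.5),
    Risk("R3", "Control System Processes", "Non-standardized practices", 7.0, 8.5),
    Risk("R4", "Control System Processes", "Non-collaboration with accounting", 7.5, 9.0),
    Risk("R5", "Control System Processes", "Segregation of duties", 9.0, 4.0),
    Risk("R6", "Spread Sheet Issues", "Spreadsheet location/multiplicity", 3.0, 7.0),
    Risk("R7", "Spread Sheet Issues", "Lack of confirmation/verification", 6.5, 6.0),
    Risk("R8", "Spread Sheet Issues", "Design of spreadsheet", 3.0, 7.0),
    Risk("R9", "Spread Sheet Issues", "Access to spreadsheets", 7.0, 5.0),
    Risk("R10", "PII Liability", "PII becomes exposed", 9.0, 5.5),
    Risk("R11", "Non-Budget Purchases", "Non-approved purchases", 3.5, 3.0),
    Risk("R12", "Non-Budget Purchases", "Delivery of assets", 3.0, 5.0),
    Risk("R13", "Non-Budget Purchases", "Pro-card controls", 3.0, 3.5),
    Risk("R14", "Misplacement/Storage Issues", "Warehouse security access", 7.0, 5.0),
    Risk("R15", "Misplacement/Storage Issues", "Surplus storage", 3.5, 6.5),
    Risk("R16", "Misplacement/Storage Issues", "Misplacement of assets (outside warehouse)", 7.0, 7.0),
    Risk("R17", "Misplacement/Storage Issues", "Untagged assets", 4.0, 4.5),
    Risk("R18", "Software Controls", "Licensing storage inefficiency", 3.0, 8.0),
    Risk("R19", "Software Controls", "Software copyright violation", 5.0, 8.0),
    Risk("R20", "Hard Copy Documentation", "Lack of hard copy sign-offs", 8.5, 7.0),
    Risk("R21", "Hard Copy Documentation", "Hard copies are incomplete", 8.5, 7.0),
    Risk("R22", "Hard Copy Documentation", "Hard copy security", 8.5, 7.0),
]

# Control -> associated risks, taken only from the test forms reproduced on
# this page. Other controls (e.g. C5, C8-C10) are not shown, so coverage is partial.
TESTED_CONTROLS = {
    "C1": {"R7", "R21", "R22", "R23"},
    "C2": {"R2", "R3", "R6", "R7", "R8", "R9", "R22"},
    "C3": {"R7", "R14", "R21", "R22", "R23"},
    "C4": {"R2", "R3", "R5", "R11", "R12", "R13"},
    "C6": {"R1", "R2", "R3", "R6", "R7", "R8", "R9", "R18", "R19"},
    "C7": {"R2", "R3", "R6", "R7", "R8", "R9", "R14", "R15", "R21", "R22"},
}


def band(score):
    """Nearest key anchor: anchor a covers scores in [a-1, a+1)."""
    return next(a for a in (9, 7, 5, 3, 1) if score >= a - 1)


def descriptor(score, key):
    """Map a 1-9 score to its descriptor on the given key."""
    return dict(key)[band(score)]


def category_averages(risks=RISKS):
    """Mean significance and likelihood per category, rounded to 2 dp."""
    sums = defaultdict(lambda: [0.0, 0.0, 0])
    for r in risks:
        s = sums[r.category]
        s[0] += r.significance
        s[1] += r.likelihood
        s[2] += 1
    return {cat: (round(s[0] / s[2], 2), round(s[1] / s[2], 2))
            for cat, s in sums.items()}


def select_for_testing(risks=RISKS, threshold=6.0):
    """Risk IDs whose inherent score is above the threshold on both axes."""
    return [r.rid for r in risks
            if r.significance > threshold and r.likelihood > threshold]


def coverage_gaps(selected, controls=TESTED_CONTROLS):
    """Selected risks not associated with any control in the tested set."""
    covered = set().union(*controls.values())
    return [rid for rid in selected if rid not in covered]


def heat_map(risks=RISKS):
    """Text stand-in for the risk graph: rows are significance bands (high
    to low), columns likelihood bands (low to high); cells list risk IDs."""
    bands = (9, 7, 5, 3, 1)
    grid = {(s, l): [] for s in bands for l in bands}
    for r in risks:
        grid[(band(r.significance), band(r.likelihood))].append(r.rid)
    rows = [f"S{s} | " + " | ".join(",".join(grid[(s, l)]) or "-"
                                    for l in reversed(bands)) for s in bands]
    rows.append("     " + " | ".join(f"L{l}" for l in reversed(bands)))
    return rows


if __name__ == "__main__":
    for cat, (sig, lik) in category_averages().items():
        print(f"{cat:30} {sig:5.2f} {lik:5.2f}")
    chosen = select_for_testing()
    print("selected for testing:", chosen)
    print("not covered by a tested control:", coverage_gaps(chosen))
    print("\n".join(heat_map()))
```

Run stand-alone, the script lists seven risks above six on both axes (R2, R3, R4, R16, R20, R21, R22) and reports that three of them (R4, R16, R20) are not associated with any control whose test form appears on this page; before signing off the scope item "verify control procedures exist for all risks", an auditor would trace those three to the controls that were not tested or whose tests were omitted (5, 11-13, 15, 16, 21) or to the full control/risk matrix.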
During the Department of Revenue IT asset management audit, the tests performed and planned pertained to:
- The controls over the most likely and most significant risks, namely those scored above six on the Likelihood scale and above six on the Significance scale.
- The IT asset life cycle: acquisition, installation, maintenance, disposal.
- A randomly chosen sample of IT assets.
- In-scope and out-of-scope testing.

Controls 11, 12, 13, 15, 16, and 21 were not tested because they fall outside IT asset management or because the related risks were not significant enough. The Control 5 test was omitted from the deliverable due to insufficient evidence.

Each test is designed to test specific controls and contains all observations, results, and recommendations. The testing of IT assets through the IT asset life cycle was intertwined with the testing of specific controls. The information included in each test form is as follows:
- Process: the section of the IT asset life cycle in which the control takes place.
- Control Activity: description of the control.
- Control # and Associated Risk: the control and risk numbers, as referenced in the control/risk matrix.
- Risk/Control Type: the priority of the key control. Since all tests are associated with highly likely and very significant risks, all risk/control types are primary.
- Assigned To: the person or department with the most frequent interaction with the control.
- Closed Date: the date the audit ends.
- Frequency: the fiscal period for the test. All tests cover the annual fiscal period, which ends in June.
- Control Objective: defines the control.
- Walkthrough Documentation: the documentation most likely viewed and tested for that control.
- Operating Effectiveness - Test Steps: the planned audit steps and questions before execution of the test.
- Test Performed By: the members of the Audit Team or Internal Auditing office involved in executing the test.
- Approved By: the Internal Auditing Manager who approved the test.
- Date of Validation: the date on which the test took place.
- Completed By: the primary person in charge of completing the test form.
- Sample Details: details about the sample (what is being tested, what the population is, and how items were chosen).
- Period Tested: the period covered by the test.
- Validation Results/Findings: observations and findings made during the audit.
- Effective Control: Yes (the control effectively mitigates the risk); No (the control is missing or does not mitigate the risk); N/A (not applicable); Other (the control will effectively mitigate the risk after small modifications to the current process).
- Comments / Recommendations: further explanation and recommendations, if applicable.

The tests follow.

DOR Test Forms

Test Form: Control 1
Process: Acquisition
Control Activity: Storage of IT asset hard copies
Control # and Assoc. Risks: C1; R7, R21, R22, R23
Risk/Control Type: Primary
Assigned To: Budget
Control Objective: To securely store and complete the IT asset acquisition hard copies (RFS purchase orders).
Closed Date: 4/29/09
Frequency: Annual
Walkthrough Documentation: RFS forms; receiving documentation; approval packets; payment voucher
Operating Effectiveness - Test Steps:
1. Evaluate storage of IT acquisition forms.
2. Verify forms are complete.
3. Check that all documentation is done in the same way.
Test Performed By: Sandra Sifuentes, Jose Giardiello
Approved By: Matthew Morgan
Date of Validation: 4/10/09
Completed By: Jose Giardiello
Sample Details (what is being tested, what the population is, how items were chosen):
Asset RFS # 11963, 11908, 11899, 11914, 12030, 12083; sample gathered from a population of 45 completed orders; items chosen by random number generator in Excel.
Period Tested: July 2008 to February 2009
Validation Results/Findings:
1) There is clear organization in the storage of hard copy IT acquisition forms.
2) All RFS# tested were properly stored in their respective locations and securely stored in the proper office.
3) All RFS# tested had proper sign-offs/authorizations.
4) All RFS# tested had complete receiving documentation, approval packets, and payment vouchers.
5) RFS#11899 had proper supplementary information in the form of RFS#11899A.
6) RFS#11963 was found in its proper place; although it carried last year's date, this was correct because of fiscal-year dating.
7) A hardware RFS#, 12083, was chosen randomly during the test; it showed proper documentation including the packing slip from the warehouse, signatures, pro-card forms and payment vouchers.
Effective Control: Yes
Comments / Recommendations:
Operating Effectiveness: Effective organization and storage.
Comments: Templates are used for the RFS form, which is effective in maintaining proper and consistent documentation. All RFS# had digital copies of the physical forms, recorded in a secure global spreadsheet (refer to test/control #2).
Recommendations: None

Test Form: Control 2
Process: Acquisition
Control Activity: Updated RFS spreadsheet
Control # and Assoc.
Risks: C2; R2, R3, R6, R7, R8, R9, R22
Risk/Control Type: Primary
Assigned To: Budget
Control Objective: RFS documents are consolidated and kept up to date in a global spreadsheet.
Closed Date: 4/29/09
Frequency: Annual
Walkthrough Documentation: RFS forms; receiving documentation; approval packets; payment voucher; global spreadsheet
Operating Effectiveness - Test Steps:
1. Check for access to the spreadsheet.
2. Test for completion of the spreadsheet.
3. Check that the correct people have access to the global spreadsheet.
Test Performed By: Sandra Sifuentes, Jose Giardiello, Matthew Morgan
Approved By: Matthew Morgan
Date of Validation: 4/10/09
Completed By: Jose Giardiello
Sample Details: Asset RFS # 11963, 11908, 11899, 11914, 12030, 12083; sample gathered from a population of 45 completed orders; items chosen by random number generator in Excel.
Period Tested: July 2008 to February 2009
Validation Results/Findings:
1) Everyone at the DOR can view the global spreadsheet on the intranet.
2) Only 5 people can make changes to the spreadsheet; those 5 share a password that allows changes.
3) The password has not been changed since its creation.
4) Remote connectivity was checked with Matt Morgan: people without the password cannot make changes and can only save a copy of the spreadsheet.
5) All RFS# were found in the spreadsheet, and all had the same documentation as the hard copies.
6) RFS#11899 had proper supplementary information in the form of RFS#11899A.
7) Hardware RFS#12083, chosen randomly during the test, showed all the proper copies of the hard-copy documentation.
8) The CIO must approve all orders above $10,000.
9) The spreadsheet is kept up to date by the budget staff only for what they know and work on, i.e. budget.
Effective Control: Other (see comments)
Comments / Recommendations:
Operating Effectiveness: Effective control, except that the password has not been changed since its creation and the spreadsheet is not fully updated.
Comments: Controls #1 and #2 are connected: since very few people can change the spreadsheet, the hard copies must match the copies on the intranet, which in our tests they do.
Recommendations:
- Change the global spreadsheet password regularly. Because one password is shared by all five editors, a change cannot be attributed to an individual, so it should also be changed whenever an editor leaves the group.
- Have one consolidated spreadsheet that is frequently updated.

Test Form: Control 3
Process: Installation
Control Activity: Verification of asset during receiving phase
Control # and Assoc. Risks: C3; R7, R14, R21, R22, R23
Risk/Control Type: Primary
Assigned To: Warehouse Logistics
Control Objective: Assets are properly accounted for and kept up to date in a global document.
Closed Date: 4/29/09
Frequency: Annual
Walkthrough Documentation: RFS forms; receiving documentation; updated document with received asset
Operating Effectiveness - Test Steps:
1. Check that RFS forms match receiving forms.
2. Check for proper signatures for the receipt of an asset.
3. Test for completion of the spreadsheet.
Test Performed By: Karin Rosen, Jose Giardiello, Doug Waechter
Approved By: Matthew Morgan
Date of Validation: 4/17/09
Completed By: Jose Giardiello
Sample Details (what is being tested, what the population is, how items were chosen):
Asset RFS # 11963, 11908, 11899, 11914, 12030, 12083; sample gathered from a population of 45 completed orders; items chosen by random number generator in Excel.
Period Tested: July 2008 to February 2009
Validation Results/Findings:
1) All RFS forms are copies of the global spreadsheet.
2) All RFS forms kept in the warehouse are copies of the first 2-3 pages of the RFS packets kept in the budget office.
3) Once an asset is delivered, the packing slip is put into the corresponding RFS packet.
4) Not all assets that arrive have packing slips; this is a third-party failure, not a DOR one. Assets without a packing slip are held in the warehouse until someone claims them; only then are the RFS packets completed.
5) Once an asset is received, the global (budget) spreadsheet is updated with the date the asset was received.
6) All RFS# tested matched the receiving forms, including RFS#12083 (the hardware RFS randomly chosen during the test for control #1).
Effective Control: Yes
Comments / Recommendations:
Operating Effectiveness: Missing packing slips are not a DOR control failure.
Comments: Templates are used for the RFS form, which is effective in maintaining proper and consistent documentation.
Recommendations: Packing slips serve as the "signature" that verifies a received asset, but some assets arrive without one; use other verification methods (beyond the global spreadsheet verification) for those assets.

Test Form: Control 4
Process: Installation
Control Activity: Who receives the asset?
Control # and Assoc.
Risks: C4; R2, R3, R5, R11, R12, R13
Risk/Control Type: Primary
Assigned To: Warehouse
Control Objective: To verify who receives the purchased item when it is first delivered to the warehouse.
Closed Date: 4/29/09
Frequency: Annual
Walkthrough Documentation: Asset packing slip
Operating Effectiveness - Test Steps:
1. Determine who receives the asset when it is first delivered.
2. Check for documentation and signatures that verify the delivery.
3. Confirm this process is done in a timely manner.
Test Performed By: Doug Waechter, Karin Rosen
Approved By: Matthew Morgan
Date of Validation: 4/17/2009
Completed By: Karin Rosen
Sample Details: What is being tested? Warehouse logistics.
Period Tested: July 2008 to February 2009
Validation Results/Findings:
1) Warehouse personnel receive the asset along with the packing slip.
2) They have the packing slip signed by the warehouse manager.
3) The equipment is then left in the warehouse until it is tagged and given to the user. The packing slip is stored with the RFS# form in the hardware or software binders.
4) There appeared to be no specific assignment of who receives the asset, or of when the slip must be signed by the warehouse manager.
Effective Control: Other (see comments)
Comments / Recommendations:
Operating Effectiveness: Documentation is kept to verify that the warehouse has received the asset, but there is no specific process for receiving an asset.
Recommendations: There should be a specific, documented procedure for how an asset is received, with guidelines on how quickly a packing slip must be signed by the warehouse manager.

Test Form: Control 6
Process: Installation
Control Activity: Proper documentation and recording for licenses
Control # and Assoc.
RisksC6R 1,2,3,6,7,8,9,18,19Risk/Control TypePrimaryAssigned ToBudget and TechniciansControl ObjectiveTo securely complete and store the proper licensing records, electronic and hard copies.Closed Date4/29/09FrequencyAnnualWalkthrough DocumentationRFS formsApproval PacketsLicense CertificateOperating Effectiveness - Test StepsEvaluate storage of IT Licenses.Verify forms are complete.Check that all documentation is done similarly.Test Performed BySandra Sifuentes, Doug Waetcher, Karin RosenApproved ByMatthew MorganDate of Validation4/12/09Completed BySandra SifuentesSample Details What is being tested?What is the population? (List the entire population or reference where the population source.)How were items chosen? Asset RFS # 11963 11908 11899 11914 12030sample gathered from a Population of 45 orders completedItems chosen by random number generator in excelPeriod TestedFromJuly 2008ToFebruary 2009Validation Results/Findings1) There is clear organization when it comes to the storage of IT hard copy license certificates2) All RFS# tested were properly stored in their perspective locations and securely stored in the proper office3) All RFS# tested had proper sign offs/authorizations4) All RFS# tested had complete license documentation5) Both, budget employees and technicians, had copies of electronic and hardcopy licenses in their recordsEffective Control_x_Yes__ No__ N/A__ Other, please specify in comments section below(If not in compliance with required practice, provide further explanation below (e.g. Action Taken, reference to Action Plan created, etc.)Comments / RecommendationsOperating EffectivenessEffective organization and storageCommentsTemplates are used for RFS packets, which is effective in maintaining proper licensing documentationRecommendationsNoneProcess InstallationControl Activity Warehouse spreadsheet is completeControl # andAssoc. 
C7; R 2, 3, 6, 7, 8, 9, 14, 15, 21, 22
Risk/Control Type: Primary
Assigned To: Warehouse
Control Objective: To confirm that the global warehouse spreadsheet is complete with all information pertaining to new assets.
Closed Date: 4/29/09
Frequency: Annual
Walkthrough Documentation:
- Asset RFS forms
- Global spreadsheet
Operating Effectiveness - Test Steps:
1. Randomly select 5 RFS numbers from the list.
2. Verify that the information on the RFS forms matches the information on the global spreadsheet.
3. Check whether the spreadsheet is correctly filled out for the complete life cycle of an asset.
4. Confirm that a uniform process is being used for the entire spreadsheet.
Test Performed By: Karin Rosen, Doug Waechter, Jose Giardiello
Approved By: Matthew Morgan
Date of Validation: 4/17/09
Completed By: Jose Giardiello
Sample Details:
What is being tested? What is the population? (List the entire population or reference the population source.) How were items chosen?
Asset RFS # 11963, 11908, 11899, 11914, 12030, 12083
Sample collected from a population of 45 completed orders.
Items chosen by random number generator in Excel.
Period Tested: From July 2008 To February 2009
Validation Results/Findings:
1) The randomly selected RFS# were found in the hardware or software binders kept by the warehouse manager.
2) The information on the spreadsheet matched the information on the hard copies.
3) The spreadsheet was correctly filled out. However, the spreadsheet was not updated after the asset was disposed of.
4) The "order status" and "est. delivery date" columns were uniformly filled out. However, some columns were filled out incorrectly by different departments.
Effective Control: __ Yes _X_ No __ N/A __ Other (please specify in comments section below)
(If not in compliance with required practice, provide further explanation below, e.g. Action Taken, reference to Action Plan created, etc.)
Comments / Recommendations:
Operating Effectiveness: This control is somewhat effective because the spreadsheet information matches the information on the hard copies. However, there are no set guidelines for how the spreadsheet should be filled out, and the spreadsheet was not updated after disposal.
Recommendations: Set guidelines for the global spreadsheet on how each column should be filled out. Give examples of the specific information that should go into each category and of when a signature or initials is necessary. Confirm that the spreadsheet is updated after equipment is disposed of.

Process: Installation - Desktop Software
Control Activity: Software storage and re-installation
Control # and Assoc. Risks: C8; R 2, 3, 7, 16, 21, 22
Risk/Control Type: Primary
Assigned To: Enterprise Services
Control Objective: Software ordered before the new system was implemented is being stored safely and licenses are being recorded accurately.
Closed Date: 4/29
Frequency: Constant
Control Activity / Walkthrough Documentation:
1) Software ordered before the new process was implemented is recorded on Desktop_Licensing.xls on the intra web, and the installation disk is stored in a secure cabinet at the Capitol Hill location.
2) Any requests for installation of the software should be recorded on the spreadsheet, and the hard copy documentation should be included in the hard copy packet in the cabinet with the software. All of the following documents should be included in the packet in the software cabinet at the Capitol Hill location:
1) Purchase Order
2) Payment Voucher
3) License Transfer Form
Operating Effectiveness - Test Steps:
1. Observe the security of the software and associated hard copy.
2. Find hard copies associated with assets chosen from the spreadsheet.
3. Look for the purchase order, payment voucher, and license transfer form in the hard copy packet.
4. Ensure that the information on the hard copy matches the information from the spreadsheet.
5. Ensure that the installation CD for the chosen software can be found in the cabinet.
Test Performed By: Beth Williams
Approved By: Matthew Morgan
Date of Validation: 4/22/09
Completed By: Robert Mushet
Sample Details:
What is being tested? How many items tested?
State ID tag:
425-70633 - Microsoft Access 2000 VUP
425-28428 - Adobe Acrobat v4.0
425-70842 - Crystal Decisions Crystal Reports v9.0
Period Tested: From July 2008 To April 2009
Validation Results/Findings (numbers correlate to the test steps above):
1) Storage of the software seems secure, but hard copies are not in the cabinet.
2) Hard copies are not in the cabinet; we were also unable to find the specific software in the cabinet.
3) None of the software in the cabinet had any of the listed items. Per Rick Dean, five or so years ago they started a project to gather all of this information. They wanted to incorporate their tracking with the Altiris software, but that never happened, due to someone having to create a special report for that to work. Currently, they do not keep this information together.
4) No hard copies were found. The specific software was not found.
5) Older or newer versions were in the cabinet, but not the specific one selected. The Adobe software was located, but not the specific version selected. There is a chance that some of the software selected was put on a server and DOR then purchased multiple licenses for installing on many computers.
Effective Control? __ Yes _X_ No __ N/A __ Other (please specify in comments section below)
Management Response: Rick Dean suggested talking to Lou Ennis, who is in charge of Altiris, to try to track these applications through Altiris instead. May have to look for the purchase order, payment voucher, etc. in Accounting and Financial Services (AFS).
Comments / Recommendations:
Operating Effectiveness: This control does not seem to be effective. We knew this would be the case before testing it. The process only relates to software ordered before the new ordering process was implemented, a little over a year ago, and is currently only used for specialty software.
Comments: No further follow-up was done for the related control. The issue does not seem significant enough to warrant any more testing. The risks associated with this control are that 1) someone reorders a piece of old software because it cannot be located (possible likelihood but low significance) and 2) a license key is used more than once to install an old piece of software (possible likelihood, low significance: DOR can uninstall if there is a complaint from the manufacturer).
Recommendations: Incorporate a comprehensive software and license storage system to manage both the old and the new software.

Process: Installation
Control Activity: Completion and storage of IT work orders
Control # and Assoc. Risks: C9; R 20, 21
Risk/Control Type: Primary
Assigned To: Technicians
Control Objective: To securely complete and store the IT installation work orders, electronic and hard copies.
Closed Date: 4/29/09
Frequency: Annual
Walkthrough Documentation:
- RFS forms
- Approval packets
- Work Order Request Form
- Global Drive
Operating Effectiveness - Test Steps:
1. Evaluate storage of IT work order forms.
2. Verify forms are complete.
3. Check that all documentation is done similarly.
4. Check the Global Drive for updated installation status.
Test Performed By: Sandra Sifuentes, Doug Waechter, Karin Rosen
Approved By: Matthew Morgan
Date of Validation: 4/15/09
Completed By: Sandra Sifuentes
Sample Details:
What is being tested? What is the population? (List the entire population or reference the population source.) How were items chosen?
Asset RFS # 11963, 11908, 11899, 11914, 12030
Sample gathered from a population of 45 completed orders.
Items chosen by random number generator in Excel.
Period Tested: From July 2008 To February 2009
Validation Results/Findings:
1) There is clear organization when it comes to the storage of IT hard copy acquisition forms.
2) All RFS# tested were properly stored in their respective locations and securely stored in the proper office.
3) All RFS# tested had proper sign-offs/authorizations.
4) All RFS# tested had complete receiving documentation, approval packets, and payment vouchers.
5) RFS#11899 had proper supplemental information in the form of RFS#11899A.
6) RFS#11963 and RFS#11908A (orders in 2008) were not complete: missing IT work request forms and sign-offs, in pending status.
7) A software transfer RFS#, RFS#58750, was chosen randomly during the test; it was tested and the findings show proper documentation including request forms, signatures, and date of completion.
Effective Control: _X_ Yes __ No __ N/A __ Other (please specify in comments section below)
(If not in compliance with required practice, provide further explanation below, e.g. Action Taken, reference to Action Plan created, etc.)
Comments / Recommendations:
Operating Effectiveness: Effective organization and storage.
Comments: Templates are used for the IT work request form, which is effective in maintaining proper documentation.
Recommendations: Maintain a consistent deadline for IT PROs to return completed work order forms.

Process: Installation
Control Activity: Verification between tags and spreadsheet
Control # and Assoc. Risks: C10; R 6, 7, 8, 9, 17
Risk/Control Type: Primary
Assigned To: IT department
Control Objective: To verify that the computer tag numbers match the numbers stored on the spreadsheet.
Closed Date: 4/29/09
Frequency: Annual
Walkthrough Documentation:
- Computer tag numbers from the spreadsheet
- Tag numbers on the computers
Operating Effectiveness - Test Steps:
1. Randomly choose 5 tag numbers from the global spreadsheet.
2. Check that the tag numbers match the physical tags on the computers.
3. Confirm the correct user of the computer is entered in the spreadsheet.
Test Performed By: Sandra Sifuentes, Doug Waechter, Karin Rosen
Approved By: Matthew Morgan
Date of Validation: 4/15/2009
Completed By: Karin Rosen
Sample Details:
What is being tested? What is the population? (List the entire population or reference the population source.) How were items chosen?
Computer tag numbers: 70633, 77875, 71809, 71775, 71587
Items chosen by random number generator in Excel.
Period Tested: From July 2008 To February 2009
Validation Results/Findings:
1) There was a list of computer tag numbers that was complete and filled out correctly.
2) The spreadsheet showed the users of the tagged computers.
3) All five randomly selected tag numbers matched the physical tag number on the computers, and the users matched what was recorded in the spreadsheet:
70633 Margaret Youngman
77875 Brian Shell
71809 Kathy Beesing
71775 Michelle Lane
71587 Martin Kinney
Effective Control: _X_ Yes __ No __ N/A __ Other (please specify in comments section below)
(If not in compliance with required practice, provide further explanation below, e.g. Action Taken, reference to Action Plan created, etc.)
Comments / Recommendations:
Operating Effectiveness: This control seems effective. The tags and user names were properly recorded on the spreadsheet and matched the physical asset and its user.
Comments: None
Recommendations: None

Process: Maintenance
Control Activity: Testing of patches & upgrades
Control # and Assoc. Risks: C 14, 18, 19; R 1, 2
Control Type: Primary
Assigned To: Technician
Control Objective: To ensure the IT assets have the appropriate patches and upgrades as recommended by the manufacturer and as determined by technicians.
Closed Date: 4/29/09
Control Frequency: Annual
Walkthrough Documentation: All documentation is contained in the Altiris system.
Operating Effectiveness - Test Steps:
1. Determine where technicians find out about patches and upgrades.
2. Evaluate how technicians determine whether a patch or upgrade is appropriate.
3. Determine the methodology used for defining a super user tester.
4. Check for completeness of the documentation associated with patches and upgrades.
Test Performed By: Douglas Waechter, Karin Rosen, Sandra Sifuentes
Approved By: Matt Morgan
Date of Validation: 4/15/09
Completed By: Douglas Waechter
Sample Details:
What is being tested? Due to the nature of the Altiris system, the sample was the entire system.
Period Tested: From July 2008 To February 2009
Validation Results/Findings:
1) Information about patches and upgrades is sent out through email by the manufacturer. Microsoft patches and upgrades are checked daily and updated monthly.
2) Technicians evaluate the patches and upgrades based on their knowledge of the operational needs of the IT system.
3) Super users are selected as needed by the technicians. They are selected for their willingness to participate and their expertise with a specific application. Due to the level of expertise needed, this selection is done for each patch or upgrade.
4) Documentation is stored in the Altiris system for each computer and its history of patches and upgrades.
The system automatically pushes patches and upgrades to the appropriate systems.
Effective Control: _X_ Yes __ No __ N/A __ Other (please specify in comments section below)
(If not in compliance with required practice, provide further explanation below, e.g. Action Taken, reference to Action Plan created, etc.)
Comments / Recommendations:
Operating Effectiveness: The Altiris system is recognized as an industry standard for managing the type of computer system that the DOR operates. The technicians appear to be well trained and confident in their ability to use the system to keep IT assets up to date.
Comments: Hard copies of patches and upgrades are currently not being kept. It would be impractical to do so for a system as large as the DOR's.
Recommendations: Technicians should define in writing what they are looking for in a super user.

Process: Disposal
Control Activity: Policy to determine if equipment has a hard drive
Control # and Assoc. Risks: C 17; R 3
Risk/Control Type: Primary
Assigned To: Warehouse
Control Objective: To determine if a piece of equipment that is ready to be disposed of has a hard drive in it.
Closed Date: 4/29/09
Frequency: Annual
Walkthrough Documentation: Spreadsheet listing IT assets
Operating Effectiveness - Test Steps:
1. Look at the global spreadsheet to determine if the piece of equipment has a hard drive.
2. Remove the hard drive from the equipment and record it on the global spreadsheet and the hard drive spreadsheet.
3. Check each piece of equipment to be sure the spreadsheet was not filled out incorrectly or the equipment contains more than one hard drive.
Test Performed By: Jose Giardiello, Doug Waechter, Karin Rosen
Approved By: Matthew Morgan
Date of Validation: 4/17/2009
Completed By: Karin Rosen
Sample Details:
What is being tested? Spreadsheet listing IT assets
Period Tested: From July 2008 To February 2009
Validation Results/Findings:
1) Warehouse personnel check each piece of equipment waiting to be disposed of for a hard drive.
2) If equipment contains a hard drive, it is removed by the warehouse manager.
Effective Control: __ Yes _X_ No __ N/A __ Other (please specify in comments section below)
(If not in compliance with required practice, provide further explanation below, e.g. Action Taken, reference to Action Plan created, etc.)
Comments / Recommendations:
Operating Effectiveness: This control is very ineffective. There is no documentation that says whether a piece of equipment contains a hard drive or not.
Recommendations: It should be recorded on the global spreadsheet when the asset is first received whether or not it contains a hard drive. The warehouse can then refer to this spreadsheet, along with checking each piece of equipment, to be sure a hard drive is not left in a disposed asset. It should also be recorded on the global spreadsheet when a hard drive is removed from an asset.

Process: Disposal
Control Activity: Post-spreadsheet reported, tracked and verified
Control # and Assoc. Risks: C20; R 1, 2, 4, 6, 7, 8, 9, 18, 19
Risk/Control Type: Primary
Assigned To: Warehouse Logistics
Control Objective: To keep the global spreadsheet up to date after the disposal of an asset and to ensure the proper personnel were informed of the disposal.
Closed Date: 4/29/09
Frequency: Annual
Walkthrough Documentation: Global spreadsheet
Operating Effectiveness - Test Steps:
1. Test for completion of the spreadsheet or any other reporting documentation.
2. Check reporting after disposal.
Test Performed By: Karin Rosen, Jose Giardiello, Doug Waechter
Approved By: Matthew Morgan
Date of Validation: 4/17/09
Completed By: Jose Giardiello
Sample Details:
What is being tested? Post-disposal documentation
Period Tested: From July 2008 To February 2009
Validation Results/Findings:
1) After the disposal of an asset there is no global reporting.
2) The global spreadsheet does not get updated after the disposal of an asset.
3) After the disposal of an asset, no upper management is informed of or confirms the disposal (the warehouse manager is the one doing the disposal, so there are zero confirmations).
Effective Control: __ Yes _X_ No __ N/A __ Other (please specify in comments section below)
(If not in compliance with required practice, provide further explanation below, e.g. Action Taken, reference to Action Plan created, etc.)
Comments / Recommendations:
Operating Effectiveness: Not effective, because other departments don't know if an asset has been disposed of.
Recommendations: There need to be confirmations of the disposal to upper management (if the warehouse manager continues to be the only one doing the disposal; otherwise have someone in charge of the disposal who reports to the warehouse manager) and to other departments, with sign-offs and a column in the spreadsheet for disposal (or one consolidated spreadsheet that is frequently updated).

Process: Disposal
Control Activity: Procedures for hard drive disposal
Control # and Assoc. Risks:
C22, 23; R 5, 7, 10, 14, 15, 20, 21, 22
Risk/Control Type: Primary
Assigned To: Warehouse
Control Objective: To verify proper reporting and authorization procedures for hard drives taken to a third party for disposal.
Closed Date: 4/29/09
Frequency: Annual
Walkthrough Documentation:
- List of removed hard drives recorded by DOR
- List of disposed hard drives recorded by GRX
- Verified form with signatures from DOR and GRX
Operating Effectiveness - Test Steps:
1. Compare all numbers on the list of removed hard drives with the list of disposed hard drives to ensure that every hard drive removed and given to GRX was disposed of.
2. Verify that transfer forms were properly signed and kept.
3. Verify that disposal of the hard drives was watched by a DOR employee.
Test Performed By: Jose Giardiello, Doug Waechter, Karin Rosen
Approved By: Matthew Morgan
Date of Validation: 4/17/2009
Completed By: Karin Rosen
Sample Details:
What is being tested? What is the population? (List the entire population or reference the population source.) How were items chosen?
Hard drive numbers: 17201721819 LAK20736 LAK41776
Items chosen at random during the audit.
Period Tested: From July 2008 To February 2009
Validation Results/Findings:
1) There was a handwritten list of hard drive numbers that had been removed.
2) There was a computer-generated list from GRX containing the numbers of the hard drives that had been disposed of.
3) We chose three random hard drive numbers from the GRX list to confirm that they were on the DOR list. We found all three numbers on the list.
4) We then checked that the number of DOR hard drives given to GRX matched the number on GRX's list of disposed hard drives. This was the most time-efficient way of checking that the lists were complete.
5) There was a transfer form signed by the warehouse manager confirming the hard drives were properly transferred and were destroyed under the supervision of a DOR employee.
Effective Control: __ Yes _X_ No __ N/A __ Other (please specify in comments section below)
(If not in compliance with required practice, provide further explanation below, e.g. Action Taken, reference to Action Plan created, etc.)
Comments / Recommendations:
Operating Effectiveness: This control seems somewhat effective; however, it is not very efficient. Every single number on the DOR list would need to be checked against the GRX list.
Recommendations: The most convenient way to check the numbers from DOR against GRX would be to keep the numbers in an Excel spreadsheet. GRX could email their list to DOR, and the numbers could be checked once they were put in order. The easiest way to get the hard drive numbers into an Excel spreadsheet would be to use a bar code scanner. The bar code scanner could record all the numbers, which could then easily be transferred to the computer.

Process: Disposal
Control Activity: Verification form - is surplus property checked/tracked
Control # and Assoc. Risks: C24, 25; R 20, 21, 22
Risk/Control Type: Primary
Assigned To: Warehouse Logistics
Control Objective: To properly document and track surplus to limit misuse/pilferage/confusion.
Closed Date: 4/29/09
Frequency: Annual
Walkthrough Documentation:
- Surplus packets
- Authorized surplus lists
Operating Effectiveness - Test Steps:
1. Check for surplus packets and vouchers.
2. Test for completion of packets.
Test Performed By: Karin Rosen, Jose Giardiello, Doug Waechter
Approved By: Matthew Morgan
Date of Validation: 4/17/09
Completed By: Jose Giardiello
Sample Details:
What is being tested? Post-disposal documentation
Period Tested: From July 2008 To February 2009
Validation Results/Findings:
1) Surplus packets had a seven-digit state tag and were not referenced by RFS numbers.
2) The warehouse manager/program assistant created the list of assets that were in the surplus packets.
3) Out of three packets tested, only one had a Declaration of Surplus (list of surplus), which was generated by someone other than the warehouse manager.
4) Authorized signatures came from the warehouse manager and the Declaration of Surplus.
5) Two out of the three did not have signatures.
Effective Control: __ Yes __ No _X_ N/A __ Other (please specify in comments section below)
(If not in compliance with required practice, provide further explanation below, e.g. Action Taken, reference to Action Plan created, etc.)
Comments / Recommendations:
Operating Effectiveness: There are no previous job duties or standards. The control could be effective if the Declaration of Surplus were included in all the surplus packets.
Recommendations:
- Track surplus with RFS numbers, to continue the tracking from acquisition to disposal and surplus.
- Use the Declaration of Surplus form as a reference in the surplus packets.
- Track surplus packets with dates.
- Segregate the duties around the surplus responsibility.
- Use the Declaration of Surplus to check the DOR list of surplus against the warehouse list of surplus; create that control and always have the Declaration in each surplus packet.
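The disposal controls tested above (C17, C20 and C22/23) reduce to two record checks that can be automated once the data is in a spreadsheet, as the C22/23 recommendation suggests: does the global spreadsheet show that a hard drive was recorded at receipt and pulled before the asset was disposed of, and does DOR's list of removed drives reconcile line by line with GRX's list of destroyed drives. The script below is an added example written for this page, not a tool used by the DOR or the audit team; the CSV column names, the one-serial-per-line list format and every sample value in it are constructed assumptions.

```python
"""Disposal record checks for an IT asset inventory (added example, not DOR's code).

Assumptions (not from the audit): the global spreadsheet is exported as CSV with
the columns used below, and the DOR and GRX hard drive lists are plain text with
one serial per line. All sample data is constructed for illustration.
"""
import csv
import io

# Constructed sample export of the global spreadsheet (column names assumed).
GLOBAL_SPREADSHEET_CSV = """\
tag,description,has_hard_drive,hard_drive_removed_on,disposed_on,disposal_confirmed_by
70633,Desktop,yes,2009-01-10,2009-01-15,J. Smith
77875,Desktop,yes,,2009-02-01,
71809,Monitor,no,,2009-02-01,J. Smith
71775,Desktop,,,2009-02-03,J. Smith
71587,Laptop,yes,2009-02-05,,
"""

# Constructed lists: DOR's handwritten removal list and GRX's destruction list.
DOR_REMOVED = """\
LAK20736
LAK41776
17201721819
lak20736
"""
GRX_DESTROYED = """\
LAK41776
LAK20736
LAK99999
"""


def normalize_serial(raw):
    """Canonical form for a drive serial: trimmed, upper-case, no spaces or dashes,
    so a hand-typed entry and a scanner entry for the same drive compare equal."""
    return "".join(ch for ch in raw.strip().upper() if ch not in " -")


def parse_serial_list(text):
    """Return (set of serials, set of serials listed more than once)."""
    seen, dupes = set(), set()
    for line in text.splitlines():
        serial = normalize_serial(line)
        if not serial:
            continue
        if serial in seen:
            dupes.add(serial)
        seen.add(serial)
    return seen, dupes


def reconcile_drive_lists(dor_text, grx_text):
    """Compare DOR's removed-drive list with GRX's destroyed-drive list.

    A serial on the DOR list but not on GRX's is a drive that left DOR custody
    with no destruction record; the reverse is a drive GRX reports destroying
    that DOR never recorded handing over. 'counts_match' is the count-only
    check the audit used; it can pass while both of the above are non-empty.
    """
    dor, dor_dupes = parse_serial_list(dor_text)
    grx, grx_dupes = parse_serial_list(grx_text)
    return {
        "not_destroyed": sorted(dor - grx),
        "unknown_to_dor": sorted(grx - dor),
        "dor_duplicates": sorted(dor_dupes),
        "grx_duplicates": sorted(grx_dupes),
        "counts_match": len(dor) == len(grx),
    }


def audit_disposal_records(csv_text):
    """Flag spreadsheet rows that violate the recommended disposal policy:
    hard drive presence recorded at receipt, drive removal recorded before
    disposal, and disposal confirmed by someone other than the disposer."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        tag = row["tag"]
        has_hdd = row["has_hard_drive"].strip().lower()
        removed_on = row["hard_drive_removed_on"].strip()
        disposed_on = row["disposed_on"].strip()
        confirmed_by = row["disposal_confirmed_by"].strip()
        if has_hdd not in ("yes", "no"):
            findings.append((tag, "hard drive presence never recorded at receipt"))
        if disposed_on:
            if has_hdd == "yes" and not removed_on:
                findings.append((tag, "disposed with no hard drive removal recorded"))
            if not confirmed_by:
                findings.append((tag, "disposal not confirmed by a second person"))
    return findings


if __name__ == "__main__":
    for tag, problem in audit_disposal_records(GLOBAL_SPREADSHEET_CSV):
        print(f"asset {tag}: {problem}")
    for key, value in reconcile_drive_lists(DOR_REMOVED, GRX_DESTROYED).items():
        print(f"{key}: {value}")
```

On the constructed data the count check passes (three serials on each side) while one DOR drive has no destruction record and GRX reports a serial DOR never handed over, which is exactly why the audit's sampling-plus-count approach is called "somewhat effective" above: a full set comparison catches both cases at no extra cost once the lists are electronic. Normalizing serials before comparing matters because the DOR list was handwritten and the GRX list machine-generated, so case and separator differences would otherwise show up as false mismatches.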
Findings Summary

After analyzing the results from our tests of the DOR controls we found the following:
- 45% of controls tested were found to be effective
- 33% of controls tested were found to be ineffective
- 22% of controls tested were found to be mostly effective with exceptions

Specific areas of concern:

Spreadsheets: In general there is a chaotic distribution of spreadsheets and information; this creates gaps in information and may allow for mismanagement of assets. This concern is illustrated by the ineffectiveness of these controls:
- Control 2: Updated RFS Spreadsheet - The security of the global drive RFS spreadsheet was questionable because the password was not changed regularly.
- Control 7: Warehouse Spreadsheet is Complete - There is no defined policy regarding updates to the spreadsheet, and the spreadsheet is not updated to indicate the disposal of assets.
- Control 20: Post-spreadsheet Reported, Tracked and Verified - There is no policy in place to record the disposal of assets in a global location.

Receiving the assets: The policy requiring all IT assets to be sent through the warehouse is sometimes ignored. Assets have the potential to be delivered to other areas of the organization, skipping the tagging and recording process at the warehouse. This concern is illustrated by the ineffectiveness of this control:
- Control 4: Who Receives the Asset? - Documentation is kept to verify that the warehouse has received the asset, but there is no specific process for receiving an asset.

Software license storage and transfer: Our tests showed mixed results about the recording and transfer of software licenses. Our test of the current process suggested it is sound, but our test of the older software suggested that system is flawed. It is the opinion of the auditors that, although the test demonstrated the process is sound, it really is not. There are multiple spreadsheets where software licenses are stored; this creates risk and inefficiency in finding licenses for use. The controls tested regarding this concern are:
- Control 6: Proper Documentation and Recording for Licenses - This control was shown to be effective by our tests.
- Control 8: Software Storage and Re-installation - This control was shown to be ineffective by our tests.

Proper disposal of assets (especially hard drives): The controls for disposal and for keeping records of disposal seem strong; however, information about the disposal of assets is not shared with the other departments in the system. Furthermore, the storage of hard drives before they go to destruction could be greatly improved. Our major concern is that the ineffective controls pose an opportunity for leakage of sensitive information contained on hard drives. This concern is illustrated by our testing of these controls:
- Control 17: Policy to Determine if Equipment has a Hard Drive - The lack of policy means that a surplus asset may be disposed of while still containing a hard drive with sensitive information.
- Control 22 and 23: Procedures for Hard Drive Disposal - The control seems effective, but it is inefficient because of how the disposal documents are organized, which may introduce errors in verifying the documents.
- Control 20: Post Disposal Spreadsheet, Assets are Reported, Tracked and Verified - Records of the disposal of an asset are never sent to another location outside the warehouse for verification and approval.

Recommendations and Suggestions

Recommendations:
Recommendations were researched to repair the controls that were deemed the least effective through the testing phase.
Knowledge Leader and internet searches were used to research best practices regarding IT asset management systems.

General best practices:
The most relevant document found was "IT Asset Management: How to Improve the Business of IT", by Colleen O'Donnell. The article lays out four hallmarks of best-in-class IT asset management programs:
1. A central repository that contains detailed financial, contractual and physical information on assets, coupled with discovery/inventory tools that cover all the disparate platforms within the environment (hardware, network, software).
2. Processes, procedures, and policies around this information to keep it current, with people assigned responsibility/accountability for this task.
3. A well-structured and measured organization enabled to support the ongoing operational management processes and activities of the organization.
4. Perhaps most importantly, these programs have the buy-in and support of upper management.

In order to abide by the first hallmark, the DOR should compile the information found on individual employees' IT inventory spreadsheets into one comprehensive spreadsheet. This will improve the asset management system by:
- Reducing time spent by employees in locating specific assets.
- Making assets more secure by making the information about them easier to access.
- Compiling software licenses into one location so the availability of licenses can be easily determined.

In order to abide by the second hallmark, the DOR should refer to the process maps in this document to chronicle the duties necessary to accomplish the task of managing their IT assets. They can then create documents for each position in their organization laying out the duties and responsibilities of the individual employed in that position. This will improve the asset management system by:
- Ensuring that specific individuals are responsible for specific duties. This will make sure every duty is being fulfilled and ensure there is accountability in the process.
- Making the process more efficient; each employee knows specifically what they should be accomplishing.
- Advertising who is responsible for which aspects of the process, so personnel know who to go to when they need a specific piece of information.

In order to accomplish the third hallmark, the DOR should define their duties and processes, assign these duties and processes to specific employees, and create a comprehensive spreadsheet with built-in, quantifiable indicators. These tasks were recommended to accomplish the first two hallmarks and will accomplish the third hallmark by:
- Adding performance indicators and ensuring the advice is incorporated into the processes.
- Using those performance indicators to ensure that each individual is accomplishing the duties documented in the employee packets.

In order to accomplish the fourth hallmark, the DOR must ensure that management is informed, involved, and supportive of these changes. The fourth hallmark will accomplish:
- Organization-wide support for the new process.
- Less resistance to changes in the system.
- An easier conversion to the new system.

Other/specific recommendations:
There are four recommendations that could be easily implemented at the DOR to greatly improve the security and efficiency of their IT asset management program:
1. Purchasing a storage locker, chain, and lock to store hard drives before they are destroyed. During the testing we observed lacking controls surrounding the security of hard drives that could potentially contain sensitive information.
2. Purchasing a barcode scanner, compatible with Microsoft Excel, to record the hard drives as they come into the warehouse. This electronic list will be easier to compare to the disposal list obtained from GRX after destruction of the hard drives. This ensures that the list of hard drives with sensitive information is less prone to tampering and errors.
3. Altering the regulation stating that only the CIO can authorize the pickup of abandoned assets, so that technicians may pick up these assets as well. There is a tendency at the DOR for employees to dispose of obsolete IT assets by storing them in offices or hallways. This leaves assets prone to theft and misplacement. In order to reduce this risk, technicians should be able to pick up abandoned inventory and store it until the owner abandons or reclaims the asset.

Supplementary Documents

AGENDA
STATE OF COLORADO DEPARTMENT OF REVENUE
January 21, 2009
Meeting called by: Internal Audit Team
Location: Classroom 320 – Leeds School of Business
Attendees: Sandra Sifuentes, Karin Rosen, Robby Mushet, Jose Giardiello, Doug Waechter
Topic 1: Introduction; Project Overview
Topic 2: Meet Clients; Discussions
Topic 3: Questions; Gather Team Contacts
Additional Instructions: The audit team will provide the client with documents that will be used during the meeting.

AGENDA
STATE OF COLORADO DEPARTMENT OF REVENUE
February 4, 2009, 12:00-2:00 pm
Meeting called by: Internal Audit Team
Location: Department of Revenue – Denver, CO
Attendees: Sandra Sifuentes, Karin Rosen, Robby Mushet, Jose Giardiello, Doug Waechter
Topic 1: Introduction; Expectations; Scope of Audit
Topic 2: Meeting with Budget Department Team; Procedures; Questions
Topic 3: Wrap Up; Suggestions from Client and Advisor; Questions
Additional Instructions: The audit team will provide the client with documents that will be used during the meeting.

AGENDA
STATE OF COLORADO DEPARTMENT OF REVENUE
February 17, 2009, 8:00-9:00 am
Meeting called by: Internal Audit Team
Location: Professor Marlatt’s Office S450G – Leeds School of Business
Attendees: Karin Rosen, Robby Mushet, Jose Giardiello, Doug Waechter
Topic 1: Steps for the Audit; Process Maps; Questions
Topic 2: Acquisition of Materials; White Pad and Easel
Additional Instructions: Spoke with professor before meeting with client.

AGENDA
STATE OF COLORADO DEPARTMENT OF REVENUE
February 18, 2009, 9:30-12:00 pm
Meeting called by: Internal Audit Team
Location: Department of Revenue – Lakewood, CO
Attendees: Sandra Sifuentes, Karin Rosen, Robby Mushet, Jose Giardiello, Doug Waechter
Topic 1: Introduction; Overview with Client
Topic 2: Meeting with Mike Lichvar – Enterprise Services Manager; Introduction and Procedures; Process Map
Topic 3: Steve McCarthy – Elect Engineer; Introduction and Procedures; Process Map – Shipping and Receiving
Topic 4: Lou Ennis – IT Desktop Support Manager; Introduction and Procedures; Process Map – Maintenance; Questions
Topic 5: Mark Buckingham and David Loewi – CIO; Introduction and Project Discussion
Additional Instructions: The audit team will provide the client with documents that will be used during the meeting.

AGENDA
STATE OF COLORADO DEPARTMENT OF REVENUE
March 4, 2009, 9:00-12:00 pm
Meeting called by: Internal Audit Team
Location: Department of Revenue – Lakewood, CO
Attendees: Sandra Sifuentes, Karin Rosen, Robby Mushet, Jose Giardiello, Doug Waechter
Topic 1: Introduction; Overview with Client
Topic 2: Meeting with Alison Roberts; Introduction and Procedures; Process Map
Topic 3: Meeting with Vanessa Jozef; Introduction and Procedures; Process Map
Topic 4: Meeting with Jane Henderson; Introduction and Procedures; Process Map
Topic 5: Closing Discussions; Final Questions
Additional Instructions: The audit team will provide the client with documents that will be used during the meeting. Sandra will be writing process steps on the white board for visualization.

AGENDA
STATE OF COLORADO DEPARTMENT OF REVENUE
March 11, 2009, 9:00-12:00 pm
Meeting called by: Internal Audit Team
Location: Department of Revenue – Lakewood, CO
Attendees: Sandra Sifuentes, Karin Rosen, Robby Mushet, Jose Giardiello, Doug Waechter
Topic 1: Introduction; Review Walk-through Plan with Client
Topic 2: Set-up; Lay Out Process Maps in Asset Life Cycle Order; Discuss maps with visitors
Topic 4: Closing Discussion; Final Questions
Additional Instructions: The audit team will provide the client with documents that will be used during the meeting.

AGENDA
STATE OF COLORADO DEPARTMENT OF REVENUE
March 18, 2009, 9:00-12:00 pm
Meeting called by: Internal Audit Team
Location: Department of Revenue – Denver, CO
Attendees: Sandra Sifuentes, Karin Rosen, Robby Mushet, Jose Giardiello, Doug Waechter
Topic 1: Introduction; Overview of Risk Assessment
Topic 2: DOR IT Asset Risk Matrix; Reviewed Risk Averages – Significance and Likelihood; Defined and categorized each risk with Client
Topic 3: Client’s Suggestions; Ranked risks; Reorganized and added to list of risks
Topic 4: Closing Discussion; Final Questions; Further contact arranged
Additional Instructions: The audit team will provide the client with documents that will be used during the meeting.

AGENDA
STATE OF COLORADO DEPARTMENT OF REVENUE
April 10, 2009, 10:00-12:00 pm
Meeting called by: Internal Audit Team
Location: Department of Revenue – Lakewood, CO
Attendees: Sandra Sifuentes, Robby Mushet, Jose Giardiello, Doug Waechter
Topic 1: Introduction; Overview with Client
Topic 2: Testing; Meeting with Maria Armenta, Jane Henderson, Brad Denning and Cindy Witka; Test RFS# Controls; Test licensing Controls; Test global drive Controls
Topic 3: Compile Information; Discuss test results
Additional Instructions: The audit team will provide the client with documents that will be used during the meeting.

AGENDA
STATE OF COLORADO DEPARTMENT OF REVENUE
April 15, 2009, 9:30-12:00 pm
Meeting called by: Internal Audit Team
Location: Department of Revenue – Lakewood, CO
Attendees: Sandra Sifuentes, Karin Rosen, Robby Mushet, Jose Giardiello, Doug Waechter
Topic 1: Introduction; Overview with Client
Topic 2: Testing; Meeting with Vanessa Jozef, Brandon and Maria Armenta; Test RFS sheet Controls; Test super user controls
Topic 3: Wrap Up; Overview of testing results
Additional Instructions: The audit team will provide the client with documents that will be used during the meeting.

AGENDA
STATE OF COLORADO DEPARTMENT OF REVENUE
April 17, 2009, 10:00-11:00 pm
Meeting called by: Internal Audit Team
Location: Department of Revenue – Lakewood, CO
Attendees: Karin Rosen, Jose Giardiello, Doug Waechter
Topic 1: Introduction; Meeting with Roy Mitze
Topic 2: Testing; Test spreadsheet and acquisition controls; Test hard drive and disposal controls; Test warehouse security
Additional Instructions: The audit team will provide the client with documents that will be used during the meeting.