09/06/2022 - Regular Minutes - City Council - Audit Committee

CITY OF COLLEGE STATION
Home of Texas A&M University

Mayor: Karl Mooney
Mayor Pro Tem: Bob Brick
City Manager: Bryan C. Woods
Councilmembers: Linda Harvell, John Nichols, Dennis Maloney, John Crompton, Elizabeth Cunha

Minutes
CITY COUNCIL AUDIT COMMITTEE
IN-PERSON WITH TELECONFERENCE PARTICIPATION
Tuesday, September 6, 2022, at 3:00 pm

Audit Committee Members Present:
Karl Mooney, Mayor
Linda Harvell, Councilmember
Elizabeth Cunha, Councilmember
Michelle McMillin, Committee Member
Richard Price, Committee Member

City Staff:
Ty Elliott, Internal Auditor
Bryan Woods, City Manager
Jeff Kersten, Assistant City Manager
Jennifer Prochazka, Assistant City Manager
Barbara Moore, Assistant to the City Manager/Special Projects
Ross Brady, Assistant to the City Manager/Special Projects
Adam Falco, City Attorney
Mary E. Leonard, Finance Director
Sam Rivera, IT Director
John Jones, Assistant IT Director
Larry Vierus, Technology Services Coordinator
Yvette Dela Torre, Deputy Local Registrar

1. Call meeting to order and Announce a Quorum is Present.
With a quorum present, the Audit Committee of College Station was called to order by Mayor Mooney at 3:01 pm on September 6, 2022, in the 1938 Executive Conference Room of the City of College Station City Hall.

2. Hear Visitors
There were no hear visitors.

3. Agenda Items

3.1 Presentation, discussion, and possible action of minutes for the City Council Audit Committee meeting held on September 6, 2022.
MOTION: Upon a motion made by Councilmember Harvell and a second by Councilmember Cunha the Audit Committee voted five (5) for and zero (0) opposed to approve the September 6, 2022, Audit Committee minutes as amended. The motion carried unanimously.

3.2 Presentation, discussion, and possible action regarding the Information Technology Asset Management audit.
Internal Auditor Ty Elliott presented the scope, findings, and recommendations of the Technology Asset Management audit. The audit scope was restricted to personal computers (laptops, desktops, and tablets). Areas for improvement were found in the process of acquiring PCs, accounting for PC inventory, the deployment & management of PCs, and the PC maintenance & retirement process. Mr. Elliott stated that the IT department already has solutions and has started implementing those solutions to some of his recommendations.

3.3 Presentation, discussion, and possible action to provide an update and anticipated timeline for the Developer Constructed Streets audit.
Internal Auditor Ty Elliott provided the Audit Committee with an update on the Developer Constructed Streets audit. He informed the committee that the survey phase of the audit was complete but that due to being short-staffed in his department, the completion of the audit would be delayed. Mr. Elliott informed the committee of his upcoming peer review in October.

4. Discussion and possible action on future agenda items.
There were no future agenda items discussed.

5. Adjourn.
There being no further business, Mayor Mooney adjourned the meeting at 4:08 pm on Tuesday, September 6, 2022.

ATTEST:

APRIL 2022
IT Asset Management Audit
FILE#: 22-01
City Internal Auditor’s Office
City of College Station

Executive Summary

Why We Did This Audit
Effective information technology asset management (ITAM) keeps information updated, reduces waste, and improves utilization. It saves money by helping avoid unnecessary purchases and cutting licensing and support costs. Increased control also enforces compliance with security and legal policies and reduces risks. The positive implications on costs and productivity benefit the entire organization. Based on the direction given by the Audit Committee, an audit of ITAM was included in the Fiscal Year 2022 Audit Plan.
What We Found
There is room for the Information Technology (IT) Department to improve policies, procedures, and processes related to how technology assets are tracked and managed. Specifically, we found the following areas of potential improvement related to the purchasing, deployment, storing, and disposal of personal computers (PCs):

Purchasing records and processes need improvement. It is difficult to accurately identify PC purchases – which complicates tracking PCs throughout their asset life cycle. In addition, timely entry of the receipt of PCs into the City’s financial system when they are delivered does not consistently occur. Finally, although most PCs are purchased centrally through IT, we identified a handful that were not and the justification for this deviation from City policy was not well-documented.

Asset tracking practices and tools are inadequate. The approach for tracking PCs does not account for assets that are not connected to the City’s network. As a result, technology asset records maintained by IT did not reconcile with purchasing records. We found purchasing records of 191 PCs which were unaccounted for in IT’s asset records.

Assets are not being effectively deployed and managed. IT has not updated their ITAM related policies for several years. As a result, these policies do not reflect current IT processes and procedures. In addition, we found the following indicators that PCs are not being effectively deployed and managed across City Departments: (1) employees commonly being assigned multiple computers, (2) computers not being timely deployed to end-users, and (3) computers utilized by end-users that are well beyond their scheduled replacement dates.

Methods for maintenance and retirement of PCs could be enhanced. The City does not have adequate systems or processes to take a proactive approach to computer maintenance.
In addition, the City’s computer replacement and disposal processes are not timely, well-organized, and accurately recorded. The City’s policy does not provide clear, precise timeframes for replacing and disposing of old assets. However, the data security risk of the disposed assets is low due to using data encryption and hard drive shredding practices.

Summary of Audit Recommendations
To address the audit findings, there are a few improvements the City could make to better track and manage its IT assets. They are encompassed in the following audit recommendations:

1. The City should develop a policy stating when it is appropriate to use a purchasing card to make technology purchases. In addition, a process should be developed to efficiently identify the purchasing records in Munis of all technology assets.
2. IT should develop a policy and procedure to inspect and receive ordered items in Munis when they are delivered.
3. There may be a business justification for a technology purchase to not be centralized. In these instances, the business justification for purchasing an item outside city policy should be clearly documented. Alternatively, the City could implement a policy establishing the criteria for when Departments are allowed to make their own technology purchases.
4. The City should develop new strategies for tracking technology assets at every stage of the asset life cycle. In developing this strategy, the City should consider new systems, processes, and policies to plan for technology replacement efficiently and effectively.
5. To get the most output from technology assets, IT should be continuously evaluating user technology utilization through robust processes and systems. Once IT can accurately track and collect these data, they should update hardware standards, policies, and procedures to ensure these assets are being utilized efficiently and effectively – including timely deployment and replacement.
6. IT should develop policies and procedures for computer replacement and disposal which provide guidelines for (1) determining the disposal method, (2) improving documentation of replaced and disposed computer assets, and (3) providing objectives related to the timeliness of replacement, storage, and disposal.

Table of Contents
Introduction
Audit Objectives
Information Technology Asset Management Offers Significant Benefit
Our Review of ITAM Focused on City Personal Computers (PCs)
Findings and Analysis
The Process to Acquire PCs Could Be Improved
The Process to Account for PCs Inventory Needs Improvement
Deployment and Management PCs Should Be Improved
The IT Assets Maintenance and Retirement Process Needs Improvement
Scope
Methodology
Appendix A: Management’s Response

Introduction
The Office of the City Internal Auditor conducted this performance audit of the City of College Station’s management of personal computer (PC) assets pursuant to Article III Section 30 of the College Station City Charter, which outlines the City Internal Auditor’s primary duties.[1] A performance audit is an objective, systematic examination of evidence to assess independently the performance of an organization, program, activity, or function. The purpose of a performance audit is to provide information to improve public accountability and facilitate decision-making.[2] Performance audits encompass a wide variety of objectives, including those related to assessing program effectiveness and results; economy and efficiency; internal control; compliance with legal or other requirements; and objectives related to providing prospective analyses, guidance, or summary information. A performance audit of information technology asset management (ITAM) was included in the Fiscal Year 2022 Audit Plan based on the direction given by the Audit Committee.

Audit Objective
This audit aims to provide management with assurance that PC inventory and records are complete and accurate and to evaluate the internal controls throughout the PC life cycle.

Information Technology Asset Management Offers Significant Benefit
ITAM is the process of ensuring an organization’s assets are appropriately accounted for, deployed, maintained, upgraded, and disposed. IT assets include hardware, software systems, or information the City of College Station values. This most commonly includes but is not limited to computer related hardware and software licenses. IT assets have a finite period of use. To maximize the value the City generates from them, the IT asset lifecycle should be managed.
This generally includes (1) procurement, (2) inventory, (3) deployment, (4) management, (5) maintenance, and (6) retirement (see Figure 1 below). An important part of ITAM is applying a consistent process across all lifecycle stages to understand the total cost of ownership and optimize the use of assets.

[1] City of College Station, TX, “Code of Ordinances,” § 30 (2017), 12.
[2] U. S. Government Accountability Office, “Government Auditing Standards 2018 Revision (GAO-18-568G)” (2018), 10–17.

Figure 1: IT Asset Life Cycle
1. PROCUREMENT: Organize purchasing data associated with IT assets to have information available for future decisions.
2. INVENTORY: Account for each IT asset. Ideally, administer QR barcode labels to facilitate asset tracking.
3. DEPLOYMENT: Assemble, inspect, and configure IT assets. Assign assets to users.
4. MANAGE: Get the most output from IT assets by continuously checking the value and performance of IT assets.
5. MAINTENANCE: Evaluate IT asset quality to help determine when assets should be fixed or disposed of.
6. RETIREMENT: Assess asset value towards the end of useful life. Sell or dispose of assets.
Source: Roots Tim (2020), Asset Life Cycle Management: Stages to Success.

The primary goal of ITAM is to establish and maintain a centralized asset repository that contains a complete, current, and accurate inventory of all the IT assets in the City. This information helps City officials understand: (1) what systems and software exist, (2) where components reside, (3) how they are used, (4) what they cost, (5) to what they are connected, (6) the current phase of their lifecycle, and (7) how they impact IT and business services. Best practices suggest leveraging ITAM processes, tools, and operational functions to drive long-term value and ITAM-related projects to make targeted improvements to the City’s technology asset management maturity.
Therefore, an effective ITAM function should include an asset management repository, data on both hardware and software components, and a set of processes for maintaining that data. At the most basic level, an ITAM function must perform the following activities: (1) asset discovery and data capture, (2) tracking asset changes, (3) asset-lifecycle management, and (4) asset reporting and alerting.

Our Review of ITAM Focused on City Personal Computers (PCs)
The City should be tracking and managing technology assets which have value, require ongoing support, or could create potential risk to the City if the necessary documentation that shows proper ownership or licensure is lacking. The first step in managing technology assets is to be able to identify every technology asset owned by the City. These assets are typically classified into three sections depicted below (see Figure 2).

Compared to all other IT assets, our preliminary review found that IT asset records, processes, policies, and procedures related to PCs[3] were the best documented. Given this preliminary finding, we decided to focus our review on examining only PCs based on the following logic: if the City has not implemented ITAM principles to track and manage PCs, then the risk that these best practices are not being used to manage other technology assets is high.

[3] For the purpose of this report, personal computers (PC) refer to workstation, desktop computers, laptops, tablets, portable devices, and Toughbooks (which were all within the scope of our review).
Figure 2: Information Technology Asset Classification (three groups: Hardware Assets, Asset Components, and Software Assets; items shown: Servers, Workstations (PCs), Copiers, Keyboards, Mouse, Webcams, Projectors, Software, Software licenses, Printers, Scanners, Monitors, Dock Stations, Routers, Smart phones, Tablets)
Source: ManageEngine ServiceDesk Plus (2020), 7 Step Guide to IT Asset Management Success

[4] On the Dell website, an account holder can also use purchase order number which can be helpful.
[5] Munis 2017.1 Manual, Receiving Training Manual, P.2

Findings and Analysis
We examined each aspect of the asset life cycle for City of College Station PCs and compared the City’s processes, policies, and procedures to ITAM best practices. This report summarizes our findings within each aspect of the technology asset life cycle: (1) procurement, (2) inventory, (3) deployment and management, and (4) maintenance and retirement.

The Process to Acquire PCs Could Be Improved
Our examination of the process by which PCs are acquired found a few areas of possible improvement. First, it can be challenging to accurately identify all technology purchases. Second, IT personnel do not always timely enter that they have received PCs into the City’s financial system when they are delivered. Finally, although most PCs are purchased centrally through IT, we identified a handful that were not and the justification for this deviation from City policy was not well-documented.

It is difficult to accurately identify technology purchases.
In an efficient and effective ITAM system, all technology purchases are easy to identify and reconciled to any technology assets at any stage of the asset life cycle. There are two ways IT purchases can be tracked. First, IT purchases are made either with a City credit card or through the purchase order (PO) process – thereby creating a record in the City’s financial system (Munis).
Because various accounts are used to acquire IT assets, compiling a complete list of all PC purchases through Munis can be challenging. Second, some PC purchases can be identified through vendor websites. Although data from vendor websites were helpful, relying completely on this data has the following disadvantages: (1) it is limited to only certain vendors, (2) it is only able to access purchases made by the IT Department, and (3) it requires the asset’s serial number which may not be available.[4]

Risk (medium): The full benefits of ITAM cannot be realized if purchasing records of all technology assets cannot be easily identified and reconciled to IT asset records. In addition, purchases made through the PO process generally have stronger internal controls than those made on City credit cards.

Recommendation: The City should develop a policy stating when it is appropriate to use a purchasing card to make technology purchases. In addition, a process should be developed to efficiently identify the purchasing records in Munis of all technology assets.

PCs are not always being timely received in Munis.
Once an ordered computer is delivered by a vendor, IT personnel should enter the receipt quantity and amount as soon as possible in the City’s financial system (Munis).[5] The receipt of quantities ordered is part of the “three-way match” internal control of the accounts payable process. Three-way match in accounts payable allows you to match vendors’ invoices with POs and received quantities of goods or services before the invoices are processed and paid. It automates the verification of these documents to ensure that an invoice should be paid. We did not find any instances where invoices were paid prior to IT entering the receipt in Munis; however, there are still some risks associated with not timely entering the receipt of delivered items into Munis.
Although Munis allows the user to receive separate quantities ordered as they are delivered, IT personnel often wait until all items on a PO are delivered before they make the receiving entry in Munis. As a result, computers are often deployed prior to the receiving entry being made.

Risk (high): Because IT currently does not have an asset management system capable of effectively tracking the asset through the entire life cycle of the asset, there is a risk that receipt information could be inaccurate. This could result in the City paying for technology assets which have not actually been delivered.

Recommendation: IT should develop a policy and procedure to inspect and receive ordered items in Munis when they are delivered.

Most PCs are purchased centrally through IT.
We found 32 computer and iPad purchases between 2015 and 2021 which were not acquired by IT staff. To put this into perspective, we identified 1,996 PC purchases during this same period. Per City policy, Departments are required to coordinate all technology or software-related purchase requests with the IT Department. Once reviewed and agreed upon, technology purchases should be initiated by the IT Department. This policy has the potential to help ensure that (1) acquired technology assets are compatible with City standards and existing infrastructure, (2) all costs are properly considered, (3) unnecessary duplication of capabilities is avoided, and (4) the proposed equipment or software does not interfere with the operation of existing systems or create any undue risk to City resources. The value of the policy depends on the (1) efficacy by which it is being enforced, and (2) extent to which the other ITAM best practices have been implemented. The exceptions we found are described in Table 1.

Risk (low): Over 98% of computers purchased between 2015 and 2021 were centrally purchased by IT.
Of the less than 2% that were purchased by other Departments, 78% were purchased by the Electric Department. Although there may be good justification for Electric or other Departments to operate outside the City’s technology purchasing guidelines, this justification was not well documented in purchasing records we were able to identify.

Recommendation: There may be a business justification for a technology purchase to not be centralized. In these instances, the business justification for purchasing an item outside City policy should be clearly documented. Alternatively, the City could implement a policy establishing the criteria for when Departments are allowed to make their own technology purchases.

The Process to Account for PCs Inventory Needs Improvement
We found the City’s IT assets tracking approach is not effective since it does not account for assets that are not connected to the City network. As a result, technology asset records maintained by IT did not reconcile with purchasing records.
Table 1: PC and iPad Purchases not Made by IT Department

| Department | Make & Model | Purchase Date | Qty | Unit Price | Total Amount | Canceled Amount | Cancel Qty |
|---|---|---|---|---|---|---|---|
| Fire Department | HP Pavilion | 1/21/16 | 1 | 430 | 430 | -- | |
| Electric | Toshiba Satellite | 2/23/16 | 1 | 1,030 | 1,030 | -- | |
| Fire Department | Microsoft Surface | 7/13/16 | 1 | 500 | 500 | -- | |
| Fire Department | Apple iPad | 1/21/16 | 1 | 590 | 590 | -- | |
| Fire Department | Apple iPad | 9/20/17 | 2 | 528 | 1,056 | -- | |
| Finance | Apple iPad | 1/7/22 | 1 | 330 | 330 | -- | |
| Communications | Apple iMac | 3/29/21 | 1 | 3,863 | 3,863 | -- | |
| Electric | Dell XPS 15 | 12/14/21 | 1 | 1,799 | 1,799 | -- | |
| Electric | HP EliteBook 850 | 7/14/16 | 2 | 1,796 | 3,592 | 3,592 | 2 |
| Electric | IBM Lenovo ThinkPad | 3/10/20 | 3 | 1,003 | 3,009 | -- | |
| Electric | IBM Lenovo ThinkStation | 1/27/21 | 9 | 1,203 | 10,831 | -- | |
| Electric | IBM Lenovo ThinkStation | 1/27/21 | 7 | 1,269 | 8,881 | -- | |
| Electric | IBM Lenovo ThinkPad | 1/27/21 | 2 | 1,283 | 2,567 | -- | |

Source: Purchase Orders obtained from Munis

[6] Although Lansweeper is the primary repository of technology asset records, we were also able to obtain some records from vendor websites.

Asset management practices and tools are inadequate to account for IT assets throughout their life cycle.
Since April 2021, the City has used an ITAM solution called Lansweeper to gather hardware and software information of computers and other devices on the City’s network. Although IT’s utilization of this tool has resulted in significant improvement in their tracking of technology assets, the use of Lansweeper as the primary method to plan for computer replacement has limitations because it only tracks assets which have touched the City’s network. Therefore, the following technology assets may not be accounted for through Lansweeper:

1. Assets which have been purchased and delivered but not yet deployed.
2. Assets which have been replaced but have not been timely disposed.
3. Assets which have been deployed but have not been used on the City’s network.
Given the limitations described above, we found that identifying all technology assets within the City’s current system and processes is time-consuming, labor-intensive, and incomplete.

IT does not have accurate and complete records of deployed PCs.
This is confirmed because PC purchases do not perfectly reconcile to IT asset records. Documentation obtained from the City’s financial system (Munis) appears to indicate that there were significantly more purchases of PCs than what can be identified through asset records maintained by IT.[6] Table 2 summarizes these results.

Table 2: Asset Purchases That Do Not Reconcile to IT Asset Records (rounded to hundredth)

| Make & Model | Qty | Estimated Unit Purchase Cost: Average | Estimated Unit Purchase Cost: Min | Estimated Unit Purchase Cost: Max | Estimated Total Purchase Cost: Average | Estimated Total Purchase Cost: Min | Estimated Total Purchase Cost: Max |
|---|---|---|---|---|---|---|---|
| Apple iMac | 2 | 5,400 | 3,900 | 6,800 | 10,800 | 7,800 | 13,600 |
| Apple iPad | 16 | 700 | 300 | 2,000 | 11,200 | 4,800 | 32,000 |
| Apple MacBook | 1 | 2,500 | 2,300 | 2,800 | 2,500 | 2,300 | 2,800 |
| Dell Latitude | 28 | 1,400 | 1,000 | 2,300 | 39,200 | 28,000 | 64,400 |
| Dell Optiplex | 16 | 700 | 700 | 1,000 | 11,200 | 11,200 | 16,000 |
| Dell Precision | 3 | 1,800 | 1,000 | 2,500 | 5,400 | 3,000 | 7,500 |
| Dell XPS | 1 | 1,900 | 1,800 | 2,000 | 1,900 | 1,800 | 2,000 |
| HP EliteBook | 51 | 1,300 | 800 | 3,000 | 66,300 | 40,800 | 153,000 |
| HP EliteDesk | 28 | 800 | 700 | 1,000 | 22,400 | 19,600 | 28,000 |
| HP Z4 Workstation | 6 | 1,800 | 1,800 | 1,900 | 10,800 | 10,800 | 11,400 |
| HP Zbook | 3 | 2,100 | 1,600 | 2,900 | 6,300 | 4,800 | 8,700 |
| IBM Lenovo | 20 | 1,200 | 1,000 | 1,300 | 24,000 | 20,000 | 26,000 |
| Microsoft SurfaceBook | 6 | 1,500 | 500 | 2,500 | 9,000 | 3,000 | 15,000 |
| Panasonic Toughbook | 10 | 3,500 | 2,500 | 4,600 | 35,000 | 25,000 | 46,000 |
| Total: | 191 | 26,600 | 19,900 | 36,600 | 256,000 | 182,900 | 426,400 |

Source: Purchase Orders obtained from Munis

Risk (high): The risk that technology assets are lost, stolen, or non-optimally utilized significantly increases if technology assets cannot be tracked efficiently and accurately. There are also potential risks related to data security if technology assets fall into the wrong hands.
These security risks are somewhat mitigated due to City computers being locked out of the system if they have not logged onto the City’s network in the past 90 days.

Recommendation: The City should develop new strategies for tracking technology assets at every stage of the asset life cycle. In developing this strategy, the City should consider new systems, processes, and policies to plan for technology replacement efficiently and effectively.

Deployment and Management PCs Should be Improved
Because technology rapidly changes, the City should be frequently reviewing and updating computer hardware standards. When done effectively, these policy and procedure updates are based on information obtained through proper analysis of how PCs are deployed and utilized throughout the City.

The City’s hardware standards, policies, and procedures need to be updated.
The Department of Information Technology end-user hardware and software standards for all City users of PCs are documented in a policy last updated in 2016. Some of the stated goals of these standards are as follows:

(1) Aid in the alignment, consistency, and modernization in the selection and design of business solutions across the City.
(2) Control costs associated with software licensing and maintenance, hardware, services, training, and integration.
(3) Ensure designated technology will be supported by IT as applicable, and that the selection is in alignment with IT goals, objectives, and strategic direction.
(4) Reducing the number of platform configurations in use to enable allocated resources to better support the information systems under management.

The benefits which can be achieved when ITAM best practices are implemented align with these stated objectives. However, the City’s hardware standards need to be updated. Not only do they reference hardware that is no longer acquired, but they are also deficient in some areas.
For example, they lack (1) an inventory management policy, (2) criteria specifying exceptions to policy, or (3) a deployment and maintenance strategy.

Potential causes for the results summarized in Table 2 are as follows:

• Dell, HP, and Microsoft computers make up 74.3% of the computers summarized in Table 2. These computers were either (1) lost or stolen, (2) deployed without having ever logged onto the network, or (3) disposed without having adequate documentation of the disposal.
• Apple products, summarized in Table 2, make up 10% of the computers. Apple products cause issues with the City’s network due to their platform security and operating system. As a result, IT has made a business decision to not have these computers connected to the City’s network.
• IBM Lenovo computers make up 10.5% of the computers summarized in Table 2. These computers were purchased by the Electric Department for their SCADA system, which manages the City's electric utility infrastructure. To protect from the threat of cyberattack on this critical infrastructure and to comply with federal energy regulations, these computers are not on the City’s network.
• Panasonic Toughbooks make up 5.2% of the computers summarized in Table 2. As of January 2022, we were able to identify 97 Toughbooks purchased between 2017 and 2021. Ten of these computers were purchased in 2017. Given the nature and use of these computers, it is not unreasonable to assume that 10 Toughbooks were disposed of slightly before their planned replacement (i.e., 5-year useful life).

3. Computers not timely replaced. Excluding the Panasonic Toughbooks used primarily in public safety vehicles, City policy dictates that computers should be replaced every four years. As of February 24, 2022, there are 245 City computers which appear to not have been timely replaced. A breakdown of these computers categorized by the year in which they were purchased is detailed in Table 4.
Most of these computers seem to be actively used by employees across City Departments.

There are indicators that PCs are not being effectively deployed and managed.
For example, we found the following: (1) employees commonly being assigned multiple computers, (2) computers not being timely deployed to end-users, and (3) computers used by end-users that are well beyond their scheduled replacement dates.

1. Employees assigned multiple computers. We identified 52 employees assigned more than one computer when the assigned computers were still within the 3-year warranty date. However, there are several active computers on the system that fall out of this range. Therefore, the actual number of users with more than one assigned computer is likely much larger. Within the past year, IT has implemented an informal strategy of replacing desktops with laptops with the goal of reducing the number of employees assigned to multiple computers.

2. Computers not timely deployed. Adequate records to determine the length of time it takes for computers to be deployed to end-users are not available for most currently deployed PCs. However, we were able to analyze the deployment of 142 Dell computers – which are among some of the most recent computer acquisitions. Of these computers, 42 had been deployed while 100 were sitting in storage waiting to be deployed (as of February 2022). For the 42 computers which had already been deployed, only 1 computer took longer than 2 months to be deployed. For the 100 Dell computers waiting to be deployed, there were 10 which had been sitting in storage for over three months (see Table 3 below for a more detailed breakdown). It takes on average approximately 10 days to deliver items to the buyer after it is shipped, and three-year warranties on these computers begin once they are shipped. The primary causes of these delays are the prioritization of service requests on deployed computers and the inefficiency of the deployment process.
Table 3: Dell Computer Deployment (Time between date delivered and date first seen in Lansweeper)

| Range (In Days) | Deployed: Number of Computers | Deployed: Percent of Total | Deployed: Average Days | Not Deployed: Number of Computers | Not Deployed: Percent of Total | Not Deployed: Average Days |
|---|---|---|---|---|---|---|
| 91 to 120 | 0 | 0% | 0 | 10 | 10% | 110 |
| 61 to 90 | 1 | 2.4% | 64 | 18 | 18% | 77 |
| 31 to 60 | 26 | 61.9% | 47 | 71 | 71% | 47 |
| 1 to 30 | 15 | 36.7% | 17 | 1 | 1% | 24 |
| Total: | 42 | 100% | 37 | 100 | 100% | 58 |

Source: Dell Website and Lansweeper as of 02/24/22

The IT Assets Maintenance and Retirement Process Needs Improvement
The City does not have adequate systems or processes to take a proactive approach to computer maintenance. In addition, the City’s computer replacement and disposal processes are not timely, well-organized, and accurately recorded. However, the data security risk of the disposed assets is low due to using data encryption and hard drive shredding practices.

IT’s approach to technology maintenance is largely reactive.
Computers connected to the City’s network receive periodic software updates to reduce security vulnerabilities, to fix bugs or crashes, and to ensure compatibility with other updated technologies. Outside of these periodic updates, maintenance of technology assets appears to be mostly reactive. Issues with software or hardware are reported by end-users through IT’s ticketing system. IT’s system and processes are not currently designed for proactive monitoring – which means identifying potential issues within IT infrastructure and applications before users notice and complain, and initiating actions to keep the issue from becoming noticeable to users and affecting operations.

Risk (high): Capturing and analyzing data related to technology assets is essential to developing appropriate hardware and software standards, policies, and procedures. Because IT does not track assets throughout their entire life cycle, they are unable to effectively analyze the effectiveness and efficiency of asset acquisition and deployment across the entire City.
This has resulted in computer assets not only being deployed late but also not being replaced on time.

Recommendation: To get the most output from technology assets, IT should be continuously evaluating user technology utilization through robust processes and systems. Once IT can accurately track and collect these data, they should update hardware standards, policies, and procedures to ensure these assets are being utilized efficiently and effectively – including timely deployment and replacement.

Table 4: Deployed Computers Purchased Prior to 1/1/18

| Purchase Year | Date Last Seen in Lansweeper: 9/2021 – 12/2021⁷ | Date Last Seen in Lansweeper: 1/2022 | Date Last Seen in Lansweeper: Total | Breakdown by Computer Category: Assigned to Employees | Breakdown by Computer Category: Not Assigned⁸ | Breakdown by Computer Category: Locked per Policy | Breakdown by Computer Category: Total |
|---|---|---|---|---|---|---|---|
| 2011 | 1 | 2 | 3 | 2 | 1 | 0 | 3 |
| 2012 | 1 | 0 | 1 | 1 | 0 | 0 | 1 |
| 2013 | 1 | 3 | 4 | 1 | 2 | 1 | 4 |
| 2014 | 0 | 13 | 13 | 12 | 1 | 0 | 13 |
| 2015 | 2 | 21 | 23 | 19 | 2 | 2 | 23 |
| 2016 | 9 | 53 | 62 | 61 | 0 | 1 | 62 |
| 2017 | 15 | 124 | 139 | 102 | 25 | 12 | 139 |
| Total: | 29 | 216 | 245 | 198 | 31 | 16 | 245 |

⁷ Only one PC was last seen in April 2021.
⁸ Examples of computers not assigned to employees include workstations in the College Station Library, Fire Stations, Emergency Operation Center, Utility Substations, HR Training room, CMO meeting room, and Dispatch.

Source: Lansweeper as of 02/24/22; includes HP, Dell, Lenovo PCs

IT should ensure timely, transparent, and cost-efficient disposal of computer assets. According to City policy, technology assets should be disposed of in one of five ways: (1) recycled, (2) auctioned, (3) traded-in, (4) destroyed, or (5) donated to charity. IT is responsible for choosing the most cost-effective and environmentally friendly method to dispose of technology assets. However, IT does not have clearly defined procedures to determine the optimal disposal method. For example, we found that (1) the condition of replaced computers is not evaluated upon return, (2) asset disposals are often untimely, (3) disposal records are incomplete, and (4) disposal method determinations are inconsistently applied.
Table 5 summarizes how IT managed 2019 to 2021 replaceable assets.

IT should be maintaining an accurate replacement schedule for major technology assets. According to City policy, IT should be centrally managing and budgeting for the replacement and maintenance of technology assets citywide. The purpose of replacement schedules is to balance both the business needs and budget capacity of the City. According to current policy, Panasonic Toughbook computers (primarily utilized in public safety vehicles) should be replaced every five years while all other computers should be replaced every four years.

City policy dictates that IT is responsible for disposing of technology assets. According to City policy, computers should be replaced regardless of their condition at the end of their predetermined useful lives. The replacement schedule is generated from the Lansweeper dataset, and the process is initiated and managed fully by IT. Departments, only in rare cases, request the replacement of damaged assets through IT’s ticketing process. Figure 3 describes the IT asset replacement and disposal process.

Table 5: Management of Replaceable Assets

| Scheduled Replacement | Auctioned | Recycled/Destroyed | Still in Use | Stored | Unidentified | Total |
|---|---|---|---|---|---|---|
| 2019 | 6 | 21 | 12 | 20 | 140 | 199 |
| 2020 | 2 | 24 | 7 | 16 | 96 | 145 |
| 2021 | 0 | 0 | 143 | 12 | 36 | 191 |
| Total | 8 | 45 | 162 | 48 | 272 | 535 |

Source: Multiple data sources obtained from IT and through conducting assets inventory

Figure 3: IT Asset Replacement and Disposal Process

1. Departments notified of computer replacement
2. Computers collected & hard drives removed to be shredded later
3. Superficial evaluation of asset condition to:
   - Recycled/Destroyed: Taken to Landfill or vendor destroys or recycles
   - Auctioned: Sent to Fiscal to advertise & auction to highest bidder
   - Used as Loaner: Stored until request for temporary deployment
4. Hard drives stored until shredded internally at CSU or vendor destroys

Source: Interviews with IT staff and asset disposal guideline

Shredding of hard drives does not occur timely. IT removes hard drives from all computers identified for disposal. Hard drives are stored until they are either shredded internally by IT personnel or a vendor is employed to perform this service. In both cases, IT creates a list of shredded or physically destroyed hard drives. However, since there was no complete list of owned hard drives, we were not able to confirm whether the records of shredded hard drives were complete. In addition, IT does not have a policy defining the timeline for physical destruction of hard drives. We discovered multiple boxes of hard drives in the storage room that were not accounted for by IT.

Risk (low): Although there is a risk that computers scheduled for disposal can be lost or stolen, the value of these assets may be immaterial due to their age.¹⁰ Therefore, data security is a greater potential risk. However, these risks are mitigated because IT encrypts the hard drive of all City computers. In addition to encryption, IT physically destroys hard drives to avoid data leakage from the City.

Recommendation: IT should develop policies and procedures for computer replacement and disposal which provide guidelines for (1) determining the disposal method, (2) improving documentation of replaced and disposed computer assets, and (3) providing objectives related to the timeliness of replacement, storage, and disposal.

¹⁰ On average, PCs are sold on auction for less than $100.

Replacement and disposal records are incomplete and inaccurate. Between 2019 and 2021, IT planned to replace 535 computers that were purchased before 2018.
Replacement records do not indicate which assets were auctioned, recycled/destroyed, or kept in storage. In addition, we found systems and processes for tracking computer replacement and disposal to be inadequate, which resulted in inaccurate or incomplete records. Therefore, we were unable to verify the disposal of 272 computers from the replacement schedule.

We were unable to verify an adequate chain of custody process when computers are replaced and collected for disposal. The only document that confirms whether the asset was returned to the IT department is the replacement schedule. However, we also identified at least 13 computers⁹ actively being used by Departments when IT records appeared to indicate that they had been replaced and returned to IT. Moreover, IT does not have guidelines that would define how long Departments are allowed to keep old computers after replacing them with new ones.

Computers are not being timely disposed. As of January 2022, we found 309 computers and tablets in storage waiting to be disposed. Only 121 of those assets were documented on the replacement schedules between 2019 and 2021. We were unable to identify the exact purchase year of all these assets. However, a breakdown of HP computers stored for disposal can be seen in Figure 4.

⁹ We verified that these 13 computers are not being used as loaner computers.

[Figure 4: HP Computers Stored for Disposal by Purchase Year (as of January 2022). Bar chart; horizontal axis: purchase year, 2011 through 2019 and NA; vertical axis: number of computers. Source: Asset inventory results and HP website]

Scope

The City Internal Auditor’s Office conducted this performance audit in accordance with Generally Accepted Government Auditing Standards (GAGAS). Those standards require that the audit team plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Audit fieldwork was conducted from November 2021 through February 2022. The audit scope encompassed PC inventories and IT asset management practices in place as of February 2022. More precisely, we studied all deployed PCs as of February 24, 2022, PC purchase transactions from 2015 to 2022, stored PCs as of January 31, 2022, and replaced and disposed computers between 2019 and 2021. The audit’s focus is on systems and practices used in the governance, management, control, and oversight of PCs throughout their lifecycle.

Methodology

To meet the audit objective, we performed the following steps:

• Researched leading practices related to ITAM.
• Reviewed policies and procedures related to ITAM and compared them to best practices.
• Interviewed staff from the IT Department to obtain a detailed understanding of their ITAM practices.
• Performed data analytics by combining data from applicable sources such as Munis, PC manufacturers’ official websites, and the IT Department to identify inaccurate records and opportunities for improvements.
• Performed walkthroughs of PC acquisition, deployment, storing, and retirement processes to gain an understanding of the function and to evaluate the design and effectiveness of the processes and internal controls.

More precisely, we performed a detailed analysis of the mentioned areas and created corresponding asset records:

• Acquisition – created the list of all PC purchases made on a pcard and on a Purchase Order (PO) by IT and other Departments from 2015 to 2022. To identify the number of missing PCs, we reconciled the obtained list with deployed, stored, and disposed PCs’ datasets. To check the completeness and accuracy of the created list of Dell PC purchases made from 2020 to 2022, we compared it with the purchases data generated from the Dell website.
• Deployment – to check the timeliness of the PC deployment, we compared the actual delivery dates to the dates when PCs were first connected to the City network. We did this test for selected Dell computers deployed since April 2020.
• Inventory – conducted a physical inventory of the PCs kept in old and new storage rooms and created the inventory records as of January 27, 2022 and January 31, 2022, respectively.
• Replacement and Disposal – analyzed 2019-2021 PC and MDT replacement schedules and created from these datasets the list of potentially disposed assets by reconciling it with existing incomplete disposed asset records, and also with stored, deployed, and auctioned datasets. In addition, analyzed old asset auction practices in more detail.

Appendix A: Management Response Summary

The following summarizes the recommendations issued throughout this report. The auditors found that staff and the Department were receptive and willing to make improvements to controls where needed. Management has provided their response to each recommendation.

Risk: Medium
1. The City should develop a policy stating when it is appropriate to use a purchasing card to make technology purchases. In addition, a process should be developed to efficiently identify the purchasing records in Munis of all technology assets.
Concur
Expected Completion: 1/1/2023
Plan of Action: IT and Fiscal Services will coordinate to develop policies and procedures to provide a clear roadmap for departments purchasing technology with a purchasing card.
Responsibility: Chief Information Officer

Risk: High
2. IT should develop a policy and procedure to inspect and receive ordered items in Munis when they are delivered.
Concur
Expected Completion: 10/1/2022
Plan of Action: IT will develop an internal procedure for inspection and receiving items purchased using the Munis system.
Responsibility: Chief Information Officer

Risk: Low
3. There may be a business justification for a technology purchase to not be centralized. In these instances, the business justification for purchasing an item outside City policy should be clearly documented. Alternatively, the City could implement a policy establishing the criteria for when Departments are allowed to make their own technology purchases.
Concur
Expected Completion: 10/1/2022
Plan of Action: IT will coordinate with all department heads and CMO and identify specific circumstances where a department can purchase technology items without involvement of IT.
Responsibility: Chief Information Officer

Risk: High
4. The City should develop new strategies for tracking technology assets at every stage of the asset life cycle. In developing this strategy, the City should consider new systems, processes, and policies to plan for technology replacement efficiently and effectively.
Concur
Expected Completion: FY24
Plan of Action: The IT department will pursue a software solution with the ability to track and manage the entire life cycle of each asset. IT policies and processes will be updated and/or developed to ensure the visibility and insight of each IT asset.
Responsibility: Chief Information Officer

Risk: High
5. To get the most output from technology assets, IT should be continuously evaluating user technology utilization through robust processes and systems. Once IT can accurately track and collect these data, they should update hardware standards, policies, and procedures to ensure these assets are being utilized efficiently and effectively – including timely deployment and replacement.
Concur
Expected Completion: FY25
Plan of Action: IT will use the same IT Asset Management system for asset lifecycle tracking to measure asset utilization. Future asset purchases can be based on historical usage of the asset.
Historical usage can be used to develop appropriate hardware standards for expected future needs.
Responsibility: Chief Information Officer

Risk: Low
6. IT should develop policies and procedures for computer replacement and disposal which provide guidelines for (1) determining the disposal method, (2) improving documentation of replaced and disposed computer assets, and (3) providing objectives related to the timeliness of replacement, storage, and disposal.
Concur
Expected Completion: FY24
Plan of Action: IT will coordinate with Fiscal Services to develop policies and procedures with the goal of improving asset disposal tracking. These policies and procedures will also include the lifecycle tracking capabilities in the IT Asset Management system to be purchased in FY24.
Responsibility: Chief Information Officer

The Office of City Internal Auditor was established in accordance with the City of College Station Charter as an independent office reporting to City Council to help establish accountability and improve City services. The Office of City Internal Auditor is responsible for conducting performance audits of Departments, offices, boards, activities, and agencies of the City and providing recommendations for improvement.

Audit Team
Ty Elliott, City Internal Auditor
Ana Mazmishvili, Assistant City Internal Auditor
Tarek Natsheh, Internal Audit Intern

City Auditor
Ty Elliott
Office of the City Internal Auditor
979.764.6269
telliott@cstx.gov
cstx.gov/AuditReports