City of Middletown – Selected Financial Operations and Information Technology (2013M-56)

Issued Date
May 31, 2013

Purpose of Audit

The purpose of our audit was to examine the City’s purchasing practices, Council oversight, and IT for the period January 1, 2011, to July 9, 2012.

Background

The City of Middletown is located in Orange County and has a population of approximately 28,000. The City is governed by its Charter, general State laws, and local laws and ordinances. The City has a Mayor, a nine-member City Council, and an appointed Treasurer. The City’s 2012 and 2013 general fund budgets totaled $34 million and $35 million, respectively.

Key Findings

  • The City did not adopt a comprehensive procurement policy. As a result, City officials and employees did not solicit competitive proposals for five of eight professional services providers who were paid $164,613. City officials also did not have a written agreement with one of eight professional service providers we tested. City officials did not solicit written quotations for eight of 18 purchases tested totaling $73,661.
  • The Council did not require the Treasurer to provide written periodic financial reports for use in monitoring City financial operations.
  • System users were unnecessarily assigned administrative rights and had access to system modules that they did not need to perform their job duties.
  • The Council did not establish an information breach notification policy or a disaster recovery plan to minimize disruption of operations in the event of a catastrophic event.

Key Recommendations

  • Consider revising the City’s procurement policy to require the use of competitive methods when obtaining professional service providers. Enter into written agreements with all professional service providers. Obtain quotations as required by the procurement policy prior to making purchases that fall below the bidding thresholds.
  • Require the Treasurer to provide the periodic written financial reports the Council needs to fulfill its responsibility of monitoring City financial operations.
  • Limit individual system users’ access to modules to only those needed to perform their job responsibilities.
  • Adopt a comprehensive IT policy that includes the breach notification requirement.