Audit Objective
Determine whether City officials ensured the City’s Information Technology (IT) systems were adequately secured and protected against unauthorized use, access and loss.
Key Findings
- City officials did not develop adequate IT policies or procedures.
- 70 user accounts have not been used in the last six months; 19 of these accounts were never used, and one account was last used to log on to the network more than nine years ago.
- Financial application users had excessive permissions.
In addition, sensitive IT control weaknesses were communicated confidentially to City officials.
Key Recommendations
- Adopt comprehensive written IT policies and procedures to address acceptable computer use and online banking.
- Develop written procedures for managing system access that include periodically reviewing user access.
- Limit financial application access to ensure City users cannot control all phases of a transaction.
City officials disagreed with certain aspects of our findings and recommendations, but indicated they have initiated or planned to initiate corrective action. Appendix B includes our comments on issues raised in the City’s response letter.