City_of_Akron_08-Summit_Ml by warnermendenhall


									                                           MANAGEMENT LETTER

City of Akron
Summit County
166 South High Street
Akron, Ohio 44308

To the City Council:

We have audited the financial statements of the City of Akron, Summit County, Ohio (the City), in
accordance with Government Auditing Standards, as of and for the year ended December 31, 2008, and
have issued our report thereon dated June 22, 2009.

Government Auditing Standards require us to report significant internal control deficiencies, fraud, and
illegal acts (including noncompliance with laws and regulations), and also abuse and noncompliance with
contracts and grant agreements that could directly and materially affect the determination of financial
statement amounts. We have issued the required report dated June 22, 2009, for the year ended
December 31, 2008.

Office of Management and Budget Circular A-133 requires that we report all material (and certain
immaterial) instances of noncompliance, significant deficiencies, and material weaknesses in internal
control related to major federal financial assistance programs. We have issued the required report dated
August 25, 2009, for the year ended December 31, 2008.

We are also submitting the following comments for your consideration regarding the City’s compliance
with applicable laws, regulations, grant agreements, contract provisions, and internal control. These
comments reflect matters that do not require inclusion in the reports Government Auditing Standards or
Office of Management and Budget Circular A-133 require. Nevertheless, these comments represent
matters for which we believe improvements in compliance or internal controls or operational efficiencies
might be achieved. Due to the limited nature of our audit, we have not fully assessed the cost-benefit
relationship of implementing these recommendations. However, these comments reflect our continuing
desire to assist your City. If you have questions or concerns regarding these comments, please contact
your regional Auditor of State office.

* Indicates a comment repeated from the 2007 financial audit.

                                      Federal Noncompliance Citations

1. 24 C.F.R. Section 58.22* provides that Community Development Block Grant (CDBG) funds (and
   local funds to be repaid with CDBG funds) cannot be obligated or expended before receipt of the
   Department of Housing and Urban Development’s (HUD’s) approval of a Request for Release of Funds
   (RROF) and environmental certification, except for exempt activities under 24 C.F.R. Section 58.34
   and categorically excluded activities under section 58.35(b).

    Program funds approximating $6,628 (projected to be $30,332) for one project were spent prior to
    HUD's approval of the RROF and environmental certification. HUD subsequently approved all these
    projects. A key control in the disbursement process is to ensure projects are approved prior to the
    release of funds. To improve controls over federal disbursements, the City should monitor the status
    of its RROFs to ensure that CDBG funds are not obligated or expended before HUD’s approval of the
                        101 Central Plaza South / 700 Chase Tower / Canton, OH 44702 1509
                       Telephone: (330) 438 0617       (800) 443 9272    Fax: (330) 471 0001

2. Procurement and Suspension and Debarment*

    24 C.F.R. 24 indicates non-Federal entities receiving Federal funding from the U.S. Department of
    Housing and Urban Development are prohibited from contracting with or making subawards under
    covered transactions to parties that are suspended or debarred or whose principals are suspended or
    debarred. Covered transactions include those procurement contracts for goods and services
    awarded under a nonprocurement transaction (e.g., grant or cooperative agreement) that are
    expected to equal or exceed $25,000 or meet certain other specified criteria. All nonprocurement
    transactions (i.e., subawards to subrecipients), irrespective of award amount, are considered covered

    The non-Federal entity must verify the entity is not suspended or debarred or otherwise excluded.
    This verification may be accomplished by checking the Excluded Parties List System (EPLS)
    maintained by the General Services Administration (GSA), collecting a certification from the entity, or
    adding a clause or condition to the covered transactions with that entity.

    During 2004, the City’s Engineering Division awarded a contract in excess of $25,000 for the
    Elizabeth Parkway Project which used HOPE VI Federal grant funds during 2008. Additionally,
    during 2008, the City’s Engineering, Housing Rehabilitation, and Comprehensive Planning Divisions
    contracted with several companies and/or subrecipients for the expenditure of Community
    Development Block Grant (CDBG) funds and Home Investment Partnership Program (HOME) funds
    each in excess of $25,000.

    The City’s divisions, noted above, failed to maintain evidence documenting EPLS searches were
    performed, certifications were collected from the entities, or clauses/conditions were added to the
    covered transactions with said organizations. However, we verified the companies and subrecipients
    are not on the EPLS.

    Each of the City’s divisions responsible for awarding a covered transaction should review the EPLS
    for the contracting entity and attach a copy of the search results to the accepted bid documents.
    Alternatively, the responsible division may collect a compliance certification from the contracting entity
    or add a clause or condition to the covered transaction with the entity.

3. 7 C.F.R. 3016, part 20(b)(1)-(2) requires that accurate, current, and complete disclosure of the
   financial results of financially assisted activities be made in accordance with the financial
   reporting requirements of the grant or subgrant. Grantees and
   subgrantees must maintain records which adequately identify the source and application of funds
   provided for financially-assisted activities. These records must contain information pertaining to grant
   or subgrant awards and authorizations, obligations, unobligated balances, assets, liabilities, outlays
   or expenditures, and income.

    The City received two advances of program revenue for the Special Supplemental Nutrition Program
    for Women, Infants, and Children (WIC) dated November 8, 2007 and December 7, 2007 for
    $128,980 each. However, these transactions were not posted until January 9, 2008 and March 12,
    2008, respectively. This delay in recording revenues to the fund and account could lead to loss of
    revenues in interest earned and does not provide an accurate fund balance at month end for financial
    reporting purposes.

    In addition, 7 C.F.R. section 246.15(a) and 31 C.F.R. part 205 require that any interest earned on
    advances by the local government grantee be submitted promptly, but at least quarterly, to the
    Federal agency. Up to $100 per year may be kept for administrative expenses.

     The WIC program receives advances of program revenue, and each quarterly and final
     expenditure report disclosed a positive “Available Grant Fund Balance.” However, no interest was
     reported or posted to the program fund until December. The City recorded interest earned of $47.81
     on December 2, 2008 and $5,922.30 on December 31, 2008 for a total of $5,970.11 that should have
     been reported and submitted to the Federal grantor. The City may retain $100 of the interest earned
     for administrative expenses and remit the remaining $5,870.11 back to the Federal Grantor. This
     amount was subsequently remitted on April 3, 2009.

     To assist in recording grant funds, the health department should send a copy of the draw request to
     the Treasury department to help identify the receipt to the proper account.

     To facilitate a more accurate calculation of a month end fund balance and interest earned, interest
     should be calculated each quarter, and remitted to the Federal grantor promptly. The Health
     Department should notify the City Treasury when an advance is expected for prompt posting of

                                         Noncompliance Citations

1.      Ohio Rev. Code Section 5705.41(D)* requires that no subdivision or taxing unit shall make any
        contract or give any order involving the expenditure of money unless there is attached thereto a
        certificate of the fiscal officer of the subdivision certifying that the amount required to meet the
        obligation has been lawfully appropriated for such purpose and is in the treasury or in the process
        of collection to the credit of an appropriate fund free from any previous encumbrances. This
        certificate need be signed only by the subdivision’s fiscal officer. Every contract made without
        such a certificate shall be void and no warrant shall be issued in payment of any amount due

        There are several exceptions to the standard requirement stated above that a fiscal officer’s
        certificate must be obtained prior to a subdivision or taxing authority entering into a contract or
        order involving the expenditure of money. The main exceptions are: “then and now” certificates,
        blanket certificates, and super blanket certificates, which are provided for in sections
        5705.41(D)(1) and 5705.41(D)(3), respectively, of the Ohio Revised Code.

        1.   “Then and Now” Certificate – If the fiscal officer can certify that both at the time that the
             contract or order was made (“then”), and at the time that the fiscal officer is completing the
             certification (“now”), sufficient funds were available or in the process of collection, to the
             credit of a proper fund, properly appropriated and free from any previous encumbrance, the
             City can authorize the drawing of a warrant for the payment of the amount due. The City has
             thirty days from the receipt of the “then and now” certificate to approve payment by ordinance
             or resolution.

             Amounts of less than $3,000 may be paid by the fiscal officer without a resolution or
             ordinance upon completion of the “then and now” certificate, provided that the expenditure is
             otherwise lawful. This does not eliminate any otherwise applicable requirement for approval
             of expenditures by the City.

      2.   Blanket Certificate – Fiscal officers may prepare “blanket” certificates for a certain sum of
           money not in excess of an amount established by resolution or ordinance adopted by a
           majority of the members of the legislative authority against any specific line item account over
           a period not running beyond the end of the current fiscal year. The blanket certificates may,
           but need not, be limited to a specific vendor. Only one blanket certificate may be outstanding
           at one particular time for any one particular line item appropriation.

      3.   Super Blanket Certificate – The City may also make expenditures and contracts for any
           amount from a specific line-item appropriation account in a specified fund upon certification of
           the fiscal officer for most professional services, fuel, oil, food items, and any other specific
           recurring and reasonably predictable operating expense. This certification is not to extend
           beyond the current year. More than one super blanket certificate may be outstanding at a
           particular time for any line item appropriation.

       The City’s policy does not subject certain expenditures such as income tax refunds and witness
       fees to the normal certification process prior to incurring the obligation. Five of thirty (16.7%)
       items tested were not certified prior to commitment and 3 of the 5 exceptions were income tax
       refunds. It was found that none of the exceptions above were utilized for the items found to be in

       The City should issue a blanket purchase order for refunds and witness fees to certify the
       availability of funds for expenditure. In addition, the City should implement the use of “Then and
       Now Certificates” as further means to certify funds pursuant to Ohio Rev. Code Section

2.     Ohio Rev. Code Section 5705.36(A)(2) allows all subdivisions to request increased amended
       certificates of estimated resources and reduced amended certificates upon determination by the
       fiscal officer that revenue to be collected will be greater or less than the amount in the official
       certificate of estimated resources.

       Ohio Rev. Code Section 5705.36(A)(4) requires obtaining a reduced amended certificate if the
       amount of the deficiency will reduce available resources below the current level of appropriation.

       The total appropriations made during a fiscal year from any fund must not exceed the amount
       contained in the Certificate of Estimated Resources or the Amended Certificate of Estimated
       Resources which was certified prior to making the appropriation or supplemental appropriation.

        For 9 of the 13 funds selected for testing, the City had appropriations that exceeded the available
        resources as follows:

      Fund                                            Total              Available       Available Resources vs. Appropriations
      Number   Fund Name                          Appropriations         Resources       Excess / (Deficiency)
      1000     General                             $164,111,148        $160,954,512           ($3,156,636)
      2025     CIP Operating                         36,917,115          36,912,688                (4,427)
      2080     Community Development                  9,893,957           5,089,263            (4,804,694)
      4050     Road and Bridge Improvement           11,786,912           8,728,910            (3,058,002)
      4170     Public Parking                        18,227,762          16,317,162            (1,910,600)
      5000     Water                                 46,156,099          39,084,387            (7,071,712)
      5005     Sewer                                 52,547,900          38,424,543           (14,123,357)
      5030     Off-Street Parking                     5,288,877           5,228,900               (59,977)
      6005     Liability Self Insurance              27,693,312          21,363,365            (6,329,947)

3.      Ohio Rev. Code Section 117.38* requires that GAAP-basis entities must file annual reports
        within 150 days. These reports must be filed on forms prescribed by the Auditor of State. Also,
        the public office must publish a notice in a local newspaper stating that the financial report is
        available for public inspection at the office of the chief fiscal officer.

        The City did not file its annual report for 2007 with the Local Government Service Division (LGS)
        of the Auditor of State’s Office until August 13, 2008, which is after the 150 day requirement. The
        City also did not publish a notice in a local newspaper indicating the report was available for

        In addition, the City did not file its annual report for 2008 until August 4, 2009.

        Although the City was granted a waiver for both years, the City should file the annual report with
        LGS within the 150 day requirement and publish a notice in the newspaper indicating the annual
        financial report is available for review. For further guidance, see Auditor of State Bulletin 2008-


                                          Recommendations

1.      Outstanding and Stale-dated Checks*

        The following reconciling items were noted as of December 31, 2008:

              •   Approximately 858 of the City’s 887 outstanding payroll account checks were greater
                  than one year old, with some dating as far back as December 14, 1978.
              •   Approximately 613 of the City’s 1,193 outstanding general depository checks were
                  greater than one year old, with the oldest dating back to January 21, 2004.
              •   Personal information, such as social security numbers, was included on the payroll
                  outstanding check lists.

      The City should develop a written policy for removing old or stale-dated checks from the
      accounting system following the guidance provided for in Auditor of State Management Advisory
      Services Bulletin 91-11. This bulletin indicates that pursuant to Ohio Rev. Code Section 9.39
      unclaimed money shall be deposited to the credit of a trust fund and shall be retained there until
      claimed by its lawful owner. If not claimed within a period of five years, the money shall revert to
      the General Fund. Furthermore, social security numbers should be redacted from the
      outstanding check list. The City should also consider listing the names of the individuals on their
      website to clear stale dated items.

2.     Budgetary Statement Interfund Transfers*

      The (Non-GAAP Basis) Budgetary Comparison Schedules included in the City’s Comprehensive
      Annual Financial Report (CAFR) report in certain funds “Interfund Transfers In”, which aggregate
      to $20,881,633, in total, for which there were no corresponding “Interfund Transfers Out” reported
      on the budgetary basis. As a result, certain transactions were accounted for on the City’s cash
      basis (“Banner”) system as expenditures rather than transfers to other funds. For the City’s
      GAAP financial statements, these transactions have been reclassified for interfund transfers in
      and out to balance.

      The budgetary basis of accounting is the basis used by the City on a daily basis and the basis
      under which the City must appropriate its funds. Use of different account classifications between
      the budgetary and GAAP financial statements makes it difficult for users to understand the
      differences between the two bases of accounting and may impair the overall usefulness of the
      financial statements.

      The City should use the same or similar account classifications on its budgetary and GAAP
      financial statements. Further, they should ensure the aggregate total of transactions identified as
      interfund transfers in can be reconciled to the aggregate total of transactions identified as
      interfund transfers out on both the budgetary and GAAP financial statements.

3.    Delegation of Legislative Authority*

      In the case of C. B. Transportation, Inc. v. Butler County Board of Mental Retardation, 60
      Ohio Misc. 71, 397 N.E.2d 781 (C.P. 1979), as well as Burkholder v. Lauber, 6 Ohio Misc.
      152 (1965), it was held that a board or officer whose judgment and discretion is required was
      chosen because they were deemed fit and competent to exercise that judgment and discretion
      and unless power to substitute another in their place has been given, such board or officer cannot
      delegate these duties to another. Auditor of State Bulletin 97-010 is consistent with such
      reasoning and states the legislative body of a local government may not delegate its authority to
      establish appropriations. The appropriations process is a function of the legislative authority that
      must be performed by those specific individuals elected to fulfill that responsibility. This bulletin
      also notes that the level at, or above, which a government’s management may not reassign
      resources without legislative approval is known as the “legal level of control”. In Ohio, the “legal
      level of control” is the level (i.e., fund, function, object, etc.) at which the appropriation measure is
      passed by the authority of a local government.

      Ohio Rev. Code Section 5705.14 requires that, except in the case of transfers from the general
      fund, transfers can be made only by resolution of the taxing authority passed with the affirmative
      vote of two thirds of the members. Transfers from the general fund require a resolution passed
      by a simple majority of the board members (i.e., a two thirds vote is not required for general fund
      transfers though a resolution is required).

      Section 62 of the City’s 2008 appropriation ordinance (Ordinance 134-2008, passed March 17,
      2008) (the Ordinance), provides, “that [appropriation] transfers of sums of $15,000 or less, within
      the classes of disbursements listed in this ordinance, are hereby authorized and approved by City
      Council as transferred upon the approval of the Director of Finance”.

      Although we noted no appropriation adjustments made without the formal approval of the City
      Council during 2008, Section 62 of the Ordinance appears to give the Director of Finance the
      authority to adjust appropriations at the “legal level of control” which is contrary to the guidance of
      Auditor of State Bulletin 97-010.

      Furthermore, Section 65 of the Ordinance provides “that the Finance Director is hereby
      authorized to transfer funds….”

      Under section 65, the Director of Finance made inter-fund transfers during the year the details
      (amount and funds) of which were not approved by Council in the minutes. Such broad provision
      as that in section 65 amounts to delegation of authority. Ohio Rev. Code Section 5705.14
      requires a majority vote of the taxing authority for all transfers.

      The City should consult with their legal counsel to determine in what manner the verbiage of
      Sections 62 and 65 should be revised for the City’s future appropriation and transfer resolutions.

4.     Credit Card Expenditures*

      Auditor of State Bulletin 2003-005 Expenditure of Public Funds/Proper “Public Purpose”
      indicates that governmental entities may not make expenditures of public monies unless they are
      for a valid public purpose. There are two criteria that demonstrate whether an expenditure is for a
      public purpose.

      First, the expenditure is required for the general good of all inhabitants and second, the primary
      objective of the expenditure is to further a public purpose, even if an incidental private end is

      The City holds consumer credit cards which were issued to the Mayor, Council President, the
      Purchasing Agent, and Deputy Mayor for Economic Development to purchase meals and
      incidental related travel expenses for users attending approved seminars, conferences or other
      educational programs. The City’s Credit Card Policy provides in part, “User has responsibility to
      sign receipt at time of purchase and return customer copy of receipt along with supporting
      documentation (itemized receipt, list of registrants or attendance, etc.) that adequately explains
      the nature of the expense to the Mayor’s staff or Clerk of Council to reconcile the bank

      During our testing, we noted the City had total credit card charges of $102,910. Of this total,
      $11,272 (of which $3,494 was for meal expenses) does not have sufficient supporting documentation
      to determine if expenditures incurred were for a proper public purpose.

      Failure to obtain itemized receipts and invoices for credit card purchases increases the risk that
      public monies could be used for an improper public purpose.

      The City should require all officials and employees to submit itemized receipts and provide
      adequate supporting documentation for all purchases to comply with the City’s Credit Card policy
      and demonstrate whether an expenditure is for a public purpose.

5.     Medical Self-Insurance Fund Net Assets Deficit*

      The City’s Medical Self-Insurance Fund, an internal service fund, is used to account for the
      financing of medical insurance coverage provided to City employees on a cost-reimbursement
      basis. As of December 31, 2008, the City’s Medical Self-Insurance Fund reported a net assets
      deficit of $8,498,511, which is an increase in the deficit balance by $876,198 from the prior year

      The City should review the current contributions and projected cost of claims to ensure the
      account is adequately funded.

6.     Supplemental Schedule of Expenditures of Federal Awards

       The City received a sub-grant from the Akron Metropolitan Housing Authority (AMHA) for HOPE
       VI (CFDA 14.866) grant funds for the Elizabeth Park revitalization project. The City received
       reimbursement from AMHA over the past three years but did not report the grant award and
       expenditures until fiscal year end 2008.

       The City should develop procedures to ensure that amounts reported on its Supplemental
       Schedule of Expenditures of Federal Awards are complete and accurately reflect the City’s
       expenses related to all Federal Awards. Failure to report financial activity on the Schedule of
       Federal Awards could result in loss of future grant funding.

7.     Master Income Tax Filers Listing (Tax ID Table)

       It was the practice of the City’s Income Tax Department to obtain a listing of Ohio tax filers and
       check this against active City of Akron accounts. However, this check has not been done for the
       past few years. During our testing of the City’s Active Accounts listing of income tax filers, 10 of
       the 25, or 40% of the accounts selected to test, were non-filers. Three of the ten non-filers
       required follow-up work by the City’s income tax department. Two of the three accounts should
       have been closed and deleted from the master listing. For the third exception, the individual was
       a State income tax filer, and therefore, follow up should have been noted and updated on the
       master listing.

       The Income Tax Department Master Tax ID Table should be updated annually and inactive
       accounts should be removed timely. Non-filers showing active as Ohio Tax filers from the State
       of Ohio should have notations that follow-up work was done, and the list should include the
       current status of all accounts.

8.     Income Tax Reconciliations

       The Income Tax Division generally reconciles the general depository and clearing account
       Electronic Fund Transfers income tax deposits to the applicable taxpayer account each month.
       However, this reconciliation was only performed through June 30, 2008.

       The City should continue to perform monthly reconciliations to individual accounts to ensure all
       accounts are properly credited.

9.     Court - Cash Reconciliations

       The clerks responsible for preparing and reviewing the bank to book cash reconciliations did not
       date or initial/sign cash reconciliations to document their review. To document that adequate
       controls are in place, the preparer should sign and date the reconciliation, and the reviewer
       should also initial and date it to show that it was compared to the balances on the ledgers for accuracy.

10.    Program Change Control (Municipal Court) *

       The use of documented application maintenance procedures is vital to help ensure adequate
       control throughout the program change process. Control is provided through the use of
       standardized policies and procedures which include authorization and tracking of program
       changes, as well as segregation of duties.

       In some instances, program changes are completed, tested, and moved into the production
       environment by the same individual. In addition, all three data processing department personnel
       have full access to both the test and production environments. With this level of access and the
       lack of segregation of duties, there is the risk that unauthorized or inappropriate program changes
       may occur.

       The program change control process should include a segregation of duties whereby completed
       program changes are documented as approved by a data processing department employee other
       than the programmer who completed the change. Once approved, an individual other than the
       programmer who made the change should move the code into the production environment. Not
       all data processing employees should have access to perform all aspects of the change control
       process. Access should be granted based on the portion of the change control process the
       employee will perform.

11.    System Development/Purchase Methodology* (City of Akron)

       The selection and subsequent implementation of a purchased system should follow a systematic
       methodology to ensure a new system will meet the users’ needs and be installed in a manner to
       allow for a smooth transition between systems. Results of testing performed should be retained
       for post implementation analysis. Although the City does not have a formal system development /
       purchase methodology, steering committee approval is needed for major purchases of hardware
       or software. However, this practice has not been developed into a formal policy, and does not
       address implementation concerns.

       The City should develop a template to provide a comprehensive development and purchasing
       methodology to be used in future implementation projects throughout all City departments. The
       methodology would include guidance for the following types of implementations:

       In-house developed systems
       • Management and user input and approval of design specifications.
       • Management and user approval of testing requirements.
       • Management and user approval to move newly developed systems into the live environment.
       • Procedures for the conversion of data.
       • User and technical training and documentation.

       Vendor purchased systems
       • Preparation of a request for proposal (RFP).
       • Evaluation of responses and the selection of a vendor system relating to the RFPs.
       • Data conversion procedures.
       • User and technical training and documentation.

12.    Application Upgrade, and Program Change Procedures* (City of Akron)

       The documentation of application maintenance procedures is vital to help ensure adequate
       control is maintained throughout the program change process. Written procedures help to ensure
       that computer application updates and modifications are authorized, tested, installed correctly,
       and meet management’s requirements and deadlines.

       The City uses informal procedures for requesting changes to in-house supported applications or
       applying patches provided for the vendor supported applications. Without effective change
       controls, unauthorized changes may be made, changes may not be sufficiently tested, changes
       and fixes may not be installed correctly, and changes may not meet the needs of the user, all of
       which may affect the stability of the application.

       The City should establish policies and procedures governing the process by which changes and
       patches are made to applications. The policies and procedures should address authorization,
       testing, transfer of changes into the live environment, and documentation of changes. In addition,
       control points should be developed to ensure compliance with the newly developed policies and

13.    Security Policies and Procedures* (City of Akron and Municipal Court)

       With the computerization of financial reporting processes and the movement toward larger and
       more open computer networking models, organizations must make computer security a top
       priority. Information access issues must be addressed by management to ensure that both the
       organization’s computer resources and data are protected. Typically, management develops
       security policies to define the risks associated with the computer environment and to define the
       procedures necessary to mitigate those risks.

       Security policies and procedures have not been developed by the City of Akron or by the
       Municipal Court. Although some procedures for administering user access are in place, they are
       not part of an overall framework used to address security concerns.

       Comprehensive information security standards and policies should be developed and applied to
       all computer environments, and should be communicated to all employees. The policies and
       procedures should address the known security risks associated with the computer environment at
       the City and the Municipal Court. At a minimum, policies and procedures should address the

       •   Proper use of the City of Akron and Municipal Court computer systems.
       •   Confidentiality of information (i.e. passwords, resident information and financial data), in
           electronic as well as hardcopy format.
       •   System implementation and security change control guidelines.
       •   Security control standards (password controls, login procedures, etc.).
       •   Remote access standards.
       •   Virus protection policies.
       •   Adherence to software licensing agreements.
       •   Documentation of the penalties for violation of the security policies.
       •   Termination procedures for removal of access privileges of transferred or terminated

14.    Logical Access Controls* (City of Akron)

       Logical access controls are vital to help ensure access is restricted to only those individuals who
       require such access to perform their job functions. User authentication and intrusion detection
       controls are typically instituted to reduce the risk of unauthorized access to computer resources.
       Similarly, controls over security or system configuration capabilities restrict access to a small
       number of users with direct responsibility for the system.

       The City has instituted some limited authentication and intrusion detection controls. Passwords
       are required to access the network and application resources; however, these passwords are not
       changed on a periodic basis. Controls over the composition of passwords are also not used for
       network or application resources. Login attempts are monitored in the Windows NT domain
       environment and configuration settings lock out user accounts after three failed logon attempts.
       However, application servers for the Banner financial application within the NT domain and the
       Linux server do not have logon controls implemented.

       In addition, six MIS support staff, as well as two individuals who support smaller Windows NT
       domains, have been provided with domain administrative access for the City’s Windows NT
       network. The file access permissions for specific files on the Windows NT application servers
       permit access above the read level by general users.

       Weak authentication and intruder detection controls increase the risk of unauthorized access to
       computer resources. The provision of administrative access to many individuals increases the
       risk that this access could be used inappropriately. If access is obtained or inappropriately used,
       these unauthorized users could create or alter financial transactions that could affect the financial

       To address these concerns, the City is implementing a new network operating system. At the
       end of the fiscal period, 40 percent of the users were under the new operating system where
       password length and login requirements are present.

       The City should review the current user authentication and intruder detection controls used by the
       various systems throughout the City. Where applicable, password and login controls should be
       strengthened. Password minimum lengths should be at least six characters and password
       expiration intervals should be no more than 30 days for system users with high level privileges
       and 90 days for general users. Login parameters should be consistently implemented to “lock
       out” a user account after three login failures. The lock out period should be designed to
       discourage attempts to guess a user’s password. Ideally, the account should remain locked until
       a system administrator unlocks the account. The City should also review the accounts with
       administrative access to determine if the access provided is commensurate with the account
       owner’s job function. This access should be limited to as few individuals as possible.
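
       One way to check a Windows domain's account policy against the thresholds recommended above, as an added example that is not part of the audit letter. It assumes the English-language `net accounts` output format; the sample text and the function names are constructed for illustration.

```python
import re

# Thresholds from recommendation 14 of the letter.
MIN_LENGTH = 6            # minimum password length, characters
MAX_AGE_PRIVILEGED = 30   # expiration interval, days, high-privilege users
MAX_AGE_GENERAL = 90      # expiration interval, days, general users
LOCKOUT_THRESHOLD = 3     # failed logons before lockout

# Constructed sample of `net accounts` output (not taken from the audit).
SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    3
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
"""

def parse_net_accounts(text):
    """Return {label: int}, or None where the value is a word such as Never/Unlimited."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(.*\S):\s+(\S.*?)\s*$", line)
        if m:
            label, value = m.groups()
            settings[label] = int(value) if value.isdigit() else None
    return settings

def audit(text, privileged=False):
    """List the settings that are weaker than the letter's recommendation."""
    s = parse_net_accounts(text)
    findings = []
    length = s.get("Minimum password length")
    if not length or length < MIN_LENGTH:
        findings.append(f"minimum password length {length}, want >= {MIN_LENGTH}")
    limit = MAX_AGE_PRIVILEGED if privileged else MAX_AGE_GENERAL
    age = s.get("Maximum password age (days)")
    if not age or age > limit:  # None or 0 means passwords never expire
        findings.append(f"password expiration {age} days, want <= {limit}")
    lock = s.get("Lockout threshold")
    if not lock or lock > LOCKOUT_THRESHOLD:  # None or 0 means no lockout
        findings.append(f"lockout threshold {lock}, want <= {LOCKOUT_THRESHOLD}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

       A missing setting is reported as a finding, so output from a host where the command failed does not pass silently.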

15.    Disaster Recovery Planning* (City of Akron and Municipal Court)

       The creation and use of a comprehensive disaster recovery plan minimizes the risk of loss of
       data and minimizes the risk that computer operations important for the functioning of the City will
       not be restored in a timely, cost effective manner after a disastrous event. The City of Akron and
       the Municipal Court have not created a disaster recovery plan. Without a disaster recovery plan,
       the City and Court could incur substantial costs in attempting to retrieve and recreate pertinent
       financial information for internal and external purposes.

       A disaster recovery plan should be developed to:

       •   Address the hardware, software and communication needs for processing at the alternate
           site, as well as develop a priority list for application processing.
       •   Identify key personnel necessary for processing at an alternate site. Establish training for the
           key personnel and allow for the periodic testing of the transfer of processing to the alternate
       •   Establish a manual backup process to tide the organization over to the point that crucial
           systems can be recovered. The backup process should address personnel, hardware and
           software requirements as well as the manual flow of paper transactions through the
           necessary authorization trail.

        In addition, the City of Akron and Municipal Court should:

        •   Prepare a structured test of the plan, periodically test the plan, formally address the results of
            the test, and update the plan based on the results. There should be an appropriation for this
            testing in each yearly budget.
        •   Distribute a copy of the plan to all key employees and store the plan off-site with the back-up

We intend this report for the information and use of the City Council and management.

Mary Taylor, CPA
Auditor of State

August 25, 2009
