					                                              MANAGEMENT LETTER


City of Akron
Summit County
166 South High Street
Akron, Ohio 44308

To the City Council:

We have audited the financial statements of the City of Akron, Summit County, Ohio (the City), in
accordance with Government Auditing Standards, as of and for the year ended December 31, 2007, and
have issued our report thereon dated July 18, 2008.

Government Auditing Standards require us to report significant internal control deficiencies, fraud, and
illegal acts (including noncompliance with laws and regulations), and also abuse and noncompliance with
contracts and grant agreements that could directly and materially affect the determination of financial
statement amounts. We have issued the required report dated July 18, 2008, for the year ended
December 31, 2007.

Office of Management and Budget Circular A-133 requires that we report all material (and certain
immaterial) instances of noncompliance, significant deficiencies, and material weaknesses in internal
control related to major federal financial assistance programs. We have issued the required report dated
July 18, 2008, for the year ended December 31, 2007.

We are also submitting the following comments for your consideration regarding the City’s compliance
with applicable laws, regulations, grant agreements, contract provisions, and internal control. These
comments reflect matters that do not require inclusion in the reports Government Auditing Standards or
Office of Management and Budget Circular A-133 require. Nevertheless, these comments represent
matters for which we believe improvements in compliance or internal controls or operational efficiencies
might be achieved. Due to the limited nature of our audit, we have not fully assessed the cost-benefit
relationship of implementing these recommendations. However, these comments reflect our continuing
desire to assist your City. If you have questions or concerns regarding these comments please contact
your regional Auditor of State office.

* Indicates a comment repeated from the 2006 financial audit.

                                         Federal Noncompliance Citation

        Procurement and Suspension and Debarment*

        24 CFR 24 indicates non-Federal entities receiving Federal funding from the U.S. Department of
        Housing and Urban Development, are prohibited from contracting with or making subawards
        under covered transactions to parties that are suspended or debarred or whose principals are
        suspended or debarred. Covered transactions include those procurement contracts for goods
        and services awarded under a nonprocurement transaction (e.g., grant or cooperative agreement)
        that are expected to equal or exceed $25,000 or meet certain other specified criteria. All
        nonprocurement transactions (i.e., subawards to subrecipients), irrespective of award amount,
        are considered covered transactions.



                        101 Central Plaza South / 700 Chase Tower / Canton, OH 44702‐1509 
                       Telephone:  (330) 438‐0617          (800) 443‐9272          Fax:  (330) 471‐0001 
                                              www.auditor.state.oh.us

      The non-Federal entity must verify the entity is not suspended or debarred or otherwise excluded.
      This verification may be accomplished by checking the Excluded Parties List System (EPLS)
      maintained by the General Services Administration (GSA), collecting a certification from the
      entity, or adding a clause or condition to the covered transactions with that entity.

          •    During 2007, the City’s Engineering Division and the Housing Rehabilitation Division
               contracted with several companies and subrecipients for the expenditure of Community
               Development Block Grant (CDBG) funds in excess of $25,000.
          •    The City’s Health Department contracted with one subrecipient for the Lead-Based Paint
               Hazard Control Grant. The subrecipient received grant money for several subcontracted
               projects in excess of $25,000.

      The City’s divisions, noted above, failed to maintain evidence documenting EPLS searches were
      performed, certifications were collected from the entities, or clauses/conditions were added to the
      covered transactions with said organizations. AOS verified companies/subrecipients are not on
      the EPLS.

      Each of the City’s divisions responsible for awarding a covered transaction should review the
      EPLS for the contracting entity and attach a copy of the search results to the accepted bid
      documents. Alternatively, the responsible division may collect a compliance certification from the
      contracting entity or add a clause or condition to the covered transaction with the entity.

                                      Noncompliance Citations

1.     Ohio Rev. Code Section 5705.41(D)* requires that no subdivision or taxing unit shall make any
       contract or give any order involving the expenditure of money unless there is attached thereto a
       certificate of the fiscal officer of the subdivision certifying that the amount required to meet the
       obligation has been lawfully appropriated for such purpose and is in the treasury or in the process
       of collection to the credit of an appropriate fund free from any previous encumbrances. This
       certificate need be signed only by the subdivision’s fiscal officer. Every contract made without
       such a certificate shall be void and no warrant shall be issued in payment of any amount due
       thereon.

       There are several exceptions to the standard requirement stated above that a fiscal officer’s
       certificate must be obtained prior to a subdivision or taxing authority entering into a contract or
       order involving the expenditure of money. The main exceptions are: “then and now” certificates,
       blanket certificates, and super blanket certificates, which are provided for in sections
       5705.41(D)(1) and 5705.41(D)(3), respectively, of the Ohio Revised Code.

      1.   “Then and Now” Certificate – If the fiscal officer can certify that, both at the time the
           contract or order was made (“then”) and at the time the fiscal officer is completing the
           certification (“now”), sufficient funds were available or in the process of collection, to the
           credit of a proper fund, properly appropriated and free from any previous encumbrance, the
           City can authorize the drawing of a warrant for the payment of the amount due. The City has
           thirty days from the receipt of the “then and now” certificate to approve payment by ordinance
           or resolution.

           Amounts of less than $3,000 may be paid by the fiscal officer without a resolution or
           ordinance upon completion of the “then and now” certificate, provided that the expenditure is
           otherwise lawful. This does not eliminate any otherwise applicable requirement for approval
           of expenditures by the City.

      2.   Blanket Certificate – Fiscal officers may prepare “blanket” certificates for a certain sum of
           money not in excess of an amount established by resolution or ordinance adopted by a
           majority of the members of the legislative authority against any specific line item account over
           a period not running beyond the end of the current fiscal year. The blanket certificates may,
           but need not, be limited to a specific vendor. Only one blanket certificate may be outstanding
           at one particular time for any one particular line item appropriation.

      3.   Super Blanket Certificate – The City may also make expenditures and contracts for any
           amount from a specific line-item appropriation account in a specified fund upon certification of
           the fiscal officer for most professional services, fuel, oil, food items, and any other specific
           recurring and reasonably predictable operating expense. This certification is not to extend
           beyond the current year. More than one super blanket certificate may be outstanding at a
           particular time for any line item appropriation.

       The City’s policy does not subject certain expenditures such as income tax refunds and witness
       fees to the normal certification process prior to incurring the obligation. Our testing of 60 items
       had 12 income tax refunds and witness fees which were not certified. It was found that none of
       the exceptions above were utilized for the items found to be in noncompliance.

       The City should issue a blanket purchase order for refunds and witness fees to certify the
       availability of funds for expenditure. In addition, the City should implement the use of “Then and
       Now Certificates” as further means to certify funds pursuant to Ohio Rev. Code Section
       5705.41(D).

2.    Ohio Rev. Code Section 117.38* requires that GAAP-basis entities must file annual reports
      within 150 days. These reports must be filed on forms prescribed by the Auditor of State. Also,
      the public office must publish a notice in a local newspaper stating that the financial report is
      available for public inspection at the office of the chief fiscal officer.

      The City did not file its annual report for 2006 with the Local Government Service Division (LGS)
      of the Auditor of State’s Office until July 16, 2007, which is after the 150 day requirement. The
      City also did not publish a notice in a local newspaper indicating the report was available for
      review.

      The City should file the annual report with LGS within the 150 day requirement and publish a
      notice in the newspaper indicating the report is available for review.

                                          Recommendations

1.     Stale-dated Checks *

      At December 31, 2007, approximately 815 of the City’s 907 outstanding payroll checks were
      greater than one year old, with some dating as far back as December 14, 1978. Also,
      approximately 446 of the City’s 897 outstanding general depository checks were greater than one
      year old, with the oldest dating back to January 21, 2004. The City does not have a written policy
      regarding the writing off of old or stale checks.

      The City should develop a written policy regarding writing off of old or stale checks following the
      guidance provided for in Auditor of State Management Advisory Services Bulletin 91-11. This
      bulletin indicates that pursuant to Ohio Rev. Code Section 9.39 unclaimed money shall be
      deposited to the credit of a trust fund and shall be retained there until claimed by its lawful owner.
      If not claimed within a period of five years, the money shall revert to the General Fund. The City
      should also consider placing an ad in a local newspaper listing the names of individuals with
      outstanding checks in an effort to clear up these items.

2.     Budgetary Statement Interfund Transfers*

      The (Non-GAAP Basis) Budgetary Comparison Schedules included in the City’s Comprehensive
      Annual Financial Report (CAFR) report in certain funds “Interfund Transfers In”, which aggregate
      to $28,066,417, in total, for which there are no corresponding “Interfund Transfers Out” reported
      on the budgetary basis. This occurred due to certain transactions being accounted for on the
      City’s cash basis (“Banner”) system as expenditures when in fact they were transfers to other
      funds. For the City’s GAAP financial statements, these transactions have been reclassified for
      interfund transfers in and interfund transfers out to balance.

      The budgetary basis of accounting is the basis used by the City on a daily basis and the basis
      under which the City must appropriate its funds. Use of different account classifications between
      the budgetary and GAAP financial statements makes it difficult for users to understand the
      differences between the two bases of accounting and may impair the overall usefulness of the
      financial statements.

      The City should use the same or similar account classifications on its budgetary and GAAP
      financial statements. Further, they should ensure the aggregate total of transactions identified as
      interfund transfers in can be reconciled to the aggregate total of transactions identified as
      interfund transfers out on both the budgetary and GAAP financial statements.

3.    Capital Assets

      During testing of capital assets we noted the following:

          •   The “Guide to Implementation of Governmental Accounting Standards Board Statement
              34 and Related Pronouncements” indicates for capital assets fully depreciated but still in
              use, the estimated useful lives assigned to capital assets should be reconsidered. During
              a review of capital assets, it was noted a number of assets were reported as fully
              depreciated. If these assets are still in use, their estimated useful lives should be
              reevaluated.

              The City should review its Governmental and Business-Type capital assets listings and
              determine if all listed assets are still in use. If assets still in use have been fully
              depreciated then the City should reevaluate the useful lives of their capital assets.

          •   The accumulated depreciation balances reported in the capital assets footnote to the
              financial statements reconcile to the City’s GAAP accounting system (GO), but they do
              not reconcile to the City’s capital assets tracking system (Best). Additionally, the capital
              assets footnote was revised by the client approximately six times to properly
              disclose the effects of the current year’s capital assets activities (additions/deletions).
              These client revisions resulted in a net decrease of $31,061,568 for the Governmental
              Activities capital assets balance and a net increase of $395,485 for the Business-Type
              capital assets balance.

              The City should reconcile its capital assets tracking system to its GAAP accounting
              system to ensure the accumulated depreciation balances being reported in the financial
              statements accurately summarize the values of the individual assets reported by the
              capital assets tracking system. Additionally, the City should establish procedures to
              ensure the effects of all capital asset additions and deletions are properly summarized by
              the footnote and the ending footnote balances reconcile to the capital assets tracking
              system.

4.    Delegation of Legislative Authority *

      In the case of C. B. Transportation, Inc. v. Butler County Board of Mental Retardation, 60
      Ohio Misc. 71, 397 N.E.2d 781 (C.P. 1979), as well as Burkholder v. Lauber, 6 Ohio Misc.
      152 (1965), it was held that a board or officer whose judgment and discretion is required was
      chosen because they were deemed fit and competent to exercise that judgment and discretion
      and unless power to substitute another in their place has been given, such board or officer cannot
      delegate these duties to another. Auditor of State Bulletin 97-010 is consistent with such
      reasoning and states the legislative body of a local government may not delegate its authority to
      establish appropriations. The appropriations process is a function of the legislative authority that
      must be performed by those specific individuals elected to fulfill that responsibility. This bulletin
      also notes that the level at, or above, which a government’s management may not reassign
      resources without legislative approval is known as the “legal level of control”. In Ohio, the “legal
      level of control” is the level (i.e., fund, function, object, etc.) at which the appropriation measure is
      passed by the authority of a local government.

      Ohio Rev. Code Section 5705.14 requires that, except in the case of transfers from the general
      fund, transfers can be made only by resolution of the taxing authority passed with the affirmative
      vote of two thirds of the members. Transfers from the general fund require a resolution passed
      by a simple majority of the board members (i.e., a two thirds vote is not required for general fund
      transfers though a resolution is required).

      Section 62 of the City’s 2007 appropriation ordinance (Ordinance 128-2007, Passed March 26,
      2007) (the Ordinance), provides, “that [appropriation] transfers of sums of $15,000 or less, within
      the classes of disbursements listed in this ordinance, are hereby authorized and approved by City
      Council as transferred upon the approval of the Director of Finance”.

      Although we noted no appropriation adjustments made without the formal approval of the City
      Council during 2007, Section 62 of the Ordinance appears to give the Director of Finance the
      authority to adjust appropriations at the “legal level of control” contrary to the guidance of Auditor
      of State Bulletin 97-010.

      Section 65 of the Ordinance provides “that the Finance Director is hereby authorized to transfer
      funds….”

      Under section 65, the Director of Finance made inter-fund transfers during the year, the details
      (amount and funds) of which were not approved by Council in the minutes. Such broad provision
      as that in section 65 amounts to delegation of authority. Ohio Rev. Code Section 5705.14
      requires a majority vote of the taxing authority for all transfers.

      The City should consult with its legal counsel to determine in what manner the verbiage of
      Sections 62 and 65 should be revised for its future appropriation and transfer resolutions.

5.     Travel Reimbursements *

       The City’s travel policy, effective October 1, 2006, indicates employees will be reimbursed for
       meals at a per diem amount of $8 for breakfast, $12 for lunch, and $23 for dinner without receipt
       documentation. For 14 of the 25 (56%) employee reimbursements tested, the employee was
       reimbursed for meals at the per diem rates without presenting detailed receipts supporting the
       meal purchases.

       The City should consider amending the travel policy to include providing detailed itemized
       receipts to ensure it is reimbursing employees for only items they purchased up to the
       reimbursable rate as set forth in the Auditor of State Bulletins 2004-002 and 2003-005. Any per
       diem amounts paid with no supporting receipts should be included on the employee’s year end
       form W-2 as a taxable fringe benefit.

6.     Credit Card Expenditures *

      Auditor of State Bulletin 2003-005 Expenditure of Public Funds/Proper “Public Purpose”
      indicates that governmental entities may not make expenditures of public monies unless they are
      for a valid public purpose. There are two criteria that demonstrate whether an expenditure is for a
      public purpose.

      First, the expenditure is required for the general good of all inhabitants and second, the primary
      objective of the expenditure is to further a public purpose, even if an incidental private end is
      advanced.

      The City’s Credit Card Policy provides in part, “User has responsibility to sign receipt at time of
      purchase and return customer copy of receipt along with supporting documentation (itemized
      receipt, list of registrants or attendance, etc.) that adequately explains the nature of the expense
      to the Mayor’s staff or Clerk of Council to reconcile the bank statement.”

      The City holds consumer credit cards which were issued to the Mayor, Council President, the
      Purchasing Agent, and Deputy Mayor for Economic Development to purchase meals, and
      incidental related travel expenses for users attending approved seminars, conferences or other
      educational programs. During our testing, we noted that itemized receipts were available for
      approximately $30,000 of $97,914 in total credit card expenditures tested. Although a summary
      of usage was provided for the Mayor and Council President’s credit card, detailed receipts
      supporting the charges were not available for review with the City’s policy.

      Failure to obtain itemized receipts and invoices for credit card purchases increases the risk that
      public monies could be used for improper public purpose. In addition, purchases could be made
      contrary to the City’s Travel Policy and Credit Card Policy. We obtained affidavits from City
      Officials for the other tested expenditures indicating the expenditures were for a proper public
      purpose.

      The City should require all officials and employees to follow the City’s Credit Card Policy and
      Travel Policy and provide adequate supporting documentation for all purchases.

7.     Accounts Payable

      As a part of the financial reporting process, the City reports a liability for accounts payable by
      reviewing non-payroll checks over $5,000 paid in the subsequent fiscal year. If the transaction
      represents an invoice paid for services or supplies received for the fiscal year being reported, the
      amount is included in accounts payable. If the transaction represents an invoice paid for services
      or supplies received for the subsequent reporting year, the amount is excluded from accounts
      payable. Additionally, some transactions represent services or supplies received in both fiscal
      years, therefore only a partial amount of the transaction is reported in accounts payable.
      Transactions between the City and other governments are not included as accounts payable, but
      as “due to other governments.”

      During testing of accounts payable we noted several errors which included the following:

      •   Three transactions were fully or partially improperly excluded from accounts payable.
      •   One transaction was partially improperly included in accounts payable.
      •   We noted four transactions classified as accounts payable should have been
          classified as due to other governments.
      •   We noted two transactions not included as due to other governments should have been
          included as due to other governments.
      •   The City made adjustments for two fund classification errors, including one adjustment to
          the Community Learning Center Fund.

      The City should review all checks over $5,000 paid in the subsequent year, and determine if they
      represent services or supplies provided for the current year or the subsequent year. When
      reviewing each transaction, the City should determine if the entire amount should be included or
      excluded from accounts payable. Additionally, the City should not include transactions with other
      governments in accounts payable; they should be included separately in “due to other
      governments.”

8.     Reviewing the Work of a Specialist

      A consulting and claims administration company administers the City’s Worker’s Compensation
      insurance coverage by processing, investigating, and reserving claims on behalf of the City.

      The Company provided the City with a spreadsheet detailing the estimated long-term liability
      necessary to pay Worker’s Compensation claims, which the City used to accrue the liability on the
      financial statements. The spreadsheet provided to the City contained errors, resulting in an
      original understatement of the liability of $2,274,406. The Company ultimately provided the
      correct information and the City made the adjustment to the financial statements.

       It is the responsibility of the City to review work provided by the specialist. The City should check
       the mathematical accuracy of the spreadsheet and compare the current and previous year’s
       spreadsheet for evidence the spreadsheet was updated.

9.    Medical Self-Insurance Fund Net Assets Deficit

       The City’s Medical Self-Insurance Fund, an internal service fund, is used to account for the
       financing of medical insurance coverage provided to City employees on a cost-reimbursement
       basis. As of December 31, 2007, the City’s Medical Self-Insurance Fund reported a net assets
       deficit of $7,622,313.

       The City should review the current contributions and projected cost of claims to ensure the
       account is adequately funded.

10.    Accounting Records for Lead-Based Paint Hazard Control Grant

       The project advisor for the Lead-Based Paint Hazard Control Grant maintains all accounting
       records pertaining to the grant including invoices, grant budget, cash request reports, etc. During
       our testing of cash reimbursement requests, we could not easily trace the amounts from each
       category on the SF-269 reports that are submitted for reimbursement to the underlying files kept
       by the project advisor for the 2007 first quarter cash request. The project advisor indicated that
       the reason for the difference was due to some adjustments that were made, and identified the
       adjustments to us in the files she maintains. The project advisor had difficulty at first showing the
       adjustments because she does not keep a separate record of adjustments. We were satisfied
       after seeing the adjustments that were made that the City did not request more money from HUD
       on their SF-269 report than they had spent.

       The project advisor for the Lead-Based Paint Hazard Control Grant should maintain accounting
       records in a way that can easily identify the cost categories on the SF-269 report. A separate
       record should be kept of adjustments, if required, in order for the underlying records to tie to the
       SF-269 report. The record of adjustments should indicate the reason and amount of the
       adjustment and should be easily identifiable in the underlying records.

11.    Reconciling Items

       At December 31, 2007, the City reported $386,644 in unrecorded deposits greater than one
       month old, with some dating as far back as February 5, 2007.

       The City should implement procedures requiring its various divisions to notify the Treasury
       Division of all deposits made in a timely manner. At a minimum, the notifications should indicate the
       transaction amounts, dates, sources, and correct fund-account codes. This will help ensure the
       City’s receipts are recorded in the correct periods and the month-end bank reconciliations are
       accurate and complete.

       As of the report date, the City indicated only $4,370 remained unrecorded from 2007.

12.    Strategic Planning *

      A long range strategic plan is an effective tool for assessing the needs of the organization and
      coordinating the resources necessary to meet those needs. The plan should include the
      projected hardware, software and personnel necessary to meet the needs of the organization.
      Long range planning reduces the risk of the development of data processing operations that are
      inefficient or are inconsistent with the goals of the City.

      In addressing this need, the City has established a City-wide strategic planning committee with a
      mission of addressing issues like long range planning. Additionally, a request for proposal (RFP)
      has been created and bids are being accepted for assistance in drafting a comprehensive
      strategic plan.

      The City should continue with its plans to develop a comprehensive strategic plan. It should
      encompass City-wide technology needs over an extended period of time. The plan should be
      implemented, revised and updated as forecasted growth and objectives change.

13.    System Development Methodology / Purchase Methodology *

      The selection and subsequent implementation of a purchased system should follow a systematic
      methodology to ensure a new system will meet the user’s needs and be installed in a manner to
      allow for the smooth transition between systems. Results of testing performed should be retained
      for post implementation analysis.

      During the audit period the City implemented a newly purchased system. The City performed
      testing to ensure the application functioned correctly and that application data was correctly
      converted from the existing system. Although these steps were taken, they were not part of an
      overall methodology, and little documentation was retained for post implementation analysis.

      Based upon their experience with this recent implementation, the City should develop a template
      to provide a comprehensive development and purchasing methodology to be used in future
      implementation projects throughout all City departments. The methodology would include
      guidance for the following types of implementations:

           In-house developed systems
           • Management and user input and approval of design specifications.
           • Management and user approval of testing requirements.
           • Management and user approval to move newly developed systems into the live
             environment.
           • Procedures for the conversion of data.
           • User and technical training and documentation.

           Vendor purchased systems
           • Preparation of a request for proposal (RFP).
           • Evaluation of responses and the selection of a vendor system relating to the RFPs.
           • Data conversion procedures.
           • User and technical training and documentation.

14.    Application Upgrade, and Program Change Procedures *

      The documentation of application maintenance procedures is vital to help ensure adequate
      control is maintained throughout the program change process. Written procedures help to ensure
      that computer application updates and modifications are authorized, tested, installed correctly,
      and meet management’s requirements and deadlines.

      The City uses informal procedures for requesting changes to in-house supported applications or
      applying patches provided for the vendor supported applications. Without effective change
      controls, unauthorized changes may be made, changes may not be sufficiently tested, changes
      and fixes may not be installed correctly, and changes may not meet the needs of the user, all of
      which may affect the stability of the application.

      The City should establish policies and procedures governing the process by which changes and
      patches are made to applications. The policies and procedures should address authorization,
      testing, transfer of changes into the live environment, and documentation of changes. In addition,
      control points should be developed to ensure compliance with the newly developed policies and
      procedures.

15.    Security Policies and Procedures (City of Akron and Municipal Court) *

      With the computerization of financial reporting processes and the movement toward larger and
      more open computer networking models, organizations must make computer security a top
      priority. Information access issues must be addressed by management to ensure that both the
      organization’s computer resources and data are protected. Typically, management develops
      security policies to define the risks associated with the computer environment and to define the
      procedures necessary to mitigate those risks.

      Security policies and procedures have not been developed by the City of Akron or by the
      Municipal Court. Although some procedures for administering user access are in place, they are
      not part of an overall framework used to address security concerns.

      Comprehensive information security standards and policies should be developed, and applied to
      all computing environments and should be communicated to all employees. The policies and
      procedures should address the known security risks associated with the computing environment
      at the City and the court. At a minimum, policies and procedures should address the following:

                 •   Proper use of the City of Akron and Municipal Court computer systems.
                 •   Confidentiality of information (i.e. passwords, resident information and financial
                     data), in electronic as well as hardcopy format.
                 •   System implementation and security change control guidelines.
                 •   Security control standards (password controls, login procedures, etc.).
                 •   Remote access standards.
                 •   Virus protection policies.
                 •   Adherence to software licensing agreements.
                 •   Documentation of the penalties for violation of the security policies.
                 •   Termination procedures for removal of access privileges of transferred or
                     terminated employees.

16.    Logical Access Controls *

      Logical access controls are vital to help ensure access is restricted to only those individuals who
      require such access to perform their job functions. User authentication and intrusion detection
      controls are typically instituted to reduce the risk of unauthorized access to computer resources.
      Similarly, controls over security or system configuration capabilities restrict access to a small
      number of users with direct responsibility for the system.

      The City has instituted some limited authentication and intrusion detection controls. Passwords
      are required to access the network, application servers, and application resources, but these
      passwords are not changed on a periodic basis. Controls over the composition of passwords are
      also not used. Login attempts are monitored in the Windows NT domain environment and
      configuration settings lock out user accounts after three logon attempts. Application servers
      within the NT domain and the Linux server do not have logon controls implemented.

      Five MIS support staff, as well as three individuals who support smaller Windows NT domains,
      have been provided with domain administrative access for the City’s Windows NT network. The
      file access permissions for specific files within the Windows NT application servers permitted
      access above the read level by general users.

      Weak authentication and intruder detection controls increase the risk of unauthorized access to
      computer resources. The provision of administrative access to many individuals increases the
      risk that this access could be used inappropriately. If access is obtained or inappropriately used,
      these unauthorized users could create or alter financial transactions that could affect the financial
      statements.

      The City should review the current user authentication and intruder detection controls used by the
      various systems throughout the City. Where applicable, password and login controls should be
      strengthened. Password minimum lengths should be at least six characters and password
      expiration intervals should be 30 days for system users with high level privileges and 90 days for
      general users. Login parameters should be consistently implemented to “lock out” a user account
      after three login failures. The lock out period should be designed to discourage attempts to guess
      a user’s password. Ideally, the account should remain locked until a system administrator
      unlocks the account. The City should also review the accounts with administrative access to
      determine if the access provided is commensurate with the account owner’s job function. This
      access should be limited to as few individuals as possible.
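
      The password and lockout values recommended above can be checked mechanically. The following
      is an added example, not part of the auditor's letter: it parses the output of the Windows
      `net accounts` command and reports each setting that falls short of the recommendation. The
      sample output is constructed, and the function names are hypothetical.

```python
import re

# Thresholds from the recommendation above.
MIN_LENGTH = 6
MAX_AGE_DAYS = {"general": 90, "privileged": 30}
MAX_LOCKOUT_THRESHOLD = 3  # assumption: three or fewer failures is compliant

# Constructed sample of `net accounts` output, not taken from the City's systems.
SAMPLE = """\
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    3
Lockout duration (minutes):                           30
The command completed successfully.
"""

def parse_net_accounts(text):
    """Map each 'Label:    value' line of the output to {label: value}."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?):\s{2,}(\S.*)$", line)
        if m:
            settings[m.group(1).strip()] = m.group(2).strip()
    return settings

def as_int(value):
    """Return the numeric setting, or None for Never/Unlimited/None/missing."""
    return int(value) if value and value.isdigit() else None

def findings(settings, population="general"):
    """List the settings that fall short of the recommended values."""
    out = []
    length = as_int(settings.get("Minimum password length"))
    if length is None or length < MIN_LENGTH:
        out.append(f"minimum password length is {length}, want >= {MIN_LENGTH}")
    age = as_int(settings.get("Maximum password age (days)"))
    limit = MAX_AGE_DAYS[population]
    if not age or age > limit:  # None or 0 means passwords never expire
        out.append(f"maximum password age is {age}, want <= {limit} days")
    threshold = as_int(settings.get("Lockout threshold"))
    if not threshold or threshold > MAX_LOCKOUT_THRESHOLD:  # None: no lockout
        out.append(f"lockout threshold is {threshold}, want <= {MAX_LOCKOUT_THRESHOLD}")
    return out

if __name__ == "__main__":
    for finding in findings(parse_net_accounts(SAMPLE)):
        print("FINDING:", finding)
```

      Because `net accounts` reports a single policy for the whole domain, the 30-day interval for
      high-privilege users is evaluated by passing population="privileged" for the same output.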

17.    Disaster Recovery Planning (City of Akron and Municipal Court)*

      The creation and use of a comprehensive disaster recovery plan minimizes the risk of loss of
      data and minimizes the risk that computer operations important for the functioning of the City will
      not be restored in a timely, cost-effective manner after a disastrous event. The City of Akron and
      the Municipal Court have not created a disaster recovery plan. Without a disaster recovery plan,
      the City and Court could incur substantial costs in attempting to retrieve and recreate pertinent
      financial information for internal and external purposes.

      A disaster recovery plan should be developed which:

             •   Addresses the hardware, software and communication needs for processing at the
                 alternate site, as well as develops a priority list for application processing.

             •   Identifies key personnel necessary for processing at an alternate site. Establishes
                 training for the key personnel and allows for the periodic testing of the transfer of
                 processing to the alternate site.

             •   Establishes a manual backup process to tide the organization over to the point that
                 crucial systems can be recovered. The backup process should address personnel,
                 hardware and software requirements as well as the manual flow of paper transactions
                 through the necessary authorization trail.

      In addition, the City of Akron and Municipal Court should:

             •   Prepare a structured test of the plan, periodically test the plan, formally address the
                 results of the test, and update the plan based on the results. There should be an
                 appropriation for this testing in each yearly budget.

             •   Distribute a copy of the plan to all key employees and store the plan off-site with the
                 back-up tapes.

18.    Program Change Control (Municipal Court) *

      The use of documented application maintenance procedures is vital to help ensure adequate
      control throughout the program change process. Control is provided through the use of
      standardized policies and procedures which include authorization and tracking of program
      changes, as well as segregation of duties.

      In some instances, program changes are completed, tested, and moved into the production
      environment by the same individual. In addition, all three data processing department personnel
      have full access to both the testing and production environments. With this level of access and the
      lack of segregation of duties, there is the risk that unauthorized or inappropriate program changes
      may occur.

      The program change control process should include a segregation of duties whereby completed
      program changes are documented as approved by a data processing department employee other
      than the programmer who completed the change. Once approved, an individual other than the
      programmer who made the change should move the code into the production environment. Not all
      data processing employees should have access to perform all aspects of the change control
      process. Access should be granted based on the portion of the change control process the
      employee will perform.

We intend this report for the information and use of the City Council and management.




Mary Taylor, CPA
Auditor of State

July 18, 2008
