Item 03 - Audit

MEMO TO: HONORABLE MAYOR AND MEMBERS OF THE CITY COUNCIL
FROM: BRUNO RUMBELOW, CITY MANAGER
MEETING DATE: APRIL 1, 2008
SUBJECT: FILING OF ANNUAL CITY AUDIT

RECOMMENDATION:

A representative from Deloitte & Touche, the City's auditing firm, will make a presentation to the City Council filing the annual audit report in compliance with the City Charter, Article 3, Section 3.14.

BACKGROUND:

The audit firm of Deloitte & Touche completed the audit of the City's FY 2007 financial statements in compliance with the requirements of the City Charter, Article 3, Section 3.14. The auditor's opinion letter states that the financial statements of the City of Grapevine present fairly the financial position of the City. The opinion rendered is an "unqualified opinion", meaning that there were no material exceptions found to the fairness criteria under which the records were audited.

The management letter notes some recommendations relative to information technology, particularly the finance system. The audit committee asked that we address those recommendations in a memo. The memo is attached. We are following those recommendations, as appropriate.

In addition, the management letter notes some discrepancies in record keeping relative to Heritage Foundation contributions. These were simply discrepancies between recordkeeping in finance and at the CVB. Modifications have been made to the process so that there is less confusion among internal departments and only one set of books is kept regarding contributions.

The audit also includes an audit of Tax Increment Financing Districts (TIFs 1 & 2) and a single audit of all Federal Grant Awards. Some issues were noted in the letter to management related to grant reimbursements, particularly filing reimbursement requests with the appropriate agencies in a timely manner. Staff will work with all agencies to be sure that this process is improved.

The auditor is filing his report with the City Council. No formal action on the part of the Council is required.

MEMORANDUM
CITY OF GRAPEVINE, TEXAS

TO: Tommy Hardy
FROM: John Jennery
SUBJECT: DELOITTE INFORMATION TECHNOLOGY AUDIT REPORT COMMENTS
DATE: MARCH 27, 2008

A. Access to, control over, and accountability for City finance Application:
1. All vendors restricted from complete access to databases and system administration - IT has been working on this item and all it lacks is the administrative tasks of contacting third party vendors and getting them set up with new individual accounts for each user in their organization. This will be completed by 07/31/08.
2. Access activity monitored by City IT and restricted - Same status as above item.
3. Contractual agreements for access and security liabilities - IT has a rough draft of agreement and City attorney is working on it.
4. Service Level Agreements with all third parties - IT recommends not doing this due to high cost and low benefits. Application performance has not been an issue for the City.

B. City oversight of Change Control Process:
1. Verify change control safeguards at 3rd party vendor - IT recommends not doing this at this time due to high costs and relatively low risks.
2. Application needs separate development, test and production environments - This would have benefits; however, due to the time to implement, the one time cost, and ongoing costs, staff feels it would be better to monitor existing application and address additional applications if needed in the future.
3. Third party vendors restricted from changes in production environment - IT is currently working on a better change control process that has all application updates scheduled in advance and with communications with application users. This should be in place this year.
4. Third party programmers not allowed to access production environment - Not practical due to small 3rd party vendors not having separate support and programmer staff.

C. Business Continuity/Disaster Recovery Testing:
IT has been working on a new revised disaster recovery strategy that leverages newer technology to more quickly respond to disasters and with a minimum of lost production. This will take at least twelve months to get fully tested and documented.

D. Testing of Database and Operating System Changes:
1. Setup test environment for any DB2 OS updates - Same comment as B2 above: good benefits but very costly.
2. Setup approvals for DB2 and OS changes - This is happening now to a certain extent and needs to be formalized. This will be formalized this year.

E. Use of Computer Accounts:
1. Implement individual user accounts for 3rd party vendors - This will be completed by 07/31/08.
2. Improve enforcement of established procedures for City Staff - This will be completed by 07/31/08.

F. IT Strategic Planning:
IT is already doing formal strategic planning.

G. Password Controls in Financial Application:
STW Inc. is rolling out the suggested password controls in the next major update scheduled to be applied in May 2008.