CITY OF LODI
INFORMAL INFORMATIONAL MEETING
"SHIRTSLEEVE" SESSION
CARNEGIE FORUM, 305 WEST PINE STREET
TUESDAY, JANUARY 9, 2007
An Informal Informational Meeting ("Shirtsleeve" Session) of the Lodi City Council was held Tuesday,
January 9, 2007, commencing at 7:02 a.m.
A. ROLL CALL
Present: Council Members — Hansen, Hitchcock, Katzakian, Mounce, and Mayor Johnson
Absent: Council Members — None
Also Present: City Manager King, City Attorney Schwabauer, and City Clerk Johl
B. TOPIC(S)
B-1 "Discuss Zero-Based Budgeting"
City Manager King briefly introduced the subject matter of zero-based budgeting.
Budget Manager Kirk Evans provided a PowerPoint presentation (filed) on the subject
matter. General topics of discussion included a description of full and modified zero-based
budgeting, advantages and disadvantages of zero-based budgeting, the process for full and
modified zero-based budgeting, options for full and modified zero-based budgeting, and best
management practices.
In response to Mayor Johnson, Mr. Evans stated the 80% limit of the modified zero-based
budget may occur by taking funding from the current budget, setting the base, and
justifying programs above that level. Mr. Krueger stated other considerations are the
amount of the shortfall, current resources, and past experiences.
Deputy City Manager Krueger provided an overview of the current budget process, scientific
citizen surveys to measure the need for services, contracting with an outside service to
conduct a performance management review, the possibility of an internal audit of
departmental performance management, previous community surveys, the budget
committee, and staff's recommendation regarding the same.
Discussion ensued between Council Member Hitchcock and City Manager King regarding
the ability to ensure every dollar is being used for maximum performance, the tools
available to obtain the information, the cost associated with zero-based budgeting, and
outside review to perform a management audit.
Discussion ensued between Council Member Hitchcock and Mayor Johnson regarding self-
evaluation of the City, department review, management audit, and internal determination of
what is needed versus what is preferred.
Deputy City Manager Krueger stated progress is being made with the reserves and the
measurement of the City's well being is done on an annual basis through the budget and
adjustments. Mr. Krueger stated currently there is not enough staff to do an internal audit
and outside resources may be needed.
City Manager King stated staff is consistently looking at management practices. He
suggested a performance management audit would be of value, although not popular, to
compare services with other cities, review the current structure and monitoring, and
determine what level of service is affordable.
In response to Mayor Pro Tempore Mounce, City Manager King stated it is possible to do a
form of zero-based budgeting every few years, but cautioned against the controversial
dialogue and environment that may be involved with preferentially packaging programs that
may or may not actually be needed to show a reduction across the board.
Mayor Johnson suggested reviewing the costs associated with trying a modified zero-based
budget with a single department and doing an audit through an outside consultant.
Council Member Hansen provided comments regarding conducting a survey, costs
regarding personnel, and previous budget reductions at department discretion.
Mayor Pro Tempore Mounce stated she views this as an opportunity to try zero-based
budgeting at the grass roots level.
Council Member Hitchcock suggested Council have an opportunity to review and comment
on the citizen survey.
City Manager King suggested participating in a citizen satisfaction survey conducted by
National Cities in conjunction with the city managers' group. He stated the survey would
cost approximately $8,400, the questions are scientifically tested and proven, there is a 5%
margin of error, it makes comparisons with other similarly based communities, provides
assistance in analyzing results, and if registered by the end of January, the results will
be available in May.
B-2 "Receive Report to Management for the Fiscal Year Ended June 30, 2006, from Macias,
Gini & O'Connell, LLP"
City Manager King briefly introduced the subject matter of the management letter. The
general topics covered in the report included the transmittal letter, required
communications, current year management comment and recommendation, status of prior
year recommendations, and schedule of uncorrected financial statement misstatements.
Deputy City Manager Krueger provided an overview of the four areas covered in the letter
including Community Development Block Grant monitoring, environmental remediation and
reporting, information technology, and fixed assets accounting and cost allocation.
In response to Council Member Hansen, Auditor Scott Bruener stated it was necessary to
review the information technology function to ensure the safety and accuracy of the financial
data so that it is guarded from damage, loss, and unpermitted access. Mr. Krueger stated
the City now requires passwords be changed every 90 days as recommended.
Auditor Greg Matayoshi stated there have been many positive changes to address the
recommendations.
In response to Mayor Johnson's question, Mr. Krueger stated Human Resources is
providing a list of departing employees to information services and efforts will be made to
ensure the information is being shared in a timely manner.
In response to Mayor Pro Tempore Mounce's request, Mr. Krueger stated staff will research
and provide information, if available, regarding the rationale associated with the City's
current debt service. He stated the current status of the debt is provided through the annual
budget process and quarterly updates.
C. COMMENTS BY THE PUBLIC ON NON-AGENDA ITEMS
None
D. ADJOURNMENT
No action was taken by the City Council. The meeting was adjourned at 8:14 a.m.
ATTEST:
Randi Johl, City Clerk
AGENDA ITEM 640 1
CITY OF LODI
COUNCIL COMMUNICATION
AGENDA TITLE: Zero Base Budgeting Presentation
MEETING DATE: January 9, 2007
PREPARED BY: Kirk J. Evans, Budget Manager
RECOMMENDED ACTION: Receive report on the Zero Base Budgeting (ZBB) concept.
BACKGROUND INFORMATION: At the shirtsleeve session on January 9, staff will present an
overview of the Zero Base Budgeting concept. Also discussed will
be opportunities outside ZBB for improving departmental operations.
These approaches have been and could be employed to evaluate
the programs and performance of various City departments and ensure they are running at an efficient
level while delivering services effectively, e.g., use of professionals to conduct management analyses,
performance reviews, and/or internal audits.
A PowerPoint presentation will be provided for the City Council at the shirtsleeve which contains more
detailed information.
Kirk J. Evans, Budget Manager
APPROVED: Blair King, City Manager
Zero-Base Budgeting — Two Approaches
■ First Approach — Full Zero-Base Budgeting
■ Zero-based budgeting can be regarded as a system that requires
all departments to defend all of their programs and justify their
continuation each year. Each department prepares a series of
"decision packages" that describe - and justify - each of the
department's programs in detail.
■ For each program, the departments show: various levels of
service that could be provided with different levels of funding -
including zero funding; alternative courses of action; and
consequences of funding the service at different levels, or not
funding it at all.
From Budget Manual for Texas Cities — Appendix C:
Alternative Methods of Budgeting by Susan Combs
■ Second Approach - Modified Zero-Base Budgeting
■ In governments that have attempted ZBB, the
original concept that all programs be "zeroed out"
proved too burdensome.
■ Process has been modified so decision packages
are prepared at varying funding levels, e.g., set a
departmental target expenditure of 80% to cover
mandatory programs. Then incrementally add to
this amount, selected programs that are more
discretionary in nature.
From Little Budget Book — a Portable Budgeting Guide
for Local Government by Len Wood
■ Focuses attention on the base budget (previously
approved programs) as well as the increment.
■ Identifies relative priority of programs.
■ Forces managers to look at various funding levels and
the possible consequences of those actions.
From Little Budget Book — a Portable Budgeting Guide
for Local Government by Len Wood
■ Requires a massive amount of paperwork if implemented
in total — adds to time and effort involved in budgeting.
■ Difficulties in identifying suitable performance measures
and decision criteria.
■ Accounting for individual decision packages can result in
a tremendous expansion of the record keeping system.
■ In an attempt to shield their budget from cuts,
departments may rank vulnerable programs as high
while ranking programs they know are not likely to be
cut, as low.
From Little Budget Book and Chartered Institute of
Public Finance and Accountancy (CIPFA) website
■ First Approach - Full Zero Base Budgeting
■ Step 1 — break departments into a series of programs.
Departments must create "decision packages" for each program
by providing specific program activity descriptions, its goals and
objectives, measurement of performance, costs, benefits and
alternative courses of action for each decision package.
■ Step 2 — attach dollar amounts to each decision package.
■ Step 3 — rank the decision packages according to priority.
■ Second Approach - Modified Zero Base Budgeting
a.k.a. Service-level budgeting
■ Full ZBB requires documenting personnel and
expense requirements that are readily accepted as
necessary.
■ Modified ZBB begins with a base greater than zero.
■ Appropriate starting point may be 80 or 85% of
current spending levels.
From in part www.caltax.org/ZeroBase.pdf California
Taxpayer's Association website
■ Second Approach - Modified Zero Base Budgeting (cont.)
■ High-priority requests above this level could be identified to
restore part or all of the current year's service levels.
■ Desirable new programs could be considered for
funding.
■ Council may be presented choice of reducing
current operations in favor of a new program.
Zero-Base Budgeting - Options
Full ZBB:
• Full ZBB City-wide would require departments to perform a
significant amount of analysis - resources currently do not exist for
full implementation. More staffing would be needed to fully
implement in each department.
• A cost/benefit analysis would show that full ZBB would be more
costly than the benefits produced.
• Time element is crucial. For the FY 2007-08 Budget it is unlikely
that adoption would be possible by 6/30/07.
• Not aware of any city/entity that has proceeded with full
implementation.
Zero-Base Budgeting - Options
Second Approach - Modified ZBB for one department
annually:
■ Police, Fire, or Parks & Recreation are departments
that provide a range of services conducive to being
structured in the form of decision packages.
■ Parks & Recreation is not an ideal candidate given
the lack of staff available to perform needed
analyses.
Other Options — Continue with best
Management Practices
■ Continue with Current Budget Process.
■ Utilize current public administration practices.
■ Cost efficiency reviews for all departments in
relation to services as requested by citizens.
■ Outside reviews of performance by
Performance Management Experts.
Other Options — Continue with best
Management Practices
■ Identify options for reducing inefficiencies.
■ Continue to establish and refine performance
measures for all departments.
■ Community Services Survey.
■ Budget Committee reviews.
CITY OF LODI
COUNCIL COMMUNICATION
AGENDA TITLE: Receive Report to Management for the Fiscal Year Ended June 30, 2006
from Macias Gini and O'Connell
MEETING DATE: January 9, 2007
PREPARED BY: Deputy City Manager
RECOMMENDED ACTION: Receive and discuss Management Report.
BACKGROUND INFORMATION: The City's Auditor Macias Gini and O'Connell submitted
their report to Management on January 3, 2007. That
draft report was given to City Council on January 3,
2007. However, there was no discussion of the issues raised in the report at the time the
Comprehensive Annual Financial Report was presented by the auditors.
There are no major findings in the Report to Management but we would like to give City Council
the opportunity to ask questions of the auditors and City staff on Tuesday morning. Many of the
comments in the report relate to the Information Services Division. The Information Services
Manager and staff from the Financial Services Division will be available to answer questions on
the issues raised in the Report to Management.
FISCAL IMPACT: None at this time
FUNDING: Not applicable.
James R. Krueger, Deputy City Manager
Attachments: Final Report to Management for the Fiscal Year Ended June 30, 2006
APPROVED: Blair King, City Manager
CITY OF LODI, CALIFORNIA
Report to Management
For the Fiscal Year Ended June 30, 2006
Table of Contents
Transmittal Letter
Required Communications
Current Year Management Comment and Recommendation
Status of Prior Year Recommendations
Schedule of Uncorrected Financial Statement Misstatements
City Council
City of Lodi, California
We have audited the financial statements of the City of Lodi, California (City) for the year ended June 30,
2006, and have issued our report thereon dated November 22, 2006. Professional standards require that
we provide you with information related to our audit. That information is included in the Required
Communications section of this report.
Also, in planning and performing our audit of the financial statements of the City for the year ended June
30, 2006, we considered the City's internal controls in order to determine our auditing procedures for the
purpose of expressing an opinion on the financial statements, and not to provide assurance on internal
control over financial reporting.
During our audit for the fiscal year ended June 30, 2006, we became aware of a certain matter that
represents an opportunity for strengthening the City's internal control and operational efficiency. The
Current Year Management Comment and Recommendation section of this report summarizes our
comment and recommendation regarding the matter. We also followed up on those matters we became
aware of during the previous year's audit. Those matters are included in the Status of Prior Year
Recommendations section of this report. This report does not affect our report dated November 22, 2006,
on the basic financial statements of the City.
This letter is intended solely for the information and use of City Council and management and is not
intended to be and should not be used by anyone other than these specified parties.
We would like to thank the City's management and staff for the courtesy and cooperation extended to us
during the course of our engagement. We have discussed our comments and suggestions with
management and would be pleased to discuss them further.
Certified Public Accountants
Sacramento, California
November 22, 2006
Required Communications
I. The Auditor's Responsibility Under U.S. Generally Accepted Auditing Standards and
OMB Circular A-133
As stated in our engagement letter dated July 16, 2003, our responsibility, as described by
professional standards, is to plan and perform our audit to obtain reasonable, but not absolute,
assurance about whether the basic financial statements are free of material misstatement and are
fairly presented in accordance with U.S. generally accepted accounting standards. Because an
audit is designed to provide reasonable, but not absolute assurance and because we did not
perform a detailed examination of all transactions, there is a risk that material misstatements may
exist and not be detected by us.
In planning and performing our audit, we considered the City's internal control over financial
reporting in order to determine our auditing procedures for the purpose of expressing our opinions
on the basic financial statements and not to provide assurance on the internal control over financial
reporting. We also considered internal control over compliance with requirements that could have
a direct and material effect on a major federal program in order to determine our auditing
procedures for the purpose of expressing our opinion on compliance and to test and report on
internal control over compliance in accordance with OMB Circular A-133.
As part of obtaining reasonable assurance about whether the City's basic financial statements are
free of material misstatement, we performed tests of the City's compliance with certain provisions
of laws, regulations, contracts and grants, noncompliance with which could have a direct and
material effect on the determination of basic financial statement amounts. However, providing an
opinion on compliance with those provisions was not an objective of our audit. Also, in
accordance with OMB Circular A-133, we examined, on a test basis, evidence about the City's
compliance with the types of compliance requirements described in the U.S. Office of
Management and Budget Circular A-133 Compliance Supplement applicable to each of its
major federal programs for the purpose of expressing an opinion on the City's compliance with
those requirements. While our audit provides a reasonable basis for our opinion, it does not
provide a legal determination on the City's compliance with those requirements.
II. Significant Accounting Policies
Management has the responsibility for the selection and use of appropriate accounting policies. In
accordance with the terms of our engagement letter, we will advise management about the
appropriateness of accounting policies and their application. The significant accounting policies
used by the City are described in Note 1 to the financial statements. No new accounting policies
were adopted and the application of existing policies was not changed during the year ended June
30, 2006. We noted no transactions entered into by the City during the year that were both
significant and unusual, and of which, under professional standards, we are required to inform you,
or transactions for which there is a lack of authoritative guidance or consensus.
III. Accounting Estimates
Accounting estimates are an integral part of the financial statements prepared by management
and are based on management's knowledge and experience about past and current events and
assumptions about future events. Certain accounting estimates are particularly sensitive because
of their significance to the financial statements and because of the possibility that future events
affecting them may differ significantly from those expected. The most sensitive estimates
affecting the financial statements were (1) depreciation, (2) allowance for doubtful accounts, (3)
compensated absences, and (4) self-insurance liability. We evaluated the key factors and
assumptions used to develop those estimates in determining that they are reasonable in relation to
the financial statements taken as a whole.
IV. Audit Adjustments
For the purposes of this report, professional standards define an audit adjustment as a proposed
correction of the financial statements that, in our judgment, may not have been detected except
through our auditing procedures. An audit adjustment may or may not indicate matters that could
have a significant effect on the City's financial reporting process (that is, cause future financial
statements to be materially misstated). In our judgment, none of the adjustments we posed,
whether recorded or unrecorded by the City, either individually or in aggregate, indicate matters
that could have a significant effect on the City's financial reporting process.
In addition, the attached schedule summarizes uncorrected misstatements of the financial
statements. Management has determined that their effects are immaterial, both individually and in
the aggregate, to the financial statements taken as a whole.
V. Disagreements with Management
For purposes of this letter, professional standards define a disagreement with management as a
matter, whether or not resolved to our satisfaction, concerning a financial accounting, reporting or
auditing matter that could be significant to the basic financial statements or the auditor's report.
We are pleased to report that no such disagreements arose during the course of our audit.
VI. Consultations with Other Independent Accountants
In some cases, management may decide to consult with other accountants about auditing and
accounting matters, similar to obtaining a "second opinion" on certain situations. If consultation
involves applications of an accounting principle to the governmental unit's financial statements or a
determination of the type of auditor's opinion that may be expressed on those statements, our
professional standards require the consulting accountant to check with us to determine that the
consultant has all the relevant facts. To our knowledge, there were no such consultations with
other accountants.
VII. Issues Discussed Prior to Retention of Independent Auditors
We generally discuss a variety of matters, including the application of accounting principles and
auditing standards, with management each year prior to retention as the City's auditors.
However, these discussions occurred in the normal course of our professional relationship and our
responses were not a condition to our retention.
VIII. Difficulties Encountered in Performing the Audit
We encountered no significant difficulties in dealing with management in performing our audit.
Current Year Management Comment and Recommendation
ADMINISTRATION OF THE COMMUNITY DEVELOPMENT BLOCK GRANT
Condition
Through our single audit inquiries and observations, a lack of segregation of duties within the Community
Development Department involving the administration and disbursement of the Community Development
Block Grant (CDBG) program funds presents a weakness in controls. Currently, budgets, compliance
review requirements, and approval of grant expenditures are all performed by the Community
Improvement Manager. The preparation of and the review and approval of documents should be
segregated.
Recommendation
We recommend that the duties involving the preparation, processing, authorization, and reporting of CDBG
grant activities and related documents should be segregated to strengthen controls over the administration
of the CDBG program.
Management Response
The reason for the condition is due to budget restraints and lack of staff. Management would like for a
segregation of the preparation of documents by staff and the review and approval performed by
management.
Status of Prior Year Recommendations
ENVIRONMENTAL REMEDIATION
Condition
The Governmental Accounting Standards Board (GASB) issued a Preliminary Views (PV) document on
issues related to Accounting and Financial Reporting for Pollution Remediation Obligations on March 25,
2005. This document is proposing that once any one of five specified obligating events occurs,
governments would be required to estimate the components of expected pollution remediation outlays and
determine whether outlays for those components should be accrued as a liability or, if appropriate,
capitalized when goods and services are acquired.
Recommendation
With the City's ongoing environmental contamination remediation issue, we recommend that the City be
aware of and review this possible new future GASB standard and ensure that the City be positioned to
implement this standard if and when it becomes effective.
2005 Management Response
The City is aware of this PV and plans to analyze its impact on the City's financial statements, so the
City's well-positioned if and when it becomes effective.
Current Year Status
The GASB issued Statement No. 49 — Accounting and Financial Reporting for Pollution Remediation
Obligations in November 2006. The requirements of this Statement are effective for financial statements
for periods beginning after December 15, 2007, with measurement of pollution remediation liabilities
required at the beginning of that period so that beginning net assets can be restated. However,
governments that have sufficient objective and verifiable information to apply the expected cash flow
technique to measurements in prior periods are required to apply the provisions retroactively for all such
prior periods presented. Therefore, the current year status is unchanged.
Current Year Management Response
The City is aware of this PV and should have plenty of time to implement this since it is not effective until
fiscal year 2008-09.
INFORMATION TECHNOLOGY (IT)
Information Technology Administration — Policies and Procedures
Condition
Administrative policies and procedures exist covering certain areas of IT, but lack sections dealing with
network security, password protection and configuration, and confidentiality of information.
Recommendation
The City should consider appending the current administrative policies and procedures to include sections
pertaining to computer network security, password protection and configuration, and confidentiality of
information.
2005 Management Response
A new Electronic Media Use Policy has been drafted and is in the process of being approved. The new
policy is reported by Information Systems (IS) management to address the areas of computer network
security, passwords, and confidentiality of information.
Current Year Status
Considered implemented.
Current Year Management Response
New password protection policy has been implemented in accordance with previous recommendation.
Information Technology Administration — New-Hire Training
Condition
New-hire training for the City is not properly documented to include an introduction of IT policies and
procedures. New-hire training is the first introduction an employee has to the City's operations and can be
an effective method of communicating all pertinent IT policies and procedures. An Information Security
Handbook has been completed and is currently under review by the City Manager's office. The City's IS
management reported that the handbook is designed to be distributed to all current and new employees and
contains information specific to this finding.
Recommendation
The City should continue with efforts to review and implement the Information Security Handbook and
disseminate the information to all current and new employees. A statement of understanding should also
be signed by employees confirming receipt and acceptance of the policies.
2005 Management Response
Information Systems management agrees with the recommendation.
Current Year Status
We observed the issuance of the Information Security Handbook as previously recommended, however,
we were unable to verify that the statement of understanding was signed by employees confirming receipt
and acceptance of policies. Therefore, we consider the condition in process of being implemented.
Current Year Management Response
Information Security Handbook has been published.
Logical Security — Security Administration
Condition
The security administration function is not a documented role with defined responsibilities.
Recommendation
The job description for the Information Systems Manager should be updated to include the security
administrator function with a defined role and responsibilities. In this way the expectations of the role and
the associated responsibilities are clearly defined for all personnel.
2005 Management Response
City IS management report that a recommendation has been made to the City Manager, including new
language to be included in the IS Manager job description, in response to this recommendation.
Current Year Status
In process of being implemented.
Current Year Management Response
Appropriate language has been submitted to the Internal Services Director/Deputy City Manager and the
job description has been changed in accordance with the recommendation.
Logical Security — Failed Logon Attempts
Condition
Three failed logon attempts will lock out the user from the network for five minutes. While the five minute
disabling period provides a level of control over unauthorized system access, it still leaves the system
vulnerable to repeated attempts over an extended period of time and could be enhanced.
Recommendation
While a measure of control exists to address repeated unauthorized access attempts, the City should
consider increasing the disabling period to 15-30 minutes to enhance security.
2005 Management Response
Information Systems management agrees that a lockout period of more than five minutes can be done and
may be useful. Steps will be taken to implement this recommendation.
Current Year Status
Considered implemented.
Current Year Management Response
After five unsuccessful logon attempts the user is locked out for 30 minutes.
Logical Security - Passwords
Condition
Passwords for the network are only required to be non-zero in length and six to 10 characters for the
AS400 and applications. There are no expiration periods for passwords on the network, AS400, or
applications. Periodic changing of passwords provides an increased level of security on the network and
applications. There is no set number of changes required until a password can be reused.
Recommendation
Password security for the City's network and financial applications should be enhanced by:
o Establishing a minimal configuration standard for the network, AS400, and applications for a
password length of at least 6 characters containing both alphas and numerics.
o Instituting and enforcing an expiration period for passwords.
o Configuring the network, AS400, and application to allow only a minimal number (e.g. 5) of
password changes before a password can be reused.
2005 Management Response
Information Systems management agrees in principle with the recommendation. There are several reasons
the IS Division has not implemented such requirements and restrictions. The Graphical User Interface
(GUI) version of the AS400 interface will not easily allow users to change their expired passwords, and
most of the IBM users rely on the GUI. The likely result would be some users being locked out of the
system for extended periods of time and a significant amount of time being spent re-enabling user
accounts.
Current Year Status
We observed the implementation of the password security for the City's network, establishing a minimal
configuration standard for password length of at least 6 characters containing both alphas and numerics;
enforcement of password expiration period; and the minimal number of password changes (i.e., 4) before
a password can be reused. Although the password security enhancements for the AS400 applications
were incorporated into the Password Policy, physical observation of the password security enhancements
was not verified, therefore, we considered the AS400 password security enhancements as in process.
Current Year Management Response
Passwords now expire every 90 days and new ones must comply with password conventions addressing
length, reuse, and complexity.
Logical Security — Automatic Log Off
Condition
There is no automated function to log a user off the network after a set period of inactivity. An open
network account with no activity creates the risk of unauthorized usage by someone other than the
account owner and should be curtailed whenever possible by automatically logging off an account after a
period of inactivity.
Recommendation
The City should consider enhancing their network security by implementing an auto logout period for
network connections. Alternatively, desktop screensavers with the password protection activated could be
forced down through the network domain. Instituting password protected screen savers should not pose a
risk of data loss.
2005 Management Response
Information Systems management agrees in principle with the recommendation. The main reason this
procedure has not been implemented is that it must be done enterprise-wide. The Information Systems
Division will research the possibility of pushing screensaver password requirements to end users and
implement accordingly.
Current Year Status
Considered implemented.
Current Year Management Response
Password-protected screensavers now launch on all city PCs after 15 minutes of inactivity.
Logical Security — Departing Employees
Condition
There is not an official policy and associated procedures outlining the timely notification of the network
and applications managers of a departing employee, contractor or temporary worker. Disabling or
removing the accounts of inactive users in a timely manner is essential to inhibit malicious activity on the
computer systems.
Prior Year Recommendation
The City should develop an official policy and procedure to ensure that the network manager and the
financial application managers are notified in a timely manner whenever there is a departing employee,
contractor or temporary worker with an active user account to the computer systems.
2005 Management Response
Information Systems management agrees with this recommendation. Such a policy would likely be
developed and advanced by someone not in the IS Division.
Current Year Status
Considered unchanged.
Current Year Recommendation
Information Systems management, working in conjunction with the City's human resources division, should
work to implement the policy and procedures first noted in our 2005 management letter. In addition, the
Information Systems division should conduct an audit of all user logons to the network and the AS400
applications to ensure that only current and valid personnel have access.
Current Year Management Response
Same condition exists as far as we know.
Logical Security — Access Rights
Condition
There is no policy and procedure to ensure that all system and application access rights are authorized and
up-to-date. All users must complete a written application, signed by their supervisor, the respective
department head and IS Manager, in order to be issued a user account for the AS400 or any systems
hosted by the IBM. The user accounts remain active until revoked. While this addresses the initial
issuance of user accounts and their associated authorization level, it does not address the control objective
of ensuring that all access rights are up-to-date. Personnel may move between positions wherein the
authorizations for those positions are not the same. Currently, reviews only check for obsolete accounts
and do not address existing accounts for appropriateness.
Recommendation
The IS Division should establish procedures to periodically review the lists of system and application users
to ensure that access rights are authorized and up-to-date. In addition, the process for approving
authorization to access the financial application should be reviewed to ensure that only authorized persons
are given the proper access to the system. This could include a review of persons by the Director of
Finance.
2005 Management Response
Information Systems management believes the current level of review is sufficient, given the number of
authorized signatures required to obtain a user account. Periodic reviews are made to ensure that no
obsolete accounts exist. Accounts will also be reviewed for appropriateness.
Current Year Status
Through our observation, we could not verify that a) a policy and procedure had been implemented to
ensure that all system and application access rights are authorized and are up-to-date; b) logs or checklists
documenting periodic reviews of user access rights to ensure proper authorization and that these access
rights are up-to-date. Therefore, we considered the condition unchanged.
Current Year Management Response
User lists are periodically reviewed by ISD to identify obsolete accounts and user appropriateness.
Accounting System Development and Maintenance
Condition
While most procedures for the accounting system development and maintenance are in place, they are not
formally documented. Having the policies, procedures and standards formally documented should address
any ambiguity in implementation and reliance upon only a few key individuals.
Program changes are not always initiated, tested and approved by the functional users before being
applied to the production system.
The IS Division Programmer is not restricted from making changes in the production environment and is
also responsible for transporting changes and updates from the test environment to the production system.
Recommendation
Official policies, procedures and standards for the accounting system development and maintenance
should be documented and maintained. These policies, procedures and standards should ensure that:
o All new programs and changes are initiated and approved by the appropriate user management.
o The impact of new programs and updates are assessed in a test environment before
implementation in the production system.
o Programmers do not have update access to the production system, except for emergency fixes.
o Any emergency fix in the production system is properly logged.
o Program testing is reviewed and approved by someone other than the programmer.
o The process of moving programs into the production system is formal, well documented, and
performed by someone independent from programming.
2005 Management Response
City IS management staff report that a new Documentation system (DOCS) has been implemented for
use by ISD staff members. The system is a repository for system assignments, location of source code
files, etc. Management report that current staffing does not allow for implementation of some of these
recommendations.
Current Year Status
The prior year's recommendation has been partially implemented, namely all new programs and changes
are initiated and approved by the appropriate user management. However, the City feels that current
staffing does not provide sufficient redundancy to allow the type of system testing and implementation as
recommended. Risks of continued operation without the proper change management oversight include the
inadvertent alteration or deletion of financial data or having the financial system unavailable for an
extended period of time.
Current Year Management Response
System documentation is largely complete. Current staffing does not provide sufficient redundancy to
allow the type of system testing and implementation recommended.
Packaged Accounting Software and Systems Software — Selection Method
Condition
There is not currently a documented system and application software selection method outlined for the
City.
Recommendation
The City should document their system and application software selection processes and ensure that the
following areas are addressed:
o Business needs,
o Technical requirements,
o Analysis/comparison of several products
o Implementation issues, including conversion, and
o Cost/benefit analysis
The City should pursue the needs assessment for the new financial and billing system as noted below, but
the procedures for system and application acquisition should be documented.
2005 Management Response
The Information Systems Manager has recommended to upper management that a qualified consultant be
hired to examine the city's business, technical and user needs as part of the process of selecting a
replacement for the city's current financial and billing systems software.
Current Year Status
In process of being implemented.
Current Year Management Response
A staff committee has been impaneled to conduct in-house needs assessment related to ERP replacement.
In addition to conducting a needs assessment, the committee will provide recommendations related to what
the process and policy issues are in making the assessment of the needs for an ERP replacement. This
process will be documented by the Information Systems Division.
Packaged Accounting Software and Systems Software — Test Environment
Condition
The IS Division has implemented a test environment for application software, but not for system software.
Updates and patches are being applied directly to the production system.
Recommendation
Procedures to test updates to system software should be implemented, either on a separate machine or as
a partition with the current AS400, to ensure that updates and upgrades are not applied directly to the
production system without proper testing beforehand.
2005 Management Response
The recommendation has merit, under ideal conditions. The IS Division will research the possibility of
partitioning the current system to allow for system software testing. Additionally, Information Systems
management feels that current testing practices do not present an unacceptable level of risk to the city or
the IBM computing environment.
Current Year Status
Condition unchanged. Standard IT management practice requires the testing of any updates before
application to the production environment.
Current Year Recommendation
As a minimum, the City should have a documented process for applying patches and updates which
includes audit trails. The City must also have a back-out plan documented. In addition, it should also be
policy that business functions that may be affected by system software updates should receive advance
notice of the scheduled implementation procedures.
Current Year Management Response
Because the cost for setting up a test environment might be considered prohibitive, the IS division is
developing alternative approaches to implementing software changes including in depth involvement and
testing by experts from the departments for which software changes are to be made.
Computer Operations — Guidance and Continuity
Condition
Computer operations policies, procedures, and standards are not officially documented to provide official
guidance and continuity to computer operations.
Recommendation
The IS Division should develop and officially document computer operations policies, procedures, and
standards.
2005 Management Response
City IS management reported that the operations desk has thoroughly documented procedures related to
the processes and activities of that station. At the same time, the Information Systems Manager has begun
the process of compiling an IS Division Policy and Procedures book that will address standards and
operating procedures.
Current Year Status
Considered implemented.
Current Year Management Response
Computer operations policies and procedures have been officially documented in accordance with the
recommendation.
Computer Operations — Computer Room
Condition
The City has moved the computer room which now has a separate dedicated air conditioning system,
Uninterrupted Power Supply (UPS) and generator. The room is secured with standard lock and key
controlled by the IS Division staff and facilities maintenance. An intrusion alarm system and temperature
and water alarms have been installed and are monitored by a local security company. The room is
equipped with a sprinkler system for fire suppression.
Recommendation
The IS Division should consider replacing the water sprinkler system with a dry fire suppression system.
If local building ordinance requires the use of a water based system, the City should consider a dual
system with a pre-action type sprinkler.
2005 Management Response
It is agreed that a dry fire suppression system would be better than water sprinklers. However, cost may
be prohibitive.
Current Year Status
Condition unchanged.
Current Year Management Response
Same condition exists.
Computer Operations — Disaster Preparedness/Business Continuity Plans
Condition
The City currently has no disaster preparedness or business continuity plans in place.
Recommendation
The City should work to develop a comprehensive disaster preparedness and business continuity plan.
The plan, upon completion, should be thoroughly tested and provisions made for periodic reviews of the
plan.
2005 Management Response
The City IS manager reported that the Division is in the process of developing a disaster recovery and
business continuity plan.
Current Year Status
In process of being implemented. The City has developed a comprehensive disaster preparedness plan,
however, we could not verify whether the plan has been thoroughly tested.
Current Year Management Response
First draft completed.
Computer Operations — Service Level Agreements
Condition
Service level agreements between the IS Division and the user departments are not in place. Help-desk
services are provided, but without documented policies and agreements, an acceptable level of service
cannot be properly defined.
Recommendation
Service level agreements between the user departments and the IS Division should be instituted to define
the level of service to be expected.
2005 Management Response
Information Systems management agrees with this recommendation.
Current Year Status
In process of being implemented. Management expects to implement the recommendation during the fiscal
year 2007-2008 budget process.
Current Year Management Response
Project is underway and service level agreements will be implemented as part of implementing an Internal
Services Fund for Information Services in fiscal year 2007-08.
Computer Operations — Unauthorized Use of Software
Condition
There are no procedures in place to ensure that there is no unauthorized use of software within the City.
Recommendation
The IS Division should institute official procedures for the review of software installed on computers at
least yearly. The City should make efforts to protect itself from the liability of employees using
unauthorized software. An alternative to the physical review of installed software is to require
administrator privileges on network computers in order to install any software.
2005 Management Response
The policing of installed software on users' PCs is not done currently, nor is it considered practical at this
time.
Current Year Status
While we recognize that the City has taken steps to protect itself from the liability of employees using
unauthorized software on City computers, the City will remain at risk for the liability of having city
computer assets using unauthorized or unlicensed software, in absence of formal procedures in place to
ensure there is no unauthorized use of software within the City. We will consider the prior year condition
as unchanged.
Current Year Management Response
New computers are now configured with modified rights that do not allow installation of software. When
old equipment is repaired or when service calls are made by Information Service's staff, inspections are
made to determine if there is any unauthorized software. For old computers this procedure will be
expanded to include random inspections by IS staff for unauthorized software use.
Computer Operations — Read-Write Access to the JDE Application
Condition
It was noted during our review that read-write access to the JDE application is limited to select Finance
and IT Divisions personnel. Other City departments may have only read access to the application. As
such, any PO or obligating document must be done manually and then submitted to the Finance Division.
Having the individual departments conduct their purchasing outside of the financial application can create
situations where departments spend money for which they may not have the budget. City IS management
reported that an updated purchasing policy has been passed by the City Council and is scheduled for
implementation.
Recommendation
It is recommended that a review be conducted specific to the Purchasing/Accounts Payable function. The
City should continue with efforts to implement the new purchasing policy, ensuring that all department POs
are managed within the financial application and that budgeted funds are available.
2005 Management Response
Users are granted read-write privileges as warranted. Many departments are now inputting their own
requisition and purchasing data, and users are being granted access rights commensurate with their needs.
Current Year Status
In process of being implemented.
Current Year Management Response
No change. Users are granted read-write privileges, as warranted and approved by management. All
departments have been trained on the use of JD Edwards purchasing. Not all departments have been
utilizing JD Edwards software for purchasing yet. This will be a requirement as part of the service level
agreements to be implemented in fiscal year 2007-08.
Other Matters
During the time under audit, the City's IS Division was a sub-office to the City Manager's office and not
on par with other City departments, such as Finance and Human Resources. The concern this structure
created was that the IS Division was reporting to a functional user or did not have the organizational status
of their functional users. This structure had the potential to create conflicts of interest and project planning
concerns. However, since year-end, the City has undergone an organizational restructuring. Now,
Finance and Human Resources have become divisions, along with the IS Division, of the new
Internal Services Department, which reports to the new Deputy City Manager. Now that the IS Division is
on par with the Finance and Human Resources divisions, it appears that this concern has been addressed.
In summary, our review of general computer controls of the financial application at the City found that
most of these conditions do not preclude the City from a basic level of assurance. Therefore, efforts
should be made to either implement the recommendations when staffing and/or funding is available or look
for other controls that can be instituted that will strengthen controls. However, the City should address the
physical protection of computer assets in the computer room before a basic level of assurance is
warranted.
CAPITAL ASSETS
Condition
During our audit of the City's financial statements for the year ended June 30, 2004, we noted that the
acquisition and construction of capital assets is maintained on a spreadsheet, outside of the City's
accounting system, which can lead to inaccurate recording and depreciation of capital assets.
Recommendation
We recommend that the City place into operation the JDE fixed asset module that records the City's
capital assets and automatically calculates depreciation. The system would support the City's depreciation
method and automatically post accumulated depreciation expense to the General Ledger module for a
specified accounting period.
The system provides methods to track assets, their beginning cost, current value, and method of
depreciation. Some of the advantages include:
1. Flexible Asset Numbering System — an unlimited number of assets can be maintained. The
assets can be grouped by many types of categories for reporting purposes.
2. User Defined Asset Control - Accumulated depreciation, depreciation expense and asset
master accounts can be user specified for each asset.
3. Reports - variety of reports can be produced including a listing of all assets by type, category
and description, method of depreciation, and all other information maintained in the master file.
The module could be programmed to also print reports listing assets with original cost and
current book value plus calculated depreciation for a specified period.
To reduce operating overhead, the City should consider hiring temporary staff for data entry into the
capital assets module.
2004 Management Response
When Finance migrated to the JDE General Accounting system in 1997, the implementation of all the
modules was prioritized. The Fixed Asset module at the time was at the lowest priority. The task of
converting the asset files in JDE requires set up and data entry that the current personnel can not
accommodate without overtime or part time help. In light of the current budget cut demands from
management, the implementation of the Fixed Asset module is recommended to be deferred at this time.
2005 Status
Condition unchanged.
2005 Management Response
This condition/recommendation will be addressed in the upcoming budget.
Current Year Status
Condition unchanged.
Current Year Management Response
Due to other priorities, this recommendation has not been implemented; lack of staffing is a big hindrance
to this implementation, but the City will start the process when vacancies in Accounting are filled.
FTA INDIRECT COSTS
Condition
We noted, during our review of the fiscal year 2003/2004 Federal Transit Administration (FTA)
apportionment, that management had originally decided to use the apportionment to cover indirect costs.
Per our review of FTA guidelines, grantees who intend to seek FTA reimbursement for indirect costs
must prepare a cost allocation plan that has been approved by the FTA or another cognizant Federal
agency. Further inquiry determined that the cost allocation plan has not been approved in the prescribed
manner.
Recommendation
We recommend that the City perform a review of all grants and make the determination if indirect costs
can be applied against grant funds.
2004 Management Response
The Finance Department and Transit will work together in the development of a comprehensive cost
allocation plan that will be submitted to FTA for approval. The City will also look into the other grants to
determine if indirect costs can be reimbursed once a cost allocation plan is established.
2005 Status
Condition unchanged.
2005 Management Response
This condition/recommendation will be addressed in the upcoming budget.
Current Year Status
Condition unchanged.
Current Year Management Response
The City is looking into retaining a consultant to prepare a cost allocation plan.