
University of Colorado at Boulder

State of Colorado Department of Revenue IT Audit

Created by

Jose Giardiello, Robby Mushet, Karin Rosen, Sandra Sifuentes, Douglas Waechter

4/29/2009


Table of Contents

Engagement Summary
    Engagement Letter ........................................... page 7

Audit Plan
    Audit Arrangement Summary ........................................ 11
    Audit Objectives and Background .................................. 12
    Audit Scope ...................................................... 14
    Internal Audit Planning Memorandum ............................... 16

Infrastructure Understanding
    DOR Infrastructure ............................................... 23
    DOR Information Technology Division Organization Chart ........... 24
    Colorado DOR Functional Organization Chart ....................... 25
    Acquisition As-is Process Map .................................... 26
    Installation As-is Process Map ................................... 27
    Maintenance As-is Process Maps ................................... 28
    Disposal As-is Process Map ....................................... 30

Risk Assessment
    Introduction of Risk Assessment .................................. 33
    Prioritizing Business Risk ....................................... 35
    DOR IT Asset Risk Matrix (Table) ................................. 37
    DOR IT Asset Risk Matrix (Graph) ................................. 38
    DOR IT Asset Risk Matrix Summary (Table) ......................... 39
    DOR IT Asset Risk Matrix Summary (Graph) ......................... 40
    Controls of Risks ................................................ 41
    Control/Risk Matrix .............................................. 42

Tests and Findings
    Test Plans ....................................................... 45
    DOR Test Forms ................................................... 49
    Findings Summary ................................................. 77

Recommendations
    Recommendations and Suggestions .................................. 83

Supplementary Documentation


Engagement Summary


Internal Audit Engagement Letter

March 11, 2009

Accounting Information Systems 2

Leeds School of Business

Boulder, CO 80303

Dear Matthew Morgan,

The Internal Audit Team is planning its audit for the Department of Revenue. The objectives of this audit will be:

Establish procedures and develop a pilot audit program to be used as a guide and followed in future audits.

Audit IT assets through its life cycle going from acquisition, installation, maintenance, and ultimately towards disposal.

Provide risk and control assessments as they relate to managing IT assets, along with recommendations to solve any problem.

Enhance awareness of inventory management and internal control structure.

The proposed timetable for this audit is as follows:

Start date in the field: February 4, 2009

Estimated weeks to complete: 12


The audit team will include the following members:

Jose Giardiello

Robert Mushet

Sandra Sifuentes

Doug Waechter

Karin Rosen

Our goal is to perform an effective and efficient audit. We will need your staff to provide us with documents and procedures upon request.

At the conclusion of our audit, we will discuss audit results and potential recommendations with management of the audited area before scheduling an exit conference with you. Prior to the exit conference, you will receive a draft audit report. After the exit conference, a final audit report will be delivered to you with a request for formal management's responses to include in the audit report.

Our mission is to help you achieve your inventory objectives by providing you information about the effectiveness of internal control and by recommending courses of actions which will improve performance.

If you have any questions about this audit, please do not hesitate to contact us.

Sincerely,

The Inventory Asset Management Team


Audit Plan


Audit Arrangement Summary

A well-written audit report is a highly effective tool for management to bring about positive change and to improve controls, risk management, accuracy of information, and the underlying process reviewed.

This audit report, as should future ones, considers the following:

Objectives and background

Why and what area was selected for the audit

History of past issues

What are the key aspects, risks and objectives of the area reviewed

Scope

Which facets of operations are included in the scope

Range of the work and when it is performed

What key risks does the work address

Planning memorandum and key concepts

Significant aspects of the infrastructure

Findings

The overall findings from tests and risk matrixes

The severity of the findings

Issues to be addressed and reviewed

Recommendations

What actions must management take to adequately address the audit findings

Track confirmed positive resolutions

Industry best practices


Audit Objectives and Background

Project Purpose:

The main focus of this project is to create a pilot audit plan for the Department of Revenue which they will be able to use in future internal audits. This pilot audit plan will actually be used to audit a piece of the inventory asset management system. Recommendations for possible risks will be included in the audit. The main goal is to enhance awareness of inventory management at the Department of Revenue by enhancing their internal control structure, reducing asset management risk, and creating a guide for future audits.

Background of Project:

Jim Marlatt a professor at the University of Colorado in Boulder made contact with Matthew Morgan from the Colorado Department of Revenue (DOR). Matthew Morgan is the Internal Audit Manager of DOR. During their initial contacts they both agreed to use student help to aid the DOR Internal Audit Department in their asset management system. After the project was presented to the students, five of them agreed to work together to help Matthew Morgan and the DOR Internal Audit Department prepare an audit plan.

Past Issue History:

The following list has been created by Matthew Morgan

There are no previous risk assessments completed by the Internal Audit Section

There are budget/financial limitations on the department

There have been security control risks

Controls around disposition and inventory management could be enhanced


Objectives of DOR:

These objectives have been created by Matthew Morgan

1. Provide a description of current processes to manage software and hardware, including how purchases, disposals and transfers are managed.

2. Develop a risk assessment as it relates to managing IT assets and develop an audit program that addresses these risks that can be used by the Department’s staff going forward.

Objectives of the Audit team:

1. Establish procedures and develop an audit program to be used as a guide and followed in future audits.

2. Audit IT assets through entire life cycle from acquisition, installation, maintenance, and disposal.

3. Provide risk and control assessments related to the IT asset life cycle, along with recommendations to solve any problems identified.


Audit Scope

Project In-Scope:

1. Develop a pilot internal audit program to provide guidelines for future audits

a. Provide a comprehensive audit plan that can be used by DOR internal auditors in future audits.

b. The audit plan will be delivered in the form of an actual audit of IT assets with supplemental information to show how the internal audit work was actually performed.

2. Execute actual internal audit program

a. Matthew Morgan the Internal Audit Manager of DOR will be provided with an audit of IT assets.

i. If the entire audit has been completed and if time permits, the team will perform a second audit of a different IT asset chosen by Matthew Morgan.

b. The audit will cover the acquisition, installation, maintenance, and disposal of IT assets.

3. Provide evaluation of process and control design, as well as testing methods to determine the operating effectiveness of controls.

a. Provide a prioritized risk assessment

b. Verify control procedures exist for all risks

4. Provide solutions and recommendations to improve flagged procedures

a. Recommend formal control procedures that are documented and tested frequently


b. Offer recommendations to address the findings

Project Out-of-Scope:

Provide a description of information technology infrastructure

Planning for hardware and software upgrades

The Department consolidation of multiple tax processing systems into a single, integrated system

Physical inventory count

The Lottery Division

Examination of current budget allocation

Full understanding of legal and state compliance

Colorado State Titles and Registration (CSTAR)

Approval stage of an IT asset during its acquisition

The audit of mobile IT devices (cell phones, USB drives)

Memorandum: Internal Audit Planning

To: Matt Morgan

Date: Monday, February 18, 2009

Company: Department of Revenue

From: DOR Asset Management Student Audit Team

Internal Audit Team Members:

Name               E-mail              Contact Phone #
Jose Giardiello    [email protected]   (720) 982-6563
Sandra Sifuentes   [email protected]   (303) 746-5555
Doug Waechter      [email protected]   (715) 572-0503
Karin Rosen        [email protected]   (507) 236-0773
Robby Mushet       [email protected]   (415) 233-0616

Duration of the Audit:

The internal audit will begin with our first meeting with Matt Morgan, the Internal Audit Manager, on February 4th, and will end with a final presentation of our findings on April 29th. It is anticipated that the final draft of the deliverable will be presented on April 29th, the date of our presentation to the client.

Location of the Internal Audit:

The audit will take place in any of the Front Range Department of Revenue locations necessary to attaining the audit objectives laid out in this document.

Key Department of Revenue Contacts:

Contact          Position                            Company                 E-mail              Contact Phone #
Matt Morgan      Internal Audit Manager              Department of Revenue   [email protected]   (303) 866-3803
Lou Ennis        Desktop Support Manager             Department of Revenue   [email protected]   (303) 205-1380
Roy Mitze        Warehouse Logistics/Program Asst    Department of Revenue   [email protected]   (303) 205-5651
Maria Armenta    Budget Analyst                      Department of Revenue   [email protected]   (303) 205-5718
Vanessa Jozef    IT Pro                              Department of Revenue   [email protected]   (303) 205-1386
Alison Roberts   IT Pro                              Department of Revenue   [email protected]   (303) 205-8340

Standard Definitions for Internal Audits:


The following definitions are provided by the COSO Internal Control – Integrated Framework. The SEC and PCAOB have acknowledged that the COSO framework is a suitable framework for purposes of evaluating internal audits.

Risk Assessment – This component is the entity’s identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.

Control Environment – Sets the tone of an organization, influencing the control consciousness of its people. This is the foundation for all other components of internal control, providing discipline and structure.

Information and Communication – This component consists of processes and systems that support the identification, capture and exchange of information in a form and time frame that enable people to carry out their responsibilities.

Internal Controls – It is a process, a means to an end, not an end in itself. It is affected by people. Internal controls can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.

Audit Plan Models:

The following models were used to establish the DOR IT audit and audit plan.

The Global Technology Audit Guide (GTAG): Developing an IT Audit Plan by the Institute of Internal Auditors

Guide to Internal Audit: Frequently Asked Questions About Developing and Maintaining an Effective Internal Audit Function, second edition created by Protiviti

Protiviti Risk Assessment Workshop Presentation.ppt template

Deliverables:


The project deliverables will consist of the following:

Audit Arrangement Summary

Audit Objectives and Background

Audit Scope

Internal Audit Planning Memorandum

Infrastructure Understandings

As-is process maps

Risk assessments

Audit Findings and Report

Recommendations and Best Practices

Work Papers/Testing Documentation

Meeting Minutes

It is planned that the above deliverables will be split into two phases. The first deliverable will consist of the audit plan and will be delivered on February 25th and the second will be delivered on April 29th, which will contain all of the audit findings.

Schedule:


Date                             Task
February 4th, 2009               Field work at client
February 18th, 2009              Review audit plan, understand and map processes
February 25th, 2009              First deliverable due, work on as-is process maps
March 4th, 2009                  Field work at client, work on as-is process maps
March 11th, 2009                 Field work at client, do the "walk-through," finish as-is process maps, turn in upgraded first deliverable
March 18th, 2009                 Begin Risk Assessment
April 6th – April 15th, 2009     Finish Risk Assessment, test for controls, audit IT asset and finish the audit
April 22nd, 2009                 Present draft presentations for feedback
April 29th, 2009                 Final presentations to the client and final deliverable due
May 6th, 2009                    Present final presentation at the DOR


Infrastructure Understanding


DOR Infrastructure

Getting started with the right perspective is crucial to creating a successful audit plan. Fundamental knowledge of the organization's infrastructure helps auditors assess unique risks and understand how technology supports existing models. Auditors can use different internal resources to identify and understand the organization, some of which include:

Vision statements

Strategic plans

Organization charts

As-is Process Maps

After becoming familiar with the organization, the next step is to identify key processes and significant applications that are critical to the success of the Department of Revenue.

Key Processes

The following processes are relevant to the IT asset life cycle within DOR.

1. Acquisition

2. Installation

3. Maintenance

4. Disposal

Significant Applications

The following applications are frequently used within DOR.

Altiris – This application specializes in service-oriented management software, allowing organizations to manage IT assets.

Problem Solve – A program in which technicians can view ongoing problems with IT assets, log solutions, and archive each problem.

[Pages 23-30 of the original are figures that did not survive transcription: the DOR Infrastructure diagram, the DOR Information Technology Division Organization Chart, the Colorado DOR Functional Organization Chart, and the Acquisition, Installation, Maintenance and Disposal As-is Process Maps.]

Risk Assessment


Introduction of Risk Assessment

The risk and controls matrix is a tool used in the scoping stage of an IT audit to identify the risks in a specific procedure and the controls that mitigate them. For the Department of Revenue, the asset management team examined the risks and controls associated with continuity and assessed, categorized, and prioritized the current infrastructure within the risk and controls matrix.

Definition of Business Risk:

The level of exposure to uncertainties that the enterprise must understand and effectively manage as it achieves its objectives and creates value.

It is not just about threats; there is an upside as well as a downside.

Risk is not about a single point estimate.

Exposure and uncertainty are important factors.

Things to Consider:

Risk is a fact of life; life is constantly changing and is uncertain.

All management is essentially risk management.

Many risk management activities are well defined and accountability has been assigned. For risks that have not been defined/assigned, risks can “slip between the cracks” and/or be managed inconsistently due to individual perceptions of the significance of the risk.

Identifying Business Risks:

Think about risks from the point of view within DOR, considering goals and objectives.

o Identify Inherent Risks

o Must identify risks that are inherent in the organization regardless of the internal controls

Whether a risk is actually being controlled is not known until it is tested.


Questions to Identify Risks:

Where do you devote considerable internal effort in order to control?

What areas receive considerable management reporting?

Where have you devoted significant resources?

What wouldn’t you want on the front page of the newspaper?

What are key obstacles to taking advantage of opportunities?

What do other States do better?

What keeps you up at night?

What do people complain about within the organization?

If you could fix one thing at the company, what would it be?


Prioritizing Business Risks

Two variables of Business Risk:

1. Significance

o How big of an impact would this risk have if it were to occur?

o Impact could be in many areas, including financial, reputation, human resources, etc.

2. Likelihood

o Consider how likely it is that this risk would actually occur given the inherent uncertainties in your business.

o Don’t consider the mitigating effects of internal controls.

Significance Scale:

You can rank the ‘significance’ of your key business risks using the scale described below.

Level    Descriptor      Business Impact Description
7,8,9    Major           Very significant financial loss and ultimately could jeopardize the ability of the organization to continue without major changes. May require regulatory communication. Very significant efficiency problems. Very high public scrutiny.
4,5,6    Moderate        Financial loss is moderate, could be significant, and may require public disclosure. Management involved with issue and focused on completing it within a timely manner. Efficiency problems are moderate. Public scrutiny is moderate to none.
1,2,3    Insignificant   Little financial loss. May not require attention of management. Process changes likely not required in response to risk occurrence. Little efficiency problems. No public scrutiny.


Likelihood Scale:

You can rank the ‘likelihood’ of your key business risks using the scale described below.

Level    Descriptor   Likelihood Description
7,8,9    Probable     The future event or events are expected to occur in most circumstances.
4,5,6    Possible     The chance of the future event or events is more than remote but less than probable.
1,2,3    Remote       The future event or events may occur only in exceptional circumstances.

Risk category and placement:

After identifying the inherent risks within the Department of Revenue, the risks were ranked within a Significance/Likelihood Scale.

The risk chart and matrix is detailed on the following page.


Risk Matrix

List of Risks                                                  Significance   Likelihood

Control System Processes
  R1 - Reporting confusion                                         4.5            8.0
  R2 - Unclear duties                                              6.5            8.5
  R3 - Non-standardized practices                                  7.0            8.5
  R4 - Non-collaboration with the accounting department            7.5            9.0
  R5 - Segregation of duties                                       9.0            4.0

Spread Sheet Issues
  R6 - Spreadsheet location/multiplicity                           3.0            7.0
  R7 - Lack of confirmation/verification of spreadsheets           6.5            6.0
  R8 - Design of spreadsheet                                       3.0            7.0
  R9 - Access to spreadsheets                                      7.0            5.0

PII Liability
  R10 - PII Becomes exposed                                        9.0            5.5

Non-Budget Purchases
  R11 - Non-approved purchases                                     3.5            3.0
  R12 - Delivery of assets                                         3.0            5.0
  R13 - Pro-card controls                                          3.0            3.5

Misplacement/Storage Issues
  R14 - Warehouse security access                                  7.0            5.0
  R15 - Surplus Storage                                            3.5            6.5
  R16 - Misplacement of assets (outside warehouse)                 7.0            7.0
  R17 - Untagged assets                                            4.0            4.5

Software Controls
  R18 - Licensing storage inefficiency                             3.0            8.0
  R19 - Software copyright violation                               5.0            8.0

Hard Copy Documentation
  R20 - Lack of hard copy sign offs                                8.5            7.0
  R21 - Hard copies are incomplete                                 8.5            7.0
  R22 - Hard copy security                                         8.5            7.0

KEY
Significance: Major 9, High 7, Significant 5, Moderate 3, Insignificant 1
Likelihood: Almost Certain 9, Probable 7, Reasonably Possible 5, Unlikely 3, Remote 1

[DOR IT Asset Risk Matrix (Graph): figure not captured in this transcript.]

Risk Matrix - Summary

List of Risks                       Significance   Likelihood
1 - Control System Processes            6.90          7.60
2 - Spread Sheet Issues                 4.88          6.25
3 - PII Liability                       9.00          9.00
4 - Non-Budget Purchases                3.17          3.83
5 - Misplacement/Storage Issues         5.38          5.75
6 - Software Controls                   4.00          8.00
7 - Hard Copy Documentation             8.50          7.00

KEY
Significance: Major 9, High 7, Significant 5, Moderate 3, Insignificant 1
Likelihood: Almost Certain 9, Probable 7, Reasonably Possible 5, Unlikely 3, Remote 1

[DOR IT Asset Risk Matrix Summary (Graph): figure not captured in this transcript.]

Controls of Risks

In order to address and mitigate all of the risks identified and prioritized, a list of controls was generated and added to the risk matrix. Whether a risk was actually being controlled was not known until the control was tested. Controls were identified based on the following:

Controls were identified throughout the as-is process, and thus recorded in the as-is process maps

Often times several risks are mitigated by one control activity

Manual and automated controls were both identified

Controls could be preventive (stop a risk from occurring)

Controls could be detective (identify a risk that has occurred)

Controls could be corrective (correct a risk that has occurred)

Controls were a link between the inherent risks and the actual process

The control/risk matrix is detailed on the following page.

[Control/Risk Matrix: table not captured in this transcript.]

Test and Findings


Test Plans

A high-quality audit report has overall findings from audit tests and control tests. These tests are highly effective tools for management to bring about positive change and to improve controls. During the Department of Revenue IT asset management audit, tests performed and planned pertained to:

The controls which are inherent in the highly likely and very significant risks.

Above a six in the Likelihood risk prioritizing scale.

Above a six in the Significance risk prioritizing scale.

The IT asset life cycle: acquisition, installation, maintenance, disposal.

Randomly chosen IT asset sample size

In-scope and out-of-scope testing

Controls 11, 12, 13, 15, 16, and 21 were not tested because they moved away from IT asset management or the related risks were not significant enough.

Control 5 test was omitted from the deliverable due to insufficient evidence.

Each test is designed to test specific controls and contains all observations, results, and recommendations. The testing of IT assets through the IT asset life cycle was intertwined in the testing of specific controls. The information included in the tests is as follows:

Process: Which section of the IT asset life cycle the control takes place.

Control Activity: Description of the control.

Control # and Associated Risk: What control/risk it is as reference to the control/risk matrix.


Risk/Control Type: Identifies the priority of the key control. Since all tests are associated with highly likely and very significant risks, all the risk/control types are primary.

Assigned To: Whom or what department has the most frequent interaction with the control.

Closed Date: The date of when the audit ends.

Frequency: The fiscal period for the test, all of the tests were done in the annual fiscal period which ends in June.

Control Objective: Defines the control.

Walkthrough Documentation: Documentation most likely viewed and tested for that control.

Operating Effectiveness – Test Steps: Planned audit steps and questions before execution of the actual test.

Test Performed By: Members of the Audit Team or the Internal Auditing office involved in executing the test.

Approved By: The Internal Auditing Manager who approved the test.

Date of Validation: Date during which the test took place.

Completed By: The primary person in charge of completing the test form.

Sample Details: Details about the sample.

Period Tested: The preliminary period test.

Validation Results/Findings: Observations and findings during the audit.


Effective Control:

Yes: The control effectively mitigates the risk

No: The control is missing or it does not mitigate the risk

N/A: Not applicable

Other: Other or the control will effectively mitigate the risk after small modifications to the current process

Comments / Recommendations: Further explanation and recommendations if applicable.

The tests are on the following pages.


DOR Test Forms

Process: Acquisition

Control Activity: Storage of IT asset hard copies

Control # and Assoc. Risks: C1; R 7, 21, 22, 23

Risk/Control Type: Primary

Assigned To: Budget

Control Objective: To securely store and complete the IT acquisition asset (RFS purchase orders) hard copies.

Closed Date: 4/29/09

Frequency: Annual

Walkthrough Documentation

1. RFS forms

2. Receiving Documentation

3. Approval Packets

4. Payment voucher

Operating Effectiveness - Test Steps

1. Evaluate storage of IT acquisition forms.

2. Verify forms are complete.

3. Check that all documentation is done similarly.

Test Performed By: Sandra Sifuentes, Jose Giardiello

Approved By: Matthew Morgan

Date of Validation: 4/10/09

Completed By: Jose Giardiello

Sample Details

What is being tested? Asset RFS #: 11963, 11908, 11899, 11914, 12030, 12083

What is the population? (List the entire population or reference the population source.) Sample gathered from a population of 45 completed orders

How were items chosen? Items chosen by random number generator in Excel


Period Tested From July 2008 To February 2009


Validation Results/Findings

1) There is clear organization when it comes to the storage of IT hard copy acquisition forms

2) All RFS# tested were properly stored in their respective locations and securely stored in the proper office

3) All RFS# tested had proper sign offs/authorizations

4) All RFS# tested had complete receiving documentation, approval packets, and payment vouchers

5) RFS#11899 had proper supplement information in the form of RFS#11899A

6) RFS#11963 was found in its proper place although it had last year’s date, but it was correct due to the fiscal year date

7) A Hardware RFS# was chosen randomly during the test, RFS#12083, it was tested and the findings show proper documentation including the packing slip from the Warehouse, signatures, pro-card forms and payment vouchers

Effective Control

_x_Yes

__ No

__ N/A

__ Other, please specify in comments section below

(If not in compliance with required practice, provide further explanation below, e.g. Action Taken, reference to Action Plan created, etc.)


Comments / Recommendations

Operating Effectiveness

Effective organization and storage

Comments

Templates are used for RFS form, which is effective in maintaining proper and similar documentation

All RFS# had digital copies of the physical forms, which were recorded in a secure global spreadsheet (refer to test/control #2)

Recommendations

None

Process: Acquisition

Control Activity: Updated RFS Spreadsheet

Control # and Assoc. Risks: C2; R 2, 3, 6, 7, 8, 9, 22

Risk/Control Type: Primary

Assigned To: Budget

Control Objective: RFS documents are being consolidated and kept up to date in a global spreadsheet.

Closed Date: 4/29/09

Frequency: Annual


Walkthrough Documentation

1. RFS forms

2. Receiving Documentation

3. Approval Packets

4. Payment voucher

5. Global Spreadsheet

Operating Effectiveness - Test Steps

1. Check for access to spreadsheet.

2. Test for completion of spreadsheet.

3. Check that the correct people have access to the global spreadsheet.

Test Performed By: Sandra Sifuentes, Jose Giardiello, Matthew Morgan

Approved By: Matthew Morgan

Date of Validation: 4/10/09

Completed By: Jose Giardiello

Sample Details

What is being tested? Asset RFS #: 11963, 11908, 11899, 11914, 12030, 12083

What is the population? (List the entire population or reference the population source.) Sample gathered from a population of 45 completed orders

How were items chosen? Items chosen by random number generator in Excel

Period Tested From July 2008 To February 2009


Validation Results/Findings

1) Everyone at the DOR can view the global spreadsheet within the intranet

2) Only 5 people can make changes to the spreadsheet, those 5 people have a password to be able to make changes

3) The password has not been changed at all since its creation

4) Remote connectivity checked with Matt Morgan, people without passwords cannot make changes and can only save a copy of the spreadsheet

5) All RFS# were found in the spreadsheet, and all RFS# had all the documentation the hard copies had

6) RFS#11899 had proper supplement information in the form of RFS#11899A

7) A Hardware RFS# was chosen randomly during the test, RFS#12083, it was tested and the findings show all the proper copies of hardcopy documentation

8) CIO needs to approve all orders above $10,000

9) The spreadsheet is kept up to date by the budget staff only for what they know/work on, i.e. budget information

Effective Control

__Yes

__ No

__ N/A

_X_ Other, please specify in comments section below

(If not in compliance with required practice, provide further explanation below, e.g. Action Taken, reference to Action Plan created, etc.)


Comments / Recommendations

Operating Effectiveness

Effective control, except that the password has not been changed at all since its creation and the spreadsheet is not fully updated

Comments

Control #1 and #2 are connected: since very few people can change the spreadsheet, the hard copies must match the copies on the intranet, which in our tests they do

Recommendations

Change the global spreadsheet password regularly

Have one consolidated spreadsheet that is frequently updated


Process: Installation

Control Activity: Verification of asset during receiving phase

Control # and Assoc. Risks: C3; R 7, 14, 21, 22, 23

Risk/Control Type: Primary

Assigned To: Warehouse Logistics

Control Objective: Assets are being properly accounted for and kept up to date in a global document.

Closed Date: 4/29/09

Frequency: Annual

Walkthrough Documentation

RFS forms

Receiving Documentation

Updated document with received asset

Operating Effectiveness - Test Steps

1. Check RFS forms match receiving forms.

2. Check for proper signatures in regards to the receiving of an asset.

3. Test for completion of spreadsheet.

Test Performed By: Karin Rosen, Jose Giardiello, Doug Waechter

Approved By: Matthew Morgan

Date of Validation: 4/17/09

Completed By: Jose Giardiello

Sample Details

What is being tested? Asset RFS #: 11963, 11908, 11899, 11914, 12030, 12083

What is the population? (List the entire population or reference the population source.) Sample gathered from a population of 45 completed orders

How were items chosen? Items chosen by random number generator in Excel

Period Tested From July 2008 To February 2009

Validation Results/Findings

1) All RFS forms are copies of the global spreadsheet

2) All RFS forms kept in the warehouse are copies of the first 2-3 pages of the RFS packets kept in the budget office

3) Once an assets is delivered, the packing slip gets put into the corresponding RFS packet

4) Not all assets that arrive have packing slips, this is a third party malfunction not a DOR one

Those assets without a packing slip are held in the warehouse until they are claimed by someone, only then will the RFS packets be completed

5) Once asset is received, the global spreadsheet (the budget one) gets updated (date added of when asset is received)

6) All RFS# tested matched the receiving forms including RFS#12083 (the hardware RFS that was randomly chosen during the test for control #1)

Effective Control

_x_Yes

__ No

__ N/A

__ Other, please specify in comments section below

(If not in compliance with required practice, provide further explanation below, e.g. Action Taken, reference to Action Plan created, etc.)

Comments / Recommendations

Operating Effectiveness

Missing packing slips are not a DOR control failure

Comments

Templates are used for the RFS form, which is effective in maintaining proper and consistent documentation

Recommendations

Since packing slips are used as a “signature” to verify a received asset, and some assets arrive without one, use other verification methods (beyond the global spreadsheet verification)

Process Installation

Control Activity Who receives the asset?

Control # and Assoc. Risks

C4

R 2, 3, 5, 11, 12, 13

Risk/Control Type Primary

Assigned To Warehouse

Control Objective

To verify who receives the purchased item when first delivered to the warehouse.

Closed Date 4/29/09

Frequency Annual

Walkthrough Documentation

1. Asset packing slip

Operating Effectiveness - Test Steps

1. Determine who receives the asset when first delivered.

2. Check for documentation and signatures that verify the delivery.

3. Confirm this process is done in a timely manner.

Test Performed By Doug Waechter, Karin Rosen

Approved By Matthew Morgan

Date of Validation 4/17/2009 Completed By Karin Rosen

Sample Details

What is being tested? Warehouse logistics

Period Tested From July 2008 To February 2009

Validation Results/Findings

1) Personnel from the warehouse receive the asset along with the packing slip.

2) They have the packing slip signed by the warehouse manager.

3) The equipment is then left in the warehouse until it is tagged and given to the user. The packing slip is stored with the RFS# form in hardware or software binders.

4) There seemed to be no specific assignment as to who receives the asset or when the slip needs to be signed by the warehouse manager.

Effective Control

__Yes

__ No

__ N/A

_X_ Other, please specify in comments section below

(If not in compliance with required practice, provide further explanation below, e.g. Action Taken, reference to Action Plan created, etc.)

Comments / Recommendations

Operating Effectiveness

There is documentation that is kept to verify that the warehouse has received the asset but there is no specific process for receiving an asset.

Recommendations

There should be a specific, documented order about how an asset is received. There should be guidelines on how quickly a packing slip needs to be signed by the warehouse manager.

Process Installation

Control Activity Proper Documentation and recording for licenses

Control # and Assoc. Risks

C6

R 1,2,3,6,7,8,9,18,19

Risk/Control Type Primary

Assigned To Budget and Technicians

Control Objective

To securely complete and store the proper licensing records, electronic and hard copies.

Closed Date 4/29/09

Frequency Annual

Walkthrough Documentation

1. RFS forms

2. Approval Packets

3. License Certificate

Operating Effectiveness - Test Steps

1. Evaluate storage of IT Licenses.

2. Verify forms are complete.

3. Check that all documentation is done similarly.

Test Performed By Sandra Sifuentes, Doug Waechter, Karin Rosen

Approved By Matthew Morgan

Date of Validation 4/12/09 Completed By Sandra Sifuentes

Sample Details

What is being tested? Asset RFS #: 11963, 11908, 11899, 11914, 12030

What is the population? (List the entire population or reference the population source.) Sample gathered from a population of 45 completed orders

How were items chosen? Items chosen by random number generator in Excel

Period Tested From July 2008 To February 2009

Validation Results/Findings

1) There is clear organization when it comes to the storage of IT hard copy license certificates

2) All RFS# tested were properly stored in their respective locations and securely stored in the proper office

3) All RFS# tested had proper sign offs/authorizations

4) All RFS# tested had complete license documentation

5) Both budget employees and technicians had copies of electronic and hardcopy licenses in their records

Effective Control

_x_Yes

__ No

__ N/A

__ Other, please specify in comments section below

(If not in compliance with required practice, provide further explanation below, e.g. Action Taken, reference to Action Plan created, etc.)

Comments / Recommendations

Operating Effectiveness

Effective organization and storage

Comments

Templates are used for RFS packets, which is effective in maintaining proper licensing documentation

Recommendations

None

Process Installation

Control Activity Warehouse spreadsheet is complete

Control # and Assoc. Risks

C7

R 2,3,6,7,8,9,14,15,21,22

Risk/Control Type Primary

Assigned To Warehouse

Control Objective

To confirm that the global warehouse spreadsheet is complete with all information pertaining to new assets.

Closed Date 4/29/09

Frequency Annual


Walkthrough Documentation

1. Asset RFS forms

2. Global spreadsheet

Operating Effectiveness - Test Steps

1. Randomly select 5 RFS numbers from list

2. Verify that the information on the RFS forms matches the information on the global spreadsheet

3. Check to see if the spreadsheet is correctly filled out for complete life cycle of an asset.

4. Confirm that uniform process is being used for entire spreadsheet

Test Performed By Karin Rosen, Doug Waechter, Jose Giardiello

Approved By Matthew Morgan

Date of Validation 4/17/09 Completed By Jose Giardiello

Sample Details

What is being tested? Asset RFS #: 11963, 11908, 11899, 11914, 12030, 12083

What is the population? (List the entire population or reference the population source.) Sample collected from a population of 45 completed orders

How were items chosen? Items chosen by random number generator in Excel

Period Tested From July 2008 To February 2009

Validation Results/Findings

1) The randomly selected RFS# were found in the hardware or software binders kept by the warehouse manager.

2) The information on the spreadsheet matched the information on the hard copies.

3) The spreadsheet was correctly filled out. However, the spreadsheet was not updated after the asset was disposed of.

4) The “order status” and “est. delivery date” columns were uniformly filled out. However, there were some columns filled out incorrectly by different departments.

Effective Control

__Yes

_x_ No

__ N/A

__ Other, please specify in comments section below

(If not in compliance with required practice, provide further explanation below, e.g. Action Taken, reference to Action Plan created, etc.)

Comments / Recommendations

Operating Effectiveness

This control is somewhat effective because the spreadsheet information matches the information on the hard copies. However, there are no set guidelines for how the spreadsheet should be filled out and the spreadsheet was not filled out after disposal.

Recommendations

Set guidelines for the global spreadsheet on how each column should be filled out. Give examples of the specific information that should be going into each category and when a signature or initials is necessary. Confirm that the spreadsheet is updated after equipment is disposed of.

Process Installation - Desktop Software

Control Activity Software Storage and Re-installation

Control # and Assoc. Risks

C 8

R 2, 3, 7, 16, 21, 22

Risk/Control Type Primary

Assigned To Enterprise Services

Control Objective

Software ordered before the new system was implemented is being stored safely and licenses are being recorded accurately.

Closed Date 4/29

Frequency Constant

Walkthrough Documentation

1) Software ordered before the new process was implemented is recorded on Desktop_Licensing.xls on the intra web, and the installation disk is stored in a secure cabinet at the Capitol Hill location.

2) Any requests for installation of the software should be recorded on the spreadsheet, and the hard copy documentation should be included in the hardcopy packet in the cabinet with the software.

All documents should be included in the packet in the software cabinet at the Capitol Hill location.

1) Purchase Order

2) Payment Voucher

3) License Transfer Form

Operating Effectiveness - Test Steps

1. Observe the security of software and associated hardcopy.

2. Find hardcopies associated with assets chosen from the spreadsheet.

3. Look for: purchase order, payment voucher, and license transfer form in the hard copy packet.

4. Ensure that the information on the hard copy matches the information from the spreadsheet.

5. Ensure that the installation CD for the chosen software can be found in the cabinet.

Test Performed By Beth Williams

Approved By Matthew Morgan

Date of Validation 4/22/09 Completed By Robert Mushet

Sample Details

What is being tested? How many items tested?

State ID tag:

425-70633 - Microsoft Access 2000 VUP

425-28428 - Adobe Acrobat v4.0

425-70842 - Crystal Decisions Crystal Reports v9.0

Period Tested From July 2008 To April 2009

Validation Results/Findings

Numbers correlate to the test steps above:

1) Storage of Software seems secure but hardcopies are not in the cabinet.

2) Hard copies are not in cabinet; also unable to find the specific software in the cabinet.

3) None of the software in the cabinet had any of the three items listed above (purchase order, payment voucher, license transfer form). Per Rick Dean, five or so years ago they started a project to gather all of this information. They wanted to incorporate their tracking into the Altiris software, but that never happened, as it depended on someone creating a special report for that to work.

Currently, they do not keep this information together.

4) No hard copies were found. The specific software was not found.

5) Older or newer versions were in the cabinet but not the specific one selected. The Adobe version was located but not for the specific one selected. There is a chance that some of the software selected was put on a server and then DOR purchased multiple licenses for installing on many computers.

Effective Control

__ Yes

_x_ No

__ N/A

__ Other, please specify in comments section below

Management Response

Rick Dean suggested talking to Lou Ennis, who is in charge of Altiris, to try and track these applications through Altiris instead. May have to look for the purchase order, payment voucher, etc. in Accounting and Financial Services (AFS).

Comments / Recommendations

Operating Effectiveness

This control does not seem to be effective. We knew this would be the case before testing it. The process only relates to software ordered before the new ordering process was implemented, a little over a year ago, and is currently only used for specialty software.

Comments

No further follow up was done for the related control. The issue does not seem significant enough to warrant any more testing. The risks associated with this control are: 1) someone reorders a piece of old software because it cannot be located (possible likelihood, low significance); 2) a license key is used more than once to install an old piece of software (possible likelihood, low significance: DOR can uninstall if there is a complaint from the manufacturer).

Recommendations

Incorporate a comprehensive software and license storage system to manage both the old and the new software.

Process Installation

Control Activity Completion and storage of IT work orders

Control # and Assoc. Risks

C9

R 20, 21

Risk/Control Type Primary

Assigned To Technicians

Control Objective

To securely complete and store the IT installation work orders, electronic and hard copies.

Closed Date 4/29/09

Frequency Annual

Walkthrough Documentation

1. RFS forms

2. Approval Packets

3. Work Order Request Form

4. Global Drive

Operating Effectiveness - Test Steps

1. Evaluate storage of IT Work Order Forms.

2. Verify forms are complete.

3. Check that all documentation is done similarly.

4. Check Global Drive for updated installation status.

Test Performed By Sandra Sifuentes, Doug Waechter, Karin Rosen

Approved By Matthew Morgan

Date of Validation 4/15/09 Completed By Sandra Sifuentes

Sample Details

What is being tested? Asset RFS #: 11963, 11908, 11899, 11914, 12030

What is the population? (List the entire population or reference the population source.) Sample gathered from a population of 45 completed orders

How were items chosen? Items chosen by random number generator in Excel

Period Tested From July 2008 To February 2009

Validation Results/Findings

1) There is clear organization when it comes to the storage of IT hard copy acquisition forms

2) All RFS# tested were properly stored in their respective locations and securely stored in the proper office

3) All RFS# tested had proper sign offs/authorizations

4) All RFS# tested had complete receiving documentation, approval packets, and payment vouchers

5) RFS#11899 had proper supplemental information in the form of RFS#11899A

6) RFS#11963 and RFS#11908A (orders in 2008) were not complete – missing IT work request forms and signoffs – in pending status

7) A software transfer RFS#, RFS#58750, was chosen randomly during the test; it showed proper documentation including request forms, signatures, and date of completion

Effective Control

_x_Yes

__ No

__ N/A

__ Other, please specify in comments section below

(If not in compliance with required practice, provide further explanation below, e.g. Action Taken, reference to Action Plan created, etc.)

Comments / Recommendations

Operating Effectiveness

Effective organization and storage

Comments

Templates are used for the IT work request form, which is effective in maintaining proper documentation

Recommendations

Maintain a consistent deadline for IT PROs to return the completed work order form

Process Installation

Control Activity Verification between tags and spreadsheet

Control # and Assoc. Risks

C10

R 6,7,8,9,17

Risk/Control Type Primary

Assigned To IT department

Control Objective

To verify that the computer tag numbers match the numbers stored on the spreadsheet.

Closed Date 4/29/09

Frequency Annual

Walkthrough Documentation

Computer tag numbers from spreadsheet

Tag numbers on the computers

Operating Effectiveness - Test Steps

1. Randomly choose 5 tag numbers from the global spreadsheet.

2. Check that the tag numbers match the physical tags on the computers.

3. Confirm the correct user of the computer is entered into the spreadsheet.

Test Performed By Sandra Sifuentes, Doug Waechter, Karin Rosen

Approved By Matthew Morgan

Date of Validation 4/15/2009 Completed By Karin Rosen

Sample Details

What is being tested? Computer tag numbers: 70633, 77875, 71809, 71775, 71587

What is the population? (List the entire population or reference the population source.)

How were items chosen? Items chosen by random number generator in Excel

Period Tested From July 2008 To February 2009

Validation Results/Findings

1) There was a list of computer tag numbers that was complete and filled out correctly.

2) The spreadsheet showed the users of the tagged computers

3) All five, randomly selected, tag numbers matched the physical tag number on the computers and the users matched what was recorded in the spreadsheet.

70633 Margaret Youngman

77875 Brian Shell

71809 Kathy Beesing

71775 Michelle Lane

71587 Martin Kinney

Effective Control

_x_Yes

__ No

__ N/A

__ Other, please specify in comments section below

(If not in compliance with required practice, provide further explanation below, e.g. Action Taken, reference to Action Plan created, etc.)

Comments / Recommendations

Operating Effectiveness

This control seems effective. The tags and user names were properly recorded on the spreadsheet and matched the physical asset and user.

Comments

none

Recommendations

none

Process Maintenance

Control Activity Testing of Patches & Upgrades

Control # C 14, 18, 19

R 1, 2

Control Type Primary

Assigned To Technician

Control Objective

To ensure IT assets have the appropriate patches and upgrades as recommended by the manufacturer and as determined by technicians.

Closed Date 4/29/09

Control Frequency Annual

Walkthrough Documentation

All documentation is contained in the Altiris system

Operating Effectiveness - Test Steps

1. Determine where technicians find out about patches and upgrades.

2. Evaluate how technicians determine if the patch or upgrade is appropriate.

3. Determine the methodology used for defining a super user tester.

4. Check for completeness of the documentation associated with patches and upgrades

Test Performed By Douglas Waechter, Karin Rosen, Sandra Sifuentes

Approved By Matt Morgan

Date of Validation 4/15/09 Completed By Douglas Waechter

Sample Details

What is being tested?

Due to the nature of the Altiris system, the sample was the entire system.

Period Tested From July 2008 To February 2009

Validation Results/Findings

1) Information about patches and upgrades is sent out through email by the manufacturer. Microsoft patches and upgrades are checked daily and updated monthly.

2) Technicians evaluate the patches and upgrades based on their knowledge of the operational needs of the IT system.

3) Super users are selected as needed by the technicians. They are selected for their willingness to participate and their expertise with a specific application. Due to the level of expertise needed, this selection is done for each patch or upgrade.

4) Documentation is stored in the Altiris system for each computer and its history of patches and upgrades. The system automatically pushes patches and upgrades to the appropriate systems.

Effective Control

_X_ Yes

__ No

__ N/A

__ Other, please specify in comments section below

(If not in compliance with required practice, provide further explanation below, e.g. Action Taken, reference to Action Plan created, etc.)

Comments / Recommendations

Operating Effectiveness

The Altiris system is recognized as an industry standard for managing the type of computer system that the DOR operates. The technicians appear to be well trained and confident in their ability to use the system to keep IT assets up to date.

Comments

Hard copies of patches and upgrades are currently not being kept. It would be impractical to do so for a system as large as the DOR.

Recommendations

Technicians should define in writing what they are looking for in a super user.

Process Disposal

Control Activity Policy to determine if equipment has a hard drive

Control # and Assoc. Risks

C 17

R 3

Risk/Control Type Primary

Assigned To Warehouse

Control Objective

To determine if a piece of equipment that is ready to be disposed of has a hard drive in it.

Closed Date 4/29/09

Frequency Annual

Walkthrough Documentation

Spreadsheet listing IT assets

Operating Effectiveness - Test Steps

1. Look at global spreadsheet to determine if piece of equipment has hard drive

2. Remove hard drive from equipment and record on global spreadsheet and hard drive spreadsheet

3. Check each piece of equipment to be sure the spreadsheet was not filled out incorrectly or the equipment contains more than one hard drive.

Test Performed By Jose Giardiello, Doug Waechter, Karin Rosen

Approved By Matthew Morgan

Date of Validation 4/17/2009 Completed By Karin Rosen

Sample Details

What is being tested? Spreadsheet listing IT assets

Period Tested From July 2008 To February 2009

Validation Results/Findings

Warehouse personnel check each piece of equipment waiting to be disposed of for a hard drive

If equipment contains a hard drive it is removed by the warehouse manager

Effective Control

__Yes

_x_ No

__ N/A

__ Other, please specify in comments section below

(If not in compliance with required practice, provide further explanation below, e.g. Action Taken, reference to Action Plan created, etc.)

Comments / Recommendations

Operating Effectiveness

This control is very ineffective. There is no documentation that says if a piece of equipment contains a hard drive or not.

Recommendations

It should be recorded on the global spreadsheet when the asset is first received whether or not it contains a hard drive. The warehouse can then refer to this spreadsheet, along with checking each piece of equipment, to be sure a hard drive is not left in a disposed-of asset. It should also be recorded on the global spreadsheet when a hard drive is removed from an asset.

Process Disposal

Control Activity Post-spreadsheet Reported, Tracked and Verified

Control # and Assoc. Risks

C20

R 1,2,4,6,7,8,9,18,19

Risk/Control Type Primary

Assigned To Warehouse Logistics

Control Objective

To keep the global spreadsheet up to date after the disposal of an asset and to ensure the proper personnel were informed of the disposal.

Closed Date 4/29/09

Frequency Annual

Walkthrough Documentation

Global Spreadsheet

Operating Effectiveness - Test Steps

1. Test for completion of spreadsheet or any other reporting documentation.

2. Check reporting after disposal.

Test Performed By Karin Rosen, Jose Giardiello, Doug Waechter

Approved By Matthew Morgan

Date of Validation 4/17/09 Completed By Jose Giardiello

Sample Details

What is being tested? Post disposal documentation

Period Tested From July 2008 To February 2009

Validation Results/Findings

1) After the disposal of an asset there is no global reporting

2) The global spreadsheet does not get updated after the disposal of an asset

3) After the disposal of an asset, no one in upper management is informed of or confirms the disposal (the warehouse manager is the one doing the disposal, so there are zero confirmations)

Effective Control

__Yes

_X_ No

__ N/A

__ Other, please specify in comments section below

(If not in compliance with required practice, provide further explanation below, e.g. Action Taken, reference to Action Plan created, etc.)

Comments / Recommendations

Operating Effectiveness

Not effective, because other departments don’t know if an asset was disposed of

Recommendations

There needs to be confirmation of the disposal to upper management and other departments (if the warehouse manager continues to be the only one doing the disposal; otherwise, have someone in charge of the disposal who reports to the warehouse manager). Have sign-offs and a column in the spreadsheet for disposal (or have one consolidated spreadsheet that is frequently updated).
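The recommendations for Controls 7, 17 and 20 all come down to the same thing: the global spreadsheet must carry a few lifecycle columns and every row must be checked against them. As an added example (not part of the original audit and not the DOR's own tooling), the following Python check encodes those recommendations over constructed rows. The column names, the sample RFS numbers and the finding codes are assumptions chosen for illustration; the rules are the ones stated above: a hard-drive flag recorded at receipt, hard-drive removal recorded before disposal, a disposal column that is actually filled in, and a disposal sign-off by someone other than the person who disposed of the asset.

```python
"""Completeness check for a global IT asset spreadsheet (added example).

Constructed data: the columns and rows below are assumptions, not the DOR's
actual spreadsheet. Each record is one asset's lifecycle from receipt to
disposal; check_asset() returns the findings an auditor would raise for it.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Columns that must be filled in when an asset is received (Controls 7 and 17).
RECEIPT_FIELDS = ("rfs", "tag", "received", "has_hard_drive")


@dataclass
class AssetRow:
    rfs: str                        # RFS number (placeholder values below)
    tag: str                        # state asset tag
    received: Optional[date]        # date the asset arrived at the warehouse
    has_hard_drive: Optional[bool]  # recorded at receipt; None = never recorded
    status: str                     # "in service" or "disposed"
    hd_removed: Optional[date] = None   # date the drive was pulled (Control 17)
    disposed: Optional[date] = None     # disposal column (Controls 7 and 20)
    disposed_by: str = ""               # who performed the disposal
    confirmed_by: str = ""              # who outside the warehouse signed off


def check_asset(row: AssetRow) -> list[str]:
    """Return finding codes for one row; an empty list means the row is complete."""
    findings = []
    for field_name in RECEIPT_FIELDS:
        if getattr(row, field_name) in (None, ""):
            findings.append(f"MISSING_{field_name.upper()}")
    if row.status == "disposed":
        if row.disposed is None:
            findings.append("DISPOSAL_NOT_RECORDED")
        if not row.confirmed_by:
            findings.append("DISPOSAL_NOT_CONFIRMED")
        elif row.confirmed_by == row.disposed_by:
            # Same person disposing and confirming defeats the sign-off.
            findings.append("DISPOSAL_SELF_CONFIRMED")
        if row.has_hard_drive:
            if row.hd_removed is None:
                findings.append("HD_NOT_REMOVED")
            elif row.disposed is not None and row.hd_removed > row.disposed:
                findings.append("HD_REMOVED_AFTER_DISPOSAL")
    return findings


def check_sheet(rows):
    """Map each RFS number with at least one finding to its list of findings."""
    report = {}
    for row in rows:
        findings = check_asset(row)
        if findings:
            report[row.rfs] = findings
    return report


# Constructed sample rows (RFS numbers and names are placeholders).
SAMPLE_ROWS = [
    AssetRow("RFS-A", "T-100", date(2008, 8, 1), True, "in service"),
    AssetRow("RFS-B", "T-101", date(2008, 9, 3), True, "disposed",
             hd_removed=date(2009, 1, 10), disposed=date(2009, 1, 15),
             disposed_by="warehouse manager", confirmed_by="budget office"),
    # Disposed, but the drive flag was never recorded and nothing was logged.
    AssetRow("RFS-C", "T-102", date(2008, 10, 7), None, "disposed",
             disposed_by="warehouse manager"),
    # Disposed with a drive still inside, and self-confirmed.
    AssetRow("RFS-D", "T-103", date(2008, 11, 2), True, "disposed",
             disposed=date(2009, 2, 1),
             disposed_by="warehouse manager", confirmed_by="warehouse manager"),
]

if __name__ == "__main__":
    for rfs, findings in check_sheet(SAMPLE_ROWS).items():
        print(rfs, ", ".join(findings))
```

Rows RFS-A and RFS-B pass; RFS-C and RFS-D surface exactly the gaps the three controls describe, so the same check can be run after every disposal batch rather than once a year.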

Process Disposal

Control Activity Procedures for hard drive disposal

Control # and Assoc. Risks

C22, 23

R 5, 7, 10, 14, 15, 20, 21, 22

Risk/Control Type Primary

Assigned To Warehouse

Control Objective

To verify proper reporting and authorization procedures for hard drives taken to third party for disposal.

Closed Date 4/29/09

Frequency Annual

Walkthrough Documentation

1) List of removed hard drives recorded by DOR

2) List of disposed of hard drives recorded by GRX

3) Verified form with signatures from DOR and GRX

Operating Effectiveness - Test Steps

1. Compare all numbers on list of removed hard drives with list of disposed of hard drives to ensure that every hard drive removed and given to GRX was disposed of

2. Verify that transfer forms were properly signed and kept

3. Verify that disposal of hard drives was watched by a DOR employee

Test Performed By Jose Giardiello, Doug Waechter, Karin Rosen

Approved By Matthew Morgan

Date of Validation 4/17/2009 Completed By Karin Rosen

Sample Details

What is being tested? Hard Drive numbers: 17201721819, LAK20736, LAK41776

What is the population? (List the entire population or reference the population source.)

How were items chosen? Items chosen at random during the audit

Period Tested From July 2008 To February 2009

Validation Results/Findings

1) There was a hand written list of hard drive numbers that had been removed

2) There was a computer-generated list from the GRX containing numbers from the hard drives that had been disposed of.

3) We chose three random hard drive numbers from the GRX list to confirm that they were on the DOR list. We found all three numbers on the list.

4) We then checked that the number of DOR hard drives given to the GRX matched the number that was on the GRX’s list of disposed hard drives. This was the most time efficient way of checking that the lists were complete.

5) There was a transfer form signed by the warehouse manager confirming the hard drives were properly transferred and were destroyed under the supervision of a DOR employee.

Effective Control

__Yes

_x_ No

__ N/A

__ Other, please specify in comments section below

(If not in compliance with required practice, provide further explanation below, e.g. Action Taken, reference to Action Plan created, etc.)

Comments / Recommendations

Operating Effectiveness

This control seems somewhat effective; however, it is not very efficient. Every single number on the DOR list needs to be checked against the GRX list.

Recommendations

The most convenient way to check the numbers from the DOR against the GRX would be to keep the numbers on an Excel spreadsheet. The GRX could email their list to the DOR and the numbers could be checked once they were put in order. The easiest way to get the hard drive numbers onto an Excel spreadsheet would be to use a bar code scanner. This bar code scanner could record all the numbers, which could easily be transferred to the computer.
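The reconciliation the recommendation describes, as an added example in Python (not part of the original audit or of any DOR or GRX tooling): the DOR's list of removed drives and the vendor's destruction list are read one serial per line, normalised (the hand-written list is transcribed with stray spaces and lower case), and compared with multiset semantics so duplicates are caught. The serial numbers are constructed placeholders. The sample also shows why test step 4 above, comparing the two counts, is not sufficient on its own: both lists have six entries, yet one drive on the DOR list never appears on the destruction certificate and the vendor lists a drive DOR never recorded.

```python
"""Reconcile removed hard drives against a vendor destruction list (added example).

Constructed data: the serial numbers below are placeholders, not real DOR or
GRX records. Each list is one serial per line, as it would be after a bar code
scan or a transcription of the hand-written sheet.
"""
from collections import Counter

# Hand-written DOR list as transcribed: mixed case and stray whitespace.
DOR_REMOVED = """
lak20736
LAK41776
 17201721819
WD-AAA111
WD-BBB222
WD-DDD444
"""

# Vendor's computer-generated list of destroyed drives.
GRX_DESTROYED = """
LAK20736
LAK41776
17201721819
WD-AAA111
WD-BBB222
WD-CCC333
"""


def parse_serials(text):
    """Split one-serial-per-line text into normalised serials, keeping duplicates."""
    return [line.strip().upper() for line in text.splitlines() if line.strip()]


def reconcile(removed, destroyed):
    """Compare the two lists as multisets and report every discrepancy."""
    r = Counter(parse_serials(removed))
    d = Counter(parse_serials(destroyed))
    return {
        # The count check alone (test step 4) passes even when the lists differ.
        "counts_match": sum(r.values()) == sum(d.values()),
        # Removed by DOR but missing from the destruction certificate.
        "not_destroyed": sorted((r - d).elements()),
        # Destroyed per the vendor but never recorded as removed by DOR.
        "unexpected": sorted((d - r).elements()),
        # A serial appearing more than once on either list needs a second look.
        "duplicates": sorted(s for s in set(r) | set(d) if r[s] > 1 or d[s] > 1),
        # Only an exact multiset match closes the disposal batch.
        "complete": r == d,
    }


if __name__ == "__main__":
    for key, value in reconcile(DOR_REMOVED, GRX_DESTROYED).items():
        print(f"{key}: {value}")
```

Once both lists are captured electronically, the `complete` flag is what should be signed off, with `not_destroyed` treated as a possible data-leakage exposure until the drive is located.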

Process Disposal

Control Activity Verification Form – is surplus property checked/tracked

Control # and Assoc. Risks

C24, 25

R 20,21,22

Risk/Control Type Primary

Assigned To Warehouse Logistics

Control Objective

To properly document and track surplus to limit misuse/pilferage/confusion

Closed Date 4/29/09

Frequency Annual

Walkthrough Documentation

1. Surplus packets

2. Authorized surplus lists

Operating Effectiveness - Test Steps

1. Check for surplus packets and vouchers

2. Test for completion of packets

Test Performed By Karin Rosen, Jose Giardiello, Doug Waechter

Approved By Matthew Morgan

Date of Validation 4/17/09 Completed By Jose Giardiello

Sample Details

What is being tested? Post disposal documentation

Period Tested From July 2008 To February 2009

Validation Results/Findings

1) Surplus packets had a seven digit state tag and were not referenced by RFS numbers

2) Warehouse manager/program assistant created the list of assets that were in the surplus packets

3) Out of three packets tested only one had a Declaration of Surplus (list of surplus) which was generated by someone other than the warehouse manager

4) Authorized signatures came from warehouse manager and the Declaration of Surplus

5) Two out of the three did not have signatures

Effective Control

__Yes

__ No

_X_ N/A

__ Other, please specify in comments section below

(If not in compliance with required practice, provide further explanation below, e.g. Action Taken, reference to Action Plan created, etc.)

Comments / Recommendations

Operating Effectiveness

There are no previously defined job duties or standards

The control could be effective if the Declaration of Surplus were included in all the surplus packets

Recommendations

Track surplus with RFS numbers, to continue the tracking from acquisition to disposal and surplus

Use the Declaration of Surplus form as a reference in the surplus packets

Track surplus packets with dates

Segregate the duties around the surplus responsibility

Use the Declaration of Surplus to check the DOR list of surplus against the warehouse list of surplus; create that control and always have the Declaration in each surplus packet.

Findings Summary

After analyzing the results from our tests of the DOR controls we found the following:

45% of controls tested were found to be effective

33% of controls tested were found to be ineffective

22% of controls tested were found to be mostly effective with exceptions

Specific areas of concern:

Spreadsheets: In general there is a chaotic distribution of spreadsheets and information; this creates gaps in information and may allow for mismanagement of assets. This concern is illustrated by the ineffectiveness of these controls:

Control 2: Updated RFS Spreadsheet- The security of the global drive RFS spreadsheet was questionable because the password was not changed regularly.

Control 7: Warehouse Spreadsheet is Complete- There is no defined policy regarding updates to the spreadsheet and the spreadsheet is not updated to indicate the disposal of assets.

Control 20: Post-spreadsheet Reported, Tracked and Verified- There is no policy in place to record the disposal of assets in a global location.

Receiving the assets: The policy regarding sending all IT assets through the warehouse is sometimes ignored. Assets have the potential to be delivered to other areas of the organization, skipping the tagging and recording process at the warehouse. This concern is illustrated by the ineffectiveness of this control:

Control 4: Who Receives the Asset? - There is documentation kept to verify that the warehouse has received the asset, but there is no specific process for receiving an asset.

Software license storage and transfer: Our tests showed mixed results about the recording and transfer of software licenses. Our test of the current process suggested it is sound, but our test of the older software suggested that system is flawed. It is the opinion of the auditors that, although the test demonstrated the process is sound, it really is not. There are multiple spreadsheets where software licenses are stored; this creates risk and inefficiency in finding licenses for use. The controls tested regarding this concern are:

Control 6: Proper Documentation and Recording for Licenses- This control was shown to be effective by our tests.

Control 8: Software Storage and Re-installation- This control was shown to be ineffective by our tests.

Proper disposal of assets (especially hard drives): The controls for disposal and keeping records for disposal seem strong; however, information about the disposal of assets is not shared with the other departments in the system. Furthermore, the storage of hard drives before they go to destruction could be greatly improved. Our major concern is that the ineffective controls pose an opportunity for leakage of sensitive information contained on hard drives. This concern is illustrated by our testing of these controls:

Control 17: Policy to Determine if Equipment has a Hard Drive- The lack of policy means that a surplus asset may be disposed, containing a hard drive with sensitive information.

Control 22 and 23: Procedures for Hard Drive Disposal- The control seems effective, but it is inefficient because of the disposal document organization; this may introduce errors in verifying the document.

Control 20: Post Disposal Spreadsheet, Assets are Reported, Tracked and Verified- Records of the disposal of an asset are never sent to another location outside the warehouse for verification and approval.

Recommendations & Suggestions

Recommendations and Suggestions

Recommendations:

Recommendations were researched to repair the controls that were deemed the least effective through the testing phase. Knowledge Leader and internet searches were used to research the best practices regarding IT asset management systems.

General best practices:

The most relevant document found was "IT Asset Management: How to Improve the Business of IT", by Colleen O’Donnell. The article laid out four hallmarks of best-in-class IT asset management programs; these hallmarks are:

1) A central repository that contains detailed financial, contractual and physical information on assets, coupled with discovery/inventory tools that cover all the disparate platforms within the environment (hardware, network, software).

2) Processes, procedures, and policies around this information to keep it current, with people assigned responsibility/accountability for this task.

3) A well-structured and measured organization enabled to support the ongoing operational management processes and activities of the organization.

4) Perhaps most importantly, these programs have the buy-in and support of upper management.

In order to abide by the first hallmark, the DOR should compile the information found on their individual employees’ IT inventory spreadsheets into one comprehensive spreadsheet.

This will improve the asset management system by:

a) Reducing the time employees spend locating specific assets.

b) Ensuring assets are more secure by making the information about them easier to access.

c) Compiling software licenses into one location so the availability of licenses can be easily determined.

In order to abide by the second hallmark, the DOR should refer to the process maps in this document to chronicle the duties necessary to manage their IT assets. They can then create documents for each position in their organization laying out the duties and responsibilities of the individual employed in that position. This will improve the asset management system by:

a) Ensuring that specific individuals are responsible for specific duties. This will make sure every duty is being fulfilled and ensure there is accountability in the process.

b) Making the process more efficient; each employee knows specifically what they should be accomplishing.

c) Advertising who is responsible for which aspects of the process so personnel know who to go to when they need a specific piece of information.

In order to accomplish the third hallmark, the DOR should define their duties and processes, assign these duties and processes to specific employees, and create a comprehensive spreadsheet with built-in, quantifiable indicators. These tasks were recommended to accomplish the first two hallmarks and will accomplish the third hallmark by:

a) Adding performance indicators and ensuring the advice is incorporated into the processes.

b) Performance indicators will also ensure that each individual is accomplishing the duties documented in the employee packets.

In order to accomplish the fourth hallmark, the DOR must ensure that management is informed, involved, and supportive of these changes. The fourth hallmark will accomplish:

a) Organization-wide support for the new process.

b) Less resistance to changes in the system.

c) An easier conversion to the new system.

Other/ Specific recommendations:

There are four recommendations that could be easily implemented at the DOR to greatly improve the security and efficiency of their IT asset management program:

1) Purchasing a storage locker, chain, and lock to store hard drives before they are destroyed. During the testing we observed lacking controls surrounding the security of hard drives that could, potentially, contain sensitive information.

2) Purchasing a barcode scanner, compatible with Microsoft Excel, to record the hard drives as they come into the warehouse. This electronic list will be easier to compare to the disposal list obtained from GRX after destruction of the hard drives. This ensures that the list of hard drives with sensitive information is less prone to tampering and errors.

3) Altering the regulation stating that only the CIO can authorize the pickup of abandoned assets to allow technicians to pick up these assets as well. There is a tendency at the DOR for employees to dispose of obsolete IT assets by storing them in offices or hallways. This leaves assets prone to theft and misplacement. In order to reduce this risk, technicians should be able to pick up abandoned inventory and store it until the owner abandons or reclaims the asset.

Supplementary Documents
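The comparison that recommendation 2 calls for, the scanned intake list against the vendor's destruction list, is a reconciliation check, and it is worth being precise about what it should flag. The following is an added example written for this report, not code from the audit or from the DOR: it takes a constructed warehouse intake list (the kind a barcode scanner feeding Excel would produce, exported as CSV) and a constructed destruction certificate from the disposal vendor, and reports drives that were received but never certified destroyed (the data-leak concern from Control 20), drives on the certificate that were never logged in, and serials scanned twice. All serial numbers, asset tags, dates and certificate IDs are made up.

```python
import csv
import io

# Constructed sample data (not from the audit report). INTAKE_CSV stands in for
# the electronic list a barcode scanner would build as drives arrive at the
# warehouse; DESTRUCTION_CSV stands in for the list returned by the disposal
# vendor after destruction. Serials, tags and certificate IDs are made up.
# The intake list deliberately contains a lower-case serial with a stray space
# and one serial scanned twice, to show the checks handling them.
INTAKE_CSV = """serial,asset_tag,received
WD-WCC4N1234567,DOR-0101,2009-04-01
WD-WCC4N1234568,DOR-0102,2009-04-01
ST-9VS1ABCD,DOR-0103,2009-04-02
st-9vs1abce ,DOR-0104,2009-04-02
ST-9VS1ABCD,DOR-0103,2009-04-02
"""

DESTRUCTION_CSV = """serial,certificate,destroyed
WD-WCC4N1234567,GRX-CERT-001,2009-04-10
ST-9VS1ABCD,GRX-CERT-001,2009-04-10
ST-9VS1ABCE,GRX-CERT-001,2009-04-10
HT-ZZZ000001,GRX-CERT-001,2009-04-10
"""


def normalize_serial(raw):
    """Canonical form of a scanned serial. Scanners and hand entry differ in
    case and stray whitespace; without this step a drive that was in fact
    destroyed would be wrongly flagged as missing."""
    return raw.strip().upper()


def load_serials(csv_text):
    """Return (serial -> row, duplicates) for one list. A serial that appears
    twice is reported rather than silently collapsed, because a double scan or
    a pasted row is exactly the kind of record error the audit warns about."""
    rows = {}
    duplicates = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        serial = normalize_serial(row["serial"])
        if serial in rows:
            duplicates.append(serial)
        else:
            rows[serial] = row
    return rows, duplicates


def reconcile(intake_csv, destruction_csv):
    """Compare what the warehouse received with what the vendor certified.
    'unaccounted' drives were received but never certified destroyed: each is
    a possible leak of sensitive data and needs follow-up. 'unexpected' drives
    appear on the certificate but not in intake: a record-keeping gap."""
    received, intake_dups = load_serials(intake_csv)
    destroyed, cert_dups = load_serials(destruction_csv)
    return {
        "verified": sorted(set(received) & set(destroyed)),
        "unaccounted": sorted(set(received) - set(destroyed)),
        "unexpected": sorted(set(destroyed) - set(received)),
        "duplicate_scans": sorted(intake_dups + cert_dups),
    }


def report(result):
    """Plain-text summary suitable for filing with the disposal records."""
    lines = ["verified destroyed: %d" % len(result["verified"])]
    for serial in result["unaccounted"]:
        lines.append("FOLLOW UP: received but not certified destroyed: " + serial)
    for serial in result["unexpected"]:
        lines.append("CHECK RECORDS: on certificate but never logged in: " + serial)
    for serial in result["duplicate_scans"]:
        lines.append("DUPLICATE ENTRY: serial listed twice: " + serial)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(reconcile(INTAKE_CSV, DESTRUCTION_CSV)))
```

On the constructed data the check reports one drive received but not certified destroyed, one drive on the certificate that was never logged in, and one duplicate scan; the mis-cased serial with a trailing space reconciles correctly. The point of keeping the "unexpected" and "duplicate" categories separate from "unaccounted" is that only the first category is a potential data leak; the others are record-quality problems that should be corrected before the list is signed off.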

AGENDA

STATE OF COLORADO DEPARTMENT OF REVENUE

January 21, 2009

Meeting called by Internal Audit Team

Location: Classroom 320 – Leeds School of Business

Attendees: Sandra Sifuentes, Karin Rosen, Robby Mushet, Jose Giardiello, Doug Waechter

Topic 1 Introduction

Project Overview

Topic 2 Meet Clients

Discussions

Topic 3 Questions

Gather Team Contacts

Additional Instructions:

The audit team will provide the client with documents that will be used during the meeting.

AGENDA

STATE OF COLORADO DEPARTMENT OF REVENUE

February 4, 2009

12:00- 2:00 pm

Meeting called by Internal Audit Team

Location: Department of Revenue - Denver, CO

Attendees: Sandra Sifuentes, Karin Rosen, Robby Mushet, Jose Giardiello, Doug Waechter

Topic 1 Introduction

Expectations

Scope of Audit

Topic 2 Meeting with Budget Department Team

Procedures

Questions

Topic 3 Wrap Up

Suggestions from Client and Advisor

Questions

Additional Instructions:

The audit team will provide the client with documents that will be used during the meeting.

AGENDA

STATE OF COLORADO DEPARTMENT OF REVENUE

February 17, 2009

8:00-9:00am

Meeting called by Internal Audit Team

Location: Professor Marlatt’s Office S450G – Leeds School of Business

Attendees: Karin Rosen, Robby Mushet, Jose Giardiello, Doug Waechter

Topic 1 Steps for the Audit

Process Maps

Questions

Topic 2 Acquisition of Materials

White Pad and Easel

Additional Instructions:

Spoke with professor before meeting with client.

AGENDA

STATE OF COLORADO DEPARTMENT OF REVENUE

February 18, 2009

9:30- 12:00 pm

Meeting called by Internal Audit Team

Location: Department of Revenue - Lakewood, CO

Attendees: Sandra Sifuentes, Karin Rosen, Robby Mushet, Jose Giardiello, Doug Waechter

Topic 1 Introduction

Overview with Client

Topic 2 Meeting with Mike Lichvar – Enterprise Services Manager

Introduction and Procedures

Process Map

Topic 3 Steve McCarthy - Elect Engineer

Introduction and Procedures

Process Map- Shipping and Receiving

Topic 4 Lou Ennis - IT Desktop Support Manager

Introduction and Procedures

Process Map- Maintenance

Questions

Topic 5 Mark Buckingham and David Loewi - CIO

Introduction and Project Discussion

Additional Instructions:

The audit team will provide the client with documents that will be used during the meeting.

AGENDA

STATE OF COLORADO DEPARTMENT OF REVENUE

March 4, 2009

9:00- 12:00 pm

Meeting called by Internal Audit Team

Location: Department of Revenue – Lakewood, CO

Attendees: Sandra Sifuentes, Karin Rosen, Robby Mushet, Jose Giardiello, Doug Waechter

Topic 1 Introduction

Overview with Client

Topic 2 Meeting with Alison Roberts

Introduction and Procedures

Process Map

Topic 3 Meeting with Vanessa Jozef

Introduction and Procedures

Process Map

Topic 4 Meeting with Jane Henderson

Introduction and Procedures

Process Map

Topic 5 Closing Discussions

Final Questions

Additional Instructions:

The audit team will provide the client with documents that will be used during the meeting. Sandra will be writing process steps on the white board for visualization.

AGENDA

STATE OF COLORADO DEPARTMENT OF REVENUE

March 11, 2009

9:00- 12:00 pm

Meeting called by Internal Audit Team

Location: Department of Revenue – Lakewood, CO

Attendees: Sandra Sifuentes, Karin Rosen, Robby Mushet, Jose Giardiello, Doug Waechter

Topic 1 Introduction

Review Walk through Plan with Client

Topic 2 Set-up

Lay Out Process Maps in Asset Life Cycle Order

Discuss maps with visitors

Topic 4 Closing Discussion

Final Questions

Additional Instructions:

The audit team will provide the client with documents that will be used during the meeting.

AGENDA

STATE OF COLORADO DEPARTMENT OF REVENUE

March 18, 2009

9:00- 12:00 pm

Meeting called by Internal Audit Team

Location: Department of Revenue – Denver, CO

Attendees: Sandra Sifuentes, Karin Rosen, Robby Mushet, Jose Giardiello, Doug Waechter

Topic 1 Introduction

Overview of Risk Assessment

Topic 2 DOR IT Asset Risk Matrix

Reviewed Risk Averages- Significance and Likelihood

Defined and categorized each risk with Client

Topic 3 Client’s Suggestions

Ranked risks

Reorganized and Added to list of risks

Topic 4 Closing Discussion

Final Questions

Further contact arranged

Additional Instructions:

The audit team will provide the client with documents that will be used during the meeting.

AGENDA

STATE OF COLORADO DEPARTMENT OF REVENUE

April 10, 2009

10:00- 12:00 pm

Meeting called by Internal Audit Team

Location: Department of Revenue - Lakewood, CO

Attendees: Sandra Sifuentes, Robby Mushet, Jose Giardiello, Doug Waechter

Topic 1 Introduction

Overview with Client

Topic 2 Testing

Meeting with Maria Armenta, Jane Henderson, Brad Denning and Cindy Witka

Test RFS# Controls

Test licensing Controls

Test global drive Controls

Topic 3 Compile Information

Discuss test results

Additional Instructions:

The audit team will provide the client with documents that will be used during the meeting.

AGENDA

STATE OF COLORADO DEPARTMENT OF REVENUE

April 15, 2009

9:30- 12:00 pm

Meeting called by Internal Audit Team

Location: Department of Revenue - Lakewood, CO

Attendees: Sandra Sifuentes, Karin Rosen, Robby Mushet, Jose Giardiello, Doug Waechter

Topic 1 Introduction

Overview with Client

Topic 2 Testing

Meeting with Vanessa Jozef, Brandon and Maria Armenta

Test RFS sheet Controls

Test super user controls

Topic 3 Wrap Up

Overview of testing results

Additional Instructions:

The audit team will provide the client with documents that will be used during the meeting.

AGENDA

STATE OF COLORADO DEPARTMENT OF REVENUE

April 17, 2009

10:00- 11:00 pm

Meeting called by Internal Audit Team

Location: Department of Revenue - Lakewood, CO

Attendees: Karin Rosen, Jose Giardiello, Doug Waechter

Topic 1 Introduction

Meeting with Roy Mitze

Topic 2 Testing

Test spreadsheet and acquisition controls

Test hard drive and disposal controls

Test warehouse security

Additional Instructions:

The audit team will provide the client with documents that will be used during the meeting.