State of Colorado Department of Revenue IT Audit
UNIVERSITY OF COLORADO AT BOULDER
Created by Jose Giardiello, Robby Mushet, Karin Rosen, Sandra Sifuentes, Douglas Waechter
4/29/2009
Table of Contents
Engagement Summary
    Engagement Letter
Audit Plan
    Audit Arrangement Summary
    Audit Objectives and Background
    Audit Scope
    Internal Audit Planning Memorandum
Infrastructure Understanding
    DOR Infrastructure
    DOR Information Technology Division Organization Chart
    Colorado DOR Functional Organization Chart
    Acquisition As-is Process Map
    Installation As-is Process Map
    Maintenance As-is Process Maps
    Disposal As-is Process Map
Risk Assessment
    Introduction of Risk Assessment
    Prioritizing Business Risk
    DOR IT Asset Risk Matrix (Table)
    DOR IT Asset Risk Matrix (Graph)
    DOR IT Asset Risk Matrix Summary (Table)
    DOR IT Asset Risk Matrix Summary (Graph)
    Controls of Risks
    Control/Risk Matrix
Tests and Findings
    Test Plans
    DOR Test Forms
    Findings Summary
Recommendations
    Recommendations and Suggestions
Supplementary Documentation

Engagement Summary
Internal Audit Engagement Letter
March 11, 2009
Accounting Information Systems 2
Leeds Schools of Business Boulder, CO 80303
Dear Matthew Morgan,
The Internal Audit Team is planning its audit for the Department of Revenue. The objectives of this audit will be:
Establish procedures and develop a pilot audit program to be used as a guide and followed in future audits.
Audit IT assets through their life cycle, from acquisition, installation, and maintenance through to disposal.
Provide risk and control assessments as they relate to managing IT assets, along with recommendations to solve any problem.
Enhance awareness of inventory management and internal control structure.
The proposed timetable for this audit is as follows:
Start date in the field: February 4, 2009
Estimated weeks to complete: 12
The audit team will include the following members:
Jose Giardiello
Robert Mushet
Sandra Sifuentes
Doug Waechter
Karin Rosen

Our goal is to perform an effective and efficient audit. We will need your staff to provide us with documents and procedures upon request.
At the conclusion of our audit, we will discuss audit results and potential recommendations with management of the audited area before scheduling an exit conference with you. Prior to the exit conference, you will receive a draft audit report. After the exit conference, a final audit report will be delivered to you with a request for formal management responses to include in the audit report.
Our mission is to help you achieve your inventory objectives by providing you with information about the effectiveness of internal control and by recommending courses of action which will improve performance.
If you have any questions about this audit, please do not hesitate to contact us.
Sincerely,
The Inventory Asset Management Team
Audit Plan
Audit Arrangement Summary
A well-written audit report is a highly effective tool for management to bring about positive change and to improve controls, risk management, accuracy of information, and the underlying process reviewed. This audit report, as should future ones, considers the following:
Objectives and background
o Why and what area was selected for the audit
o History of past issues
o What are the key aspects, risks and objectives of the area reviewed
Scope
o Which facets of operations are included in the scope
o Range of the work and when it is performed
o What key risks does the work address
Planning memorandum and key concepts
o Significant aspects of the infrastructure
Findings
o The overall findings from tests and risk matrixes
o The severity of the findings
o Issues to be addressed and reviewed
Recommendations
o What actions must management take to adequately address the audit findings
o Track confirmed positive resolutions
o Industry best practices
Audit Objectives and Background
Project Purpose:
The main focus of this project is to create a pilot audit plan for the Department of Revenue which they will be able to use in future internal audits. This pilot audit plan will actually be used to audit a piece of the inventory asset management system. Recommendations for possible risks will be included in the audit. The main goal is to enhance awareness of inventory management at the Department of Revenue by enhancing their internal control structure, reducing asset management risk, and creating a guide for future audits.
Background of Project: Jim Marlatt, a professor at the University of Colorado at Boulder, made contact with Matthew Morgan, the Internal Audit Manager of the Colorado Department of Revenue (DOR). During their initial contacts they agreed to use student help to aid the DOR Internal Audit Department with its asset management system. After the project was presented to the students, five of them agreed to work together to help Matthew Morgan and the DOR Internal Audit Department prepare an audit plan.
Past Issue History:
The following list has been created by Matthew Morgan
There are no previous risk assessments completed by the Internal Audit Section
There are budget/financial limitations on the department
There have been security control risks
Controls around disposition and inventory management could be enhanced
Objectives of DOR:
These objectives have been created by Matthew Morgan
1. Provide a description of current processes to manage software and hardware, including how purchases, disposals and transfers are managed.
2. Develop a risk assessment as it relates to managing IT assets and develop an audit program that addresses these risks that can be used by the Department’s staff going forward.
Objectives of the Audit team:
1. Establish procedures and develop an audit program to be used as a guide and followed in future audits.
2. Audit IT assets through the entire life cycle: acquisition, installation, maintenance, and disposal.
3. Provide risk and control assessments related to the IT asset life cycle, along with recommendations to solve any problems identified.
Audit Scope
Project In-Scope:
1. Develop a pilot internal audit program to provide guidelines for future audits
a. Provide a comprehensive audit plan that can be used by DOR internal auditors in future audits.
b. The audit plan will be delivered in the form of an actual audit of IT assets with supplemental information to show how the internal audit work was actually performed.
2. Execute actual internal audit program
a. Matthew Morgan, the Internal Audit Manager of DOR, will be provided with an audit of IT assets.
a.i. If the entire audit has been completed and if time permits, the team will perform a second audit of different IT assets chosen by Matthew Morgan.
b. The audit will cover the acquisition, installation, maintenance, and disposal of IT assets.
3. Provide evaluation of process and control design, as well as testing methods to determine the operating effectiveness of controls.
a. Provide a prioritized risk assessment
b. Verify control procedures exist for all risks
4. Provide solutions and recommendations to improve flagged procedures
a. Recommend formal control procedures that are documented and tested frequently
b. Offer recommendations to address the findings
Project Out-of-Scope:
Provide a description of information technology infrastructure
Planning for hardware and software upgrades
The Department consolidation of multiple tax processing systems into a single, integrated system
Physical inventory count
The Lottery Division
Examination of current budget allocation
Full understanding of legal and state compliance
Colorado State Titles and Registration (CSTAR)
Approval stage of an IT asset during its acquisition
The audit of mobile IT devices (cell phones, USB drives)

Memorandum: Internal Audit Planning
To: Matt Morgan
Date: Monday, February 18, 2009
Company: Department of Revenue
From: DOR Asset Management Student Audit Team
Internal Audit Team Members:
Name, E-mail, Contact Phone #
Jose Giardiello, [email protected], (720) 982-6563
Sandra Sifuentes, [email protected], (303) 746-5555
Doug Waechter, [email protected], (715) 572-0503
Karin Rosen, [email protected], (507) 236-0773
Robby Mushet, [email protected], (415) 233-0616
Duration of the Audit: The internal audit will begin with our first meeting with Matt Morgan, the Internal Audit Manager, on February 4th, and will end with a final presentation of our findings on April 29th. It is anticipated that the final draft of the deliverable will be presented on April 29th, the date of our presentation to the client.
Location of the Internal Audit:
The audit will take place in any of the Front Range Department of Revenue locations necessary to attaining the audit objectives laid out in this document.
Key Department of Revenue Contacts:
Contact, Position, Company, E-mail, Contact Phone #
Matt Morgan, Internal Audit Manager, Department of Revenue, [email protected], (303) 866-3803
Lou Ennis, Desktop Support Manager, Department of Revenue, [email protected], (303) 205-1380
Roy Mitze, Warehouse Logistics/Program Asst, Department of Revenue, [email protected], (303) 205-5651
Maria Armentas, Budget Analyst, Department of Revenue, [email protected], (303) 205-5718
Vanessa Jozef, IT Pro, Department of Revenue, [email protected], (303) 205-1386
Alison Roberts, IT Pro, Department of Revenue, [email protected], (303) 205-8340

Standard Definitions for Internal Audits:
The following definitions are provided by the COSO Internal Control – Integrated Framework. The SEC and PCAOB have acknowledged that the COSO framework is a suitable framework for evaluating internal control over financial reporting.
Risk Assessment – This component is the entity’s identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.
Control Environment – Sets the tone of an organization, influencing the control consciousness of its people. This is the foundation for all other components of internal control, providing discipline and structure.
Information and Communication – This component consists of processes and systems that support the identification, capture and exchange of information in a form and time frame that enable people to carry out their responsibilities.
Internal Control – It is a process, a means to an end, not an end in itself. It is effected by people. Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
Audit Plan Models:
The following models were used to establish the DOR IT audit and audit plan.
The Global Technology Audit Guide (GTAG): Developing an IT Audit Plan, by the Institute of Internal Auditors
Guide to Internal Audit: Frequently Asked Questions About Developing and Maintaining an Effective Internal Audit Function, second edition, by Protiviti
Protiviti Risk Assessment Workshop Presentation.ppt template
Deliverables: The project deliverables will consist of the following:
Audit Arrangement Summary
Audit Objectives and Background
Audit Scope
Internal Audit Planning Memorandum
Infrastructure Understandings
As-is process maps
Risk assessments
Audit Findings and Report
Recommendations and Best Practices
Work Papers/Testing Documentation
Meeting Minutes
It is planned that the above deliverables will be split into two phases. The first deliverable will consist of the audit plan and will be delivered on February 25th and the second will be delivered on April 29th, which will contain all of the audit findings.
Schedule:
Date                                Task
February 4th, 2009                  Field work at client
February 18th, 2009                 Review audit plan, understand and map processes
February 25th, 2009                 First deliverable due, work on as-is process maps
March 4th, 2009                     Field work at client, work on as-is process maps
March 11th, 2009                    Field work at client, do the “walk-through,” finish as-is process maps, turn in upgraded first deliverable
March 18th, 2009                    Begin risk assessment
April 6th 2009 – April 15th 2009    Finish risk assessment, test for controls, audit IT asset and finish the audit
April 22nd 2009                     Present draft presentations for feedback
April 29th 2009                     Final presentations to the client and final deliverable due
May 6th 2009                        Present final presentation at the DOR

Infrastructure Understanding
DOR Infrastructure
Getting started with the right perspective is crucial in creating a successful audit plan. Having fundamental knowledge of the organization’s infrastructure will help auditors assess unique risks and how technology supports existing models. Auditors can use different internal resources to identify and understand the organization, some of which include:
Vision statements
Strategic plans
Organization charts
As-is process maps
After becoming familiar with the organization, the next step is to identify key processes and significant applications that are critical to the success of the Department of Revenue.
Key Processes
The following processes make up the IT asset life cycle within DOR.
1. Acquisition
2. Installation
3. Maintenance
4. Disposal

Significant Applications
The following applications are frequently used within DOR.
Altiris – This application specializes in service-oriented management software, allowing organizations to manage IT assets.
Problem Solve – A program in which technicians can view ongoing problems with IT assets, log solutions, and archive each problem.
Risk Assessment
Introduction of Risk Assessment
The risk and controls matrix is a tool used in the scoping stage of an IT audit to identify the risks in a specific procedure and the controls that mitigate them. For the Department of Revenue, the asset management team examined the risks and controls associated with continuity and assessed, categorized, and prioritized the current infrastructure within the risk and controls matrix.
Definition of Business Risk: The level of exposure to uncertainties that the enterprise must understand and effectively manage as it achieves its objectives and creates value.
It is not just about threats; there is an upside as well as a downside.
Risk is not about a single point estimate.
Exposure and uncertainty are important factors.

Things to Consider:
Risk is a fact of life; life is constantly changing and is uncertain.
All management is essentially risk management.
Many risk management activities are well defined and accountability has been assigned. For risks that have not been defined/assigned, risks can “slip between the cracks” and/or be managed inconsistently due to individual perceptions of the significance of the risk.

Identifying Business Risks:
Think about risks from the point of view within DOR, considering goals and objectives.
o Identify Inherent Risks
o Must identify risks that are inherent in the organization regardless of the internal controls
Whether a risk is actually being controlled is not known until the control is tested.

Questions to Identify Risks:
Where do you devote considerable internal effort in order to control?
What areas receive considerable management reporting?
Where have you devoted significant resources?
What wouldn’t you want on the front page of the newspaper?
What are key obstacles to taking advantage of opportunities?
What do other States do better?
What keeps you up at night? What do people complain about within the organization?
If you could fix one thing at the company, what would it be?
Prioritizing Business Risks
Two variables of Business Risk:
1. Significance
o How big of an impact would this risk have if it were to occur?
o Impact could be in many areas, including financial, reputation, human resources, etc.
2. Likelihood
o Consider how likely it is that this risk would actually occur given the inherent uncertainties in your business.
o Don’t consider the mitigating effects of internal controls.

Significance Scale: You can rank the ‘significance’ of your key business risks using the scale described below.
Level Descriptor Business Impact Description
7,8,9 Major Very significant financial loss and ultimately could jeopardize the ability of the organization to continue without major changes. May require regulatory communication. Very significant efficiency problems. Very high public scrutiny.
4,5,6 Moderate Financial loss is moderate, could be significant, and may require public disclosure. Management involved with issue and focused on completing it within a timely manner. Efficiency problems are moderate. Public scrutiny is moderate to none.
1,2,3 Insignificant Little financial loss. May not require attention of management. Process changes likely not required in response to risk occurrence. Little efficiency problems. No public scrutiny.
Likelihood Scale: You can rank the ‘likelihood’ of your key business risks using the scale described below.
Level Descriptor Likelihood Description
7,8,9 Probable The future event or events are expected to occur in most circumstances.
4,5,6 Possible The chance of the future event or events is more than remote but less than probable.
1,2,3 Remote The future event or events may occur only in exceptional circumstances.
Risk category and placement: After identifying the inherent risks within the Department of Revenue, the risks were ranked within a Significance/Likelihood Scale. The risk chart and matrix is detailed on the following page.

Risk Matrix

List of Risks                                              Significance   Likelihood
Control System Processes
R1 - Reporting confusion                                        4.5            8.0
R2 - Unclear duties                                             6.5            8.5
R3 - Non-standardized practices                                 7.0            8.5
R4 - Non-collaboration with the accounting department           7.5            9.0
R5 - Segregation of duties                                      9.0            4.0
Spread Sheet Issues
R6 - Spreadsheet location/multiplicity                          3.0            7.0
R7 - Lack of confirmation/verification of spreadsheets          6.5            6.0
R8 - Design of spreadsheet                                      3.0            7.0
R9 - Access to spreadsheets                                     7.0            5.0
PII Liability
R10 - PII Becomes exposed                                       9.0            5.5
Non-Budget Purchases
R11 - Non-approved purchases                                    3.5            3.0
R12 - Delivery of assets                                        3.0            5.0
R13 - Pro-card controls                                         3.0            3.5
Misplacement/Storage Issues
R14 - Warehouse security access                                 7.0            5.0
R15 - Surplus Storage                                           3.5            6.5
R16 - Misplacement of assets (outside warehouse)                7.0            7.0
R17 - Untagged assets                                           4.0            4.5
Software Controls
R18 - Licensing storage inefficiency                            3.0            8.0
R19 - Software copyright violation                              5.0            8.0
Hard Copy Documentation
R20 - Lack of hard copy sign offs                               8.5            7.0
R21 - Hard copies are incomplete                                8.5            7.0
R22 - Hard copy security                                        8.5            7.0

Risk Matrix - Summary

List of Risks                        Significance   Likelihood
1 - Control System Processes             6.90           7.60
2 - Spread Sheet Issues                  4.88           6.25
3 - PII Liability                        9.00           9.00
4 - Non-Budget Purchases                 3.17           3.83
5 - Misplacement/Storage Issues          5.38           5.75
6 - Software Controls                    4.00           8.00
7 - Hard Copy Documentation              8.50           7.00

KEY (both tables)
Significance: Major 9, High 7, Significant 5, Moderate 3, Insignificant 1
Likelihood: Almost Certain 9, Probable 7, Reasonably Possible 5, Unlikely 3, Remote 1
Controls of Risks
In order to address and mitigate all of the risks identified and prioritized, a list of controls was generated and added to the risk matrix. Whether a risk was actually being controlled could only be known once the control was tested. Controls were identified on the following basis:
Controls were identified throughout the as-is process, and thus recorded in the as-is process maps
Often several risks are mitigated by one control activity
Manual and automated controls were both identified
Controls could be preventive (stop a risk from occurring)
Controls could be detective (identify a risk that has occurred)
Controls could be corrective (correct a risk that has occurred)
Controls were the link between the inherent risks and the actual process
The control/risk matrix is detailed on the following page.
Tests and Findings
Test Plans
A high-quality audit report has overall findings from audit tests and control tests. These tests are highly effective tools for management to bring about positive change and to improve controls. During the Department of Revenue IT asset management audit, the tests performed and planned pertained to:
The controls which are inherent in the highly likely and very significant risks
Above a six on the Likelihood risk prioritizing scale
Above a six on the Significance risk prioritizing scale
The IT asset life cycle: acquisition, installation, maintenance, disposal
A randomly chosen IT asset sample
In-scope and out-of-scope testing
Controls 11, 12, 13, 15, 16, and 21 were not tested because they moved away from IT asset management and/or the related risks were not significant enough. The Control 5 test was omitted from the deliverable due to insufficient evidence.
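The summary table, the ranking of risk categories and the “above a six on both scales” selection rule are simple enough to reproduce mechanically, and doing so surfaces two things that are hard to see by eye: R10 (PII becomes exposed) scores 9.0/5.5 on its own row but the summary table lists PII Liability as 9.00/9.00, and the test forms cite a risk R23 that the Risk Matrix does not define. The Python below is an added example, not part of the original report. The scores are the report’s own Risk Matrix values and the control-to-risk map is copied from the test forms reproduced on this page (C1 to C4 and C6 only; C5 was omitted and later forms are not shown, so “uncovered” here means “not covered by a form shown on this page”). The grouping, ranking, threshold and coverage logic are the example’s own and are not how the audit team actually did the arithmetic.

```python
"""Risk-matrix arithmetic for the DOR IT asset audit (added example).

Scores are copied from the report's Risk Matrix; the control-to-risk map
is copied from the test forms shown on the page (C1-C4, C6). Everything
else here is this example's own logic, not the report's method.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Risk:
    rid: int
    name: str
    category: str
    significance: float  # 1 insignificant .. 9 major
    likelihood: float    # 1 remote .. 9 almost certain


CSP, SS, PII, NBP, MS, SC, HC = (
    "Control System Processes", "Spread Sheet Issues", "PII Liability",
    "Non-Budget Purchases", "Misplacement/Storage Issues",
    "Software Controls", "Hard Copy Documentation",
)

# Rows of the report's Risk Matrix.
RISKS = [
    Risk(1, "Reporting confusion", CSP, 4.5, 8.0),
    Risk(2, "Unclear duties", CSP, 6.5, 8.5),
    Risk(3, "Non-standardized practices", CSP, 7.0, 8.5),
    Risk(4, "Non-collaboration with the accounting department", CSP, 7.5, 9.0),
    Risk(5, "Segregation of duties", CSP, 9.0, 4.0),
    Risk(6, "Spreadsheet location/multiplicity", SS, 3.0, 7.0),
    Risk(7, "Lack of confirmation/verification of spreadsheets", SS, 6.5, 6.0),
    Risk(8, "Design of spreadsheet", SS, 3.0, 7.0),
    Risk(9, "Access to spreadsheets", SS, 7.0, 5.0),
    Risk(10, "PII becomes exposed", PII, 9.0, 5.5),
    Risk(11, "Non-approved purchases", NBP, 3.5, 3.0),
    Risk(12, "Delivery of assets", NBP, 3.0, 5.0),
    Risk(13, "Pro-card controls", NBP, 3.0, 3.5),
    Risk(14, "Warehouse security access", MS, 7.0, 5.0),
    Risk(15, "Surplus storage", MS, 3.5, 6.5),
    Risk(16, "Misplacement of assets (outside warehouse)", MS, 7.0, 7.0),
    Risk(17, "Untagged assets", MS, 4.0, 4.5),
    Risk(18, "Licensing storage inefficiency", SC, 3.0, 8.0),
    Risk(19, "Software copyright violation", SC, 5.0, 8.0),
    Risk(20, "Lack of hard copy sign offs", HC, 8.5, 7.0),
    Risk(21, "Hard copies are incomplete", HC, 8.5, 7.0),
    Risk(22, "Hard copy security", HC, 8.5, 7.0),
]

# "Assoc. Risks" as listed on the test forms reproduced on the page.
CONTROL_RISKS = {
    "C1": {7, 21, 22, 23},
    "C2": {2, 3, 6, 7, 8, 9, 22},
    "C3": {7, 14, 21, 22, 23},
    "C4": {2, 3, 5, 11, 12, 13},
    "C6": {1, 2, 3, 6, 7, 8, 9, 18, 19},
}


def category_summary(risks=RISKS):
    """Mean significance and likelihood per category, rounded to 2 places
    (the arithmetic behind the report's Risk Matrix - Summary table)."""
    groups = {}
    for r in risks:
        groups.setdefault(r.category, []).append(r)
    return {
        cat: (round(mean(r.significance for r in rs), 2),
              round(mean(r.likelihood for r in rs), 2))
        for cat, rs in groups.items()
    }


def rank_categories(risks=RISKS):
    """Categories ordered by exposure (significance x likelihood), highest first."""
    summary = category_summary(risks)
    return sorted(summary, key=lambda c: summary[c][0] * summary[c][1], reverse=True)


def risks_to_test(risks=RISKS, threshold=6.0):
    """Risk ids selected by the Test Plans rule: both scores strictly above six.
    Note R7 (6.5 / 6.0) is excluded because 6.0 is not above six."""
    return [r.rid for r in risks if r.significance > threshold and r.likelihood > threshold]


def coverage_gaps(risks=RISKS, control_risks=CONTROL_RISKS, threshold=6.0):
    """Return (uncovered, dangling): selected risks that no listed control
    maps to, and risk ids cited by a control that the matrix does not define."""
    known = {r.rid for r in risks}
    covered = set().union(*control_risks.values())
    uncovered = [rid for rid in risks_to_test(risks, threshold) if rid not in covered]
    dangling = sorted(covered - known)
    return uncovered, dangling


if __name__ == "__main__":
    summary = category_summary()
    for cat in rank_categories():
        sig, lik = summary[cat]
        print(f"{cat:30} significance={sig:5.2f} likelihood={lik:5.2f}")
    print("risks selected for testing:", risks_to_test())
    print("uncovered / dangling:", coverage_gaps())
```

Run stand-alone, the script reproduces every row of the summary table except PII Liability, where the report’s 9.00/9.00 cannot be derived from R10’s 9.0/5.5, ranks Hard Copy Documentation as the highest-exposure category, selects R2, R3, R4, R16 and R20 to R22 for testing, and reports R4, R16 and R20 as not mapped to any control form shown here and R23 as a dangling reference.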
Each test is designed to test specific controls and contains all observations, results, and recommendations. The testing of IT assets through the IT asset life cycle was intertwined in the testing of specific controls. The information included in the tests is as follows:
Process: Which section of the IT asset life cycle the control takes place.
Control Activity: Description of the control.
Control # and Associated Risk: What control/risk it is as reference to the control/risk matrix.
Risk/Control Type: Identifies the priority of the key control; since all tests are associated with highly likely and very significant risks, all the risk/control types are primary.
Assigned To: Who or what department has the most frequent interaction with the control.
Closed Date: The date on which the audit ends.
Frequency: The fiscal period for the test; all of the tests were done in the annual fiscal period, which ends in June.
Control Objective: Defines the control.
Walkthrough Documentation: Documentation most likely viewed and tested for that control.
Operating Effectiveness – Test Steps: Planned audit steps and questions before execution of the actual test.
Test Performed By: Everyone from the audit team or the Internal Audit office involved in executing the test.
Approved By: The Internal Audit Manager who approved the test.
Date of Validation: Date during which the test took place.
Completed By: The primary person in charge of completing the test form.
Sample Details: Details about the sample.
Period Tested: The period covered by the test.
Validation Results/Findings: Observations and findings during the audit.
Effective Control:
Yes: The control effectively mitigates the risk
No: The control is missing or it does not mitigate the risk
N/A: Not applicable
Other: Other or the control will effectively mitigate the risk after small modifications to the current process
Comments / Recommendations: Further explanation and recommendations if applicable.
The tests are on the following pages.

DOR Test Forms
Process: Acquisition
Control Activity: Storage of IT asset hard copies
Control #: C1
Risk/Control Type: Primary
Assoc. Risks: R 7, 21, 22, 23
Assigned To: Budget
Control Objective: To securely store and complete the IT acquisition asset (RFS purchase orders) hard copies.
Closed Date: 4/29/09
Frequency: Annual

Walkthrough Documentation
1. RFS forms
2. Receiving Documentation
3. Approval Packets
4. Payment voucher

Operating Effectiveness - Test Steps
1. Evaluate storage of IT acquisition forms.
2. Verify forms are complete.
3. Check that all documentation is done similarly.

Test Performed By: Sandra Sifuentes, Jose Giardiello
Approved By: Matthew Morgan
Date of Validation: 4/10/09
Completed By: Jose Giardiello

Sample Details
What is being tested? Asset RFS # 11963, 11908, 11899, 11914, 12030, 12083
What is the population? (List the entire population or reference the source the population sample was gathered from.) Population of 45 completed orders
How were items chosen? Items chosen by random number generator in Excel
Period Tested: From July 2008 To February 2009

Validation Results/Findings
1) There is clear organization when it comes to the storage of IT hard copy acquisition forms
2) All RFS# tested were properly stored in their respective locations and securely stored in the proper office
3) All RFS# tested had proper sign offs/authorizations
4) All RFS# tested had complete receiving documentation, approval packets, and payment vouchers
5) RFS#11899 had proper supplement information in the form of RFS#11899A
6) RFS#11963 was found in its proper place although it had last year’s date, which was correct due to the fiscal year date
7) A hardware RFS#, RFS#12083, was chosen randomly during the test; it was tested and the findings show proper documentation including the packing slip from the warehouse, signatures, pro-card forms and payment vouchers

Effective Control: [X] Yes  [ ] No  [ ] N/A  [ ] Other, please specify in comments section below
(If not in compliance with required practice, provide further explanation below, e.g. action taken, reference to action plan created, etc.)

Comments / Recommendations
Operating Effectiveness: Effective organization and storage
Comments: Templates are used for the RFS form, which is effective in maintaining proper and similar documentation. All RFS# had digital copies of the physical forms, which were recorded in a secure global spreadsheet (refer to test/control #2).
Recommendations: None
Process: Acquisition
Control Activity: Updated RFS Spreadsheet
Control #: C2
Risk/Control Type: Primary
Assoc. Risks: R 2, 3, 6, 7, 8, 9, 22
Assigned To: Budget
Control Objective: RFS documents are being consolidated and kept up to date in a global spreadsheet.
Closed Date: 4/29/09
Frequency: Annual

Walkthrough Documentation
1. RFS forms
2. Receiving Documentation
3. Approval Packets
4. Payment voucher
5. Global Spreadsheet

Operating Effectiveness - Test Steps
1. Check for access to the spreadsheet.
2. Test for completion of the spreadsheet.
3. Check that the correct people have access to the global spreadsheet.

Test Performed By: Sandra Sifuentes, Jose Giardiello, Matthew Morgan
Approved By: Matthew Morgan
Date of Validation: 4/10/09
Completed By: Jose Giardiello

Sample Details
What is being tested? Asset RFS # 11963, 11908, 11899, 11914, 12030, 12083
What is the population? (List the entire population or reference the source the population sample was gathered from.) Population of 45 completed orders
How were items chosen? Items chosen by random number generator in Excel
Period Tested: From July 2008 To February 2009

Validation Results/Findings
1) Everyone at the DOR can view the global spreadsheet within the intranet
2) Only 5 people can make changes to the spreadsheet; those 5 people have a password to be able to make changes
3) The password has not been changed at all since its creation
4) Remote connectivity checked with Matt Morgan: people without passwords cannot make changes and can only save a copy of the spreadsheet
5) All RFS# were found in the spreadsheet; all RFS# had all the documentation the hardcopies had
6) RFS#11899 had proper supplement information in the form of RFS#11899A
7) A hardware RFS#, RFS#12083, was chosen randomly during the test; it was tested and the findings show all the proper copies of hardcopy documentation
8) CIO needs to approve all orders above $10,000
9) The spreadsheet is kept up to date by the budget staff only to what they know/work on, i.e. budget

Effective Control: [ ] Yes  [ ] No  [ ] N/A  [X] Other, please specify in comments section below
(If not in compliance with required practice, provide further explanation below, e.g. action taken, reference to action plan created, etc.)

Comments / Recommendations
Operating Effectiveness: Effective control, except that the password has not been changed at all since its creation and the spreadsheet is not fully updated
Comments: Control #1 and #2 are connected; since very few people can change the spreadsheet, the hardcopies must match the copies on the intranet, which in our tests they do
Recommendations:
Change the global spreadsheet password regularly
Have one consolidated spreadsheet that is frequently updated
Process: Installation
Control Activity: Verification of asset during receiving phase
Control #: C3
Risk/Control Type: Primary
Assoc. Risks: R 7, 14, 21, 22, 23
Assigned To: Warehouse Logistics
Control Objective: Assets are being properly accounted for and kept up to date in a global document.
Closed Date: 4/29/09
Frequency: Annual

Walkthrough Documentation
RFS forms
Receiving Documentation
Updated document with received asset

Operating Effectiveness - Test Steps
1. Check RFS forms match receiving forms.
2. Check for proper signatures in regards to the receiving of an asset.
3. Test for completion of the spreadsheet.

Test Performed By: Karin Rosen, Jose Giardiello, Doug Waechter
Approved By: Matthew Morgan
Date of Validation: 4/17/09
Completed By: Jose Giardiello

Sample Details
What is being tested? Asset RFS # 11963, 11908, 11899, 11914, 12030, 12083
What is the population? (List the entire population or reference the source the population sample was gathered from.) Population of 45 completed orders
How were items chosen? Items chosen by random number generator in Excel
Period Tested: From July 2008 To February 2009

Validation Results/Findings
1) All RFS forms are copies of the global spreadsheet
2) All RFS forms kept in the warehouse are copies of the first 2-3 pages of the RFS packets kept in the budget office
3) Once an asset is delivered, the packing slip gets put into the corresponding RFS packet
4) Not all assets that arrive have packing slips; this is a third-party malfunction, not a DOR one. Those assets without a packing slip are held in the warehouse until they are claimed by someone; only then will the RFS packets be completed
5) Once an asset is received, the global spreadsheet (the budget one) gets updated (the date the asset is received is added)
6) All RFS# tested matched the receiving forms, including RFS#12083 (the hardware RFS that was randomly chosen during the test for control #1)

Effective Control: [X] Yes  [ ] No  [ ] N/A  [ ] Other, please specify in comments section below
(If not in compliance with required practice, provide further explanation below, e.g. action taken, reference to action plan created, etc.)

Comments / Recommendations
Operating Effectiveness: Missing packing slips are not a DOR control failure
Comments: Templates are used for the RFS form, which is effective in maintaining proper and similar documentation
Recommendations: Since packing slips are used as a “signature” to verify a received asset, and some assets arrive without one, use other verification methods (beyond the global spreadsheet verification)
Process: Installation
Control Activity: Who receives the asset?
Control #: C4
Risk/Control Type: Primary
Assoc. Risks: R 2, 3, 5, 11, 12, 13
Assigned To: Warehouse
Control Objective: To verify who receives the purchased item when first delivered to the warehouse.
Closed Date: 4/29/09
Frequency: Annual
Walkthrough Documentation
1. Asset packing slip
Operating Effectiveness - Test Steps
1. Determine who receives the asset when first delivered.
2. Check for documentation and signatures that verify the delivery.
3. Confirm this process is done in a timely manner.
Test Performed By: Doug Waechter, Karin Rosen
Approved By: Matthew Morgan
Date of Validation: 4/17/2009
Completed By: Karin Rosen
Sample Details What is being tested? Warehouse logistics
Period Tested From July 2008 To February 2009
Validation Results/Findings 1) Personnel from the warehouse receive the asset along with the packing slip.
2) They have the packing slip signed by the warehouse manager.
3) The equipment is then left in the warehouse until it is tagged and given to the user. The packing slip is stored with the RFS# form in hardware or software binders.
4) There seemed to be no specific assignment as to who receives the asset or when the slip needs to be signed by the warehouse manager.
Effective Control: [ ] Yes [ ] No [ ] N/A [x] Other, please specify in comments section below
Comments / Recommendations
Operating Effectiveness There is documentation that is kept to verify that the warehouse has received the asset but there is no specific process for receiving an asset.
Recommendations There should be a specific, documented order about how an asset is received. There should be guidelines on how quickly a packing slip needs to be signed by the warehouse manager.
Process: Installation
Control Activity: Proper documentation and recording for licenses
Control #: C6
Risk/Control Type: Primary
Assoc. Risks: R 1, 2, 3, 6, 7, 8, 9, 18, 19
Assigned To: Budget and Technicians
Control Objective: To securely complete and store the proper licensing records, electronic and hard copies.
Closed Date: 4/29/09
Frequency: Annual
Walkthrough Documentation
1. RFS forms
2. Approval Packets
3. License Certificate
Operating Effectiveness - Test Steps
1. Evaluate storage of IT Licenses.
2. Verify forms are complete.
3. Check that all documentation is done similarly.
Test Performed By: Sandra Sifuentes, Doug Waechter, Karin Rosen
Approved By: Matthew Morgan
Date of Validation: 4/12/09
Completed By: Sandra Sifuentes
Sample Details
What is being tested? Asset RFS #: 11963, 11908, 11899, 11914, 12030
What is the population? (List the entire population or reference where the population source.) Sample gathered from a population of 45 completed orders
How were items chosen? Items chosen by random number generator in Excel
Period Tested: From July 2008 To February 2009
Validation Results/Findings 1) There is clear organization when it comes to the storage of IT hard copy license certificates
2) All RFS# tested were properly stored in their respective locations and securely stored in the proper office
3) All RFS# tested had proper sign offs/authorizations
4) All RFS# tested had complete license documentation
5) Both budget employees and technicians had copies of electronic and hardcopy licenses in their records
Effective Control: [x] Yes [ ] No [ ] N/A [ ] Other, please specify in comments section below
Comments / Recommendations
Operating Effectiveness
Effective organization and storage
Comments Templates are used for RFS packets, which is effective in maintaining proper licensing documentation
Recommendations None
Process: Installation
Control Activity: Warehouse spreadsheet is complete
Control #: C7
Risk/Control Type: Primary
Assoc. Risks: R 2, 3, 6, 7, 8, 9, 14, 15, 21, 22
Assigned To: Warehouse
Control Objective: To confirm that the global warehouse spreadsheet is complete with all information pertaining to new assets.
Closed Date: 4/29/09
Frequency: Annual
Walkthrough Documentation
1. Asset RFS forms
2. Global spreadsheet
Operating Effectiveness - Test Steps
1. Randomly select 5 RFS numbers from the list.
2. Verify that the information on the RFS forms matches the information on the global spreadsheet.
3. Check to see if the spreadsheet is correctly filled out for the complete life cycle of an asset.
4. Confirm that a uniform process is being used for the entire spreadsheet.
Test Performed By: Karin Rosen, Doug Waechter, Jose Giardiello
Approved By: Matthew Morgan
Date of Validation: 4/17/09
Completed By: Jose Giardiello
Sample Details
What is being tested? Asset RFS #: 11963, 11908, 11899, 11914, 12030, 12083
What is the population? (List the entire population or reference where the population source.) Sample collected from a population of 45 completed orders
How were items chosen? Items chosen by random number generator in Excel
Period Tested: From July 2008 To February 2009
Validation Results/Findings 1) The randomly selected RFS# were found in the hardware or software binders kept by the warehouse manager.
2) The information on the spreadsheet matched the information on the hard copies.
3) The spreadsheet was correctly filled out. However, the spreadsheet was not updated after the asset was disposed of.
4) The "order status" and "est. delivery date" columns were uniformly filled out. However, there were some columns filled out incorrectly by different departments.
Effective Control: [ ] Yes [x] No [ ] N/A [ ] Other, please specify in comments section below
Comments / Recommendations
Operating Effectiveness
This control is somewhat effective because the spreadsheet information matches the information on the hard copies. However, there are no set guidelines for how the spreadsheet should be filled out and the spreadsheet was not filled out after disposal.
Recommendations
Set guidelines for the global spreadsheet on how each column should be filled out. Give examples of the specific information that should be going into each category and when a signature or initials are necessary. Confirm that the spreadsheet is updated after equipment is disposed of.
Process: Installation - Desktop Software
Control Activity: Software Storage and Software Re-installation
Control #: C 8
Risk/Control Type: Primary
Assoc. Risks: R 2, 3, 7, 16, 21, 22
Assigned To: Enterprise Services
Control Objective: Software ordered before the new system was implemented is being stored safely and licenses are being recorded accurately.
Closed Date: 4/29
Frequency: Constant
Control Activity
1) Software ordered before the new process was implemented is recorded on Desktop_Licensing.xls on the intra web, and the installation disk is stored in a secure cabinet at the Capitol Hill location.
2) Any requests for installation of the software should be recorded on the spreadsheet, and the hard copy documentation should be included in the hardcopy packet in the cabinet with the software.
Walkthrough Documentation
All documents should be included in the packet in the software cabinet at the Capitol Hill location.
1) Purchase Order
2) Payment Voucher
3) License Transfer Form
Operating Effectiveness - Test Steps
1. Observe the security of software and associated hardcopy.
2. Find hardcopies associated with assets chosen from the spreadsheet.
3. Look for: purchase order, payment voucher, and license transfer form in the hard copy packet.
4. Ensure that the information on the hard copy matches the information from the spreadsheet.
5. Ensure that the installation CD for the chosen software can be found in the cabinet.
Test Performed By: Beth Williams
Approved By: Matthew Morgan
Date of Validation: 4/22/09
Completed By: Robert Mushet
Sample Details
What is being tested? State ID tag:
425-70633 - Microsoft Access 2000 VUP
425-28428 - Adobe Acrobat v4.0
425-70842 - Crystal Decisions Crystal Reports v9.0
How many items tested?
Period Tested: From July 2008 To April 2009
Validation Results/Findings (numbers correlate to the test steps above)
1) Storage of software seems secure, but hardcopies are not in the cabinet.
2) Hard copies are not in the cabinet; we were also unable to find the specific software in the cabinet.
3) None of the software in the cabinet had any of the following items. Per Rick Dean, five or so years ago they started a project to gather all of this information. They wanted to incorporate their tracking with the software Altiris, but that never happened because someone would have had to create a special report for that to work. Currently, they do not keep this information together.
4) No hard copies were found. The specific software was not found.
5) Older or newer versions were in the cabinet, but not the specific one selected. The Adobe version was located, but not the specific one selected. There is a chance that some of the software selected was put on a server and DOR then purchased multiple licenses for installing on many computers.
Effective Control? [ ] Yes [x] No [ ] N/A [ ] Other, please specify in comments section below
Management Response
Rick Dean suggested talking to Lou Ennis, who is in charge of Altiris, to try and track these applications through Altiris instead. The purchase order, payment voucher, etc. may have to be looked for in Accounting and Financial Services (AFS).
Comments / Recommendations
Operating Effectiveness
This control does not seem to be effective. We knew this would be the case before testing it. The process only relates to software ordered before the new ordering process was implemented, a little over a year ago, and is currently only used for specialty software.
Comments
No further follow up was done for the related control. The issue does not seem significant enough to warrant any more testing. The risks associated with this control are that 1) someone reorders a piece of old software because it cannot be located (possible likelihood but low significance) and 2) a license key is used more than once to install an old piece of software (possible likelihood, low significance: DOR can uninstall if there is a complaint from the manufacturer).
Recommendations
A comprehensive software and license storage system should be incorporated to manage both the old and the new software.
Process: Installation
Control Activity: Completion and storage of IT work orders
Control #: C9
Risk/Control Type: Primary
Assoc. Risks: R 20, 21
Assigned To: Technicians
Control Objective: To securely complete and store the IT installation work orders, electronic and hard copies.
Closed Date: 4/29/09
Frequency: Annual
Walkthrough Documentation
1. RFS forms
2. Approval Packets
3. Work Order Request Form
4. Global Drive
Operating Effectiveness - Test Steps
1. Evaluate storage of IT Work Order Forms.
2. Verify forms are complete.
3. Check that all documentation is done similarly.
4. Check Global Drive for updated installation status.
Test Performed By: Sandra Sifuentes, Doug Waechter, Karin Rosen
Approved By: Matthew Morgan
Date of Validation: 4/15/09
Completed By: Sandra Sifuentes
Sample Details
What is being tested? Asset RFS #: 11963, 11908, 11899, 11914, 12030
What is the population? (List the entire population or reference where the population source.) Sample gathered from a population of 45 completed orders
How were items chosen? Items chosen by random number generator in Excel
Period Tested: From July 2008 To February 2009
Validation Results/Findings
1) There is clear organization when it comes to the storage of IT hard copy acquisition forms.
2) All RFS# tested were properly stored in their respective locations and securely stored in the proper office.
3) All RFS# tested had proper sign offs/authorizations.
4) All RFS# tested had complete receiving documentation, approval packets, and payment vouchers.
5) RFS#11899 had proper supplement information in the form of RFS#11899A.
6) RFS#11963 and RFS#11908A (orders in 2008) were not complete: missing IT work request forms and signoffs, in pending status.
7) A software transfer RFS# was chosen randomly during the test, RFS#58750; it was tested and the findings show proper documentation including request forms, signatures, and date of completion.
Effective Control: [x] Yes [ ] No [ ] N/A [ ] Other, please specify in comments section below
Comments / Recommendations
Operating Effectiveness
Effective organization and storage
Comments Templates are used for IT work request form, which is effective in maintaining proper documentation
Recommendations Maintain a consistent deadline for IT PROs to return completed work order form
Process: Installation
Control Activity: Verification between tags and spreadsheet
Control #: C10
Risk/Control Type: Primary
Assoc. Risks: R 6, 7, 8, 9, 17
Assigned To: IT department
Control Objective: To verify that the computer tag numbers match the numbers stored on the spreadsheet.
Closed Date: 4/29/09
Frequency: Annual
Walkthrough Documentation
1. Computer tag numbers from spreadsheet
2. Tag numbers on the computers
Operating Effectiveness - Test Steps
1. Randomly choose 5 tag numbers from the global spreadsheet.
2. Check that the tag numbers match the physical tags on the computers.
3. Confirm the correct user of the computer is entered into the spreadsheet.
Test Performed By: Sandra Sifuentes, Doug Waechter, Karin Rosen
Approved By: Matthew Morgan
Date of Validation: 4/15/2009
Completed By: Karin Rosen
Sample Details
What is being tested? Computer tag numbers: 70633, 77875, 71809, 71775, 71587
What is the population? (List the entire population or reference where the population source.)
How were items chosen? Items chosen by random number generator in Excel
Period Tested: From July 2008 To February 2009
Validation Results/Findings
1) There was a list of computer tag numbers that was complete and filled out correctly.
2) The spreadsheet showed the users of the tagged computers.
3) All five, randomly selected, tag numbers matched the physical tag number on the computers and the users matched what was recorded in the spreadsheet.
70633 - Margaret Youngman
77875 - Brian Shell
71809 - Kathy Beesing
71775 - Michelle Lane
71587 - Martin Kinney
Effective Control: [x] Yes [ ] No [ ] N/A [ ] Other, please specify in comments section below
Comments / Recommendations
Operating Effectiveness This control seems effective. The tags and user names were properly recorded on the spreadsheet and matched the physical asset and user.
Comments none
Recommendations none
Process: Maintenance
Control Activity: Testing of Patches & Upgrades
Control #: C 14, 18, 19
Control Type: Primary
Assoc. Risks: R 1, 2
Assigned To: Technician
Control Objective: To ensure the IT assets have the appropriate patches and upgrades as recommended by the manufacturer and as determined by technicians.
Closed Date: 4/29/09
Control Frequency: Annual
Walkthrough Documentation
All documentation is contained in the Altiris system
Operating Effectiveness - Test Steps
1. Determine where technicians find out about patches and upgrades.
2. Evaluate how technicians determine if the patch or upgrade is appropriate.
3. Determine the methodology used for defining a super user tester.
4. Check for completeness of the documentation associated with patches and upgrades.
Test Performed By: Douglas Waechter, Karin Rosen, Sandra Sifuentes
Approved By: Matt Morgan
Date of Validation: 4/15/09
Completed By: Douglas Waechter
Sample Details
What is being tested? Due to the nature of the Altiris system, the sample was the entire system.
Period Tested From July 2008 To February 2009
Validation Results/Findings
1) Information about patches and upgrades is sent out through email by the manufacturer. Microsoft patches and upgrades are checked daily and updated monthly.
2) Technicians evaluate the patches and upgrades based on their knowledge of the operational needs of the IT system.
3) Super users are selected as needed by the technicians. They are selected for their willingness to participate and their expertise with a specific application. Due to the level of expertise needed, this selection is done for each patch or upgrade.
4) Documentation is stored in the Altiris system for each computer and its history of patches and upgrades. The system automatically pushes patches and upgrades to the appropriate systems.
Effective Control: [x] Yes [ ] No [ ] N/A [ ] Other, please specify in comments section below
Comments / Recommendations
Operating Effectiveness
The Altiris system is recognized as an industry standard for managing the type of computer system that the DOR operates. The technicians appear to be well trained and confident in their ability to use the system to keep IT assets up to date.
Comments Hard copies of patches and upgrades are currently not being kept. It would be impractical to do so for a system as large as the DOR.
Recommendations Technicians should define in writing what they are looking for in a super user.
Process: Disposal
Control Activity: Policy to determine if equipment has a hard drive
Control #: C 17
Risk/Control Type: Primary
Assoc. Risks: R 3
Assigned To: Warehouse
Control Objective: To determine if a piece of equipment that is ready to be disposed of has a hard drive in it.
Closed Date: 4/29/09
Frequency: Annual
Walkthrough Documentation Spreadsheet listing IT assets
Operating Effectiveness - Test Steps
1. Look at the global spreadsheet to determine if the piece of equipment has a hard drive.
2. Remove the hard drive from the equipment and record it on the global spreadsheet and the hard drive spreadsheet.
3. Check each piece of equipment to be sure the spreadsheet was not filled out incorrectly or the equipment contains more than one hard drive.
Test Performed By: Jose Giardiello, Doug Waechter, Karin Rosen
Approved By: Matthew Morgan
Date of Validation: 4/17/2009
Completed By: Karin Rosen
Sample Details
What is being tested? Spreadsheet listing IT assets
Period Tested: From July 2008 To February 2009
Validation Results/Findings
Warehouse personnel check each piece of equipment waiting to be disposed of for a hard drive.
If equipment contains a hard drive it is removed by the warehouse manager
Effective Control: [ ] Yes [x] No [ ] N/A [ ] Other, please specify in comments section below
Comments / Recommendations
Operating Effectiveness
This control is very ineffective. There is no documentation that says if a piece of equipment contains a hard drive or not.
Recommendations It should be recorded on the global spreadsheet when the asset is first received whether or not it contains a hard drive. The warehouse can then refer to this spreadsheet along with checking each piece of equipment to be sure a hard drive is not left in a disposed of asset. It should also be recorded on the global spreadsheet when a hard drive is removed from an asset.
Process: Disposal
Control Activity: Post-spreadsheet Reported, Tracked and Verified
Control #: C20
Risk/Control Type: Primary
Assoc. Risks: R 1, 2, 4, 6, 7, 8, 9, 18, 19
Assigned To: Warehouse Logistics
Control Objective: To keep the global spreadsheet up to date after the disposal of an asset and to ensure the proper personnel were informed of the disposal.
Closed Date: 4/29/09
Frequency: Annual
Walkthrough Documentation Global Spreadsheet
Operating Effectiveness - Test Steps
1. Test for completion of spreadsheet or any other reporting documentation.
2. Check reporting after disposal.
Test Performed By: Karin Rosen, Jose Giardiello, Doug Waechter
Approved By: Matthew Morgan
Date of Validation: 4/17/09
Completed By: Jose Giardiello
Sample Details
What is being tested? Post disposal documentation
Period Tested: From July 2008 To February 2009
Validation Results/Findings
1) After the disposal of an asset there is no global reporting
2) The global spreadsheet does not get updated after the disposal of an asset
3) After the disposal of an asset, no upper management is informed/confirmed of the disposal (warehouse manager is the one doing the disposal so there is zero confirmations)
Effective Control: [ ] Yes [x] No [ ] N/A [ ] Other, please specify in comments section below
Comments / Recommendations
Operating Effectiveness
Not effective, because other departments don't know if an asset got disposed of.
Recommendations
There needs to be confirmation of the disposal to upper management and other departments (if the warehouse manager continues to be the only one doing the disposal; otherwise, have someone in charge of the disposal who would report to the warehouse manager). Have sign-offs and a column in the spreadsheet for disposal, or have one consolidated spreadsheet that is frequently updated.
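The spreadsheet guidelines recommended for Control 7, Control 17 and Control 20 above, as an added example that is not part of the audit report: a row-level completeness check that flags assets received without a hard-drive entry, disposals without a removal date or a confirming sign-off, and inconsistent dates. The column names and every sample row are constructed for this example, not taken from the DOR spreadsheet.

```python
"""Completeness check for a global IT asset spreadsheet (added example).

Encodes the audit's spreadsheet recommendations as row-level rules:
receipt fields filled in, hard-drive presence recorded at receipt, and a
disposal entry that carries a hard-drive removal date and a confirming
sign-off. Column names and all sample rows are constructed for this
example; none of it comes from the DOR spreadsheet.
"""
from __future__ import annotations

import csv
import io
from datetime import date

# Columns that must be filled in when the warehouse first receives an asset.
REQUIRED_AT_RECEIPT = (
    "rfs_number",
    "state_tag",
    "date_received",
    "received_by",
    "has_hard_drive",
)


def parse_date(value: str) -> date | None:
    """Parse an ISO date cell; blank or malformed cells count as missing."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def check_row(row: dict[str, str]) -> list[str]:
    """Return the guideline violations for one spreadsheet row (empty = clean)."""
    issues: list[str] = []
    for col in REQUIRED_AT_RECEIPT:
        if not row.get(col, "").strip():
            issues.append(f"missing {col}")
    has_hd = row.get("has_hard_drive", "").strip().upper()
    if has_hd and has_hd not in ("Y", "N"):
        issues.append("has_hard_drive must be Y or N")
    received = parse_date(row.get("date_received", ""))
    removed = parse_date(row.get("hard_drive_removed_date", ""))
    disposed = parse_date(row.get("disposal_date", ""))
    if row.get("date_received", "").strip() and received is None:
        issues.append("date_received is not an ISO date")
    # A removal date on an asset recorded as having no drive means one of
    # the two entries is wrong; either way the record cannot be trusted.
    if removed and has_hd == "N":
        issues.append("hard drive removal recorded for an asset marked as having no hard drive")
    if disposed:
        # Disposal needs a sign-off from someone other than the person doing it.
        if not row.get("disposal_confirmed_by", "").strip():
            issues.append("disposal has no confirming sign-off")
        if has_hd == "Y" and removed is None:
            issues.append("disposed with a hard drive and no removal date")
        if removed and removed > disposed:
            issues.append("hard drive removal dated after disposal")
        if received and disposed < received:
            issues.append("disposal dated before receipt")
    return issues


def audit_spreadsheet(csv_text: str) -> dict[str, list[str]]:
    """Map each row's RFS number (or row index when blank) to its violations."""
    findings: dict[str, list[str]] = {}
    # Row 1 of the sheet is the header, so data rows are numbered from 2.
    for index, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        key = row.get("rfs_number", "").strip() or f"row {index}"
        issues = check_row(row)
        if issues:
            findings[key] = issues
    return findings


# Constructed sample sheet: RFS numbers, tags and names are placeholders.
SAMPLE_SPREADSHEET = """\
rfs_number,state_tag,description,date_received,received_by,has_hard_drive,hard_drive_removed_date,disposal_date,disposal_confirmed_by
90001,425-00001,Desktop PC,2008-08-04,warehouse staff,Y,2009-01-15,2009-01-20,budget office
90002,425-00002,Desktop PC,2008-08-04,warehouse staff,Y,,2009-01-20,
90003,425-00003,Laser printer,2008-09-10,,,,,
90004,425-00004,Laptop,2008-10-02,warehouse staff,N,2009-02-01,2009-02-03,budget office
"""

if __name__ == "__main__":
    for rfs, issues in audit_spreadsheet(SAMPLE_SPREADSHEET).items():
        print(rfs, "->", "; ".join(issues))
```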
Process: Disposal
Control Activity: Procedures for hard drive disposal
Control #: C22, 23
Risk/Control Type: Primary
Assoc. Risks: R 5, 7, 10, 14, 15, 20, 21, 22
Assigned To: Warehouse
Control Objective: To verify proper reporting and authorization procedures for hard drives taken to a third party for disposal.
Closed Date: 4/29/09
Frequency: Annual
Walkthrough Documentation
1) List of removed hard drives recorded by DOR
2) List of disposed of hard drives recorded by GRX
3) Verified form with signatures from DOR and GRX
Operating Effectiveness - Test Steps
1. Compare all numbers on the list of removed hard drives with the list of disposed of hard drives to ensure that every hard drive removed and given to GRX was disposed of.
2. Verify that transfer forms were properly signed and kept.
3. Verify that disposal of hard drives was watched by a DOR employee.
Test Performed By: Jose Giardiello, Doug Waechter, Karin Rosen
Approved By: Matthew Morgan
Date of Validation: 4/17/2009
Completed By: Karin Rosen
Sample Details
What is being tested? Hard drive numbers: 17201721819, LAK20736, LAK41776
What is the population? (List the entire population or reference where the population source.)
How were items chosen? Items chosen at random during the audit
Period Tested: From July 2008 To February 2009
Validation Results/Findings
1) There was a hand written list of hard drive numbers that had been removed.
2) There was a computer-generated list from GRX containing the numbers of the hard drives that had been disposed of.
3) We chose three random hard drive numbers from the GRX list to confirm that they were on the DOR list. We found all three numbers on the list.
4) We then checked that the number of DOR hard drives given to GRX matched the number that was on GRX's list of disposed hard drives. This was the most time efficient way of checking that the lists were complete.
5) There was a transfer form signed by the warehouse manager confirming the hard drives were properly transferred and were destroyed under the supervision of a DOR employee.
Effective Control: [ ] Yes [x] No [ ] N/A [ ] Other, please specify in comments section below
Comments / Recommendations
Operating Effectiveness
This control seems somewhat effective; however, it is not very efficient. Every single number on the DOR list needs to be checked against the GRX list.
Recommendations
The most convenient way to check the numbers from the DOR against those from GRX would be to keep the numbers on an Excel spreadsheet. GRX could email their list to the DOR, and the numbers could be checked once they were put in order. The easiest way to get the hard drive numbers onto an Excel spreadsheet would be to use a bar code scanner. This bar code scanner could record all the numbers, which could then easily be transferred to the computer.
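The list comparison recommended above, as an added example that is not part of the audit report or of any DOR or GRX system: it reconciles a DOR removal list against a GRX destruction list by serial number rather than by count, and shows why the count-only check in step 4 of the findings can pass while a serial differs. The CSV column names are assumptions, and every serial other than the three from the audit sample is a constructed placeholder.

```python
"""Reconcile a DOR list of removed hard drives with a GRX destruction list
(added example; not part of the audit report or of any DOR/GRX system).

CSV column names are assumptions. Of the serials below, only 17201721819,
LAK20736 and LAK41776 appear in the audit sample; the rest are constructed
placeholders.
"""
from __future__ import annotations

import csv
import io
from collections import Counter
from dataclasses import dataclass


def normalize_serial(raw: str) -> str:
    """Canonical key for a serial: upper-case with spaces, dashes and
    underscores removed, so a hand-written entry and a barcode scan of the
    same drive compare equal."""
    return "".join(ch for ch in raw.strip().upper() if ch not in " -_")


def load_serials(csv_text: str, column: str) -> list[str]:
    """Read one column of a CSV export (for example the Excel sheet a
    barcode scanner fills in) and normalize every non-blank cell."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [normalize_serial(row[column]) for row in reader if row[column].strip()]


@dataclass
class Reconciliation:
    dor_total: int
    grx_total: int
    confirmed_destroyed: set[str]      # on both lists
    removed_not_destroyed: set[str]    # DOR list only: drive unaccounted for
    destroyed_not_removed: set[str]    # GRX list only: untracked drive or typo
    duplicate_entries: dict[str, int]  # serial -> times listed, where > 1

    @property
    def counts_match(self) -> bool:
        """The count-only shortcut the audit used in step 4 of its findings."""
        return self.dor_total == self.grx_total

    @property
    def complete(self) -> bool:
        """Every removed drive was destroyed and nothing unexpected was."""
        return not self.removed_not_destroyed and not self.destroyed_not_removed


def reconcile(dor_serials: list[str], grx_serials: list[str]) -> Reconciliation:
    """Compare the two lists by serial number; order on either list is irrelevant."""
    dor_counts, grx_counts = Counter(dor_serials), Counter(grx_serials)
    dor_set, grx_set = set(dor_counts), set(grx_counts)
    duplicates = {s: n for s, n in dor_counts.items() if n > 1}
    duplicates.update({s: n for s, n in grx_counts.items() if n > 1})
    return Reconciliation(
        dor_total=len(dor_serials),
        grx_total=len(grx_serials),
        confirmed_destroyed=dor_set & grx_set,
        removed_not_destroyed=dor_set - grx_set,
        destroyed_not_removed=grx_set - dor_set,
        duplicate_entries=duplicates,
    )


# Constructed sample exports. The DOR entry "LAK 20736" has a stray space,
# as a hand-written list might, and the last serial on each list differs by
# transposed digits even though both lists hold four drives.
DOR_REMOVED_CSV = """\
removed_date,serial,removed_by
2009-02-03,17201721819,warehouse
2009-02-03,LAK 20736,warehouse
2009-02-10,LAK41776,warehouse
2009-02-10,PLACEHOLDER-0004,warehouse
"""

GRX_DESTROYED_CSV = """\
destroyed_date,serial
2009-02-20,17201721819
2009-02-20,LAK20736
2009-02-20,LAK41776
2009-02-20,PLACEHOLDER-0040
"""


def reconcile_sample() -> Reconciliation:
    """Run the reconciliation over the constructed exports above."""
    return reconcile(
        load_serials(DOR_REMOVED_CSV, "serial"),
        load_serials(GRX_DESTROYED_CSV, "serial"),
    )


if __name__ == "__main__":
    result = reconcile_sample()
    print("counts match:", result.counts_match)  # True: four drives on each list
    print("lists complete:", result.complete)    # False: one serial differs
    print("removed, no destruction record:", sorted(result.removed_not_destroyed))
    print("destroyed, not on DOR list:", sorted(result.destroyed_not_removed))
```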
Process: Disposal
Control Activity: Verification Form - is surplus property checked/tracked
Control #: C24, 25
Risk/Control Type: Primary
Assoc. Risks: R 20, 21, 22
Assigned To: Warehouse Logistics
Control Objective: To properly document and track surplus to limit misuse/pilferage/confusion.
Closed Date: 4/29/09
Frequency: Annual
Walkthrough Documentation
1. Surplus packets
2. Authorized surplus lists
Operating Effectiveness - Test Steps
1. Check for surplus packets and vouchers.
2. Test for completion of packets.
Test Performed By: Karin Rosen, Jose Giardiello, Doug Waechter
Approved By: Matthew Morgan
Date of Validation: 4/17/09
Completed By: Jose Giardiello
Sample Details
What is being tested? Post disposal documentation
Period Tested: From July 2008 To February 2009
Validation Results/Findings
1) Surplus packets had a seven digit state tag and were not referenced by RFS numbers.
2) The warehouse manager/program assistant created the list of assets that were in the surplus packets.
3) Out of three packets tested, only one had a Declaration of Surplus (list of surplus), which was generated by someone other than the warehouse manager.
4) Authorized signatures came from the warehouse manager and the Declaration of Surplus.
5) Two out of the three did not have signatures.
Effective Control: [ ] Yes [ ] No [x] N/A [ ] Other, please specify in comments section below
Comments / Recommendations
Operating Effectiveness
There are no previous job duties or standards. The control could be effective if the Declaration of Surplus was included in all the surplus packets.
Recommendations
1) Track surplus with RFS numbers, to continue the tracking from acquisition to disposal and surplus.
2) Use the Declaration of Surplus form as a reference in the surplus packets.
3) Track surplus packets with dates.
4) Segregate the duties around the surplus responsibility.
5) Use the Declaration of Surplus to check the DOR list of surplus against the warehouse list of surplus; create that control and always have the Declaration in each surplus packet.
Findings Summary
After analyzing the results from our tests of the DOR controls we found the following:
45% of controls tested were found to be effective
33% of controls tested were found to be ineffective
22% of controls tested were found to be mostly effective with exceptions
Specific areas of concern:
Spreadsheets: In general there is a chaotic distribution of spreadsheets and information; this creates gaps in information and may allow for mismanagement of assets. This concern is illustrated by the ineffectiveness of these controls:
Control 2: Updated RFS Spreadsheet - The security of the global drive RFS spreadsheet was questionable because the password was not changed regularly.
Control 7: Warehouse Spreadsheet is Complete - There is no defined policy regarding updates to the spreadsheet, and the spreadsheet is not updated to indicate the disposal of assets.
Control 20: Post-spreadsheet Reported, Tracked and Verified - There is no policy in place to record the disposal of assets in a global location.
Receiving the assets: The policy regarding sending all IT assets through the warehouse is sometimes ignored. Assets have the potential to be delivered to other areas of the organization, skipping the tagging and recording process at the warehouse. This concern is illustrated by the ineffectiveness of this control:
Control 4: Who Receives the Asset? - There is documentation kept to verify that the warehouse has received the asset, but there is no specific process for receiving an asset.
Software license storage and transfer: Our tests showed mixed results about the recording and transfer of software licenses. Our test of the current process suggested it is sound, but our test of the older software suggested that system is flawed. It is the opinion of the auditors that, although the test demonstrated the process is sound, it really is not. There are multiple spreadsheets where software licenses are stored; this creates risk and inefficiency in finding licenses for use. The controls tested regarding this concern are:
Control 6: Proper Documentation and Recording for Licenses- This control was shown to be effective by our tests.
Control 8: Software Storage and Re-installation- This control was shown to be ineffective by our tests.
Proper disposal of assets (especially hard drives): The controls for disposal and keeping records for disposal seem strong; however, information about the disposal of assets is not shared with the other departments in the system. Furthermore, the storage of hard drives before they go to destruction could be greatly improved. Our major concern is that the ineffective controls pose an opportunity for leakage of sensitive information contained on hard drives. This concern is illustrated by our testing of these controls:
Control 17: Policy to Determine if Equipment has a Hard Drive - The lack of policy means that a surplus asset may be disposed of while still containing a hard drive with sensitive information.
Control 22 and 23: Procedures for Hard Drive Disposal - The control seems effective, but it is inefficient because of the way the disposal documents are organized, which may lead to errors in verifying them.
Control 20: Post Disposal Spreadsheet, Assets are Reported, Tracked and Verified - Records of the disposal of an asset are never sent to another location outside the warehouse for verification and approval.
Recommendations and Suggestions
Recommendations:
Recommendations were researched to repair the controls that were deemed the least effective through the testing phase. Knowledge Leader and internet searches were used to research the best practices regarding IT asset management systems.
General best practices: The most relevant document found was "IT Asset Management: How to Improve the Business of IT", by Colleen O'Donnell. The article laid out four hallmarks of best-in-class IT asset management programs; these hallmarks are:
1) A central repository that contains detailed financial, contractual and physical information on assets, coupled with discovery/inventory tools that cover all the disparate platforms within the environment (hardware, network, software).
2) Processes, procedures, and policies around this information to keep it current, with people assigned responsibility/accountability for this task.
3) A well-structured and measured organization enabled to support the ongoing operational management processes and activities of the organization.
4) Perhaps most importantly, these programs have the buy-in and support of upper management.
In order to abide by the first hallmark, the DOR should compile the information found on their individual employees' IT inventory spreadsheets into one comprehensive spreadsheet.
This will improve the asset management system by:
a) Reducing time spent by employees in locating specific assets.
b) Ensuring assets are more secure by making the information about them easier to access.
c) Compiling software licenses into one location so the availability of licenses can be easily determined.
In order to abide by the second hallmark, the DOR should refer to the process maps in this document to chronicle the duties necessary to accomplish the task of managing their IT assets. They can then create documents for each position in their organization laying out duties and responsibilities of the individual employed in this position. This will improve the asset management system by:
a) Ensuring that specific individuals are responsible for specific duties. This will make sure every duty is being fulfilled and ensure there is accountability in the process.
b) Making the process more efficient; each employee knows specifically what they should be accomplishing.
c) Advertising who is responsible for which aspects of the process so personnel know who to go to when they need a specific piece of information.
In order to accomplish the third hallmark, the DOR should define their duties and processes, assign these duties and processes to specific employees, and create a comprehensive spreadsheet with built-in, quantifiable indicators. These tasks were recommended to accomplish the first two hallmarks and will accomplish the third hallmark by:
a) Adding performance indicators and ensuring the advice is incorporated into the processes.
b) Using the performance indicators to ensure that each individual is accomplishing the duties documented in the employee packets.
In order to accomplish the fourth hallmark, the DOR must ensure that management is informed, involved, and supportive of these changes. The fourth hallmark will accomplish:
a) Organization-wide support for the new process.
b) Less resistance to changes in the system.
c) An easier conversion to the new system.
Other/Specific recommendations:
There are four recommendations that could be easily implemented at the DOR to greatly improve the security and efficiency of their IT asset management program:
1) Purchasing a storage locker, chain, and lock to store hard drives before they are destroyed. During testing we observed a lack of controls over the security of hard drives that could potentially contain sensitive information.
2) Purchasing a barcode scanner, compatible with Microsoft Excel, to record hard drives as they come into the warehouse. This electronic list will be easier to compare to the disposal list obtained from GRX after destruction of the hard drives, which makes the list of hard drives with sensitive information less prone to tampering and errors.
3) Altering the regulation stating that only the CIO can authorize the pickup of abandoned assets so that technicians can pick up these assets as well. Employees at the DOR tend to dispose of obsolete IT assets by storing them in offices or hallways, which leaves the assets prone to theft and misplacement. To reduce this risk, technicians should be able to pick up abandoned inventory and store it until the owner reclaims or formally abandons the asset.
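The comparison in recommendation 2 (scanned intake list versus the vendor's destruction list) is the control that actually catches a missing drive, so it is worth automating. The following is an added example, not part of the audit report or any DOR or GRX tool; it assumes the barcode scanner produces a CSV with the constructed columns serial, received and received_by, and that the destruction vendor returns a CSV with serial and destroyed. It flags drives received but never certified destroyed, drives on the certificate that were never scanned in (an incomplete intake list or a bad certificate), serials scanned twice, destruction dates earlier than receipt, and drives that sat in storage longer than a chosen limit.

```python
"""Reconcile scanned hard-drive intake against a destruction certificate.

Added example, not from the audit report. File layouts, serial numbers and
dates below are constructed for illustration.
"""
import csv
import io
from datetime import date

# Constructed sample: output of the barcode scanner at the warehouse.
INTAKE_CSV = """serial,received,received_by
WD-AB1234,2009-03-02,tech1
ST-998877,2009-03-02,tech1
HIT-55021,2009-03-05,tech2
WD-AB1234,2009-03-05,tech2
"""

# Constructed sample: destruction list returned by the vendor.
DESTRUCTION_CSV = """serial,destroyed
WD-AB1234,2009-03-20
HIT-55021,2009-03-20
SAM-00001,2009-03-20
"""


def parse_serials(text, date_field):
    """Map serial -> first date seen; also return serials that repeat.

    A repeated serial in the intake list means the same drive was scanned
    twice (or a label was reused), so it is reported rather than silently
    collapsed.
    """
    first_seen = {}
    duplicates = set()
    for row in csv.DictReader(io.StringIO(text)):
        serial = row["serial"].strip().upper()
        when = date.fromisoformat(row[date_field].strip())
        if serial in first_seen:
            duplicates.add(serial)
        else:
            first_seen[serial] = when
    return first_seen, duplicates


def reconcile(intake_text, destruction_text, max_dwell_days=30):
    """Compare the intake list with the destruction list.

    Returns a dict of sorted serial lists:
      unaccounted       received but not on the destruction list
      unexpected        destroyed but never scanned in
      duplicate_scans   serials appearing more than once at intake
      date_inconsistent destroyed before they were received
      over_dwell        destroyed later than max_dwell_days after receipt
    """
    intake, intake_dups = parse_serials(intake_text, "received")
    destroyed, _ = parse_serials(destruction_text, "destroyed")

    report = {
        "unaccounted": sorted(set(intake) - set(destroyed)),
        "unexpected": sorted(set(destroyed) - set(intake)),
        "duplicate_scans": sorted(intake_dups),
        "date_inconsistent": [],
        "over_dwell": [],
    }
    for serial in sorted(set(intake) & set(destroyed)):
        dwell = (destroyed[serial] - intake[serial]).days
        if dwell < 0:
            report["date_inconsistent"].append(serial)
        elif dwell > max_dwell_days:
            report["over_dwell"].append(serial)
    return report


def is_clean(report):
    """True only when every category of discrepancy is empty."""
    return not any(report.values())


if __name__ == "__main__":
    result = reconcile(INTAKE_CSV, DESTRUCTION_CSV)
    for category, serials in result.items():
        print(f"{category:18s} {serials}")
    print("clean:", is_clean(result))
```

The "unaccounted" list is the one that matters for sensitive data: in the constructed sample ST-998877 was received but never destroyed, so it should still be in the locker and must be located. The "unexpected" list protects the other direction, since a certificate naming drives that were never logged means the intake list cannot be trusted as the record of what went out.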
Supplementary Documents

AGENDA
STATE OF COLORADO DEPARTMENT OF REVENUE
January 21, 2009
Meeting called by: Internal Audit Team
Location: Classroom 320 – Leeds School of Business
Attendees: Sandra Sifuentes, Karin Rosen, Robby Mushet, Jose Giardiello, Doug Waechter
Topic 1 – Introduction: Project Overview
Topic 2 – Meet Clients: Discussions
Topic 3 – Questions: Gather Team Contacts
Additional Instructions: The audit team will provide the client with documents that will be used during the meeting.

AGENDA
STATE OF COLORADO DEPARTMENT OF REVENUE
February 4, 2009, 12:00–2:00 pm
Meeting called by: Internal Audit Team
Location: Department of Revenue – Denver, CO
Attendees: Sandra Sifuentes, Karin Rosen, Robby Mushet, Jose Giardiello, Doug Waechter
Topic 1 – Introduction: Expectations; Scope of Audit
Topic 2 – Meeting with Budget Department Team: Procedures; Questions
Topic 3 – Wrap Up: Suggestions from Client and Advisor; Questions
Additional Instructions: The audit team will provide the client with documents that will be used during the meeting.

AGENDA
STATE OF COLORADO DEPARTMENT OF REVENUE
February 17, 2009, 8:00–9:00 am
Meeting called by: Internal Audit Team
Location: Professor Marlatt’s Office S450G – Leeds School of Business
Attendees: Karin Rosen, Robby Mushet, Jose Giardiello, Doug Waechter
Topic 1 – Steps for the Audit: Process Maps; Questions
Topic 2 – Acquisition of Materials: White Pad and Easel
Additional Instructions: Spoke with professor before meeting with client.

AGENDA
STATE OF COLORADO DEPARTMENT OF REVENUE
February 18, 2009, 9:30 am–12:00 pm
Meeting called by: Internal Audit Team
Location: Department of Revenue – Lakewood, CO
Attendees: Sandra Sifuentes, Karin Rosen, Robby Mushet, Jose Giardiello, Doug Waechter
Topic 1 – Introduction: Overview with Client
Topic 2 – Meeting with Mike Lichvar, Enterprise Services Manager: Introduction and Procedures; Process Map
Topic 3 – Steve McCarthy, Elect Engineer: Introduction and Procedures; Process Map – Shipping and Receiving
Topic 4 – Lou Ennis, IT Desktop Support Manager: Introduction and Procedures; Process Map – Maintenance; Questions
Topic 5 – Mark Buckingham and David Loewi, CIO: Introduction and Project Discussion
Additional Instructions: The audit team will provide the client with documents that will be used during the meeting.

AGENDA
STATE OF COLORADO DEPARTMENT OF REVENUE
March 4, 2009, 9:00 am–12:00 pm
Meeting called by: Internal Audit Team
Location: Department of Revenue – Lakewood, CO
Attendees: Sandra Sifuentes, Karin Rosen, Robby Mushet, Jose Giardiello, Doug Waechter
Topic 1 – Introduction: Overview with Client
Topic 2 – Meeting with Alison Roberts: Introduction and Procedures; Process Map
Topic 3 – Meeting with Vanessa Jozef: Introduction and Procedures; Process Map
Topic 4 – Meeting with Jane Henderson: Introduction and Procedures; Process Map
Topic 5 – Closing Discussions: Final Questions
Additional Instructions: The audit team will provide the client with documents that will be used during the meeting. Sandra will be writing process steps on the white board for visualization.

AGENDA
STATE OF COLORADO DEPARTMENT OF REVENUE
March 11, 2009, 9:00 am–12:00 pm
Meeting called by: Internal Audit Team
Location: Department of Revenue – Lakewood, CO
Attendees: Sandra Sifuentes, Karin Rosen, Robby Mushet, Jose Giardiello, Doug Waechter
Topic 1 – Introduction: Review Walk-through Plan with Client
Topic 2 – Set-up: Lay Out Process Maps in Asset Life Cycle Order; Discuss maps with visitors
Topic 4 – Closing Discussion: Final Questions
Additional Instructions: The audit team will provide the client with documents that will be used during the meeting.

AGENDA
STATE OF COLORADO DEPARTMENT OF REVENUE
March 18, 2009, 9:00 am–12:00 pm
Meeting called by: Internal Audit Team
Location: Department of Revenue – Denver, CO
Attendees: Sandra Sifuentes, Karin Rosen, Robby Mushet, Jose Giardiello, Doug Waechter
Topic 1 – Introduction: Overview of Risk Assessment
Topic 2 – DOR IT Asset Risk Matrix: Reviewed Risk Averages – Significance and Likelihood; Defined and categorized each risk with Client
Topic 3 – Client’s Suggestions: Ranked risks; Reorganized and added to list of risks
Topic 4 – Closing Discussion: Final Questions; Further contact arranged
Additional Instructions: The audit team will provide the client with documents that will be used during the meeting.

AGENDA
STATE OF COLORADO DEPARTMENT OF REVENUE
April 10, 2009, 10:00 am–12:00 pm
Meeting called by: Internal Audit Team
Location: Department of Revenue – Lakewood, CO
Attendees: Sandra Sifuentes, Robby Mushet, Jose Giardiello, Doug Waechter
Topic 1 – Introduction: Overview with Client
Topic 2 – Testing: Meeting with Maria Armenta, Jane Henderson, Brad Denning and Cindy Witka; Test RFS# Controls; Test licensing Controls; Test global drive Controls
Topic 3 – Compile Information: Discuss test results
Additional Instructions: The audit team will provide the client with documents that will be used during the meeting.

AGENDA
STATE OF COLORADO DEPARTMENT OF REVENUE
April 15, 2009, 9:30 am–12:00 pm
Meeting called by: Internal Audit Team
Location: Department of Revenue – Lakewood, CO
Attendees: Sandra Sifuentes, Karin Rosen, Robby Mushet, Jose Giardiello, Doug Waechter
Topic 1 – Introduction: Overview with Client
Topic 2 – Testing: Meeting with Vanessa Jozef, Brandon and Maria Armenta; Test RFS sheet Controls; Test super user controls
Topic 3 – Wrap Up: Overview of testing results
Additional Instructions: The audit team will provide the client with documents that will be used during the meeting.

AGENDA
STATE OF COLORADO DEPARTMENT OF REVENUE
April 17, 2009, 10:00–11:00 pm
Meeting called by: Internal Audit Team
Location: Department of Revenue – Lakewood, CO
Attendees: Karin Rosen, Jose Giardiello, Doug Waechter
Topic 1 – Introduction: Meeting with Roy Mitze
Topic 2 – Testing: Test spreadsheet and acquisition controls; Test hard drive and disposal controls; Test warehouse security
Additional Instructions: The audit team will provide the client with documents that will be used during the meeting.