DENVER – Two city agencies haven’t fully implemented recommendations made in three separate reports from Denver Auditor Timothy M. O’Brien, CPA.
This month the Auditor’s Office released follow-up reports on our May 2017 Golf Enterprise Fund Management audit, our July 2017 Personally Identifiable Information in Salesforce audit and our November 2017 Software Asset Management assessment. Our follow-ups show city agencies, particularly the Golf Enterprise Fund, still have a lot of work to do to address the issues we found.
Denver Golf fully implemented just five of 14 recommendations made in our Golf Enterprise Fund audit.
“I’m disappointed to see so many of our recommendations not fully implemented or not implemented at all — especially after agencies agreed to them,” Auditor O’Brien said. “The city needs to take our recommendations seriously because they help improve stewardship of taxpayer dollars.”
Meanwhile, in the Salesforce Personally Identifiable Information audit, Technology Services fully implemented five out of six recommendations. And Technology Services fully implemented two of the four recommendations in the Software Asset Management assessment, conducted for our office by Deloitte and Touche. Technology Services addressed several important risks through the actions they completed and should continue to address the partially completed recommendations that were originally estimated to be implemented over a year ago.
The Auditor’s Office follows up on every audit to ensure agencies are doing what they said they would.
Golf Enterprise Fund:
Of the 14 recommendations in our May 2017 Golf Enterprise Fund audit, Denver Golf fully implemented five, partially implemented three, and did not implement six at all. The agency had publicly agreed to all 14 recommendations.
“I am frustrated that Denver Golf did not recognize the importance of implementing the majority of our audit recommendations,” Auditor O’Brien said. “Denver Golf agreed to the recommendations at Audit Committee but did not follow through on that promise to the public to make improvements.”
Denver Golf has not yet created a strategic plan and agency officials think it will take through the end of 2020 to finish it. If this occurs, it will be two years from the time of the agency’s originally stated implementation date. Denver Golf says the delay is due to ongoing projects, including the music festival at the Overland Golf Course, and because the agency was waiting for the Department of Parks and Recreation to finalize a 10-year strategic plan.
Other unimplemented recommendations were related to financial procedure documentation, segregation and rotation of duties, and performing accurate counts of assets.
Without a strategic plan, Denver Golf can’t ensure it makes decisions based on a well-defined direction. Further, without financial policies and procedures, employees may not fully understand how to perform certain processes, and the agency risks losing institutional knowledge with the loss of key employees.
“This should’ve been an eagle for Denver Golf,” Auditor O’Brien said. “It looks more like a double bogie.”
Personally Identifiable Information in Salesforce:
The Personally Identifiable Information in Salesforce audit was completed after we found city employees with inappropriate access to sensitive information in Salesforce, cloud-based customer relationship management software. Auditors found Denver 311 supervisors were able to see citizens’ data such as names, Social Security numbers and birthdates, which other agencies such as the Department of Human Services and the Payroll Division had entered into Salesforce.
Auditors found no evidence information was used inappropriately, and permissions were quickly updated in Salesforce to secure the information. However, we noted other areas of weakness.
Technology Services agreed to all six of our recommendations but has thus far fully implemented five and only partially implemented one. For example, the agency made changes to ensure project documentation is archived and readily available and to ensure user profile security settings are documented and maintained for Salesforce administrators. Technology Services also updated wording on the Denver 311 webpage to discourage citizens from submitting nonrequired sensitive personal data.
However, Technology Services did not provide the role definition and user profile reports to agencies for their review.
Software Asset Management:
Finally, Technology Services fully implemented two of our four recommendations from the Software Asset Management Audit, but only partially implemented two others — despite agreeing to all our recommendations. Notably, the agency has yet to fully implement an automated tool for software-related compliance checks, such as software inventorying and risk-based reconciliations.
“I hope to see more action from the city in the future to fix weaknesses identified in our audits,” Auditor O’Brien said.