SUMMARY OF PROCEDURES We have performed an internal audit ofthe Erudite Information Technology (IT) Equipment process. Our internal audit isfocused on assessing the adequacy and reasonableness of the internal controlssurrounding the safeguarding of IT equipment including inventory tracking anddisposition. We performed a variety of procedures,including: · Obtaining an understanding of the Company IT equipment proceduresthrough reading Administrative Instruction, Purchasing, Installing, andRelocating Information Technology Equipment; · Obtaining an understanding of the Company IT equipment proceduresthrough interviewing various IT and Accounting Department Personnel; · Testing a sample of computer hard drive disposals and capitalizedIT asset disposals to determine compliance with applicable regulations; · Testing a sample of IT capital assets and low-value equipment todetermine if they were at the locations specified in the system and that theequipment was accurately tagged; and, · Testing a sample of IT equipment purchases to determine if theequipment was accurately tagged and existed at the location specified in thesystem.
If the equipment was for take home use, we tested that a Take HomeEquipment Authorization Form signed by the Department Director and the employeewas on file. Summary of Observations andRecommendations Significant medium or high risk observationsare presented below: 1. IT Equipment Inventory Management:- There was a lack of segregation of duties surrounding IT equipment inventorymanagement. The PC Systems Support Supervisor ordered inventory, receivedinventory, and reconciled the inventory maintained in the IT storage room. 2. IT Take Home Equipment:- Take Home Authorization Forms were notconsistently on file authorizing theissuance of the take home equipment.
Additionally, the Company did not have astandard Take Home Equipment Authorization Form or process. 3. Destruction of Computer Hard Drives:- Computer hard drives were not alwaysdestroyed timely. Additionally,computer hard drive certifications were not sent to the Office of the StateAuditor. 4. Capitalized IT EquipmentTracking:- Several servers were not tagged in anaccessible place; therefore, we wereunable to ensure proper tracking of these items.
Additionally, numerous itemsin the main server room were no longer in use and IT equipment on the fixedassets listing included servers that were capitalized in 2003 which couldpotentially be obsolete. The lower risk observations are included inthe attached detailed report. * * * * * Further detail ofour purpose, objectives, scope, procedures, observations, and recommendationsis included in the internal audit report. In that report, management describesthe corrective action taken for each observation. We received excellent cooperation andassistance from the various departments during the course of our interviews andtesting. We sincerely appreciate the courtesy extended to our personnel.
Erudite Internal AuditInformation Technology Equipment Table of Contents Page INTRODUCTION 1 PURPOSE AND OBJECTIVES 1 SCOPE AND PROCEDURES PERFORMED 1 OBSERVATIONS, RECOMMENDATIONS AND MANAGEMENT RESPONSES 3 Erudite InternalAuditInformationTechnology Equipment Report INTRODUCTION We performed the internal auditservices explained below only to assist Erudite in evaluating the internalcontrols and safeguards in place surrounding Information Technology (IT)equipment. We also examined if equipment was disposed of according to the policiesand applicable state regulations. Since our procedures were applied tosamples of transactions and processes, it is possible that minor issues relatedto the areas tested may not have been identified. Although we have included management’sresponses in our report, we do not take responsibility for the sufficiency ofthese responses or the effective implementation of any corrective action. PURPOSE AND OBJECTIVES Our internal audit focused on theassessment and testing of internal controls encompassing IT equipment includinginventory tracking and disposition. SCOPE AND PROCEDURES PERFORMED In order to gain an understanding of the processes and operationssurrounding IT equipment, we interviewed the following personnel: · Asif Javed, Infrastructure Manager · Muhammad Daniyal, IT Help Desk Supervisor In order to understand the IT Equipmentpolicies and procedures we have read many standard documents by Government ofPakistan and other countries: We performed the following testwork: 1.
Hard Drive Destruction: We obtained a listing computerdisposals processed between July 1, 2016 and April 30, 2017 and selected asample (based on 90% CL, 10% TD) of 21 disposals. For each computer in thesample we tested that: · The hard drive or storage device was erased and sanitizedappropriately; and, · Written certification was sent to the Office of the State Auditor(OSA) at least 30 days prior to disposal stating the computer hard drive hadbeen properly erased; 2. IT Capital Asset Disposals: We obtained a listing of IT capitalasset disposals and selected a sample (based on 90% CL, 10% TD) of 13 assetdisposals. For each capital asset disposal we tested that: · The disposal of the asset was approved by the IT Director and theFixed Assets Review Committee; · A written declaration was submitted to the DFA and/or the StateAuditor 30 days prior to the disposal; · Method of disposal was appropriate; and, · If asset had a net book value of more than $5,000, DFA approvalwas obtained. 3.
IT Capital Asset Tracking: We obtained a listing of allcapitalized IT assets and selected a sample (based on 90% CL, 10% TD) of 21assets. For each asset in the sample we tested that: · The barcode and serial numbers on the asset matched what wasrecorded in the fixed assets system; and · The asset was at the proper location. 4. Low-value IT Equipment Tracking: We obtained a listing of all low-valueIT equipment at April 30, 2012 andselected a sample (based on 90% CL, 10% TD) of 22 assets. For each asset in thesample we tested that: · The barcode and serial numbers on the asset matched what wasrecorded in the IT equipment tracking system; · The asset was at the proper location; and, · If the equipment was portable, an approved Take Home EquipmentAuthorization Form was on file.
5. IT Equipment Purchases: We obtained a listing purchase ordersinvolving IT equipment andjudgmentally selected a sample of 10 purchases orders and tested all ITequipment assets purchased on those purchase orders. This resulted in a totalof 130 items. For each item we tested that: · The barcode and serial number on the asset matched what wasrecorded in the IT inventory tracking system or capital asset listing; and · The asset was at the proper location; and, · If the equipment was portable, an approved Take Home EquipmentAuthorization Form was on file. In addition we obtained the expensedetail for office supplies for fiscal year 2012 and scanned the listing todetermine if IT equipment was inaccurately coded as office supplies. OBSERVATIONS, RECOMMENDATIONS AND MANAGEMENT RESPONSES We identified the following weaknessesrelating to the Erudite IT Equipment process: 1) ITEquipment Inventory Management There was a lack of segregations ofduties surrounding IT equipment inventory management.
The PC Systems SupportSupervisor ordered inventory, received inventory, and reconciled the inventorymaintained in the IT storage room. This creates the risk that fraud could occurand not be detected in a timely manner. Risk level – High Recommendation The Company should segregate theduties of ordering inventory, receiving inventory, and reconciling inventorymaintained in the IT storage room to three personnel.
Management Response IT will segregate the duties ofordering, receiving, and reconciling IT equipment in the IT storage room tothree separate individuals. IT will create a department procedure identifying,by position, the responsibilities for ordering, receiving, and inventorying ITequipment. 2) ITTake Home Equipment For portable equipment that is issuedto an employee, Administrative Instruction No. IT 15 section C requires that aTake Home Equipment Authorization Form be completed and approved by theemployee’s Department Director.
It also requires that the forms be maintainedby the Purchasing Department. We found: a. 13 out of 69 instances where a Take Home Authorization Form wasnot on file authorizing the issuance of the take home equipment. b. The Company did not have a standard Take Home EquipmentAuthorization Form.
Instead the IT department had created an InformationTechnology Portable Equipment Authorization Form. This form did not have adepartment director signature line, and therefore there was no documentedapproval by department directors for those employees with take home equipment. c. These forms were not maintained by the Purchasing Department andinstead the IT Department was maintaining these forms.
d. Upon separation there was no process to ensure take home equipmentwas returned to the Company. Risk level – Moderate Recommendation There are various departments thatrequire take home equipment authorization, and therefore the Company shouldcreate a standard Take Home Equipment Form to ensure consistency, properapprovals are obtained, and information is documented in a consistent manner.Additionally, a process should be implemented to ensure that a Take HomeAuthorization Form is completed prior to the issuance of any take homeequipment.
The Company should consider which department would be mostappropriate for maintaining Take Home Authorization Forms. Management Response IT will add a Department Directorsignature line to the IT Portable Equipment Authorization Form and make sureforms are on file for all IT Take Home Equipment. IT will ensure the DepartmentDirector’s signature is obtained before the Take Home equipment is issued.
ITwill also request a change to Administrative Instruction No. IT 15 section C toreflect that copies of IT Portable Authorization forms will be maintained bythe IT department. 3) Destructionof Computer Hard Drives The Company was not submitting therequired written certification to OSA for the disposal of computer hard drives.With regard to hard drive disposals we observed the following: a.
Computer hard drives were not always destroyedtimely. Six out of 21 computers tested were removed from the IT equipmentlisting and set for disposal; however, as of our 4 Field work these computers were stillresiding at the respective departments. The average amount of time sinceremoval from the equipment listing was approximately 268 days.
b. All 21 computer disposals tested had adisposal form on file with a signed affidavit by the Chief Information Officerattesting that the computer hard drive was destroyed in accordance with NMACrequirements; however, this notification was not sent to the OSA. Risk level-Moderate Recommendation Computer hard drives removed from theIT equipment listing should be destroyed immediately. This will help ensuresensitive information is removed from hard drives that are no longer tracked onthe IT equipment listing. To ensure compliance with NMACrequirements, Company IT should re-engineer the asset disposal process toensure that written certifications are sent to the OSA at least 30 days priorto the disposal of the asset. Management Response IT will create a department procedurethat outlines how computer hard drives will be removed and destroyed before theasset is taken off the IT equipment listing.
This procedure will also includethe requirement to provide a written certification to OSA. The IT Departmentwill have this procedure implemented by September 2012. 4) CapitalizedIT Equipment Tracking According to AdministrativeInstruction No.
24, as capital equipment is purchased it should be tagged andadded to the capital asset listing and tracked/inventoried on a regular basis.There were several servers that were not tagged in an accessible place;therefore, we were unable to ensure proper tracking of these items. Numerousitems in the main server room were no longer in use, including a serverpurchased in 2009 for $42,000, and IT equipment on the fixed assets listingincluded servers that were capitalized in 2003 and could potentially beobsolete and no longer in use.
Risk level – Moderate Recommendation To ensure proper tracking, all ITassets should be visibly tagged upon purchase, inventoried regularly, andinvestigated when missing. If it is determined that an item is no longer neededevery effort should be made to sell the item in a timely manner and minimizethe Company’s loss. The Company should dispose of obsolete IT equipment in thesever room and remove it from the fixed assets listing if it is no longer inuse and not specifically designed for backup or part purposes.
Management Response IT will make sure barcode tags areplaced on equipment in a visible area to ensure that equipment is easilyidentifiable at all times. IT will also perform an assessment of thecapitalized IT equipment currently on hand todetermine what equipment is obsolete and should be disposed of. Going forward,in the event that IT fixed assets are deemed to be incompatible, obsolete, ordamaged the IT Department will promptly notify and coordinate with the FixedAssets Section within the Finance Department to ensure timely disposition.
ITwill complete these action steps during fiscal year 2013. IT will dispose ofall unneeded IT gear in a timely manner. 5) Low-valueIT Equipment Tracking IT equipment was not always assignedto the correct employee or location in the inventory tracking system.
30 out of152 items tested were assigned to the incorrect employee or location and eightof these items could not be located within the Company. Risk level – Low Recommendation A periodic inventory count should beconducted diligently to ensure IT equipment is adequately tracked andmonitored. All items that cannot be located during the count should beinvestigated timely. For take home equipment, a notification should beperiodically sent to employees requesting confirmation of equipment that is inhis/her possession.
Additionally, an IT Asset Transfer Form should be completedwhenever assets are reassigned from one department or employee to another.These transfers should be updated in the IT inventory system and the retentionof the transfer forms should be centralized and delegated to specificpersonnel. Overall, these steps will help identify misappropriation, increaseaccountability, and ensure that the inventory system is updated accurately andtimely. Management Response IT will work with Management to updateAdministrative Instruction No. IT 15 to reflect the detailed instructions forconducting the periodic inventory of all IT equipment and the detailedprocedures for updating the IT Inventory system.
The IT Department will alsoprovide training on the updated procedures to the IT Liaisons within eachdepartment. Additionally, IT will remind all Company departments that inaccordance with Administrative Instruction No. IT 15B IT equipment must only beinstalled and relocated by IT Department staff. The IT Department will havethese action steps completed during fiscal year 2013. 6) ITEquipment Purchases Departments are instructed to submitpurchase orders for IT equipment using designated expense accounts so that equipmentcan be properly approved and tracked by the IT department.
We noted severalpurchases of IT equipment were purchased using the office supplies expenseaccount. As a result the IT department was not able to properly barcode andrecord the equipment in the IT inventory system. There is the risk thatmisappropriation of IT equipment could occur and not be detected in a timelymanner. 6Risk level – Low Recommendation The Company should implement a processto periodically review expense accounts such as office supplies to ensure thatdepartments are not ordering equipment that should be recorded and tracked inthe IT inventory system. This will help ensure departments are not circumventingthe current workflow for purchasing IT equipment which increases the risk fortheft of IT equipment. Additionally, the Company should remind the departmentsabout the importance of ordering IT equipment through the designated expenseaccounts and following the current workflow.
Management Response The IT department is working with thePurchasing department to assign mandatory commodity codes to all line items inthe purchasing module of the SAP ERP system which will identify items beingpurchased of an IT nature and route the request to the CIO for review andapproval/disapproval. This will also prohibit items from being purchased froman inappropriate account, such as office supplies, and will assure that allitems are properly inventoried and barcoded. 7) CapitalAsset Disposals We found one instance out of 13 wherean IT asset was disposed of; however, documentation could not be located tosupport the OSA or DFA was notified prior to disposal. We also identified oneinstance where a disposal notification was not sent until after the disposal. Risk level – Low Recommendation The Company FixedAssets Section should consider creating a disposal checklist to ensure that allState Statutes and Company policies and procedures have been followed prior tothe disposal of an asset. The checklist and all supporting source documentsshould be centrally filed for reference.
This will help ensure all requiredcommunications and procedures have been performed prior to the disposal ofcapitalized assets. Management Response The Fixed Assets Manager has updatedthe Master Surplus Listing which will be used as a checklist, to betterdocument the compliance with State Statutes and Company policies. The FixedAssets Manager will review and verify that the disposal follows procedures. Declaration requests and approvaldocuments have been placed in a tabbed monthly binder to allow for quickreference.
The staff will review that all capitalassets have been approved or pending approval by DFA and the State Auditorbefore final disposition. * * * * * This report is intended for theinformation and use of Erudite Company management, the audit committee, membersof the board of commissioners of Erudite Company and others within theorganization. However, this report is a matter of public record, and onceaccepted its distribution is not limited. We received excellent cooperation andassistance from the various departments during the course of our interviews andtesting.
We sincerely appreciate the courtesy extended to our personnel.