SUMMARY inventory, and reconciled the inventory maintained in the

SUMMARY OF PROCEDURES

 

We have performed an internal audit of
the Erudite Information Technology (IT) Equipment process. Our internal audit is
focused on assessing the adequacy and reasonableness of the internal controls
surrounding the safeguarding of IT equipment including inventory tracking and
disposition.

We Will Write a Custom Essay Specifically
For You For Only $13.90/page!


order now

 

We performed a variety of procedures,
including:

 

 

·        
Obtaining an understanding of the Company IT equipment procedures
through reading Administrative Instruction, Purchasing, Installing, and
Relocating Information Technology Equipment;

 

·        
Obtaining an understanding of the Company IT equipment procedures
through interviewing various IT and Accounting Department Personnel;

 

·        
Testing a sample of computer hard drive disposals and capitalized
IT asset disposals to determine compliance with applicable regulations;

 

·        
Testing a sample of IT capital assets and low-value equipment to
determine if they were at the locations specified in the system and that the
equipment was accurately tagged; and,

 

·        
Testing a sample of IT equipment purchases to determine if the
equipment was accurately tagged and existed at the location specified in the
system. If the equipment was for take home use, we tested that a Take Home
Equipment Authorization Form signed by the Department Director and the employee
was on file.

 

 

 

 

 

 

 

 

Summary of Observations and
Recommendations

 

Significant medium or high risk observations
are presented below:

 

1.      IT Equipment Inventory Management:-

 
                                                                           There was a lack of segregation of duties surrounding IT equipment inventory
management. The PC Systems Support Supervisor ordered inventory, received
inventory, and reconciled the inventory maintained in the IT storage room.

 

2.     
IT Take Home Equipment:-

                                                        Take Home Authorization Forms were not
consistently on file authorizing the
issuance of the take home equipment. Additionally, the Company did not have a
standard Take Home Equipment Authorization Form or process.

 

3.      Destruction of Computer Hard Drives:-

                                                                             Computer hard drives were not always
destroyed timely. Additionally,
computer hard drive certifications were not sent to the Office of the State
Auditor.

 

4.     Capitalized IT Equipment
Tracking:-

                                                                        Several servers were not tagged in an
accessible place; therefore, we were
unable to ensure proper tracking of these items. Additionally, numerous items
in the main server room were no longer in use and IT equipment on the fixed
assets listing included servers that were capitalized in 2003 which could
potentially be obsolete.

 

The lower risk observations are included in
the attached detailed report.

 

* * * * *

 

Further detail of
our purpose, objectives, scope, procedures, observations, and recommendations
is included in the internal audit report. In that report, management describes
the corrective action taken for each observation.

 

We received excellent cooperation and
assistance from the various departments during the course of our interviews and
testing. We sincerely appreciate the courtesy extended to our personnel.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Erudite Internal Audit

Information Technology Equipment

 

Table of Contents

 

 

Page

INTRODUCTION

1

PURPOSE
AND OBJECTIVES

1

SCOPE
AND PROCEDURES PERFORMED

1

OBSERVATIONS, RECOMMENDATIONS
AND MANAGEMENT RESPONSES

3

 

 

Erudite Internal
Audit

Information
Technology Equipment

 

Report

 

 

 

INTRODUCTION

 

We performed the internal audit
services explained below only to assist Erudite in evaluating the internal
controls and safeguards in place surrounding Information Technology (IT)
equipment. We also examined if equipment was disposed of according to the policies
and applicable state regulations. Since our procedures were applied to
samples of transactions and processes, it is possible that minor issues related
to the areas tested may not have been identified.

 

Although we have included management’s
responses in our report, we do not take responsibility for the sufficiency of
these responses or the effective implementation of any corrective action.

 

 

PURPOSE AND OBJECTIVES

 

Our internal audit focused on the
assessment and testing of internal controls encompassing IT equipment including
inventory tracking and disposition.

 

 

SCOPE AND PROCEDURES PERFORMED

 

In order to gain an understanding of the processes and operations
surrounding IT equipment, we interviewed the following personnel:

 

·       
Asif Javed, Infrastructure Manager

 

·       
Muhammad Daniyal, IT Help Desk Supervisor

 

In order to understand the IT Equipment
policies and procedures we have read many standard documents by Government of
Pakistan and other countries:

 

We performed the following testwork:

 

1.        
Hard Drive Destruction: We obtained a listing computer
disposals processed between July 1, 2016 and April 30, 2017 and selected a
sample (based on 90% CL, 10% TD) of 21 disposals. For each computer in the
sample we tested that:

 

·        
The hard drive or storage device was erased and sanitized
appropriately; and,

 

·        
Written certification was sent to the Office of the State Auditor
(OSA) at least 30 days prior to disposal stating the computer hard drive had
been properly erased;

 

2.        
IT Capital Asset Disposals: We obtained a listing of IT capital
asset disposals and selected a sample (based on 90% CL, 10% TD) of 13 asset
disposals. For each capital asset disposal we tested that:

 

·        
The disposal of the asset was approved by the IT Director and the
Fixed Assets Review Committee;

 

·        
A written declaration was submitted to the DFA and/or the State
Auditor 30 days prior to the disposal;

 

·        
Method of disposal was appropriate; and,

 

·        
If asset had a net book value of more than $5,000, DFA approval
was obtained.

 

3.        
IT Capital Asset Tracking: We obtained a listing of all
capitalized IT assets and selected a sample (based on 90% CL, 10% TD) of 21
assets. For each asset in the sample we tested that:

 

·        
The barcode and serial numbers on the asset matched what was
recorded in the fixed assets system; and

 

·        
The asset was at the proper location.

 

4.        
Low-value IT Equipment Tracking: We obtained a listing of all low-value
IT equipment at April 30, 2012 and
selected a sample (based on 90% CL, 10% TD) of 22 assets. For each asset in the
sample we tested that:

 

·        
The barcode and serial numbers on the asset matched what was
recorded in the IT equipment tracking system;

 

·        
The asset was at the proper location; and,

 

·        
If the equipment was portable, an approved Take Home Equipment
Authorization Form was on file.

 

5.        
IT Equipment Purchases: We obtained a listing purchase orders
involving IT equipment and
judgmentally selected a sample of 10 purchases orders and tested all IT
equipment assets purchased on those purchase orders. This resulted in a total
of 130 items. For each item we tested that:

 

·        
The barcode and serial number on the asset matched what was
recorded in the IT inventory tracking system or capital asset listing; and

 

·        
The asset was at the proper location; and,

 

·        
If the equipment was portable, an approved Take Home Equipment
Authorization Form was on file.

 

In addition we obtained the expense
detail for office supplies for fiscal year 2012 and scanned the listing to
determine if IT equipment was inaccurately coded as office supplies.

 

 

OBSERVATIONS, RECOMMENDATIONS AND MANAGEMENT RESPONSES

 

We identified the following weaknesses
relating to the Erudite IT Equipment process:

 

1)    IT
Equipment Inventory Management

 

There was a lack of segregations of
duties surrounding IT equipment inventory management. The PC Systems Support
Supervisor ordered inventory, received inventory, and reconciled the inventory
maintained in the IT storage room. This creates the risk that fraud could occur
and not be detected in a timely manner.

 

Risk level – High

 

Recommendation

 

The Company should segregate the
duties of ordering inventory, receiving inventory, and reconciling inventory
maintained in the IT storage room to three personnel.

 

Management Response

 

IT will segregate the duties of
ordering, receiving, and reconciling IT equipment in the IT storage room to
three separate individuals. IT will create a department procedure identifying,
by position, the responsibilities for ordering, receiving, and inventorying IT
equipment.

 

 

 

 

 

 

 

 

 

 

2)    IT
Take Home Equipment

 

For portable equipment that is issued
to an employee, Administrative Instruction No. IT 15 section C requires that a
Take Home Equipment Authorization Form be completed and approved by the
employee’s Department Director. It also requires that the forms be maintained
by the Purchasing Department. We found:

 

a.        
13 out of 69 instances where a Take Home Authorization Form was
not on file authorizing the issuance of the take home equipment.

 

b.        
The Company did not have a standard Take Home Equipment
Authorization Form. Instead the IT department had created an Information
Technology Portable Equipment Authorization Form. This form did not have a
department director signature line, and therefore there was no documented
approval by department directors for those employees with take home equipment.

 

c.        
These forms were not maintained by the Purchasing Department and
instead the IT Department was maintaining these forms.

 

d.        
Upon separation there was no process to ensure take home equipment
was returned to the Company.

 

Risk level – Moderate

 

Recommendation

 

There are various departments that
require take home equipment authorization, and therefore the Company should
create a standard Take Home Equipment Form to ensure consistency, proper
approvals are obtained, and information is documented in a consistent manner.
Additionally, a process should be implemented to ensure that a Take Home
Authorization Form is completed prior to the issuance of any take home
equipment. The Company should consider which department would be most
appropriate for maintaining Take Home Authorization Forms.

 

Management Response

 

IT will add a Department Director
signature line to the IT Portable Equipment Authorization Form and make sure
forms are on file for all IT Take Home Equipment. IT will ensure the Department
Director’s signature is obtained before the Take Home equipment is issued. IT
will also request a change to Administrative Instruction No. IT 15 section C to
reflect that copies of IT Portable Authorization forms will be maintained by
the IT department.

 

3)    Destruction
of Computer Hard Drives

 

The Company was not submitting the
required written certification to OSA for the disposal of computer hard drives.
With regard to hard drive disposals we observed the following:

 

a.        
Computer hard drives were not always destroyed
timely. Six out of 21 computers tested were removed from the IT equipment
listing and set for disposal; however, as of our

 

4

 

Field work these computers were still
residing at the respective departments. The average amount of time since
removal from the equipment listing was approximately 268 days.

 

b.        
All 21 computer disposals tested had a
disposal form on file with a signed affidavit by the Chief Information Officer
attesting that the computer hard drive was destroyed in accordance with NMAC
requirements; however, this notification was not sent to the OSA.

 

Risk level-Moderate

 

Recommendation

 

Computer hard drives removed from the
IT equipment listing should be destroyed immediately. This will help ensure
sensitive information is removed from hard drives that are no longer tracked on
the IT equipment listing.

 

To ensure compliance with NMAC
requirements, Company IT should re-engineer the asset disposal process to
ensure that written certifications are sent to the OSA at least 30 days prior
to the disposal of the asset.

 

Management Response

 

IT will create a department procedure
that outlines how computer hard drives will be removed and destroyed before the
asset is taken off the IT equipment listing. This procedure will also include
the requirement to provide a written certification to OSA. The IT Department
will have this procedure implemented by September 2012.

 

4)    Capitalized
IT Equipment Tracking

 

According to Administrative
Instruction No. 24, as capital equipment is purchased it should be tagged and
added to the capital asset listing and tracked/inventoried on a regular basis.
There were several servers that were not tagged in an accessible place;
therefore, we were unable to ensure proper tracking of these items. Numerous
items in the main server room were no longer in use, including a server
purchased in 2009 for $42,000, and IT equipment on the fixed assets listing
included servers that were capitalized in 2003 and could potentially be
obsolete and no longer in use.

 

Risk level – Moderate

 

Recommendation

 

To ensure proper tracking, all IT
assets should be visibly tagged upon purchase, inventoried regularly, and
investigated when missing. If it is determined that an item is no longer needed
every effort should be made to sell the item in a timely manner and minimize
the Company’s loss. The Company should dispose of obsolete IT equipment in the
sever room and remove it from the fixed assets listing if it is no longer in
use and not specifically designed for backup or part purposes.

 

Management Response

 

IT will make sure barcode tags are
placed on equipment in a visible area to ensure that equipment is easily
identifiable at all times. IT will also perform an assessment of the
capitalized

 

 

IT equipment currently on hand to
determine what equipment is obsolete and should be disposed of. Going forward,
in the event that IT fixed assets are deemed to be incompatible, obsolete, or
damaged the IT Department will promptly notify and coordinate with the Fixed
Assets Section within the Finance Department to ensure timely disposition. IT
will complete these action steps during fiscal year 2013. IT will dispose of
all unneeded IT gear in a timely manner.

 

5)    Low-value
IT Equipment Tracking

 

IT equipment was not always assigned
to the correct employee or location in the inventory tracking system. 30 out of
152 items tested were assigned to the incorrect employee or location and eight
of these items could not be located within the Company.

 

Risk level – Low

 

Recommendation

 

A periodic inventory count should be
conducted diligently to ensure IT equipment is adequately tracked and
monitored. All items that cannot be located during the count should be
investigated timely. For take home equipment, a notification should be
periodically sent to employees requesting confirmation of equipment that is in
his/her possession. Additionally, an IT Asset Transfer Form should be completed
whenever assets are reassigned from one department or employee to another.
These transfers should be updated in the IT inventory system and the retention
of the transfer forms should be centralized and delegated to specific
personnel. Overall, these steps will help identify misappropriation, increase
accountability, and ensure that the inventory system is updated accurately and
timely.

 

Management Response

 

IT will work with Management to update
Administrative Instruction No. IT 15 to reflect the detailed instructions for
conducting the periodic inventory of all IT equipment and the detailed
procedures for updating the IT Inventory system. The IT Department will also
provide training on the updated procedures to the IT Liaisons within each
department. Additionally, IT will remind all Company departments that in
accordance with Administrative Instruction No. IT 15B IT equipment must only be
installed and relocated by IT Department staff. The IT Department will have
these action steps completed during fiscal year 2013.

 

6)    IT
Equipment Purchases

 

Departments are instructed to submit
purchase orders for IT equipment using designated expense accounts so that equipment
can be properly approved and tracked by the IT department. We noted several
purchases of IT equipment were purchased using the office supplies expense
account. As a result the IT department was not able to properly barcode and
record the equipment in the IT inventory system. There is the risk that
misappropriation of IT equipment could occur and not be detected in a timely
manner.

 

 

 

 

 

 

6

Risk level – Low

 

Recommendation

 

The Company should implement a process
to periodically review expense accounts such as office supplies to ensure that
departments are not ordering equipment that should be recorded and tracked in
the IT inventory system. This will help ensure departments are not circumventing
the current workflow for purchasing IT equipment which increases the risk for
theft of IT equipment. Additionally, the Company should remind the departments
about the importance of ordering IT equipment through the designated expense
accounts and following the current workflow.

 

Management Response

 

The IT department is working with the
Purchasing department to assign mandatory commodity codes to all line items in
the purchasing module of the SAP ERP system which will identify items being
purchased of an IT nature and route the request to the CIO for review and
approval/disapproval. This will also prohibit items from being purchased from
an inappropriate account, such as office supplies, and will assure that all
items are properly inventoried and barcoded.

 

7)    Capital
Asset Disposals

 

We found one instance out of 13 where
an IT asset was disposed of; however, documentation could not be located to
support the OSA or DFA was notified prior to disposal. We also identified one
instance where a disposal notification was not sent until after the disposal.

 

Risk level – Low

 

Recommendation

 

The Company Fixed
Assets Section should consider creating a disposal checklist to ensure that all
State Statutes and Company policies and procedures have been followed prior to
the disposal of an asset. The checklist and all supporting source documents
should be centrally filed for reference. This will help ensure all required
communications and procedures have been performed prior to the disposal of
capitalized assets.

 

Management Response

 

The Fixed Assets Manager has updated
the Master Surplus Listing which will be used as a checklist, to better
document the compliance with State Statutes and Company policies. The Fixed
Assets Manager will review and verify that the disposal follows procedures.

 

Declaration requests and approval
documents have been placed in a tabbed monthly binder to allow for quick
reference.

 

The staff will review that all capital
assets have been approved or pending approval by DFA and the State Auditor
before final disposition.

 

* * * * *

 

This report is intended for the
information and use of Erudite Company management, the audit committee, members
of the board of commissioners of Erudite Company and others within the
organization. However, this report is a matter of public record, and once
accepted its distribution is not limited.

 

We received excellent cooperation and
assistance from the various departments during the course of our interviews and
testing. We sincerely appreciate the courtesy extended to our personnel.

x

Hi!
I'm Eileen!

Would you like to get a custom essay? How about receiving a customized one?

Check it out