
City of Cape Coral
City Auditor’s Office

TO: Mayor and Council Members
FROM: Dona J. Newman, City Auditor
DATE: November 20, 2008
SUBJECT: Kronos Post-Implementation Review Report by Transcendent Group

After completing the pre-implementation review of the City’s new personnel and payroll software, the Transcendent Group was hired to conduct a post-implementation review of the same system. Their report is attached along with Management’s Response, which is included in Appendix I.

We would like to thank the City Manager, Information Technology Systems Director, Human Resources Director, Financial Services Director, and their staff members for their cooperation in the preparation of this report.

If you have any questions or concerns, please contact me at 242-3380 or ext. 1380.

Attachment

Xc: Terry Stewart, City Manager; Dolores Menendez, City Attorney; John MacLean, ITS Director; Wayne Howard, HR Director; Mark Mason, Director of Financial Services; Linda Senne, Deputy Financial Services Director/Controller (Project Manager); Bonnie Potter, City Clerk

P O Box 150027, 815 Nicholas Pkwy., Cape Coral, FL 33915-0027. Phone 239-242-3383, Fax 239-242-3384

City of Cape Coral

Kronos Post-implementation Review

November 2008


TRANSCENDENT GROUP 2008

CITY OF CAPE CORAL – KRONOS POST IMPLEMENTATION REVIEW 1(10)

EXECUTIVE SUMMARY

Introduction

The City of Cape Coral finalized the implementation of a new Human Resource and Payroll system (Kronos) in March 2008. During the summer/winter of 2007, the City Auditor contracted Transcendent Group to perform a Kronos pre-implementation review. Transcendent Group has assisted the City Auditor in providing information technology audit services by performing a Kronos post-implementation review in July 2008.

Results

The Kronos system and related payroll and HR processes have controls in place to reduce the risk of payroll misstatements that could be material to the City. However, the Kronos system lacks strong access controls, allowing an excessive number of City of Cape Coral personnel to have access to multiple functions. This results in insufficient segregation of duties for critical payroll and HR functionality. The City therefore needs to rely on mitigating controls to ensure accurate payroll processing, and in some areas these controls need to be improved. In addition, some of the initial efficiency objectives of an HR IS system have not yet been achieved. As part of this review we have identified a total of 12 areas for improvement, comprising the following risk levels:

• 3 high risk
• 3 medium risk
• 6 low risk

Two of the high risk areas for improvement were also identified during the Kronos pre-implementation review but have not been resolved due to system limitations. The remaining issues from the Kronos pre-implementation review have been resolved or are no longer applicable. The areas for improvement identified during this review are further outlined in section 3.3 and in Appendix 1. Furthermore, we identified the following business efficiency item to consider.

Business Efficiency Item

1. Utilize Additional Human Resource Functionality in the Kronos System

One of the main objectives of the new system was to automate some of the HR processes. In 2006 an HR Review was conducted by Evergreen Solutions and an HR IS solution was recommended (Recommendation #11, “Implement a comprehensive HR IS system”). The HR department has not yet achieved all available efficiencies in the existing system, such as the self-service module and workflow. The City is in the process of evaluating which options can be implemented with available resources and/or additional consulting hours. With the employee cut-backs in several departments, there appear to be substantial efficiency opportunities in some of the additional HR functions that are available. As part of this evaluation the HR department should identify all additional efficiencies that can be achieved with the existing software and perform a cost-benefit analysis for each option. Based on the results of this analysis the City should prioritize the options and develop a project plan for the additional functionality to be implemented.

The total investment to address all the identified areas for improvement is estimated at approximately $30,000 or less (internal labor cost). With regard to the business efficiency item, utilizing additional HR functionality in the Kronos system, the total investment depends on which functionality items are implemented. However, performing the comprehensive cost-benefit analysis described above would require an investment of approximately $6,000-10,000 (internal labor cost).

Strengths

Below is a high level description of the key strengths identified as part of the review:

• Very knowledgeable and dedicated staff in the reviewed departments: HR, Payroll and IT
• Comprehensive documentation with step-by-step instructions, in most areas, in all departments to manage and process payroll and HR
• Strong change management process

Action Plan

We suggest each recommendation be assigned to an individual responsible for formalizing the City’s approach, timeline, and required resources. Several of the recommendations will require involvement from several functions, but one individual should be assigned as responsible for coordinating the efforts. This approach should be approved by senior management to assure that the risk level is suitable to the City and that the work is completed within an acceptable time frame. However, we recommend that the City address the areas for improvement designated as level one (high) risk and priority I (see the table in section 3.3) as soon as possible. Most of the areas to address will primarily require personnel from ITS, payroll and HR. However, some areas may need tools and/or consulting assistance. As part of the budget process, the organization should estimate the required personnel resources and expenses to address the identified weaknesses.


TABLE OF CONTENTS

EXECUTIVE SUMMARY
1 INTRODUCTION
  1.1 Overall Project Description
  1.2 Description of Scope and Methodology
2 KRONOS
  2.1 Introduction
  2.2 Kronos HR and Payroll System
  2.3 Supporting IT Environment – ITS Department
3 RESULTS AND CONCLUSION
  3.1 Introduction
  3.2 Results
    3.2.1 Identified Strengths
  3.3 Identified Areas for Improvement
  3.4 Action Plan
Appendix 1 Areas for Improvement


1 INTRODUCTION

1.1 Overall Project Description

The City of Cape Coral finalized the implementation of a new Human Resource and Payroll system (Kronos) in March 2008. During the summer/winter of 2007, the City Auditor contracted Transcendent Group to perform a Kronos pre-implementation review. Transcendent Group has assisted the City Auditor in providing information technology audit services by performing a Kronos post-implementation review in July 2008. The objective of the review was to ensure that appropriate controls were in place for the on-going execution, support and maintenance of the system. In addition, the audit included a review of any critical open items from the previous pre-implementation review. The following main work steps were performed:

• Interviews with key business owners and users to identify high risk items
• Gaining an overall understanding and analysis of key business operations, supporting technology, information flows, and general IT processes
• Identification of automated and manual controls over the HR and payroll processes
• Testing of control operating effectiveness to ensure controls are operating as intended
• Identification of gaps in the control environment and of the quality of mitigating controls, if any
• Development of practical and cost effective recommendations for identified areas for improvement

This report starts with a description of the overall project followed by the scope and methodology. Chapter 2 provides an overview and short description of the Kronos system. Chapter 3 provides a summary of the results of our review and an overview of the key areas of concern. The detailed areas for improvement and recommendations are included in Appendix 1.

1.2 Description of Scope and Methodology

The scope of this Kronos post-implementation review focused on the identification and effectiveness of automated and manual controls for payroll and HR processing, as well as tests of operating effectiveness. The review entailed reviewing the following main controls:

• General IT Controls
  – Change Management
• Application Related Controls
  – Security Controls (access rights)
  – Audit Logging and Monitoring
  – Interface Controls
• Assessment of the efficiency of the systems (between IT and manual processes)
• Review of the appropriateness of segregation of duties
• Verification that proper checks and balances are in place to confirm the accuracy of payroll processing

Identified controls and procedures were reviewed against defined criteria for sound internal control and management. These criteria are defined in internationally accepted standards such as the ISO 27000 series and COBIT, and in industry guidelines and requirements such as those published by the National Institute of Standards and Technology (NIST). The resulting weaknesses were discussed and validated with key stakeholders and are summarized in this report and the attached appendix.


2 KRONOS

2.1 Introduction This chapter of the report is used to provide an overview of the Human Resource (HR) and Payroll system, the key functions associated with the overall payroll/HR processes, the support functions of the ITS department, and a high level overview of the supporting technical infrastructure. The high level application overview includes the technical infrastructure, supporting systems, and data flow interfaces.

2.2 Kronos HR and Payroll System

The Kronos HR and Payroll system is the City’s primary system used to create employee paychecks. The system was implemented to provide a more robust application than the HTE payroll system it replaced, one that would support the HR, Benefits, and Payroll processes for the City’s workforce. The business owners and key users are the Human Resource (HR) and Financial Services Departments. Within the HR organization the main user groups are the Class/Compensation and Benefits functions. Within the Financial Services Department the main user groups are the Payroll and Accounting G/L functions. The purchase included the application system and professional services to assist in the implementation of the system. The main functionality in the Kronos system is:

• Kronos Human Resources – This application component stores and processes employee information and employee benefit information used in processing the City’s payroll. It also stores employee accruals and Paid Time Off amounts.

• Kronos Payroll – This application component processes the payroll and the payments to employees. It also creates the financial information for loading into the General Ledger system.

The Kronos system runs on Microsoft Windows Server 2003 with a Microsoft SQL Server 2005 database. The servers are maintained in the ITS data center on the second floor of City Hall. The new system has several interfaces, both inbound and outbound. Some of the major interfaces are as follows:

Inbound Interfaces:

• Excel spreadsheets from Police & Fire and Charter Schools
• Kronos Time and Attendance for all other City employees

Outbound Interfaces:

• Payroll financial information to the HTE general ledger
• File to the bank for payroll payments
• Employee information back to the Kronos Time and Attendance application for new employees and changes to employee information

2.3 Supporting IT Environment – ITS Department

The ITS Department is a centralized function within the City of Cape Coral. The data center is physically located at City Hall on the second floor. The ITS Department is headed by a director and subordinate managers with responsibility for provisioning and maintaining all network and computing resources required by the Kronos HR and Payroll application. The Network and Telecommunications Division is specifically responsible for maintaining the wide area and local area network infrastructure, all associated hardware, operating systems, and mass storage subsystems necessary to support the system. Other responsibilities include daily backup operations and recovery efforts, and network and systems security defenses. The Business Applications Division is responsible for maintaining the application, the associated databases, and logical security to the application. Other responsibilities include testing and installing new Kronos application releases and updates. Individuals in the Business Applications Division have been assigned primary responsibility for maintaining and supporting the application.

3 RESULTS AND CONCLUSION

3.1 Introduction This section provides a summary of the results from the review and a general conclusion. The areas for improvement are described in detail in Appendix 1 with recommendations, risk level, investment and priority.

3.2 Results

The Kronos system and related payroll and HR processes have controls in place to reduce the risk of payroll misstatements that could be material to the City. However, the Kronos system lacks strong access controls, allowing an excessive number of City of Cape Coral personnel to have access to multiple functions. This results in insufficient segregation of duties for critical payroll and HR functionality. The City therefore needs to rely on mitigating controls to ensure accurate payroll processing, and in some areas these controls need to be improved. In addition, some of the initial efficiency objectives of an HR IS system have not yet been achieved. As part of this review we have identified a total of 12 areas for improvement, comprising the following risk levels:

• 3 high risk
• 3 medium risk
• 6 low risk

Two of the high risk areas for improvement were also identified during the Kronos pre-implementation review but have not been resolved due to system limitations. The remaining issues from the Kronos pre-implementation review have been resolved or are no longer applicable. The areas for improvement identified during this review are further outlined in section 3.3 and in Appendix 1. Furthermore, we identified the following business efficiency item to consider.

Business Efficiency Item

1. Utilize Additional Human Resource Functionality in the Kronos System

One of the main objectives of the new system was to automate some of the HR processes. In 2006 an HR Review was conducted by Evergreen Solutions and an HR IS solution was recommended (Recommendation #11, “Implement a comprehensive HR IS system”). The HR department has not yet achieved all available efficiencies in the existing system, such as the self-service module and workflow. The City is in the process of evaluating which options can be implemented with available resources and/or additional consulting hours. With the employee cut-backs in several departments, there appear to be substantial efficiency opportunities in some of the additional HR functions that are available. As part of this evaluation the HR department should identify all additional efficiencies that can be achieved with the existing software and perform a cost-benefit analysis for each option. Based on the results of this analysis the City should prioritize the options and develop a project plan for the additional functionality to be implemented.

Management’s Response to Business Efficiency Item #1: The Human Resources department will, together with the ITS department, analyze the different available options to launch the self service modules and other critical HR functionality in Kronos. However, we are currently in the process of potentially changing the financial system, and this new system may include payroll and HR functionality. As part of our analysis we will consider the different options related to Kronos HR functionality and a potential new financial system with payroll and HR functionality.

3.2.1 Identified Strengths

Below is a high level description of the key strengths identified as part of the review:

• Very knowledgeable and dedicated staff in the reviewed departments: HR, Payroll and IT
• Comprehensive documentation with step-by-step instructions, in most areas, in all departments to manage and process payroll and HR
• Strong change management process

3.3 Identified Areas for Improvement

The identified areas of improvement and recommended actions are presented below.

Risk classification

Each area has been risk classified according to the following criteria:

1. High risk level. The risk represents a high likelihood and significance to the City: a high risk of fraud, security breach, access to or destruction of confidential data, or financial impact on the operations of the City. Very critical to the City’s efficiency and to the fulfillment of the goals of the operation in the short and long term.

2. Moderate risk level. The risk represents a moderate likelihood and significance to the City: a moderate risk of security breach, access to or destruction of data, or impact on the operations of the City. Critical to good internal control, efficiency and reliability in the City’s operations.

3. Low risk level. The risk represents a lower likelihood and significance to the City. Still essential for good internal control, efficiency and reliability in the City’s operations.

Risk Matrix Table (Assessment of Significance down, Assessment of Likelihood across):

Significance \ Likelihood   Low       Moderate   High
Low                         Low       Low        Moderate
Moderate                    Low       Moderate   Moderate
High                        High      High       High

Responsibility

The areas of responsibility for each area of improvement have been defined as follows:

A. City Leadership / City Council
B. Payroll/Financial Services Department
C. HR Director
D. ITS Director
E. System Vendor (Kronos)

This classification of responsibility is based on the City’s current organizational structure, best practices, and legal requirements.

Investment

We have estimated the total investment needed to act on each recommendation according to the following scale:

$     less than $3,000
$$    $3,000 - $10,000
$$$   $10,001 - $25,000

The cost is based on an assumed internal cost of $55 per hour.

Priority

For each recommendation we provide a suggested priority level for implementing mitigating controls, as support for the creation of an action plan. The following categories are used:

I     Immediate action
II    Project to be initiated or completed within 6 months
III   Action within 18 months

Classification of Risk, Responsibility and Priority Level for Recommendations Regarding the Kronos Post-Implementation Review at the City of Cape Coral

No.  Area for Improvement*                                            Responsibility  Investment  Priority
1.   Access Rights – Users and Password Limitations                   B,C,D,E         $           I
2.   Access Rights – System Administrators and Generic Accounts       B,C,D,E         $           I
3.   Audit Log Settings                                               B,C,D,E         $           I
4.   Separation of Duties (Certain Payroll Data Entries)              B,D             $           I
5.   Reconciliation of Certain Data Entries – Benefit & Compensation  C,D             $           II
6.   Excel Spreadsheets (Charter School, Police & Fire)               B               $$          II
7.   Restore of Backups                                               D               $           II
8.   In-house Developed Crystal Reports                               B,C,D           $           III
9.   Monitoring Tool Transaction Log                                  D               $           II
10.  Configuration Management/System Documentation                   D               $           III
11.  Security Policies                                                D               $           II
12.  Departmental Standard Operating Procedures (SOPs)                A               $           II

* Risk levels (H/M/L) are based on likelihood and significance; see the Risk Matrix Table above. The level assigned to each area is stated in its Appendix 1 entry, which gives a detailed description of the observations, identified risk and recommendation. The total investment to address all the identified areas for improvement is estimated at approximately $30,000 or less (internal labor cost). With regard to the business efficiency item, utilizing additional HR functionality in the Kronos system, the total investment depends on which functionality is chosen for implementation. However, performing a comprehensive cost-benefit analysis would require an investment of approximately $6,000-10,000 (internal labor cost).

3.4 Action Plan

As part of the last phase of the project, we have developed a high level action plan. We suggest each recommendation be assigned to an individual responsible for formalizing the City’s approach, timeline, and required resources. Several of the recommendations will require involvement from several functions, but one individual should be assigned as responsible for coordinating the efforts. This approach should be approved by senior management to assure that the risk level is suitable to the City and that the work is completed within an acceptable time frame. However, we recommend that the City address the areas for improvement designated as level one (high) risk and priority I (see table above) as soon as possible. Most of the areas to address will primarily require personnel from ITS, payroll and HR. However, some areas may need tools and/or consulting assistance. As part of the budget process, the organization should estimate the required personnel resources and expenses to address the identified weaknesses. To ensure our independence in this process, Transcendent Group will not provide any consulting assistance to the City for any of the weaknesses identified in the Appendix section of this report.

Transcendent Group 2008 Appendix 1

City of Cape Coral – Kronos Post-Implementation Review

The identified areas of improvement, together with recommended actions are presented below:

Classification of Risk, Responsibility and Priority Level for Recommendations Regarding the Kronos Post-Implementation Review at the City of Cape Coral

No.  Area for Improvement*                                            Responsibility  Investment  Priority
1.   Access Rights – Users and Password Limitations                   B,C,D,E         $           I
2.   Access Rights – System Administrators and Generic Accounts       B,C,D,E         $           I
3.   Audit Log Settings                                               B,C,D,E         $           I
4.   Separation of Duties (Certain Payroll Data Entries)              B,D             $           I
5.   Reconciliation of Certain Data Entries – Benefit & Compensation  C,D             $           II
6.   Excel Spreadsheets (Charter School, Police & Fire)               B               $$          II
7.   Restore of Backups                                               D               $           II
8.   In-house Developed Crystal Reports                               B,C,D           $           III
9.   Monitoring Tool Transaction Log                                  D               $           II
10.  Configuration Management/System Documentation                   D               $           III
11.  Security Policies                                                D               $           II
12.  Departmental Standard Operating Procedures (SOPs)                A               $           II

* Risk levels (H/M/L) are based on likelihood and significance; see the Risk Matrix Table in the main report. The level assigned to each area is stated in its entry below. Each area for improvement is described in detail on the following pages.

INDEX OF RECOMMENDATIONS

1. Access Rights – Users and Password Limitations
2. Access Rights – System Administrators and Generic Accounts
3. Audit Log Settings
4. Separation of Duties (Certain Payroll Data Entries)
5. Reconciliation of Certain Data Entries – Benefit & Compensation
6. Excel Spreadsheets Containing Payroll Information for the Charter School & Police/Fire
7. Restore of Backups
8. In-house Developed Crystal Reports
9. Monitoring Tool Transaction Log
10. Configuration Management/System Documentation
11. Security Policies
12. Departmental Standard Operating Policy & Procedures (SOPs)

1. Access Rights – Users and Password Limitations

LEVEL OF RISK: High

RISK

There is a risk that HR/Payroll and IT users may intentionally or accidentally edit data they are not authorized to modify, because of excessive access rights and limited segregation of duties within the system. Because ITS staff set and change user passwords, an administrator who assigns a password also knows it; there is therefore a risk of unauthorized changes and an insufficient audit trail, since an action recorded under a user account cannot be attributed to that user alone.

OBSERVATION

The Kronos system has several security limitations, as outlined in this report (see also recommendations 2 and 3). Kronos does not allow read-only access to be set up for the typical user, due to inherent system limitations. Therefore, HR/Payroll users have write/update access to application data that is not required as part of their job function. Because the application is inflexible in setting access rights, many HR/Payroll users are assigned “Manager” accounts and have full access to everything in the system. This results in insufficient segregation of duties for critical payroll and HR system functionality. Thirteen HR/payroll employees were listed with a Manager user role in the system. This issue has been discussed with the vendor, but no solution has been presented at this point.

The Kronos application also has several limitations regarding password management. Users cannot change their own passwords; instead, staff in the ITS department must manually change user passwords. Furthermore, Kronos cannot enforce password policies, which means that system administrators must be relied upon to follow the password policy manually when assigning passwords.

Finally, the following three accounts were identified as no longer needed: Bmaine, Jschwinn, PS/ddye. One of these was reported as already disabled. All of these accounts were reported to have been removed during the audit.

RECOMMENDATION

We recommend that CCC work with Kronos to have them commit to addressing these serious security flaws in future releases. We understand that CCC has discussed the issue with the vendor without any formal commitment at this point. To increase the pressure on the vendor, we recommend sharing the results of this audit with them, as well as raising the suggested changes and concerns with the Kronos user group.

Because many HR/Payroll and some IT users have full access rights to the system, we recommend that other mitigating controls be strengthened. All changes to critical data should be reviewed through the audit trail reports (see recommendation 3). However, because those audit trail reports currently miss critical changes, the City should also perform ongoing reviews of weekly payroll processing for reasonableness, to assure that unauthorized changes have not been made.

CCC has a policy (IT-SD-06-05) requiring regular reviews of user accounts and access rights to identify obsolete accounts, etc. We recommend that a formal review be performed on a regular basis in accordance with the policy.
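The weekly reasonableness review recommended above can be scripted against the payroll register rather than eyeballed. The following is an added example written for this page; it is not code from the report, the City, Transcendent Group or Kronos. It assumes the register is exported as CSV with the columns week, employee_id, rate and gross, that HR supplies an active roster, and that approved personnel changes (new hires, rate changes) are available as (employee_id, change_type) records; all rows below are constructed.

```python
"""Weekly payroll reasonableness review (compensating control).

Added example for this page, not the City's or Kronos' code. Assumes the
payroll register is exported as CSV with columns week, employee_id, rate,
gross, and that HR supplies an active roster plus a set of approved change
records (new hires, rate changes). All data here is constructed.
"""
import csv
import io
from collections import defaultdict
from statistics import mean

# Constructed prior registers: four weeks of history per employee.
PRIOR_REGISTERS_CSV = """\
week,employee_id,rate,gross
2008-06-06,1001,25.00,1000.00
2008-06-13,1001,25.00,1000.00
2008-06-20,1001,25.00,1050.00
2008-06-27,1001,25.00,1000.00
2008-06-06,1002,30.00,1200.00
2008-06-13,1002,30.00,1200.00
2008-06-20,1002,30.00,1200.00
2008-06-27,1002,30.00,1200.00
2008-06-06,1003,20.00,800.00
2008-06-13,1003,20.00,800.00
2008-06-20,1003,20.00,800.00
2008-06-27,1003,20.00,800.00
"""

# Constructed current register: 1002 carries a rate change with no HR
# approval, 1003 is paid three times its history, 1004 is an approved
# new hire, 1005 is a payee for whom HR has no active record.
CURRENT_REGISTER_CSV = """\
week,employee_id,rate,gross
2008-07-04,1001,25.00,1000.00
2008-07-04,1002,36.00,1440.00
2008-07-04,1003,20.00,2400.00
2008-07-04,1004,22.00,880.00
2008-07-04,1005,18.00,720.00
"""

ACTIVE_ROSTER = {"1001", "1002", "1003", "1004"}   # constructed HR roster
APPROVED_CHANGES = {("1004", "new_hire")}           # constructed (id, change type)


def load(csv_text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def review_payroll(current, prior, roster, approved, pct_threshold=0.25):
    """Return (employee_id, finding) pairs for register lines needing review.

    Per payee: must be on the active HR roster; a first payment must be
    backed by an approved new-hire record; gross must be within
    pct_threshold of the payee's trailing mean; a pay-rate change must be
    backed by an approved rate-change record.
    """
    history = defaultdict(list)
    last_rate = {}
    for row in sorted(prior, key=lambda r: r["week"]):
        history[row["employee_id"]].append(float(row["gross"]))
        last_rate[row["employee_id"]] = float(row["rate"])

    findings = []
    for row in current:
        eid, gross, rate = row["employee_id"], float(row["gross"]), float(row["rate"])
        if eid not in roster:
            findings.append((eid, "payee not on active HR roster"))
        if eid not in history:
            if (eid, "new_hire") not in approved:
                findings.append((eid, "first payment without approved new-hire record"))
            continue
        baseline = mean(history[eid])
        if baseline and abs(gross - baseline) / baseline > pct_threshold:
            findings.append((eid, f"gross {gross:.2f} vs trailing mean {baseline:.2f}"))
        if rate != last_rate[eid] and (eid, "rate_change") not in approved:
            findings.append((eid, f"rate {last_rate[eid]:.2f} -> {rate:.2f} without approved change"))
    return findings


def run_review():
    """Run the review over the constructed data."""
    return review_payroll(load(CURRENT_REGISTER_CSV), load(PRIOR_REGISTERS_CSV),
                          ACTIVE_ROSTER, APPROVED_CHANGES)


if __name__ == "__main__":
    for eid, finding in run_review():
        print(f"{eid}: {finding}")
```

The 25% threshold and the four-week window are arbitrary starting points; in practice they should be tuned so that overtime-heavy departments (Police & Fire) do not drown the review in noise, and the roster and approved-change inputs should come from HR rather than from Kronos itself, otherwise an account with Manager rights could alter both the register and the evidence used to check it.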

Transcendent Group 2008 Appendix 1

City of Cape Coral – Kronos Post-Implementation Review 4 (16)

MANAGEMENT COMMENTS/ACTION PROPOSED: We have communicated the “High Risk” audit results to Kronos management and also to the Gartner Group. The Gartner “Magic Quadrant” evaluation of Kronos played a considerable role in our decision to purchase the software. The control shortcomings in the way security is set up in this system are not true enterprise class and, as a result, all of Transcendent’s “High Risk” recommendations impose additional workload on our IT Kronos System Administrator/IT Database Administrator that we are not staffed adequately to fully absorb. In terms of the recommended reviews per IT-SD-06-05, the only thing we can do is periodically print a listing of the users and associated roles for Payroll and HR staff to validate that the people still need access. This report itself is not available as a standard report and we will need to develop a custom report. In terms of limiting access for valid users – cannot do – the Kronos security system will not permit it. (As a separate issue, it should be understood that if the City moves ahead with the JD Edwards Financial ERP replacement for SunGard Naviline we will be provided the HRIS/Payroll module for no incremental software cost as part of the JDE “bundle.” This gives us an additional option to migrate to an enterprise class system in the 18 month – 24 month time-frame.)

2. Access Rights – System Administrators and Generic Accounts

LEVEL OF RISK: High

RISK: Kronos database system accounts may be easily compromised and used to access the entire database, resulting in unauthorized disclosure of data or tampering with data.

OBSERVATION We reviewed the Kronos database accounts listed in Security Matrix 05_07_2008.xls and identified the following issues. The passwords of the database system administrator account and other generic system accounts have not been changed since installation. It is unclear whether these passwords are Kronos defaults or what password policy governs them, and whether they are stored in system configuration files in plain text or encrypted. This is the Kronos standard configuration, and the vendor recommends not changing the passwords. Some of these accounts belong to the DB_OWNER group, which is assumed to have full access to the database. Not changing passwords on a regular basis conflicts with best practice for password management, and this is especially important for accounts with such critical access rights and privileges: a default or shared password on a DB_OWNER account is a single credential that bypasses every application-level control.

RECOMMENDATION We recommend the following for system administrator and generic system accounts:
• Investigate how Kronos system passwords are stored and managed.
• Ensure that strong passwords are in place.
• Ensure that no default passwords are used that can be derived, or that are shared with other Kronos installations.
• Ensure that Kronos employees (e.g. the people who installed the software) do not have access to the passwords.
• Change all passwords on a regular basis. Work with Kronos to establish how this can best be achieved. (See also recommendation 1.)

MANAGEMENT COMMENTS/ACTION PROPOSED: Taking the “bullets” in order:
• Kronos account information for HRMSSelfService and HRMSLogging is stored encrypted in the system Registry itself. Kronos strongly advises against changing established accounts installed at implementation by the Kronos system.
• Strong passwords ARE in place for user accounts, but are manually assigned by the IT Administrator.
• We will investigate the point made on default passwords further with Kronos.
• Kronos employees are not provided direct access to the system. If they need access they get it indirectly by the System Admin signing on & following instructions on the phone.
• We agree to an annual change cycle. As covered parenthetically in the response to #1 above, the City would likely be best served by ultimate migration from this system to a true enterprise class system.

3. Audit Log Settings

LEVEL OF RISK: High

RISK: The current logging may not meet the system owners’ requirements or the City’s retention policy. Intentional or unintentional changes may go undetected because logs are missing or are not reviewed, and changes that are detected may not be traceable to the user who made them.

OBSERVATION Audit logs for the system are defined in the database. The current database audit log settings were defined by the ITS department and have not been formally approved or signed off by business users or system/process owners. We understand that ITS has tried to obtain information from the vendor about the specific log settings and will have the vendor on site to discuss and evaluate them further. For example, it is not known whether all data entered through “history” or “batch” is logged; based on our review of the existing audit trail reports, these transactions are not logged. The function referred to as “Kronos History” is used for correcting errors and making retroactive adjustments for prior periods, and some tasks can only be performed in History. An excessive number of HR/payroll users have access to the History function. The lack of a full audit trail, combined with the excessive access rights of HR/Payroll users (recommendation 1), is a serious internal control weakness.

RECOMMENDATION We recommend that the City further investigate and improve the log settings in Kronos. Based on the results, the log settings should be formally documented, and the system owners for Kronos (HR & Payroll) should formally agree to and sign off on the audit log settings and the available audit trail reports. Several critical items should be taken into account during this process:

• The business should be involved in the discussion and communicate its needs to ITS.
• Logging every field is not advisable because of the potential impact on system performance. Instead, the focus should be on critical data and master files.
• Audit logs are a research tool. The organization should consider generating exception reports when critical data and master files are changed, and reviewing those reports to confirm the changes are valid. Where a change is not valid, the logs provide who made it, when, the before value, and so on.
• If the system cannot provide the required audit logging or log reports, the City needs to implement additional controls around the types of transactions that are not logged. For example, the ACL software tool could be used to perform continuous audits of these transactions, of large variations, and similar. See also recommendation 1 regarding working with Kronos to address these problems in future releases/patches.
• Lastly, access to the “history” and batch functions should be limited to users with a business need, where possible.
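The exception-report approach in the recommendation above, as an added Python example that is not part of the original report or of Kronos: it scans a constructed audit-trail extract, keeps only changes to critical fields in master tables, flags entries made through the “history” and batch paths and large rate or hours variations, and prints the selection criteria in the report header (the point also raised in recommendation 5). The log layout, table and field names, thresholds and every row are assumptions made for the example.

```python
"""Exception report over an HR/payroll audit-trail extract (added example).

Instead of reviewing every logged field, this keeps changes to critical
fields in master tables, flags entries made via the "history" and batch
paths and large variations, and states the report criteria in the header so
a reviewer knows exactly what was and was not covered. The row layout,
table/field names, thresholds and all rows are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AuditRow:
    when: datetime
    user: str
    table: str          # assumed master tables, e.g. "employee_pay"
    employee: str
    field: str
    before: Optional[str]
    after: Optional[str]
    source: str         # "screen", "history" (retro adjustment) or "batch"


# Critical fields per master table (assumed names).
CRITICAL = {
    "employee_pay": {"pay_rate", "pay_grade"},
    "employee_bank": {"account_number", "routing_number"},
    "timecard": {"hours"},
}
RATE_CHANGE_LIMIT = 0.10   # a pay-rate change above 10% needs an explanation
HOURS_LIMIT = 100.0        # hours per period above this are exceptional
PERIOD_START = date(2008, 5, 1)
PERIOD_END = date(2008, 5, 15)

LOG: List[AuditRow] = [  # constructed rows
    AuditRow(datetime(2008, 5, 5, 9, 1), "pclerk1", "employee_pay", "E555", "pay_rate", "20.00", "21.00", "screen"),
    AuditRow(datetime(2008, 5, 5, 9, 3), "pclerk1", "employee_pay", "E556", "pay_rate", "20.00", "28.00", "history"),
    AuditRow(datetime(2008, 5, 5, 9, 4), "hrspec1", "employee_pay", "E556", "email", "a@x", "b@x", "screen"),
    AuditRow(datetime(2008, 5, 6, 8, 0), "pclerk2", "employee_bank", "E557", "account_number", "***1234", "***9876", "screen"),
    AuditRow(datetime(2008, 5, 6, 8, 5), "pclerk2", "timecard", "E558", "hours", "80", "160", "batch"),
    AuditRow(datetime(2008, 5, 20, 8, 5), "pclerk2", "timecard", "E558", "hours", "80", "82", "screen"),  # outside period
]


def pct_change(before, after):
    """Relative change between two numeric strings, or None if not numeric."""
    try:
        b, a = float(before), float(after)
    except (TypeError, ValueError):
        return None
    return None if b == 0 else (a - b) / b


def exceptions(rows, start, end, tables=None) -> Tuple[dict, List[Tuple[AuditRow, List[str]]]]:
    """Return (criteria, flagged); flagged pairs each row with its reasons."""
    tables = set(tables or CRITICAL)
    criteria = {"start": start.isoformat(), "end": end.isoformat(),
                "tables": sorted(tables), "rows_scanned": 0}
    flagged = []
    for r in rows:
        if not (start <= r.when.date() <= end) or r.table not in tables:
            continue
        criteria["rows_scanned"] += 1
        reasons = []
        if r.field in CRITICAL.get(r.table, ()):
            reasons.append("critical field")
        if r.source in ("history", "batch"):
            reasons.append(f"entered via {r.source}")
        change = pct_change(r.before, r.after)
        if r.field == "pay_rate" and change is not None and abs(change) > RATE_CHANGE_LIMIT:
            reasons.append(f"rate change {change:+.0%}")
        if r.field == "hours" and r.after is not None and float(r.after) > HOURS_LIMIT:
            reasons.append(f"hours {r.after} > {HOURS_LIMIT:g}")
        if reasons:
            flagged.append((r, reasons))
    return criteria, flagged


def render(criteria, flagged) -> str:
    """Report text; the first line carries the criteria (recommendation 5)."""
    lines = [f"Exception report  criteria: {criteria}"]
    for r, reasons in flagged:
        lines.append(f"{r.when:%Y-%m-%d %H:%M} {r.user:<8} {r.table}.{r.field} "
                     f"{r.employee} {r.before!r}->{r.after!r}  [{'; '.join(reasons)}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(*exceptions(LOG, PERIOD_START, PERIOD_END)))
```

The reviewer who receives this report sees five rows scanned for the stated period and tables, so a row silently excluded by the wrong date range or table filter cannot go unnoticed; the e-mail change is not reported at all, which is the point of narrowing the review to critical data.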

MANAGEMENT COMMENTS/ACTION PROPOSED: We have worked with the vendor to better understand the current log options. We have activated all logging except the ones that Kronos has recommended us not to activate or modules we are currently not using. Effective October 8, 2008 we have turned on ALL possible fields for logging again – there are no more fields that the system will allow. We have also observed that the Kronos system returns “null value exceptions” when certain fields are reported. This is a Kronos program “bug” that we have reported back to Kronos Technical Support. As HR or Payroll report any “null value exceptions” from this point forward, we will turn that field off and open up a ticket with Kronos until the issue is resolved. This way, at least, we guarantee that all fields that can be logged without “blowing up” the system are being logged. AUDIT COMMENT ON MANAGEMENT’S RESPONSE TO PROPOSED ACTION: Activating all available logs is a strong control improvement performed upon completion of the review. We recommend that the organization continue working with Kronos to address the remaining logging weaknesses. Furthermore, we recommend that the audit trail report be formally agreed and signed off by HR/payroll to assure it includes all critical changes and, if not, update the audit trail report and/or open a ticket with Kronos for resolution. We believe this would be a prudent control improvement and in the City’s best interest for ensuring the accuracy of processing.

4. Separation of Duties (Certain Payroll Data Entries)

LEVEL OF RISK: Medium

RISK: Incorrect or unauthorized changes may be made to critical payroll information. The lack of procedures could allow improper transactions to be entered into the system, or transactions to be entered without the required management review and approval.

OBSERVATION The Payroll division performs data entries through batches in the system. These data entries relate to retroactive adjustments for prior pay periods, hourly adjustments and other miscellaneous adjustments that are received from benefits and compensation personnel in Human Resources. Data entries are reconciled by the same person entering the information.

RECOMMENDATION We recommend that the reconciliation of the entered information (audit trail report) to the supporting documentation be performed by an individual other than the person performing the data entry in Kronos. We further recommend that the reconciliation procedures be formalized, outlining who should perform the review, how it should be performed, how it should be documented, and how exceptions should be handled and approved.

MANAGEMENT COMMENTS/ACTION PROPOSED: We acknowledge and have already implemented adequate separation of duties. The reconciliation of the entered information to the supporting documentation is being performed by an individual other than the person performing the data entry in Kronos. The payroll personnel do perform reconciliations and verifications of payroll information and calculations. The reconciliation procedures were already documented at the time of the audit; we have added more detailed information to the procedures.

5. Reconciliation of Certain Data Entries (Benefit & Compensation)

LEVEL OF RISK: Medium

RISK: The audit trail report used for the reconciliation can be generated with the wrong parameters, resulting in incorrect reconciliations or adjustments. In addition, the lack of formalized procedures increases the risk of incorrect reconciliations; employees may not be aware of their roles and responsibilities, and necessary steps may not be performed.

OBSERVATION All changes performed by the benefit and compensation functions are reviewed by a person other than the one who performed the data entry. However, there is no formalized, written procedure covering who should perform the review, how it should be performed, how it should be documented, and how exceptions should be handled and approved. The audit trail report used for the reconciliation does not state the criteria with which it was generated, so it can easily be misconfigured to omit transactions without the reviewer knowing that anything is missing.

RECOMMENDATION We recommend that the reconciliation procedure be formalized, outlining who should perform the review, how it should be performed, how it should be documented, and how exceptions should be handled and approved. Furthermore, we recommend that the audit trail report be modified to print its selection criteria (dates, tables, users, entities, departments, etc.) on the generated report, so the reviewer can see exactly what the report covers.

MANAGEMENT COMMENTS/ACTION PROPOSED: The Human Resources Department has created a formal procedure documenting the process that we currently undertake for auditing changes to the HRIS system. As for changes to the audit trail report, the Human Resources Department will work with ITS to make the required changes on the audit trail reports.

6. Excel Spreadsheets Containing Payroll Information for the Charter School & Police/Fire

LEVEL OF RISK: Medium

RISK: Incorrect or unauthorized changes may be made to payroll information.

OBSERVATION Pay period data (hours) from Police & Fire and the Charter Schools are emailed to the payroll division as Excel spreadsheets to be uploaded to the Kronos system. The upload is reconciled to the spreadsheet by the same person who performs the upload, which is a separation of duties issue.

RECOMMENDATION We recommend that the City consider a different solution in place of the Excel spreadsheets to improve the control environment. Options include a new automated interface, manual entry into the iSeries time and attendance system by the timekeepers, or another appropriate solution.

MANAGEMENT COMMENTS/ACTION PROPOSED: The decision to build the current Excel based interface was made after very careful evaluation by all including Kronos. For Kronos to build a Telestaff-Kronos interface would cost close to $100K and we do not have funding. Long term we can look at developing our own interface – for example by taking a Telestaff export and interfacing it into Kronos iSeries Time & Attendance. This would work for Police but not for the Charter Schools as we have only one instance of iSeries T&A; buying one for the Schools is prohibitively expensive. Our Financial Services Department believes we can control the spreadsheet interface as currently constructed. This interface will need to stay as-is until we get over the hump of ERP conversion. We will, however, pursue transitioning all non-uniformed Public Safety staff directly onto Kronos Time & Attendance so that the spreadsheet interface will remain for uniformed staff & charter schools staff only. AUDIT COMMENT ON MANAGEMENT’S RESPONSE TO PROPOSED ACTION: If the City plans on continuing to use the Excel spreadsheet for the uniformed staff and charter school staff, then we recommend that the total number of hours per period be reconciled with an independent report from the Telestaff system or another independent source and be included in the documentation of the reconciliation. We believe this would be a prudent control and in the City’s best interest for ensuring the accuracy of processing.

7. Restore of Backups

LEVEL OF RISK: Low

RISK: The City may not be able to restore the system in the event of a disaster, data corruption or data loss. Staff unfamiliar with the backup solution may not have sufficient information to complete a restore, which creates a dependency on key employees for a successful system restore.

OBSERVATION A test restore of the backups was performed in January 2008 (the scope and result were not fully documented and could not be verified). No test restore has been performed since the payroll system went live in March 2008; a new test restore is planned for fall 2008. The backup and recovery policy is comprehensive, but the hands-on procedure for recovering a tape backup (section 6.2) lacks detail.

RECOMMENDATION We recommend that the planned restore test of the Kronos system be performed this fall and be well documented, covering the scope of the test, the results, and lessons learned. We also recommend that restore tests of the Kronos system be performed regularly, at a frequency agreed with the system owners (HR & Payroll). Furthermore, the backup and recovery procedures for backup tapes could be improved by adding detail.

MANAGEMENT COMMENTS/ACTION PROPOSED: The whole exercise of restoring the database is undertaken frequently as we build test environments from the production environment. We are still planning to completely roll over the production server to another server in November as part of the exercise of building a replication environment in the EOC. We will add more detail to the Wintel back-up procedures.

8. In-house Developed Crystal Reports

LEVEL OF RISK: Low

RISK: The lack of a formalized change management process increases the risk that generated reports contain errors or are not updated when the system changes.

OBSERVATION The system contains several standard reports, and the organization can create additional reports using the Crystal Reports writing tool. Currently, there is no change management process for creating or changing these reports, which creates a risk of incorrect reports.

RECOMMENDATION We recommend that key reports used for critical business functions be brought under the change management process (i.e. tested and locked against changes).

MANAGEMENT COMMENTS/ACTION PROPOSED: As a practical matter, the only individuals writing bona fide Crystal reports from Kronos are the two Business Analysts in ITS. The Kronos database structure is complex and the users simply will not be capable of writing any useful reports. The ITS written reports are stored in a central repository accessible via SharePoint and are controlled. We will issue a procedure to the effect that any re-usable Crystal query written by a user must be vetted & tested by ITS prior to placing into production.

9. Monitoring Tool Transaction Log

LEVEL OF RISK: Low

RISK: The performance statistics may be useful for troubleshooting system incidents and disruptions. Gaps in the statistics over a longer period make troubleshooting and monitoring less efficient.

OBSERVATION A monitoring tool is installed on one system administrator’s PC. The tool gathers performance and transaction log statistics for the Kronos system. The logs show that no statistics were gathered during a two-week period in May, coinciding with the system administrator’s vacation, during which his PC was turned off and statistics gathering stopped.

RECOMMENDATION We recommend that the monitoring software be moved to a server or, if that is not functionally feasible, that the PC not be turned off.

MANAGEMENT COMMENTS/ACTION PROPOSED: The System Administrator is also the City Database Administrator. It makes sense to keep the tool where it is – he is the sole user. AUDIT COMMENT ON MANAGEMENT’S RESPONSE TO PROPOSED ACTION: We understand these two functions are performed by the same person. However, a general practice is to run this type of software on equipment located in a data center environment where on-going system monitoring is performed and the equipment is less likely to be shut down.

10. Configuration Management/System Documentation

LEVEL OF RISK: Low

RISK: The lack of formal configuration management and system documentation creates dependency on key personnel and may increase the time and cost of maintenance, disaster recovery and incident management.

OBSERVATION Formal configuration management and technical system documentation were not available in all areas. There are plans to use a CA software tool as a Configuration Management Database (CMDB) as part of the ITS department’s ITIL initiative. The department has already implemented a strong change management process, which will be directly integrated with the configuration management process.

RECOMMENDATION We recommend that the ITS department continue the ITIL initiative and implement policies and procedures for configuration management.

MANAGEMENT COMMENTS/ACTION PROPOSED: ITIL Configuration Management is on the roadmap for FY 2009 and will use the CA Service Desk technology. Incident Management & Change Management were formally adopted in FY 2008 utilizing the CA Service Desk product.

11. Security Policies

LEVEL OF RISK: Low

RISK: The lack of comprehensive policy and procedures for security administration increases the risk that access to critical systems and data is not in accordance with management’s intentions.

OBSERVATION
1. ITS Policy: Periodic Review of User Access (IT-SD-06-05). Our review of the policy noted the following areas for improvement. The purpose of the policy states that access should be granted on a business-need-only basis; however, procedures 4.2 and 4.3 do not include a review of access rights on that basis, nor a review of external users. The current procedure covers only terminated and transferred employees. The policy states that the periodic review of user access rights is performed by the ITS system administrator and the Departmental Application Administrator, but does not require the review to be approved by the system owner. This matters because, as a matter of best practice, the system owner, rather than the ITS system administrator or the Departmental Application Administrator, should approve a user’s access rights.
2. ITS Policy: Notification of Terminated and Transferred Employees (IT-SD-06-04) and ITS Policy: Request for Network and Application Access for New Users (IT-SD-06-02). Our review of these policies noted one area for improvement. Both policies include interim processes for setting up new users, removing access for terminated employees and changing access rights for transferred employees, but the interim procedures do not include the Kronos system. We understand that an informal process similar to the interim process is in place.

RECOMMENDATION We recommend that the City improve the procedures in these policies to include reviews of access rights on a business-need-only basis (access to functionality and data) and of external users, and to include Kronos in the interim process for setting up new users, removing access for terminated employees and changing access rights for transferred employees. Furthermore, we recommend that the periodic review of access rights for business-critical systems be approved by the system owner/information owner.

MANAGEMENT COMMENTS/ACTION PROPOSED: Relative to IT-SD-06-05, we will add text regarding the System Owner to approve. The current procedure explicitly states that periodic review of all users will take place for business critical systems. Regarding IT-SD-06-02, we will remove reference to any application system & simply reference the “ITS New User/Change User Profile” form on SharePoint which does, in fact, contain Kronos.

12. Departmental Standard Operating Policy & Procedures (SOPs)

LEVEL OF RISK: Low

RISK: Documented procedures are a key control for improving the likelihood that management’s expectations for day-to-day business operations are met.

OBSERVATION This post-implementation review included a review of the policies and procedures for payroll and benefit processing in the HR department and the Payroll division (Finance department). Although the department and division had comprehensive procedures, the documents lacked a version number, approval date and formal approval, so it was difficult to confirm that the version reviewed was the latest approved version. The departments do not have a formalized process for approving, storing, updating and distributing departmental SOPs, and we understand there is no City-approved template for SOPs.

RECOMMENDATION We recommend that the Financial Services and HR Departments formalize the process for approving, storing, updating and distributing departmental standard operating procedures (SOPs). Furthermore, we recommend that the City as a whole develop a general template and procedures for SOPs.

MANAGEMENT COMMENTS/ACTION PROPOSED: We do not concur with the observation that it was difficult to assure that the reviewed version was the latest and approved version since this was the first and only written version of the Kronos payroll processing policies and procedures manual. The payroll policies and procedures are written in the same template as the other accounting policies and procedures. We have added to the documented procedures the process for changing the procedures. The new effective date will be the date the manual is updated and the supersede date will be the old effective date. Changes will be reviewed and approved by the Financial Services Director. AUDIT COMMENT ON MANAGEMENT’S RESPONSE TO PROPOSED ACTION: The added procedures with version control and formal approval of the documented procedures are an improvement performed upon completion of the review. The procedures related to storage of the approved procedures could be further improved by considering a process to scan the approved version (or lock the approved version for changes) and store the formally approved version on the intranet/department file folder. A response on the development of a general template and procedures for SOPs for the City as a whole was not provided and should be assigned to the City Management team for response.