CITY AND COUNTY OF - Denver · Accounts Receivable ... Recommendation: ... the City and County of...

Audit Committee, City Council and Management City and County of Denver Denver, Colorado In planning and performing our audit of the financial statements of CITY AND COUNTY OF DENVER (the City) as of and for the year ended December 31, 2016, in accordance with auditing standards generally accepted in the United States of America, we considered the City’s internal control over financial reporting (internal control) as a basis for designing our auditing procedures for the purpose of expressing our opinion on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of the City’s internal control. Accordingly, we do not express an opinion on the effectiveness of the City’s internal control. Our consideration of internal control was for the limited purpose described in the preceding paragraph and was not designed to identify all deficiencies in internal control that might be significant deficiencies or material weaknesses and, therefore, there can be no assurance that all deficiencies, significant deficiencies or material weaknesses have been identified. However, as discussed below, we identified certain deficiencies in internal control that we consider to be material weaknesses. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements of the City’s financial statements on a timely basis. A deficiency in design exists when a control necessary to meet a control objective is missing or an existing control is not properly designed so that, even if the control operates as designed, a control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the City’s financial statements will not be prevented or detected and corrected on a timely basis. A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

Audit Committee, City Council and Management City and County of Denver

We observed the following matters that we consider to be deficiencies or material weaknesses. MATERIAL WEAKNESSES 2016-001 The Airport – Cash Management Criteria or Specific Requirement: An effective financial reporting system is an important component of an internal control system that helps ensure transactions are recorded accurately and timely, thereby providing accurate financial data. Denver International Airport (the Airport) is responsible for establishing and maintaining effective internal controls over financial reporting. Specifically, the Airport should have controls in place to ensure the Airport’s cash balances reconcile to the City Treasury’s pooled cash balances to prevent and detect a material misstatement in the financial statements in a timely manner. Condition: The City and County of Denver (CCD) and the Airport have separate and partially integrated financial systems; CCD uses PeopleSoft and the Airport employs AMS. AMS is considered the Airport's financial book of record. The CCD Controller's department performs a monthly reconciliation of the PeopleSoft cash accounts to the respective bank statements. Accordingly, CCD's PeopleSoft system is considered the book of record for Airport cash. During the audit, it was discovered that the Airport was not properly recording cash wires received. Identification of the cash amounts recorded in the Airport’s general ledger did not reconcile to the cash balances maintained and recorded on the City Treasury’s general ledger throughout 2016. Cash recorded in the Airport’s ledger was approximately $1.3 million higher than the City Treasury’s balance. Effect: Multiple entries were proposed and recorded to correct cash balances in the Airport’s general ledger to reconcile to the City Treasury balance. Cause: Airport accounting performs a reconciliation of cash balances between AMS and PeopleSoft monthly. Historically, unidentified reconciling items have been classified by the Airport as timing issues and carried forward monthly. In the prior year, these unidentified reconciling items between the two systems had not risen to a material balance. (A) Cash wires received for management of the Airport's hotel were transferred monthly to the City Treasury's cash pool. During 2016, Airport management discovered that the Airport Accounts Receivable - Collections department would record the cash received and credit revenue instead of accounts receivable. The Airport's General Accounting - Fixed Assets department, also recorded corresponding revenue and expense activity each month in addition to overall changes in hotel-specific account balances as reported by hotel operations management. This resulted in the double-entry of revenue associated with monthly hotel operations. When Airport


management discovered this, they reversed the cash and revenue entries recorded by the accounts receivable department, which eliminated the additional revenue but also eliminated the corresponding cash receipt, thereby understating cash. As 2016 progressed, the general ledger accounting group continued to record accounts receivable from the hotel operations management group. Because cash was not being applied to relieve the accounts receivable balance, this resulted in a growing receivable balance of $13.6 million at December 31, 2016. Also, monthly differences between the City Treasury's balance for cash and the Airport's balance continued to occur, resulting in an accumulated understatement of $13.6 million between the two entities. (B) Cash wires received for sales of Stapleton land were recorded by the Airport twice – once by Accounts Receivable – Collections to record the cash received and once by General Accounting – Fixed Assets as part of the entry for the sale of land. Therefore cash was overstated by the amount of the sale, approximately $12.1 million. (C) During 2016, variance differences in cash between the City Treasury and the Airport were tracked; however, correcting entries were not made by Airport accounting to adjust for these differences. Identification as a Repeat Finding: Not applicable. Recommendation: We recommend departments within Airport accounting communicate on applicable transactions to help ensure transactions are not being double recorded. Additionally, the Airport should prioritize the identification and timely correction of variances identified each month between the City Treasury’s general ledger and the Airport’s general ledger. We also recommend the Airport continue implementation of a training program to cross-train accounting employees on the process of reconciling cash balances to the City Treasury as well as each department’s roles and responsibilities within the accounting cycle. Views of Responsible Officials and Planned Corrective Actions: We agree with the finding. See separate report for planned corrective actions. 2016-002 Airport – Financial Reporting Criteria or Specific Requirement: Management is responsible for establishing and maintaining effective internal controls over financial reporting. Documented accounting policies and procedures should be available to all employees that outline all employees’ responsibilities, including cross checks and performance of reviews, involved in preparing accurate accounting data and financial information for interim and year-end financial statements.


Condition: During the 2016 audit, a number of variances between account balances and supporting documentation provided were identified. In the aggregate, the variances identified below could be indicative of a larger internal control issue. The following conditions were noted:

1. Recorded Audit Adjustments: Deferred loss on refunding on 2016A Bond transaction was not recorded properly

($3.0 million) Adjustment to vouchers payable in the amount of ($0.1 million) Elimination of 2015 airline credit true-ups that were not properly reversed ($4.6

million) Entry to correct duplication of accrued interest receivable/payable associated with

the interest rate swaps ($2.6 million)

2. Passed Audit Adjustments: Entry to correct overstatement of disposal of assets ($0.8 million) Entry to correct over-capitalization of interest ($2.5 million) Entry to address unreconciled accounts receivable balance ($1.5 million) Entry to reclassify Build America Bond rebate ($1.4 million)

3. Other items not resulting in recorded or passed audit adjustments:

Investment accounts appeared to carry a negative balance at year-end due to lack of recording monthly revenue allocations

Reclassification between long-term and short-term solar notes receivable was not performed

Bond interest payable per bond issuance did not recalculate properly Adjustment for arbitrage liability was not made at year-end

Effect: As outlined above, there were proposed audit adjustments recorded and other proposed audit adjustments waived by management. Without having documented procedures or formal training, employees may be unaware of their responsibilities or others’ responsibilities, which can create a situation where errors occur and go undetected. Cause: The Airport had not updated formal accounting policies for several years. During 2016, there were errors and omissions throughout the year, which resulted in adjusting entries to be proposed. In addition, there was turnover in several accounting positions during the year. Without updated procedures and a lack of cross-training of other accounting personnel, there was little guidance for the current and new accounting staff to follow to ensure all processes and procedures were addressed throughout the year and at year-end.


Identification as a Repeat Finding: Not applicable. Recommendation: We recommend that the Airport continue to develop and complete written policies and procedures documenting all accounting employees’ roles and responsibilities in relation to accounting procedures, as well as audit workpaper preparation. This will become especially important as the Airport transitions to a new financial accounting system during 2017. We also recommend the Airport continue implementation of a training program to cross-train accounting employees on the roles and responsibilities within the accounting and financial reporting cycles, including a more robust review process of transactions. Views of Responsible Officials and Planned Corrective Actions: We agree with the finding. See separate report for planned corrective actions. 2016-003 Single Audit Report – Schedule of Expenditures of Federal Awards Preparation Criteria or Specific Requirement: In accordance with 2 Part 200.510, auditees receiving federal funds must prepare an annual Schedule of Expenditure of Federal Awards (SEFA) detailing the value and type of federal assistance received each year. The federal Office of Management and Budget issues instructions on how to prepare this schedule. Key information to be reported includes the catalog of federal domestic assistance (CFDA) number provided in the federal awards/subaward agreements and associated expenditures incurred in the fiscal year. At the City and County of Denver, the SEFA is prepared by the Controller's Office based on information from the accounting system and additional information provided by the various departments receiving federal funds. Condition: Federal expenditure amounts reported by the Department of Public Works related to the Highway Planning and Construction Cluster had not been reconciled to the general ledger and were found to be inaccurate. Context: One grant within the Highway Planning and Construction Cluster which incorrectly included $5.5 million of expenditures on the SEFA. Total expenditures of $15.8 million originally reported for the Highway Planning and Construction Cluster were reduced by $5.5 million to bring the final expenditures total for the cluster to $10.3 million for the year ended December 31, 2016. Effect: The federal government and pass-through entities rely on the SEFA information to be reported accurately. In addition, accurate SEFA information is relied upon by the auditors in order to perform the major program determination utilized to select the federal programs subjected to single audit procedures. The above condition resulted in an additional major program being selected to meet coverage requirements very late in the audit process.


Cause: Grant management at the City is decentralized and thus departments are responsible for providing the required information to the City's Controller's Office to facilitate the preparation of the SEFA. The Department of Public Works was relying on a series of Excel spreadsheets prepared by department accounting staff to track federal expenditures which were not being periodically reconciled to the general ledger. A detailed review was not completed over these spreadsheets to help ensure accuracy. Identification as a Repeat Finding: Not applicable. Recommendation: We recommend that a more automated system of tracking federal expenditures be implemented, to the extent possible, such as utilizing the general ledger system combined with unique grant identifiers. The new WorkDay system implementation may provide some opportunities for improvement. If Excel spreadsheets continue to be used for the tracking of federal expenditures, the spreadsheets should be reconciled to the general ledger on a regular basis and a detailed supervisor review should be performed. In addition, the Department of Public Works should consider designating a grant manager to oversee all compliance related functions within the department, including the accumulation of total federal expenditures. Views of Responsible Officials and Planned Corrective Actions: We agree with the finding. See separate report for planned corrective actions. DEFICIENCIES 2016 D-1 Accounting and Financial Report for Interfund Receivables/Payables Finding: An interfund loan made between the environmental services fund (enterprise fund) and the general fund in fiscal year 2015 was erroneously recorded as a transfer-out/in instead of a receivable/payable. This was discovered by management and corrected in fiscal year 2016 and a receivable was recorded in the enterprise fund and a payable recorded in the general fund with the corresponding adjustment to revenue/expenditure. Therefore at the end of 2016, the receivable/payable were properly stated but revenue/expenditures was overstated. An audit adjustment for $2 million was proposed, and waived by management, to correct the revenue and expenditures and beginning net position/fund balance for this error. Recommendation: We recommend that management improve controls over the review of interfund activity to ensure all such transactions are recorded correctly. Views of Responsible Officials and Planned Corrective Actions: We agree with the finding. The Budget Management Office will notify the Controller’s Office Financial Services Division when submitting interfund loan journal entries for client agencies. The Controller’s Office Financial Services Division will communicate with the appropriate client agencies to ensure loan


agreement terms are understood and in compliance with Accounting and Financial Reporting guidelines. Person(s) responsible for implementing: Alexandra Esquibel, Financial Manager, Controller’s Office Financial Services Division. Implementation date: May 31, 2017. 2016 D-2 Capital Asset Reporting Finding: The following errors were noted relating to capital assets:

In fiscal year 2015, a capital asset was inadvertently recorded twice. This error was discovered and corrected by management in the current year by “writing-off” the capital asset as a loss. An audit adjustment was proposed, and waived by management, to properly state expenses in the current year.

A capital asset of approximately $11.1 million, that had a net book value of

approximately $2.5 million, was erroneously disposed of in the general ledger system, even though the asset was still in service. This asset was part of a larger capital asset, of which part of the asset was properly disposed of and removed from service. An adjustment was proposed to recognize this asset along with related accumulated depreciation. Management waived recording this at year-end but plans to recognize this asset during fiscal year 2017.

Recommendation: For the past several years, the City has worked to improve internal controls over capital assets and has shown significant progress in this area. Both of these issues resulted from human error. Controls should continue to be enhanced and strengthened to identify and correct these types of errors in a more timely manner. Views of Responsible Officials and Planned Corrective Actions: We agree with the finding. The Controller’s Office will continue to improve internal controls related to capital assets. We will increase the communication with the capital asset responsible parties and when appropriate, request and verify additional documentation when submitting an addition or deletion in the city’s financial system. Person(s) responsible for implementing: Alexandra Esquibel, Financial Manager, Controller’s Office Financial Services Division; Jessica Chandler, Controller’s Office Accounting Division.


Implementation date: May 31, 2017. 2016 D-3 The Airport – Passenger Facility Charges (PFC) Finding: During 2016, PFC accounts held at the City Treasury did not generate and collect investment earnings due to the Airport not transferring PFC collections into the PFC fund timely. Therefore, negative investment income was allocated to these funds. As a result, $0 was reported to the Federal Aviation Administration (FAA) during its quarterly reporting in 2016. PFC regulations promulgated by the FAA and within the PFC Audit Guide, require “public agencies keep any unliquidated PFC revenue on deposit in an interest-bearing account or in other interest-bearing instruments used by the public agency’s airport capital fund.” The FAA therefore cautions public agencies that, by depositing their unliquidated PFC revenue in such accounts, they must also accept the risk associated with these investments. According to the PFC Audit Guide, “PFC revenue may be commingled with other public agency airport capital funds only in such interest bearing accounts or instruments…provided the commingling occurs in interest-bearing accounts or instruments used by the public agency’s airport capital fund and the interest on the PFC revenues can be identified.” The FAA will not approve the collection of additional PFCs to recover a public agency’s investment losses. The Airport deposits its PFC collections within the City Treasury’s commingled cash and investment pool. Turnover in the Airport accounting personnel responsible for transferring PFC collections into the specified PFC fund from the City Treasury’s general cash and investment pool resulted in the allocation of negative investment earnings. Upon further research performed during the audit, the Airport was able to identify earnings generated on 2016 PFC collections and make a reclassification entry to move investment income into the PFC interest-bearing account. Recommendation: We recommend the Airport ensure PFC collections are transferred to the appropriate PFC interest-bearing account maintained at the City Treasury on a monthly basis in order to properly reflect the earnings to be reported quarterly to the FAA. Views of Responsible Officials and Planned Corrective Actions: We agree with the finding. DEN Finance recognized the issues relating to maintaining the PFC cash balance during 2016 and took corrective steps to reconcile and bring the cash balances into proper place. Incorrect investment earnings were allocated to PFCs during the period in which cash balances were misstated for the PFC fund. Policies and procedures are already in place to ensure such misstatements do not reoccur.


Person responsible for implementing: Rich Van Hess, Senior Manager of Accounting; Joshua Schulz, Senior Manager of Accounting, Denver International Airport. Implementation date: July 31, 2017. INTERNAL CONTROL OVER COMPLIANCE In planning and performing our audit, we considered the City’s internal control over compliance with the requirements that could have a direct and material effect on a major federal program in order to determine our auditing procedures for the purpose of expressing our opinion on compliance and to test and report on internal control over compliance in accordance with OMB Uniform Guidance, but not for the purpose of expressing an opinion on the effectiveness of the City’s internal control over compliance. Accordingly, we do not express an opinion on the effectiveness of the City’s internal control over compliance. Our consideration of internal control over compliance was for the limited purpose described in the preceding paragraph and was not designed to identify all deficiencies in internal control over compliance that might be significant deficiencies or material weaknesses and, therefore, there can be no assurance that all deficiencies, significant deficiencies or material weaknesses have been identified. However, as discussed below, we identified certain deficiencies in internal control over compliance that we consider to be deficiencies. A deficiency in internal control over compliance exists when the design or operation of a control over compliance does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct noncompliance with a type of compliance requirement of a federal program on a timely basis. We observed the following matters that we consider to be deficiencies. 2016 Single Audit-1 Highway Planning and Construction Cluster – Grant Management Finding: During our testing, we observed the following in relation to the grants management process:

The Public Works Department (the Department) has been accepting grant awards without clear understanding or documentation of the responsibilities for specific compliance requirements. This increases the risk of noncompliance occurring as the project managers, as well as others in the department, may not be aware of all the applicable compliance requirements.


In some situations, the pass-through entity may have waived or assumed ownership for certain compliance requirements contradicting the original grant agreement putting the department at risk should the pass-through entity remember things differently.

The Department was not aware of a new Special Test and Provision compliance requirement related to the Administration of Engineering and Design Related Service Contracts. While the department was deemed to ultimately be in compliance, significant effort was required to gather the support from many different locations and personnel.

Recommendation: We recommend a more centralized approach to compliance monitoring along with a designated grant compliance manager to ensure that all compliance requirements are being met. Each project should have a compliance file including a checklist outlining who is responsible for each compliance requirement. A review of existing grants should be performed to identify applicable compliance requirements and specific regulations that should be monitored as well as any items that require further clarification from the grantor. Any such clarification should be maintained in writing with the compliance file. In addition, we recommend that the Department annually review the compliance supplement for applicable grants to identify any new requirements and to help ensure compliance. Views of Responsible Officials and Planned Corrective Actions: Management agrees. Public Works will designate an individual to be the Grants Manager. This person will be responsible for understanding all compliance requirements, and will receive the necessary training to address all grant related obligations. For every grant, the Grants Manager will create a document that defines each compliance requirement and who is responsible for ensuring compliance. This person will be required to review the compliance supplement annually to identify any new requirements. The review will be documented. Person responsible for implementing: Lynn Miller Doyle, Supervisor, Public Works Accounting. Implementation date: May 31, 2017. 2016 Single Audit-2 Highway Planning and Construction Cluster – Recording Expenses in Accordance with Generally Accepted Accounting Principles (GAAP) Finding: Per Uniform Guidance section 200.403, for expenditures to be allowable under federal awards, they must meet certain criteria including being recorded in accordance with generally accepted accounting principles (GAAP). During our testing we noted two instances out of 16 selections in which expenditures were not accrued in the correct fiscal year. These purchases were for seven Peterbilt Trash Compactors totaling approximately $184,000 and were isolated to grants from the Regional Air Quality Council which totaled approximately $205,000 of the total $10.3 million reported on the SEFA for the Highway Planning and Construction Cluster.


Recommendation: We recommend that Public Works extend the prescribed year-end cut-off procedures to grant equipment purchased under smaller grants to help ensure that all invoices are applied to the correct fiscal year. When such accruals are identified after the city-wide close period, they should be submitted to the Controller’s Office for consideration to include as an accrual adjustment or not. Views of Responsible Officials and Planned Corrective Actions: Management agrees. Public Works will ensure all grant accrual activity is accounted for properly by creating written year-end accrual procedures. Public Works accounting will send a grant confirmation to all agencies to certify that all grants are identified and are part of the year-end process. Person responsible for implementing: Lynn Miller Doyle, Accounting Supervisor, Public Works. Implementation date: October 31, 2017. 2016 Single Audit-3 City-Wide – Federal Grant Property and Equipment Management: Finding: During our testing and discussions with various Departments within the City, we noted that per Fiscal Accountability Rule 9.2, each department is required to maintain and/or monitor an equipment and property inventory system to track purchased or received items under the grant. Per our review, we noted one or more of the below were missing from the property records provided by the Departments. Per 2 CFR Sections 200.313, the City must have property records which include:

a description of the property the serial number or other identification number the source of funding for the property (including the Federal

award identification number) title holder the acquisition date cost of the property percentage of federal participation in the project costs for

the federal award under which the property was acquired the location of the property use and condition of the property any ultimate disposition data including the date of disposal and

sales price of the property (2 CFR section 200.313(d)(1))


Recommendation: We recommend that each department within the City review the listing of property and equipment acquired under federal grants, and update the listing to ensure the source of funding for the property (including the federal award identification number), percentage of federal participation in the project costs for the federal award under which the property was acquired, and the condition of the property, is incorporated into the listing to be in compliance with Uniform Guidance standards. Views of Responsible Officials and Planned Corrective Actions: We agree with the finding. The Controller’s Office will contact agencies that receive equipment and property purchased or received under a federal grant and will ensure that property records are maintained as required under 2 CFR Sections 200.313. Person(s) responsible for implementing: Shanna Tohill, Financial Manager, Controller’s Office Financial Reporting. Implementation date: December 31, 2017. We also observed matters that we consider to be deficiencies that we communicated to management orally. OTHER MATTERS Although not considered material weaknesses, significant deficiencies or deficiencies in internal control over financial reporting, we observed the following matters and offer these comments and suggestions with respect to matters which came to our attention during the course of the audit of the financial statements. Our audit procedures are designed primarily to enable us to form an opinion on the financial statements and, therefore, may not bring to light all weaknesses in policies and procedures that may exist. However, these matters are offered as constructive suggestions for the consideration of management as part of the ongoing process of modifying and improving financial and administrative practices and procedures. We can discuss these matters further at your convenience and may provide implementation assistance for changes or improvements.


2016 OM-1 City-Wide Information Technology Controls Other matter: During our testing over the City-wide information technology internal controls, we noted the following matters:

1. The Technology Services (TS) department does not have a written policy for vendor management. This document is under development. Vendor management policies help to effectively manage the lifecycle of all vendor relationships in order to responsibly steward resources and minimize the inherent risk associated with engaging third parties to perform services.

2. Many of the City’s policies relating to information security and technology have not been reviewed for more than one year. The City’s information security policy, network administration policy, router security policy, cyber incident response policy, and DMZ Real Time Transaction Policy have not been reviewed or revised for more than 10 years.

3. The City’s Technology Services (TS) has a high-level Government Continuity Plan. The

City provided a Disaster Recovery Plan (DRP) for the PeopleSoft system, which has not been revised since 2010. Further, the City has never performed a full backup recovery test for its critical financial operating systems. There was no major backup restoration testing performed for the financial data. The City performs backup recovery when a file or a folder is lost or accidentally deleted but never tested the whole backup system. Whole backup testing needs to be done separately on a regular basis. Best practices suggest that disaster recovery plans should be tested at least once a year while simple backups should be tested much more frequently and whenever there is a major hardware or software change to the backup system.

4. We observed that there was no security check that prevents visitors from accessing the

TS department. Anyone who wants to enter the TS department can step out at the 3rd floor elevator and enter the TS department without any security check or without being escorted. There are several open spots within the offices where any person can gain access into the City’s LAN system. The office is also not secure for after-hours access. Anyone with knowledge of LAN systems could hypothetically intercept data and/or attempt to access any devices located on the local subnet or any other that permit traversing. In its December 2016 audit report, the City Auditor’s Office also indicated a concern in the existence of unsecured network folders containing PII.

5. The City utilizes several servers that are run on Windows 2003 operating system.

Windows 2003 operating system is no longer supported by Microsoft and security patches are not available. The City decided to do custom-fixes and protect using firewall until it discontinues using these servers. While all of the financial production systems within scope of our procedures, such as PeopleSoft Financial, GenTax and OASIS, are


operating on servers utilizing the still supported Windows 2008 operating system, the servers using Windows 2003 are at greater security and operating risk as Microsoft no longer supports the Windows 2003 operating system and after July 2015, Microsoft no longer issues fixes or updates for this operating system

Recommendations:

1. We recommend that the City develop and approve a comprehensive policy for vendor management and control. Vendor management policies must at a minimum, address vendor risk assessment, vendor due diligence, contract management, and vendor supervision. We also recommend management implement a periodic after-award review of hosted vendors, which may include a review of the SSAE 16 reports.

2. Security issues like threats, risks, and vulnerabilities as well as the response and preparedness mechanism are constantly changing. We recommend that the City regularly update its policies and procedures.

3. We recommend management establish a detailed, entity wide disaster recovery policy to

limit system downtime in the event of a disaster. We also recommend for a regular full test of the financial backup data to ensure recovery and effective business continuity would be possible when needed. As much as possible, the test should duplicate the conditions the City will face when data restore is actually needed, which means a complete restoration of all financial data to a second system with an identical configuration.

4. The City has a physical security policy that prevents physical access to information

processing, storage areas, and their supporting infrastructure. We recommend management implement physical access control to the City’s IT processing offices to prevent, detect and minimize the effects of unauthorized or unintended access.

5. We recommend the City’s TS department assess the utilization of the servers running the

Windows 2003 operating system and after considering the cost of upgrading these servers against the potential risks of having these servers running an unsupported operating system, upgrade these servers as appropriate.

Views of Responsible Officials and Planned Corrective Actions:

1. We agree with the finding. A draft Vendor Management Policy has been created and is in the review process as noted in the finding. The Vendor Management Policy will be approved and published as part of the ongoing policy updates referenced in our response to finding on policy updates. In addition, TS has a comprehensive vetting process and technical requirements document for all cloud solution vendors based on the Cloud


Security Alliance Cloud Controls Matrix that has been in place since 2014 and was updated in April 2017. The technical requirements document provides the basis for evaluating the information security maturity and compatibility of vendors providing cloud or hosted services. This review process includes requesting SSAE 16 reports.

2. We agree with the finding. The Governance, Risk, and Compliance team has drafted

approximately 20 individual Information Security policies to replace the outdated policies. These policies are in varying stages of the review process and will be approved, communicated, and published by year-end 2017. In addition, there is an Information Governance Committee in place comprised of key stakeholders across the City that is currently addressing policies and procedures as part of its mission. The Information Governance Committee is working with City agencies to establish a strategic framework for managing policies, communications, and executive orders as appropriate.

3. We agree with the finding. The TS department is currently developing a Disaster Recovery Program Roadmap and policy with full implementation completed in 12-18 months. As part of the comprehensive DR roadmap, TS is creating an IT DR testing process and schedule.

4. We agree with the finding. Access to the City’s data centers are controlled by badged

doors and there are cameras in place for monitoring. In addition, TS is initiating a project to install badge readers for the main access doors on the third floor within the department and will complete the installation by end of 2017.

To remediate access to PII as discovered in the PII audit performed by the City’s Auditors Office, TS has completed the access permission and file share cleanup for one agency and is continuing to develop a strategy to ensure network shares are configured appropriately to limit access to PII for the remainder of agencies. Overall, there are approximately 300 root shares containing 150 TB of data across 100 million files throughout the City. As each agency has varying needs, they will be remediated one by one.

5. We do not agree with the finding. As updated in the System of Understanding, only

Windows 2008 servers exist in the production environment impacting financial statements. All in scope systems reside on servers running Windows 2008.

Person(s) responsible for implementing: Tricia Scherer, IT Governance Manager, Technology Services; James Stoner, Information Security Manager, Technology Services; Chris Hagan, IT Manager – Data Center, Technology Services. Implementation date: December 31, 2017 and December 31, 2018.


2016 OM-2 The Airport – Information Technology Controls Other Matter: During our testing of information technology internal controls and the Airport we noted the following:

1. The Airport’s IT department does not have formal written policies and procedures for vendor management. Vendor management policies can help effectively manage the lifecycle of all vendor relationships in order to responsibly steward resources and minimize the inherent risk associated with engaging third parties to perform services.

2. The Airport’s change management policy, remote access use policy, technology policy for patch management for Microsoft operating systems, the acceptable use policy, the data center governance, standards, recommended practices, and gap analysis documents provided to us were not approved by a responsible official. Similarly, the problem management policy which was approved in 2014 was not reviewed for more than a year. In addition, the Airport does not have an approved System Development Life Cycle (SDLC). The document provided for our review was on a draft stage.

3. There was no major backup restoration testing performed for the financial data during 2016. The Airport performs backup recovery when a file or a folder is lost or accidentally deleted but never tested the whole backup system. Best practices suggest that disaster recovery plans should be tested at least once a year while simple backups should be tested much more frequently and whenever there is a major hardware or software change to the backup system.

Recommendations:

1. We recommend that the Airport’s IT department develop and implement a

comprehensive policy and procedure for vendor management, which addresses vendor risk assessment, vendor due diligence, contract management, and vendor supervision.

2. We recommend that the Airport formalize and approve all aforementioned policies in order for the documents have a legal acceptability.

3. We recommend that the Airport implement the best practices utilized in the industry and

perform disaster recovery plan testing regularly. As much as possible, the test should duplicate the conditions the Airport will face when data restore is actually needed, which means a complete restoration of all financial data to a second system with an identical configuration.


Views of Responsible Officials and Planned Corrective Actions:

1. Vendor Management responsibilities are sanctioned and managed by the City Attorney’s Office (CAO) and Denver Purchasing Division (DPD). The Airport’s Business Technologies Division’s – Business Management section only supports Vendor Management functions as defined by CAO and DPD policy and the Airport’s Business Management Division. The Airport’s Business Management section can furnish additional information on their procedures and the related data they facilitate, at this time however they do not have the proper authority to develop a comprehensive DIA Vendor Management policy.

2. The Airport’s Business Technologies Division is presently in contract negotiation with

our ServiceNow solution provider to add a Governance Risk and Compliance (GRC) Module with Document Management functionality. These new enhancements, combined with professional services and proper implementation, will provide the semi-automated document review processes and actionable approval workflows required to more effectively manage period reviews by those individuals with authoritative approval.

3. Recently the Airport’s Business Technologies has completed a Disaster Recovery

Initiative, which identified a list of the mission-critical processes and systems, along with their Recovery Time Objectives and Recovery Point Objectives. This information, combined with the implementation of a GRC module with compliance tasking functionality, will be used to operationalize periodic financial data restore plan testing.

Views of Responsible Officials and Planned Corrective Actions Person(s) responsible for implementing: Tim Coogan, Chief Information Security Officer, Denver International Airport. Anticipated completion date: January 1, 2018. 2016 OM-3 The Airport – Retainage Payable Finding: Many large construction projects include a provision for retainage which is withheld from invoices throughout the life of the project and ultimately paid upon project completion. As the costs withheld are incurred during the project they are recorded as a liability. Generally, the amount recorded as a liability would be traceable to specific invoices from specific contractors. During 2016, the Airport modified their approach of retainage payable recognized at year-end. This change calculated retainage based on an overall level rather than at the individual project level. While this change did not result in any identified material variances, in order to facilitate


project management, retainage should be tracked by project to ensure the Airport has an adequate retainage reserve liability at completion. This will become increasingly more important as the Airport converts to a new general ledger system and begins a significant new major capital program. Recommendation: We recommend the Airport record retainage as incurred and ensure the amount withheld is tracked by project rather than in total. Views of Responsible Officials and Planned Corrective Actions: We agree with the finding. Retainage has not historically been tracked at the project level, but continues to be tracked at the contract level of detail. The Workday system will have retainage functionality and will allow tracking of retainage payable by project; DEN plans to utilize the system functionality to track at this level. Additionally, as DEN updates Standard Operating Procedures for the Workday system, specific procedures for tracking retainage payable will be included. Person(s) responsible for implementing: Joshua Schulz, Senior Manager of Accounting, Denver International Airport. Implementation date: December 31, 2017. 2016 Single Audit OM-4 Homeland Security – Subrecipient Considerations Finding: Beginning in 2017, the Homeland Security Department (the Department) revised its policies and procedures relating to recipients of equipment under the grant. The revised policies and procedures will now consider such recipients to be formal subrecipients assuming many of the related compliance requirements. Previously, the City maintained primary responsibility for compliance and the recipient was simply a beneficiary of the equipment. The change in nature of these subrecipient agreements may also impact policies and procedures surrounding equipment and inventory management. Recommendation: We recommend that the Department perform a full policy and procedure review, to ensure that any proposed changes in treatment of grant funds are compliant with the requirements under Uniform Guidance, including, but not limited to equipment and inventory management, subrecipient monitoring, and procurement. Additionally, we recommend that the Department formally update existing contracts and agreements with recipients as necessary, to include all of the Uniform Guidance requirements. Views of Responsible Officials and Planned Corrective Actions: We agree with the finding. The Office of Emergency Management is in the process of updating policies for the Urban Area Security Initiative Grant program. As a part of this update we will work with the City controller’s office and the State of Colorado to ensure compliance with the Uniform Guidance.


Person(s) responsible for implementing: Linda Bonesteel, Denver UASI Program Manager, Mayor’s Office of Emergency Management Homeland Security. Implementation date: September 30, 2017. 2016 OM-5 The Airport – Great Hall Renovation and Significant Construction Projects The Airport has entered into negotiations with a developer to coordinate and execute the renovation of the Airport’s terminal, Great Hall. As phases of the Great Hall are completed, assets will be transferred to the Airport to capitalize as the Airport will own these assets. The Airport and developer will negotiate an overall not-to-exceed fee where the developer will complete construction within the negotiated price. In discussions with the Airport’s management, the developer is expected to maintain all detailed documentation to support the accounting and reporting of construction costs. Information is anticipated to be provided at a summary level from the developer to the Airport to support the final accounting of costs. Management requested general guidance of evidence needed to be maintained by the Airport in order to adequately support the asset cost. We recommended and continue to recommend the Airport obtain as much detail as possible to adequately support the valuation and useful lives of the capital assets. In addition, this detail should provide adequate detail to allow the Airport to track the assets to ensure proper disposal when the time arrives. Views of Responsible Officials and Planned Corrective Actions: We agree with the finding. The Great Hall is a P3 project currently in negotiation. The transaction structure will be unique in aviation, which prompted us to proactively engage BKD to understand the accounting and reporting requirements. As a result of these meetings, reporting requirements have been included in the Great Hall Partners contract negotiations. The airport does not anticipate any issues once the project commences or as Great Hall assets enter service. Person(s) responsible for implementing: Joshua Schulz, Senior Manager of Accounting, Denver International Airport. Implementation date: December 31, 2018. 2016 OM-6 Cyber Security The increasing value of electronic protected health information (ePHI), payment card data and intellectual property (e.g. trade secrets) is driving more organizations of all sizes to prepare for the potential of a cyberattack. Hackers and cyber-thieves have become adept at pilfering


confidential information, using ransomware to extort money and leveraging social engineering techniques to trick employees into wiring funds. As a first step to improving their cyber-readiness, companies need to perform a cybersecurity risk assessment to determine the current state of cybersecurity processes, controls and technology. This effort can determine how well the City can prevent, detect and respond to cyber-attacks. Key to the assessment process is choosing an appropriate framework against which the City may be evaluated. In fact, two nationally recognized organizations have developed cybersecurity frameworks. The National Institute of Standards and Technology (NIST) has developed a Cybersecurity Framework to assist organizations manage cybersecurity-related risk more effectively. The NIST Cybersecurity Framework provides a prioritized, flexible, repeatable and a cost-effective approach that can be used in any industry or organization. Once the framework has been chosen, we recommend that management consider performing a cybersecurity assessment to gauge the overall readiness and maturity of existing controls and perform appropriate testing of the IT infrastructure and employee awareness. 2016 OM-7 New Accounting Pronouncements GASB Statement No. 75, Accounting and Financial Reporting for Postemployment Benefits Other Than Pension (GASB 75) GASB 75 replaces the requirements of GASB Statement No. 45, Accounting and Financial Reporting by Employers for Postemployment Benefits Other Than Pensions. GASB 75 requires governments to report a liability on the face of the financial statements in accordance with the following:

Employers that are responsible only for OPEB liabilities for their own employees and that provide OPEB through a defined benefit OPEB plan administers through a trust that meets specified criteria will report a net OPEB liability (the difference between the total OPEB liability and the assets accumulated in trust to make the benefit payments)

Employers that participate in a cost-sharing OPEB plan that is administered through a

trust that meets specified criteria will report a liability equal to the employer’s proportionate share for the collective OPEB liability for all employers participating in the plan


Employers that do not provide OPEB through a trust that meets specified criteria will report the total OPEB liability for their own employees

GASB 75 requires more extensive note disclosures and required supplementary information (RSI) about the OPEB liabilities. GASB 75 is effective for fiscal years beginning after June 15, 2017 and requires restatement of any prior years presented, if practical. While GASB 75 is not effective until the City’s fiscal year ending December 31, 2018, we recommend the City begin assessing the potential impact on the financial statements of this statement and begin the process of communicating this impact with those charged with governance and other stakeholders. Similar to the adoption of GASB Statement No. 68, Accounting and Financial Reporting for Pensions, the adoption of GASB 75 will require advance coordination with plans and actuaries so that the required information is available. GASB Statement No. 80, Blending Requirements for Certain Component Units (GASB 80) GASB 80 amends Statement No. 14, The Financial Reporting Entity, to add an additional criterion for reporting a component unit through the blending method. If a component unit is a not-for-profit corporation and the primary government is the sole corporate member, the component unit should be blended. GASB 80 is effective for the City’s fiscal year ending December 31, 2017. GASB Statement No. 83, Certain Asset Retirement Obligations GASB 83 addresses accounting and financial reporting for certain asset retirement obligations (AROs). An ARO is a legally enforceable liability associated with the retirement of a tangible capital asset. A government that has legal obligations to perform future asset retirement activities related to its tangible capital assets should recognize a liability based on the guidance in this Statement. This Statement establishes criteria for determining the timing and pattern of recognition of a liability and a corresponding deferred outflow of resources for AROs. This Statement requires that recognition occur when the liability is both incurred and reasonably estimable. The determination of when the liability is incurred should be based on the occurrence of external laws, regulations, contracts, or court judgments, together with the occurrence of an internal event that obligates a government to perform asset retirement activities. GASB 83 is effective for the City’s fiscal year ending December 31, 2019. Earlier application is encouraged.


GASB Statement No. 84, Fiduciary Activities The objective of this Statement is to improve guidance regarding the identification of fiduciary activities for accounting and financial reporting purposes and how those activities should be reported. GASB 84 establishes criteria for identifying fiduciary activities of all state and local governments. The focus of the criteria generally is on (1) whether a government is controlling the assets of the fiduciary activity and (2) the beneficiaries with whom a fiduciary relationship exists. Separate criteria are included to identify fiduciary component units and postemployment benefit arrangements that are fiduciary activities. An activity meeting the criteria should be reported in a fiduciary fund in the basic financial statements. Governments with activities meeting the criteria should present a statement of fiduciary net position and a statement of changes in fiduciary net position. An exception to that requirement is provided for a business-type activity that normally expects to hold custodial assets for three months or less. GASB 84 is effective for the City’s fiscal year ending December 31, 2019. Earlier application is encouraged. GASB Statement No. 85, Omnibus 2017 The objective of this Statement is to address practice issues that have been identified during implementation and application of certain GASB Statements. This Statement addresses a variety of topics including issues related to blending component units, goodwill, fair value measurement and application, and postemployment benefits (pensions and other postemployment benefits [OPEB]). Specifically, this Statement addresses the following topics:

Blending a component unit in circumstances in which the primary government is a business-type activity that reports in a single column for financial statement presentation

Reporting amounts previously reported as goodwill and “negative” goodwill Classifying real estate held by insurance entities Measuring certain money market investments and participating interest-earning

investment contracts at amortized cost Timing of the measurement of pension or OPEB liabilities and expenditures recognized

in financial statements prepared using the current financial resources measurement focus Recognizing on-behalf payments for pensions or OPEB in employer financial statements Presenting payroll-related measures in required supplementary information for purposes

of reporting by OPEB plans and employers that provide OPEB


Classifying employer-paid member contributions for OPEB Simplifying certain aspects of the alternative measurement method for OPEB Accounting and financial reporting for OPEB provided through certain multiple-

employer defined benefit OPEB plans. GASB 85 is effective for the City’s fiscal year ending December 31, 2018. Earlier application is encouraged. GASB Statement No. 86, Certain Debt Extinguishment Issues The primary objective of this Statement is to improve consistency in accounting and financial reporting for in-substance defeasance of debt by providing guidance for transactions in which cash and other monetary assets acquired with only existing resources—resources other than the proceeds of refunding debt—are placed in an irrevocable trust for the sole purpose of extinguishing debt that holds monetary assets that are essentially risk-free. This Statement also improves accounting and financial reporting for prepaid insurance on debt that is extinguished and notes to financial statements for debt that is defeased in substance. This Statement establishes essentially the same requirements for when a government places cash and other monetary assets acquired with only existing resources in an irrevocable trust to extinguish the debt. However, in financial statements using the economic resources measurement focus, governments should recognize any difference between the reacquisition price (the amount required to be placed in the trust) and the net carrying amount of the debt defeased in substance using only existing resources as a separately identified gain or loss in the period of the defeasance (i.e. not deferred). For governments that extinguish debt, whether through a legal extinguishment or through an in-substance defeasance, this Statement also clarifies that any remaining prepaid insurance related to the extinguished debt be included in the net carrying amount of that debt for the purpose of calculating the difference between the reacquisition price and the net carrying amount of the debt. GASB 86 is effective for the City’s fiscal year ending December 31, 2018. Earlier application is encouraged. GASB Statement No. 87, Leases In June 2017, GASB published Statement No. 87, Leases. This Statement was the result of a multi-year project to reexamine the accounting and financial reporting for leases. The new Statement establishes a single model for lease accounting based on the principle that leases


represent the financing of the right to use an underlying asset. Specifically, GASB 87 includes the following accounting guidance for lessees and lessors: Lessee Accounting: A lessee will recognize a liability measured at the present value of payments expected to be made for the lease term, and an intangible asset measured at the amount of the initial lease liability, plus any payments made to the lessor at or before the beginning of the lease and certain indirect costs. A lessee will reduce the liability as payments are made and recognize an outflow of resources for interest on the liability. The asset will be amortized by the lessee over the shorter of the lease term or the useful life of the asset. Lessor Accounting: A lessor will recognize a receivable measured at the present value of the lease payments expected for the lease term and a deferred inflow of resources measured at the value of the lease receivable plus any payments received at or prior to the beginning of the lease that relate to future periods. The lessor will reduce the receivable as payments are received and recognize an inflow of resources from the deferred inflow of resources in a systematic and rational manner over the term of the lease. A lessor will not derecognize the asset underlying the lease. There is an exception for regulated leases for which certain criteria are met, such as airport-aeronautical agreements. The lease term used to measure the asset or liability is based on the period in which the lessee has the noncancelable right to use the underlying asset. The lease term also contemplates any lease extension or termination option that is reasonably certain of being exercised. GASB 87 does not apply to leases for intangible assets, biological assets (i.e. timber and living plants and animals), service concession agreements or leases in which the underlying asset is financed with conduit debt that is reported by the lessor. Additionally, leases with a maximum possible term of 12 months or less are excluded. GASB 87 is effective for the City’s fiscal year ending December 15, 2020. Early application is encouraged. It is anticipated that leases would be recognized using the facts and circumstances in effect at the beginning of the period of implementation. While several of these standards are not effective in the short-term, we recommend the City begin assessing the potential impact on the financial statements of all of these statements and begin the process of communicating this impact with those charged with governance and other stakeholders. Management’s written response to the deficiencies and material weaknesses identified in our audit has not been subjected to the auditing procedures applied in the audit of the financial statements, and accordingly, we express no opinion on it.


This communication is intended solely for the information and use of Management, members of the City Council, the members of the Audit Committee and is not intended to be and should not be used by anyone other than these specified parties.

May 26, 2017

CITY AND COUNTY OF - Denver · Accounts Receivable ... Recommendation: ... the City and County of...

Documents

Transcript of CITY AND COUNTY OF - Denver · Accounts Receivable ... Recommendation: ... the City and County of...