Reports - Audit Committee
Committee of the Council of The Corporation of the City of Brampton
Audit Committee - Final
Date: May 2, 2013
File: A05
Subject: CLASS Operations and Application Audit Report
Contact: Andrew Damian, Senior Internal Auditor, Internal Audit Division
Overview:
• Internal Audit assessed the CLASS application system and associated operational processes. The assessment focused on the effectiveness and efficiency of the operations, system and system support;
• The audit was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing;
• Since the last CLASS audit report in 2003, the system has grown from managing the Recreation Division's recreation programs, facility rentals and fitness memberships, to being used throughout the City for point-of-sale transactions including Brampton Transit ticket purchases;
• Generally, adequate controls are in place except in the area of price adjustments and overrides. Price adjustment and override functionality bypasses system controls; however, additional controls have not been implemented to ensure transactions are accurate and appropriate. For example, there is no review or approval of these transactions, and a significant number of staff have access to perform adjustments and overrides;
• In addition, staff are able to register themselves into City programs and many have access to adjust program costs to zero. There is no management oversight ensuring self-registration transactions are not processed, increasing the risk of errors and/or fraud;
• The audit identified opportunities to improve processes within the CLASS system in the following areas:
  • Enhanced management oversight processes around price adjustments, price overrides and self-registrations;
  • Enhanced security of personal information;
  • Enhanced system security controls over passwords, control over super access generic IDs, and user activity monitoring;
  • Enhanced system governance controls over the system's life cycle, system and data ownership processes, and data classification.
E4-1 Final CLASS Operations and Application Audit Report
Recommendations:
1. That the report from Andrew Damian, Senior Internal Auditor, Internal Audit Division, dated May 2, 2013, to the Audit Committee Meeting of June 12, 2013, re: CLASS Operations and Application Audit Report (File A05), be received;
2. Based on the results of this audit, it is recommended that Community Services Management:
   1. Enhance management oversight of price adjustments, price overrides and self-registrations to ensure transactions are accurate and appropriate;
   2. Protect personal information including credit card information.
   It is recommended that Community Services and Financial and Information Services Management:
   3. Enhance system security controls to strengthen passwords, restrict access to super access generic IDs and monitor high risk user activity;
   4. Enhance system governance by confirming system and data ownership and related responsibilities, classifying data sensitivity, aligning system security with data sensitivity needs, developing a CLASS system roadmap and implementing timely system updates and patches.
EXECUTIVE SUMMARY
Overall, the controls and processes tested are operating effectively and are generally in compliance with corporate policies, related By-laws, best practices/standards and relevant legislation except in the area of price adjustments and price overrides. In this area, system controls are bypassed and transactions are not reviewed and authorized, and too many users have access to the functionality. In addition, many of the same users also have the ability to register themselves in programs. The audit identified opportunities to further improve a number of controls and processes. The following is a summary of key findings.
Price Adjustments and Overrides
In general, controls are not adequate in the area of price adjustments and overrides. The CLASS system has controls in place to ensure that customers are charged the correct fees for program registrations, facility bookings, fitness memberships and other services in accordance with the Council approved User Fee By-law. However, these controls are bypassed when the price adjustment and override functionality is used. Internal Audit noted that many staff members have the ability to adjust and/or override prices without review and approval by management, who are responsible for ensuring such transactions are accurate and appropriate.
During the course of the audit, an override transaction report and/or a tool (analytical software) to extract data was not available; therefore Internal Audit could not assess the accuracy and appropriateness of override transactions.
There are many Community Services staff who have access to perform adjustments and overrides. Of the approximately 630 users, 346 have access that allows them to perform price adjustments and 157 can perform price overrides to at least one of the areas of facility bookings, fitness memberships, point of sale and/or program registration fees. Many staff have access to perform both adjustments and overrides.
Management needs to limit access to the adjustment and override functionality and review and approve the transactions.
Management must ensure that appropriate staff are reviewing and approving adjustment and override transactions weekly and maintain evidence of review and approval on file in order to ensure transactions are accurate and appropriate. Management must develop, approve and implement a CLASS override report to be used to review and approve such transactions and ensure they are accurate and appropriate. Furthermore, management must review CLASS user access and restrict access to price adjustments and override access only to staff who require it for their job role.
Management Oversight
Management oversight is an important control activity that helps to ensure the accuracy and appropriateness of information. The CLASS system allows Community Services staff to register themselves for programs, courses and fitness memberships. It is critical that strong management oversight activities are in place to monitor activity in order to reduce the risk of fraud and error. Internal Audit noted instances where Community Services employees processed their own program registrations in CLASS even though a Standard Operating Procedure (SOP) is in place indicating that self-registrations cannot be performed. In addition, some staff who have the ability to self-register also have adjustment and/or override functionality, allowing them to adjust the cost of a program to zero. Internal Audit noted two instances where an employee registered themselves into programs and adjusted the costs to zero.
Also, the administration of rental amendments did not comply with the relevant SOPs as many rental amendments lacked the required documentation and/or signatures from the client and facility staff. Management needs to review current policies and procedures with staff and implement system and/or manual controls to assist management review activities and ensure that unauthorized transactions are not being processed.
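The override report the audit calls for, and the check that staff are not registering themselves, amount to an exception query over the transaction export. The following is an added example written for this page, not the City's or the CLASS vendor's code; the CSV layout, column names, the staff roster and every sample row are constructed assumptions. It flags adjustments and overrides with no second-person approval, staff accounts appearing as customers, and the highest-risk pattern the audit found (a staff member's own registration priced down to zero), then groups priced-down transactions by ISO week for the weekly sign-off the report recommends.

```python
"""Exception report for price adjustments, overrides and self-registrations.

Added example, not part of the audit report or the CLASS product. The
column layout, staff roster and sample rows are constructed assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample export. Assumed columns:
#   txn_id, txn_date, cashier_id, customer_id, module, list_price,
#   charged_price, adj_type (none|adjustment|override), approved_by
SAMPLE_EXPORT = """\
txn_id,txn_date,cashier_id,customer_id,module,list_price,charged_price,adj_type,approved_by
1001,2012-10-01,E0101,C5001,program,120.00,120.00,none,
1002,2012-10-01,E0101,C5002,program,120.00,90.00,adjustment,
1003,2012-10-02,E0102,C5003,facility,450.00,0.00,override,E0900
1004,2012-10-02,E0103,E0103,program,85.00,0.00,adjustment,
1005,2012-10-03,E0104,E0104,membership,300.00,300.00,none,
1006,2012-10-03,E0102,C5004,pos,3.50,3.50,none,
1007,2012-10-08,E0105,C5005,program,200.00,150.00,override,
"""

# Constructed staff roster (assumption): employee IDs that show up as
# customer IDs when an employee registers in a City program.
STAFF_IDS = {"E0101", "E0102", "E0103", "E0104", "E0105"}


def parse_export(text):
    """Parse the CSV export into dicts with numeric prices and real dates."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["list_price"] = float(row["list_price"])
        row["charged_price"] = float(row["charged_price"])
        row["txn_date"] = date.fromisoformat(row["txn_date"])
        rows.append(row)
    return rows


def flag_exceptions(rows, staff_ids):
    """Return (txn_id, reason) pairs that need management review.

    These are the compensating checks the report asks for and that the
    system itself did not enforce.
    """
    findings = []
    for r in rows:
        bypassed = r["adj_type"] != "none"
        self_reg = r["customer_id"] in staff_ids
        # Any priced-down transaction with no second-person approval
        if bypassed and not r["approved_by"]:
            findings.append((r["txn_id"], f"{r['adj_type']} without approval"))
        # Price differs from list but no adjustment recorded: integrity flag
        if not bypassed and r["charged_price"] != r["list_price"]:
            findings.append((r["txn_id"], "price differs from list without adj_type"))
        # The SOP says staff may not register themselves
        if self_reg and r["module"] in {"program", "membership"}:
            findings.append((r["txn_id"], "self-registration by staff"))
        # The pattern the audit actually found: own registration at $0
        if self_reg and bypassed and r["charged_price"] == 0.0:
            findings.append((r["txn_id"], "staff account adjusted to zero"))
    return findings


def weekly_review_queue(rows):
    """Group adjusted/overridden transactions by (ISO year, ISO week) for sign-off."""
    queue = defaultdict(list)
    for r in rows:
        if r["adj_type"] != "none":
            year, week, _ = r["txn_date"].isocalendar()
            queue[(year, week)].append(r["txn_id"])
    return dict(queue)


if __name__ == "__main__":
    txns = parse_export(SAMPLE_EXPORT)
    for txn_id, reason in flag_exceptions(txns, STAFF_IDS):
        print(f"{txn_id}: {reason}")
    for (year, week), ids in sorted(weekly_review_queue(txns).items()):
        print(f"week {year}-W{week:02d}: {len(ids)} awaiting review: {', '.join(ids)}")
```

On the sample data the report lists six findings, three of them on transaction 1004 alone (an unapproved adjustment, by a staff member, on their own account, to zero). Transaction 1003 is an override but carries an approver, so it only appears in the weekly queue for evidence of review, not as an exception. The self-registration check relies on a roster that links employee IDs to customer IDs; without such a link the system cannot distinguish staff from the public, which is part of why the audit found the SOP unenforced.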
System Security
Internal Audit noted system security weaknesses including segregation of duty concerns with both end-user access and IT staff access.
Several CLASS user roles contain incompatible duties, with data entry, modification and authorization activities being performed by the same user role without adequate compensating controls, for example the "System Administrator" user role. Generic IDs with "super user" roles at the web server, database and operating system levels are shared by IT staff to support the system. The integrity of data cannot be relied on without strong preventative access controls that restrict user access and ensure accountability. Also, Internal Audit noted that the CLASS system components do not log and monitor user activity within the database to establish an audit trail for high risk user activity.
Instances of facility staff sharing CLASS system passwords were identified. Also, a review of user access identified that user IDs have been shared between employees. In addition, staff with access to sensitive information and/or cash drawers are not locking their computer terminals when away from their workstations.
Management needs to log and monitor all users with highly privileged IDs and access to sensitive information to help reduce risk of unauthorized activity or errors. Internal Audit recommends enhancing system security controls to restrict generic IDs with super user access. Staff access should be granted based on job role and ensure adequate segregation of duties.
The request for access process to grant system access to staff is not used for all access to the CLASS system. This process helps ensure access is only provided based on job requirements and is authorized. In reviewing user access roles available within the system components it was found that the user roles within the system were not created for individual staff nor approved. We recommend that management ensure users have access (roles) required for their job function and only current roles are used within the system.
Page 4 of 9
BUrS Final CLASS Operations and Application Audit Report
Simple passwords are allowed by the CLASS system, so easily guessable passwords can be created. In general, password controls do not comply with strong security practices to protect information stored by the system. It is recommended that management enhance password controls at the web, application and database levels to help reduce the risk of unauthorized access to information.
System Development Life Cycle processes
The system development life cycle (SDLC) and patch management processes help manage system enhancements, updates, fixes, and security patches to ensure system security is strong and system functionality provides the best available customer experiences. Internal Audit noted that processes in place do not ensure that enhancements, updates and security patches are implemented in a timely manner or in some cases at all. When system components are not updated in a timely manner there is risk of weakened system security, increased system support costs, and outdated system functions. Vendor support expired for one system component due to the age of the system and extended vendor support needed to be purchased. Management should ensure the SDLC and patch management processes provide consistent and timely implementation of system enhancements, updates, and security patches.
System Governance
In order to ensure adequate security protection, data integrity and availability it is necessary to formally assign CLASS system ownership and data ownership and outline the respective responsibilities. Internal Audit noted that system ownership has not been defined within the IT Guiding Principles - Security. CLASS system ownership has informally been accepted by Community Services management. Data ownership and responsibilities for the system have also not been formally assigned, even though Community Services management has informally assumed ownership of data. The IT Guiding Principles - Security has not provided governance on how to conduct a data classification exercise. It is important for data to be classified as to its level of sensitivity in order to ensure data stored within the system is adequately protected. Community Services has not classified its data as to the level of sensitivity (as indicated within the IT Guiding Principles - Security) in order to determine the appropriate level of security protection required.
It is recommended that Financial and Information Services department enhance the IT Guiding Principles-Security to define system owner and related responsibilities and provide guidance on how to classify system data.
Community Services department and Financial and Information Services department and other stakeholders need to formally agree on the system and data owner for the CLASS system and confirm associated responsibilities. Community Services management needs to complete activities related to the classification of data and the security of sensitive data to ensure adequate data protection.
Data Integrity Controls
Input controls over application systems help to ensure data is accurate, complete and authorized. Internal Audit identified input control weaknesses within the CLASS system as it does not provide staff warnings for potential data errors that would identify and prevent duplicate accounts. Customer fields such as phone number and email address are not consistently populated to also help reduce the risk of duplicate accounts. There are over 25,000 potentially duplicate accounts including accounts over five years old.
The process of transferring financial data from the CLASS system to the general ledger system requires manual data adjustments. Security controls permit numerous staff access to the data files with the ability to change or delete records without review and approval. The CLASS system also permits staff to permanently delete records without a trail to monitor such actions. Management needs to enhance data integrity controls for system input, processing and data transfer to enhance the protection of CLASS data.
System Operations
Web and database logs are not reviewed on a regular basis to ensure that system errors and warnings are addressed in a timely manner and costly maintenance is avoided. Internal Audit recommends reviewing system monitoring needs to ensure system monitoring is adequate.
The retention of data in the system exceeds the amount of time allowed by the Records Retention By-law. Internal Audit recommends the data retention set up complies with the By-Law.
Approved Business Continuity Plans are not in place and tested to support ongoing operations and timely system recovery should an emergency occur such as system failure and/or unavailability. Backup data is not tested frequently to ensure that data can be restored. Management needs to review these business continuity processes to ensure service can be restored to customers in a timely manner should an emergency situation occur.
Customer Account Management
Community Services staff work with customers to ensure prompt payment for services and avoid overdue accounts. However, Internal Audit noted that the Community Services staff who perform initial collection activities for facility rentals are not submitting outstanding amounts to Corporate Collections in accordance with policies and procedures.
There is also no formal policy and/or SOP to govern when payments for program registration and memberships are required. Management must ensure that customer account collection activities comply with policies and procedures. A policy and/or SOP must be developed to ensure consistent payment practices for all purchases, and system controls must be aligned to enforce it.
BACKGROUND
Over the years the City of Brampton has relied more and more on automated point of sale processes through the CLASS system. The CLASS system was implemented originally for the Community Services Department to manage the Recreation Division's many program offerings, facility rentals and fitness memberships. Since the last internal audit in 2003, the system's point-of-sale module has been rolled out to most of the City's Departments and is used extensively, including for sales of bus tickets and passes. In 2012, approximately $594 million in revenue was processed in CLASS.
The CLASS system consists of application, telephone and web components. The system is comprised of the following modules:
Application System
• Accounting
• Facility
• Information Management (Reports)
• Membership
• Point of Sale (POS)
• Program Registration
Telephone
• Interactive Voice Registration (IVR)
Web
• Internet Registration
OBJECTIVE AND SCOPE
The objectives of this audit were to:
• Examine and evaluate the adequacy and effectiveness of internal controls and processes related to the CLASS system including the application, database, operating system and network layers;
• Evaluate compliance with established policies, best practices, procedures, By-laws, and legislation;
• Develop recommendations to assist management.
The scope of the audit included the following areas of the CLASS system:
• Web server layer - operating system security, web server security, secure communication controls, access controls, patch management and incident management;
• CLASS application layer (including Interactive Voice Registration (IVR), Internet Registration) - data entry controls, data transmission controls, data integrity controls and access controls;
• Database, operating system and network layer - database security vulnerabilities, operating system security, account and password controls, user access, backup and recovery processes, encryption strategy, network communication controls;
• Sales transactions, refunds and cancelled transactions in the POS module;
• Program registrations and contracts processed in the Program Registration module;
• Facility bookings, rental contracts and amendments processed in the Facility module;
• Process of reviewing accounts receivable and collection of outstanding amounts in the Accounting module.
The audit period covered June 2011 to November 2012.
The scope of the review excluded the following:
• Manual journal entries and journal entry adjustments in the Accounting module;
• Accuracy and completeness of general ledger account balances in the Accounting module;
• Setting up new general ledger accounts and maintaining the chart of accounts in the Accounting module;
• Information Management (Reports) module;
• Membership module.
CONCLUSION
Internal Audit conducted an assessment of the CLASS application system and its operational processes focusing on the effectiveness and efficiency of the operations, system and system support. Overall, adequate controls are in place with the exception of price adjustments and overrides, and the audit identified a number of opportunities to improve controls and processes including:
• Enhancing management oversight processes around price adjustments, price overrides and self-registrations;
• Enhancing the security of personal information;
• Enhancing system security controls over passwords, control over super access generic IDs, and user activity monitoring;
• Enhancing system governance controls over the system's life cycle, system and data ownership processes, and data classification.
Catherine Spence, Director, Internal Audit
Appendices:
Appendix A - Detail Findings
Appendix B - Closed Session Information - see Closed Session Agenda Item J re: The Security of the property of the municipality or local board - Internal Audit review matter - Observations #1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 14, 17
Report authored by: Ryan Sparkman, Internal Auditor; Robert Witkowski, Senior IT Auditor
APPENDIX A - DETAIL FINDINGS
System Governance
Observation #12 - System and Data Ownership
It is necessary to assign an individual or group with the role of system and data owner to ensure adequate security protection, data integrity and data availability over systems. Internal Audit reviewed the CLASS system's ownership and responsibilities and identified the following:
System Ownership:
• The IT Guiding Principles-Security does not define or establish a requirement for a system owner to be assigned or outline related responsibilities;
• System ownership for the CLASS system has not been formally assigned nor have responsibilities been documented. Informally, according to the Supervisor of Community Services Business Systems, Community Services has assumed system ownership;
Data Ownership:
• Data ownership and related responsibilities for the CLASS system has not been formally assigned. According to the Supervisor of Community Services Business Systems, their area has assumed the data ownership role for Community Services clients including other department's data.
Implementing the following recommendations will help decrease the risk of inappropriate system activity and unauthorized data access.
Recommendations #12
It is recommended that Financial and Information Services Management:
12.1 Update IT Guiding Principles - Security document to require all systems formally assign a system owner and define the related responsibility;
12.2 Ensure all new systems implemented have clear and formally identified system and data owners and document respective responsibilities;
It is recommended that Community Services Management and Financial and Information Services Management jointly:
12.3 Formalize system and data ownership and confirm with all CLASS stakeholders. The ownership roles and responsibilities should be updated in the system support plan.
Management Action Plan

12.1 - Financial and Information Services
Action Plan: Agree with recommendation. The recommendation will be addressed by establishing and reviewing IT Guiding Principles Application and Data and including provision for system owner and related responsibilities.
Responsibility: Manager, IT Architecture & Planning
Target Completion Date: Dec 31, 2013

12.2 - Financial and Information Services
Action Plan: Agree with recommendation. The recommendation will be addressed by undertaking a review of CAB Approval Processes to ensure this is clearly documented when applications/solutions are introduced to the environment.
Responsibility: Manager, IT Network & Technical Services
Target Completion Date: Dec 31, 2013

12.3 - Community Services and Financial and Information Services
Action Plan: Agree with recommendation. Community Services will work with Financial and Information Services to formalize system and data ownership and confirm with all CLASS stakeholders. The ownership roles and responsibilities will be updated in the system support plan.
Responsibility: FIS Senior Manager, IT Solutions Delivery & Community Services, Supervisor of Business Systems
Target Completion Date: Dec 31, 2013
Data Integrity Controls
Observation #15 - System Data Inputs
Internal Audit assessed the system input controls related to the CLASS application system that ensures all data is accurate and complete. Internal Audit identified the following issues:
• System data input controls are weak. The system does not provide staff warnings of potential data input errors that would confirm name and address to help prevent duplicate accounts;
• Data fields that can be used to help identify whether customers were previously set up in the system are not consistently entered, such as phone number or email address;
• Staff have a document to guide them on "creating an account" however, the document does not define data input standards so that data is being entered into the system in a consistent manner;
• There is a system report available that identifies potential duplicate accounts. The CLASS report identifies over 25,000 accounts that may be duplicate customer accounts. Some accounts were set up over 5 years ago. There is no evidence that a timely review is performed to identify duplicate accounts and that appropriate action is taken and approved.
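The input-time warning this observation says the system lacks, and the periodic duplicate report it says nobody reviews, both come down to normalising the identifying fields and looking for accounts that collide on them. The following is an added example written for this page, not the City's or the CLASS vendor's code; the field names, the evidence weights and all six sample accounts are constructed assumptions. It weighs a shared e-mail address more heavily than a shared phone number or postal code, because the latter two are also shared by members of one household, which is a false positive a clean-up of 25,000 candidates cannot afford.

```python
"""Duplicate customer account detection with an input-time warning.

Added example, not from the audit report or the CLASS product. The field
names, weights and sample records below are constructed assumptions.
"""
import re
import unicodedata
from collections import defaultdict

# Constructed sample accounts. Empty strings stand for fields staff left blank.
ACCOUNTS = [
    {"id": "C1", "first": "Maria", "last": "Santos", "phone": "(905) 555-0142",
     "email": "maria.santos@example.com", "postal": "L6Y 4R2"},
    {"id": "C2", "first": "MARIA", "last": "SANTOS ", "phone": "905-555-0142",
     "email": "", "postal": "l6y4r2"},                # same person, re-keyed
    {"id": "C3", "first": "Jose", "last": "Santos", "phone": "905-555-0142",
     "email": "", "postal": "L6Y 4R2"},               # household member, not a dup
    {"id": "C4", "first": "Priya", "last": "Nair", "phone": "",
     "email": "PNair@Example.com", "postal": "L6T 1A1"},
    {"id": "C5", "first": "P.", "last": "Nair", "phone": "",
     "email": "pnair@example.com", "postal": ""},     # same person, sparse record
    {"id": "C6", "first": "Wei", "last": "Chen", "phone": "416-555-0199",
     "email": "wei.chen@example.org", "postal": "M5V 2T6"},
]

# Evidence weights (assumption): a shared e-mail is near-conclusive; a shared
# phone or address alone may be a household, so it needs a name hit as well.
WEIGHTS = {"email": 3, "phone": 2, "name+postal": 2, "initial+last": 1}


def norm_text(s):
    """Case-fold, strip accents, drop everything but letters and digits."""
    s = unicodedata.normalize("NFKD", s or "")
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    return re.sub(r"[^a-z0-9]", "", s.lower())


def norm_phone(s):
    """Digits only, without a leading North American country code."""
    digits = re.sub(r"\D", "", s or "")
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def blocking_keys(acct):
    """(kind, value) keys under which an account can collide with a duplicate.

    Blank fields yield no key, which is why consistent data entry matters.
    """
    first, last = norm_text(acct["first"]), norm_text(acct["last"])
    postal, email = norm_text(acct["postal"]), (acct["email"] or "").strip().lower()
    phone = norm_phone(acct["phone"])
    keys = []
    if phone:
        keys.append(("phone", phone))
    if email:
        keys.append(("email", email))
    if first and last and postal:
        keys.append(("name+postal", f"{first}|{last}|{postal}"))
    if first and last:
        keys.append(("initial+last", f"{first[0]}|{last}"))  # "P." vs "Priya"
    return keys


def find_duplicate_candidates(accounts):
    """Map frozenset({id_a, id_b}) -> list of key kinds the two accounts share."""
    index = defaultdict(list)
    for acct in accounts:
        for key in blocking_keys(acct):
            index[key].append(acct["id"])
    pairs = defaultdict(list)
    for (kind, _), ids in index.items():
        for i, a in enumerate(ids):
            for b in ids[i + 1:]:
                pairs[frozenset({a, b})].append(kind)
    return dict(pairs)


def likely_duplicates(accounts, threshold=3):
    """Periodic duplicate report: (id_a, id_b, score) for pairs at or above threshold."""
    out = []
    for pair, kinds in find_duplicate_candidates(accounts).items():
        score = sum(WEIGHTS[k] for k in kinds)
        if score >= threshold:
            a, b = sorted(pair)
            out.append((a, b, score))
    return sorted(out, key=lambda t: (-t[2], t[0], t[1]))


def warn_on_create(new_acct, accounts, threshold=3):
    """Input-time warning the report says CLASS lacks: likely matches for a new record."""
    hits = []
    for a, b, score in likely_duplicates(accounts + [new_acct], threshold):
        if new_acct["id"] in (a, b):
            hits.append((b if a == new_acct["id"] else a, score))
    return hits


if __name__ == "__main__":
    for a, b, score in likely_duplicates(ACCOUNTS):
        print(f"possible duplicate: {a} / {b} (score {score})")
    new = {"id": "NEW", "first": "Maria", "last": "Santos",
           "phone": "+1 905 555 0142", "email": "", "postal": ""}
    print("warn on create:", warn_on_create(new, ACCOUNTS))
```

On the sample data the periodic report pairs C1 with C2 (same phone, same name and postal code) and C4 with C5 (same e-mail, matching initial), while C3, who merely shares a phone and address with C1, stays below the threshold. Creating a sparse new record for "Maria Santos" with only a phone number still triggers a warning against C1 and C2, which is the check the report wants at data-entry time rather than years later in a 25,000-row report.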
Implementing the following recommendations will help reduce the occurrence of inaccurate or inconsistent data.
Recommendations #15
It is recommended that Community Services Management:
15.1 Evaluate system input controls available and implement controls that will enhance the accuracy and consistency of data;
15.2 Develop manual data input standards, document and communicate to staff;
15.3 Ensure that the duplicate account report is reviewed in a timely manner and appropriate action is taken and approved.
Management Action Plan

15.1 - Community Services
Action Plan: Agree with recommendation. Community Services Management will evaluate system input controls available and implement controls where available that will enhance the accuracy and consistency of data.
Responsibility: Supervisor, Business Systems
Target Completion Date: August 31, 2013

15.2 - Community Services
Action Plan: Agree with recommendation. Community Services Management will develop manual data input standards, document and communicate to staff.
Responsibility: Supervisor, Business Systems
Target Completion Date: August 31, 2013

15.3 - Community Services
Action Plan: Agree with recommendation. Community Services will ensure that the duplicate account report is reviewed in a timely manner and appropriate action is taken and approved.
Responsibility: Supervisor, Business Systems
Target Completion Date: September 30, 2013
Data Integrity Controls
Observation #16 - CLASS to General Ledger Interface Process
Internal Audit assessed the controls that help ensure the accuracy and completeness of data being transferred from CLASS application system to the general ledger. Internal Audit identified the following issues:
• The process to transfer CLASS information into the general ledger system is not fully automated and therefore requires staff to manually load a file into the general ledger system. The file generated by the CLASS system contains data the general ledger system will not accept and therefore requires manual adjustments;
• The manual data adjustments processed are not logged, reviewed or approved;
• Several staff have access to modify the data but this is not part of their job responsibilities. This is a repeat control weakness identified in the 2003 Report on CLASS and Point of Sale (POS) Internal Control Audit - Phase 1 Report.
Implementing the following recommendations will help reduce the risk of inaccurate data.
Recommendations #16
It is recommended that Community Services Management and Financial and Information Services Management:
16.1 Review the reason for the general ledger file's data incompatibility with the general ledger system and, if feasible, eliminate the need for manual data adjustments when transferring general ledger data between systems. In the event manual adjustments cannot be eliminated, implement a process to ensure changes to the file are reviewed for accuracy and are authorized;
16.2 Develop, document, approve and communicate a secure adjustment process that ensures that any data adjustments are logged, reviewed and approved;
16.3 Ensure that access to the general ledger file is restricted to only staff who need access to carry out their job responsibilities and that incompatible duties do not exist. Where such access is required for a business reason, develop, implement, document and maintain on file compensating controls to monitor and evaluate transactions where users are required to perform incompatible duties.
Management Action Plan

16.1 - Community Services and Financial and Information Services
Action Plan: Agree with recommendation. Community Services and Financial and Information Services will work together to address the recommendation as written.
Responsibility: FIS Senior Manager, IT Solutions Delivery & Community Services, Manager, Business Services
Target Completion Date: May 31, 2013

16.2 - Community Services and Financial and Information Services
Action Plan: Agree with recommendation. Community Services and Financial and Information Services will work together to address the recommendation as written.
Responsibility: Senior Manager, IT Solutions Delivery & Community Services, Manager, Business Services
Target Completion Date: May 31, 2013

16.3 - Community Services and Financial and Information Services
Action Plan: Agree with recommendation. Community Services and Financial and Information Services will work together to address the recommendation as written.
Responsibility: Manager, IT System Operations & Community Services, Manager, Business Services
Target Completion Date: May 31, 2013
System Operations
Observation #18 - Data Retention Compliance
Data retention requirements define the period of time data is required to be kept by each department to ensure they meet business requirements and comply with the Records Retention By-law (163-2008). Internal Audit noted the following:
• The system data retention configurations do not comply with the requirements of the Records Retention By-law.
Implementing the following recommendations will reduce the risk of non-compliance with the Records Retention By-Law and potential privacy implications.
Recommendation #18
It is recommended that Community Services Management:
18.1 Ensure data residing in the CLASS system is in compliance with the Records Retention By-Law and business requirements.
Management Action Plan

18.1 - Community Services
Action Plan: Agree with the recommendation. System limitations currently exist. Community Services will contact the vendor and ask that this functionality be added in future releases. Community Services will investigate compensating controls utilized by other municipalities and implement where feasible.
Responsibility: Supervisor, Business Systems
Target Completion Date: July 31, 2013
Business Continuity
Observation #19 - Business Continuity Processes
Every critical business process should have a business continuity plan to ensure that its information system is available to support and enable the business to function during an emergency. Internal Audit's assessment of the business continuity plan observed the following:
• Community Services documented a component of a business continuity plan. However, a business continuity plan and an application disaster recovery plan have not been developed, documented or tested for critical processes supported by the CLASS system;
• Recovery testing of backup data does not occur on an annual or regular basis. The last testing of backups occurred in 2008.
Implementing the following recommendations will reduce the risk of critical service disruptions.
Recommendations #19
It is recommended that Community Services Management:
19.1 Develop, approve and test business continuity plans and application disaster recovery plan for processes supported by the CLASS system.
It is recommended that Financial and Information Services Management:
19.2 Ensure backups are tested on a regular basis to ensure backup data can be used to restore data when needed.
Management Action Plan

19.1 - Community Services
Action Plan: Agree with recommendation. Community Services Management will enhance current documentation and develop, approve and test business continuity plans and application disaster recovery plans for processes supported by the CLASS system.
Responsibility: Policy Advisor
Target Completion Date: December 31, 2013

19.2 - Financial and Information Services
Action Plan: Agree with recommendation. The recommendation will be addressed by undertaking a review of practices and processes to ensure they are up to date and that recovery verification testing is executed on an annual basis.
Responsibility: Manager, IT Network & Technical Services
Target Completion Date: Sep 30, 2013
Customer Account Management
Observation #20 - Overdue Accounts
Community Services staff work with customers to ensure prompt payment for services. Customer accounts with outstanding balances are to be referred to Corporate Collections if initial collection activities are unsuccessful. Internal Audit noted the following:
• Community Services staff are not referring customer accounts with outstanding balances to Corporate Collections in accordance with Policy 13.11.0 - Collection Policy and the Rental Collection Process SOP. There were instances where:
  • Non-affiliated community groups with outstanding balances are being submitted to Corporate Collections between 2 - 4 months from the due date instead of within the required 10 business days;
  • Affiliated community groups with outstanding balances are not being submitted to Corporate Collections within the required 30 days;
• The CLASS system allows account balances for program registration and memberships to be overridden by City staff rather than ensuring payment is made at the time of purchase. There is no formal policy or SOP to govern when payments for Community Services program registration and memberships are required.
Implementing the following recommendations will help reduce the risk of financial losses.
Recommendations #20
It is recommended that Community Services Management:
20.1 Implement management oversight activities to ensure that customer accounts with outstanding balances are being submitted to Corporate Collections in accordance with policies and procedures;
20.2 Develop, approve and implement a payment policy and/or SOP to ensure consistent payment practices for all purchases. Align system controls to enforce the policy or SOP.
Management Action Plan
No. 20.1 - Department: Community Services
Action Plan: Agree with recommendation. Community Services will implement management oversight activities to ensure that customer accounts with outstanding balances are being submitted to Corporate Collections in accordance with policies and procedures.
Responsibility: Manager, Business Services
Target Completion Date: April 30, 2013
No. 20.2 - Department: Community Services
Action Plan: Agree with recommendation. Community Services will develop, approve and implement a payment policy and/or SOP to ensure consistent payment practices for all purchases and will, within the limitations of the system, align system controls to enforce the policy or SOP.
Responsibility: Policy Advisor
Target Completion Date: August 31, 2013
Employee Benefits
Observation #21 - Fitness Membership Discounts
The City provides a benefit to employees for fitness memberships at City recreational facilities. Employees receive a 50% discount on the cost of annual memberships unless otherwise stated in a collective agreement. Internal Audit noted the following:
• The benefit is not equitably applied as Community Services staff receive a 100% discount on the cost of annual fitness memberships;
• Although during 2012 budget deliberations Council reviewed and approved funding of the discounted fitness memberships, there is no evidence of the 50% and 100% discounts being approved by Community Services or Council. Also, these rates are not reflected in the User Fee Bylaw;
• The 50% employee fitness membership discount is not clearly identified on the City's portal except on the form used to apply for the discount. In addition, this form does not indicate that Community Services staff should receive a 100% discount.
Implementing the following recommendation will ensure practices are consistent across the organization.
Recommendation #21
It is recommended that Community Services Management:
21.1 Document and approve employee fitness membership discount benefits for staff to ensure consistency.
Management Action Plan
No. 21.1 - Department: Community Services
Action Plan: Agree with recommendation. Community Services Management will document and approve employee fitness membership discount benefits for staff.
Responsibility: Policy Advisor
Target Completion Date: August 31, 2013