City Council on April 29 and 30, 2009, adopted the following:

 

1.         City Council request the City Manager to direct management staff to regularly review and evaluate the adequacy of internal controls within their area of responsibility.  Where appropriate, action be taken to strengthen controls, with a view to preventing and detecting instances of fraud and other wrongdoing.

The Audit Committee recommends that:

 

1.         City Council request the City Manager to direct management staff to regularly review and evaluate the adequacy of internal controls within their area of responsibility.  Where appropriate, action be taken to strengthen controls, with a view to preventing and detecting instances of fraud and other wrongdoing.

The Audit Committee:

 

1.         requested the City Manager to report to the Audit Committee:

 

            a.         on the policy changes required in order to allow for recoveries made as a result of investigations by the Auditor General to be allocated to a general reserve fund, instead of being returned to the subject division where the losses occurred; and

 

            b.         with policy guidelines respecting termination of employees due to integrity issues, such as the ones described in the 2008 Fraud and Waste Hotline report; and

 

2.         requested the Auditor General to consider reporting to the Audit Committee:

 

            a.         for its next meeting, on incidents, by division, agency, board or commission, which have substantiated complaints; and

 

            b.         with any follow-up information respecting the Manulife Financial issues.

 

The Audit Committee met in closed session to consider this Item as it relates to:

 

1.         personal matters about identifiable individuals, including municipal or local board employees;

2.         labour relations and employee negotiations; and

3.         litigation or potential litigation affecting the municipality or local board.

In June 2000, Audit Committee requested that the Auditor General submit an annual report on the status of fraud and related matters.  This report represents the Auditor General’s eighth annual report on the activities of the Fraud and Waste Hotline Program for the period of January 1, 2008 to December 31, 2008.

 

Managing the risk of fraud or other wrongdoing must be a continuous and collective effort involving all levels of staff.  The primary responsibility for maintaining appropriate internal controls to prevent and detect wrongdoing remains with divisional management.

 

The risk of fraud and wrongdoing is an inherent part of conducting business in all organizations including the public sector.

 

Often fundamental and basic internal controls that help reduce the risk of wrongdoing are overlooked when controls are not regularly reviewed.  Inadequate internal controls are a primary contributing factor to the occurrence of fraud while the lack of management review and the override of existing controls are also factors.

 

Corrective controls, such as improved policies and procedures, are key to remedying problems that are discovered ensuring that future wrongdoing is better prevented and detected, especially in areas subject to greater levels of risk.

 

In 2008, based on our review of complaints, a number of substantiated complaints may have been mitigated through the active application of internal controls, policies and procedures.  In these cases, basic controls were disregarded and their effectiveness not actively monitored.  The recommendation made in this report will re-emphasize management’s responsibility to regularly review and re-evaluate internal controls.

City Council on April 29 and 30, 2009, adopted the following:

 

1.         City Council request the City Manager, in consultation with the Chief Information Officer, to give consideration to the establishment of an IBMS governance model which provides for senior management approval and prioritization of all IBMS related projects.  The governance model follow the process recently established in relation to the development of SAP projects.

 

2.         City Council request the City Manager, in consultation with the Chief Information Officer, to require that divisions identify business risks relating to the IBMS Information Technology System.  The Chief Information Officer review all such risks and ensure strategies and processes are in place to address all such risks.

 

3.         City Council request the City Manager, in consultation with the Chief Information Officer and divisions, to develop IBMS performance measures.  Such measures be used to monitor ongoing performance.  Where performance does not meet such measures, corrective action be taken.

 

4.         City Council request the City Manager and the Chief Information Officer, as part of the IBMS governance process, to give priority to the development of IBMS business continuity plans.  Such plans should include disaster and recovery planning.

 

5.         City Council request the City Manager, in consultation with the Chief Information Officer, to develop and formalize service level agreements for information technology services provided to City divisions by the Information and Technology Division.

 

6.         City Council request the City Manager, in consultation with the Chief Information Officer, to review current levels of training available to IBMS users, and solicit input from divisional users in relation to training effectiveness.  Deficiencies in regard to training identified by users be appropriately addressed.

 

7.         City Council request the City Manager, in consultation with the Chief Information Officer, to  develop and implement a change management protocol for IBMS.  Such a protocol take into account the SAP change management protocol.

 

8.         City Council request the City Manager, in consultation with the Chief Information Officer, to  develop security plans, standards and related staff responsibilities for managing and overseeing IBMS security.

 

9.         City Council require the City Manager, in consultation with the Chief Information Officer, to conduct periodic reviews of current IBMS user security to ensure access is compatible with user roles.  Such review should also include an analysis of the last date of use.  Dormant users should be eliminated from system access.

 

10.       City Council request the Chief Information Officer to develop formal written procedures for granting, changing or removing IBMS user access.

 

11.       City Council request the City Manager and the Chief Information Officer to develop as a priority an electronic interface between IBMS and the City’s SAP Financial System.  Such an interface would reduce the requirement for manual analysis and processing.

 

12.       City Council request the City Manager, in consultation with the Chief Information Officer and the City Clerk, to review the record retention policy for all IBMS related records.  Such a review include the establishment of policies and procedures for archiving IBMS records.

 

13.       City Council request the Chief Information Officer to obtain a copy of the System source code for the current release of the System software and ensure future releases are accompanied with System software under the terms of the agreement.

 

14.       City Council request the City Manager to conduct a review of related System users in the City and its Agencies, Boards and Commissions and update the existing software maintenance contract as required.

 

15.       City Council request the City Manager to ensure staff from business units perform the procedure for revising service fees maintained in IBMS and that the process be appropriately documented.

 

16.       City Council request the Chief Information Officer to report to the Audit Committee by February 2010, on the progress of the establishment of an information technology governance structure for the Integrated Business Management System (IBMS) and on the other recommendations made in the Auditor General's report dated January 16, 2009.

 

17.       City Council request that Members of Council be included in:

 

1.         the long-range strategic plan, performance measures and business integrity plan for the Integrated Business Management System (IBMS); and

 

2.         the opportunities for improvement relating to user training and processes for making changes to the system.

The Audit Committee recommends that:

 

1.         City Council request the City Manager, in consultation with the Chief Information Officer, to give consideration to the establishment of an IBMS governance model which provides for senior management approval and prioritization of all IBMS related projects.  The governance model follow the process recently established in relation to the development of SAP projects.

 

2.         City Council request the City Manager, in consultation with the Chief Information Officer, to require that divisions identify business risks relating to the IBMS Information Technology System.  The Chief Information Officer review all such risks and ensure strategies and processes are in place to address all such risks.

 

3.         City Council request the City Manager, in consultation with the Chief Information Officer and divisions, to develop IBMS performance measures.  Such measures be used to monitor ongoing performance.  Where performance does not meet such measures, corrective action be taken.

 

4.         City Council request the City Manager and the Chief Information Officer, as part of the IBMS governance process, to give priority to the development of IBMS business continuity plans.  Such plans should include disaster and recovery planning.

 

5.         City Council request the City Manager, in consultation with the Chief Information Officer, to develop and formalize service level agreements for information technology services provided to City divisions by the Information and Technology Division.

 

6.         City Council request the City Manager, in consultation with the Chief Information Officer, to review current levels of training available to IBMS users, and solicit input from divisional users in relation to training effectiveness.  Deficiencies in regard to training identified by users be appropriately addressed.

 

7.         City Council request the City Manager, in consultation with the Chief Information Officer, to  develop and implement a change management protocol for IBMS.  Such a protocol take into account the SAP change management protocol.

 

8.         City Council request the City Manager, in consultation with the Chief Information Officer, to  develop security plans, standards and related staff responsibilities for managing and overseeing IBMS security.

 

9.         City Council require the City Manager, in consultation with the Chief Information Officer, to conduct periodic reviews of current IBMS user security to ensure access is compatible with user roles.  Such review should also include an analysis of the last date of use.  Dormant users should be eliminated from system access.

 

10.       City Council request the Chief Information Officer to develop formal written procedures for granting, changing or removing IBMS user access.

 

11.       City Council request the City Manager and the Chief Information Officer to develop as a priority an electronic interface between IBMS and the City’s SAP Financial System.  Such an interface would reduce the requirement for manual analysis and processing.

 

12.       City Council request the City Manager, in consultation with the Chief Information Officer and the City Clerk, to review the record retention policy for all IBMS related records.  Such a review include the establishment of policies and procedures for archiving IBMS records.

 

13.       City Council request the Chief Information Officer to obtain a copy of the System source code for the current release of the System software and ensure future releases are accompanied with System software under the terms of the agreement.

 

14.       City Council request the City Manager to conduct a review of related System users in the City and its Agencies, Boards and Commissions and update the existing software maintenance contract as required.

 

15.       City Council request the City Manager to ensure staff from business units perform the procedure for revising service fees maintained in IBMS and that the process be appropriately documented.

The objective of this audit was to determine whether the City’s management and oversight of the Integrated Business Management System (IBMS) ensures the reliability, integrity and confidentiality of information produced and maintained by the system.

 

For IBMS to serve the City efficiently and effectively improvements in management and oversight are required.  The establishment of an IBMS information technology governance structure will go along way in helping to coordinate IBMS related decision-making and change management.

 

Implementation of a long range strategic plan, performance measures and a business continuity plan will also ensure coordinated growth and development for system users and ensure reliable service to IBMS user divisions.  There are also opportunities for improvement relating to user training, process for making changes to the system, security management and administration of software licences.

 

Although recommendations in this report focus on improving existing controls and administration of IBMS related resources the recommendations may be relevant to information technology systems throughout the City and its Agencies, Boards, Commissions and Corporations and should be reviewed, evaluated and implemented as deemed appropriate.

City Council on April 29 and 30, 2009, adopted the following:

 

1.         City Council receive the 2007 audited financial statements and management letter of Leaside Memorial Community Gardens Arena.

The Audit Committee recommends that:

 

1.         City Council receive the 2007 audited financial statements and management letter of Leaside Memorial Community Gardens Arena.

City Council on April 29 and 30, 2009, adopted the following:

 

1.         City Council approve the 2007 audited financial statements and management letters of the three Business Improvement Areas attached as Appendices A-1 to C-2.

The Audit Committee recommends that:

 

1.         City Council approve the 2007 audited financial statements and management letters of the three Business Improvement Areas attached as Appendices A-1 to C-2.