Agenda Item # 10
Public Utility District
WORKSHOP
To: Board of Directors
From: Mary Chapman
Date: August 20, 2008
Subject: Review of Audit Management Letter Recommendations Status
1. WHY THIS MATTER IS BEFORE THE BOARD
Staff has reviewed the audit recommendations from the 2007 annual audit. This item
is for the purpose of reviewing the status of those recommendations with the Board.
2. HISTORY
Each year the auditors issue a management letter at the end of the audit. In the letter
they take the opportunity to make recommendations to improve internal controls
and/or operating procedures.
3. NEW INFORMATION
Attached is a detailed list of the audit recommendations with staff's response. The
audit recommendations include the following areas:
A. Information Technology - recommendations to improve password security,
adding users and monitoring users' rights.
B. Documenting Automated Overhead Allocations - the auditor's 2006
recommendation included improving documentation of the automated overhead
allocation process and monitoring the results each month.
C. Reporting - recommendation to continue to improve management reporting
information.
D. Internal Controls - the comments relate to VK having to provide assistance on
the accounting of the power purchase transactions, removing the SEEA contract
transactions from the District's records and assistance in preparing the audit
report.
E. Audit Adjustments - District staff will review complex adjusting journal entries with
the auditors prior to the annual audit.
4. FISCAL IMPACT
The fiscal impact associated with implementing the audit recommendations is
de minimis and will be covered using existing budgets.
5. RECOMMENDATION
Review the report and provide comment.
Mary Chapman, Administrative Services Manager
Michael D. Holley, General Manager
The following items are Virchow Krause recommendations from the 2007 annual audit: 8-14-08
INFORMATION TECHNOLOGY(IT) GENERAL CONTROLS
Logical and Physical Access Security
The District is highly reliant on critical systems and the security that governs them. While logical
restrictions are in place, such as requiring a unique ID and password to access the system, best
practices indicate that other steps are necessary to ensure the integrity of data. We recommend the
following:
• Enforce length and character restrictions for passwords. Length and character restrictions
provide an additional level of security to help protect data and systems. Best Practices suggest
passwords should be changed every 45 days, require a minimum of 6 characters, require strong
passwords (combination of alphanumeric, numeric and special characters), and passwords
should be remembered so users can't reuse recent passwords.
Response: District staff has developed an IT Standard Practices Procedure. Among many
areas of security, this procedure addresses the development, maintenance and use of "strong
passwords". This Procedure has been reviewed in the Administrative Services Department. It
will be fully implemented in the Administrative Services Department by August 31, 2008. All other
departments accessing the network and/or the iVUE systems need to review and implement the
IT Standard Practices Procedures.
• Enforce consistent use of a form (paper or electronic) to facilitate adding new employees,
modifying existing employee access, and removing access for terminated employees. Approval
must be granted by an authorized individual before any changes occur.
Response: We have developed a form that will be used to add all new employees to the network
and/or the NISC billing and accounting systems. This form will authorize the network
administrator and/or the NISC system administrators to set up each employee giving him/her
rights to various software applications and designate the employee's level of security. These
forms will be approved by the employee's immediate supervisor, the department head, the
network administrator and the administrative services manager.
• Develop a process to periodically review list of user access rights to the network and significant
applications for appropriateness. This is typically done on an annual basis and eliminates the
possibility that user privileges are inappropriate for user responsibilities.
Response: This process of formally reviewing network security and NISC system security has
begun and will be completed by December 31st and each year thereafter. The review will become
part of the District's internal audit preparation procedures and will be reviewed by the
Administrative Services Manager each year.
PRIOR YEAR COMMENTS AND STATUS:
Documentation of Automated Overhead Allocation Process
During 2006, the District staff spent a considerable amount of time and effort automating
the allocation of overhead costs to expense accounts and work orders. This process improved staff
efficiency. VK auditors recommended that the staff develop documentation for this automated process
and that the staff develop a process to review these allocations monthly. In 2007, the auditors
acknowledged that the District implemented a control to reconcile and review the overhead allocation on
a monthly basis.
Additional Comment: The Finance and Accounting Manager should review the auditors' 2006
comments and make sure that the documentation and review processes are adequate to ensure proper
accounting procedures are being followed and that there are appropriate internal controls over the
process.
Monthly Financial Reporting for Ongoing District Management
The auditors commended the board for its desire to review the detailed reports on a monthly basis and
suggested ways to help them evaluate the District's financial performance given the volume of detailed
reports that are provided. They recommended the following:
• It is important for the board to review the disbursement records and feel comfortable with the
purpose and payees included on these records.
• Two additional monthly reports are recommended:
1) The first is a budget to actual or variance analysis. This report would look at significant
categories of revenues and expenses and compare the monthly activity and the year to date
activity to the District budget and provide explanations for variances over a pre-determined
threshold. For example, revenues may vary due to usage patterns or changes in the number
of customers. The kwh or gallon or customer number changes can be provided to support the
change in revenues from the budgeted expectation. Similarly, if distribution expenses are
lower than budgeted as the result of a mild winter and less overtime required for line repairs
that fact should be noted. Again, this report would be at a higher level, not an account by
account level.
2) The second type of report that can be very beneficial to the board is an executive analysis
type report. This would be a standard report that includes key ratios and metrics for financial
stability. This report could include items such as unrestricted funds on hand and the number
of months of operating costs that these would cover, restricted fund balances and a
comparison to required funding, debt coverage ratios, operating revenues or expenses per
full time equivalent, customer or kwh or gallon. Historical information could be used to create
benchmarks for the District in each of these areas which would allow management to see
quickly if current operations are meeting the desired expectations in these key areas or not.
The auditors noted additional reviews being performed by management in 2007. We continue to
stress the importance of management's involvement in the review process as the District
continues to enhance its current internal control procedures.
Additional Comment: The accounting staff has for many years provided management and the board
with a budget to actual or variance analysis. The part that has be[...] explanations for
variances over a pre-determined threshold. Michael Holley has implemented a monthly budget review
reporting requirement requiring department heads to provide a monthly budget performance review
commenting on year-to-date budgets that are over or under 5% and $10,000 of the budgeted line items.
During 200[...], the accounting department developed a series of ratios for the Board which were
presented to the Board based on the 2007 financial records. An updated presentation was presented
to the Board at the end of June, 2008. We will make sure to continue to address audit suggestions
in future presentations.
INTERNAL CONTROLS
A material weakness is a significant deficiency, or combination of significant deficiencies, that results in
more than a remote likelihood that a material misstatement of the financial statements will not be
prevented or detected by the entity's internal control. We believe that the following deficiencies
constitute material weaknesses.
Financial Reporting — During the 2007 audit we noted material journal entries not detected by
staff or management.
Financial Reporting — During the 2007 audit the auditor provided significant assistance to
management during the preparation of the financial statements.
Response: The Finance and Accounting Manager has established a direct contact with [...] Farquhar
of the NCPA Accounting Office in order to receive updated, accurate accounting information
monthly. These financial transactions that take place relating to the NCPA power contract are now
being recorded each month in the District's general ledger rather than just being recorded at
year end. As a result, there should be no delay in receiving accurate accounting transaction
information at the end of the year.
The Board has just authorized removing all Stampede Energy Exchange Agreement (SEEA) transactions
from the District records including opening up a separate checking account to receive and make
required SEEA contract deposits and payments.
Bob Mescher will be reviewing current audit disclosure standards to make sure that we do not rely
on Virchow Krause or any future auditing firm to assist with the preparation of any of the
audit [...] other part of the audit.
COMMUNICATIONS TO AUDIT COMMITTEE OR ITS EQUIVALENT
Audit Adjustments
See response to above internal control item. The accounting staff will review all significant district activity
during the year and verify the accuracy of the journal entries at year end.