11.a. Receive Internal Audit reporting for the first half of FY 2021-22
Page 1 of 34
Item 11.a.

CENTRAL SAN
CENTRAL CONTRA COSTA SANITARY DISTRICT

December 16, 2021

TO: HONORABLE BOARD OF DIRECTORS
FROM: BENJAMIN JOHNSON, INTERNAL AUDITOR
REVIEWED BY: PHILIP LEIBER, DIRECTOR OF FINANCE AND ADMINISTRATION
ROGER S. BAILEY, GENERAL MANAGER
SUBJECT: RECEIVE INTERNAL AUDIT REPORTS FOR THE FIRST HALF OF FISCAL YEAR 2021-22

Attached are the FY 2020-21 Payroll Design-only Review and FY 2021-22 Information Technology (IT) Identity and Access Management Review Final Reports.

Internal Audit reviewed Central San's payroll process controls, with a focus on the segregation of duties, after the operational system migration to the Oracle Fusion Cloud. Management's responses to our recommendations have been reviewed and have been included in the audit report. Internal Audit plans to perform a traditional operational audit of the payroll process in FY 2021-22, where testing will be conducted to verify that the agreed-upon corrective actions are operationally effective.

In addition, Internal Audit partnered with CliftonLarsonAllen (CLA), an external public accounting firm/consultancy, to perform an IT Identity and Access Management Review. This project focused on super-user access/administrator rights, including the controls in place to monitor activity. All the findings identified have been vetted with IT management, and corrective action plans are currently being drafted.

The actions taken and/or planned are responsive to the observations in the audit reports. There will be regular follow-up to discuss remediation efforts and send reminders, as needed.

Please see the biannual findings report attached, which reflects the status of the findings identified from Quarter 4 FY 2020-21 through the first half of this fiscal year. Prior to the inception of this biannual report, the Internal Audit Department was able to partner with management and staff to close 10 findings related to prior audits. Although there were four open findings related to payroll when the full-time Internal Auditor position was filled in March 2021, the related processes were reassessed in the payroll review mentioned above. Therefore, the findings report attached reflects the status of all open findings to date.

December 16, 2021 Regular Board Meeting Agenda Packet - Page 78 of 216

Strategic Plan Tie-In

GOAL THREE: Fiscal Responsibility
Strategy 1—Maintain financial stability and sustainability
Strategy 2—Ensure integrity and transparency in financial management

ATTACHMENTS:
1. Memorandum and FY 2020-21 Payroll Design-only Review Final Report 09-21-21
2. FY 2021-22 IT Identity and Access Management Review Final Report 09-16-21
3. Internal Audit Biannual Findings Report for the Board of Directors — Close of Q2 FY 2021-22
4. Presentation

Attachment 1

CENTRAL SAN, CENTRAL CONTRA COSTA
INTERNAL AUDIT REPORTING

DATE: December 16, 2021
TO: Board of Directors
FROM: Benjamin Johnson, Internal Auditor
SUBJECT: INTERNAL AUDIT REPORTING FOR THE FIRST HALF OF FY 2021-22

Enclosed are the FY 2020-21 Payroll Design-only Review and FY 2021-22 IT Identity and Access Management Review Final Reports.

Internal Audit reviewed Central San's payroll process controls, with a focus on the segregation of duties, after the operational system migration to the Oracle Fusion Cloud. Management's responses to our recommendations have been reviewed and have been included in the audit report. Internal Audit plans to perform a traditional operational audit of the payroll process in FY 2021-22, where testing will be conducted to verify that the agreed-upon corrective actions are operationally effective.

In addition, Internal Audit partnered with CliftonLarsonAllen (CLA), an external consultant, to perform an IT Identity and Access Management Review. This project focused on super-user access/administrator rights, including the controls in place to monitor activity. All the findings identified have been vetted with IT management, and corrective action plans are currently being drafted.

The actions taken and/or planned are responsive to the observations in the audit reports. There will be regular follow-up to discuss remediation efforts and send reminders, as needed.

Please see the biannual findings report attached, which reflects the status of the findings identified from Q4 FY 2020-21 through the first half of this fiscal year. Prior to the inception of this biannual report, the Internal Audit Department was able to partner with management and staff to close 10 findings related to prior audits. Although there were four open findings related to payroll when the full-time Internal Auditor position was filled in March 2021, the related processes were reassessed in the payroll review mentioned above. Therefore, the findings report attached reflects the status of all open findings to date.

Benjamin Johnson
Internal Auditor
Enclosures

Internal Audit Reporting Memorandum and FY 2020-21 Payroll Design-only Review Final Report 1

FY 2020-21 PAYROLL DESIGN-ONLY REVIEW FINAL REPORT

DATE: September 21, 2021

INTRODUCTION

Audit Objective

The objective of this engagement was to identify and assess the design of internal controls surrounding the payroll process, with a focus on the segregation of duties.

Background

The payroll function transferred from Finance to the Human Resources (HR) Division in October 2017, although Finance still owns a few related processes.
In FY 2020-21, Central San migrated most of its operational processes from SunGard to the Oracle Fusion Cloud (Oracle). In partnership with a third-party implementation resource and the IT Division, the Oracle payroll module went live in January 2021. Since implementation, HR and Finance management have worked through numerous challenges in relation to the Oracle system. Management has identified payment calculation errors, reporting limitations, and the inability to view information critical to perform a general ledger reconciliation. Although management and staff have committed a considerable amount of time and effort to manually identify/correct payroll data errors and initiate system improvements, system functionality continues to have certain limitations as of the date of this report.

Central San's budgeted salaries, wages and employee benefits net of capitalized overhead and benefits for FY 2021-22:

Expense Category                                                        Total as of 6/30/20
Salaries & Wages                                                        $39,543,191
Benefits & Capital Overhead Credit                                       11,545,173
OPEB UAAL                                                                 2,451,000
Retirement UAAL/Unfunded Liabilities                                     12,126,016
Additional UAAL Contributions                                             1,250,000
Total Labor Related Costs including UAAL and Additional Contributions    66,915,380

Source: Central San's FY 2020-21 Budget [1], page ...
[1] The O&M budget was revised on September 2, 2021 to reflect the June pay-off of the pension UAAL.

Audit Scope, Limitations and Methodology

Internal Audit plans to perform a traditional operational audit of the payroll process in FY 2021-22. In this review, Internal Audit verified whether internal controls related to the segregation of duties were appropriately designed to address risks surrounding key payroll processes, including:
• Hires/additions
• Terminations/deletions
• Payroll processing
• Salary adjustments
• Manual checks
• Direct deposit
• GL reconciliations

The review was performed using the following methods:
• Reviewed available policies, guidelines, and procedures
• Interviewed team members and observed the processes within the scope of the review
• Obtained and reviewed evidence of existing controls
• Reported on audit results and discussed recommendations

INTERNAL AUDIT RESULTS

Summary

Based on Internal Audit's assessment of the controls designed around the payroll process, with a focus on the segregation of duties, critical improvements to the process are needed to minimize risk to the organization. There is ample opportunity to improve the overall governance over the payroll process. Observations and recommendations were made regarding the following:
• Policies and procedures
• Personnel and payroll user privileges in Oracle
• Payroll data review by an employee with no payroll duties

The risk each finding presents to the organization is weighted using the following system:
• 1—High Risk
• 2—Moderate Risk
• 3—Low Risk

Finding 1: Policies and procedures (2—Moderate Risk)

Policies and procedures surrounding the payroll process have not been updated since the rollout of the Oracle payroll module. Processes and system features have continuously evolved since the payroll module went live in January 2021. Currently, HR regularly emails time reporting/approval instructions to Central San employees. Although an informal payroll process is understood on an individual task level by key staff, there is an overall lack of detailed documentation with respect to key payroll processes.

Key Risks: Unclear objectives, roles, and procedures

Recommendation: Detailed standard operating procedures (SOP) and policies surrounding the payroll process should be developed, updated as needed, and made available to key staff. The documentation should include which tasks are performed by HR and which are performed by Finance. A detailed SOP would also facilitate cross-training of staff for succession planning and business continuity purposes.

Management's Response/Action Plan: Management agrees with this finding and will begin developing new and detailed SOPs related to payroll processing within the new Oracle ERP module(s).

Target Date/Responsible: December 1, 2021 / Teji O'Malley, HR and OD Manager

Internal Audit's Response: Management's action plan and target date appear reasonable.

Finding 2: Personnel and payroll user privileges in Oracle (1—High Risk)

Two HR staff have user privileges that allow them to enter new employees into the Human Capital Management (HCM) personnel module as well as edit data in the payroll module. As a result, it is possible that a single HR employee could create a fictional employee in the system and, through input of specific time entries or payroll system entries, create a payment to that fictitious employee of a specified dollar amount. Other compensating detective controls could be added, but the present situation constitutes a segregation of duties weakness that should be remediated.

Key Risks: Fraud

Recommendation: Remove user privileges that allow the ability to add employees to the Oracle system for HR staff performing payroll functions.

Management's Response/Action Plan: Management agrees with the finding and will remove access to enter and create new employees/transactions from the HR Analysts and will transfer that access to an Administrative Services Assistant, who will be solely responsible for the entry of any new employees as well as all personnel transactions. A second Administrative Services Assistant will serve as back-up staff and will have access to enter new employees/transactions should the need arise. The two HR Analysts responsible for payroll processing will only review and audit, not enter/edit, all transactions including new employees, prior to the processing of payroll.

Target Date/Responsible: September 30, 2021 / Teji O'Malley, HR and OD Manager

Internal Audit's Response: Management's action plan clearly aims to address key risks by updating controls surrounding the segregation of duties. The action plan and target date reflect a sense of urgency and appear reasonable.

Finding 3: Payroll data review by an employee with no payroll duties (1—High Risk)

HR and Finance do not have the ability to produce detailed reporting within Oracle that provides staff and management the critical data elements necessary to perform a robust accuracy review, such as: error rates, calculations, personnel changes, pay rate changes, and manual changes made in the system by HR staff or supervisors editing time reporting.
Payroll data is manually reviewed for accuracy by HR staff during the bi-weekly payroll process; however, it is not subsequently reviewed by an employee with no payroll processing responsibilities prior to:

A) The direct deposit process — A direct deposit data file is generated by an HR staff person and sent to an IT team member to perform the transaction within the bank's online portal. A bank confirmation is received by the HR staff person and Finance management, which they both reconcile to the payroll register.

B) Printing live checks and making off-cycle payments —
Live checks: An HR staff provides payroll register information to Finance to process live checks. Finance management receives a copy of the live checks along with a cover letter for approval. They agree the cover letter to the live check amounts and review the amounts for reasonableness. However, they do not have the proper system access to verify whether the amounts are accurate per the personnel records before processing payments.
Off-cycle payments: All off-cycle payments are processed through the Oracle system via direct deposit or live check processes and are subject to the process gaps identified above.

C) Processing supplemental retirement plan terminal pay contributions — Such contributions are not automatically captured in the Oracle report Finance runs to process retirement benefits. An HR staff person manually tells Finance staff which employees have retired in the pay period and the payment amount. Finance cannot currently generate a report of election changes (for new hires, existing employees, or terminations) and, therefore, cannot independently verify the accuracy of terminal information provided by HR.

D) The general ledger (GL) reconciliation process — Finance staff have limited visibility to critical data necessary to perform a traditional payroll GL reconciliation. Instead, a Finance staff runs a payroll journal accounting string error report within the Oracle system and manually corrects any system-generated errors in the GL. The Finance staff is unable to verify whether the figures are accurate, and any changes made to the GL are not reviewed for accuracy by a supervisor before or after being posted.

Key Risks: Fraud; inaccurate/late payments; regulatory non-compliance; accounting/reporting inaccuracies

Recommendation: Management and staff require the ability to produce more meaningful reporting from the Oracle system that includes the forenamed data elements to effectively validate payroll. The Oracle system does not appear to contain such reports as a standard feature, and such reports would require specific development. A single system-generated report that includes all the necessary elements could serve as the single source of truth for both divisions. Please see our recommended process below:
• Utilizing the Oracle report, HR staff can review for personnel information accuracy, including timekeeping, when processing payroll.
• Finance can be notified after the review is complete, and a Finance team member can perform a reasonableness review of the personnel information and any manual changes to the system, as well as a detailed review of the payment calculations.
• Once the report is reviewed and approved by Finance management, it can be sent to HR management for a final, high-level reasonableness review.
• Once HR management notifies Finance of their approval, a GL reconciliation can be performed, which should be reviewed for accuracy by a supervisor in Finance before and after any changes are posted.
• Payment transactions can then be made by designated Finance team members utilizing updated system information.

Improving system access (allowing relevant Finance staff visibility into the relevant Oracle modules) is essential in allowing Finance staff to perform a proper GL reconciliation, a critical component of the payroll process. In addition, any changes made to the GL should be reviewed by a supervisor before and after being posted. Segregation of duties should always be maintained, and with each level of review, if there are questions, coordination should be made with appropriate staff to provide further clarity or to make corrections in the system. We strongly recommend all payment transactions are performed by Finance using information direct from the Oracle system to minimize the risk of either human error or fraud. In addition, key staff performing accuracy reviews in both divisions should have a trained back-up staff.

HR Division Management's Response/Action Plan: HR management agrees with the findings but is recommending a different review process than what is detailed above. Since HR will be assigning all personnel transaction data entry to one Administrative Services Assistant, the other Administrative Services Assistant will be responsible for maintaining a Personnel Action Form (PAF) log within HR detailing each transaction in any given pay period. Once those transactions have been entered and payroll processed, an HR Analyst responsible for processing payroll will extract an Oracle report that details all transactions in any given pay period (new hires, pay adjustments, terminations, etc.). The Oracle report and a copy of the PAF log will be routed via DocuSign to another HR Analyst within the division with no payroll responsibilities for review and then to the HR Manager for final review.

Target Date/Responsible: Completed as of August 1, 2021 / Teji O'Malley, HR and OD Manager

Internal Audit's Response: Internal Audit has reviewed the Personnel Action Form (PAF) log and Oracle report for the pay period ending July 3, 2021. There is evidence that the documentation was signed by the HR Analyst processing payroll, another HR Analyst with no payroll responsibilities, and the HR Manager. These controls, as they are designed, appear to mitigate key risks surrounding the segregation of duties. Internal Audit has closed this portion of the finding for design effectiveness.

Finance Division Management's Response/Action Plan: Finance management agrees with the findings but proposes slightly different solutions to address certain risks in consideration of limited resources and prioritization of divisional staff time and objectives. A combination of inter-divisional protocol changes as well as system modifications are being explored to address the findings listed previously. Regarding protocol changes, Finance and HR have agreed the payroll payment processing and reconciliation functions should be more fully transitioned to the Finance Division.
While HR will continue to be responsible for processing payroll and preparing the payroll register, Finance shall be responsible for auditing the payroll register (employing a "risk-based" approach) and administering the timely payment of payroll obligations such as: employee direct deposits, employee manual checks, IRS withholding taxes, EDD withholding taxes, retirement contributions, etc.

Finance has also been working with IT and the ERP implementation consultants (Emtec) on system modifications to address several of the concerns noted previously. While Oracle Fusion Cloud currently does not have a standard user role that allows Finance to access HCM data in a view-only capacity to facilitate payroll register audit needs, IT and Emtec are working on developing several custom payroll reports that can be independently generated by authorized Finance staff. Custom reports will include information on HCM changes in specified timeframes such as: new hires, pay changes, terminations/retirements, and benefit election changes. Emtec is also exploring the possibility of preventing the same person that generates the payroll journal entry from also being able to post/approve it to ensure any edits are reviewed by a second party. This functionality does not appear to be available with the standard Oracle product and may necessitate some system customizations. Should a systematic control such as this not be available or feasible, Finance will implement a manual process to ensure edits to the system-generated payroll journal entry are reviewed and approved by a supervisor.

There are two areas where Finance management disagrees slightly with recommended actions and proposes alternative mitigating controls. The first is regarding the proposed recommendation for a detailed review of payment calculations included in the payroll register, and the second is regarding a proposed approval of the payroll register by Finance management prior to approval by HR management.

Finance management believes the recommended detailed review of payment calculations in the payroll register should be redefined to focus on the areas of risk to better prioritize the use of limited staff time. Unlike manual processes, once configured correctly, the outputs from the payroll subledger are system-generated and should be mathematically correct. This can be further validated through the upcoming phase II payroll internal audit. Accordingly, the review of detail calculations will be concentrated on areas where there is manual intervention or system overrides and focus on changes such as new hires, terminations/retirements, pay changes, and benefit election changes.

As the HR Division possesses primary ownership of the payroll function, it does not seem appropriate that Finance's approval of the payroll register should precede that of HR Management's. Following HR management's approval of the payroll register, it should be turned over to Finance for an independent review and reconciliation of the information followed by the funding and payment process. Any concerns or potential errors identified by Finance should be promptly communicated to HR for further investigation and corrections, if applicable.

Target Date/Responsible: November 1, 2021 / Kevin Mizuno, Finance Manager

Internal Audit's Response: Management's action plan addresses key risks related to the segregation of duties while accommodating the operational needs of the divisions involved. Taking into consideration the anticipated challenges of making significant changes to the Oracle system, the action plan and target date appear reasonable.

Attachment 2

IT Identity and Access Management
Central Contra Costa Sanitary District
September 16, 2021

This document and the information contained within is considered Proprietary & Confidential and NOT to be reproduced, duplicated or disclosed without expressed written consent by CliftonLarsonAllen LLP.

Table of Contents
Executive Summary 3
Objective 3
Scope 3
Approach 5
Control Results and Benchmarking 7
Recommendations 9
References 17

Create Opportunities ©2021 CliftonLarsonAllen LLP

Executive Summary

Objective

The objective of the IT Identity and Access Management review was to identify gaps in the current control environment that could put Central Contra Costa Sanitary District (the Organization) data (by type) at risk, including:
• Financial Data
• Employee Data
• Intellectual Property
• Confidential Consumer Data

Deficiencies in control design or effectiveness that could negatively impact the confidentiality or integrity of Central Contra Costa Sanitary District data or the availability of critical systems are identified within this report with recommendations for remediation.
CLA performed this engagement in accordance with the Statement of Standards for Consulting Services issued by the American Institute of Certified Public Accountants. This engagement is not an assurance audit as defined by professional standards and should not be construed as such.

Scope

The scope of this review was focused on the following domains:

Control Domain
Section 1  Access Management
Section 2  Data Security and Privacy
Section 3  Endpoint Security
Section 4  Physical Security of IT Assets
Section 5  HR Security
Section 6  Log and Event Management

Application reviews focused on system infrastructure for the following applications (column headings of the source table were not recoverable; values are listed in the order they appear):
A - Oracle Fusion: Core Application; Financial Data; Proprietary; Externally; Internally
B - Office 365: Business Use Application; Proprietary; Proprietary; Externally; Externally

Approach

Overview

To achieve the project objectives, CLA conducted the IT Identity and Access Management Review by interviewing staff, reviewing documentation provided by Central Contra Costa Sanitary District, and observing current processes and procedures within the Organization.

Best Practice

As a basis for the review, current processes and procedures specific to information technology within the Organization were compared to Best Practice controls outlined in CLA's Information Technology and Systems Management Work Programs. The work programs were initially developed based on the guidelines of regulatory requirements and have since been revised to incorporate elements of COBIT, COSO, ITIL, Info-Tech Research Group, and NIST 800-53 Revision 5. Controls proven to be important based on the experience of the Cybersecurity group staff within CLA have also been included in the work programs.

CLA's controls are categorized as either required, essential or recommended.
• A required control is either stated or implied by regulatory guidance as an expected practice.
• An essential control is stated or implied by other authoritative guidance as expected practice.
• A recommended control is considered by CLA as an industry best practice.

Risk and Likelihood Ratings

Overall risk is determined based on the magnitude of the impact of an event after consideration of the Organization's controls and the likelihood that the event would negatively impact the Organization. Controls specific to each control domain and topic were reviewed, and risk was determined as follows:

Inherent Risk — determined based on the probability of the defined risk (threat) with subjective consideration of the impact. Inherent Risk is calculated based on the following:

Probability   Impact    Inherent Risk
Low           Low       Low
Low           Medium    Medium
Low           High      Medium
Medium        Low       Low
Medium        Medium    Medium
Medium        High      High
High          Low       Medium
High          Medium    High
High          High      High

Control Risk — determined based on the evaluation of each current control's design, effectiveness, strength and likelihood of failure. Control Risk is determined based on the following:

Control Risk   Definition
Critical       Immediate potential to impact availability, integrity or confidentiality (no control)
High           Potential to impact availability, integrity or confidentiality (weak control)
Medium         Intermittent potential to impact availability, integrity or confidentiality (control exists but not enforced)
Low            Controls are in place and operating effectively; however, inherent risk exists

Residual Risk — determined by subjectively evaluating the extent Control Risk could reduce Inherent Risk. Residual Risk assumes the Organization has not taken action on the Recommended Remediation to reduce the overall risk to the Organization. Residual Risk is determined based on the following:

Residual Risk   Definition
Critical        Immediate potential to impact availability, integrity or confidentiality (Controls cannot be designed appropriately or be effective on a consistent basis)
High            Potential to impact availability, integrity or confidentiality (Controls are not designed appropriately or are not effective on a consistent basis)
Medium          Intermittent potential to impact availability, integrity or confidentiality (Controls are designed appropriately and can be effective on a consistent basis but can be bypassed or overlooked)
Low             Controls are in place and operating effectively; however, inherent risk exists

Remediation

As a result of the issue(s) identified, remediation recommendations were provided to improve the position of the Organization related to the defined security or technology management topic. Each recommendation was subjectively assigned an effort that indicates the level of effort associated with implementing the remediation as follows:

Priority   Review Period     Identification of Mitigating Controls
Critical   Within 10 Days    Within 30 Days
High       Within 30 Days    Within 30-60 Days
Medium     Within 90 Days    Within 90-120 Days
Low        Within 120 Days   Recommendations are based on "best practice" and can be addressed as time permits to determine if additional controls should be implemented.

Control Results and Benchmarking

CLA evaluated 46 controls and rated each control by effectiveness. Effective controls earn 100% of the points, Mostly Effective earns 80%, Partially Effective earns 50% and Not Effective controls earn 0%.
The maturity score by control domain and in total represents the Organization's maturity in Information Security Management. Scores for each control were summarized by domain as follows: Control Domain Maturity Score Access Management 82.05% Data Security and Privacy 95.20% Endpoint Security 100.00% Physical Security of IT Assets 86.88% HR Security 86.36% Log and Event Management 95.71% Average Score 86.07% _(J—yb Create Opportunities ©2021 Clifton LarsonAllen LLP 1 7 December 16, 2021 Regular Board Meeting Agenda Packet- Page 96 of 216 Page 20 of 34 Attachment 2 The results of the review process indicated that the following residual risks are present within the control domains under review: 6 5 ■Critical ■High Medium ■Low 2 1 'Jam 0 Detail to support these conclusions is contained within the remaining section of the report. Within each domain, the control segments that were identified as Critical, or High Risk gaps represent the most significant threat to the Organization.These issues require either Critical or High Priority attention by management. Additional Medium and Low Risk gaps are also identified and require review by management to determine a remediation strategy. Effective controls are shown to demonstrate overall effectiveness of the tested domain. _(J7C) Create Opportunities ©2021 Clifton LarsonAllen LLP 1 8 December 16, 2021 Regular Board Meeting Agenda Packet- Page 97 of 216 Attachment 2 Recommendations Domain: Access Management Best Practice: Appropriate administration of network user accounts is a critical element of a secure environment.The user account provisioning process should be adequately supported by structured procedures that can be monitored by management, and segregated from personnel with other pervasive or sensitive duties. Individuals authorized to add/delete/modify user access should be selectively restricted to ensure only approved requests are processed. 
Network access should be based on business need, and require a valid username and password that establishes group memberships and authorization. Employees should be instructed on the importance of password confidentiality. In addition, in order for the Organization to appropriately manage business applications, organization-wide risk and controls should be evaluated and applied based upon the criticality and risk of the application. The Organization should establish a standard for limiting and reviewing administrator access based upon the risk rating. The Organization should implement role-based access for the application; establish new hire, change of access, and termination procedures for the application; and establish a user access and privilege review process.

Domain: Access Management

Control Objective: Users, processes, and devices are authenticated prior to being granted system access.
Control Rating: Partially Effective. Inherent Risk: High. Residual Risk: Medium. Remediation Priority: Medium.
Comments: The Organization has an access management guideline that is distributed to all employees that have network access. However, the policy in place does not include standards for segregation of duties, role change procedures, and the use of access checklists. In addition, CLA identified that three (3) of the five (5) new user samples did not have acknowledgement of the access management guideline policy documented.
Recommendation: CLA recommends that an access management policy or procedure be documented that includes standards for role-based access and role changes. It should also outline how those changes should be approved and documented within the Organization. Consideration for segregation of duties should be outlined as well. In addition, this document should be reviewed and signed by all new employees.
Control Objective: User access grants to systems and information are approved by appropriate authorities.
Control Rating: Partially Effective. Inherent Risk: Medium. Residual Risk: Medium. Remediation Priority: Medium.
Comments: The Organization has established a formal process to request access for new employees. However, the new hire form does not formally document who is approving the access for the new employee.
Recommendation: CLA recommends that new user access follow a documented request process that includes approval and retention requirements.

Control Objective: User accounts for temporary users are configured with appropriate expiry dates.
Control Rating: Partially Effective. Inherent Risk: High. Residual Risk: High. Remediation Priority: High.
Comments: The Organization removes accounts for users in a timely manner for employees. However, CLA identified six (6) accounts belonging to third party users that were enabled and had not logged into the account for the past three (3) years. These accounts had 'password never expired' enabled.
Recommendation: CLA recommends that network accounts that are no longer needed be disabled immediately, added to a disabled accounts group, and removed on a standard timeframe based on the criticality of the account.

Control Objective: User access privileges are regularly reviewed for appropriateness.
Control Rating: Partially Effective. Inherent Risk: Medium. Residual Risk: Medium. Remediation Priority: Medium.
Comments: Per review of the domain administrative listing, CLA was informed that no formal documentation is maintained to identify the purpose of service accounts that have domain administration access, along with an annual approval. CLA identified one (1) user in the administrative listing whose access was deemed inappropriate.
Recommendation: CLA recommends that all domain accounts that are not specifically assigned to an individual (i.e., service accounts) be documented and approved by management. Service accounts should be reviewed at least annually to identify accounts that are not needed or have expired. The various departments within the Organization should review users within their department and communicate those changes to IT during the access review.

Access Management (App - Office 365)
Control Objective: Application user access is reviewed at least annually to ensure all user accounts are valid and appropriate and that permissions granted in each role have been reviewed and remain appropriate. Documentation of the review and associated changes is retained.
Control Rating: Partially Effective. Inherent Risk: High. Residual Risk: High. Remediation Priority: High.
Comments: The Organization has not formally performed a review of network access that ensures network access rights are appropriate to all individuals within the Organization.
Recommendation: CLA recommends a review be performed at least annually to validate that accounts belong to active employees or current vendors, that access matches job responsibilities, and that accounts are consistently defined. This review should include all service accounts and ensure only appropriate accounts remain active. The various departments within the Organization should review users within their department and communicate those changes to IT during the access review.

Access Management (App - Oracle Fusion)
Control Objective: Application user access is reviewed at least annually to ensure all user accounts are valid and appropriate and that permissions granted in each role have been reviewed and remain appropriate. Documentation of the review and associated changes is retained.
Control Rating: Partially Effective. Inherent Risk: High. Residual Risk: High. Remediation Priority: High.
Comments: The Organization has not formally performed a review of user access within Oracle Fusion to ensure access rights are appropriate to all individuals within the Organization.
Recommendation: CLA recommends a review be performed at least annually to validate that defined accounts remain necessary, access matches job responsibilities, and accounts are consistently defined.

Access Management (App - Oracle Fusion), control SP-IA.22
Control Objective: Administrator activity is logged, monitored, and reviewed by an independent party not associated with the process. This includes any third party monitoring activity that has access to the application.
Control Rating: Partially Effective. Inherent Risk: High. Residual Risk: High. Remediation Priority: High.
Comments: The Organization currently does not formally review administrator activity on a periodic basis within Oracle Fusion.
Recommendation: CLA recommends that administrator activity within Oracle Fusion be reviewed periodically. This review should be performed by an independent party not associated with the process.
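The Access Management findings above (enabled third party accounts unused for three years with 'password never expired' set, domain administration service accounts with no documented purpose or annual approval, and no periodic access review) are the kind of conditions a recurring scripted review can surface before an auditor does. The following Python script is an added example written for this page; it is not CLA's or Central San's code. It assumes the directory's account listing has been exported into the simple Account records shown, the sample rows are constructed, and the 90-day inactivity threshold and the 30/90-day removal windows are assumptions chosen for illustration, not values from the report.

```python
"""Access review check over a constructed directory export.

Added example (not CLA's or Central San's code). Assumes the account
listing has been exported into Account records as below; names, dates
and thresholds are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Account:
    name: str
    account_type: str               # "employee", "third_party" or "service"
    enabled: bool
    last_logon: Optional[date]      # None means the account has never logged on
    password_never_expires: bool
    domain_admin: bool = False      # member of a domain administration group
    owner_documented: bool = False  # purpose documented and approved by management


REVIEW_DATE = date(2021, 9, 1)      # constructed review date
STALE_DAYS = 90                     # assumed inactivity threshold for this example
# Assumed removal windows (days after disabling), keyed by criticality:
# True = domain administration account, False = everything else.
REMOVAL_DAYS = {True: 30, False: 90}

# Constructed sample listing; these are not real accounts.
SAMPLE_ACCOUNTS = [
    Account("jdoe", "employee", True, date(2021, 8, 30), False),
    Account("vendor-acme", "third_party", True, date(2018, 5, 2), True),
    Account("vendor-ops", "third_party", True, None, True),
    Account("svc-backup", "service", True, date(2021, 8, 31), True,
            domain_admin=True, owner_documented=True),
    Account("svc-legacy", "service", True, date(2021, 8, 31), True,
            domain_admin=True, owner_documented=False),
    Account("old-temp", "employee", False, date(2019, 1, 10), False),
]


def days_since_logon(acct: Account, today: date) -> Optional[int]:
    """Days since the last logon, or None if the account has never logged on."""
    if acct.last_logon is None:
        return None
    return (today - acct.last_logon).days


def stale_enabled_accounts(accounts: List[Account], today: date = REVIEW_DATE,
                           stale_days: int = STALE_DAYS) -> List[str]:
    """Enabled accounts with no logon inside the threshold (the condition behind SP-IA.07)."""
    stale = []
    for acct in accounts:
        if not acct.enabled:
            continue
        idle = days_since_logon(acct, today)
        if idle is None or idle > stale_days:
            stale.append(acct.name)
    return stale


def never_expiring_passwords(accounts: List[Account]) -> List[str]:
    """Enabled interactive (non-service) accounts whose password never expires."""
    return [a.name for a in accounts
            if a.enabled and a.password_never_expires and a.account_type != "service"]


def undocumented_admin_accounts(accounts: List[Account]) -> List[str]:
    """Domain administration accounts lacking a documented purpose and management approval."""
    return [a.name for a in accounts if a.domain_admin and not a.owner_documented]


def disposition(accounts: List[Account], today: date = REVIEW_DATE) -> Dict[str, Dict[str, object]]:
    """For each stale account: disable now, then remove after a window set by criticality."""
    stale = set(stale_enabled_accounts(accounts, today))
    plan: Dict[str, Dict[str, object]] = {}
    for acct in accounts:
        if acct.name in stale:
            window = REMOVAL_DAYS[acct.domain_admin]
            plan[acct.name] = {"action": "disable",
                               "remove_after": today + timedelta(days=window)}
    return plan


def review(accounts: List[Account], today: date = REVIEW_DATE) -> Dict[str, object]:
    """Bundle the three checks and the disposition plan into one review report."""
    return {
        "stale_enabled": stale_enabled_accounts(accounts, today),
        "password_never_expires": never_expiring_passwords(accounts),
        "undocumented_admin": undocumented_admin_accounts(accounts),
        "disposition": disposition(accounts, today),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_ACCOUNTS).items():
        print(f"{key}: {value}")
```

On the constructed listing the two vendor accounts are flagged as both stale and password-never-expires, svc-legacy is flagged as an undocumented domain administration account, and the disabled old-temp account is ignored by the stale check because it has already been disabled. The disposition step mirrors the recommendation in the report: disable first, then remove on a fixed timeframe that is shorter for the more critical accounts. The departmental review the report asks for is still a human step; the script only produces the candidate list for it.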
Access Management (App - Office 365)
Control Objective: Application user access is reviewed at least annually to ensure all user accounts are valid and appropriate and that permissions granted in each role have been reviewed and remain appropriate. Documentation of the review and associated changes is retained.
Control Rating: Partially Effective. Inherent Risk: Low. Residual Risk: Low. Remediation Priority: Low.
Comments: The Organization has not formally performed a review of user access within Office 365 to ensure access rights are appropriate to all individuals within the Organization.
Recommendation: CLA recommends a review be performed at least annually to validate that defined accounts remain appropriate.

Access Management (App - Office 365)
Control Objective: Administrator activity is logged, monitored, and reviewed by an independent party not associated with the process.
Control Rating: Partially Effective. Inherent Risk: Low. Residual Risk: Low. Remediation Priority: Low.
Comments: The Organization currently does not formally review administrator activity on a periodic basis within Office 365.
Recommendation: CLA recommends that administrator activity within Office 365 be reviewed periodically. This review should be performed by an independent party not associated with the process.

Domain: Data Security and Privacy

Best Practice: Data Security and Privacy covers data archival and/or deletion, including electronic data communication/transmission and data at rest (in storage). The Organization should maintain policies/standards/procedures, and design controls that support protecting the availability, confidentiality, and integrity of data.
Domain: Data Security and Privacy

Control Objective: Data is only shared externally through approved methods.
Control Rating: Mostly Effective. Inherent Risk: Medium. Residual Risk: Low. Remediation Priority: Low.
Comments: The Organization currently allows users to access their personal email accounts within the network. No web content filtering is currently in place to restrict the use of personal email sites.
Recommendation: CLA recommends that a web content filter be applied to restrict the usage of personal email sites and file sharing sites. This will reduce the risk of potentially sensitive data being stored with or sent to third parties that are not appropriate.

Data Security & Privacy
Control Objective: Domain administrator accounts are specifically assigned to individuals and are used only when needed for administrative purposes. Administrator accounts are not used for email, office documents, or other general purposes, and are prevented from directly accessing the internet.
Control Rating: Mostly Effective. Inherent Risk: Medium. Residual Risk: Low. Remediation Priority: Low.
Comments: The Organization has domain administrator accounts assigned to individuals and only used for administrative purposes. However, the Organization currently allows domain administrators to directly access the internet.
Recommendation: CLA recommends that a web content filter be applied to restrict the usage of personal email sites and file sharing sites. This will reduce the risk of potentially sensitive data being stored with or sent to third parties that are not appropriate.
Domain: Endpoint Security

Best Practice: The objective of endpoint security is to protect an Organization's network and all major host types, including servers, workstations, laptops, mobile devices, databases, network devices, and multifunction printers. Controls should be implemented to detect and block potential attacks at all endpoints.

Controls effective, no recommendations.

Domain: Physical Security of IT Assets

Best Practice: Controls should be designed to provide reasonable assurance that physical access to areas where organization technology assets are located is limited to appropriate and authorized personnel. Environmental controls are intended to protect all organization assets, including computer hardware, software, and account holder information that is either electronic or on printed documents, from environmental hazards.

Control Objective: Entry to the data center and network closets provides individual accountability. Alerts or a regular review of these systems are performed.
Control Rating: Mostly Effective. Inherent Risk: Medium. Residual Risk: Low. Remediation Priority: Low.
Comments: The Organization's data center is locked, and only authorized personnel are able to access the center. Reports can be generated to ensure all access is appropriate. However, there is currently no formal review of these reports being performed on a periodic basis.
Recommendation: CLA further recommends that data center physical access reviews be performed every 6 to 12 months.

Control Objective: Video surveillance captures entry/exit and internal activity to the data center.
Control Rating: Partially Effective. Inherent Risk: Medium. Residual Risk: Medium. Remediation Priority: Medium.
Comments: The Organization currently does not have video surveillance in the data center to ensure entry and internal activity is appropriate.
Recommendation: CLA recommends cameras be installed to identify anyone entering or exiting a systems area (within the data center), as well as internal activity, to ensure suspicious or malicious activity is captured. Video records should be retained for a defined period of time in accordance with incident response procedures and data retention policies.

Domain: HR Security

Best Practice: User security programs should start with the new hire process, ensuring that all employees are subjected to a background and credit history check. The Organization should periodically re-evaluate employee backgrounds for those in sensitive roles to ensure the company is aware of any employee-related risks that arise during their employment. Employees should be trained in appropriate data handling and protection procedures. Part of appropriate data protection is understanding and affirming confidentiality and acceptable use policies. Employees should have information security awareness training annually to ensure they understand the risks and threats likely to impact them and the organization, and how to prevent and report incidents.

Control Objective: During onboarding, employees are provided with awareness of security training and responsibilities and must sign all agreements as needed.
Control Rating: Partially Effective. Inherent Risk: Medium. Residual Risk: Medium. Remediation Priority: Medium.
Comments: The Organization provides acceptable use and security policies to all new hires. However, existing employees and new employees are not required to complete security awareness training.
Recommendation: CLA recommends specific and effective security awareness training for employees upon hire and at least once each year thereafter. Training should consist of a management-approved blend of in-person training or web training. Training topics should evolve with threats, but at a minimum should address:
- Password strength and confidentiality
- Document destruction
- Locking and logging off computers
- Social engineering and phishing
- Data loss risks (removable media, email, third-party storage sites, social media posts)
- Acceptable use

Domain: Log and Event Management

Best Practice: Logging and monitoring are key elements in information security that involve the tools and mechanisms that provide a record of events related to IT systems and processes. They provide the data and diagnostic tools that allow the Organization to investigate and respond to significant events and security access issues. Controls should be implemented that include analysis and alerts/triggers for high-risk activities and suspicious access behaviors, and procedures for reviewing and retaining access log records.

Control Objective: Alerts should be generated for suspicious behaviors related to the network or key systems. Alerts should cover the following events:
- The creation or modification of user accounts
- Consecutive invalid password attempts on multiple user IDs from the same IP
- Attempts to access disabled accounts
Control Rating: Mostly Effective. Inherent Risk: Medium. Residual Risk: Low. Remediation Priority: Low.
Comments: The Organization has alerts generated for suspicious behaviors related to the network. However, the alert for attempts to access disabled accounts is currently not enabled.
Recommendation: The Organization has alerts generated for suspicious behaviors related to the network. However, the alert for attempts to access disabled accounts is currently not enabled.

References

- NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, September 2012
- NIST Special Publication 800-39, Managing Information Security Risk, March 2011
- NIST Special Publication 800-171 Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, December 2016
- NIST Special Publication 800-53 Revision 5, Security and Privacy Controls for Federal Information Systems and Organizations, September 2020
- Center for Internet Security Controls Version 7.1, April 2019
- Info-Tech Research Group IAM Initiative Tool, November 2020

Attachment 3

Internal Audit Biannual Findings Report for the Board of Directors - Close of Q2 FY 2021-22
Current as of: 11.29.21. Board of Directors meeting date: 12.16.21. Prepared by: Benjamin Johnson, Internal Auditor.

General Category of Observations (total):
Need for documentation of procedures or updates: 3
Segregation of duties: 2
IT-related controls: 13
General process and/or control improvements: 0
Automation opportunities: 0
FY Total to Date: 18

Risk Rating (total):
1 - High Risk: 6
2 - Moderate Risk: 6
3 - Low Risk: 6

Highlight Legend: Past Due; High Risk; Closed.

Findings (columns: Finding Number; Finding Title; Report Name; Observation Number; Finding Description; Risk Rating (Residual); Category; Department; Owner; Executive Manager; Report Date; Due Date; Date Closed):

1. Policies and procedures | FY 2020-21 Payroll Design-only Review | Observation 1 | Policies and procedures surrounding the payroll process have not been updated since the rollout of the Oracle payroll module. | 2 | Need for documentation of procedures or updates | Human Resources | Teji O'Malley | Bailey | 09.21.21 | Due: [original due date illegible in extraction] (Original); 01.31.22 (Extended) | Not closed.

2. Payroll data review by an employee with no payroll duties | FY 2020-21 Payroll Design-only Review | Observation 3 | HR and Finance do not have the ability to produce detailed reporting within Oracle that provides staff and management the critical data elements necessary to perform a robust accuracy review. Payroll data is manually reviewed for accuracy by HR staff during the bi-weekly payroll process; however, it is not subsequently reviewed by an employee with no payroll processing responsibilities prior to key processes. | 1 | Segregation of duties | Human Resources; Finance | Teji O'Malley; Kevin Mizuno | Bailey; Leiber | 09.21.21 | Due: HR 08.01.21; Finance [original due date illegible in extraction] (Original), 01.31.22 (Extended) | Closed: HR 08.01.21 (Closed); Finance 11.12.21 (Partially Closed - changes to the GL are now reviewed by the Finance Manager).

3. SP-IA.01 - Access Management | FY 2021-22 IT Identity and Access Management Review | Observation 1 | The Organization has an access management guideline that is distributed to all employees that have network access. However, the policy in place does not include standards for segregation of duties, role change procedures, and the use of access checklists. In addition, CLA identified that three (3) of the five (5) new user samples did not have acknowledgement of the access management guideline policy documented. | 2 | Need for documentation of procedures or updates | Information Technology | Huie | Leiber | 09.16.21 | TBD | Not closed.

4. SP-IA.05 - Access Management | FY 2021-22 IT Identity and Access Management Review | Observation 2 | The Organization has established a formal process to request access for new employees. However, the new hire form does not formally document who is approving the access for the new employee. | 2 | Need for documentation of procedures or updates | Information Technology | Huie | Leiber | 09.16.21 | TBD | Not closed.

5. SP-IA.07 - Access Management | FY 2021-22 IT Identity and Access Management Review | Observation 3 | The Organization removes accounts for users in a timely manner for employees. However, CLA identified six (6) accounts belonging to third party users that were enabled and had not logged into the account for the past three (3) years. These accounts had 'password never expired' enabled. | 1 | IT-related controls | Information Technology | Huie | Leiber | 09.16.21 | TBD | Not closed.

6. SP-IA.12 - Access Management | FY 2021-22 IT Identity and Access Management Review | Observation 4 | Per review of the domain administrative listing, CLA was informed that no formal documentation is maintained to identify the purpose of service accounts that have domain administration access, along with an annual approval. CLA identified one (1) user in the administrative listing whose access was deemed inappropriate. | 2 | IT-related controls | Information Technology | Huie | Leiber | 09.16.21 | TBD | Not closed.

7. SP-IA.20 - Access Management (App - Office 365) | FY 2021-22 IT Identity and Access Management Review | Observation 5 | The Organization has not formally performed a review of network access that ensures network access rights are appropriate to all individuals within the Organization. | 1 | IT-related controls | Information Technology | Huie | Leiber | 09.16.21 | TBD | Not closed.

8. SP-IA.21 - Access Management (App - Oracle Fusion) | FY 2021-22 IT Identity and Access Management Review | Observation 6 | The Organization has not formally performed a review of user access within Oracle Fusion to ensure access rights are appropriate to all individuals within the Organization. | 1 | IT-related controls | Information Technology | Huie | Leiber | 09.16.21 | TBD | Not closed.

9. SP-IA.22 - Access Management (App - Oracle Fusion) | FY 2021-22 IT Identity and Access Management Review | Observation 7 | The Organization currently does not formally review administrator activity on a periodic basis within Oracle Fusion. | 1 | IT-related controls | Information Technology | Huie | Leiber | 09.16.21 | TBD | Not closed.

10. SP-IA.23 - Access Management (App - Office 365) | FY 2021-22 IT Identity and Access Management Review | Observation 8 | The Organization has not formally performed a review of user access within Office 365 to ensure access rights are appropriate to all individuals within the Organization. | 3 | IT-related controls | Information Technology | Huie | Leiber | 09.16.21 | TBD | Not closed.

11. SP-IA.24 - Access Management (App - Office 365) | FY 2021-22 IT Identity and Access Management Review | Observation 9 | The Organization currently does not formally review administrator activity on a periodic basis within Office 365. | 3 | IT-related controls | Information Technology | Huie | Leiber | 09.16.21 | TBD | Not closed.

12. SP-DS.01 - Data Security & Privacy | FY 2021-22 IT Identity and Access Management Review | Observation 10 | The Organization currently allows users to access their personal email accounts within the network. No web content filtering is currently in place to restrict the use of personal email sites. | 3 | IT-related controls | Information Technology | Huie | Leiber | 09.16.21 | TBD | Not closed.

13. SP-DS.02 - Data Security & Privacy | FY 2021-22 IT Identity and Access Management Review | Observation 11 | The Organization has domain administrator accounts assigned to individuals and only used for administrative purposes. However, the Organization currently allows domain administrators to directly access the internet. | 3 | IT-related controls | Information Technology | Huie | Leiber | 09.16.21 | TBD | Not closed.

14. SP-PS.03 - Physical Security of IT Assets | FY 2021-22 IT Identity and Access Management Review | Observation 12 | The Organization's data center is locked, and only authorized personnel are able to access the center. Reports can be generated to ensure all access is appropriate. However, there is currently no formal review of these reports being performed on a periodic basis. | 3 | IT-related controls | Information Technology | Huie | Leiber | 09.16.21 | TBD | Not closed.

15. SP-PS.05 - Physical Security of IT Assets | FY 2021-22 IT Identity and Access Management Review | Observation 13 | The Organization currently does not have video surveillance in the data center to ensure entry and internal activity is appropriate. | 2 | IT-related controls | Information Technology | Huie | Leiber | 09.16.21 | TBD | Not closed.

16. SP-HR.01 - HR Security | FY 2021-22 IT Identity and Access Management Review | Observation 14 | The Organization provides acceptable use and security policies to all new hires. However, existing employees and new employees are not required to complete security awareness training. | 2 | IT-related controls | Information Technology | Huie; O'Malley | Leiber | 09.16.21 | TBD | Not closed.

17. SD-EM.02 - Log and Event Management | FY 2021-22 IT Identity and Access Management Review | Observation 15 | The Organization has alerts generated for suspicious behaviors related to the network. However, the alert for attempts to access disabled accounts is currently not enabled. | 3 | IT-related controls | Information Technology | Huie | Leiber | 09.16.21 | TBD | Not closed.

Closed findings:

1. Personnel and payroll user privileges in Oracle | FY 2020-21 Payroll Design-only Review | Observation 2 | Two HR staff have user privileges that allow them to enter new employees into the Human Capital Management (HCM) personnel module as well as edit data in the payroll module. | 1 | Segregation of duties | Human Resources | Teji O'Malley | Bailey | 09.21.21 | Due: [original due date illegible in extraction] (Original); 10.29.21 (Extended) | Closed: 10.05.[remainder illegible in extraction].

Attachment 4

INTERNAL AUDIT REPORTING FOR THE FIRST HALF OF FISCAL YEAR 2021-22
Board of Directors Meeting, December 16, 2021
Benjamin Johnson, Internal Auditor

FY 2020-21 PAYROLL DESIGN-ONLY REVIEW - FINAL REPORT ISSUED 09/21/21
• Background
  • HR and Finance have worked through numerous challenges related to the ERP implementation as it relates to the payroll process
  • Although management and staff have committed a considerable amount of time and effort to manually identify/correct payroll data errors and initiate system improvements, system functionality continues to have certain limitations as of the date of the audit report
• Scope of the review
  • Reviewed the design of controls to assess whether they help meet the objectives of the organization
  • Will review the operating effectiveness of controls (a traditional operational audit) in Q4 of this fiscal year

FY 2020-21 PAYROLL DESIGN-ONLY REVIEW - FINAL REPORT ISSUED 09/21/21
• Audit results
  • Three findings reported
    • Need for policies and procedures surrounding this process: Moderate Risk; due date extended
    • Inappropriate Oracle user privileges noted for two HR staff: High Risk; closed for design effectiveness
    • Lack of payroll data review by an employee with no payroll duties: High Risk; due date extended and partially closed for design effectiveness
• Next steps
  • Management is working closely with the ERP implementer to increase system functionality and enhance the payroll process
  • Internal Audit will continue to follow up with management to track remediation progress

FY 2021-22 IT IDENTITY AND ACCESS MANAGEMENT REVIEW - FINAL REPORT ISSUED 09/16/21
• Background
  • Internal Audit partnered with CliftonLarsonAllen (CLA), an external consultant, to perform this review
  • This process has not been previously reviewed by Internal Audit
• Scope of the review
  • This project focused on super-user access/administrator rights, including the controls in place to monitor activity, specifically as they relate to:
    • Oracle Fusion Cloud
    • Microsoft Office 365

FY 2021-22 IT IDENTITY AND ACCESS MANAGEMENT REVIEW - FINAL REPORT ISSUED 09/16/21
• Audit results
  • 15 findings reported
    • High Risk: 4
    • Moderate Risk: 5
    • Low Risk: 6
• Next steps
  • All findings have been vetted with IT management and corrective action plans are being drafted as of late November 2021
  • Internal Audit will continue to follow up with management to track remediation progress

INTERNAL AUDIT BIANNUAL FINDINGS REPORT FOR THE BOARD OF DIRECTORS - CLOSE OF Q2 FY 2021-22
• Cumulative results
  • 2 audit reports issued
  • 18 findings reported
  • 1 finding is closed for design effectiveness
• Risk rating
  • High Risk: 6 findings
  • Moderate Risk: 6 findings
  • Low Risk: 6 findings

INTERNAL AUDIT BIANNUAL FINDINGS REPORT FOR THE BOARD OF DIRECTORS - CLOSE OF Q2 FY 2021-22
• Cumulative results (continued)
  • Observation categories
    • Need for documentation of procedures or updates: 3 findings
    • Segregation of duties: 2 findings
    • IT-related controls: 13 findings
    • General process and/or control improvements: no current findings
    • Automation opportunities: no current findings
• Current and future projects
  • The FY 2021-22 Accounts Payable Audit is near conclusion as of the date of this presentation
  • The Asset Inventory Review and Payroll Operational Audit are scheduled to be performed in Q3 and Q4 of this fiscal year, respectively