Board Report: March 31, 2009
We completed an audit of the Board's compliance with its revised inventory control procedures to strengthen the controls for managing and accounting for BlackBerrys and cell phones throughout the Board. Specifically, we evaluated the controls over the receiving, tracking, securing, and disposing of BlackBerrys and cell phones.
Overall, we found that the IT division has established various controls for BlackBerrys and cell phones, and that the majority of these controls were working effectively. We did not identify any significant discrepancies. Our testing did, however, identify opportunities to improve the existing controls used to manage and account for the devices.
Specifically, we found that (1) all transactions in the Secure Inventory Closet (SIC) are not manually recorded in the SIC transaction log, (2) the log is not periodically reconciled to the monthly "Badge Access" log that electronically records all entries into the closet, and (3) a surveillance camera positioned outside the SIC does not capture the device-related activities occurring within the SIC. We also found control weaknesses in the segregation of duties, and made additional recommendations concerning the need for improved communications between IT management and the divisions regarding the timely return of devices that are no longer in use. Our report contains three recommendations designed to address these issues, which we believe will help reduce the risk of loss, theft, or unauthorized use of devices.
We provided a copy of our report to the Director of IT for review and comment. The director concurred with our assessment that opportunities exist to further strengthen several controls, and agreed or partially agreed with each of our three recommendations.