For the first time city council has made public its annual audit that reveals a string of concerns about how the city approaches computer and network security, but discloses no significant deficiencies in the city’s books or how St. Albert conducts its business.
At Monday night’s standing committee on finance (SCOF) meeting the city released the management letter from Deloitte & Touche, which details 13 operational recommendations that St. Albert should address to improve its practices and mitigate risk. In previous years the letter has typically been kept confidential.
This is the first year Deloitte & Touche has audited the city’s books. KPMG had been the previous auditor.
Of note is a cluster of recommendations around the security of the city’s computer systems and network, including developing a written security policy, ensuring user access privileges are revoked immediately after an employee leaves the corporation, making passwords longer and requiring users to change passwords after a set period of time.
“I’ll have to disagree with changing passwords every 90 days,” Mayor Nolan Crouse objected. “If my password expires, I start to write it down and stick it on my computer. Then I would carry them in my wallet. So the whole purpose is the best password system is one where I keep it for life.”
Other noted concerns include having an administrator reset incorrect password attempts instead of having a timed reset, better controlling access to the server room and testing the city’s back-ups to ensure that, if needed, they actually work.
“I suppose as the world becomes more reliant on servers and [information technology], and there is hacking going on and identity theft is more common, I guess it would be a category to keep a tighter eye on,” Crouse said in a later interview.
The audit also called for the city to start its own internal audit process, either by hiring an internal auditor, contracting out for one or sharing the expense with other municipalities. Very few committee members seemed willing to entertain the suggestion.
“I’d be surprised that council will want to spend extra money on internal auditing,” Crouse said. “If the external audits started to show a bunch of stuff, then maybe.”
Crouse pointed out that when he asked the auditors at the meeting if they wanted to speak privately with council, they said there was no need.
Other suggestions for improvement include developing a policy for better identifying the nature of the relationship the city has with outside agencies, such as the Arts and Heritage Foundation (AHF), improving how grant money received is documented and maintaining a consistent manual on the city’s practices for accounting procedures.
One that caught the committee by surprise was a discovery that not all departments handle purchase orders identically. The audit found that there is no formalized process to monitor when purchase orders are issued and when they are closed. They found “inconsistent” use of purchase orders in different departments, with orders sometimes being issued after the invoice was received. There is also no consistent policy to correctly identify when goods are received.
“We have to implement our policy a little more stringently,” acting chief financial officer Ed Kaemingh said. “Lots of mistakes have been made.”
