Assessment and Evaluation of the City of Philadelphia’s Information Technology General Controls Fiscal Year 2013

Audit Date: December 4, 2013
Audit Categories
  • Performance
Controller: Alan Butkovitz
Audit Tags
  • Innovation and Technology
  • Internal Controls
  • Office of Innovation and Technology (OIT)

Executive Summary

For Immediate Release:
December 4, 2013

Contact: Harvey Rice

Butkovitz Finds City’s IT at Risk
City Controller says there’s no recovery plan in the event of a disruption, disaster

OIT General Controls Review – Fiscal 2013

PHILADELPHIA – City Controller Alan Butkovitz today released an assessment of the Office of Innovation and Technology’s (OIT) general controls that found City departments without a recovery plan in the event of a disruption or disaster.

With no formalized recovery plan for Information Technology (IT) services, departments and agencies may not be able to provide required services or to continue operations until the services are restored.

“The OIT needs to communicate with potentially impacted departments to convey the importance of establishing a business continuity plan,” said Butkovitz. “It’s critical that our City’s network of servers and computers is up and running even when there is a disruption.”

In addition, a disaster recovery plan and subsequent testing of the plan have not been formally documented or performed by the OIT for the City’s BASIS2 water billing system. It was also found that backups of BASIS2 were not stored off-site.

“In the event of a disaster, the recovery plan may not work as projected and backups of system data may not be found,” said Butkovitz.

Other conditions include:
• Procedures requiring approval and documentation of changes to the IT system were not consistently followed. Non-compliance with approval and documentation requirements increases the likelihood of unauthorized changes to the city’s IT system.
• A comprehensive IT assessment to identify and track operations and compliance risks was not performed by OIT. This increases the risk that limited IT resources are not effectively or efficiently deployed in supporting city operations.
• System access for inactive and terminated employees and contractors was not periodically removed. Thus, unauthorized users may have had access to sensitive information, which could compromise security.

The assessment evaluated IT general controls over key financial-related applications at OIT in connection with the Controller’s Office audit of the City of Philadelphia’s Comprehensive Annual Financial Report for the year ended June 30, 2013.