SAN DIEGO WORKFORCE PARTNERSHIP, INC. SAN DIEGO, CALIFORNIA MANAGEMENT LETTER JUNE 30, 2013


The Board of Directors of
San Diego Workforce Partnership Inc.

Members of the Board:

In planning and performing our audit of the basic financial statements of the San Diego Workforce Partnership (SDWP), in accordance with auditing standards generally accepted in the United States of America, we considered the SDWP’s internal control over financial reporting (internal control) as a basis for designing our auditing procedures for the purpose of expressing our opinions on the basic financial statements, but not for the purpose of expressing an opinion on the effectiveness of the SDWP’s internal control. Accordingly, we do not express an opinion on the effectiveness of the SDWP’s internal control.

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis.

Our consideration of internal control was for the limited purpose described in the first paragraph and was not designed to identify all deficiencies in internal control that might be deficiencies, significant deficiencies, or material weaknesses. We did not identify any deficiencies in internal control that we consider to be material weaknesses, as defined above. However, material weaknesses may exist that have not been identified.

In conjunction with performing the audit of SDWP’s financial statements for the year ended June 30, 2013, we followed up on the status of implementation of audit recommendations which were made during the year ended June 30, 2012. Please refer to the Status of Prior Year Observations and Recommendations beginning on page 3.

This communication is intended solely for the information and use of the SDWP’s Board of Directors, its audit committee, management, and its federal awarding agencies and pass-through entities and is not intended to be and should not be used by anyone other than these specified parties.

March 26, 2014 Los Angeles, California

SAN DIEGO WORKFORCE PARTNERSHIP, INC.
Status of Prior Year Observations and Recommendations
Year Ended June 30, 2013

MC-12-01 – Fundware and Windows Network Account User Password Security

Condition

Stringent security over password management is vital to ensuring system access is effectively controlled. Such password controls include the aging of passwords to force their periodic change and password character string complexity to prevent easy guessing of passwords by a system intruder. However, the invalid password attempt account lockout policies are not enabled for the Workforce Partnership’s Fundware accounting application and network. As a result, a system intruder can easily guess a user’s password to gain unauthorized access to sensitive data or system resources.

Recommendation

We recommend that management implement a domain wide strong password policy that includes invalid password attempt account lockout functionality for the Workforce Partnership’s Fundware accounting application and network.

Status

Implemented: Password security controls enabled for the network (Windows) and the MIP accounting application via enabling MIP’s Windows password authentication function.

MC-12-02 – IT Policies and Procedures

Condition

Documented IT procedures aid with ensuring standards for operating information systems are effectively communicated and are adhered to in a consistent manner. They also help ensure information systems are managed and operated in compliance with an organization’s policy. However, the following IT processes have not been documented:

• Change Management
• Computer Operations (to include problem management)
• Information Security Management

Recommendation

We recommend the following be documented for the SDWP’s IT operations:

• Change Management
• Computer Operations (to include problem management)
• Information Security Management

Status

Partially Implemented: Security policy documented (i.e., E-Media Policy). However, change management and computer operations policies not documented.

Management Response

The SDWP IT department will address all recommendations by June 30, 2014.

1. Computer Operations. Status: Partially implemented. Final review of our computer operations documentation will be complete by June 30, 2014.

2. Document change management procedure. Status: Not implemented. The change management policy will be included in the Computer Operations documentation when it is finalized (see Item 1 above).

3. Information Security Management. Status: Implemented. IT implemented improvements to password security (i.e., complexity, automatic expiration) based on audit recommendations and industry best practices. The policy is documented in the SDWP E-Media policy.

MC-12-03 – Cash and Due to/from Reconciliation

Condition

The SDWP records the operating cash of all of its funds, including the Fiduciary Funds, into the General Fund’s cash account. Due to/from accounts among these Funds are recorded to track the Fund’s cash activities. However, the accounting system does not provide detailed reports by Fund that indicate which fund(s) the due to/from is associated with. Currently, the financial statements present only a total amount for the “due to/from” by fund, but do not provide information as to which fund(s) it is due to/from.

Recommendation

We recommend that the SDWP establish a reporting structure, either within the accounting system or through Excel spreadsheets, that will provide a detailed indication by Fund of which fund(s) the due to/from is associated with. In addition, it is our recommendation to separately account for the cash activities of its Fiduciary Funds.

Status

Implemented. SDWP established a separate reporting structure to provide a detailed indication by Fund of which fund(s) the due to/from is associated with.

SDWP’s fiduciary responsibility for the Workforce Funder’s Collaborative funds ended on December 31, 2013. For future fiduciary transactions, SDWP will be opening a separate bank account to account for the cash activities of fiduciary funds separately from the General Fund’s cash account.

MC-12-04 – Outstanding Checks over 120 days

Condition

During our cash audit procedures for the SDWP’s operating cash account, we noted that five (5) checks were outstanding over 120 days.

     Check #   Check Date   Check Amount
1    83921     7/30/10      $ 172.93
2    85865     3/17/11      $   2.28
3    85960     6/1/11       $  13.80
4    86702     6/16/11      $  14.79
5    87331     9/12/11      $ 300.00

Recommendation

We recommend that the SDWP perform the necessary investigation procedures to ensure all checks are followed up on once they have been outstanding for over 90 – 120 days. Checks that are outstanding and unclaimed after a set timeframe should be filed with the State of California (State) as unclaimed property in accordance with the proper procedures required by the State.

Status
