Controls for Access Cards Used for City Buildings(.9~ MtAMI BEACH
BUDGET AND PERFORMANCE IMPROVEMENT
Internal Audit Division INTERNAL AUDIT REPORT
TO:
VIA:
FROM:
Jimmy L. Morales, City Manager ~
John Woodruff, Budget and Pe~o~nce Improvement Director
James J. Sutter, Internal Audita~
DATE:
AUDIT:
PERIOD:
February 11, 2014
Controls for Access Cards Used for City Buildings
October 1, 2009 through April 30, 2012
This report is the result of a regularly scheduled operational audit over the controls for access cards
used for City Buildings under the programming control of the Property Management Division. This
report does not cover the security access to the Police Department and the Parking Department's
Coin Room which are handled separately by these respective departments.
INTRODUCTION
All City employees have employee identification (ID) cards which can be programmed to allow
access to selected City buildings. However, not all City buildings are set up to accept access cards
for entry into the buildings or departments. The following City buildings have access cards readers
under the programming control of the Property Management Division: City Hall, 555 Building, 777
Building, Fire Station #2, Fire Station #3, Fire Station #4, Terminal Island (Fleet and Sanitation
Divisions), Scott Rakow Youth Center, City Hall Garage, Historic City Hall, Public Works Yard, Bass
Museum, Information Technology (IT) Department, Convention Center and Property Management.
Within these buildings, there are different access group zones in which the employees are given
access in accordance with their job responsibilities as determined by their department director.
When an employee is hired by the City, the employee is given an employee Identification card which
serves as an access card to the department they work in or to other departments if so directed by
the department director. The Property Management Division is in charge of ensuring that the
employee is given the proper accessibility in accordance with what the department director has
indicated on the CMB Identification and I or Access Card form.
PURPOSE
The purpose of this audit is to determine whether sufficient internal controls are in place over access
to City Buildings and access thereto is restricted in accordance with management's criteria and that
procedures are established, authorized, and maintained in accordance with management's policy.
:"i
·I
OVERALL OPINION ~
. 1
While internal controls over access to City buildings have improved, our review of the City's 1
ID/access cards revealed that there are areas in need of improvement.
• Consideration should be given to the Human Resources Department to issue ID/access
cards. Operational procedures for ID/access cards need to be established.
We are committed to providing excellent public service and safety to all who live, work, and play in our vibrant, tropical, historic community.
Internal Audit Report
Controls for Access Cards Used for City Buildings
February 11, 2014
• The Property Management Division should consider restructuring the city's access zones.
• The Property Management Division should establish better guidelines in processing
terminated employees as "inactive" verrus "deleted".
• Access listings should be given periodically to all department directors to review for proper
access to their respective areas.
• The Human Resources Department should timely collect ID/access cards from terminated
employees. The Employee Exit Check List needs to be updated
• Keys to City offices should be better controlled or phased out in lieu of installation of access
pads.
SCOPE
1. Confirm that the City's access card internal control process and implemented segregation of
duties are sufficient.
2. Confirm that the access given to employees agrees to those requested/approved by the
Department Director.
3. Confirm that policies and procedures over these processes exist and are followed.
4. Confirm that access cards are turned in at the end of employees' employment with the City
and deactivated timely.
5. Confirm that any changes made to the employee's ID/access card are authorized in writing
by the Department Director.
6. Confirm that restrictions are in place as to limit access to only authorized department
personnel after working hours.
7. Confirm appropriate supporting documentation exists foriD/access cards issued.
FINDINGS, RECOMMENDATIONS AND MANAGEMENT RESPONSES
1. Finding: City Access Cards Internal Controls Lack of Citywide Standard Operating Procedures
Employee ID/access card duties are currently shared by several departments; Human
Resources, the originating department for requesting employee ID cards, followed by the Police
Records Division which issues employee ID cards, and the Property Management Division which
programs building access to the employee ID cards.
The Human Resources Department will give newly hired employees a CMB Identification and I
or Access Card form to take to the Police Records Division to have their picture taken and the
ID/access Card created. The Police Records Division has set aside specific operating hours of
Monday, Wednesday or Friday between 9am and 2pm. The Records Division is not to issue an
ID/access card unless the form has the proper approvals and is completely filled out. The
original form is maintained by the Police Records Division. The Property Management Division
will receive via email the completed CMB Identification and I or Access Card form with a front
and back copy of the issued employee I D. The Property Management Division will then program
the employee ID card in accordance with the stated terms on the CMB Identification and I or
Access Card form. In addition, the Property Management Division uses the same form for lost,
Page 2 of 7
Internal Audit Report
Controls for Access Cards Used for City Buildings
February 11, 2014
deteriorated, or replacement ID/access cards.
Internal Audit reviewed this process and noted inefficiencies in the processing of these
ID/access cards. In addition, there are no written standard operating procedures concerning the
issuance and maintenance of ID/access cards.
Recommendation(s):
In order to gain operational efficiencies, the Human Resources Department should look into
purchasing similar equipment to create the ID/access cards which would help minimize the
employee lost productivity from having the employee travel to the Police Property Division during
their restrictive hours. Meanwhile, Police Department employees can continue to be processed
by the Police Records Division. It is further recommended that the CMB Identification and I or
Access Card form already signed by the department directors be maintained in the Human
Resources' employee files with a copy of the ID/access card. Property Management should only
accept the original forms signed by department directors and not copies as the department
director may make changes and might feel that the person may not need the same current
access. Also, the automation of this process should be explored. The new ID Management
System for User Administration implemented by the City's Information Technology Department
(I.T.) should be examined to determine if this or a similar system could be implemented to
control and process ID/access cards. Finally, citywide standard operating procedures for
ID/access cards should be written and distributed
Management Response (Human Resources):
Human Resources administration agrees with the recommendation to implement the issuance of
ID/access cards by the Human Resources Department. The Human Resources Department is
of the opinion that all employee ID cards should be issued by the department. The speed with
which this can be implemented is dependent upon the resolution of some outstanding matters or
the appropriate budgetary allocation to purchase the required equipment.
Staff has already held meetings with internal stakeholders to identify best practices and plan the
transition of ID card issuance from the Police Department to Human Resources. Immediately
upon assuming responsibility for issuing ID cards, Human Resources will maintain records in
individual personnel files as recommended.
Staff in the Human Resources Department is working on a standard operating procedure. In
addition to issuing cards during the entire business day rather than during specific hours on
selected days, the intent is make this part on the on boarding process more employee friendly.
Currently anyone who obtains a new ID card must physically go to the Property Management
and Parking Departments to have their cards activated. Human Resources is working with both
departments so that when a card is issued, it is also activated without the employee having to go
anywhere else. It will be a one-stop shop.
Toward making the onboarding process more user friendly, effective and efficient, the Human
Resources Department will also include in its standard operating procedure, the process
required to ensure new employees also have their information technology (software/hardware)
and other communications devices (telephone) in place and active prior to them reporting to
work.
Management Response (Property Management):
The division agrees with the findings and recommendations. Original forms signed and dated by
the Director will ensure information is current and authentic. Property Management and Human
Page 3 of 7
Internal Audit Report
Controls for Access Cards Used for City Buildings
February 11,2014
Resources will engage the IT department to examine the automation aspects of the process.
Once all aspects of the process are determined and agreed upon, procedures will be developed
and distributed to all departments.
2. Finding Listing Access Discrepancies per zone.
Currently, the Property Management Division has all of the ID/access cards programmed by
zones. Over time, many zones were created for the various City buildings and separate areas
within these buildings according to the Property Control Coordinator which are confusing and
unnecessary but continue to be recorded on the access card system. For example, a master
system report was received containing employee names and access capabilities to the City
departments and City buildings. Subsequent testing found that a total of 13 employees were
not in the correct home department which provides them with access to other departments or
areas that are not warranted.
Recommendation(s)
The Property Management Division should review all zones and determine which ones could be
eliminated. Where necessary, the zones should be renamed in accordance to the department
with specific general zones where every employee is allowed to have access. In addition, a
listing of all employees should be provided by the Property Management Division to the
department directors for their review to ensure that all individuals that have access to their
departments during and after normal working hours have been approved.
Management Response (Property Management):
The division agrees with the findings and recommendations. All zones will be reviewed in an
effort to consolidate the same. Each zone will be given a name in accordance with the
department to include specific general zones where every employee is allowed access. Once
these zones are determined, a listing of all employees that has access to their department
during and after hours is reviewed and approved by the department director.
3. Finding: City Identification/Access Card deactivation
Once an employee leaves or is terminated from the City, Human Resources notifies the Property
Management Division to deactivate the employee access card via several methods. Employees'
termination reports containing names and ID numbers to be deactivated are forwarded biweekly
to the Property Management Division. If it is an emergency, the Property Management Division
is notified via email or called by the department director or Assistant City Manager, to have the
employee deactivated immediately.
A random selection of 50 employee names were selected out of the 627 names listed on the
termination reports and traced to the inactive listing provided by the Property Management
Division to verify that all terminated employee names were inactivated. However, difficulties
were encountered in tracing all of the names to the inactive list. After speaking to Property
Control Coordinator, the reason is once the person has been deactivated and then deleted there
is no report that can be run with deleted names. In lieu of this testing, the employees on the
termination list were traced to the active list to determine whether they were still active. None of
the inactive employees tested were listed in the active listing.
Recommendation ( s)
Property Management Division should work with the vendor to ensure that records are available
for all employees accessing all areas for at least three years. Procedures should be developed
by Property Management as to how to properly record "inactive" verses "deleted" employees.
These reports should be kept for future reference and audits. In addition, any other concerns
Page 4 of 7
Internal Audit Report
Controls for Access Cards Used for City Buildings
February 11,2014
regarding the access card system should be addressed.
Management Response (Property Management):
The division agrees with the findings and recommendations. Property Management will work
with the Vendor to address maintaining and ensuring availability of records for all employees
accessing all areas for a period of at least three years. Procedures will be developed to properly
record and warehouse records naming "inactive" status vs. "deleted" status for employees. In
addition, Property Management will work with the Vendor to address all other areas of concern
regarding the card access system.
4. Finding: Access to City Departments
A listing of all City employees was traced to the active access list from the Property Management
Division and the employee's access to their individual department as well as to City Hall was
verified. We randomly selected 50 of 520 employees and traced ne employee's names from
the Human Resources listing to the Active Access Listing for April 2012. Fifteen of the
employees were not found in the active list but were in the termination listing, six had access to
City Hall in accordance with the Directors original request, and twenty-nine had access to City
Hall only during regular working hours. It was also noted that prior to April2012 employees who
has access to City Hall 24/7 also had access to the City Manager's Office. However, changes
were made to limit some individuals' access to the City Managers Office from only 8:30am to
6:00pm while others were authorized by the City Manager or his designee to have access 24/7.
No other exceptions were noted. All City departments should restrict access to only authorized
individuals that need access.
Recommendation( s)
The Property Management Division should periodically provide access listings to all department
directors to review for proper access to their respective areas. This should include providing a
report to the City Manager or designee to ensure that only authorized employees have access to
that location for the 24/7 authority.
Management Response (Property Management):
The division agrees with the findings and recommendations. Once procedures are defined and
agreed upon, Property Management will periodically provide access listings to all department
directors to review for proper access to their respective areas. Property Management will submit
to the City Manager or designee a report defining entrance by authorized employees to the City
Managers suite on a periodic basis.
5. Finding Employee Exit Conferences
The Human Resources Department has exit meetings with employees prior to their leaving City
employment. This meeting might take place two weeks before or the same day of their
departure date. Currently, there is a CMB Employee Exit Checklist form of all the items that
employees must return to the City prior to leaving. We took a sample of fifteen employees and
the following was observed. The Human Resources Department leaves it up to the individual
department to collect the employee ID/access card, along with other items such as telephones
and computers. There were times in which the department does not return the employee's
ID/access card to the Human Resources.
Recommendation
Employee ID/access card items should be collected by Human Resources at time of the exit
meeting. A copy of the checklist with all items returned should be kept in the employee's file,
along with the employee id/access card. Item such as computers, cellular phones and other
Page 5 of 7
Internal Audit Report
Controls for Access Cards Used for City Buildings
February 11,2014
items that belong to the Information Technology Department should be collected by the
employee's department and returned, all police officer items should be collected by the Police
Department and the ID/access card sent to the Human Resources Department. Another
suggestion might be if the individual department would like to continue covering the checklist
with the employee, then a Human Resources employee should be at that exit meeting collecting
those items required by their department
In addition, the Employee Exit Check List needs to be updated since some of the individual
items have changed.
Management Response (Human Resources):
The Human Resources Department is in agreement with the recommendation to update the
check list and will take immediate action to do so. Currently ID cards are shredded but in the
future a copy will be made and placed in the exting employee's personnel file.
The recommendation that a Human Resources representative be present at the exit meeting
where items are recovered by the department is accepted to the extent that staffing allows such
participation. Additionally, a standard operating procedure will be developed to ensure
departmental representatives are aware of their respective roles in the employee exit process.
The individual department needs to retain responsibility for recovering City equipment issued by
the department and other items such as, but not limited to, keys, cell phones, credit cards,
business cards, tape records and video recorders. Human Resources staff may not be privy to
the fact that these were issued, therefore, is not is a position to ensure they are recovered.
6. Finding Keys to City Offices
Currently all offices in City Hall have keys to the front door of their department. In conversation
with Property Management, they have no comprehensive listing of which employees have keys
to departments, because keys were given to those who were requested by the employee's
department director. This may have resulted in keys being issued to all within a particular
department. Recently some departments have had the keys replaced and Property
Management Division has kept records as to who has keys to those areas.
Recommendation
When an employee leaves employment with the City, the department director or Human
Resources Department should ensure that any issued keys are returned. In addition, it might be
an option for all departments to utilize access pads rather than keys for access to their
department. This serves as security for after hours and it will eliminate issuing or replacing keys
every time a new employee is hired or the key is lost. Keys to City buildings should be restricted
and only issued to necessary employees and vendors. Guidelines should be established on
who should be issued keys to City buildings. In addition, a master listing should be prepared for
those individuals who currently have City l€ys.
Management Response (Human Resources):
The Human Resources Department is in agreement with this recommendation and included
related comments in its response to finding number 5.
Management Response (Property Management):
The Division agrees with the findings and recommendations. The long term goal for the City
should be through the use of a card access system. In the interim, Keys to City buildings should
be restricted and issued to necessary employees and vendors. Guidelines must be established
on who should be issued keys and how this process will be executed through the City. Last,
Page 6 of 7
Internal Audit Report
Controls for Access Cards Used for City Buildings
February 11, 2014
Property Management will begin to document all key request, specifically, who the keys were
issued to and who approved the same. This information should prove useful when an employee
leaves the employ of the City and the City requires keys returned upondeparture.
EXIT CONFERENCE
A meeting was held to discuss the audit report and to solicit management responses noted above.
Attendees were Kathie Brooks, Assistant City Manager, Sylvia Crespo-Tabak, Human Resources
Director, Anthony Kaniewski, Property Management Division Director, James Sutter, Internal Auditor
and Laura Franco-Rubines, Assistant Internal Auditor. Management responses were subsequently
received and incorporated within the report. All were in agreement with the contents of this report.
(Audit performed by Laura Franco-Rubines, Assistant Internal Auditor)
F:IOBPI\$AUD\INTERNAL AUDIT FILES\DOC12-13\REPORTS-FINAL\Id-Access Cards. doc
cc: Kathie G. Brooks, Assistant City Manager
Sylvia Crespo-Tabak, Human Resources Director
Eric Carpenter, Public Works Director
Anthony Kaniewski, Property Management Director
Page 7 of 7