Bureau of Audit
Follow-Up Audit Report on the Development and Implementation of the Paperless Office System by the Human Resources Administration
April 21, 2010
AUDIT REPORT IN BRIEF
This follow-up audit determined whether the Human Resources Administration (HRA) has implemented the nine recommendations made in a previous audit entitled Audit Report on the Development and Implementation of the Paperless Office System by the Human Resources Administration (Audit No. 7A04-099, issued May 2, 2005).
The 2005 audit evaluated whether the development of the Paperless Office System (POS) followed a formal system development methodology, meets the initial business and operational requirements, was designed to allow future enhancements and upgrades, was procured in accordance with City Charter provisions and Procurement Policy Board Rules, and has been incorporated into the HRA’s disaster recovery plan.
The 2005 audit found that POS was not completed on time and did not meet HRA’s initial business and operation requirements. In addition, the agency disaster recovery plan was inadequate and did not incorporate POS. There was incomplete information about the manner in which the contract was procured. Furthermore, HRA lacked written policies and procedures to ensure that POS user accounts are adequately controlled. Finally, the information presented about POS in the Mayor’s Management Report (MMR) gave the false impression that POS development was progressing smoothly.
Audit Findings and Conclusions
The current follow-up audit disclosed that of the nine recommendations made in the previous audit, HRA implemented six recommendations, partially implemented one, and did not implement one. We found one recommendation to be no longer applicable. HRA has implemented changes in the following areas: POS is currently linked to several of its own agency systems, the State systems, and other City agency systems; HRA incorporated a tracking system to monitor POS enhancement phases, which includes the testing phase; HRA has complied with the City’s procurement rules. In addition, based on the POS user survey, users are generally satisfied with the system. HRA has an adequate disaster recovery plan that includes POS and a written policy and procedure for POS. HRA has developed policies and procedure to ensure that user accounts are adequately controlled; however, some POS users are listed as inactive employees. Also, HRA did not engage an independent quality-assurance consultant for system development. Finally, the recommendation regarding inclusion of complete POS data in the MMR is no longer applicable since the MMR format has changed significantly since 2005.
To address the outstanding issues from the previous audit that still exist, we recommend that HRA officials:
- Employ an independent quality-assurance consultant in future systems developments to oversee and monitor HRA’s entire systems development process from its inception.
- Periodically review the status of inactive user accounts and terminate access where appropriate.