CC 03-20-2018 Exhibit Item No. 7 - Memorandum on Internal Control Required Communications - Crowe Horwath
CC 03-20-2018 Item No. 7
Crowe Horwath LLP
Independent Member Crowe Horwath International
INDEPENDENT AUDITOR'S REPORT ON INTERNAL CONTROL OVER FINANCIAL REPORTING
AND ON COMPLIANCE AND OTHER MATTERS BASED ON AN AUDIT OF FINANCIAL
STATEMENTS PERFORMED IN ACCORDANCE WITH GOVERNMENT AUDITING STANDARDS
To the Honorable Mayor and City Council
City of Cupertino, California
We have audited, in accordance with the auditing standards generally accepted in the United States of
America and the standards applicable to financial audits contained in Government Auditing Standards
issued by the Comptroller General of the United States, the financial statements of the governmental
activities, the business-type activities, each major fund, and the aggregate remaining fund information of
City of Cupertino, California (City) as of and for the year ended June 30, 2017, and the related notes to the
financial statements, which collectively comprise the City's basic financial statements, and have issued our
report thereon dated March 1, 2018.
Internal Control Over Financial Reporting
In planning and performing our audit of the financial statements, we considered City's internal control over
financial reporting (internal control) to determine the audit procedures that are appropriate in the
circumstances for the purpose of expressing our opinions on the financial statements, but not for the
purpose of expressing an opinion on the effectiveness of City's internal control. Accordingly, we do not
express an opinion on the effectiveness of City's internal control.
A deficiency in internal control exists when the design or operation of a control does not allow management
or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct,
misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in
internal control such that there is a reasonable possibility that a material misstatement of the entity's
financial statements will not be prevented, or detected and corrected on a timely basis. A significant
deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a
material weakness, yet important enough to merit attention by those charged with governance.
Our consideration of internal control was for the limited purpose described in the first paragraph of this
section and was not designed to identify all deficiencies in internal control that might be material
weaknesses or significant deficiencies and therefore, material weaknesses or significant deficiencies may
exist that were not identified. We did identify certain deficiencies in internal control, described in the
accompanying schedule of findings and responses as items 2017-001, 2017-002 and 2017-003 that we
consider to be material weaknesses.
Compliance and Other Matters
As part of obtaining reasonable assurance about whether City's financial statements are free of material
misstatement, we performed tests of its compliance with certain provisions of laws, regulations, contracts,
and grant agreements, noncompliance with which could have a direct and material effect on the
determination of financial statement amounts. However, providing an opinion on compliance with those
provisions was not an objective of our audit, and accordingly, we do not express such an opinion. The
results of our tests disclosed no instances of noncompliance or other matters that are required to be
reported under Government Auditing Standards.
The City's Response to Findings
The City's response to the findings identified in our audit is described in the accompanying schedule of
findings and responses. The City's response was not subjected to the auditing procedures applied in the
audit of the financial statements and, accordingly, we express no opinion on it.
Purpose of this Report
The purpose of this report is solely to describe the scope of our testing of internal control over financial
reporting and compliance and the results of that testing, and not to provide an opinion on the effectiveness
of the entity's internal control or on compliance. This report is an integral part of an audit performed in
accordance with Government Auditing Standards in considering the entity's internal control and
compliance. Accordingly, this communication is not suitable for any other purpose.
Costa Mesa, California
March 1, 2018
Crowe Horwath LLP
CITY OF CUPERTINO, CALIFORNIA
SCHEDULE OF FINDINGS AND RESPONSES
YEAR ENDED JUNE 30, 2017
2017-001 - INFORMATION SYSTEM CONTROLS
Criteria: Internal controls over information systems are a key component of an organization's control
environment. Entities should have internal controls including policies and procedures regarding user
access, change management, and back-up and recovery. Where adequate segregation of duties cannot
be employed via system access restrictions, detective and monitoring review controls should be established
that adequately mitigate such risks. Such controls enable entities to increase efficiency by reducing manual
processes and improving the accuracy and quality of the data used across those information systems. Such
controls are also important to prevent erroneous and fraudulent transactions or entry to systems.
Condition: We evaluated system access to the City's Active Directory as well as the financial reporting
system, New World Systems (NWS). The Active Directory authenticates and authorizes all users and
computers in a Windows domain type network - assigning and enforcing security policies for all computers
and installing or updating software. For example, when a user logs into a computer that is part of a Windows
domain, Active Directory checks the submitted password and determines whether the user is an authorized
user.
During our assessment of the City's information system controls, we noted the following:
Financial Reporting System/Active Directory
• The City's Finance Manager and Accountant II maintain super user access to the financial reporting
system, in addition to operational roles in the normal course of business. Super user access
includes the ability to add/modify/delete user accounts as well as assign security privileges to user
accounts.
• The City's information and technology (IT) and finance departments do not have a process to
evaluate the propriety of changes to user access within the financial reporting system. For example,
the City's IT and finance departments are not able to provide evidence that access was removed
from NWS in a timely manner. We selected a sample of 5 out of 44 terminated employees during
the period reviewed. While we can confirm that user access has been removed from NWS as of
the date of fieldwork, neither the IT department nor the finance department maintained records
indicating the date that user access was removed.
Policies and Procedures
• The City's information technology policies and procedures have not been recently updated to reflect
the practices that are currently in use. It is unknown when the City last reviewed the IT policies and
procedures. For example, areas such as the disaster recovery plan and internet access and use
monitoring policy, are no longer applicable to the City due to changes in hardware, software and/or
management structure, yet are still presented therein.
Cause:
Financial Reporting System/Active Directory
• Super user access was granted to the 2 individuals, as management had not yet identified a
position within the City, but outside the finance department, which could permanently fulfill this role.
As of June 15, 2017, super user access was removed from the users identified during testing.
• User access requests for the financial reporting system are informal, typically verbal or through
email. The City does not have a mechanism for tracking when user access is changed. Within the
financial reporting system, the City has not yet identified the key reports which should be utilized to
evaluate changes made to user access.
Policies and Procedures
• With regard to the City's IT policies and procedures, there have been systematic changes to the
City's disaster recovery plan, and other IT areas which have not yet been carried forward into the
City's written policies.
Effect:
Financial Reporting System/Active Directory
Improper user access could result in fraudulent and/or unauthorized transactions being recorded in the
City's financial reporting system, where management would not be able to detect such activity.
Policies and Procedures
Outdated policies and procedures may not provide the City a mechanism to restore critical information
systems should there be a disaster recovery event. Further, in the event that key IT employees separate
from the City, outdated policies and procedures may deter the City's ability to smoothly transition
responsibilities to successors.
Recommendation:
Financial Reporting System/Active Directory
• The City should establish written policies and procedures which provide for the appropriate levels
of user access based on the relative roles and responsibilities within the financial reporting system.
A best practice is to provide the lowest level of access based on operational need. Further, we
recommend the City perform a systematic review and maintain documentation of users' access
rights within the financial reporting system, to ensure that a) there are not users with super user
access who also have the ability to perform operational functions within the financial reporting
system and b) users' access roles are only for those functions which are necessary to perform in
the normal course of business.
Policies and Procedures
• We recommend that the City update its policies and procedures to reflect current conditions and
establish a process to ensure periodic review occurs. IT policies should be reviewed and approved
by management or those charged with governance on a periodic basis.
Management's Response and Planned Corrective Action: Management agrees with auditor's
recommendation and has already drafted a policy for the purpose of ensuring user access is effectively
managed in the New World financial reporting system to maintain internal controls and segregation of
duties. This policy emphasizes control procedures over granting and changing user access to the system
as well as periodic reviews (monthly and annually) of users who have access to the system. In addition,
management has already removed super-user access from all employees within the finance department.
2017-002 - TIMELY PROCESSING OF BANK RECONCILIATIONS
Criteria: A bank reconciliation is used to compare the records of the City to those of the bank, to see if
there are any differences between those two sets of records for cash transactions. Performing timely bank
reconciliations is critical to the accurate financial reporting of the City. In addition, the bank reconciliation
cannot be considered complete until it has been reviewed and approved, and where applicable, changes
to the City's financial records have been processed.
Condition: Prior to beginning the interim audit procedures for the fiscal year ended June 30, 2017, we
noted that the predecessor auditor reported (among other conditions) material unreconciled variances
between the financial records of the bank and the financial records of the City. During our interim
procedures, we noted that the City has been continuously evaluating the accuracy of the underlying
financial activity included in the bank reconciliation information in order to have confidence in the data
interfacing with the financial reporting system. The City had engaged another CPA firm to assist with this
process and ensure that the bank reconciliation process is completed from December 2014 through the
current fiscal year, and that process was completed in August 2017.
Cause: The City implemented its new financial reporting system in the previous fiscal period. As a result,
the bank reconciliation process was not completed timely and fell behind schedule in prior years.
Effect: Transactions which have not been reviewed could be recorded incorrectly, and not corrected in a
timely manner.
Recommendation: We recommend the City continue its process of reviewing its bank reconciliations and
clearing exceptions by posting correcting entries to the general ledger, when necessary. This will result in
more accurate financial reporting.
Management's Response and Planned Corrective Action:
During fiscal year 2016-2017, the City allocated significant resources to ensure the bank reconciliation
comments that were noted in the prior year financial statement audit were resolved in a timely manner.
Prior to the commencement of fieldwork for the fiscal year 2016-2017 audit, the City completed its bank
reconciliations; however, because the City was required to address differences noted in prior reporting months,
they could not be completed within thirty (30) days subsequent to the reporting period end. Since
addressing the bank reconciliation-related comments noted in the fiscal year 2015-2016 audit, the City has
been completing and reviewing its monthly bank reconciliations in a timely manner.
2017-003 - PRIOR PERIOD RESTATEMENTS FOR PENSIONS AND CAPITAL ASSETS
Criteria: Financial Statements prepared in accordance with GASB Statement No. 34 must include activities
related to capital assets. Reporting of capital assets on financial statements requires management to track
and monitor capital assets activities including those classified as construction in progress. All costs incurred
relating to construction of entity-owned assets must be accounted and classified under construction in
progress in the appropriate fund. Also, in consideration of the City's net pension liability and related
deferred inflows and outflows of resources, National Council on Governmental Accounting (NCGA)
Statement 1, Governmental Accounting and Financial Reporting Principles, paragraph 42, as amended,
requires that long-term liabilities that are directly related to and expected to be paid from those funds be
reported in the statement of net position or statement of fiduciary net position, respectively.
Condition: During the fiscal year, the City identified instances in its capital asset records where certain
capital assets were reported in the incorrect opinion units as well as construction in progress in prior year
was not reported. In addition, in prior years, the City did not properly allocate its net pension liability,
deferred outflows of resources or deferred inflows of resources to its internal service funds. As a result, the
City reported prior period restatements in the applicable opinion units for all material adjustments.
Cause: The cause for the capital asset prior period restatement appears to be manual errors in the record
keeping for capital assets in prior years, which the City corrected during the fiscal year ended June 30,
2017. The cause for the pension restatement was the City not properly considering the guidance within
NCGA Statement 1 when reviewing the allocation of its pension liabilities, deferred outflows of resources
and deferred inflows of resources in prior years to ensure material allocations to applicable opinion units
were presented correctly.
Effect: Approximately $327,000 in capital assets were not recorded in the Recreation Program Enterprise
Fund in previous years. Also, $1,267,056 in net pension liability, $162,743 in deferred outflows of resources
and $80,330 in deferred inflows of resources were not recorded in the Information Technology Internal
Service Fund.
Recommendation: We recommend that the City continue its monitoring of capital asset records to ensure
proper recording of these items in its financial statements. This includes implementing procedures to timely
identify capital asset activity as either expenses or construction in progress and that capital assets are
recorded in their correct fund. We also recommend that annual pension calculations be reviewed to ensure
proper allocation to applicable opinion units.
Management's Response and Planned Corrective Action:
Management agrees with auditor's recommendation and will continue the monitoring of capital asset
records to ensure proper recording of these items in the City's financial statements. The City is currently
implementing a new fixed assets module in fiscal year 2017-2018 that will assist in the monitoring,
maintenance, and reporting of the fixed assets-related activities of the City. Furthermore, management will
be providing the training necessary for the proper identification and recording of capitalizable costs. In
regards to the finding related to pension allocation, the City also agrees and will ensure all pension-related
activities are properly allocated to the appropriate opinion unit on an on-going basis.