Loading...
HomeMy WebLinkAbout2021 May 20 - Follow-Up Report: County of Hawaii Information Technology Asset Management Follow-up Audit Report County of Hawaii seal County of Hawaii Office of the County Auditor County of Hawaii Information Technology Asset Management May 20, 2021 Maxinne Pacheco Acting County Auditor County of Hawaii seal OFFICE OF THE COUNTY AUDITOR 25 Aupuni Street Hilo, Hawaii 96720 telephone number (808) 961-8386 Fax (808) 961-8905 website: http://hawaiicounty.gov e-mail: countyauditor@hawaiicounty.gov Business Address 120 Pauahi Street Suite 309 Hilo, Hawai`i 96720 May 20, 2021 Honorable Maile Mederios David, Council Chair and Members of the Hawaii County Council Hawaii County Council 25 Aupuni Street Hilo, Hawaii 96720 Dear Chair David and Council Members, In accordance with generally accepted government auditing standards and the Hawaii County Charter Section 3-18(d)(3), the Office of the County Auditor has a responsibility to monitor and follow-up on audit recommendations to ensure that audit findings are being addressed through appropriate corrective action and to aid us in planning future audits. We have completed our follow-up audit of the County of Hawaii Information Technology Asset Management (Report No. 2015-01) dated November 12, 2015. The audit objective was to determine if the Department of Information Technology implemented the 2015 IT Asset Management recommendations. We tested eleven recommendations and found that management took corrective action as follows: Status of Recommendations: 4 Implemented Department has fully implemented the audit recommendation 6 In Process Department started or has partially implemented the audit recommendation 1 Not Implemented Department ahs not begun implementation of the recommendation Currently, the Department of Information Technology (DIT) does not own or manage all the County's IT assets. To fully meet best practices, IT asset management should be centralized, DIT should own all IT assets, and use an IT asset management role. Hawai`i County is an Equal Opportunity Provider and Employer These are key elements to successful management of IT assets and without these elements, the County is at an increased risk of security concerns, system instability, helpdesk, and County employee inefficiencies, as well as increased hardware and software costs. Management has generally agreed with the comments and the status of recommendations in this report. We would like to express our sincere appreciation and commend the Department of Information Technology's leadership and staff for their continued efforts to improve information technology asset management and for their assistance, cooperation, and prompt feedback during the follow-up audit process. If you have any questions or concerns about the status of recommendations discussed, please feel free to contact me at 961-8386. Respectfully, Maxinne Pacheco Acting County Auditor CC Mitchell D. Roth, Mayor Lee Lord, Managing Director Jon Henricks, County Clerk Scott Uehara, Director, Department of Information Technology Deanna Sako, Finance Director Report Highlights May 20, 2021 County of Hawaii Information Technology Asset Management Follow-Up Original Audit What we found Two key elements of IT asset management are the centralization of the IT function and the use of an IT asset management role. Without these two elements, the County is at an increased risk of security concerns, system instability, and helpdesk inefficiencies. What we recommended We identified the following recommendations for management to meet best practices: 1. DIT should own all IT assets. Furthermore, an IT asset management role should be established to manage the County's IT assets including: Developing a financial forecast of hardware and software upgrades and replacements; Maintaining an approved software list for standardization; Identifying re-deployable IT assets; Continuing to evaluate leasing as an option; Maintaining a listing of IT assets and the assigned users in a centralized database; Centrally receiving and accepting all IT assets; Reconciling IT assets in the IT asset management inventory; and Ensuring the disposal of IT assets occurs in a secured manner. 2. The County should address gaps in formal written policies and procedures over IT practices. Follow-up Audit In November of 2015, the Office of the County Auditor issued the audit of the County of Hawai‘i Information Technology Asset Management and made eleven recommendations. Management generally agreed with the comments and status of recommendations. Objective To determine if the Department of Information Technology implemented the 2015 IT asset management recommendations. Status of Recommendations We tested eleven recommendations and found that management took corrective action as follows: Implemented: 4 In Process: 6 Not Implemented: 1 Hardware and software Lifecycle management Upgrades & Replacements: (1) In Process Purchase Request & Approval: (1) In Process and (1) Implemented Redeployment of Assets: (1) In Process Leasing: (1) Implemented Hardware and software inventory management Centralized Management System: (1) Implemented and (1) In Process Receiving & Accepting: (1) In Process Annual Physical Inventory: (1) Not Implemented Hardware and Software security Secured Disposal: (1) In Process and (1) Implemented This audit was conducted in accordance with generally accepted government auditing standards. Table of Contents Status of Recommendations ....................................................................................... 1 Hardware and Software Lifecycle Management 1. Upgrades and Replacements .................................................................... 1 2. Purchase Request and Approval ............................................................... 3 3. Redeployment of Assets............................................................................ 4 4. Leasing ...................................................................................................... 5 Hardware and Software Inventory Management 5. Centralized Management System.............................................................. 6 6. Receiving and Accepting ........................................................................... 8 7. Annual Physical Inventory.......................................................................... 9 Hardware and Software Security 8. Secured Disposal..................................................................................... 10 AuditObjective ........................................................................................................... 11 Audit Scope and Methodology .................................................................................. 11 Conclusion .................................................................................................................. 13 Department Response ............................................................................................... 14 Status of Recommendations Hardware and Software Lifecycle Management Recommendation #1. Upgrades and Replacements - Status: In Process We recommend that DIT establish an IT asset manager position to manage the County's IT assets and implement a plan to develop a one through five-year financial forecast of hardware and software upgrades and replacements for each of the departments by analyzing the historical information on the County's IT environment, current trends, and future needs. While the County has implemented several procedures to better manage IT assets, to fully meet industry best practices and improve the process of upgrading and replacing computers and laptops, the IT asset manager should implement a plan to take ownership of all IT assets. Auditee Action: In September 2019, DIT developed a plan to deploy 310 computers and/or laptops. Due to the COVID-19 pandemic, deployment is ongoing. In November 2020, we discussed the status of recommendations with the current and incoming DIT Director. We worked with the incoming administration to provide a written response to be included in this report. We reviewed the supplemental budget requests and found the IT asset manager position was not established. In January 2021, the new DIT Director stated in his new role he has discretion to realign duties to close gaps in certain processes by dividing up work between DIT sections. He further affirmed he has a goal of developing a five-year hardware and software upgrade and replacement schedule to address this audit recommendation. Additionally, in July 2020, we reviewed a contract authorizing the development of an IT Strategic Plan and Roadmap with the State of Hawaiʻi, Office of Enterprise Technology and the United States Department of Defense, Office of Homeland Security. IT Asset Management Follow-up Audit Status of Recommendations page 1 Auditee Action: DIT attended a series of workshops to learn: • IT Strategy Assess the current state of IT and compare it to the desired future state; Create a roadmap of IT initiatives that will bring IT to the level neededto achieve its goals and fulfill its role to support business objectives; and Establish a strategic roadmap for the next 2-3 years. • Information Security • Disaster Recovery Planning To fully meet best practices, management should prioritize establishing an IT asset manager or equivalent to manage all County-owned IT assets and develop a one through five-year financial forecast of upgrades and replacements for each of the departments by analyzing the historical information on the County's IT environment, current trends, and future needs as part of their IT Strategic Plan and Roadmap. IT Asset Management Follow-up Audit Status of Recommendations page 2 Recommendation #2. Purchase Request and Approval Status: In Process We recommend DIT implement a policy to maintain an approved software listing and communicate the risks to the departments. The policy should include an annual review of the listing to ensure that software listed is still relevant and does not pose a security concern to the County. A review process should be implemented to respond to requests for software titles that are not currently in the supported software listing. Auditee Action: We reviewed 137 approved and disapproved software listings and found DIT has a process of maintaining an approved software listing and communicates the risk in their Hawai‘i County Security Handbook that provides guidance on, “What you need to know to stay safe while computing, and help protect the County’s IT assets.” To fully meet best practices, DIT should address current software approval processes including an annual review in DIT Employee Policies. We also recommend DIT update the County-Issued Technology Device policy to include prohibiting users from installing non-supported software and adding un-approved devices to the County network. Status: Implemented Auditee Action: We reviewed DIT Employee Policies’ Electronic Resources Policy (March 2020) prohibiting: “Engaging in disruptive or malicious activities such as unauthorized software, hardware, or data modification.” “Installing or downloading software not approved and/or licensed to the County.” IT Asset Management Follow-up Audit Status of Recommendations page 3 Recommendation #3. Redeployment of Assets Status: In Process We recommend that once the IT asset manager position has been established, DIT should implement a process to identify redeployable assets and to establish County-wide formal written redeployment procedures to retrieve computers and software licenses that were installed on computers that were replaced or idle for an extended period of time. The redeployment of computers and software licenses is often cost-effective, minimizes unnecessary purchases, reduces over purchasing of assets and reduces data security risks. Auditee Action: We reviewed 426 equipment transfer records and found DIT partially meets best practices because they: Identify and tag usable hardware and software through department transfers and helpdesk ticket requests. Redeploy local or cloud-based software licenses (Microsoft/Adobe) when computers become inoperable, or user separates from the County. Identify computers and laptops that could be redeployed because of County-wide computer upgrade and replacement initiatives. Track equipment on loan with an In/Out log. To fully meet best practices, DIT should address current redeployment processes including establishing a County-wide formal written redeployment procedures to retrieve computers and software licenses that were installed on computers that were replaced or idle for an extended period of time in DIT Employee Policies. In January 2021, the new DIT Director stated they will redeploy usable IT assets within the three to five-year warranty period. Figure 1 Items tagged for redeployment Photo courtesy Office of the County Auditor IT Asset Management Follow-up Audit Status of Recommendations page 4 Recommendation # 4. Leasing Status: Implemented We recommend DIT continue to evaluate leasing as an option to procure computers and software licenses for the County. We also reviewed yearly subscriptions for software licenses for: Adobe VIP (Value Incentive Program) Adobe Sign Microsoft ESRI (software mapping) IT Asset Management Follow-up Audit Status of Recommendations page 5 Hardware and Software Inventory Management Recommendation # 5. Centralized Management System Status: Implemented We recommend DIT track users in a centralized database. Not tracking users in a centralized database may increase the County's security exposure since DIT may not be able to determine if computers are in use or locate assets. In addition, DIT may have difficulty holding employees accountable for the protection of assets and inappropriate activities. Unused computers are candidates for redeployment and may unnecessarily consume software licenses. From a software compliance perspective, software end-user licensing agreements can be tied to users instead of computers, and DIT may not be able to determine the appropriate license counts without knowing the assigned users. The fixed assets inventory system is not accessible to DIT and the automated network and software inventory system is not used to track the user. Auditee Action: We observed Lansweeper, an automated software program used to monitor asset data information, network security, software updates, and patches for: 1,408 users 1,449 devices Flagging computers/devices not seen in the network in the last 30/60/90 days Flagging users’ access upon separation from the County every two weeks Flagging and redeploying local or cloud-based software licenses (Microsoft/Adobe) when computers become inoperable, or user separates from the County Blocking at-risk devices from the network Pushing out security updates and patches Restricting most user’s administrative rights. Reporting discrepancies to department IT liaisons IT Asset Management Follow-up Audit Status of Recommendations page 6 Therefore, we recommend that once the IT asset manager position is established, DIT should implement a plan to identify a centralized database that has the ability to track users whether it is the fixed assets inventory system, the automated network and software inventory system, or another IT asset management inventory system. After a product has been identified, the IT asset manager should implement County-wide written procedures to centrally track users for all IT assets. Status: In Porcess Auditee action: We observed DIT staff using Lansweeper to track asset data information for over 1400 users and devices connecting to the network to ensure the network is safe. To fully meet best practices, the IT asset manager should implement County-wide written procedures to centrally track users for all IT assets in applicable DIT Employee Policies and/or IT Strategic Plan and Roadmap. IT Asset Management Follow-up Audit Status of Recommendations page 7 Recommendation #6. Receiving and Accepting Status: In Process We recommend DIT implement a plan to centrally receive and accept all IT assets to ensure DIT is aware of new computers or software before they are introduced into the County environment. DIT is aware of new computers and software because they: • Coordinate County-wide computer update and replacement initiatives/Refresh. • Restrict most user's administrative rights. • Require users to submit a helpdesk ticket for hardware/software installation and/or configuration to the network. • Require users to submit a Custom Technology Request Form for all other non-price term agreement equipment and software requests. To fully meet best practices, DIT should implement a plan to centrally receive and accept all IT assets and/or address current receiving and accepting processes to ensure DIT is aware of new computers or software before they are introduced into the County environment in DIT Employee Policies. IT Asset Management Follow-up Audit Status of Recommendations page 8 Recommendation # 7. Annual Physical Inventory Status Not Implemented We recommend DIT periodically reconcile IT assets listed on the Fixed Asset Detail Report with the automated network and software inventory system to ensure all IT assets are properly recorded and included in the annual physical inventory. Any discrepancies should be investigated and resolved immediately. Auditee Action: We corroborated with DIT staff and reviewed the County’s inventory records and found DIT performs physical inventory of only their departments IT assets. To fully meet best practices, DIT should conduct periodic County-wide physical inventory to ensure all IT assets are properly recorded and included in the annual physical inventory. IT Asset Management Follow-up Audit Status of Recommendations page 9 Hardware and Software Security 8. Secured Disposal Status In Process We understand that the Director of IT plans to issue a memo with the “Electronic Records Destruction Policy for Computer and Electronic Media" to the Department heads and managers requiring the transfer of all obsolete hard drives to DIT for destruction. We recommend the County review this policy at least annually and update accordingly. Auditee Action: We reviewed the DIT Employee Policies Electronic Data Storage Destruction Policy (March 2020) and found the policy was periodically reviewed but not updated accordingly. To fully meet best practices, DIT should address the transfer of all obsolete hard drives to DIT for destruction including annual review process in DIT Employee Policies. We also understand that the current computer deployment location is temporary. However, if DIT continues to use the facility, we recommend that additional physical security controls be implemented to safeguard IT assets and media from loss or theft. Status: Implemented Auditee Action We verified additional physical security controls to safeguard IT assets and media from loss or theft, specifically we: Observed security camera system and safeguarding practices in place at Schultz Siding office and baseyard. Reviewed 82 disposal records and three police reports to confirm there were no redeployed items in DIT’s custody that were stolen. Compared Equipment Disposal Forms to Certificates of Disposal and found no exceptions. Observed manual hard drive crusher used to destroy obsolete hard drives and media tapes at secured location. Figure 2 Manual Hard Driver Crusher Photo courtesy Office of the County Auditor IT Asset Management Follow-up Audit Status of Recommendations page 10 Audit Objective The objective of this follow-up audit was to determine if the Department of Information Technology implemented the 2015 IT asset management recommendations. Audit Scope and Methodology To verify the Department of Information Technology implemented the IT asset management recommendations, we: • Corroborated information with appropriate staff to follow-up on the responses to audit recommendations • Performed tests of controls • Reviewed applicable source documents: Inventory Procedures Manual dated 1-1-83 DIT Employee Policies dated 12-31-16, revised 7-1-17, and 3-23-2020 Electronic Resources Policy Password Policy E-Mail Retention Policy Electronic Data Storage Destruction Policy Mobile Device Policy Social Media Policy Memorandum of Understanding for the County of Hawaii Department of Information Technology's Strategic Plan and Roadmap 6-18-2020 Statement of Work: IT Strategy, Information Security, and Disaster Recovery Planning Workshops for County of Hawaii Windows Upgrade and Deployment Strategies dated 9-11-19 Project Data Criteria dated 10-2-19 Information Technology Information Security Handbook Standard Operating Procedures for County Devices Approved/disapproved software listings Loaner equipment In/Out logs Inventory records including department transfers and disposals 2015 - 2019 Price Term Agreements for Computer Equipment Supplemental Budget Requests Council Resolutions and Communications Other as needed information from December 2015 to January 2021 • Conducted site visits to verify monitoring, redeployment, and safeguarding practices at Waiakea Office Plaza and Schultz Siding Office. IT Asset Management Follow-up Audit Audit Objective, Scope and Methodology page 11 The scope of the audit was limited to departments that the Department of Information Technology supports. The audit excluded the Department of Water Supply, Police Department, Office of Housing and Community Development, Office of the Prosecuting Attorney, and the Office of Aging. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. IT Asset Management Follow-up Audit Audit Objective, Scope and Methodology 112 Conclusion We sincerely thank the Department of Information Technology's leadership and staff for their cooperation during our follow-up work and for their efforts in working toward implementing and partially implementing most IT asset management recommendations, such as: ➢ Lifecycle management for hardware and software upgrades and replacements ➢ Purchase request and approval maintaining approved software listing and communicating the risks to departments updating County-Issued Technology Devise policy prohibiting users from installing non-supported software and adding un-approved devices to the County network ➢ Redeployment of assets ➢ Evaluating leasing as an option to procure computers and software licenses ➢ Tracking users in a centralized database ➢ Centrally receiving and accepting all IT assets to ensure DIT is aware of new computers or software before they are introduced into the County environment ➢ Secure disposal Annual review of secured disposal policy Additional physical security controls to safeguard IT assets from loss or theft. Opportunities exist to fully meet best practices, such as DIT should: ➢ Centralize the IT asset management function ➢ Own all IT assets and establish an IT asset management role Develop a one through five-year financial forecast of upgrades and replacements for each of the departments by analyzing the historical information on the County's IT environment, current trends, and future needs. ➢ Conduct periodic physical inventory to ensure all County IT assets are properly recorded and included in the annual physical inventory. ➢ Address gaps in Employee Policies to address: Current software approval processes including annual review Current redeployment processes including the retrieval of computers and software licenses that were installed on computers that were replaced or idle for an extended period of time. Implement County-wide written procedures to centrally track users for all IT assets Centrally receive and accept all IT assets and/or current receiving and accepting processes, and Transfer of all obsolete hard drives to DIT for destruction including an annual review process. IT Asset Management Follow-up Audit Conclusion page 13 Department Response Mitchell D. Roth Mayor Lee Lord Managing Director Scott Uehara Director County of Hawaii Department of Information Technology 1990 Kinoole Street, Suite 105 Hilo, Hawaii 96720 Telephone (808) 932-2960 Fax (808) 961-8089 May 18, 2021 Acting County Auditor Maxinne Pacheco 25 Aupuni Street Hilo, Hawaii 96720 To Maxinne Pacheco: You will find the Department of Information and Technology's response letter to the Hawaii County Audit for 2021. Should there be any questions or concerns, please feel free to contact me. Sincerely, Scott Uehara Department of Information Technology, Director 1990 Kinoole Street, Suite 4105 Hilo, HI 96720 4808-932-2975 Scott.Uehara@hawaiicounty.gov County of Hawai'i is an Equal Opportunity Provider and Employer. IT Asset Management Follow-up Audit Department Response page 14 Hardware and Software Lifecycle Management 1. Upgrades and Replacements (Status: In Process) Recommendation: Recommended that DIT establish an IT asset manager position to manage the County's IT assets and implement a plan to develop a one through five year financial forecast of hardware and software upgrades and replacements for each of the departments by analyzing the historical information on the County's IT environment, current trends and future needs. While the County has implemented several procedures to better manage IT assets, to fully meet industry best practices and improve the process of upgrading and replacing computers and laptops, the IT asset manager should implement a plan to take ownership of all IT assets. Response: An IT asset management position was recommended in the November 12, 2015 audit and is being recommended again in the November 30, 2020 audit. In the November 12, 2015 audit report, management of hardware and software lifecycle, inventory, financial and security procedures were compared against the Best Practices Library published by the International Association of Information Technology Asset Managers. Managing Information Technology assets across the County is an important issue that must be addressed. In order to manage the overall life cycle of these assets, the finances, inventory, and contractual/risk management responsibilities are required. The IT Asset Manager (ITAM)will have many different roles to play. They will be not only short term, but long-term goals. The position will also introduce best practices that provide value to the County as a whole. The simplest way to summarize the importance of this role is with the saying, "If you are not managing your technology, you are not managing your business." By Dr. Barbara Rembiesa. While DIT moves towards investigating the ITAM position, questions still need to be answered, such as: • Will the ITAM be financially responsible for missing assets, when this position does not have total physical accountability for assets? • As technology moves forward with mobile technology, how will asset control account for equipment which are routinely moving? • Will inventory auditing be conducted in tandem or asynchronous from yearly and administrative audits? 2. Purchase Request and Approval (Status: In Process) Recommendation: Recommended that DIT implement a policy to maintain an approved software listing and communicate the risks to the departments. The policy should include an annual review of the listing to ensure that software listed is still relevant and does not pose a security concern to the County. A review process should be implemented to respond to requests for software titles that are not currently in the supported software listing. Response: DIT does manage a list of approved and unapproved software listing. It is agreed that a policy should be created to address baseline standards for the review process of software. County of Hawai'i is an Equal Opportunity Provider and Employer. IT Asset Management Follow-up Audit Department Response page 15 3. Redeployment of Assets (Status: In Process) Recommendation: Was recommended that once the IT asset manager position has been established, DIT should implement a process to identify redeployable assets and to establish County-wide formal written redeployment procedures to retrieve computers and software licenses that were installed on computers that were replaced or idle for an extended period of time. The redeployment of computers and software licenses is often cost effective, minimizes unnecessary purchases, reduces over purchasing of assets and reduces data security risks. Response: DIT continues efforts to utilize assets capable of supporting user requirements and aligning with established security requirements. The Coronavirus pandemic required DIT to quickly adjust to work reassignments and this caused some assets to fall out of compliance for redeployment. 4. Leasing Recommendation: Recommended that DIT continue to evaluate leasing as an option to procure computers and software licenses for the County. Response: Agree with recommendation and implementation of leasing. 5. Centralized Management System (Status: In Process) Recommendation: Recommended that DIT track users in a centralized database. Not tracking users in a centralized database may increase the County's security exposure since DIT may not be able to determine if computers are in use or locate assets. In addition, DIT may have difficulty holding employees accountable for the protection of assets and inappropriate activities. Unused computers are candidates for redeployment and may unnecessarily consume software licenses. From a software compliance perspective, software end-user licensing agreements can be tied to users instead of computers, and DIT may not be able to determine the appropriate license counts without knowing the assigned users. The fixed assets inventory system is not accessible to DIT and the automated network and software inventory system is not used to track the user. Therefore, we recommend that once the IT asset manager position is established, DIT should implement a plan to identify a centralized database that has the ability to track users whether it is the fixed assets inventory system, the automated network and software inventory system, or another IT asset management inventory system. After a product has been identified, the IT asset manager should implement County-wide written procedures to centrally track users for all IT assets. Response: The majority of software licenses have been migrated from device assignments to being assigned to users. User tracking will need to account for all device and license types as some employees have stationary assets in their office environment, and also have mobile assets which will require additional tracking of the asset and software associated. To aide DIT in tracking users, we need assistance from all County departments to timely notify DIT of employee changes. County of Hawai'i is an Equal Opportunity Provider and Employer. IT Asset Management Follow-up Audit Department Response page 16 6. Receiving and Accepting (Status: In Process) Recommendation: Recommended that DIT implement a plan to centrally receive and accept all IT assets to ensure DIT is aware of new computers or software before they are introduced into the County environment. Response: DIT will work on a policy and process with the Finance department to accurately account for all computer purchases to ensure that all assets will be centrally received. To move forward with this recommendation, DIT will need a warehouse or location to physically store assets while waiting for configuration and deployment. 7. Annual Physical Inventory (Status: Not Implemented) Recommendation: Recommended that DIT periodically reconcile IT assets listed on the Fixed Asset Detail Report with the automated network and software inventory system to ensure all IT assets are properly recorded and included in the annual physical inventory. Any discrepancies should be investigated and resolved immediately. Response: The Coronavirus pandemic has introduced new challenges to inventory assets as many devices have remained off, and thusly automated network scans have not been fully successful with ascertaining if assets are still in place. Without additional staff, dedicated to asset management, this will remain on ongoing issue. 8. Secured Disposal (Status: In Process) Recommendation: We understand that the Director of IT plans to issue a memo with the "Electronic Records Destruction Policy for Computer and Electronic Media" to the Department heads and managers requiring the transfer of all obsolete hard drives to DIT for destruction. Recommend the County review this policy at least annually and update accordingly. We also understand that the current computer deployment location is temporary. However, if DIT continues to use the facility, we recommend that additional physical security controls be implemented to safeguard IT assets and media from loss or theft. Response: We will request a secured facility and container to ensure assets and media are safeguarded from theft and/or loss. As a County, a review and agreement must be congruent on a record retention policy to include electronic documents and media. County of Hawai'i is an Equal Opportunity Provider and Employer. IT Asset Management Follow-up Audit Department Response page 17