23
Communication to Those Charged with Governance and Internal Control Related Matters Eugene Water & Electric Board December 31, 2013
Communication to Those Charged with Governance and Internal Control Related Matters
Eugene Water & Electric Board
December 31, 2013
1
COMMUNICATIONTOTHOSECHARGEDWITHGOVERNANCEANDINTERNALCONTROLRELATEDMATTERS
TotheBoardofCommissionersEugeneWater&ElectricBoardDearCommissioners:We have audited the financial statements of Eugene Water & Electric Board (EWEB or theBoard) as of and for the year endedDecember 31, 2013 and have issued our report thereondatedMarch 7, 2014. Professional standards require thatwe provide youwith the followinginformationrelatedtoouraudit.OUR RESPONSIBILITY UNDER AUDITING STANDARDS GENERALLY ACCEPTED IN THEUNITEDSTATESOFAMERICAAsstatedinourengagementletterdatedFebruary5,2014,ourresponsibility,asdescribedbyprofessional standards, is to form and express an opinion about whether the financialstatements preparedbymanagementwith your oversight are fairly presented, in allmaterialrespects, in conformity with U.S. generally accepted accounting principles. Our audit of thefinancialstatementsdoesnotrelieveyouormanagementofyourresponsibilities.Our responsibility is to plan and perform the audit in accordance with generally acceptedauditingstandardsandtodesigntheaudittoobtainreasonable,ratherthanabsolute,assuranceaboutwhetherthefinancialstatementsarefreeofmaterialmisstatement.Anauditoffinancialstatements includes consideration of internal control over financial reporting as a basis fordesigningauditproceduresthatareappropriateinthecircumstances,butnotforthepurposeofexpressing an opinion on the effectiveness of the Board’s internal control over financialreporting. Accordingly, we considered the Board’s internal control solely for the purposes ofdetermining our audit procedures and not to provide assurance concerning such internalcontrol.Wearealsoresponsibleforcommunicatingsignificantmattersrelatedtothefinancialstatementauditthat,inourprofessionaljudgment,arerelevanttoyourresponsibilitiesinoverseeingthefinancialreportingprocess.However,wearenotrequiredtodesignproceduresforthepurposeofidentifyingothermatterstocommunicatetoyou.PlannedScopeandTimingoftheAudit
We performed the audit according to the planned scope and timing previouslycommunicatedtoyouinourplanningmeetingheldduringourinterimfieldwork.
2
SignificantAccountingPoliciesManagementisresponsiblefortheselectionanduseofappropriateaccountingpolicies.Thesignificant accounting policies used by the Board are described inNote 1 to the financialstatements.Thefollowingnewaccountingpolicywasadoptedinthecurrentyear:
Effective January1,2013, theBoardadoptedGASBStatementNo.65, ItemsPreviouslyReported as Assets and Liabilities. The Statement requires reclassification of certainitems previously reported as assets or liabilities to deferred outflows of resources ordeferred inflowsof resources. In addition, certain itemspreviously reported as assetsand liabilities are now recognized as outflows of resources (expenses) or inflows ofresources(revenues).GASBConceptsStatementNo.4,ElementsofFinancialStatements,specifies recognition of deferred outflows and deferred inflows should be limited toinstances specifically identified in authoritativeGASBpronouncements. StatementNo.65 amends items previously classified as assets and liabilities to be consistent withGASBConceptStatementNo.4.StatementNo.65alsolimitstheuseofthetermdeferredinfinancialstatementpresentations.Implementation of Statement No. 65 resulted in the reclassification of unamortizedbondissuancecostsfromanassettoaregulatoryasset(recordedwithinotherassetsontheStatementofNetPosition).Unamortizedlossesonbondrefundingwerereclassifiedfrom a liability to a deferred outflow of resources. Also, deferred sick leave and netpension obligationwere reclassified from regulatory liabilities to deferred inflows ofresourcesatDecember31forthetwoyearspresented.Therewasnoeffectonincomefor2013ornetpositionatthebeginningof2013.
Other than the policy adopted and described above, there were no additional policiesadopted in the current year and no changes in the application of existing policies during2013.WenotednotransactionsenteredintobytheBoardduringtheyearforwhichthereisalackofauthoritativeguidanceorconsensus.Therearenosignificanttransactionsthathavebeenrecognizedinthefinancialstatementsinadifferentperiodthanwhenthetransactionoccurred.
AccountingEstimates
Accounting estimates are an integral part of the financial statements prepared bymanagement and are based onmanagement’s knowledge and experience about past andcurrent events and assumptions about future events. Certain accounting estimates areparticularlysensitivebecauseoftheirsignificancetothefinancialstatementsandbecauseofthepossibilitythatfutureeventsaffectingthemmaydiffersignificantlyfromthoseexpected.Themostsignificantestimatesaffectingthefinancialstatementsareasfollows:
UnbilledRevenue–Unbilledrevenueisameasureofrevenueearnedthroughtheendofthereportingperiodthathasyettobebilled.Thisgenerallyrepresentsaccountswithbillingcyclesthatstart inthereportingyearandendinthesubsequentyear.Wehaveevaluated the key factors and assumptions used to develop unbilled revenue indeterminingthatitisreasonableinrelationtothefinancialstatementstakenasawhole.
3
Allowance for Doubtful Accounts – This represents an estimate of the amount ofaccounts receivable thatwill not be collected.Wehave evaluated the key factors andassumptions used to develop the allowance in determining that it is reasonable inrelationtothefinancialstatementstakenasawhole.
RecoveryPeriods for theCostofPlant –This represents the depreciation of plantassets.Management’sestimateoftherecoveryperiodsforthecostofplantisbasedonregulatory‐prescribeddepreciationrecoveryperiods.Wehaveevaluatedthekeyfactorsand assumptions used to develop the recovery periods in determining that they arereasonableinrelationtothefinancialstatementstakenasawhole.
OtherPost‐employmentBenefitObligations–Thisrepresentstheamountofannualexpense recognized for post‐employment benefits. The amount is actuariallydetermined, with management input. No liability is recognized in EWEB’s financialstatements because the annual required contribution, as actuarially determined, istransferred to an external trust.We have evaluated the key factors and assumptionsusedtodeveloptheannualexpenseindeterminingthatitisreasonableinrelationtothefinancialstatementstakenasawhole.
Mark‐to‐MarketAdjustment–Certainderivativeinstrumentsaremarkedtomarketatyearend.However, the impacttothestatementofrevenues,expenses,andchanges innetassetsisdeferredinaccordancewithGAAP.Wehaveevaluatedthekeyfactorsandassumptions used to develop year‐end amounts and have determined that they arereasonableinrelationtothefinancialstatementstakenasawhole.
FinancialStatementDisclosures
Thedisclosuresinthefinancialstatementsareconsistent,clear,andunderstandable.Certainfinancial statement disclosures are particularly sensitive because of their significance tofinancialstatementusers.Significantdisclosuresinclude:Note2–PowerRiskManagementandNote17–CommitmentsandContingencies.
AuditAdjustments/PassedAdjustmentsAuditAdjustments – For purposes of this letter, professional standards define an auditadjustment as a proposed correction of the financial statementsmade subsequent to thestart of audit final fieldwork. An audit adjustmentmay or may not indicatematters thatcouldhaveasignificanteffectontheBoard’sfinancialreportingprocess(thatis,causefuturefinancialstatementstobemateriallymisstated).Noauditadjustmentswerenotedontheelectricorwatersystemsinthecurrentyear.
4
PassedAdjustments–Passedadjustmentsarethoseentriesfoundduringthecourseoftheaudit thatmanagementhasdecidedtonotpost to the financialstatementsof theBoard. Ithasbeenconcludedbymanagement,andagreeduponbyMossAdams,thattheadjustmentsareimmaterialtothefinancialstatementsasawhole.Passedadjustmentsareasfollows:
ElectricPassedAdjustments–
o To gross up derivative assets and liabilities for the fair values of optionpremiumsthatwerepreviouslynettedwiththefairvaluesoftheassociatedderivative instruments: $661,758. This is a Statement of Net Positionreclassificationentryonly.
o Tocloseout jobs incommercialoperationatyearend:$530,914.This isaStatementofNetPositionreclassificationentryonly.
o To true up beginning net position for prior year Harvest Wind auditadjustment:$1,518,116.Thisamounthasbeenpostedtothe2013financialstatements.Thispassedentry is thedifferencebetweentheestimatemadeforHarvestWindandtheauditedfinancialstatementswhichwerereceivedafterissuanceofEWEB’s2012financialstatements.
WaterPassedAdjustments–
o Toreclassify theSDC liabilityon theStatementsofNetPosition:$282,849.ThisisaStatementofNetPositionreclassificationentryonly.
o Tocloseworkordersincommercialoperationatyearend:$63,795.ThisisaStatementofNetPositionreclassificationentryonly.
o Tocorrectover‐accrualof invoicepostedatyearend:$84,500.Adjustmentwillbepostedinthe2014financialstatements.
o Totrueupbeginningnetpositionforincorrectunbilledrevenueamountat12/31/12:$283,154.Thiscorrectionhasbeenpostedtothe2013financialstatements. This passed adjustment reflects the fact that this adjustmentshouldhavebeenpostedtothe2012financialstatements.
SignificantDifficultiesEncounteredinPerformingtheAudit
Weencounteredno significantdifficulties indealingwithmanagement inperformingandcompletingouraudit.
DisagreementswithManagement
Forpurposesofthisletter,professionalstandardsdefineadisagreementwithmanagementas a financial accounting, reporting, or auditing matter, whether or not resolved to oursatisfaction, concerninga financial accounting, reporting, orauditingmatter that couldbesignificanttothefinancialstatementsortheauditor’sreport.Wearepleasedtoreportthatnosuchdisagreementsaroseduringthecourseofouraudit.
5
ManagementRepresentationsWe have requested certain representations from management that are included in themanagementrepresentationletterdatedMarch7,2014.
ConsultationwithOtherAccountants
In some cases,managementmaydecide to consultwithother accountants about auditingandaccountingmatters, similar to obtaining a “secondopinion”on certain situations. If aconsultation involves application of an accounting principle to the Board’s financialstatements or a determination of the type of auditor’s opinion thatmay be expressed onthose statements, our professional standards require the consulting accountant to checkwithustodeterminethattheconsultanthasalltherelevantfacts.Toourknowledge,therewerenosuchconsultationswithotheraccountants.
IndependenceMossAdamsisindependentinappearanceandfactwithrespecttoEugeneWater&ElectricBoard.
COMMUNICATIONOFINTERNALCONTROLRELATEDMATTERSInplanningandperformingourauditofthefinancialstatementsofEWEBasofandfortheyearended December 31, 2013, in accordance with auditing standards generally accepted in theUnited States of America,we considered theBoard’s internal control over financial reporting(internalcontrol)asabasisfordesigningourauditingproceduresforthepurposeofexpressingouropiniononthefinancialstatements,butnotforthepurposeofexpressinganopinionontheeffectivenessoftheBoard’s internalcontrol.Accordingly,wedonotexpressanopinionontheeffectivenessoftheBoard’sinternalcontrol.Our consideration of internal control was for the limited purpose described in the firstparagraph andwas not designed to identify all deficiencies in internal control thatmight bematerial weaknesses and therefore, material weaknesses may exist that were not identified.However, as discussed below, we identified certain deficiencies in internal control that weconsidertobeamaterialweakness.Adeficiencyininternalcontrolexistswhenthedesignoroperationofacontroldoesnotallowmanagement or employees, in the normal course of performing their assigned functions, toprevent, or detect and correct misstatements on a timely basis. A material weakness is adeficiency,oracombinationofdeficiencies, ininternalcontrol,suchthatthereisareasonablepossibility that a material misstatement of the entity’s financial statements will not beprevented,ordetectedandcorrectedonatimelybasis.
6
We consider the following deficiencies in the Board’s internal control to be amaterialweakness:
CircumventionofcontrolsDuringthecurrentandprioryearprocedures,wehavenotedaseveralinstanceswhereemployees have been able to circumvent the control structure in place, whetherknowledgeable of the implications of their actions or not. Some of the specific itemsnotedthatpromptedthiscommentareasfollows:
1) Ability for IT employees tomakeunauthorized changes to thepurchasingsystem database, thus bypassing the normal requisitioning approvalprocess.Wenotedaninstancewherethisoccurredinthecurrentyear.Seeadditionaldetailsrelatedtothisinourcommentlabeled,“ITcircumventionofcontrols,”below.
2) Ability for employees to purchase and maintain significant amounts of
inventoryitems,viatheuseofaEWEBcreditcard.Thisallowstheemployeetoavoid thenormal inventorycontrols thatareattached to items thatarepurchasedthroughthewarehouse.Thesecontrolsincluderequiredphysicalinventories of the warehouse, security of the warehouse, and purchasingcontrolsthathelpidentifysignificantpurchasesthatwouldrequireinformalorformalbiddingproceduresperEWEBpolicyandStateofOregonstatute.Asaresultofthisprocess,managementhasrecordedanadjustmentof$2.1millioninthecurrentyearonceallthevariousoffsiteinventoryitemswereidentifiedandrecordedonEWEB’srecords.
3) Ability for employees to receive wage increases without any writtendocumentationmaintained in the employee file to authorize the increase.Seeadditionaldetailsrelated to this inourcomment labeled, “Approvalofpayratechanges,”below.
4) Significantpurchasesbeingmadeonemployeecreditcardsthatseemmoreappropriate forEWEB’s standardPOprocess. Someof these items includepurchases for computers, computer equipment and specialized, high‐costofficechairsforemployees.
Weanalyzedtheimpactoftheaccumulationoftheseitems,alongwiththecontroldeficienciesnotedbelowandhaveconcludedthattheyrisetothelevelofamaterialweakness. In 2014, EWEB is implementing a significant Workorder AssetManagementSystem(WAM). Inorder for the implementationof thissystemtobesuccessful,itisvitalthatappropriateinternalcontrolsarenotonlyputinplace,butfollowedconsistently.
7
As such,we recommendmanagement consider creating a position for an InternalAuditManager.ThispositionwouldreportdirectlytotheGeneralManagerand/orthe Board of Commissioners and would provide several key roles for the Board.First,thispositioncouldprovideriskassessmentoninternalcontrolsandtestingtoensurecontrolsaredesignedand implemented.Second, thisrolecouldprovideanoutlet for employees to report any concerns. We also recommend consideringcontracting outwith an experienced thirdpartywho couldprovide IT‐specializedinternal audit services. This would allow for additional support for the ITdepartmentandall of its employeesas the concerns raised in thisdepartment, asmentioned in the instance noted above, may require an auditor with specialknowledge and experience. We also recommend that management continue toeducateemployeesabout the importanceof internalcontrolsandrequireperiodicethicstrainingtokeyemployeesinvolvedwithinternalcontrols.
ManagementResponse–RogerGray,GeneralManager:Improvinginternalprocesses, controlsand systemshasbeenanon‐goingeffort.We takepastaudit findingsandcontinuetomake improvements. Management initiatedtheWAMprojectwhichcreatedathoroughreviewofmanyoperationalandcontrolsprocesses.TheWAMworkwaswhatledtoManagementfindingtheinventoryissuewhichwasquicklydisclosedandreportedtoMossAdams.In2014wewillensureincreasedfocusanduseofproperinternalcontrolsby:
1) Implementationof theWAMprojectwhichwill result inmoremodernand standard business processes and tightening of internal controls.This system impacts our plant, procurement and inventory processes.Thesemodernbusiness processeswill be reviewedbyBakerTilly andMoss Adams before the system goes live in the fall to ensure properadherencetointernalcontrols.
2) We will provide training to all Managers & Supervisors regardinginternalcontrolsandtheirroleinensuringadherenceandsupport.
3) TrainingforITregardingtheiruniqueroleinsupportingITsystemsandtherelatedinternalcontrols.
EWEB had an Internal Audit Department up until December 31, 1996. Thatdepartment consisted of an internal auditmanager and two staff positions. Inthe 2012 budgeting process, Management proposed reestablishment of aninternalauditorpositionanditwasnotapprovedbecauseofincreasingbudgetconstraints.Inthepast3budgetcycles(2012,13and14),EWEBhascontinuedtoreducepositionsandpersonneltomeetincreasingbudgetandratepressures.Adding an internal auditor position without incremental funds will result inreductionofanotherpositiontooffsetthecost.
8
This may improve performance with respect to internal controls, but it willreduceoperationalperformance.EWEBhasalreadyexperiencedseveralminoroperationalperformanceissuesduetothereductionsmadeinthepast3years.Nonetheless,theGeneralManager(GM)appreciatestherecommendationbyourMoss‐Adams (EWEB’s external auditor) and will take the following actionsduring2014inlightoftheMoss‐Adamsrecommendation.
1) For the 2015 Budget, the GM will again include an internal auditor
position with proposed incremental funding to cover the cost of theposition.Thishasalreadybeenincludinginthe2015financialplanthatiscurrentlybeginproducedbyEWEBstaffandwillbeintroducedtotheBoard under the normal financial planning process (i.e. typicallyintroducedinJulyandapprovedinNovember/Decemberofthecurrentyearforthefollowingyear’sbudget.
2) Asanalternativetoa“pure”internalauditorpositionwhichtheGMdoesnot believe is necessarily a full‐time position on its own, the GM willpropose a “hybrid” position of internal/performance auditor. Thisposition hypothetically could pay for itself because part of aperformanceauditor’s role is to look forperformanceandcostsavingsopportunities. Due to the fact that the GM and Leadership team havealready been cutting costs across the board for several years, there isunlikelytobelowhangingfruitsothelikelihoodofimmediateoffsettingcost savings is low; therefore, the GMwill stillmake a partial fundingincreaseforthe2015budgetforthehybridposition.
3) With respect to the reporting recommendations, EWEB’s currentgovernance structure is not conducive to adding additional EWEBemployees that literally report to the Board. Under present Board‐approvedpolicyonly1EWEBemployee(theGM)reportstotheBoard.However, the General Manager has already discussed with Boardmembersinthepastpossiblemodificationstothispolicytoconformtobettergovernancepractices.Someofthesemodifications(notrequiringBoardapproval)havealreadybeenputinplacebytheGM.Forexample,the Risk Management Committee (RMC) votes are recorded and theChiefFinancialOfficerhasbeen instructed tomakeherdissentingvoteknowntotheBoardifshebelievestheissueismaterialenoughtoraiseto theBoard. TheGMhasalso instructed theCFOandHRManager totake certainmatters to theBoardPresident (bypassing theGM)undercertaincircumstances.InlightofMossAdams’recommendationandtheGM’smodifiedpracticesdescribedabovetheGMwillmakethefollowingrecommendations for policy changes (that are subject to Boardapproval).
9
a. All applicable policies will be modified so that the proposedposition of Internal Auditor (or Internal/Performance Auditor)may communicate directly with the Board President asnecessarytoperformhis/herpositioneffectively. AlthoughthepositionwilladministrativelyreporttotheGM,theGMwillonlyhire or terminate the person in this position (or eliminate theposition) with the concurrence of the Board President. TheBoardPresidentmayseekapprovalfromtheentireBoard.
b. The GM has already instructed the CFO and HR‐Manager tocommunicate certain matters with the Board President undercertain circumstances in order for them to effectively performtheirroles.TheGMwillalsoproposepolicychangessothatthesepositionswillcontinuetoreportadministrativelytotheGM,butwill be treated similarly to the proposed Internal Auditor(Internal/Performance Auditor) for governance reviewpurposes.
c. Because the recommendation by Moss Adams eliminates thecurrent concept of unity of control built in to EWEB’s presentgovernance structure there also needs to be an appropriaterebalanceofaccountabilityintheeventthattheBoardacceptsabusiness recommendation by the Internal Auditor that the GMdisagrees with. In the event that the recommendation of theInternal Auditor creates an adverse financial or operationalimpacttheInternalAuditorandnot theGMwillbeaccountablefortheresult.TheGMwillproposeappropriatemodificationstotheUnityofControlpoliciesaswell.
Inadditiontotherequiredcommunications,wehaveidentifiedthefollowingmattersforyourconsideration.Ourrecommendationsarebasedonobservationsandtestingduringthecourseofouraudit.TheserecommendationsshouldbeevaluatedbymanagementandtheCommissionersforimplementationandEWEBshouldconductacostbenefitanalysisincludingconsiderationoftherisksfortherecommendedaction.ControlDeficiencies
TimelyreconciliationofbankreconciliationsAt the timeweperformedour interim fieldwork testing inDecember2013,wenotedthat bank reconciliations had only been completed through June 2013. Timelyreconciliationofall cashaccounts is important to ensure that thisdetective control isabletoidentifyerrorsorsuspiciousactivityinatimelymanner.Werecommendthatapolicybeestablishedtorequiremonthlybankreconciliationstobecompletedwithinamonthofthemonthendclose.
10
ManagementResponse–SusanEicher,AccountingandTreasurySupervisor:Accounting has a procedure to complete timely bank reconciliations asmentionedabove.However,duetothe80%turnoverintheAccountingstaffandstaffing shortages in Cash Accounting, the bank reconciliations were notperformedastimelyasnormal.OverthenextyearAccountingwillworkcloselywith Cash Accounting to ensure cash receipt information is timely andAccountingreconcilestheactivityaccordingtopolicy.
Inventorypurchasesoutsideoftheinventorysystem
Duringourdiscussionswithmanagement,wenotedthatemployeeshavetheabilitytopurchase andmaintain significant amounts of inventory items via the use of a EWEBcredit cards or through purchase orders. This may allow the employee to avoid thenormal inventory controls that are attached to items that are purchased through thewarehouseanditemsmaynotberecordedcorrectlyintheinventorysystem,resultinginoverstatementof operatingexpensesandcapital assets.Normal inventorycontrolsincluderequiredphysicalinventoriesofthewarehouse,securityofthewarehouse,andpurchasingcontrolsthathelpidentifysignificantpurchasesthatwouldrequireinformalorformalbiddingproceduresperEWEBpolicyandStateofOregonstatute.Asaresultofthis process, management has recorded an adjustment of $2.1million in the currentyear once all the various offsite inventory items were identified and recorded onEWEB’srecords.Werecommendthatmanagementdiscussinventoryheldoutsideofthewarehouse to determine 1)whether the inventorywould be better held and securedwithin the warehouse, 2) if inventory is to be held outside of the warehouse, whatcontrols will be implemented to ensure the security of the inventory, 3) whatprocedureswillbeestablishedtoensureperiodicphysicalcountsoftheinventoryheldoutsideofthewarehousewillbeperformed,4)whetherinventorypurchasesshouldbepurchased strictly through PO to ensure State purchasing laws are consistentlyfollowed.
Management Response – Todd Simmons, Transmission and DistributionOperationsManager: In the fourth quarter of 2013, as part of theWork andAssetManagement(WAM)project,EWEBstaff,alongwithourWAMconsultants,begantomaptheinventorysysteminordertocreatethe“asis”and“shouldbe”conditionswiththenewsystem.InadditiontotheinventoryinthewarehouseattheRooseveltOperationsCenter(ROC)andinEWEBworkvehicles,staffwastasked to account for any additionalmaterial and supplies in their respectivework groups. Materials were counted and values estimated at the ROC,Substations, Pump Stations, Headquarters, Hayden Bridge Filter Plant,WaltervilleHydroelectricPlant,LeaburgHydroelectricPlant,andCarmenSmithHydroelectricPlant.ThisinformationwassharedwithMossAdamsinthefourthquarterof2013prior to the2013auditandanaccountingentrywasmade torecognizethevalueofthematerialsasofDecember31,2013.
11
The material in all locations were either consumables and therefore notconsideredinventory, inventorymaterialspurchasedforO&Morcapitalwork,materialsandequipmentthatwasaccountedforcorrectlyandincludedinplant,or materials that no longer had any value other than to EWEB (outdated orantiquated equipment andmaterials still onhand as replacement parts). Thismaterial was acquired over the course of business over years or decades byvariouspurchasingpolicies,practices,andprocedures.Someofthematerialwaspurchased and immediately put into plant upon receipt. In some cases thismaterialshouldhavebeenaccountedforas inventory itemssince ithasyet tobe installed in the system or used for O&M work. Some equipment; meters,transformers, pumps, and breakers, are properly accounted for as part of theplant since this equipmentmoves in and out of service. With respect to therecommendationsregardingphysicalstorageofmaterials(i.e.insidewarehouseornot),itisnotphysicallypossibleoroperationallyprudenttoattempttostoreall such materials in the warehouse. However, it is possible through propercontrolsandprocedurestocreateadistributedwarehousewhere inventory isproperly controlled andmonitored. At this time there is an inventory controltask forcedetermining inwhichcategoryeachpieceofmaterialbelongs. Thisinventory control task force, made up of staff from Finance, Operations,Purchasing, Facilities, and Engineering will determine how inventory ispurchased, accounted for, controlled, and cycle countedwithin the newWAMsystemthatisexpectedtogoliveinSeptember2014.
ApprovalofpayratechangesDuring our internal control testing over payroll, we noted that several employeepersonnel filesdidnot includesignedpersonnelaction forms for theemployees'mostrecentpayadjustments.Werecommendthatanapprovedandsignedpersonnelactionformbeincludedineachemployee'spersonnelfileforeachpaychangeimplemented.Inaddition,we identified several errors in theupdatedwage rate spreadsheet includingincorrectwageratesforanumberofemployees.Werecommendthatadetailedreviewofallwageincreasesbeperformedwithafinalreviewbythepayrolldepartmentpriortoinputtingtheupdatedratesintothesystem.
ManagementResponse– Lena Kostopulos, Human Resources Manager: In2013,EWEBconductedacomprehensivestudyandredesignofthecompensationsystemfor its Management, Professional, Technical and Administrative (MAPT) workers.The project entailed a complete redesign of EWEB’s compensation architecture,detailedevaluationofthedutiesandmarketcomparisonofthepayforeachpositionand finally, the placement of each incumbent into the appropriate performance‐basedpaydesignationwithintheirassignedpayrange.
12
TheevaluationandfinalassignmentofpaywasconductedinpartnershipwithHR and the supervisor and manager of each job. The placement of each ofindividualintheirsubjectpayrangewasmadebythesupervisor/managerwiththeguidanceoftheassignedHRrepresentativeforthepurposeoforganization‐widecalibration.
The project was a full replacement of the previous system and resulted in alarge number of changes. The approach was to review entire groupings ofemployees (by section or function) at the same time with the final outcomebeing an individual pay assignment agreed upon by the supervisor, managerandHRrepresentative.
o The HR representative recorded the final decision in a masterspreadsheet.
o Prior to implementation, the spreadsheet was sent to thesupervisor/manager of each of the subject groups. While there wasverbalagreementandanexchangeofe‐mailsurroundingeachchange,therewasnoexplicitstatementofapprovalinallcases.
o Importantly, an independent process anddetermination reviewof themarket matches and salary level disposition for each position wasconductedbyMillimanConsulting.
Now that the project has been completed, it is unlikely that EWEB willundertakeanothermassreviewintheforeseeablefuture.However,intheeventthat does occur or if similar adjustments to an entire groupwere to bedone,EWEBwill includeasteprequiringadocumentedapprovalforeachindividualtransaction.
EWEBwillupdateproceduraldocuments in theSalarySettingPracticesPolicytoensureanyfuturepaychangesareappropriatelydocumented.
EWEBacknowledgestherewereerrorsascitedbytheauditors.ErrorswerebroughttoHR’sattentionandthroughadditionalauditingandreconciliationaformulaerrorinthewageratespreadsheetandanincorrectwagerangemid‐point factorwerediscovered.The supervisor/managers of affected employees were notified, with the supervisorvalidating the corrections and communicating the changes to their respectiveemployees.Intheeventofanotherlargescalechangeaffectingwagerates,theprocesswill includeanauditwithreviewbyPayroll,HR’sSeniorBusinessAnalyst, theProjectmanageranddataentrypersonnel.
Breachof$5,000procurementthresholdDuringour internal control testingoverdisbursements,wenotedabreachofEWEB's$5,000 threshold for small procurements. The original purchase orderwas under the$5,000threshold,however,thepurchaseorderwasamendedwithachangeorderwhichbrought the total PO amount up above EWEB’s small procurements threshold.
13
Per EWEB's small procurements rule 3‐0265(1), amendments to small procurementswhich will cause breach of the $5,000 threshold may not increase the total contractpricetogreaterthan$6,000.Therefore,thiswasoutsideofEWEB'spolicies,andonceitwasclear that the$5,000thresholdwas indangerofbeingbreached,3quotesshouldhavebeensoughtinordertocomplywithEWEBpolicy.WerecommendthatemployeesbeeducatedonhowtocomplywithEWEB'sprocurementrules.We also recommend that EWEB implement procedures to evaluate disbursementsthroughouttheyearforcompliancewiththeprocurementthresholds.
ManagementResponse–GailMurray,PurchasingandRiskManager:Duringtheyear,thePurchasingstaffbecameawareoftheabovebreach.WhenthebreachwasdetectedthedepartmentstaffwasaskedtocompleteaFindingstoSupportBreachof $5,000, which is the Small Procurement Threshold. The breach was thenapproved by the Leadership Team member for that department. After furtherinvestigation by purchasing staff, this instance was determined to be unfoundedsincethepurchasewasPersonalServiceswork,whichdoesnotrequiresolicitationof bids unless the scope of work exceeds $150,000. However, in the course ofinvestigatingthebreachcited,purchasingstaffdiscoveredapurchaseofgoodsthatthatwasdeterminedtobeabreachoftheSmallProcurementthreshold.
OverthenextyearPurchasingwillprovideadditionaltrainingtohelpeducatestaffregarding thresholds and purchasing policies. In addition, future breaches ofprocurement thresholds will be noted and included on the Board’s quarterlycontractreport.
TimelinessofconservationloanreceivablereconciliationDuringtheprocessofauditingconservationloansreceivable,wenotedthatalthoughtheaccounthadbeenreconciledtotheconservationloanssystematyearend,ithadn’tbeenreconciled prior to that since February 2013. Through the year end reconciliationprocess, accounting personnel noted that there were loans that were assignedincorrectly to expense FERC accounts rather than receivables. As a best practice, werecommendthat loandetailbereconciled to thegeneral ledgeronamonthlybasisbythe personnel responsible for maintaining the conservation loan system so that allerrorsmaybereconciledinatimelymanner.
Management Response – Mark Freeman, Customer Service and EnergyManagementServicesManager:Perrecommendations fromMossAdams, loanreconciliationwill occur on amonthly basis by the personnel responsible formaintainingandadministeringEWEB’s loanprogram.Currently, thatpersonisEWEB’sLoanAdministrator.AnewprocesswillbedevelopedtoreviewtheloanprogramtoensureallofEWEB’sloansconformtoEWEBprogramrequirements.
14
ITcircumventionofcontrolsItwasnotedthattherewasanissuewhereinternalcontrolswerecircumventedbyITpersonnelbasedonrequestsfromusers.ARequisitionwasalteredafteritwasinitiallyentered, without the appropriate approval. The value of the requisitionwas changeddirectlyinthedatabasebasedonarequestmadeinpassingwithoutthoughtabouttheissue with circumvention of controls. In most cases it is not appropriate to addressissues in this manner, however, there may be times when business needs maynecessitateaquickoremergencyfix.Insuchcases,documentationoftheactionstakenandtheformalapprovalofthoseactionsshouldberetained.Inadditiontomakingsurethat all requests get documented and approved, consideration should be given togeneratingreportsonaregularbasisthatshowsactivityperformedwithinthesystemsbyITpersonnelwithrespecttotransactions.
ManagementResponse–MattSayre,InformationTechnologyManagerandRoger Gray, General Manager: EWEB acknowledges there was acircumventionofcontrols.ThedocumentchangedwasarequisitionwhichhadnotyetbeenprocessedtothePurchaseOrderstage.Thechangewastoa ‘unitprice’value.The‘unitprice’defaultvalueis0;thisvaluewaschangetoa1.Theeffectwastochangearequisitionthathadbeenapprovedwitha$0valuetoa$9,000value.
The IS Department will work with Financial Services to ensure all necessaryinternalcontrolsaredocumentedandunderstoodbystaff.Inaddition,in2014Staff will develop a report that supports Internal Controls and details anyadministrativechangesto the financialsystems, to theFinanceDepartment. ISpersonnelhavebeencoachedandcounseledonthismatterastotheimportanceand implications ofmodifying financial systems outside of proper proceduresandtheimportanceofcontrols.
ITopportunitiesforbusinessprocessimprovements–part1Duringtheauditperiod,EWEBunderwentasignificantprojecttoreplacethehardwareunderlyingtheOraclesystems.Theprojectbroughttolightsomeissuesthatshouldbeassessed.First,therewasturnoverintheLinuxAdministratorpositionmidwaythroughtheprojectwhichhighlightedissuesrelatedtothepositionexperiencingagooddealofturnover.EWEBshoulddeterminewhetherthereareissuesrelatedtocompensationorotherfactorsthathaveresultedintheturnoverwhichshouldbeaddressed.Second,thedepartureof theadministratorbrought to light the lackofdocumentationaround thefunctionsperformedbytheposition.EWEBshoulddevelopadequatedocumentationofthefunctionsperformedbytheLinuxAdministratortoactasaninsurancepolicyagainstongoingturnover.
Management Response – Matt Sayre, Information Technology Manager: There has been high turnover specifically with regard to the LinuxAdministrator position. In 2013 the Information Services Department, inpartnershipwithHumanResources,placed theposition inanappropriatepayrangeduringaclassandcompensationstudy.
15
In 2013 Information Services also re‐wrote the position description and re‐classifiedthepositionfromaLinux&NetworkAdministratorItoamoreseniorLinux&NetworkAdministratorIIposition.Comparingthepositiontomarketaswellasre‐classifyingthepositionfromaItoaIIincreasedthecompensationtoanappropriatelevel.Thepositionwas filled inearly2014andthe incumbenthasbeenassignedanindividual goal to complete Linux server build documentation, applicationinstallation documentation, and storage configuration documentationassociatedincalendaryear2014.
ITopportunitiesforbusinessprocessimprovements–part2AnissuefromtheprojecttoreplacethehardwareunderlyingtheOraclesystemsrelatedtoServiceLevelAgreementswiththird‐partyvendors.Theprojectteamhadmadesomeassumptions regarding the level of support they should expect from their vendors,particularly with respect to when that support is available. EWEB should be sure todocument an understanding of SLAs and should consider enhancing vendormanagementpracticestoreviewSLAsonaregularbasis,assessingvendorperformanceagainstthemtoensurethatthevendorsremainacceptablebusinesspartners.
Management Response – Matt Sayre, Information Technology Manager:EWEB recognizes that comprehensive SLAs for both external and internalhosted systems are crucial in achieving our Information Servicestransformationgoals froma legacy systemstructure to a servicesdeliverystructure. The Information Services department has embraced the bestpracticesframework,InformationTechnologyInfrastructureLibrary(ITIL),for all new and upgraded hardware and software services. InformationServices has trained and certified over 60% of I.S. employees in the ITILmodel. Prior to promoting new systems, replacements or upgrades tooperations, the Information Services Department now follows the ITILServicesTransitionprocesswhichrequiresareviewandvalidationofSLAs.The SLA will clarify support performance levels as well as contractenforcement. This informationwill be stored in a SharePoint location andrevieweduponeachcontractrenewal.
PriorYearMattersInternalControlStructure
ReviewofmetersetupDuringourdiscussionswithmanagement,wenoted thatupwardsof$300,000 innewloanshadbeen issued to commercial customers as a result of under‐billings to10‐15commercialaccounts.
16
Theunder‐billingswerecausedby impropermeter setup that resulted inamultiplierbeingusedthatwasmuchlowerthanwhatwasrequiredforthetypeofaccountbeingserviced.Thesetupofthesemeterswasnotreviewedforaccuracyinatimelymannerandmonthspassedwithoutmanagementdetecting theunderlying issue.The lackofatimelyreviewoftheinstallationandpropersetupofthesemetersresultedinadditionalloansthatthecustomershaveagreedtopaybackinthefuture.Werecommendthatapolicybeestablishedandimplementedtorequiresomeoneotherthanthepersoninstallingthemeter, toreviewtheworkperformedandtheattributessetupinthebillingsystemtoensuretheappropriateusageisbeingcalculated.
2013Update–Weinterviewedpersonnelinthemetershopinthecurrentyearandnoted that procedures have been established to ensure that new meter setup isreviewedbyanemployeeotherthanthepersoninstallingthemeter.Webelievethisissuehasbeenappropriatelyresolvedinthecurrentyear.
AnonymouswhistleblowerhotlineDuring several of our discussions with personnel at varying levels throughout theorganization, we noted a perceived apprehension regarding the willingness tocommunicate internal control and ethics concerns for fear of having personalrepercussionsiftheinformationisleakedtothewrongperson.Wealsonotedthattheorganizationdoesnothaveamethodinplaceforemployeestosafely,andanonymouslyreport suspicious activity occurring inside the organization. We recommend that awhistleblowerhotlineservicebeutilizedsothatemployees feelcomfortablereportingissuesinasafeandanonymousmanner.Usingathirdpartyvendorforthisservicewillhelpimprovethelikelihoodofanonymityandemployee’sperceivedsafety.
2013Update –Management has taken steps to address this issue in the currentyear through two actions. First, management updated the internal disputeresolutionandwhistleblowingpolicytohelpemployeesdeterminetheappropriatecourse of action when they have a concern. Second, EWEB held training for itsmanagersandsupervisors toeducate themonEWEB’spoliciesandproceduresaswellasethicalbusinesspractices.However,throughourcurrentyearconversationswith several of the employees throughout the organization, we have noted acontinued trendof employees concerned about the lack of anonymous outlets forreporting internal control or ethics concerns. We have included in arecommendation for an Internal Audit Manager within our material weaknesscommentabove,whichwe feelwould fullyaddress this commentaswell. Seeourrecommendationabove.
EWEBCreditCardsDuring our discussions with EWEB personnel and through review of credit cardstatements,we noted one case inwhich a supervisorwas using an employee's creditcard to make purchases, and then approving that employee's credit card statement.
17
Werecommend thateachemployee'scredit cardbeusedonly forpurchasesmadebythatspecificemployee,asrequiredbycurrentpolicy,andthatasupervisorormanagerreview and approve the charges before being submitted for payment. Any purchasesshouldalsobemadebytheappropriatepersonnelandgothroughthenormalprocesstoensurecompliancewithEWEBpolicy.
2013Update–Wehavediscussedthisissuewiththeemployeeandnotedthattheissuehasbeenresolvedinthecurrentyear.However,westillbelievethattheriskforadditionalissueslikethisispresentgiventhenumberofemployeeswithEWEBcreditcardscoupledwiththecurrentcreditcardpolicy.Werecommenddecreasingthenumberofemployee’swithaccesstoEWEBcreditcardsandrevisitingthecreditcard policy to ensure that the credit card limits assigned, and the types of itemsallowed to be purchased are appropriate to achieve a stronger level of internalcontrols.
ManagementResponse–GailMurray,PurchasingandRiskManager:Thecreditcard policy is in the process of being updated to mirror policies of other localgovernmentagenciesandfindingsastheresultofthisaudit.Trainingwilloccuronthe new policy and the use of credit cards. We are in agreement that too manyemployees have credit cards that are not necessarily needed for their day to daywork.Wewillworkwithdepartments on reducing the number of credit cards aswellasthedollarlimitsassociatedwiththecardstolessenourriskexposure.
CustomerServiceBillingSystem
CustomerAdjustmentsReportDuring our review of the controls surrounding customer adjustments and review ofthoseadjustments,wenotedthatalistingofcustomeradjustmentsisrunonamonthlybasis and reviewed by someone other than the person making the adjustments.However, we noted that the listing was large and containedmuchmore informationthanisneededtoverifyadjustments.Thepersonreviewingthelistingstatedthatsheisnot able to thoroughly review all the adjustments to determine that they wereappropriate and booked by authorized personnel. In addition, we noted that anyadjustmentsrecordedby theCityofEugenearenot reviewedduring thisprocess.Werecommend that the format and parameters used to run the adjustments report berevisitedtoensurethatamorestreamlineduser‐friendlyreportisproducedthatcanbereviewedinamoreefficientandeffectivemanner.WealsorecommendthatthereviewoftheadjustmentsreportincludetheCityofEugeneadjustmentstoensurethattheyareappropriateandrestrictedtothesewerportiononly.
2013Update–Throughourcurrentyearprocedures,wenotedanupdatedreportformatthatisrunelectronicallytoassistthebillingdepartmentinmoreefficientlyreviewing billing adjustments. EWEBpolicy states that all adjustments over $300shouldbereviewedonamonthlybasistoensurethattheyareappropriateandhavesupportingnotesinthecustomerinformationsystem.However,althoughthisissuehasbeenpartiallyresolved,wenotedafewremainingissues.
18
First, we noted a segregation of duties issue since the person responsible forreviewing themonthly adjustments report also has access to record adjustments.Second, no adjustments under $300 are reviewed, which may leave a significantfraudrisktotheorganizationsincemostresidentialcustomerbillswouldbebelowthisamount.
Management Response – Mark Freeman, Customer Service and EnergyManagementServicesManager:
Requests foradjustmentsreceivedinBillingControlare initiallyreviewedandapprovedfromaninternalcontrolperspective,beforeprocessing.Questionableadjustmentsarebroughttomanagementforseparatereview/inquiry/approval.
EWEB does not have a “Customer Adjustments Policy”. Customer Servicedepartmentsdevelopedandnowusea“ConflictofInterestStatement”whichisannuallycoveredanddocumentedwithalCSstaff.
Going forward, EWEB will implement a mitigated control, to provide asegregatedreviewoftheinitialreviewer’swork.
Goingforward,EWEBhasremovedthe$300thresholdandwillrandomlyselect25‐30adjustmentsmonthlytoaudit.
CustomerAdjustmentAccessControlsDuringourreviewofthecontrolssurroundingcustomeradjustmentsandthroughourIT testingprocedures,wenoted thatanyonewithread‐writeaccess to theCISsystemcouldrecordadjustments.Wealsonoted thata listingofpersonnelwhohasaccess totheCISsystemisnotroutinelyreviewedandthereforepersonnelthatmovedfromthecustomer service department to another department still may have access to postadjustmentstocustomeraccounts.OurITproceduresrevealedthatover200usershaveaccess to the billing system and most have the ability to record adjustments. Werecommendthatmanagementimplementcontrolstoreviewcurrentaccesstothebillingsystem and restrict read‐write access to only the individuals authorized to recordadjustments in the billing / customer service department or other authorizeddepartments.Accesstothesystemshouldbereviewedonaperiodicbasistoensurethataccesstothesystemisappropriate.
2013Update – During our current procedures,we noted that a new class called“adjustments”wasestablishedandEWEBallowedemployeesaccess to this grouponly if they required the ability tomake adjustments. These employees consistedprimarily of customer service representatives. EWEB has also developed a newreport to identify theamountofadjustmentsmadebyeach individual.Webelievethisissuehasbeenappropriatelyresolvedinthecurrentyear.
CustomerAdjustmentsPolicyDuringourreviewoftheprocessusedtorecordadjustments,wenotedthatalthoughapolicyforrecordingadjustmentsispresent,itisnotfollowedonaconsistentbasisandtherefore adjustments are not reviewed and approved prior to being recorded.
19
Wealsonotedthatthepolicydoesnotincludeprovisionsforthedollarthresholdsthateachemployeeisallowedtorecord.Werecommendthatmanagementupdatethepolicyto incorporate provisions for which employee positions are allowed to recordadjustments. The policy should also establish thresholds for the amounts that eachposition can record and should also specifywho is authorized to reviewandapprovethoseadjustmentspriortobeingrecorded.Theseprovisionsshouldbeimplementedsuchthatadjustments,overaspecifieddollarthreshold,arepreparedandapprovedbyseparateindividualstoensuretheappropriatesegregationofduties.
2013 Update – See 2013 update to “Customer Adjustments Report” commentabove,whichaddressesbothcomments.
WorkOrderandAssetManagement
WorkOrderDocumentationConsistencyDuring our review of work orders, we noted that the documentation maintained toexplainandsupportthereasonforsignificantvariancesfrombudget/estimatedifferssignificantlyfromjobcoordinatortojobcoordinator.Often,nodocumentationexistsinthe jobpackets toexplain thereason forsignificantvariances frombudget/estimate,and only limited comments in the Work Tracking system are maintained to explainvariancesat theproject level.Asabestpractice,werecommendworkingwith the jobcoordinators todevelopacloseoutsheet todocumentwhentheworkwascompletedand why the job was over / under budget (if applicable). It may be helpful to set athresholdforwhenthesecontrolsneedtobeappliedasnotalljobsrequirethisdetailedlevelofmonitoring.
2013 Update – Through our discussions with engineering and operationspersonnel, we noted that the organization has established a threshold of$50,000forrequiringauniformclose‐outdocument.However, thispolicywasin the process of being implemented during our audit and our work ordersample selectionsdidnot include anyworkorders thatwere subjected to thenewuniformcloseoutform.Werecommendthatmanagementcontinuetoworkon implementing theuniform closeout form to ensure that a consistent set ofanalysesandcloseoutproceduresbefollowed.
ManagementResponse–MelDamewood,EngineeringManager:Engineeringhasestablisheduniformclose‐outdocumentsforallCapitaldrivenprojectsover$50,000 in2013.The initialphaseof thisworkwas focusedsolelyonprojectsgenerated andmanaged out of the Engineering Dept. Thework orders foundlacking the documentation were projects generated from other departments,whichwere not included in the initial scope of the close‐out standardization.The remainder of the coordination will occur in 2014, and include allDepartmentsofEWEB that generate capital drivenwork. Implementationwillbecompletedbytheendoftheyear.
20
WaterDepartmentExceptionReportingDuring ourwalkthrough of exception/validity reports, we determined that thewaterdepartmentdoesnotreviewthelistingofzero‐readmeters.Wedidnotethatthebillingdepartmentrunsazero‐readreportforthewaterdepartment(approximatelymonthly).However, we believe the best practice recommendation below would improve thecontrols in this area and make them consistent with the practices of the electricdepartment. As a best practice, the zero‐read exception report should be run by thewaterdepartmentonat leastaweeklybasissimilartothetreatmentofzeroreadsfortheelectricdepartment.
2013Update–Wenoted thatnoconsumptionreport isnowbeingutilizedasone of thewater system exception reports and therefore, this issue has beenresolved.
PriorYearITMattersInformationTechnologyMatters
ITFinancialStatementActiveDirectoryDuring the IT examination, a user extract of theActiveDirectory (AD)was comparedagainst a listing of current employees. This comparison identified numerous ADaccounts forpersonsnot includedon thecurrentemployee list. Itwasalsonoted thatEWEB does not conduct formal access reviews on a regular basis. The goal of thesereviewswouldbe twofold: 1‐ to ensure that accounts for terminated employees havebeendisabled,and2‐toensurethatpermissionsandaccessrightsareappropriateforeach user’s job responsibilities, and that the systems are configured to help ensureproper segregationofduties. It is recommended thatEWEBdistributeuser listings tomanagers to verify the access rights of direct reports. This should happen at leastannually,anditisrecommendedthisbeconductedsemi‐annually.
2013 Update – During the current year IT examination, we performed similarprocedures and identified 11 AD accounts and 4 CIS accounts for persons on theinactive employee list. We do not believe this issue has been resolved andrecommendthatEWEBdistributeuserlistingtomanagerstoverifyaccessrightstodirectreportsonatleastanannualbasis.
ITOtherMattersAccessManagementaroundRe‐org/ReductioninForce:Therewassomeconcernoverthe re‐organization activities that occurred during July 2012. Through inquiry andobservationoftrackingspreadsheetsthefollowingwasnoted:
i. During the re‐org, service desk tickets were created for all changed
rolesii. Inaddition,aspreadsheetwaspreparedthatlistedallchangesincluding
lay‐offstoensurethataccesswasmanagedappropriately
21
PotentialIssues:Giventheactiveaccountsnotedforusersnotonthecurrentemployeelistandthe lackof formalreviews, it ispossible that theremaybesomeaccessrightsthat have not beenmanaged appropriately. This risk is low given the effort put intoplanningthere‐organization.
2013Update–See2013updatetoITactivedirectorycommentabove
ITOpportunitiesforPotentialBusinessProcessImprovement‐NetworkItwasreportedthatEWEBstillmaintainstwodistinctcorenetworkoperatingsystems‐Novell and Windows AD network operating systems. The organization has notcompletelymigratedoffoftheNovellsystemandsetsupuseraccountsinbothdomaincontrollers. Users login utilizingNovellwhich passes the credentials on toAD,whereOutlook has replaced GroupWise as the email system. This situation requires themaintenanceofmultiple systems thatdo the same thing,but alsoposes riskswhen itcomestoterminatingusers.Also,itwasreportedthatpasswordsettingsfortheNovelloperating system are somewhat weak, requiring only six characters minimum, nostrength characteristics, and change every six months. It is recommended that theorganizationphaseNovellout completely if there isnota strongargument tokeep it,and that Active Directory group policy be used to enforce stronger passwordrequirements. Best practices typically include 8‐character minimums, strengthcharacteristicspertainingtocaseorspecialcharacters,theforcedchangeofpasswordsatinitialloginandevery90days,andthemaintenanceofpasswordhistorysothatuserscannotre‐usepriorpasswords.Inaddition,accessreviewprocessesshouldbeexaminedtoensurethatallsystemswhereactiveuseraccountshadbeencreatedareaddressed.AprojectlistedonthecurrentprojectlistingforIThasbeendefinedtoretireNovell,buttheprojecthasnotyetbeencompleted. Inaddition, itwasalsonotedthat thecurrentActive Directory group policy related to password configurations does not require aminimum age for passwords. It is recommended that EWEB modify this setting torequirepasswordstobeusedforaminimumperiodoftimeoncetheNovelretirementproject has been completed. Otherwise, when prompted to change their passwordsevery110days,userscouldsimplychangetheirpasswordrepeatedlyuntiltheyareableto use the same password again.While this scenario is not likely, the possibility thatuserscancircumventtheforcedpasswordchangestillexists.
2013Update–Managementwasable todiscontinueuseofNovellduring thelastauditperiod.Webelievethisissuehasthereforebeenresolved.
22
IT Opportunities for Potential Business Process Improvement – ElectronicCommerceTransactionsEWEBprocesseselectroniccommercetransactionsovertheInternet.However,arecentprojectwascompletedtooutsourcetheElectronicBillPaymentstoa third‐party.Thiswill allow EWEB to offload significant risk associated with a bulk of the cardtransactions. However, there are still credit card transactions that EWEB managesdirectlythemselves,particularlyatthecustomerservicecenter.Processing even a few credit card transactions exposes EWEB to the compliancerequirementsfromthePaymentCardIndustry(PCI)DataSecurityStandards(DSS).Perinquirywith the ITManagerand reviewof thecurrentproject listing,PCI compliancehas been defined as a project goal and is underway. It is recommended that EWEBcontinue with this process to identify all processes and functions wherein EWEBhandlescredit/debitcarddataofcustomers.
2013Update –Managementwasable toprovidemultiple reportsaroundPCIcompliance.ThereportsaddressEWEB’scomplianceandnon‐compliancetoPCIstandards, aswell as address structured goals towork towards over thenextfiscalyear.Webelievethisissueshasbeenappropriatelyresolvedinthecurrentyear.
TheBoard’swrittenresponsestothematerialweaknessandotherrecommendationsidentifiedinourauditwerenotsubjectedtotheauditingproceduresappliedintheauditofthefinancialstatementsand,accordingly,weexpressnoopiniononit.
*****Thiscommunication is intendedsolely for theuseof theBoardandmembersofmanagementandisnotintendedtobeandshouldnotbeusedbyanyoneotherthanthesespecifiedparties.Sincerely,Portland,OregonMarch7,2014
