City of Palo Alto (ID # 10394)
Policy and Services Committee Staff Report

Report Type: Action Items
Meeting Date: 6/11/2019

Summary Title: ERP Planning Audit Status

Title: Staff Recommends the Policy and Services Committee Recommend the City Council Accept the Status Updates of the Audits on Recommendations From the ERP Planning: Information Technology Data Governance Audit

From: City Manager
Lead Department: IT Department

Recommendation

Staff recommends that the Policy and Services Committee recommend that the City Council accept the attached Status of Audit Recommendations resulting from the City Auditor’s ERP Planning: Information Technology and Data Governance Audit.

Background

The City Auditor’s Office issued an audit, ERP Planning: Separation of Duties on June 13, 2018. The full audit report can be found here.

The City Auditor’s Office issued an audit, ERP Planning: Information Technology and Data Governance on June 13, 2018. The full audit report can be found here.

Discussion

Staff has provided status updates on the audits in Attachment A. Out of the four recommendations from the Information Technology and Data Governance Audit, two of the recommendations have been completed. The open recommendations include adoption of IT Governance Framework and adoption of Data Governance Framework. The Information Technology Department anticipates that the remaining recommendations should be completed by December 31, 2020 and 2nd Quarter of 2020 respectively.

The open recommendations for the Separation of Duties Audit include design and definition of profiles and roles according to the concept of least privileges as identified in the ERP design phase. The SAP ERP technical upgrade scope has been finalized and the tentative timeline to begin the design phase is around the 4th Quarter of 2019. Staff anticipates that the remaining recommendation should be completed by the 4th Quarter of 2021.

Attachments:
- Attachment A - Status Update on ERP Planning Information Technology and Data Governance

STATUS OF AUDIT RECOMMENDATIONS
ERP Planning: Information Technology and Data Governance – ISSUED 6/13/18

The City Manager has agreed to take the following actions in response to the audit recommendations in this report. The City Manager will report progress on implementation six months after the Council accepts the audit report, and every six months thereafter until all recommendations have been implemented.

Finding 1: Better information technology governance can help ensure that IT systems, including the new ERP system, support City goals and objectives

Recommendation 1.1: Assign roles and responsibilities for IT governance (e.g., “chief governance officer”) to an existing City position that reports or could potentially report directly to the City Manager or the Chief Information Officer. The roles and responsibilities should include:
- Ensuring that City departments and stakeholders who are the users of the City’s information systems are included in governance processes and decision making, including decisions to address security risks.
- Ensuring that there is a process to validate the accuracy and completeness of key IT reports that are used in decision making or reporting (e.g., the City’s document that shows decisions on addressing risks identified in the Coalfire report; decisions regarding departmental roles and responsibilities for the new ERP system).
- Ensuring that governance covers all key aspects of the City’s information systems (e.g., ensuring that the IT Department has policies and procedures to address the use, organization, security, and access rights for the City’s network drive).

Responsible Department(s): Information Technology

Original Response and Target Date:
Concurrence: Agree
Target Date: 12/31/2019
Action Plan: The IT Department implemented IT Governance citywide in 2012 and since then it has been rightsized to reflect the evolving needs of the City. The roles and responsibilities for a leader in IT governance have already been assigned to an individual who reports to the Chief Information Officer (CIO). The IT Department agrees that work is required to address gaps in our city IT governance processes today including leadership roles, communications, reporting, and decision-making.

Current Status (Complete, In Progress, or Not Started): Complete

Implementation Update and Expected Completion Date:
June 2019 Management Update: Currently a resource reporting to the Chief Information Officer (CIO) is assigned to this role in a full-time capacity. The roles and responsibilities of this individual are clearly defined to enhance the existing processes and address gaps in the governance process while taking into account the three recommendations mentioned in 1.1.

Recommendation 1.2: Adopt an industry standard IT Governance framework, such as COBIT, and a process assessment and rating or maturity model, such as the COBIT 5 process assessment model. Create a plan to achieve a process capability model of 3 (i.e., “established”) or higher for:
- IT staffing and funding
- IT governance roles and responsibilities
- Aligning IT with departments' priorities
- Measuring and monitoring IT governance outcomes
- Identifying and mitigating IT risks

Responsible Department(s): Information Technology

Original Response and Target Date:
Concurrence: Agree
Target Date: 12/31/2019
Action Plan: IT Department agrees to identify and adopt an appropriate, rightsized, industry-recognized, IT governance framework. The IT Department working with the City Manager’s Office will determine the appropriate level of IT Governance maturity required for enabling organizational success.

Current Status (Complete, In Progress, or Not Started): In progress

Implementation Update and Expected Completion Date:
June 2019 Management Update: IT Department is currently in the process of identifying and evaluating industry standard IT Governance Frameworks with emphasis on COBIT 5. The learnings from this process will form the basis for the plan to address recommendations mentioned in 1.2.
Expected Completion Date: 4QTR 2020

Finding 2: Better citywide data governance will lead to better data in the new ERP system

Recommendation 2.1: Assign roles and responsibilities for data governance (e.g., a “chief data governance officer”) to an existing position that reports or could potentially report directly to the City Manager or the Chief Information Officer.

Responsible Department(s): Information Technology

Original Response and Target Date:
Concurrence: Agree
Target Date: 7/1/2019
Action Plan: In January 2017, the IT Department hired a qualified data analyst with responsibility for citywide data governance. The role currently reports up through the Chief Information Officer (CIO). The IT Department agrees to request elevation of this role from City Council to a more senior classification to reflect the increased responsibilities expected as a result of implementing an industry-standard data governance framework.

Current Status (Complete, In Progress, or Not Started): Complete

Implementation Update and Expected Completion Date:
June 2019 Management Update: IT has promoted an existing resource as Data Governance Program Manager in a full-time capacity reporting to the Chief Information Officer (CIO).

Recommendation 2.2: Adopt an industry standard data governance framework, such as the DAMA-DMBOK, and a process maturity model, such as the COBIT 5 process assessment model. Create a plan to achieve a process capability model of 3 (i.e., “established”) or higher for:
- Inventory
- Integrity
- Migration
- Security & Access
- Legal Compliance
- Availability
- Usability

Responsible Department(s): Information Technology

Original Response and Target Date:
Concurrence: Agree
Target Date: 12/31/2019
Action Plan: The IT data lead will work to implement the citywide data strategy that is currently being developed and is part of the FY19-21 IT strategy. Adoption of a standard data governance framework was already identified as a goal in this plan. IT Department agrees to identify and adopt an appropriate, rightsized, industry-recognized, data governance framework. The IT Department working with the City Manager’s Office will determine the appropriate level of data governance maturity required for enabling organizational success.

Current Status (Complete, In Progress, or Not Started): In progress

Implementation Update and Expected Completion Date:
June 2019 Management Update: Data Governance Program Manager is currently working on a citywide Data Strategy Framework and roadmap to align with the FY19-21 IT strategy. IT has also hired a consultant who will be working closely with the Data Governance Program Manager and IT Enterprise team to assist with ERP data standardization. The next step would be to liaise with CMO and other departments to identify appropriate Data Governance levels.
Expected Completion Date: 2QTR 2020