
Page 1 of Report

CA-09-11

City Manager's Office TO: Audit Committee

SUBJECT: Summary of Audit Results – Records Management Audit

Report Number: CA-09-11 File Number(s): 430-03-Clerks Dept.

Report Date: February 18, 2011 Ward(s) Affected: 1 2 3 4 5 6 All

Date to Committee: March 8, 2011 Date to Council: March 21, 2011

Recommendation: For information only

Purpose: Address goal, action or initiative in strategic plan

Establish new or revised policy or service standard

Respond to legislation

Respond to staff direction

Address other area of responsibility

Considering reports from the City Manager and the City Auditor identifying audit issues and the steps taken to resolve them including the adequacy of the management responses to audit concerns

Reference to Strategic Plan:

N/A

Background: This low-risk audit was included in the 2010 audit work as management made a request to include some low risk areas in the annual plan.

Discussion:

Overall Audit Rating – FAIR (details of overall audit ratings are located on page 9 of this report)

Summary of Audit Findings & Severity (Measure of Residual Risk)

| Category | Total Number of Findings | Considered High | Considered Medium | Considered Low |
|---|---|---|---|---|
| Records Management Objective & Policy | 2 | 1 | 0 | 1 |
| Management & Oversight | 2 | 0 | 1 | 1 |
| Strategic Planning & Resource Allocation | 1 | 0 | 1 | 0 |
| Operational Procedures, Practices & Systems | 3 | 1 | 1 | 1 |
| Staff with Records Management Responsibility | 1 | 0 | 1 | 0 |
| Communication | 1 | 0 | 0 | 1 |
| Monitoring & Reporting | 1 | 0 | 0 | 1 |
| Total | 11 | 2 | 4 | 5 |

Details of Audit Finding Severity Scale are located on page 10 of this report.

The detailed audit report is located on page 4 of this report.

Financial Matters:

• Estimated audit hours for completion: 70

• Actual audit hours required to complete: 73

Additional time spent documenting findings and recommendations.

Communication Matters:

• Audit closing meeting conducted on August 13, 2010. Provided opportunity for discussion between the City Clerk and the City Auditor.

• Management provided comments located on page 12 of this report, and management action plans located in Appendix A-1 on page 14 of this report. Management action plans were discussed with management from Clerk's Department on February 16, 2011.

• Final report issued to management on February 18, 2011

Conclusion:

Management and staff are committed to developing a strategic plan for records management and implementing the necessary activities to bring that strategic plan to life.


Respectfully submitted,

Sheila Jones, MBA, CIA, CCSA, CFE
City Auditor
905-335-7600 ext. 7872

Approvals: *required

*Department Head

City Treasurer General Manager City Manager

To be completed by the Clerks Department

Committee Disposition & Comments

01-Approved 02-Not Approved 03-Amended 04-Referred 06-Received & Filed 07-Withdrawn

Council Disposition & Comments

01-Approved 02-Not Approved 03-Amended 04-Referred 06-Received & Filed 07-Withdrawn

Appendices:

A. Audit Report – Records Management
A-1: Details of Audit Findings and Recommendations
A-2: Additional Observations (Nominal Severity Rating)

Notifications: (after Council decision)

Name Mailing or E-mail Address


Appendix A

AUDIT REPORT

Records Management

Clerk's Department

Corporate Services

Issued: February 18, 2011

Distribution:
Deb Caughlin, Manager Council Services
Angela Morgan, City Clerk

cc:
Kim Phillips, General Manager Corporate Services
Nancy Shea Nicol, City Solicitor
Roman Martiuk, City Manager

Prepared by:
Sheila M. Jones, MBA, CIA, CCSA, CFE, CGAP
City Auditor


Purpose

This report documents the findings and recommendations of the audit of Records Management.

Introduction and Background

The Clerk's Department has overall responsibility for records management in their capacity as a corporate services partner. As such, this department plays a key role in defining the fundamentals and environments within which City departments should operate to support the records management lifecycle (Illustration 1).

Illustration 1

“Records and recordkeeping are inextricably linked with any organized activity. It is only through the information an organization records in the normal course of business that it can know what it has done and effectively plan what it will do in the future. As a key resource in the operation of any organization, records must be created, organized, secured, maintained, and used in a way that effectively supports the activity of that organization, including:

• Facilitating and sustaining day-to-day operations

• Supporting predictive activities such as budgeting and planning

• Assisting in answering questions about past decisions and activities

• Demonstrating and documenting compliance with applicable laws, regulations, and standards.”1

The Clerk's Department has a records coordinator position within the Council Services section. This full-time position is responsible for “developing, implementing, maintaining and monitoring the records and information controls systems, techniques and procedures for the City of Burlington”2. In addition to this position, aspects of records retention and disposal are the responsibility of the Customer Service group.

The City has an established records retention by-law that guides departments as to the required term of storage for both physical and electronic versions of records. Physical storage of records (in boxes) is outsourced to a third-party provider. The movement of boxes to/from the third-party provider is facilitated and monitored by Customer Service in the Clerk's Department. As at date of audit, the City had approximately 4930 boxes of records stored in third-party off-site storage facilities and upwards of 75 boxes of records temporarily stored on-site pending shipment to off-site storage. These numbers do not include records that are housed in departments and not sent off-site.

Information regarding some elements of records management can be found on COBNet within the Clerk's Department webpage.

Throughout the planning, fieldwork and reporting phases of the audit, the Clerk's Department experienced staff changes in key positions; new City Clerk appointment, manager of Council Services resignation, and new manager of Council Services appointment. These changes had a significant impact on the timelines for development of the management action plans and, subsequently, the considerable delay in issuing the final report.

1 ARMA International. Generally Accepted Recordkeeping Principles.

2 City of Burlington Non-Union Job Evaluation – Records Coordinator

Audit Objectives & Scope

This audit was conducted to assess:

• completeness of the records management policy and existence of strategic direction for records management;

• extent to which records management policies and practices are communicated and understood by staff;

• level of compliance to policy regarding records classification, storage, retrieval and destruction;

• effectiveness and efficiency of record keeping processes including the controls to secure and protect records; and

• effectiveness of monitoring and reporting.

Specifically, the audit focussed on:

• relevant records management legislation, regulations, by-law, policy and strategy;

• interviews with management and staff (throughout the City) responsible for records management,

• a survey to randomly selected City employees to assess employee awareness of records management practices;

• review of processes related to receipt, storage, retention and disposition of records;

• on-site examination of City premises holding records;

• review of job descriptions and performance measures, and

• an examination of stored records and retrieval and destruction orders.

The scope of the audit specifically excluded:

• records creation in departments other than Clerks Department

• the physical review of third-party provided storage services and facilities, and

• access to systems and implementation of data classification security reviewed as part of the General Computer Controls Audit (CA-2-10).

The audit covered the period May 1, 2009 to May 31, 2010.

Methodology

The audit has been conducted following generally accepted auditing standards. In conducting the audit, the City Auditor has relied upon interviews with and observation of key personnel, examination of information, data, and other documentary evidence and re-testing of controls. The conclusions reached in this report are based upon information available at the time.

Audit Framework

The records management audit was conducted in alignment with the following framework:

Inherent Risk Profile

The management of Clerk's Department is responsible for implementing controls that mitigate the following risks (risks before application of controls) in Records Management:

| Risk Category | Inherent Risk Rating | Potential loss due to… |
|---|---|---|
| Disasters and Other Events | High | Natural Disaster: fire (natural origin), flood (natural origin); Non-Natural Disaster: flood (non-natural origin), fire (non-natural origin), environmental conditions; Wilful damage from external sources: arson, explosion |
| Performance & Responsibility | High | Inaccurate/incomplete job evaluation/mandates; unclear roles and responsibilities; unclear direction as a result of non-existent or inaccurate operating policies and procedures; Lack of or insufficient training/orientation regarding records management tools and practices |
| Privacy and Confidentiality | High | Breach of privacy under MFIPPA; Misuse of confidential information; Unauthorized disclosure of confidential records |
| Regulatory and legal | High | Non-compliance with records retention by-law; By-law not in alignment with Municipal Act requirements |
| Systems Failures | High | Data loss; Hardware/software failure; Power outage/disruption; System capacity issues |
| Vendor and/or Supplier Performance | High | Vendor does not meet service level agreements (e.g. confidentiality of records) |
| Transaction Capture, Execution and Maintenance | Medium | Records misfiled and/or destroyed in error; Missed deadline or responsibility for storing/retrieving/disposing of records |
| Community Trust/Confidence | Medium | Confidential information released to public and highlighted in local media |
| Efficiency | Low | duplication of records and effort; inadequate use of resources |

Legend:

High – significant/large/critical impact on City operations, financial results and/or image

Moderate – moderate/modest/sensitive impact on City operations, financial results and/or image

Low – insignificant/little/subtle impact on City operations, financial results and/or image

Role of Clerk's Department Management

Clerk's Department Management is responsible for designing internal controls to mitigate the inherent risks noted above and to meet the following objectives:

• Safeguarding of assets (including reputation)

• Compliance with laws, regulations and corporate policies

• Reliability and integrity of financial and operational information

• Efficiency and effectiveness of operations.

Overall Audit Rating - FAIR

Legend: Overall Audit Rating

Excellent (Green)

• No internal control weaknesses noted.
• Good adherence to laws, regulations, and policies.
• Good control environment.
• Operations are considered efficient and effective.

Good (Yellow)

• Several low and/or one or two medium findings.
• Minor contraventions of policies and procedures with compensating controls in place.
• No violation of laws.
• Minor opportunities for improvement in efficiency and effectiveness.

Fair (Orange)

• Many medium findings and/or one or two high findings.
• Several contraventions to policy.
• Minor violations of regulations/laws with minimal impact to City.
• Moderate opportunities for improvement in efficiency and effectiveness.

Weak (Red)

• Several high findings and some medium and/or low findings
• Controls weak in one or more areas.
• Noncompliance with policies put the City at risk.
• Violation of law/regulation put the City at risk.
• Substantial opportunities for improvement.
• Operations are considered consistently inefficient and/or ineffective

This conclusion is only applicable to the function/area of this audit. It reflects the professional judgment of the Office of the City Auditor based on a comparison of situations as they existed at the time against audit criteria as identified in the scope of the audit. This conclusion is intended to provide reasonable assurance regarding internal controls. There are inherent limitations in any controls, including the possibility of human error and the circumvention or overriding of controls. Accordingly, even effective controls may provide only reasonable assurance with respect to City operations.

Summary of Audit Findings & Severity (Measure of Residual Risk)

| Category | Total Number of Findings | Considered High | Considered Medium | Considered Low |
|---|---|---|---|---|
| Records Management Objective & Policy | 2 | 1 | 0 | 1 |
| Management & Oversight | 2 | 0 | 1 | 1 |
| Strategic Planning & Resource Allocation | 1 | 0 | 1 | 0 |
| Operational Procedures, Practices & Systems | 3 | 1 | 1 | 1 |
| Staff with Records Management Responsibility | 1 | 0 | 1 | 0 |
| Communication | 1 | 0 | 0 | 1 |
| Monitoring & Reporting | 1 | 0 | 0 | 1 |
| Total | 11 | 2 | 4 | 5 |

Legend: Audit Finding Severity Scale

High (Red)

• Key control does not exist, is poorly designed or is not operating as intended
• Serious non-compliance to policy or regulation
• May result in immediate or material loss/misuse of assets, legal/regulatory action, material financial statement misstatements, etc.
• Indicates a serious business control weakness/deficiency requiring immediate action

Medium (Yellow)

• Key controls are partially in place and/or are operating only somewhat effectively
• Some non-compliance to policy or regulation
• May negatively affect the efficiency and effectiveness of operations and/or financial reporting accuracy.
• Indicates a business control concern requiring near-term action be taken

Low (Green)

• Key controls are in place, but procedures and/or operations could be enhanced.
• Minor non-compliance to policy or regulation
• May result in minor impact to operations.
• Indicates a business control improvement opportunity for which longer-term action may be acceptable

Nominal

• Housekeeping

Refer to Appendix A-1 for details of the audit findings and recommendations.

Overall Comments

• The City's records management program:

  - has not kept pace with the technological advances that have affected the records lifecycle. A key element in a records management program of the 21st century is the inclusion of digital media including but not limited to email, websites, internet histories, instant messaging and voice mail.

  - requires senior management involvement and support to demonstrate the importance of preserving business records to meet the needs of accountability and transparency in business decisions.

  - is not adequately documented through operating procedures to provide corporate guidance to staff regarding the records lifecycle.

• Management has identified a key person dependency risk and related succession planning issue associated with the current tenured Records Coordinator. Management must continue its efforts to develop an appropriate strategy to mitigate the impact of this risk.

• It is worthy to note the Customer Service staff in the Clerk's Department has initiated a review of the records stored off-site. Discrepancies and omissions of information in transmittal records and challenges with box numbers led to a review of the processes for managing and monitoring off-site storage and destruction. In addition, staff is actively engaged in increasing the use of technology (Excel spreadsheets, vendor's web-site functionality, etc.) to improve the efficiency of the tasks and activities.

• Through interviews, it was noted that the retention by-law is the “go to” document for staff to determine retention periods.

Key Issues and Recommendations

The overall rating of FAIR for this Records Management is the result of the following key issues:

1. A corporate records management policy is not documented and approved and existing procedures do not address digital media records retention and storage.

“A high-level policy that articulates the principles and objectives for good records management should:

• acknowledge records as an important business asset

• acknowledge sound recordkeeping as a fundamental function of government agencies and the responsibility of all staff

• outline the main aims of recordkeeping and indicate how good recordkeeping will help the agency to achieve its key objectives

• identify the core principles for good recordkeeping.” 3

2. The scope of records management responsibility (i.e. corporate and departmental) is not clearly articulated and is open to interpretation.

Clarity of roles and responsibilities is a fundamental element of an effective control environment.

3. An overall strategic plan to implement an effective records management program is not defined. Implementation of Image Site is not supported by a rollout plan.

“A strategic approach to records management involves: gaining an understanding of the agency's business, identifying records management needs and risks, assessing the adequacy of the existing recordkeeping environment and practices, developing a strategic plan to ensure records management objectives and needs are addressed.”4

4. Standard operating procedures are not documented to support the corporate records management program (i.e. how staff is expected to comply with corporate policy).

Operating procedures are a critical source of information for activities within a decentralized environment (i.e. where departments have responsibility for operating within corporate guidelines).

5. Some contents of the records retention by-law are not internally consistent or in compliance with municipal legislation.

Consistency and compliance with regulations are critical to ensure effective retention and destruction decisions.

6. A corporate orientation program for records management does not exist.

Orientation introduces new employees to corporate policies and practices and sets the corporate standards which employees are expected to meet.

3 Victorian Auditor-General's Office, Records Management Checklist (2008): 4.

4 Victorian Auditor-General's Office.

Closing Comments

Records management is an important function within any organization. “The preservation of the records of government for example, ensures it can be held accountable for its actions, that society can trace the evolution of policy in historical terms, and allows access to an important resource for future decision making.”5

Management and staff of the Clerk's Department have demonstrated their commitment to continuous improvement through the identified action plans. A strategic plan will provide a solid foundation from which management and staff can gain an understanding and awareness of the records management function. It will also provide management with a mechanism to focus resources, as appropriate, on record management activities.

I would like to thank the management and staff of the Clerk's Department and other departmental staff interviewed for the cooperation and support extended to me during this audit.

5 The National Archives of Scotland, http://www.nas.gov.uk/recordKeeping/recordsManagement.asp

Management Comments

Clerks management looks forward to developing a corporate records management plan with a strategic plan, revitalized policies, by-laws, procedures and training. With the dramatic growth in electronic records over the past decade it is time to broaden the definitions, documentation and support provided for the corporation's valuable record assets.

The deliverables committed to through the records management audit will be presented in stages from May 2011 with a policy template update to December 2011 with the records management and strategic plans. After approval of the plans an implementation roll-out will occur throughout 2012. Any initiatives that can be addressed prior to the approval of the plans are underway and will be completed by Fall 2011.


Appendices: A-1. Details of Audit Findings and Recommendations A-2. Additional Observations (Nominal Severity Rating)


Appendix A-1 – Details of Audit Findings and Recommendations

No. | Audit Finding | Risk Category & Severity Rating | Recommendations | Management Action Plan

Records Management Objective & Policy

No. 1

Audit Finding: A corporate records management policy is not documented and approved. In addition, the current retention by-law (passed in 2005) and other documentation that does exist to explain records management does not clearly identify how digital media is to be addressed.

A policy is a written description of the City's stance on a particular subject and its response to specific situations. For example, the policy would state the objectives, responsibility and authority and scope of its records management program.

Documented policies:

• guide managerial decision making (e.g. setting priorities, etc.).
• help promote consistency in responses by providing a common reference point.

Lack of documented policy may result in:

• Inconsistent application of process and procedures implemented to ensure compliance
• Confusion regarding corporate and departmental responsibilities
• Inability to respond to a request for information (e.g. FOI, e-discovery, etc.)
• Non-compliance with regulatory requirements
• Increased costs associated with keeping outdated documents

Risk Category: Transaction Capture, Execution and Maintenance; Privacy & Confidentiality; Regulatory & Legal; Community Trust & Confidence

Severity Rating: High (Red)

Recommendations: Document and approve a corporate Records Management policy. This policy could include:

• objectives and/or purpose of the records management program
• description of the scope (e.g. physical and digital records) of the records management program
• description of corporate and departmental responsibilities within the records management program (e.g. who is authorized to approve destruction, who is authorized to change retention limits, etc.)
• delegation of authority to a specified position to coordinate and maintain the program
• exemptions policy (if any) and/or program suspension
• annual policy review date,
• etc.

Management Action Plan:

Comment: Agree

Action Plan: Clerks will develop a corporate records management policy that will incorporate the appropriate existing policies. This work is in progress.

Note: City of Burlington records are currently maintained in compliance with the required legislation (e.g. Municipal Act 2001, MFIPPA), the City's current policies, by-laws and Uniform File Plan. The Record Retention By-law does outline how to handle electronic records. FOIs have been handled in a timely manner with over 200 processed in 2010.

Responsibility: Records Coordinator

Target Date: December 1, 2011

No. 2

Audit Finding: Recordkeeping obligations are not always identified & acknowledged in other key policies (i.e. IT policies)

Cross referencing between mission critical policies supports consistent application of policies and procedures.

Risk Category: Transaction Capture, Execution and Maintenance

Severity Rating: Low (Green)

Recommendations: Include a cross reference to the records management policy in key policies such as IT policies specifically those related to digital media.

Management Action Plan:

Comment: Agree

Action Plan: Clerks will develop a policy template for all staff to use. When completed communication and training opportunities will be provided to all appropriate staff.

Responsibility: Records Coordinator

Target Date: May 30, 2011

Management & Oversight

No. 3

Audit Finding: Scope of records management responsibility is unclear. Job descriptions within the Clerk's Department indicate responsibility for the records management program. However, interpretation of the scope of these responsibilities suggests responsibility applies only to records inside of Clerk's control (i.e. agendas, minutes, by-laws, etc.) and boxes that come into Clerk's for off-site storage and not the corporate perspective of records management (i.e. corporate guidance for all departments).

Lack of clarity regarding the scope of records management responsibilities may result in:

• inability to define corporate direction or provide for corporate education and awareness
• confusion regarding corporate and departmental responsibilities.

Risk Category: Performance & Responsibility

Severity Rating: Medium (Yellow)

Recommendations: Update job evaluations to reflect scope of approved records management policy.

Establish performance metrics to support achievement of corporate records management objectives

Management Action Plan:

Comment: Disagree

The current job descriptions for the various Clerks staff clearly designate the department's corporate responsibility for records:

• Manager of Council Services - Administer the ongoing effectiveness of the municipal records management program and provide corporate leadership with regard to records management initiatives, including training and education.
• Records Coordinator - Develop, implement and maintain a corporate records management program, including both active and inactive records. Develop, implement and maintain Records' section information resources in City data bases.
• Customer Service Coordinator - Co-ordinate scheduling of staff who provide voice and in-person records assistance to City Hall customers
• Customer Service Clerk - Searches files and assembles corporate records as required by City staff and members of the public, including retrieving inactive records from storage and annual corporate records purge (recycle and shredding) based on Records Retention By-law.

These responsibilities are understood by the various staff but due to the increasing volume of information and media choices for information collection there is a lack of resources to provide the needed corporate level of training and guidance for records management. This gap will be more fully identified in the Records Management strategic plan.

Action Plan: No action to be taken

Auditor's Note: Recent turnover in managers has provided an opportunity to clearly establish the scope and interpretation of responsibilities.

No. 4

Audit Finding: Key performance indicators are not established for records management program.

Performance indicators are measures commonly used to help an organization define and evaluate various aspects of a program including effectiveness and efficiency. For example, retrieval rate of data, level of customer satisfaction (formally or informally), budget variances, budget savings, etc.

Risk Category: Efficiency

Severity Rating: Low (Green)

Recommendations: Establish key performance indicators for the corporate records management program

Embed KPIs in performance evaluations for employees responsible for records management.

Management Action Plan:

Comment: Disagree

There is currently one KPI that has been identified in the annual corporate budget reporting process - # of FOI requests. Based upon the last corporate strategic plan there was no identified need to expand this area of reporting. Any budget variances and savings are reported within the current budget review process.

Action Plan: With the development of the Records Management Policy and strategic plan additional KPIs will be investigated and presented to management as options to expand this area of reporting.

Responsibility: Manager of Council Services

Target Date: December 1, 2011

Strategic Planning & Resource Allocation

5. An overall strategic plan to implement an effective records management program is not defined. Implementation of Image Site is not supported by a rollout plan.

Strategic planning enables the City to identify the legislative and other requirements that have an impact on recordkeeping, internal and external stakeholders and their recordkeeping requirements, and the City's recordkeeping risks and priorities and the resources required to implement such a plan.

Lack of an overall strategic plan may result in:
• An ineffective records management program
• Inappropriate procedures and practices
• Duplication of effort, resources and information

Risk Category: Transaction Capture, Execution and Maintenance; Privacy & Confidentiality; Regulatory & Legal; Community Trust & Confidence

Severity Rating: Medium (Yellow)

Recommendations:
• Once a policy for records management is developed, develop a strategy to ensure the policy is consistently applied across the organization.
• Develop an implementation and roll-out plan for the use of Image Site including provision of guidance on retention of physical documents.

Management Action Plan:

Comment: Agree

Action Plan:

A strategic business area plan will be developed in conjunction with the Records Management Policy and presented to Senior Management and Council for approval. Presenting the policy and the plan together will provide a clear picture of the initiatives to be achieved through implementation of the new policy and training of staff as well as the on-going maintenance and support.

At the same time a review of the Image Site project plan will be completed and an updated implementation plan will be developed in conjunction with the appropriate departments.

Responsibility: Manager of Council Services

Target Date: December 1, 2011

Operational Procedures, Practices & Systems

6. Standard operating procedures are not documented to support the corporate records management program (i.e. how staff is expected to comply with corporate policy). Information that is available is limited to Image Site, the uniform file plan and storage, retention and destruction of records.

Information from the off-site vendor [6] indicates:
• the City has a total of 4930 stored off-site
• 1191 boxes have:
    • undefined retention periods
    • been retained from a period beginning in 1992
    • an approximate total storage cost of $41,000 from the beginning of the period to 2010.
  It is possible that some of these records would be subject to permanent retention in which case, the cost is unavoidable. It is equally possible that some of these records could have been destroyed after a period of time, in which case, the cost would have been avoided.
• 69 of 135 checked out of the off-site storage have remained checked out for a period extending from February 26, 1992 to April 30, 2009. Total costs charged by the off-site vendor for the space reserved for these boxes are approximately $702.

Areas not covered by procedure include but are not limited to:
• What documents are to be scanned into Image Site and the time to be scanned.
• What action to take regarding storage, retention and destruction of paper documents scanned into Image Site. Currently, both the paper and electronic documents are being stored for as long as indicated in the retention by-law. The cost of electronic storage is significantly lower than paper storage. Also, electronic documents may be stored in more than one directory/drive resulting in duplication of information and unnecessary backup of information.
• guidance for staff on when to suspend the retention schedule.
• How digital records are to be handled and
• Appropriate environmental conditions for safe storage.

As a result of discrepancies and omissions noted in transmittal forms and box numbers, staff in the Clerk's Dept. is currently revising internal processes to manage and monitor the storage and retrieval of records to/from off-site storage.

Standard operating procedures are a source of guidance and direction for staff and are effective training tools. Lack of standard procedures may result in:
• records not being available as required by legislation, by-law and policy
• inability to defend a claim or respond to e-discovery
• inconsistent practices across departments
• loss of document integrity and
• increased operating costs.

[6] Full Inventory - July 2010 - Iron Mountain Analysis Report

Risk Category: Transaction Capture, Execution and Maintenance; Regulatory & Legal; Disaster & Other Events

Severity Rating: High (Red)

Recommendations:
• Document key tasks and activities already in place
• Document and implement key tasks and activities to support elements of the records management program not currently in place.

Management Action Plan:

Comment: Disagree

All current records management work by the Clerks Department is supported with documented procedures/processes that are available on COBNet or are in the T:Clerks directory. (e.g. COBNet -Electronic Records Management – Imagesite, T:Clerks - records transfer and retrieval, Handling FOI requests, indexing and posting by-laws, corporate filing).

Major improvements have been made with the move to a new commercial storage provider in Fall 2010. City staff now create the tracking information record into the computer system and ensure that all required information is provided, which was not being done with the previous provider.

The undefined retention period boxes were generally created over 10 years ago prior to the Record Retention By-law's creation. Investigation is in process for the resolution of these undefined and checked out boxes. Once updated they are being processed based upon the current Record Retention By-law. At this time staff has been able to support the requests for information needed for discovery.

Paper and electronic records – Clerks has been directed by a legal opinion in 2005 that both paper and electronic records should be retained. Clerks will revisit this with Legal to validate the applicability of this opinion based upon current technology and legal needs.

Action Plan:

The status of paper copies of scanned documents is an outstanding matter that does need to be addressed and will be included in the strategic plan.

New procedures will need to be created to support the Records Management Policy and strategic business area plan. These procedures will include staff responsibilities, review schedule and approvals.

Responsibility: Records Coordinator, and Customer Service Coordinator, Customer Service Clerk – dependent upon area of designated responsibility

Target Date: December 1, 2011

7. The records retention by-law is not internally consistent regarding length of retention for certain records and is not in compliance for records related to the election. For example:

| Item | Retention Period: Finance | Retention Period: HR |
|---|---|---|
| Employee Records & Termination Files | 7 yrs | Permanent |
| Insurance Claims | 7 yrs after settlement | 7 yrs |

| Item | Clerks | Planning & Building |
|---|---|---|
| Parkway Belt | 2 yrs after decision | Permanent |
| Site Plans | 2 yrs | Permanent |

| Item | Existing | Required |
|---|---|---|
| Audit Reports (Election) | until the Clerk's declaration of official results & completion of recount, challenge or legal proceeding if required | the clerk shall retain until the members of the council or local board elected at the next regular election have taken office |

Inconsistent retention requirements may result in:
• duplication of records
• inadvertent destruction of records and
• increased cost of records retention

Risk Category: Transaction Capture, Execution and Maintenance; Regulatory & Legal

Severity Rating: Medium (Yellow)

Recommendations:
• Review and update retention by-law to ensure internally consistent and in compliance with legislation
• Benchmark by-law to other like municipalities with a view to classify documents according to their business function thereby eliminating the need to repeat in each department (Refer to City of Oakville, City of Hamilton, City of Toronto, etc.)

Management Action Plan:

Comment: Disagree – Client Department Records

The identified discrepancies are for different types of records pertaining to the same subject topic. E.g. Finance maintains payroll records and general insurance claims while Human Resources maintains all other employee records and employee insurance claims. The description is clear to the operating departments that are handling these matters. If the Auditor required it, additional wording could be provided in the by-law to clarify these differences. Additionally, new legislation and annual best practices discussions for Records are held with the Area and Regional Clerks e.g. Oakville, Halton Hills, Milton and Region of Halton. Changes have been implemented when required.

Auditor’s Note: The City Auditor does not require additional wording. Management must satisfy themselves regarding the clarity of the information contained in the by-law.

Agree - Election Compliance

The current by-law needs to be updated to reflect the new election act legislation that was introduced in 2010.

Action Plan: Update Records & Retention By-law for election matters.

Responsibility: City Clerk

Target Date: October, 2011

8. Active Directory Groups for Image Site are not reviewed regularly to ensure access privileges still required.

As staff move between positions in the City, they may no longer require levels of access or privileges granted under previous positions. Access and privileges within applications should be on a “business need only” basis. Lack of review may result in staff maintaining access and privileges that are unrelated to current business needs and cause a lack of segregation of duties.

Risk Category: Transaction Capture, Execution & Maintenance

Severity Rating: Low (Green)

Recommendations:
• Review active directory groups at least annually.

Management Action Plan:

Comment: Agree

Action Plan:

All City of Burlington staff with approved computer IDs have view access to the approved information and the removal of their IDs is handled by ITS. Clerks Dept. handles the approval of 'write' access to Image Site.

A process to review these IDs and their privilege will be created to ensure there is no inappropriate access. It is our plan to do this review on a semi-annual basis as this group of users is not large. We will review the new Purchase Card audit plans and implement those processes that are applicable.

Responsibility: Clerks Technology Analyst

Target Date: April 1, 2011

Staff with Records Management Responsibility

9. A corporate orientation program for records management does not exist. Training for Image Site and uniform file plan is provided on an “as requested” basis. Department-specific training is the responsibility of department staff.

While training on Municipal Freedom of Information and Protection of Privacy Act incorporates some elements of records management, there is no program to orient staff on the expectations of the corporate records management program.

Lack of a corporate orientation program may result in:
• Inconsistent records management practices
• Loss of corporate standards for records management, and
• Increased cost of records management.

Risk Category: Performance & Responsibility; Privacy & Confidentiality

Severity Rating: Medium (Yellow)

Recommendations:
• Establish an introduction to records management program that can be presented on a standalone basis or can be included in a broader corporate orientation program.

Management Action Plan:

Comment: Agree

A new employee handbook contains records retention information and references.

Action Plan:

Orientation and training are critical to the successful compliance to policies and procedures. Once the Records Management Policy is approved, the accompanying orientation and training plan will be implemented as part of the Strategic Business Area Plan (item #5). The training will be included in the annual corporate training plan and orientation information.

For the interim, training will continue on an 'as-requested' basis as there are not adequate staff resources to address this.

Responsibility: Records Coordinator

Target Date: First Quarter 2012, after Records Management Policy is approved.

Communication

10. Changes to practices and processes are not always communicated to staff with records management responsibilities. Also, the importance of recordkeeping is not always promoted to staff.

Communication of changes (e.g. new procedures, revised legislation, etc.) is important to ensure that the City can effectively secure and preserve municipal records.

Lack of a corporate orientation program may result in:
• Inconsistent records management practices
• Loss of corporate standards for records management, and
• Increased cost of records management.

Risk Category: Transaction Capture, Execution and Maintenance; Regulatory & Legal

Severity Rating: Low (Green)

Recommendations:
• Establish periodic communication (i.e. COBNet update, email broadcast, FOCUS notice, etc.) to keep the guiding principles of records management in staff and management's line of sight.

Management Action Plan:

Comment: Agree

Action Plan:

Electronic communication of changes to existing records management practices and processes will be communicated to city staff with records management starting as soon as the Records Coordinator validates who these individuals are in the organization.

In the past there was a corporate operational team that represented records management throughout the city. The option to re-implement this team will be explored with Senior Management. This option will strengthen the focus on records management and ensure communication is directed to the appropriate individuals.

An on-going in-depth communication plan will be part of the Strategic Business Area Plan and implemented after its approval.

Responsibility: Records Coordinator

Target Date: First quarter 2012


Monitoring & Reporting

11. Processes to monitor the level of service received from the third party vendor are not well understood by staff dealing with the vendor.

Staff responsible for dealing with the vendor invoices is diligent in ensuring invoiced charges are legitimate, accurate and complete. However, there is no mechanism to track or report other service delivery expectations (i.e. on-time pick-up/delivery, correctness of box/file retrieval, etc.)

Lack of a vendor monitoring may result in less than satisfactory service levels going unnoticed.

Risk Category: Vendor and/or Supplier Performance

Severity Rating: Low (Green)

Recommendations:
• Establish and monitor appropriate vendor performance metrics to ensure service delivery meets contractual obligations.

Management Action Plan:

Comment: Disagree

With the change of vendor for our off-site record storage service in Fall 2010, staff has a better understanding of the service expectations for the city. This vendor was chosen by the Halton Cooperative Purchasing Group and if we wish to change any aspects of the contract it will need to go back to the group for agreement and implementation.

Staff have implemented a regular schedule for pick-up and delivery, a tracking system regarding any issues, which have been two minor items, corrected within an hour and have experienced exceptional service delivery at this time. Burlington staff will continue to monitor this matter and if there are any issues report them to the Manager of Council Services for resolution.

Action Plan: No action to be taken

Auditor’s Note: The recent change in service providers has generated the opportunity to set expectations early in the relationship.

Appendix A-2 – Additional Observations (Nominal Severity Rating)

Observation Recommendations

• While out of scope for the Records Management audit, it is noted that the Records Coordinator has responsibility for maintenance of the Corporate Policy Manual. There is no guidance on what is to be contained in the manual, who is responsible for review and update of the policies and how departments are to advise of updates or new policies for inclusion. The result is a corporate policy manual that contains out of date policies and changes to policies that are reflected on Department web pages and not in the corporate policy manual.

• Develop, communicate and implement a protocol for the maintenance and update of the Corporate Policy Manual to include but not be limited to:
    • Establishing ownership of policies (i.e. position)
    • Process for publishing and communicating updates and new corporate policy
    • Timelines for policy review

Action Plan: As noted in item 2, a corporate policy template will be developed and staff will receive communication and training. At the same time, the Records Coordinator will review and update the processes for maintaining the Corporate Policy Manual and provide training to staff on this matter.

• A number of boxes containing legal records are stored in the basement storage room that may contain:
    • outdated information and therefore, should be destroyed, or
    • information that is to be maintained permanently and therefore should be stored off-site in secure, environmentally protected space.

• Review contents and retain/store or destroy as required.

Action Plan: These items will be reviewed and processed as directed by the Record Retention By-law by September 1, 2011.