[ PRINT ]

WPB Internal Audit on David


My comments in Italic.

City Commission Meeting held 4/4/2022. Item 9.1 on the agenda reads:

“Submittal of the following reports from the Internal Auditor’s Office:

1. Parking      Driver and Vehicle Information Database (DAVID) Audit Report
AUD22-01;

2. Police Internal Affairs Audit Report AUD20-05; and

3. Addendum to the Payroll and Overtime Audit Report AUD19-04.

Originating Department: Internal Audit
Staff Recommended Motion: Receive, Approve, and File.”

Background Information:
“The reports were presented to the Audit Committee on March 29, 2022,
where they were approved by the Audit Committee Members. Copies of
the reports have been provided to the Mayor and the City Commissioners.
Fiscal Note:
No fiscal impact.”

3/29/2022 Internal Audit meet with the IA Committee members and presented the findings. I attended via Zoom, and had concerns and questions particularly concerning police overtime.

Below is the first of 3 reports from the WPB Internal Auditor Department which the City Commissioners received, approved and filed on 4/4/2022 without one question being asked or one concern being shown. I have presented parts of the report and the entire report, containing 12 pages can be read below and I ask readers to note how many employee positions are vacant on the Parking Department Organization Chart. (page 4)

Background
“The City’s Parking Department and the Code Enforcement Division utilize personal information that is obtained from the Florida Department of Highway Safety and Motor Vehicles (FLHSMV) to identify or confirm driver or vehicle owner information as related to parking and code violations. In order to utilize the data provided, the City and the FLHSMV entered into a Memorandum of Understanding (MOU) that outlines the City’s obligations to meet internal control measures designed to ensure that confidential personal information is adequately protected from inappropriate access or use.

To access the data from the FLHSMV, the City and its employees utilize an online portal known as DAVID (Driver and Vehicle Information Database) that is managed by the FLHSMV. While FLHSMV owns and manages the DAVID system, the City is required to appoint an Agency Point of Contact (APOC) to administer and perform local services.

Examples of these services include deactivation of terminated users, user access reviews, quality control reviews, and obtaining acknowledgements of the confidentiality of information, including criminal sanctions for confidentiality violations. This audit is a requirement in the MOU agreement and it was conducted to evaluate the internal controls in place to ensure that data provided or received is protected from unauthorized access, distribution, use, modification, or disclosure. We note that in the
MOU, the Parking Department is the primary requesting agency and the Code Enforcement Division is the sub-requesting agency. As such, the Parking Department is responsible for ensuring that all users comply with the MOU requirements. However, the Code Enforcement Division is within the Police Department and the Parking Department does not have authority or oversight over Code Enforcement employees.”

Statement of Scope
“The scope of the audit was from December 1, 2018 to September 30, 2021 (audit period). The audit included tests and reviews of systems, policies, procedures, and processes. Other procedures and reviews outside the audit period were conducted as deemed necessary.”

Statement of Objectives
“The objectives of this audit were to: A. Determine whether the internal controls governing the Parking Department’s access and usage of DAVID data complied with the requirements in the MOU, and B. Determine whether there were any additional opportunities for improvement.”

Statement of Methodology
“The methodologies used to meet the audit objectives included the following:
• Conducting interviews and inquiries of personnel;
• Reviews of relevant agreements, State laws, internal policies and procedures;
• Evaluating and testing internal controls as related to applicable systems;
• Analyzing data, and
• Other audit procedures deemed necessary.
To the extent possible, testing was conducted on the entire population. However, where sampling was employed, we utilized a statistically valid sample that provided a 95% confidence level with a 5% margin of error. As such, these results may be extrapolated to the entire population.”

Opportunities for Improvement

1. “Distribution of DAVID Data . During our review, we found that the Parking Department inappropriately distributed Florida Highway Safety and Motor Vehicle (FLHSMV) DAVID data to the sub-contracting collection agency to assist with collecting on delinquent parking accounts.
Furthermore, we found that the terms of the agreement with the subcontractor did not adequately disclose the applicable laws, security, and confidentiality requirements surrounding DAVID data.”

Criteria

“Per the Memorandum of Understanding (MOU), Section IV, “Statement of Work”, the Requesting Party agrees to:
• Refrain from assigning, sub-contracting, or otherwise transferring its rights, duties, or obligations under this MOU, without the prior written consent of the Providing Agency,
• Not share, provide, or release any DAVID information to any law enforcement, other governmental agency, person, or entity not a party otherwise subject to the terms and condition of this MOU, and
• Protect and maintain the confidentiality and security of the data received from the Providing Agency in accordance with this MOU and applicable state and federal law.”

Cause

“Parking was not aware of the MOU requirements that prohibit the sharing of DAVID data without prior written consent of the FLHSMV. Additionally, Parking did not inform the Office of the City Attorney of the sub-contracting/third party distribution of DAVID data, prior to establishing an agreement for the collection of delinquent Parking citations.”

Effect

“Transferring DAVID data obtained from the FLHSMV to a sub-contracting collection agency without consent violates the terms of the MOU. More importantly, it increases the risk of inappropriate access to confidential information that could be misused.
Furthermore, this may leave the City susceptible to litigation and reputational damage, due to inappropriate distribution of personal identifiable information.”

Business Justification for Searches
Condition
“During the audit period, there were 14 users with DAVID access, of which 10 users performed searches. The 10 users conducted a total of 3,131 searches. We reviewed a statistically valid sample1 of 343 searches and found that for 94 (27%) searches performed, the Parking Department was unable to provide a business justification or other supporting documentation to validate whether the DAVID searches were for a legitimate business purpose. We also found the following DAVID search activities:
• 85 of 94 (90%) searches were performed within Parking, and
• 9 of 94 (10%) searches were performed within the Code Enforcement Division.

It should be noted that while a process for documenting business justifications for DAVID searches exist, we found that this process was not being consistently followed. Further, the Parking Department does not have oversight or authority over Code Enforcement staff because Code Enforcement is within the Police Department. This presents challenges for the Parking Department to enforce the MOU requirements or monitor the access and use of the DAVID data.”

Criteria

“Per the MOU, Section V, “Safeguarding Information”, the parties mutually agree that information exchanged will not be used for any purposes not specifically authorized by this MOU. The MOU further states that unauthorized use includes, but is not limited to, queries not related to a legitimate business purpose, personal use, or the dissemination, sharing, copying, or passing of this information to unauthorized persons.”
Cause

“As related to the Parking Department, there was insufficient oversight of DAVID users to ensure that a business justification was documented or other support was maintained, for each search performed. As related to Code Enforcement, the Parking Department did not have the authority or oversight of the Code Enforcement Division to ensure that searches had a documented business justification.”
Effect

Failure to document a business justification or maintain other supporting documentation to justify searches performed in DAVID could result in the Parking Department’s inability to demonstrate to the FLHSMV that the searches are in fact legitimate and for a business purpose. Further, this increases the risk of inappropriate searches being performed. Finally, there is a heightened risk to the City of being liable for unauthorized access or misuse of confidential personal information, as well as a loss of public confidence.”

Access Termination
Condition

“During the audit period, DAVID access was added and/or removed for 14 users within the Parking Department. We reviewed access termination and found that the Parking Department did not deactivate DAVID user access in a timely manner for 4 (28%) employees with a terminated or transferred status. Their access remained active for 8 to 886 days. The following table provides the details of what we found:” Please see page 11 for Table,Criteria, Cause and Effect.

The Internal Auditor’s findings demonstrate that the city administration lacks the ability to properly train and monitor employees assigned to the parking department. Fault and blame for lack of over-site is attributable to the Mayor as Chief Executive and the City Administrator, Faye Johnson.

Previously a story was posted on WPB Watch that 275 WPB employees resigned between 4/1/2019 until 9/30/2021. If you missed the story you can read it below. How many employees were from the Parking Department, gone and not replaced?
https://wpbwatch.com/2021/10/city-employees-resigning-why/

Read the entire Internal Auditors Report Below. This is a great example of why the IA Dept. is so critical to the city. It finds the problems so the City can repair the damage. Let’s hope they do.

Parking DAVID Audit Report AUD22-01

The End