Citywide Information Technology Purchases

Illustration of a credit card being presented against IT background.

Objective 

To assess how well the city’s Technology Services agency enforces Executive Order No. 18 by administering, implementing, and communicating requirements to city leaders and employees — particularly those who buy technology services and equipment on behalf of the city.

Background

Technology Services was established by Executive Order No. 18. The agency is responsible for reviewing and approving all technology purchases to ensure the continued operations and security of the city.

Why this matters

City agencies that bypass Technology Services’ approval when purchasing technology are violating Executive Order No. 18. This noncompliance not only puts the security of the city’s data at risk, but it also wastes taxpayer dollars through missed opportunities for bulk discounts.

Findings

FINDING 1 – City agencies bypass necessary approval for information technology purchases when they use purchase cards and expense reimbursements

  • Technology Services’ policies and procedures for hardware and software do not address technology purchases or any exceptions for making a technology purchase.

  • The city’s system of record does not prevent city employees from buying technology with a purchase card.

FINDING 2 – Technology Services lacks detailed citywide guidance for technology purchases

Technology Services has not documented and communicated requirements to city agencies related to technology purchases. Specifically, it has not:

  • Defined what constitutes a technology purchase.
  • Defined what Technology Services considers “on the network.”
  • Developed standard steps for approving technology purchases.

Additionally, Technology Services is not coordinating with the Department of General Services about what information should be communicated to city agencies as it relates to technology purchases.

Recommendations

1.1 Determine when purchase cards can be used – The city’s Technology Services agency should revise policy and procedure to reflect when a purchase card can be used to make technology purchases.

Agency Response: Agree, Implementation Date – Dec. 31, 2023

1.2 Develop workflows for technology purchases – The city’s Technology Services agency should work with the Controller’s Office to determine requirements for monitoring and ensuring preapproval of technology purchases. Options include:

  • Developing a catalog of preapproved technology purchase types in ServiceNow that connects with Workday’s workflows.
  • Standardizing memo line entries with codes to better flag technology purchases or create flags based on keywords in Workday.
  • Adding spending categories that trigger Technology Services reviews of purchase card reconciliations and expense reimbursement requests in Workday.
  • Creating a required checkbox for purchase card reconciliations or employee reimbursement requests that requires city employees to attest that no technology was purchased.

Agency Response: Agree, Implementation Date – Dec. 31, 2023 

2.1 Clarify policies and procedures for technology purchases – Once workflows are determined, as outlined in Recommendation 1.2, the city’s Technology Services agency should:

  • Refine its relevant policies and procedures.
  • Develop supplemental procedures to address city employees’ roles and responsibilities for technology purchases — both for agencies on the network and Technology Services personnel.
  • Finalize and approve these policies and procedures.

Agency Response: Agree, Implementation Date – Dec. 31, 2023

2.2 Update documentation for technology purchases – The city’s Technology Services agency should change its policies and procedures to define “technology purchases” and “on the network” to ensure compliance with Executive Order No. 18. This change should include guidance on when purchase cards and expense reimbursements can to be used for technology purchases and it should better define what technology purchases require preapproval from Technology Services.

Agency Response: Agree, Implementation Date – Dec. 31, 2023

2.3 Update guidance for when purchase cards can be used for technology purchases – Following Recommendation 1.1, the city’s Technology Services agency should work with the Controller’s Office to update credit card usage policies and procedures to reflect when purchase cards can be used for technology purchases.

Agency Response: Agree, Implementation Date – Dec. 31, 2023

2.4 Develop and conduct training on technology purchases – Once recommended process, policy, and procedural changes have been implemented as described in recommendations 1.2 and 2.2, the city’s Technology Services agency should work with the Department of General Services to develop a required training and periodic refresher, specifically for those personnel responsible for technology purchases citywide. This should include:

  • Definitions for technology categories, how to purchase technology on purchase cards, and what receipts are required for out-of-pocket reimbursements.

Once training has been developed, Technology Services should develop a communications plan to disseminate Executive Order No. 18 and Technology Services’ policies and procedures for technology purchases annually to applicable staff who make citywide technology purchases. This training should also discuss security, data protection and privacy, and financial resources risks when agencies bypass Technology Services’ preapproval of technology.

Agency Response: Agree, Implementation Date – Dec. 31, 2023 

Auditor's Letter

May 18, 2023

We audited citywide information technology purchases to assess whether agencies, departments, and other branches of government in the city are following Executive Order No. 18 requirements when making technology purchases. I now present the results of this audit.

The audit found agencies are not following the required protocols to obtain approval for information technology purchases made using a city-issued purchase credit card or when requesting reimbursement after making a technology purchase. Furthermore, the audit found the city’s Technology Services agency has not developed sufficient citywide guidance for technology purchases and has not communicated and trained staff on these requirements in partnership with the Department of General Services. Allowing these purchases could lead to waste and abuse of city funds and expose the city to security vulnerabilities.

By implementing recommendations for stronger policies, review processes, definitions of technology purchases, and training, Technology Services will be better able to prevent city agencies from bypassing Technology Services’ approval of information technology purchases.

This performance audit is authorized pursuant to the City and County of Denver Charter, Article V, Part 2, Section 1, “General Powers and Duties of Auditor.” We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We appreciate the leaders and team members in Technology Services who shared their time and knowledge with us during the audit. Please contact me at 720-913-5000 with any questions.

Denver Auditor

Auditor's Signature
Timothy O'Brien, CPA

Tim_mug.png

AUDITOR TIMOTHY O'BRIEN, CPA
Denver Auditor

 


Denver Auditor´s Office

201 W. Colfax Ave. #705 Denver, CO 80202
Emailauditor@denvergov.org
Call: 720-913-5000
Follow us on Facebook     Connect with us on Twitter
Read our social media policy

Auditor´s Office Logos for Footer

Back to top