Citywide Information Technology Purchases Follow-Up

Illustration of a credit card being presented against IT background.

The Technology Services agency fully implemented two recommendations made in the original audit report. Technology Services partially implemented three others but did not implement one recommendation.

Recommendation graphic: 2 implemented, 3 partially, 1 not implemented

Remaining Risks

The recommendations Technology Services did not fully implement present several lingering risks. Among them:

  • Technology Services and the Controller’s Office did not change workflows to improve data quality, which would allow for efficient technology purchase monitoring when a purchase card or expense reimbursement is used. Instead, Technology Services is using data directly from the purchasing card provider for its technology purchases monitoring processes. By not improving workflows, Technology Services risks poor internal data quality, which may limit its ability to identify employees who use purchase cards to buy unauthorized technology.

  • Technology Services did not update its policies and procedures to define “technology purchase” and “on the network.” Without a clear definition of a “technology purchase,” employees may unwittingly violate Technology Services’ requirements. In addition, lack of a clear definition of “on the network” may result in an independent agency incorrectly concluding technology purchasing requirements do not apply to it.

  • Technology Services did not address technology purchase expense reimbursements. Without updated and defined policies and procedures, employees may use expense reimbursements incorrectly, which could result in technology purchases that conflict with Executive Order No. 18 guidance.

  • The Controller’s Office purchase card guidelines allows technology purchases, which conflicts with Executive Order No. 18 and Technology Services policies on approved methods of buying technology. Due to the conflict between internal policies and Executive Order No. 18, an employee could purchase technology and violate Executive Order No. 18 guidance.

  • Although Technology Services did develop and provide training to educate city employees about approved methods to purchase technology, it has not documented the training requirement in policy or established a method to monitor the training completion rate and content understanding. Without an educated workforce, employees could purchase technology using a purchasing card, which is not allowed under Executive Order No. 18.

Auditor's Letter

December 5, 2024

In keeping with generally accepted government auditing standards and Auditor’s Office policy, as authorized by city ordinance, we have a responsibility to monitor and follow up on audit recommendations to ensure city agencies address audit findings through appropriate corrective action and to aid us in planning future audits.

In May 2023, we audited Citywide Information Technology Purchases and found risks involving employees’ use of purchase cards and expense reimbursements for unauthorized technology purchases. Technology Services agreed to implement all six recommendations.

We recently followed up and found the Technology Services agency fully implemented two recommendations, partially implemented three, and did not implement one recommendation.

Although the Technology Services agency has made some progress, it did not fully address all the risks associated with our original findings. Specifically, the agency did not enhance data entry workflows to increase the efficiency of technology purchases monitoring paid with a purchase card or expense reimbursement. We also found Technology Services and Controller’s Office policies and procedures for technology purchases have conflicting guidance on how to buy technology. Lastly, Technology Services did develop training and a plan to educate city employees about approved methods to purchase technology, but requirements are not formally documented in a policy. Technology Services provided training and will monitor purchases but will not place any measures in place to prevent purchases other than policy directives. Consequently, we may revisit these risk areas in future audits to ensure the city takes appropriate corrective action.

We appreciate the leaders and team members at Technology Services who shared their time and knowledge with us throughout the audit and the follow-up process. Please contact me at 720-913-5000 with any questions.

Denver Auditor's Office

Auditor's Signature
Timothy O'Brien, CPA

Timothy O'Brien Official Headshot

AUDITOR TIMOTHY O'BRIEN, CPA
Denver Auditor

Denver Auditor's Office

201 W. Colfax Ave. #705 Denver, CO 80202
Emailauditor@denvergov.org
Call: 720-913-5000
Follow us on Facebook     Connect with us on Twitter

Auditors Office Logos for Footer: Denver Auditor, Denver Labor

Back to top