APRIL 2022

IT Asset Management Audit

City Internal Auditor’s Office

FILE#: 2 2 -01
City of College Station
Payroll 2021 1
Executive Summary

Why We Did This Audit

Effective information technology asset management (ITAM) keeps information updated, reduces waste,
and improves utilization. It saves money by helping avoid unnecessary purchases and cutting licensing and
support costs. Increased control also enforces compliance with security and legal policies and reduces risks.
The positive implications on costs and productivity benefit the entire organization. Based on the direction
given by the Audit Committee, an audit of ITAM was included in the Fiscal Year 2022 Audit Plan.

What We Found
There is room for the Information Technology (IT) Department to improve policies, procedures, and
processes related to how technology assets are tracked and managed. Specifically, we found the following
areas of potential improvement related to the purchasing, deployment, storing, and disposal of personal
computers (PCs):

Purchasing records and processes need improvement. It is difficult to accurately identify PC purchases
– which complicates tracking PCs throughout their asset life cycle. In addition, timely entry of the receipt of
PCs into the City’s financial system when they are delivered does not consistently occur. Finally, although
most PCs are purchased centrally through IT, we identified a handful that were not and the justification for
this deviation from City policy was not well-documented.

Asset tracking practices and tools are inadequate. The approach for tracking PCs does not account for
assets that are not connected to the City’s network. As a result, technology asset records maintained by IT
did not reconcile with purchasing records. We found purchasing records of 191 PCs which were unaccounted
for in IT’s asset records.

Assets are not being effectively deployed and managed. IT has not updated their ITAM related policies
for several years. As a result, these polices do not reflect current IT processes and procedures. In addition,
we found the following indicators that PCs are not being effectively deployed and managed across City
Departments: (1) employees commonly being assigned multiple computers, (2) computers not being
timely deployed to end-users, and (3) computers utilized by end-users that are well beyond their scheduled
replacement dates.

Methods for maintenance and retirement of PCs could be enhanced. The City does not have adequate
systems or processes to take a proactive approach to computer maintenance. In addition, the City’s
computer replacement and disposal processes are not timely, well-organized, and accurately recorded. The
City’s policy does not provide clear, precise timeframes for replacing and disposing of old assets. However,
the data security risk of the disposed assets is low due to using data encryption and hard drive shredding
practices.

Payroll 2021 2
Summary of Audit Recommendations
To address the audit findings, there are a few improvements the City could make to better track and
manage its IT assets. They are encompassed in the following audit recommendations:

1. The City should develop a policy stating when it is appropriate to use a purchasing card to make
technology purchases. In addition, a process should be developed to efficiently identify the purchasing
records in Munis of all technology assets.

2. IT should develop a policy and procedure to inspect and receive ordered items in Munis when they
are delivered.

3. There may be a business justification for a technology purchase to not be centralized. In these
instances, the business justification for purchasing an item outside city policy should be clearly
documented. Alternatively, the City could implement a policy establishing the criteria for when
Departments are allowed to make their own technology purchases.

4 .The City should develop new strategies for tracking technology assets at every stage of the asset life
cycle. In developing this strategy, the City should consider new systems, processes, and policies to plan
for technology replacement efficiently and effectively.

5. To get the most output from technology assets, IT should be continuously evaluating user technology
utilization through robust processes and systems. Once IT can accurately track and collect these data,
they should update hardware standards, policies, and procedures to ensure these assets are being
utilized efficiently and effectively – including timely deployment and replacement.

6. IT should develop policies and procedures for computer replacement and disposal which provide
guidelines for (1) determining the disposal method, (2) improving documentation of replaced and
disposed computer assets, and (3) providing objectives related to the timeliness of replacement,
storage, and disposal.

3 Payroll 2021
Table of Contents

Introduction..............................................................................................................................................................5
Audit Objectives...................................................................................................................................................5

Information Technology Asset Management Offers Significant Benefit........................................5

Our Review of ITAM Focused on City Personal Computers (PCs).......................................................6

Findings and Analysis......................................................................................................................................7

The Process to Acquire PCs Could Be Improved......................................................................................7

The Process to Account for PCs Inventory Needs Improvement.......................................................8

Deployment and Management PCs Should Be Improved................................................................... 10

The IT Assets Maintenance and Retirement Process Needs Improvement................................. 12

Scope............................................................................................................................................................................ 15
Methodology ......................................................................................................................................................... 15
Appendix A: Management’s Response............................................................................................ 16

Payroll 2021 4
Introduction
The Office of the City Internal Auditor conducted this performance audit of the City of College Station’s
management of personal computer (PC) assets pursuant to Article III Section 30 of the College Station City
Charter, which outlines the City Internal Auditor’s primary duties.1

A performance audit is an objective, systematic examination of evidence to assess independently the

performance of an organization, program, activity, or function. The purpose of a performance audit is
to provide information to improve public accountability and facilitate decision-making. 2 Performance
audits encompass a wide variety of objectives, including those related to assessing program effectiveness
and results; economy and efficiency; internal control; compliance with legal or other requirements; and
objectives related to providing prospective analyses, guidance, or summary information. A performance
audit of information technology asset management (ITAM) was included in the Fiscal Year 2022 Audit Plan
based on the direction given by the Audit Committee.

Audit Objective
This audit aims to provide management with assurance that PC inventory and records are complete and
accurate and to evaluate the internal controls throughout the PC life cycle.

Information Technology Asset Management Offers Significant Benefit

ITAM is the process of ensuring an organization’s assets are appropriately accounted for, deployed,
maintained, upgraded, and disposed. IT assets include hardware, software systems, or information the City
of College Station values. This most commonly includes but is not limited to computer related hardware and
software licenses.

IT assets have a finite period of use. To maximize the value the City generates from them, the IT asset
lifecycle should be managed. This generally includes (1) procurement, (2) inventory, (3) deployment, (4)
management, (5) maintenance, and (6) retirement (see Figure 1 below). An important part of ITAM is
applying a consistent process across all lifecycle stages to understand the total cost of ownership and
optimize the use of assets.

1 2 3
Figure 1: IT Asset Life Cycle

PROCUREMENT INVENTORY DEPLOYMENT

Organize purchasing data Account for each IT Assemble, inspect, and
associated with IT assets to asset. Ideally, administer configure IT assets.
have information available QR barcode labels to Assign assets to users.
for future decisions. facilitate asset tracking.

6 5 4
RETIREMENT MAINTENANCE MANAGE
Assess asset value towards Evaluate IT asset quality Get the most output from
the end of useful life. Sell to help determine IT assets by continuously
or dispose of assets. when assets should be checking the value and
fixed or disposed of. performance of IT assets.

Source: Roots Tim (2020), Asset Life Cycle Management: Stages to Success.

1
City of College Station, TX, “Code of Ordinances,” § 30 (2017), 12.
2
U. S. Government Accountability Office, “Government Auditing Standards 2018 Revision (GAO-18-568G)” (2018), 10–17.

5 Payroll 2021
The primary goal of ITAM is to establish and maintain a centralized asset repository that contains a
complete, current, and accurate inventory of all the IT assets in the City. This information helps City officials
understand: (1) what systems and software exist, (2) where components reside, (3) how they are used, (4)
what they cost, (5) to what they are connected, (6) the current phase of their lifecycle, and (7) how they
impact IT and business services.

Best practices suggest leveraging ITAM processes, tools, and operational functions to drive long-term value
and ITAM-related projects to make targeted improvements to the City’s technology asset management
maturity. Therefore, an effective ITAM function should include an asset management repository, data on
both hardware and software components, and a set of processes for maintaining that data. At the most
basic level, an ITAM function must perform the following activities: (1) asset discovery and data capture, (2)
tracking asset changes, (3) asset-lifecycle management, and (4) asset reporting and alerting.

Our Review of ITAM Focused on City Personal Computers (PCs)

The City should be tracking and managing technology assets which have value, require ongoing support,
or could create potential risk to the City if the necessary documentation that shows proper ownership or
licensure is lacking. The first step in managing technology assets is to be able to identify every technology
asset owned by the City. These assets are typically classified into three sections depicted below (see Figure
2).
Figure 2: Information Technology Asset Classification

HARDWARE ASSETS ASSET COMPONENTS SOFTWARE ASSETS

Servers Routers Keyboards Printers Software

Workstations (PCs) Smart phones Mouse Scanners Software licenses
Copiers Tablets Webcams Monitors
Projectors Dock Stations

Source: ManageEngine ServiceDesk Plus (2020), 7 Step Guide to IT Asset Management Success

Compared to all other IT assets, our preliminary review found that IT asset records, processes, policies,
and procedures related to PCs 3 to be the best documented. Given this preliminary finding, we decided to
focus our review on examining only PCs based on the following logic: if the City has not implemented ITAM
principles to track and manage PCs, then the risk that these best practices are not being used to manage
other technology assets is high.

3
For the purpose of this report, personal computers (PC) refer to workstation, desktop computers, laptops, tablets, portable devices, and Toughbooks
(which were all within the scope of our review).

Payroll 2021 6
Findings and Analysis
We examined each aspect of the asset life cycle for City of College Station PCs and compared the City’s
processes, policies, and procedures to ITAM best practices. This report summarizes our findings within each
aspect of the technology asset life cycle: (1) procurement, (2) inventory, (3) deployment and management,
and (4) maintenance and retirement.

The Process to Acquire PCs Could Be Improved

Our examination of the process by which PCs are acquired found a few areas of possible improvement.
First, it can be challenging to accurately identify all technology purchases. Second, IT personnel do not
always timely enter that they have received PCs into the City’s financial system when they are delivered.
Finally, although most PCs are purchased centrally through IT, we identified a handful that were not and the
justification for this deviation from City policy was not well-documented.

It is difficult to accurately identify technology purchases. In an efficient and effective ITAM system, all
technology purchases are easy to identify and reconciled to any technology assets at any stage of the asset
life cycle. There are two ways IT purchases can be tracked. First, IT purchases are made either with a City
credit card or through the purchase order (PO) process – thereby creating a record in the City’s financial
system (Munis). Because various accounts are used to acquire IT assets, compiling a complete list of all
PC purchases through Munis can be challenging. Second, some PC purchases can be identified through
vendor websites. Although data from vendor websites were helpful, relying completely on this data has the
following disadvantages (1) it is limited to only certain vendors, (2) it is only able to access purchases made
by the IT Department, and (3) it requires the asset’s serial number which may not be available.4

Risk (medium): The full benefits of ITAM cannot be realized if purchasing records of all technology
assets cannot be easily identified and reconciled to IT asset records. In addition, purchases made
through the PO process generally have stronger internal controls than those made on City credit cards.

Recommendation: The City should develop a policy stating when it is appropriate to use a purchasing
card to make technology purchases. In addition, a process should be developed to efficiently identify
the purchasing records in Munis of all technology assets.

PCs are not always being timely received in Munis. Once an ordered computer is delivered by a vendor,
IT personnel should enter the receipt quantity and amount as soon as possible in the City’s financial system
(Munis)5. The receipt of quantities ordered is part of the “three-way match” internal control of the accounts
payable process. Three-way match in accounts payable allows you to match vendors’ invoices with POs
and received quantities of goods or services before the invoices are processed and paid. It automates the
verification of these documents to ensure that an invoice should be paid.

We did not find any instances where invoices were paid prior to IT entering the receipt in Munis; however,
there are still some risks associated with not timely entering the receipt of delivered items into Munis.
Although Munis allows the user to receive separate quantities ordered as they are delivered, IT personnel
often wait until all items on a PO are delivered before they make the receiving entry in Munis. As a result,
computers are often deployed prior to the receiving entry being made.

Risk (high): Because IT currently does not have an asset management system capable of effectively
tracking the asset through the entire life cycle of the asset, there is a risk that receipt information could
be inaccurate. This could result in the City paying for technology assets which have not actually been
delivered.

Recommendation: IT should develop a policy and procedure to inspect and receive ordered items in
Munis when they are delivered.
4
On the Dell website, an account holder can also use purchase order number which can be helpful.
5
Munis 2017.1 Manual, Receiving Training Manual, P.2
7 Payroll 2021
Most PCs are purchased centrally through IT. We found 32 computers and iPads purchases between 2015
and 2021 which were not acquired by IT staff. To put this into perspective, we identified 1,996 PC purchases
during this same period.

Per City policy, Departments are required to coordinate all technology or software-related purchase
requests with the IT Department. Once reviewed and agreed upon, technology purchases should be
initiated by the IT Department. This policy has the potential to help ensure that (1) acquired technology
assets are compatible with City standards and existing infrastructure, (2) all costs are properly considered,
(3) unnecessary duplication of capabilities is avoided, and (4) the proposed equipment or software does not
interfere with the operation of existing systems or create any undue risk to City resources.

The value of the policy depends on the (1) efficacy by which it is being enforced, and (2) extent to which the
other ITAM best practices have been implemented. The exceptions we found are described in Table 1.

Table 1: PC and iPad Purchases not Made by IT

Purchase Unit Total Canceled Cancel

Department Make & Model Qty
Date Price Amount Amount Qty
Fire Department HP Pavilion 1/21/16 1 430 430 - -
Electric Toshiba Satellite 2/23/16 1 1,030 1,030 - -
Fire Department Microsoft Surface 7/13/16 1 500 500 - -
Fire Department Apple iPad 1/21/16 1 590 590 - -
Fire Department Apple iPad 9/20/17 2 528 1,056 - -
Finance Apple iPad 1/7/22 1 330 330 - -
Communications Apple iMac 3/29/21 1 3,863 3,863 - -
Electric Dell XPS 15 12/14/21 1 1,799 1,799 - -
Electric HP EliteBook 850 7/14/16 2 1,796 3,592 3,592 2
Electric IBM Lenovo ThinkPad 3/10/20 3 1,003 3,009 - -
Electric IBM Lenovo ThinkStation 1/27/21 9 1,203 10,831 - -
Electric IBM Lenovo ThinkStation 1/27/21 7 1,269 8,881 - -
Electric IBM Lenovo ThinkPad 1/27/21 2 1,283 2,567 - -

Source: Purchase Orders obtained from Munis

Risk (low): Over 98% of computers purchased between 2015 and 2021 were centrally purchased by IT.
Of the less than 2% that were purchased by other Departments, 78% were purchased by the Electric
Department. Although there may be good justification for Electric or other Departments to operate
outside the City’s technology purchasing guidelines, this justification was not well documented in
purchasing records we were able to identify.

Recommendation: There may be a business justification for a technology purchase to not be

centralized. In these instances, the business justification for purchasing an item outside City policy
should be clearly documented. Alternatively, the City could implement a policy establishing the criteria
for when Departments are allowed to make their own technology purchases.

The Process to Account for PCs Inventory Needs Improvement

We found the City’s IT assets tracking approach is not effective since it does not account for assets that are
not connected to the City network. As a result, technology asset records maintained by IT did not reconcile
with purchasing records.
Payroll 2021 8
Asset management practices and tools are inadequate to account for IT assets throughout their life
cycle. Since April 2021, the City has used an ITAM solution called Lansweeper to gather hardware and
software information of computers and other devices on the City’s network. Although IT’s utilization of this
tool has resulted in significant improvement in their tracking of technology assets, the use of Lansweeper as
the primary method to plan for computer replacement has limitations because it only tracks assets which
have touched the City’s network. Therefore, the following technology assets may not be accounted for
through Lansweeper:

1. Assets which have been purchased and delivered but not yet deployed.
2. Assets which have been replaced but have not been timely disposed.
3. Assets which have been deployed but have not been used on the City’s network.

Given the limitations described above, we found that identifying all technology assets within the City’s
current system and processes is time-consuming, labor-intensive, and incomplete.

IT does not have accurate and complete records of deployed PCs. This is confirmed because PC
purchases do not perfectly reconcile to IT asset records. Documentation obtained from the City’s financial
system (Munis) appears to indicate that there were significantly more purchases of PCs than what can be
identified through asset records maintained by IT.6 Table 2 summarizes these results.

Table 2: Asset Purchases That Do Not Reconcile to IT Asset Records (rounded to hundredth)

Estimated Unit Purchase Cost Estimated Total Purchase Cost

Make & Model Qty
Average Min Max Average Min Max

Apple iMac 2 5,400 3,900 6,800 10,800 7,800 13,600

Apple iPad 16 700 300 2,000 11,200 4,800 32,000
Apple MacBook 1 2,500 2,300 2,800 2,500 2,300 2,800
Dell Latitude 28 1,400 1,000 2,300 39,200 28,000 64,400
Dell Optiplex 16 700 700 1,000 11,200 11,200 16,000
Dell Precision 3 1,800 1,000 2,500 5,400 3,000 7,500
Dell XPS 1 1,900 1,800 2,000 1,900 1,800 2,000
HP EliteBook 51 1,300 800 3,000 66,300 40,800 153,000
HP EliteDesk 28 800 700 1,000 22,400 19,600 28,000
HP Z4 Workstation 6 1,800 1,800 1,900 10,800 10,800 11,400
HP Zbook 3 2,100 1,600 2,900 6,300 4,800 8,700
IBM Lenovo 20 1,200 1,000 1,300 24,000 20,000 26,000
Microsoft SurfaceBook 6 1,500 500 2,500 9,000 3,000 15,000
Panasonic Toughbook 10 3,500 2,500 4,600 35,000 25,000 46,000

Total: 191 26,600 19,900 36,600 256,000 182,900 426,400

Source: Purchase Orders obtained from Munis

6
Although Lansweeper is the primary repository of technology asset records, we were also able to obtain some records from vendor websites.

9 Payroll 2021
Potential causes for the results summarized in Table 2 are as follows:
• Dell, HP, and Microsoft computers make up 74.3% of the computers summarized in Table 2. These
computers were either (1) lost or stolen, (2) deployed without having ever logged onto the network, or
(3) disposed without having adequate documentation of the disposal.
• Apple products, summarized in Table 2, make up 10% of the computers. Apple products cause issues
with the City’s network due to their platform security and operating system. As a result, IT has made a
business decision to not have these computers connected to the City’s network.
• IBM Lenovo computers make up 10.5% of the computers summarized in Table 2. These computers were
purchased by the Electric Department for their SCADA system, which manages the City's electric utility
infrastructure. To protect from the threat of cyberattack on this critical infrastructure and to comply
with federal energy regulations, these computers are not on the City’s network.
• Panasonic Toughbooks make up 5.2% of the computers summarized in Table 2. As of January 2022, we
were able to identify 97 Toughbooks purchased between 2017 and 2021. Ten of these computers were
purchased in 2017. Given the nature and use of these computers, it is not unreasonable to assume that
10 Toughbooks were disposed of slightly before their planned replacement (i.e., 5-year useful life).

Risk (high): The risk that technology assets are lost, stolen, or non-optimally utilized significantly
increases if technology assets cannot be tracked efficiently and accurately. There are also potential
risks related to data security if technology assets fall into the wrong hands. These security risks are
somewhat mitigated due to City computers being locked out of the system if they have not logged onto
the City’s network in the past 90 days.

Recommendation: The City should develop new strategies for tracking technology assets at every
stage of the asset life cycle. In developing this strategy, the City should consider new systems,
processes, and policies to plan for technology replacement efficiently and effectively.

Deployment and Management PCs Should be Improved

Because technology rapidly changes, the City should be frequently reviewing and updating computer
hardware standards. When done effectively, these policy and procedures updates are based on information
obtained through proper analysis of how PCs are deployed and utilized throughout the City.

The City’s hardware standards, policies, and procedures need to be updated. The Department of
Information Technology end-user hardware and software standards for all City users of PCs are documented
in a policy last updated in 2016. Some of the stated goals of these standards are as follows: (1) Aid in the
alignment, consistency, and modernization in the selection and design of business solutions across the
City. (2) Control costs associated with software licensing and maintenance, hardware, services, training, and
integration. (3) Ensure designated technology will be supported by IT as applicable, and that the selection
is in alignment with IT goals, objectives, and strategic direction. (4) Reducing the number of platform
configurations in use to enable allocated resources to better support the information systems under
management.

The benefits which can be achieved when ITAM best practices are implemented align with these stated
objectives. However, the City’s hardware standards need to be updated. Not only do they reference
hardware that is no longer acquired but it also is deficient in some areas. For example, it lacks (1) an
inventory management policy, (2) criteria specifying exceptions to policy, or (3) a deployment and
maintenance strategy.

Payroll 2021 10
There are indicators that PCs are not being effectively deployed and managed. For example, we found
the following: (1) employees commonly being assigned multiple computers, (2) computers not being
timely deployed to end-users, and (3) computers used by end-users that are well beyond their scheduled
replacement dates.

1. Employees assigned multiple computers. We identified 52 employees assigned more than one
computer when the assigned computers were still within the 3-year warranty date. However, there
are several active computers on the system that fall out of this range. Therefore, the actual number
of users with more than one assigned computer is likely much larger. Within the past year, IT has
implemented an informal strategy of replacing desktops with laptops with the goal of reducing the
number of employees assigned to multiple computers.

2. Computers not timely deployed. Adequate records to determine the length of time it takes for
computers to be deployed to end-users are not available for most currently deployed PCs. However,
we were able to analyze the deployment of 142 Dell computers–which are among some of the most
recent computer acquisitions. Of these computers, 42 had been deployed while 100 were sitting in
storage waiting to be deployed (as of February 2022). For the 42 computers which had already been
deployed, only 1 computer took longer than 2 months to be deployed. For the 100 Dell computers
waiting to be deployed, there were 10 which had been sitting in storage for over three months (see
Table 3 below for a more detailed breakdown). It takes on average approximately 10 days to deliver
items to the buyer after it is shipped, and three-year warranties on these computers begin once they
are shipped. The primary causes of these delays are the prioritizing service requests on deployed
computers and the inefficiency of the deployment process.

Table 3: Dell Computer Deployment

(Time between date delivered and date first seen in Lansweeper)
Deployed Not Deployed
Range Number of Percent of Average Number of Percent of
Average Days
(In Days) Computers Total Days Computers Total
91 to 120 0 0% 0 10 10% 110
61 to 90 1 2.4% 64 18 18% 77
31 to 60 26 61.9% 47 71 71% 47
1 to 30 15 36.7% 17 1 1% 24
Total: 42 100% 37 100 100% 58

Source: Dell Website and Lansweeper as of 02/24/22

3. Computers not timely replaced. Excluding the Panasonic Toughbooks used primarily in public safety
vehicles, City policy dictates that computers should be replaced every four years. As of February 24,
2022, there are 245 City computers which appear to not have been timely replaced. A breakdown of
these computers categorized by the year in which they were purchased is detailed in Table 4. Most of
these computers seem to be actively used by employees across City Departments.

11 Payroll 2021
 Table 4: Deployed Computers Purchased Prior to 1/1/18

Date Last Seen in Lansweeper Breakdown by Computer Category

Purchase Assigned to Not Locked per

9/2021 – 12/20217 1/2022 Total Total
Year Employees Assigned8 Policy

2011 1 2 3 2 1 0 3
2012 1 0 1 1 0 0 1
2013 1 3 4 1 2 1 4
2014 0 13 13 12 1 0 13
2015 2 21 23 19 2 2 23
2016 9 53 62 61 0 1 62
2017 15 124 139 102 25 12 139

Total: 29 216 245 198 31 16 245

Source: Lansweeper as of 02/24/22 includes HP, Dell, Lenovo PCs

Risk (high): Capturing and analyzing data related to technology assets is essential to developing
appropriate hardware and software standards, policies, and procedures. Because IT does not track
assets throughout their entire life cycle, they are unable to effectively analyze the effectiveness and
efficiency of asset acquisition and deployment across the entire City. This has resulted in computer
assets not only being deployed untimely but also not being timely replaced.

Recommendation: To get the most output from technology assets, IT should be continuously
evaluating user technology utilization through robust processes and systems. Once IT can accurately
track and collect these data, they should update hardware standards, policies, and procedures to
ensure these assets are being utilized efficiently and effectively – including timely deployment and
replacement.

The IT Assets Maintenance and Retirement Process Needs Improvement

The City does not have adequate systems or processes to take a proactive approach to computer
maintenance. In addition, the City’s computer replacement and disposal processes are not timely, well-
organized, and accurately recorded. However, the data security risk of the disposed assets is low due to
using data encryption and hard drive shredding practices.

IT’s approach to technology maintenance is largely reactive. Computers connected to the City’s network
receive periodic software updates to reduce security vulnerabilities, to fix bugs or crashes, and to ensure
compatibility with other updated technologies. Outside of these periodic updates, maintenance technology
assets appear to be mostly reactive. Issues with software or hardware are reported by end-users through
IT’s ticketing system. IT’s system and processes are not currently designed for proactive monitoring –
which means identifying potential issues within IT infrastructure and applications before users notice
and complain and initiating actions to avoid the issue from becoming user noticeable and operational
impacting.

Only one PC was last time seen in April 2021

7

Examples of computers not assigned to employees include workstations in the College Station Library, Fire Stations, Emergency Operation Center,
8

Utility Substations, HR Training room, CMO meeting room, and Dispatch.

Payroll 2021 12
IT should be maintaining an accurate replacement schedule for major technology assets. According
to City policy, IT should be centrally managing and budgeting for the replacement and maintenance of
technology assets citywide. The purpose of replacement schedules is to balance both the business needs
and budget capacity of the City. According to current policy, Panasonic Toughbook computers (primarily
utilized in public safety vehicles) should be replaced every five years while all other computers should be
replaced every four years.

City policy dictates that IT is responsible for disposing of technology assets. According to City policy,
computers should be replaced regardless of their condition at the end of their predetermined useful lives.
The replacement schedule is generated from the Lansweeper dataset, and the process is initiated and
managed fully by IT. Departments, only in rare cases, request the replacement of damaged assets through
IT’s ticketing process. Figure 3 describes the IT asset replacement and disposal process.

Figure 3: IT Asset Replacement of Disposal Process

Recycled/Destroyed
Taken to Landfill
or vendor destroys
or recycles

1. Departments 2. Computers 3. Superficial Auctioned

notified of collected & hard evaluation Sent to Fiscal to
computer drives removed to of asset advertise & auction
replacement be shredded later condition to: to highest bidder

4. Hard drives stored Used as Loaner

until shredded Stored until request
internally at CSU or for temporary
vendor destroys deployment

Source: Interviews with IT staff and asset disposal guideline

IT should ensure timely, transparent, and cost-efficient disposal of computer assets. According to
City policy, technology assets should be disposed of in one of five ways: (1) recycled, (2) auctioned, (3)
traded-in, (4) destroyed, or (5) donated to charity. IT is responsible for choosing the most cost-effective
and environmentally friendly method to dispose of technology assets. However, IT does not have clearly
defined procedures to determine the most optimal disposal method. For example, we found that (1) the
condition of replaced computers are not evaluated upon return, (2) asset disposals are often untimely, (3)
disposal records are incomplete, and (4) disposal method determinations are inconsistently applied. Table 5
summarizes how IT managed 2019 to 2021 replaceable assets.

Table 5: Management of Replaceable Assets

Scheduled Recycled/
Auctioned Still in Use Stored Unidentified Total
Replacement Destroyed
2019 6 21 12 20 140 199
2020 2 24 7 16 96 145
2021 0 0 143 12 36 191
Total 8 45 162 48 272 535

Source: Multiple data sources obtained from IT and through conducting assets inventory

13 Payroll 2021
Replacement and disposal records are incomplete and inaccurate. Between 2019 and 2021, IT planned
to replace 535 computers that were purchased before 2018. Replacement records do not indicate which
assets were auctioned, recycled/destroyed, or kept in the storage. In addition, we found that systems and
processes for tracking computer replacement and disposal to be inadequate which resulted in inaccurate
or incomplete records. Therefore, we were unable to verify the disposal of 272 computers from the
replacement schedule.

We were unable to verify an adequate chain of custody process when computers are replaced and collected
for disposal. The only document that confirms whether the asset was returned to the IT department is
the replacement schedule. However, we also identified at least 13 computers9 actively being used by
Departments when IT records appeared to indicate that they had been replaced and returned to IT.
Moreover, IT does not have guidelines that would define how long Departments are allowed to keep old
computers after replacing them with new ones.

Computers are not being timely disposed. As of January 2022, we found 309 computers and tablets in
storage waiting to be disposed. Only 121 of those assets were documented on the replacement schedules
between 2019 and 2021. We were unable to identify the exact purchase year of all these assets. However, a
breakdown of HP computers stored for disposal can be seen in Figure 4.

Figure 4: HP Computers Stored for Disposal by Purchase Year (as of January 2022)
40
35
35
30
25 22 23 22
20 18 18 19
15
10
7 5
5 1
0
2011 2012 2013 2014 2015 2016 2017 2018 2019 NA
Source: Asset inventory results and HP website

Shredding of hard drives does not occur timely. IT removes hard drives from all computers identified
for disposal. Hard drives are stored until they are either shredded internally by IT personnel or a vendor
is employed to perform this service. In both cases, IT creates a list of shredded or physically destroyed
hard drives. However, since there was no complete list of owned hard drives, we were not able to confirm
whether the records of shredded hard drives were complete. Besides, IT does not have a policy that would
define the timeline of hard drive physical destruction. We discovered multiple boxes of hard drives in the
storage room that were not accounted for by IT.

Risk (low): Although there is a risk that computers scheduled for disposal can be lost or stolen, the
value of these assets may be immaterial due to their age.10 Therefore, data security is a greater
potential risk. However, these risks are mitigated because IT encrypts the hard drive of all City
computers. In addition to encryptions, IT physically destroys hard drives to avoid data leakage from the
City.

Recommendation: IT should develop policies and procedures for computer replacement and disposal
which provide guidelines for (1) determining the disposal method, (2) improving documentation of
replaced and disposed computer assets, and (3) providing objectives related to the timeliness of
replacement, storage, and disposal.
9
We verified that these 13 computers are not being used as loaner computers.
10
On average, PCs are sold on auction for less than $100.
Payroll 2021 14
Scope
The City Internal Auditor’s Office conducted this performance audit in accordance with Generally Accepted
Government Auditing Standards (GAGAS). Those standards require that the audit team plan and perform
the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable
basis for our findings and conclusions based on our audit objectives.

Audit fieldwork was conducted from November 2021 through February 2022. The audit scope encompassed
PC inventories and IT asset management practices in place as of February 2022. More precisely, we studied
all deployed PCs as of February 24, 2022, PC purchase transactions from 2015 to 2022, stored PCs as of
January 31, 2022, and replaced and disposed computers between 2019 and 2021. The audit’s focus is on
systems and practices used in the governance, management, control, and oversight of PCs throughout their
lifecycle.

Methodology
To meet the audit objective, we performed the following steps:
• Researched leading practices related to ITAM.
• Reviewed policies and procedures related to ITAM and compared them to the best practices.
• Interviewed staff from the IT Department to obtain a detailed understanding of their ITAM practices.
• Performed data analytics, by combining data from applicable sources such as Munis, PC
manufacturers’ official websites, and the IT Department to identify inaccurate records and
opportunities for improvements.
• Performed walkthroughs of PC acquisition, deployment, storing, and retirement processes to gain
an understanding of the function and to evaluate the design and effectiveness of the processes
and internal controls. More precisely, we performed a detailed analysis of the mentioned areas and
created corresponding asset records:

• Acquisition – created the list of all PC purchases made on a pcard and on a Purchase Order
(PO) by IT and other Departments from 2015 to 2022. To identify the number of missing PCs,
we reconciled the obtained list with deployed, stored, and disposed PCs’ datasets. To check the
completeness and accuracy of the created list of Dell PC purchases made from 2020 to 2022, we
compared it with the purchases data generated from the Dell website.

• Deployment – to check the timeliness of the PC deployment, we compared the actual delivery
dates to the date when PCs first time were connected to the City network. We did this test for
selected Dell computers deployed since April 2020.

• Inventory – conducted a physical inventory of the PCs kept in old and new storage rooms and
created the inventory records as of January 27, 2022 and January 31, 2022, respectively.

• Replacement and Disposal – analyzed 2019-2021 PC and MDT replacement schedules and
created from these datasets the list of potentially disposed assets by reconciling it with existing
incomplete disposed asset records, and also, with stored, deployed, and auctioned datasets.
Besides, analyzed in more detail old assets auction practices.

15 Payroll 2021
Appendix A: Management Response Summary
The following summarizes the recommendations issued throughout this report. The auditors found that
staff and the Department were receptive and willing to make improvements to controls where needed.
Management has provided their response to each recommendation.

Management Response Summary

1. The City should develop a policy stating when it is

appropriate to use a purchasing card to make technology Expected
Risk:
purchases. In addition, a process should be developed to Concur Completion:
Medium
efficiently identify the purchasing records in Munis of all 1/1/2023
technology assets.

IT and Fiscal Services will coordinate to develop policies and procedures Responsibility:
Plan of
to provide a clear roadmap for departments purchasing technology with Chief Information
Action:
a purchasing card. Officer

Expected
Risk: 2. IT should develop a policy and procedure to inspect and
Concur Completion:
High receive ordered items in Munis when they are delivered.
10/1/2022

Responsibility:
Plan of IT will develop an internal procedure for inspection and receiving items
Chief Information
Action: purchased using the Munis system.
Officer

3. There may be a business justification for a technology

purchase to not be centralized. In these instances, the
business justification for purchasing an item outside City Expected
Risk:
policy should be clearly documented. Alternatively, the City Concur Completion:
Low
could implement a policy establishing the criteria for when 10/1/2022
Departments are allowed to make their own technology
purchases.

IT will coordinate with all department heads and CMO and identify Responsibility:
Plan of
specific circumstances where a department can purchase technology Chief Information
Action:
items without involvement of IT. Officer

4. The City should develop new strategies for tracking

technology assets at every stage of the asset life cycle. Expected
Risk:
In developing this strategy, the City should consider new Concur Completion:
High
systems, processes, and policies to plan for technology FY24
replacement efficiently and effectively.

The IT department will pursue a software solution with the ability to

Responsibility:
Plan of track and manage the entire life cycle of each asset. IT policies and
Chief Information
Action: processes will be updated and or developed to ensure the visibility and
Officer
insight of each IT asset.

Payroll 2021 16
 5. To get the most output from technology assets, IT should
be continuously evaluating user technology utilization
through robust processes and systems. Once IT can Expected
Risk:
accurately track and collect these data, they should update Concur Completion:
High
hardware standards, policies, and procedures to ensure FY25
these assets are being utilized efficiently and effectively –
including timely deployment and replacement.

IT will use the same IT Asset Management system for asset lifecycle
Responsibility:
Plan of tracking to measure asset utilization. Future asset purchases can be
Chief Information
Action: based on historical usage of the asset. Historical usage can be used to
Officer
develop appropriate hardware standards for expected future needs.

6. IT should develop policies and procedures for computer

replacement and disposal which provide guidelines
Expected
Risk: for (1) determining the disposal method, (2) improving
Concur Completion:
Low documentation of replaced and disposed computer assets,
FY24
and (3) providing objectives related to the timeliness of
replacement, storage, and disposal.

IT will coordinate with Fiscal Services to develop policies and procedures

Responsibility:
Plan of with the goal of improving asset disposal tracking. These policies and
Chief Information
Action: procedures will also include the lifecycle tracking capabilities in the IT
Officer
Asset Management system to be purchased in FY24.

17 Payroll 2021
 Audit Team
Ty Elliott
City Internal Auditor
Ana Mazmishvili
Assistant City Internal Auditor
Tarek Natsheh
Internal Audit Intern

The Office of City Internal Auditor was established in accordance

with the City of College Station Charter as an independent
office reporting to City Council to help establish accountability City Auditor
and improve City services. The Office of City Internal Auditor is Ty Elliott
responsible for conducting performance audits of Departments,
offices, boards, activities, and agencies of the City and providing
recommendations for improvement.
Office of the
City Internal Auditor
979.764.6269
telliott@cstx.gov
cstx.gov/AuditReports

Payroll 2021 18
cstx.gov/AuditReports

Payroll 2021 19