Audit of Salt Lake County Public Works Operations Payroll
Scope
The scope of the audit was from September 1, 2021, to August 31, 2022.
Objectives
The audit objectives were to provide reasonable assurance that the internal controls in place are adequate and effective and that the payroll processes comply with all applicable fiscal ordinances, policies, and procedures. Areas of audit focus included the processes and procedures for the following:
- Onboarding of new employees
- Timekeeping
- Special allowances paid through payroll
- Overtime and compensatory time
- Reconciliations of payroll time and expenditures
- Offboarding of terminated employees
Report Highlights
Use of Former Employee’s Login Credentials
We identified a critical security lapse within Public Works Operations. Staff used a former employee’s login credentials to access their computer and generate reports for 110 days after their termination. This violated Salt Lake County’s IT security policy, which mandates timely termination of access and prohibits sharing login credentials. This practice creates accountability issues and weakens the overall security culture within the department.
Background Checks and Drug Tests Not Conducted or Not Conducted Before the Start of Employment
From a sample of 17 employees hired during the audit period, one employee was required to have a background check based on their job title. However, no background check was obtained. All 17 employees were required to pass a drug test. All 17 had a passing drug test on file, however seven (41%) employees started work prior to the drug test results.
Access Termination Requests Not Submitted Timely
From a sample of 19 employees that terminated during the audit period, we noted that an ePAR to remove one employee’s timekeeping access was not submitted until 107 days has passed. In addition, network access removal was not requested for four of the 19 (21%) employees. Three of the four were later removed by the Information Technology Division, but one of the four accounts had not been removed.
For two (11%) of the 19 employees, network access termination requests were not timely, and were made an average of 67.5 days after the employee’s last day.