Cellular costs – Verizon report #1718-5 March 2020

Cellular Costs – Verizon
(Computerized procedures)

To request this information in an alternate format, please call (541) 330-4674 or send email to David.Givans@Deschutes.org

Deschutes County, Oregon

David Givans, CPA, CIA
Deschutes County Internal Auditor
1300 NW Wall St
Bend, OR 97703
541-330-4674
David.Givans@deschutes.org

Audit committee:
Daryl Parrish, Chair - Public member
Jodi Burch - Public member
Tom Linhares - Public member
Scott Reich - Public member
Summer Sears - Public member
Stan Turel - Public member
Patti Adair, County Commissioner
Nancy Blankenship, County Clerk
Nick Lelack, Community Development Director

TABLE OF CONTENTS:

HIGHLIGHTS
1. INTRODUCTION
1.1. Background on Audit
1.2. Objectives and Scope
1.3. Methodology
1.4. Background on Cellular costs – Verizon
2. FINDINGS and OBSERVATIONS
3. MANAGEMENT RESPONSES
3.1. County Departments

HIGHLIGHTS

Why this audit was performed:
Computerized procedure audits are periodically performed over different areas.

What was recommended:
Recommendations include:
• updating the cell phone policy to address a number of additional areas;
• comparing stipend reports to employees who have County phones;
• periodically reviewing plans available to align with design, availability, usage and cost; and
• addressing risk of device access to County information.

Cellular Costs - Verizon

This audit reviewed cellular costs, usage, and cell phone stipends.
Computerized audit procedures can be utilized to extract vendor invoice information and relevant data from County systems. This allows the linkage of payroll information and vendor information, such as identifying employee stipends paid along with any associated cellular phone charges.

What was found

Analyses of cellular charges (Verizon) indicated a number of underutilized phones and devices. Nine percent (9%) of phones and twenty-two percent (22%) of devices had no usage in the last three months of 2019. These underutilized services are estimated to be costing the County around $44 thousand per year. There are still more devices that have only nominal usage.

Some employees received a stipend and had a County phone contrary to policy. This was primarily due to communication issues and is estimated to cost the County around $2 thousand in 2019.

Departments are mostly using cost effective contract pricing for devices. Some departments could benefit from changing plans.

Policies governing mobile devices should be updated to reflect the risks to the County from the evolving technologies, privacy, and associated compliance risks that come with them. There are also management and business criteria that could be developed to control utilization.

Deschutes County Internal Audit

1. Introduction

1.1 BACKGROUND ON AUDIT

Audit Authority: The Deschutes County Audit Committee authorized the review of cellular phone costs (computerized procedures) in the Internal Audit Program Work Plan for 2017-2019. This audit was carried over to the Work Plan for 2020-2021.

Computerized procedures can be utilized to extract vendor invoice information and relevant data from County systems as well as downloading data from vendor invoicing and usage. Current audit tools allow the linkage of payroll information and vendor information, such as identifying employee stipends paid along with any associated cellular phone charges.
1.2 OBJECTIVES and SCOPE

“Audit objectives” define the goals of the audit.

Objectives included:
1) Most cost effective cellular contract pricing is being utilized;
2) Unused and/or lost/missing cell phones/lines are still being charged to the County;
3) Assessing whether employees receiving cell phone stipends also have an assigned County cell phone. County cell phone policy (BLDG-02) clearly states that employees cannot receive both; and
4) Be aware of any issues with compliance with federal and state regulations and requirements, as may be applicable.

Scope and timing: The audit had a false start in 2018. The final work was completed in December 2019 through January 2020. All County departments utilizing Verizon cell services were included in the analyses. The analyses of cellular charges and activity spanned 2019, but in some tests shorter time spans were used. Due to the significant number of non-phone lines, some work was performed (non-phone lines are for devices including iPads, modems, and jetpacks that use cellular services). Limited analyses were performed for modem usage.

The audit did not examine department processes and controls governing cell phone and mobile device management and utilization, though some of the discussions with specific departments indicated there were procedures in place in some of them. The audit also excluded a review of the controls regarding monthly cell phone invoice payment processing.
1.3 METHODOLOGY

“Audit procedures are created to address the audit objectives”

Audit procedures included:
• Review of cellular phone policy (BLDG-2) and Computer, e-mail, and mobile computing device use policy (IT-1);
• Review of Verizon contract information;
• Analyses of cellular charges from Verizon;
• Analyses of contract pricing and features used on cell lines;
• Analyses of unused cell phones and devices to the County;
• Analyses of employees receiving stipends and also assigned a cell phone; and
• Discussions with staff on management of cell phone charges.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

(2011 Revision of Government Auditing Standards, issued by the Comptroller General of the United States.)

1.4 BACKGROUND ON CELLULAR COSTS - VERIZON

[Graph I: Vendor composition of FY2020 year to date (thru 12/2019) Communication – Phone/Pager by vendor. {Object 450310}]

County employees may be assigned a cell phone for use in the course of their employment when it provides an economic, efficient, and secure solution to the County business needs. The other option for departments is to provide a stipend for the business usage of their personal cell phone.

Verizon Wireless Cellular Services – County provided phones/devices

When reviewing the account category used for most cell phone charges, Verizon represented 79% of the charges to departments. Verizon’s payments are nearly $377 thousand in calendar 2019. The nine other vendors making up the balance provide mostly other types of communication services.
Since Verizon cellular services represent the significant vendor, the audit focused on data with this sole vendor. Ninety seven percent (97%) of Verizon charges are posted to the Communications - Phone/Pager account (450310). The three largest County departments with these charges were 9-1-1 County Service District (CSD), Health Services, and the Sheriff’s Office.

The County participates through the State of Oregon procurement network using cooperative purchasing program price agreements from the National Association of State Procurement Officials (NASPO) with Cellco Partnership dba Verizon Wireless.

[Graph II: Types of Verizon devices utilized for services (12/2019)]

Cellular phones are the predominant type of service obtained from Verizon. Modems are almost exclusively used by 9-1-1 CSD with their member agencies. Jetpacks are a way to get cellular service for data services (mobile network and internet services) for staff that might be using a laptop in the field to connect to County resources via internet. Pad and note type devices utilize cellular services and are increasingly being used in certain departments to provide connectivity in the field.

The County composition of cellular services in December 2019 included around 472 cellular phone lines; 91 Pad/note devices; and 65 jetpacks. As a percentage of total employees, these represent 39.5%; 7.6%; and 5.4%, respectively. Not all devices are assigned to specific employees as they may be assigned to patrol cars, functions, locations, or groups of staff.

A significant percentage of the devices used for phones and pad/note devices are Apple products. There is significant variance in the models and types of products utilized. The County allows departments and employees the flexibility to select devices that best meet their business needs. Some phones are free with the setup of certain plans.
[Graph III & IV: Composition of brands for phones and Pad/note devices]

[Graph V: 2019 monthly Verizon bills analyzed (by type of device)]

The County departments across these devices utilize around 17 different price plans for structuring the services desired. The 2019 charges from Verizon amount to around $391 thousand in services, 52% of which related to cellular phone charges.

Stipends – Employee usage of personal cellular phone

The County, under the current cellular phone policy (BLDG-2), provides for different levels of stipends.

TABLE I: County Stipend plan (monthly)

| Level | Allowance Amount | Description |
|---|---|---|
| 1 | $25 | Infrequent, but necessary cell phone use required during work hours. |
| 2 | $40 | Frequent/daily cell phone contact and use during work hours and any on-call periods (if applicable). Cell phone includes text capability. |
| 3 | $75 | Frequent daily cell phone use during and after work hours. Phone must have text and email capability and be connected to the County's email system. Cell phone number provided to County staff and customers, as appropriate. After hour use is expected. Exempt positions only. |

The plan developed by the County provides additional monies with increasing usage.

TABLE II: Calendar 2019 County employee cellular phone stipend utilization

| Monthly Allowance | Count | Count % | Payments Amount | % |
|---|---|---|---|---|
| $25 | 76 | 28% | $18,128 | 14% |
| $40 | 103 | 38% | 42,743 | 32% |
| $75 | 91 | 34% | 73,293 | 55% |
| TOTALS | 270 | 100% | $134,164 | 100% |

During 2019, there were 270 employees who received the cellular phone stipend. The direct cost to the County was $134 thousand and most of the cost was with the $75 stipend. There were a number of on-call and part time employees who received the stipend. Employees receiving stipends represent about 23% of the 2019 employees.
[Graph VI: 2019 Monthly stipend amounts (rounded)]

[Graph VII: 2019 Monthly combined stipend and phone amounts (rounded)]

During 2019 there appeared to be a significant decline (~36%) in monthly stipend amounts. All stipend groups declined, but the greatest decline (~43%) was in the $75 stipend amounts and the least decline in the $40 stipend (~23%). Anecdotally, a large department indicated that some of their staff were moving to County phones due to regulatory requirements to protect sensitive information on their personal phones. Another large department moved a number of their staff off of stipends to County phones.

Note the relatively consistent overall cost for phone stipends and cell phones.

Cellular phone elements from Graph V and Graph VI are combined into Graph VII to show the overall cost to the County of stipends or County provided phones. The combined stipend cost and the cell phone charges have declined slightly (~2%) in overall monthly costs and the costs average close to $28 thousand a month.

2. Findings and Observations

The audit included limited procedures to understand some of the controls around cell phone charges. No significant deficiencies were found in this audit. A significant deficiency is defined as an internal control deficiency that could adversely affect the entity’s ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements. The findings noted were primarily compliance and efficiency matters.

Audit findings result from incidents of non-compliance with stated procedures and/or departures from prudent operation. The findings are, by nature, subjective. The audit disclosed certain policies, procedures and practices that could be improved.
The audit was neither designed nor intended to be a detailed study of every relevant system, procedure or transaction. Accordingly, the opportunities for improvement presented in the report may not be all-inclusive of areas where improvement may be needed and do not replace efforts needed to design an effective system of internal control.

2.1 FINDINGS AND OBSERVATIONS

Analyses indicated a number of underutilized County provided phones and devices.

The analyses of County paid cellular lines yielded a number of observations on usage. It was determined that two separate analyses were needed to combine activity in minutes (talk, message, and roaming) to activity with data. Some phones or cellular devices (note devices and jetpacks) can use either or both of these services. These analyses were performed for the last quarter of 2019.

[Graph VIII: County Cellular PHONE usage in minutes and data (Oct, Nov, Dec 2019)]

[Graph IX: County Cellular DEVICE usage in minutes and data (Oct, Nov, Dec 2019)]

9% of phones had no minute and no data usage.
22% of cellular devices had no minutes and no data usage.

Nearly 12% of the lines (phone and cellular devices) in the fourth quarter of 2019 analyzed for minutes and data usage were inactive with no usage. Many more lines had lower activity as well. Some of the no usage lines related to suspended lines. A couple of lines (7% of those terminated) were not timely disconnected from services and resulted in some additional charges.

Some of the lower use lines related to interns, volunteers, and other partner agency staff. Some departments are utilizing team phones to leverage and provide for a group of people’s needs. In discussion with staff, some departments established equipment redundancy to rotate in if equipment fails or is needed in emergency situations.
These cellular devices often have no usage. The County pays on average $40 per month for each cellular line.

Sometimes lines are suspended instead of being disconnected. Suspended line charges will restart after the initial 90 days of suspension. Sometimes the department will want to keep the phone number and wants to reassign it, but sometimes the lines need to be disconnected.

The County cell phone policy (BLDG-2) outlines the practices for stipend and County supplied phones and was last updated in March 2016. The policy statement indicated it is to provide cost effective use but does not clearly identify criteria for selecting the best plan or establish criteria/guidance on when an employee needs or is required to have access to a cell phone. The County’s policy does not currently address usage after the phones are assigned.

Overall, most of the lines were being terminated in a reasonable manner. Some, however, were missed. So improving the systems for handling the termination of lines when employees leave would eliminate paying for lines of departing employees.

Some managers of phones haven’t identified the actual user of a phone in account maintenance as sometimes Verizon assigns the manager to the line. Verizon accounts normally have one name associated per line.

The underutilized phones and devices amounted to $3,600 per month and an annual estimated impact of $44 thousand if all of these phone lines could be eliminated. Cost for employee lines that should have been terminated when the employee left was approximately $700 for the months carried through December 2019. There were some lines that didn't readily match with employee names. Without proper names on the lines, it is difficult to track at termination and to manage use.

Recommendation 1
It is recommended for the County to consider updating the Cell Phone Policy to address management and expectations around utilization. This would include monitoring and routine assessment as to whether an employee truly needs the device/phone, what services, and what plan best fits their intended usage.

Recommendation 2
It is recommended for account managers to use the suspend feature cautiously as the charges will start up after 90 days.

Recommendation 3
It is recommended as part of the employee exit process, that any County purchased cellular services be discontinued or transitioned.

Recommendation 4
It is recommended for the account managers to assign County phones individually using the official employee name when possible.

Note: Detailed data was provided to the larger departments to further scrutinize the activity of their cellular lines.

A couple of stipends required additional review.

An analysis was performed that combined employee payroll data with data from Verizon billings by line and by month. This determined if there were any employees with a County phone and a stipend. The analysis was able to identify a number of transitional occurrences where staff were in the process of adding a stipend or eliminating a stipend while having a County phone. It also identified some conditions that required action. Those were brought to the attention of the associated departments.

Though the analysis was not perfect, as some lines were not named the same as the employee records, we were able to determine some employees weren't the person associated with the phone. These needed to be eliminated or assigned to the correct person by the account manager.

The analyses did match up some 6% of the stipend employees to have an overlap with cellular phone and stipend. Some of the overlaps were corrected during the year and would be expected. The analysis brought about half of those as unresolved issues to the attention of the departments for review.
Some departments have been recently reviewing stipends against cell phone assignments. Some stipends took a long time to be turned off due to communication issues between departments. One department unilaterally removed all stipends for employees in December as they had signed those employees up for County phones.

Overall cost to the County for the employee stipends occurring in 2019 while having a County phone was around $2 thousand in stipends paid.

Recommendation 5
It is recommended for the County departments (in particular the Verizon account managers) to periodically receive a stipend report and review to make sure the individuals are not using a County provided phone.

Note: Prior recommendation to update the names for lines which would aid in this type of analysis. This analysis would not cover employees who have access to a group phone.

County departments are mostly using cost effective cellular contract pricing.

The County utilizes over 17 cellular contract pricing plans. The plans vary based on desired service levels and anticipated usage. Some departments have recently moved to available first responder plans which can include unlimited data and minutes at a price of $39.99. In reading the availability of this plan, other County departments were identified that could make use of the plan.

Plan pricing can vary significantly and can impact the nature of the equipment. Some departments were not aware of the new pricing plans and whether they were available to them.

With the significant number of County cellular lines and services it is possible cellular costs incurred through effective plan selection could be reduced.

Recommendation 6
It is recommended for departments to periodically review their cellular plans by line to align them with plan design, device, availability, usage, and cost.

County policies need to be updated for cellular phones/devices.

The County’s policies for cellular mobile devices look like they could be updated to address some of the issues for using your own devices as well as business practices for obtaining County owned devices/phones. Inherently, the stipend phones require much less oversight and policy than the County owned phones. However, the current trend has been to reduce stipends and increase County owned phones (See Graph VI and Graph VII).

The County’s policies for cellular phones and mobile computing devices are presented in the Cellular phone policy (BLDG-2) and Computer, e-mail, and mobile computing device use policy (IT-1). The cellular phone policy outlines the practices for stipend and County supplied phones and was last updated in March 2016. The IT-1 policy governs the usage of mobile computing devices and was last updated in July 2012. This policy does address smart phones and mobile computing devices such as an iPad. Since both of these policies were developed, there are now many more types of devices being utilized by County departments. County cellular devices now include various iPads, Galaxy notes, and jetpacks.

Some of the questions that do not appear to be fully addressed in policy include:

County phones/devices
• What are the business practices around obtaining County devices?
  o What are criteria and decision process for selecting the best cellular plans?
  o What follow-up on usage is performed?
• How much usage is deemed adequate to sustain usage?
• How do we make these devices secure for their intended uses?
• What restrictions and requirements are placed on software and operation of the device?
• If this is a phone assigned to a specific person, what is their role and does that come with some inherent restrictions and requirements placed on software and operation of the device?
• How does the County enforce the applications and usage of applications on the devices setup?
• How much management is required from departments?
• Does the applicability statement need to be widened for usage by non-County employees?

Stipend - employee phones
• What are appropriate levels of payment for incremental usage of an employee’s phone?
  o Should the highest level of stipend ever be more than providing a County phone?
  o Should there be value associated with the reduced level of administration support?
• What restrictions and requirements are placed on software and operation of the device?
• How do we make these devices secure for their intended County use?
• What is the employee’s role and does that come with some inherent restrictions and requirements placed on software and operation of the device?

The County is providing more than cellular phones with devices ranging from iPads and Galaxy notes as well as jetpacks that provide a data hotspot for the user. As indicated in the background section, the County composition of cellular services include 472 cellular phone lines; 91 Pad/note devices; and 65 jetpacks. The use of the cellular devices has been increasing with newer software programs used by departments and by adapting to technology that can be used in the field. These devices have the potential for providing significant work efficiencies and productivity. However, there has been no universal approach to how to safeguard County data and information that can be accessed from outside devices and computers.

The County, through the state contract, has significant leverage in obtaining a very low cost phone and plan. The average phone line paid for by the County is around $40. Often the phone is available at little to no cost. This is significantly below the estimated cost of two of the three stipends. The most used County cellular plans have unlimited data and minutes. Similarly, many employees have phone plans with unlimited or sufficient data and minutes for incidental County usage. It is not the intent of the stipend to pay more than the business usage of the phone. It seems reasonable the County should not pay more than it costs the County to provide a phone.

Paying a stipend to utilize employee personal phones for County business provides a convenience benefit for an employee and the County. However, stipended phones are not always a good fit for all employees due to exempt status and nature of work performed.

TABLE III: Full estimated cost to County of stipend levels

| | | | | Hypothetical $40 stipend cost |
|---|---|---|---|---|
| Stipend | $75 | $40 | $25 | $31 |
| Payroll Taxes | 6 | 3 | 2 | 2 |
| PERS | 18 | 9 | 6 | 7 |
| Estimated cost | $99 | $52 | $33 | 40 |

Table III shows that there is a much higher inherent cost to the stipend (from associated benefits) than the stipend alone. Therefore the $75 and $40 stipends are inherently more costly to the County than providing phones. The breakeven for a $40 cost is a $31 stipend. This indicates that we should reconsider the use of stipends at these higher levels for the incremental usage of employee phones. The stipends do reduce County administrative oversight needed, but with employee phones we may not be able to address the required protections.

The County's use of cellular services has proliferated with new devices that become part of the business processes for some operations. It is not clear that departments have re-evaluated the usage of devices after rolling them out, as there are a number of low usage lines across phones and devices. In addition, a number of departments have increased responsibility for protecting information (such as HIPAA). New software and technologies are constantly becoming available. Centrally, legal and information technology guidance is needed to guide departments and the County in assuring that technologies, software, data, and security are aligned to reduce County risk.
Some departments leverage the use of free phones (available in some cellular plans) that come with a new line of service as well as using available upgrades to replace lost, stolen, broken or old technology. In addition, the buyback program can provide additional resources to offset expenses.

The County can maximize utilization through monitoring and adjustment of the stipends and County issued phones. The County could also do more to address data risk through establishing sufficient protections for usage of phones/devices.

Recommendation 7
It is recommended for the County to consider updating policies regarding cellular devices to improve adherence to policy, reduce costs, and reduce risks. The policy improvements should consider addressing:
• relationship of stipend levels to the cost of cellular phone services to the County;
• developing plan selection criteria for business needs aligned with anticipated usage to right size costs;
• developing legal and information technology framework to assure that technologies, data, and security are aligned and appropriate given the rise in new technologies and software;
• criteria for selecting between employee phone (stipend) and County owned phone;
• monitoring and modification of plan levels (including elimination of devices) for actual usage below anticipated;
• utilizing free devices and upgrades to maintain the level of technology as well as getting credits for devices sold back;
• establishing when devices require mandatory applications and restrictions from modification for protecting data; and
• addressing applicability of policy to non-employee users.

Recommendations 8 and 9
It is recommended the County consider how to address the risks that come with allowing mobile device access or external computer access to internal County information and who and how the risks will be mitigated.

It is recommended the County provided forms for cell phone allowance be updated to reflect any updated policy language.

3. Management responses

County Administration
Tom Anderson, County Administrator

County Counsel
David Doyle

A few points.
(1) All county phone users – actual phone and stipend folks – should be aware that cell phone logs are subject to public records production; also, voicemail messages and text messages, if they concern county matter, and if they are actually on the phone at time of a request, are most likely subject to public records production.
(2) If the vendor will supply a smart phone with services, at cost that is less than the stipend that we pay to employees, why not convert 100% to county supplied phones?

Chief Financial Officer
Greg Munn

Good analysis. Two things on my “list” since arriving here related to cell phone stipends.
1. It is possible to run stipends through AP instead of payroll. I made that change at the ESD and it saved the organization some money (payroll tax/PERS). The impact here would be significant as we spend a lot more on stipends.
2. At some point we should ask the question whether we should pay stipends or not. Any more (almost) a cell phone is a tool of the trade and very common.

I think a periodic review of the usage needs of stipend receivers vs policy is a good idea. It seems like an area that we wouldn’t want to have any discrepancies.

{IRS MEMO to field examination operations dated 9/14/2011 – Interim Guidance on Reimbursement of Employee Personal Cell Phone Usage in light of Notice 2011-72}

INTERNAL AUDITOR COMMENT: Great suggestion. It is possible the stipends could be considered nontaxable based upon additional research on this matter.
Cell phone stipends provided for business use of personal phone could be nontaxable to the employee if
• The stipend is not meant to be compensation;
• Required by employer to carry out business;
• The personal cell phone plan is sufficient for business needs;
• Reimbursement amount should not exceed actual charges incurred to maintain the cell phone; and
• Employee must return any excess or it would be deemed taxable.

Employer may treat stipends as taxable and the employee could claim a personal tax deduction or the employer could treat as non-taxable and not include it in wages (and not subject to associated payroll tax and fringe benefit costs). The latter would provide the least cost to the County.

Road Department
Chris Doty, Road Department Director

I would like to supply comments specific to the stipend portions of the audit. The Road Department almost exclusively utilizes and prefers the stipend program, for a variety of reasons. It is not just convenience of not carrying two cell phones; it is the reliability of reaching someone after-hours and weekends when it is their personal phone. As the transportation system is a quasi-utility (24/7/365 service), this is very important to us. It also provides for customer service opportunities during after-hours and weekends; customers rarely expect an after-hours or weekend response and their expectations are exceeded when they are contacted by a government agency outside of traditional business hours.

I support all of the recommendations contained in the audit but do want to note there are many positive aspects of maintaining a properly administered stipend program that were not necessarily noted in the audit (but presumably will be noted in the fulfillment of the recommendations).

Thank you for the opportunity to comment.
Health Services
Chris Weiler, Operations Manager

County technology, data or process related policies that rely on silo’d Department implementation are fundamentally at risk because there is no universal coordination and/or support between Departments. Case in point, cell phones are computers. Health Services can make decisions on how PHI is protected within the Department but the risk to control data is real if there is no coordination. Take email, for example: as long as the County allows outlook.deschutes.org to be accessed by any private device, Protected Health Information (PHI) emails can be accessed regardless of what Health Services as a Department does to protect PHI. Consider when Health Services devices restrict access and data back up to the iCloud but the Sheriff Department may allow iCloud back up. When these County Departments communicate to each other, even if they use County issued cell phones, PHI may end up in the iCloud because one Department treats cell phones (or computers) differently. As you are aware, the iCloud is not HIPAA compliant and managed by a third party.

Cell phones, tablets or any device that can access networks or the internet are not universally managed by the County. Instead Departments are asked to manage and support these devices with some Departments having no subject matter experts to manage the responsibilities. However, to actually manage all risks and to create uniform expectations that can be reasonably supported, Health Services and other Departments would benefit from a County-wide approach to managing cell phones and many other hardware and software solutions including cell phone applications.

Consideration to allow private cell phones to be used for County business is not sufficiently vetted.
Until the County explores what other technologies are used, particularly by the private sector, to control their data, Departments will be increasingly burdened by considerable cost and staff time to manage cell phones. Unless the use of private cell phones is not considered, the County will be in a chronic cycle to manage cell phones, applications, technology changes, and the asset acquisition to disposal process. There may be an opportunity to avoid this logistical responsibility by offering new solutions that will work using private cell phones or equipment that will meet County expectations to control data.

Employee privacy and practical expectations to keep a County cell phone on hand are universal issues that should be addressed as such. The employment expectation to carry a County cell phone especially for exempt employees or after normal work hours is not universally understood. Allowing private cell phones to substitute for County issued equipment is an option and should be explored by the County and not by Department.

Health Services will directly financially and operationally benefit from County-wide coordination and support into this issue because of the size and scope of our Department’s reliance on cell phones, applications and other like equipment.

Community Development Department
Sherri Pinner, Senior Management Analyst

I reread the report and agree with your recommendations.
Recommendation #1 - We perform a periodic review of our phone lines and usage in an effort to avoid overcharges.
Recommendation #2 - We use the suspend feature when needed, but I’m not sure if staff realize the phone is reinstated after 90 days. I’ll copy {staff} on this email as {they} monitor our phone lines.
Recommendation #3 – We reissue phones when staff are terminated.
Recommendation #4 – We identify staff names on the Verizon account.
Recommendation #5 – I request a report annually during the budget process. More frequent would be appreciated.
Recommendation #6 – We monitor our phone usage to avoid overcharges.
Recommendation #7 – Policy improvements would be a benefit.
Recommendation #8 – Agree
Recommendation #9 – Agree.

{End of Report}

Please take a survey on this report by clicking on the attached link: https://www.surveymonkey.com/r/Cell_Phone_Analyses

If you would like to receive future reports and information from Internal Audit or know someone else who might like to receive our updates, sign up at http://bit.ly/DCInternalAudit.