Information Technology as Part of an Airport’s Annual Financial Audit
By Sheila A. Dugan, C.M.
Florida statutes require the city of Naples Airport Authority (NAA) to publish a complete set of financial statements that conform with Generally Accepted Accounting Principles and
are audited by a firm of licensed certified public
accountants. Historically, this audit did not include
information technology (IT) in the scope of work. In
2009, however, the audit firm notified the NAA that
it would conduct an IT audit.
The results of this first IT audit not only
were frustrating to NAA managers but also
led to a management letter from the audit
firm recommending improvements to the IT
environment as it related to financial operations.
Little did we realize when we began implementing
the recommendations that we also would provide
added security for our entire IT environment.
The less-than-stellar results of the first IT
audit prompted immediate reaction from upper
management. Our executive director was adamant,
making it very clear to the NAA staff, “New
procedures will be developed and implemented,
and management will ensure compliance by all.”
The NAA’s IT expertise was limited, written
IT procedures were very basic, and the IT staff
was one person, responsible for all of the NAA’s
IT needs. It was clear that outside assistance was
needed. A firm with a broad range of IT expertise
was brought onboard through a competitive-
selection process. The selected consulting firm was
well qualified to recommend and help implement
up-to-date IT security enhancements, equipment
assessments and control procedures.
The consultant stressed the importance of
involvement from other NAA departments in
writing new IT control procedures. Staff members
from finance, facilities and human resources all had
parts to play. The IT manager was familiar with the
NAA’s IT assets and took the lead in developing
the technical aspects of the procedures. Because
the finance director and IT manager were familiar
with the accounting software applications and
procedures related to purchasing, capitalization,
depreciation and surplus property, they assisted in
writing and reviewing IT procedures that fell into
these areas, as well as modifying existing finance
procedures as needed. The facilities director knew
the NAA’s physical plant and provided oversight to
the IT manager. Human resources had a substantial
role in this process, as many of the procedures
were integrated into the NAA’s personnel manual,
and some required employee-acknowledgement
documentation for personnel files.
During periodic meetings, the team discussed
how to handle procedures that could affect users
of the IT systems. For example, password
protocols for computers and handheld devices were
made consistent for all employees, tighter Web filter
controls were implemented, and user access and
access levels for financial software were tightened.
The team then presented recommendations
to the executive director for his input before
procedures were finalized and implemented.
The IT manager, working with the consultant,
made the necessary technical changes and updates
to the IT systems and general applications.
The finance director and finance manager
adjusted employee access and access levels and
implemented password-security protocols for the
financial software. Human resources disseminated
specific procedures to staff and ensured the
required signed documents were returned. Each
NAA manager and director was responsible for
training his or her respective department and
answering related questions.
Since access to both financial and non-financial
applications and information was based on the
least-privilege principle, the IT manager, finance
director and finance manager were prepared
to assist staff when they were unable to access
information necessary to complete their job duties.
This proved to be the most difficult portion of the
implementation phase, as some staff perceived the
limit on access as a lack of trust. It took patience
and understanding from both management and
staff to work through the access issues.
One of the most important issues was control
of accounting-application access by IT versus the
finance department. Before the first IT audit, the
IT manager had full access to all IT equipment,
systems and applications. This created a situation
in which one person had “the keys to the kingdom”
and unintentionally could make a change that
could impact the reliability of the financial data.
Under the new protocols, when IT requires access
to install updates or security patches to the financial