ActiveNet is recreation management software used primarily by Community Services. It is used for cashiering, facility reservations, membership management, and program or class scheduling and registration. The City Auditor’s Office contracted with IT audit specialists from Myers & Stauffer LC to conduct the audit. ActiveNet is a Software-as-a-Service application, which means that the vendor is responsible for hosting the application and storing and securing the City’s data. ActiveNet also processes credit card payments made through its cashiering system.
Overall, the audit found that application controls were reasonably designed and implemented, and it identified several areas where the Technology Group can strengthen its practices. Policies and procedures regarding system access controls could be expanded and formalized to ensure that system permissions are aligned with the documented permissions matrix that has been reviewed by stakeholders, training is completed prior to authorizing access, and generic and stale user accounts are reviewed and deactivated if necessary. Also, because ActiveNet is a cloud-based application accessible from any internet-enabled device, policies should be established regarding staff’s off-site use of the application, and procedures should be reviewed for timely removal of terminated employees’ access.
Improvements can also be made in:
- policies and training to protect personally identifiable information (PII),
- regular monitoring and enforcement of vendor security compliance reporting requirements,
- obtaining additional activity reports,
- activating system controls that require supervisor approval of refunds,
- formalizing incident response plans, and
- data loss prevention monitoring.