BOARD OF SUPERVISORS
BUDGET ANALYST
1390 Market Street, Suite 1025, San Francisco, CA 94102 (415) 554-7642
FAX (415) 252-0461

October 3, 2007

Honorable Tom Ammiano,
and Members of the Board of Supervisors
City and County of San Francisco
Room 244, City Hall
1 Dr. Carlton B. Goodlett Place
San Francisco, CA 94102-4689

Dear Supervisor Ammiano and Members of the Board of Supervisors:

The Budget Analyst is pleased to submit this Management Audit of San Francisco's Information Technology Practices. This management audit of the City's information technology practices was conducted by the Budget Analyst, pursuant to the Board of Supervisors' powers of inquiry as defined in Charter Section 16.114. The purpose of the management audit has been to: (i) evaluate the economy, efficiency and effectiveness of City departments' information technology practices; and (ii) assess the appropriateness of established goals and objectives, strategies and plans to accomplish such goals and objectives, the degree to which such goals and objectives are actually being accomplished, and the appropriateness of controls established to provide reasonable assurance that such goals and objectives will be accomplished.

The management audit was conducted in accordance with Governmental Auditing Standards, 2003 Revision, issued by the Comptroller General of the United States, U.S. Government Accountability Office. The management audit staff presented applicable draft report findings and recommendations to each of the respective City departments included in the audit on August 18, 2007. Subsequent to careful consideration of the additional information provided by each of the departments after submission of our draft report findings and recommendations, the management audit staff prepared the final report. The Department of Telecommunications and Information Services has provided a written response to the Budget Analyst's Management Audit of San Francisco's Information Technology Practices, which is appended to the management audit report, beginning on page 61.

City Department's Information Technology Processes

In FY 2006-2007, the City and County of San Francisco expended more than an estimated $173 million on its information technology systems, including personnel, hardware and software, and contracts with third-party vendors. Yet despite such significant expenditures, the City has very limited central oversight over these information technology expenditures. Instead, City departments are left to develop and implement information technology systems with inconsistent guidance on such things as total cost of new systems; type, quantity, and quality of operating systems and hardware; project management; maintaining inventories; and information security.

Rather than the City taking a forward-thinking approach and implementing systems that coordinate efficiently across departments and that are responsive to the ever-changing industry of information technology, the City continues to let individual departments attempt to maintain basic functionality on their own, barely managing to keep up with a dynamic and exponentially growing industry and the demands of a citizenry that expects more and more with each new technological development.

City departments, and by extension the City overall, place a higher priority on immediate service delivery over long-term information technology systems functionality. As a result, most technological upgrades happen only when required to do so by law or because the existing systems have failed. Departments have little incentive, financial or otherwise, to willingly develop or deploy information technology systems that exceed a bare minimum threshold and few departments have a mature enough approach to their information technology to have the necessary planning processes which would allow them to plan with a long-term approach.

As a result, citywide information technology planning, processes, and projects occur quite differently from department to department, resulting in redundant systems and lost opportunities for best practices improvements as discussed in the following Sections 1 through 6 of this report.

The Committee on Information Technology is the only City body tasked with a leadership role in coordinating departmental efforts in the use of new information technology systems. The Committee on Information Technology is comprised of 10 City employees, including (a) six department heads, one from each of six service areas; (b) the Mayor's Finance Director; (c) the Controller; (d) the Director of the Department of Telecommunications and Information Services; and, (e) one member of the Board of Supervisors. For the past year, the Committee has been chaired by the Director of the Department of Telecommunications and Information Services. The Committee's lack of a specifically planned citywide coordination role pertaining to information technology systems from 2003 through 2006 until its recent reorganization in 2007 has resulted in departments operating with virtually no guidance or direction in the development of their information technology systems.

This report contains six findings and 32 recommendations, of which 29 are directed to the Chair of the Committee on Information Technology or the Director of the Department of Telecommunications and Information Services. Two of the 32 recommendations are directed to the Office of Contract Administration and the Controller respectively. One recommendation is directed to the Board of Supervisors, recommending adoption of an Administrative Code provision establishing a citywide information technology capital planning process under the direction of the Committee on Information Technology, as discussed in Section 4 of this report.

According to the written response provided Director of the Department of Telecommunications and Information Services and beginning on page 61 of this report, the Department agrees with (a) the 29 recommendations directed to the Department of Telecommunications and Information Services and the Committee on Information Technology, and (b) the two recommendations directed to and on behalf of the Office of Contract Administration, and the Controller respectively. In addition, the Director of the Department of Telecommunications and Information Services writes in response to Recommendation 4.1, which recommends that the Board of Supervisors should adopt an Administrative Code provision, establishing a citywide information technology capital planning process under the direction of the Committee on Information Technology, that "The COIT Planning and Budgeting Subcommittee has approved a revised COIT budget technology planning process and budget process which includes the citywide capital technology needs. The Chair of COIT has drafted a set of proposed changes to the administrative code regarding the citywide technology capital planning and budget process. It is anticipated that the proposed administrative code changes will be presented to the Board of Supervisors prior to December 2007."

The Budget Analyst recommends that the Director of the Department of Telecommunications and Information Services, who also serves as the Chair of the Committee on Information Technology, report back to the Government Audit and Oversight Committee in March, 2008 on the status of these recommendations, to ensure that implementation is in fact occurring in a timely manner and in accordance with the findings and recommendations of this report.

Of the $173 million in FY 2006-2007 information technology expenditures, an estimated $90 million is funded by General Fund. Improving the City's information technology practices and performance by just five percent, a realistic and achievable objective, would yield a value of approximately $4.5 million, including direct cost savings and improved effectiveness.

The following sections summarize our findings and recommendations.

1. Information Technology Planning and Purchasing

The City's process for planning and purchasing information technology systems is totally inadequate. Each City department plans for and purchases information technology in a manner specific to each department and independent of other departments. The City's 1996 Strategic Plan for Information Technology recommended that the City assess its information technology systems, including an inventory of all citywide systems, current projects and available technical skills.

However, eleven years later, in 2007, a citywide assessment process still does not exist and, in fact, most City departments have neither (a) policies and procedures for inventorying existing information technology systems; nor, (b) a strategic plan that is either specific to their information technology systems or includes specific information technology objectives.

While most departments report some baseline information technology funding available for maintenance of existing systems, they also report inconsistent funding availability for information technology improvements and upgrades from year to year. This process of erratic and inconsistent funding from year to year has hampered departments' ability to develop information technology systems strategic plans, and project plan timelines; or quantifiable information technology objectives.

For example, the Recreation and Park Department has a Strategic Plan for Information Technology that is approximately three years old which is specific in its analysis and recommendations, but the Recreation and Park Department has not utilized the specific information contained in the Strategic Plan to provide explicit direction for information technology planning and purchasing processes.

Two examples of planning being driven by funding availability are the Department of Human Resources and the Office of the Assessor-Recorder. Although industry standards call for the replacement of computers every three years, the Department of Human Resources replaced no computers in FY 2006-2007 and FY 2007-2008. In FY 2005-2006, the Department of Human Resources, which currently has approximately 150 computers in use, purchased approximately 110 new computers to replace existing computers by leveraging the unexpended balance on its existing work-order with the Department of Telecommunications and Information Services. Were it not for the available balance on the work-order with the Department of Telecommunications and Information Services, the Department of Human Resources claims that it would not have had the funding available for such computer replacement. The Office of the Assessor-Recorder, with approximately 120 computers, has replaced approximately 20, or 16.7 percent, of these computers in the past two years, which is equivalent to an unacceptably high 12-year replacement cycle. The Assessor-Recorder has been authorized 31 new computers in its FY 2007-2008 budget.

In contrast to disparate planning processes across City departments, citywide procurement processes now tend to be more consistent, as a result of a centralized Office of Contract Administration which oversees all information technology purchases and professional services agreements, primarily through the City's Computer Store.

While City departments often utilize the same software applications, departments have their own software licenses, potentially resulting in higher than necessary licensing costs citywide. An effort by the Department of Telecommunications and Information Services to consolidate Oracle software licenses in 1998 resulted in increased centralized costs because many more licenses were purchased from Oracle than were required. Documentation provided by the Department of Telecommunications and Information Services to the Budget Analyst shows that, while the Department of Telecommunications and Information Services projected a first-year need of no more than 728 licensed users, the agreement entered into with Oracle had a minimum requirement of 1,000 licensed users in the first year. In fact, the Department of Telecommunications and Information Services represents that the City had only 500 total users in the first year of the agreement, or 50 percent less than the 1,000 licenses purchased from Oracle. Additionally, according to the Department of Telecommunications and Information Services Database Administrator's written notes regarding discussions with City department information technology managers about the Oracle licenses, the Committee on Information Technology "had pressure from Oracle to get things done".

The Department is again discussing with Oracle a citywide license agreement, but has begun discussions without directly engaging the other applicable City departments in the process. This method of negotiating with the vendor without directly engaging all applicable City departments creates an inherent disconnect between departments' needs and what the Department of Telecommunications and Information Services can offer.

The Airport had a contract with Alcatel, a private firm, to provide after-hours and weekend Help Desk information technology, which was awarded through a competitive bidding process in early 2006. In March of 2006, the Airport received Proposition J certification of such contract by the Controller that demonstrated that the contract costs would be less than Civil Service costs but the Airport withdrew this Proposition J certification. Thereafter, the Airport transferred the Alcatel contract into the Airport's existing contract with the San Francisco Terminal Equipment Company, LLC, or SFOTEC. Because SFOTEC is a not-for-profit entity and not a City agency, the Airport avoided the requirement that the Board of Supervisors approve the Controller's Proposition J certification of the Alcatel contract, although services provided to the Airport under the Alcatel contract did not change. Prior to transferring the Alcatel contract into the existing SFOTEC agreement, the Airport was invoiced by and made payments directly to Alcatel. Under the new arrangement, Alcatel invoices SFOTEC, which passes the invoice along to the Airport. The Airport subsequently submits payment for the invoiced amount to SFOTEC, which passes along the Airport's payment to Alcatel.

Such a practice amounts to a direct circumvention of the requirement that, prior to finalizing such a contract, the Board of Supervisors must approve the Controller's Proposition J certification, which stipulates that the costs of contractual services are less costly than the costs would be if such services were provided in-house by Civil Service employees.

2. Information Technology Project Management

The City lacks a consistent method to plan for and implement information technology projects, whether within City departments or among several City departments. The City does not currently have a working strategic plan for information technology. Until now, the Committee on Information Technology, which is intended to provide leadership and coordination to City departments, has not provided an effective process to plan and prioritize information system projects. A draft framework for a new system for prioritizing projects, which was released at the Committee on Information Technology's March 23, 2007 meeting while this management audit was in progress does not include any citywide technology goals and criteria for selecting projects.

Nor do City departments have a process for planning, financing and implementing information technology projects between departments, resulting in inefficient information technology processes and delays in implementing needed systems. For example, although the Assessor-Recorder and Treasurer-Tax Collector rely on similar data, these departments do not currently have an integrated system. Rather, they exchange data every few weeks, which needs to be corrected of errors or incorrect data, re-structured, and analyzed by each department, resulting in inefficient use of staff time.

Also, implementation of the Permit Tracking System has been delayed for at least two years primarily due to staff turnover, and lack of coordinated planning between the Department of Building Inspection and the Planning Department. In 2005 the Planning Department conducted a business process review but had to place the project on hold due to staff turnover in the Department of Building Inspection. In 2006 the Department of Building Inspection updated the Department's portion of the Permit Tracking System without consulting the City Planning Department. The Department of Building Inspection does not have an estimated date for implementation of the Permit Tracking System.

Consequently, the Planning Department will continue to lack automatic access to building permit data required for Planning Department functions.

Over the past six years, although several reports on the City's information technology infrastructure have recommended that the City create and adopt project management standards and tools to guide project implementation in departments, the Committee on Information Technology has not developed such standards. As a result, City departments lack guidelines to ensure efficient and effective information technology project management.

The Committee on Information Technology needs to take the lead in planning for the City's information technology systems, and coordinating projects and funding citywide and between departments. The Committee on Information Technology should also serve as a forum for City departments to exchange information and develop information technology project management policies and procedures.

3. The Justice Information Tracking System (JUSTIS)

The Justice Information Tracking System, or JUSTIS, is a project that was initiated in 1997, or 10 years ago. The purpose of the original JUSTIS project prior to 2003 was to (a) replace the City's existing, and outdated, Court Management System, which allows the City's criminal justice departments to share and track criminal justice information, such as arrests and convictions, (b) implement an integrated data warehouse, and (c) implement case management systems for individual criminal justice departments. However, the Sheriff's Department and the Police Department's case management systems were not part of the original JUSTIS project.

The original JUSTIS project was expected to take three years to complete at an estimated cost ranging from $14 million to $15 million. From 1997 to 2007, the JUSTIS project scope has increased to include the Sheriff's Jail Management System and the Police Record Management System and development of a centralized hub, connecting the Sheriff, Police, District Attorney, Public Defender, Adult Probation, and Juvenile Probation case management systems to allow sharing of criminal justice information. Yet, ten years later, the JUSTIS project is still not completed and by the end of FY 2007-2008, the JUSTIS project is expected to have cost more than $25.5 million, which is approximately $10.5 million or 70 percent more than the original estimated cost of $15 million.

Governance of the JUSTIS project was reorganized in 2003, more clearly defining the oversight role of the JUSTIS Governance Council, establishing a Technical Steering Committee, and assigning the Mayor's Office of Criminal Justice as the executive sponsor. The Governance Council retained a consultant, IT Project Methods, to facilitate the JUSTIS project. As a result, the goals of the project were more clearly defined, and a master project plan was developed,

However, a primary component of a successful information technology project - an executive sponsor - has still not been realized. Although the Mayor's Office of Criminal Justice was designated as the executive sponsor by the JUSTIS Governance Council, the Mayor's Office of Criminal Justice has never successfully implemented this role. The Mayor's Office of Criminal Justice has had four directors since 2003 and significant turnover in its finance and other staff. As a result, JUSTIS has lacked a single person or entity that is accountable for the JUSTIS project's successful completion.

Nor have any of the entities responsible for JUSTIS - the Department of Telecommunications and Information Services, the Mayor's Office of Criminal Justice, or the Governance Council identified and assigned a City project manager to oversee development of the JUSTIS project. Although an outside consultant, IT Project Methods, has assumed many project management functions, the consultant lacks the authority and accountability of an in-house City project manager.

Further, the JUSTIS project has lacked strong budget management from the beginning. At various times the Department of Telecommunications and Information Services and the Mayor's Office of Criminal Justice have been responsible for the JUSTIS budget. Originally, the JUSTIS budget was commingled with the Court Management System budget, overseen by the Court Management System Committee, and tracked by the Department of Telecommunications and Information Services. The Mayor's Office of Criminal Justice took over budget management of the JUSTIS project in FY 2004-2005 but lacked financial staff and never implemented a financial tracking system, resulting in transfer of budget management for the JUSTIS project to the Department of Telecommunications and Information Services. Throughout the JUSTIS project's ten-year history, problems have occurred in budget management, tracking grants and paying invoices. Operating and development costs have been inappropriately combined in each year's budget, due to the expectation each year that the development phase was near completion with only operating costs remaining. Because components of the JUSTIS project were not completed in the expected timeframe, costs that were initially budgeted as "operating" were in fact "development" costs.

Although the JUSTIS hub connection and server consolidation are expected to be completed in FY 2007-2008, timelines to connect the departments' case management systems have not been met and full project implementation is not ensured in this fiscal year. Thus many of the goals of the project, including information sharing, criminal justice data mapping, improved reporting and analysis, and decommissioning of the Court Management System, have not been met. This is significant because actual project expenditures through FY 2006-2007 were nearly $16.8 million of the total $25.5 million appropriation.

In summary, the JUSTIS project and budget have been open-ended, with neither a firm completion date nor project budget, and as noted above, the project is still not complete, has been extended by an estimated seven years beyond the original three-year project timeline, and will cost at least an estimated $10.5 million or 70 percent more than the original project cost of $15 million.

4. Information Technology Resources

The City's current procedures to allocate information technology staff and other resources to individual departments are highly inefficient. Staffing and resource decisions are made on a department-by-department basis without consideration of the City's overall information technology needs.

In the absence of a Citywide plan for information technology staff or criteria to identify staffing needs, City departments hire information technology staff outside of the budget and civil service classification process. Consequently, departments frequently assign staff to work out of class or hire information technology staff into vacant non-information technology positions. For example, according the Information Technology Director in the Department of Public Health, the Department of Public Health is hindered by not being able to change classifications or reclassify vacancies to meet department needs; many staff are working out of class because their skills have developed over time without having been promoted, and there is a noticeable loss of staff to other departments.

Information technology position responsibilities change due to technology shifts, but departments do not redefine position responsibilities and train incumbents to meet these responsibilities. The Budget Analyst found in prior management audits of the Public Utilities Commission in August 2005 and the Department of Public Works in January 2007 that information technology staff skills were not aligned with the departments' information technology needs.

As noted above, the Committee on Information Technology failed to function effectively from 2003 through 2006 and has only been reconstituted in 2007. Consequently, the City has lacked information technology planning, coordination and guidance.

City departments plan for their information technology projects in the absence of a citywide plan or criteria for implementing technology, often implementing systems that are underutilized, inefficient, or incompatible. For example, the Department of Administrative Services and the Department of Public Works, which are both part of the General Services Agency, have incompatible payroll systems as previously discussed in the Budget Analyst's management audit of the Department of Public Works. Both the Port and the Public Utilities Commission implemented maintenance management systems that were poorly utilized, as noted in the Budget Analyst's previous management audit reports, of April 2004 and August 2005 respectively. Further, the Port implemented an Oracle financial system that is incompatible with the City's general ledger system, FAMIS. The management audit recommendations to improve the Port's information technology functions were estimated to result in $405,000 in annual savings.

The Committee on Information Technology needs to assume a more formal role in developing a citywide information technology plan and serving as a forum to exchange information.

5. Information Systems Security

No City department or entity is responsible for overseeing the City's information systems security, resulting in inconsistent and inadequate system security in City departments. Only 14 of 55 City departments, or 25.4 percent, have information system security plans, and of these 14 departments, the plans are often incomplete. Of these 14 departments' security plans, seven or 50 percent lacked at least one of the three elements of an effective security program, including (a) system architecture, (b) planning and (c) implementation, and five, or approximately 36 percent, lacked any of these three elements. As a result there is an unacceptably high level of risk that the City's information systems could be compromised through unauthorized access.

In a review of ten City departments¹, only four had assessed the vulnerability of their information systems to unauthorized access. These vulnerability assessments found that department employees entered confidential data into their personal data drives; vendors and contractors had broad access to department information systems; and the public had broad access to the internet on public access computers. According to one department's Information Technology Director, although the department maintains important public and financial records, the department lacks sufficient resources to ensure that the department's information is secure and protected from unauthorized access to financial records.

None of the ten City departments consistently implemented policies and practices to protect their systems' security. Although one department has a policy to install and update anti-virus software on each workstation and server, the department's review of its own practices found that not all workstations and servers had current security patches and anti-virus definitions, leaving the workstations vulnerable to unauthorized access or virus infection.

The City lacks a specific personnel classification that is responsible for departments' information system security functions or a set of core competencies required for information technology positions. Nine separate civil service classifications are responsible for security management, although information system security management is not included in the job description, skills or functions for most of these classifications.

Currently, the Department of Emergency Management, Fire Department, and Police Department participate jointly in the e911 system, but lack a formal decision-making process to determine how each department could link the City's administrative applications and the e911 system more efficiently without compromising system security.

This has resulted in (a) duplicate systems requiring manual extraction of data in the Fire Department, resulting in an estimated additional $70,000 annually in unnecessary costs and (b) segmented system applications and databases which fragment work flow and increase data entry and duplication errors, in the Police Department, resulting in unspecified additional unnecessary costs.

The Committee on Information Technology should develop decision-making guidelines for City departments that share information systems to allow more efficient management of these systems. This is especially important as the need for City departments to share systems increases in order to provide better public services.

6. Information Technology Systems Inventory Management

There are no citywide policies, procedures, or standards for safeguarding and accounting for computer equipment, or for replacing computer equipment. Although the Committee on Information Technology and the Department of Telecommunications and Information Services are responsible to provide information technology leadership, they have not provided guidelines to City departments for better management of their information technology inventory.

Consequently, City departments lack uniform standards for maintaining and reporting on computer equipment inventories, and therefore, a central agency, such as the Department of Telecommunications and Information Services or the Committee on Information Technology, cannot access inventory information on a citywide basis for better management of citywide information technology systems. Computer equipment inventory reports from 13 City departments² varied significantly in the information that they provided, ranging from (a) those reports which only provided basic information, such as the equipment vendor, serial number, and model, to (b) those reports which provided additional information such as the name of the staff person assigned to each computer, the operating system version, and the date of equipment deployment.

Larger City departments, such as the Municipal Transportation Agency and Public Utilities Commission, have formal asset management tools to maintain and manage information technology systems and equipment. However, most City departments lack a formal method to manage their information technology assets, impairing their ability to forecast replacement cycles and future financing requirements.

Enterprise departments, such as the Airport and the Department of Building Inspection, with a consistent revenue stream, are able to replace or upgrade their information technology systems on a regular basis. However, General Fund-supported departments generally have much longer replacement cycles than enterprise departments. For example, the Fire Department has a 400 megahertz, Windows 95 desktop in its administrative office that takes several minutes just to load the computer's basic operating system. By contrast, every desktop computer within the Department of Building Inspection is less than one year old.

Because older equipment is only able to operate using older operating systems and older versions of applications, those departments with older computers generally support a greater number of operating system types and application types. For example, the Fire Department supports Microsoft Office versions 97, 2000, and 2003, and, therefore, Fire Department information technology staff must be able to support Microsoft Windows versions 95, 98, 2000, and XP, resulting in inefficient use of staff time.

The Department of Telecommunication and Information Services' Written Response

The Department of Telecommunication and Information Services provided a written response to the Budget Analyst on October 2, 2007, which begins on page 61 of the management audit report.

• In its written response, the Department agrees with all 29 recommendations directed to the Director of the Department of Telecommunications and Information Services or the Chair of the Committee on Information Technology. On page 1 of the written response, the Director states that "The audit recommendations are supportive of work underway by COIT and DTIS85Our responses are focused on the actions underway to implement the recommendations at the end of each chapter." In the written response, the Department has stated that 21 of the 29 recommendations are underway.
  
  Nevertheless, as we have recommended above, the Director of the Department of Telecommunications and Information Services, who also serves as the Chair of the Committee on Information Technology, should report back to the Government Audit and Oversight Committee in March, 2008 on the status of these recommendations, in order to ensure that implementation is in fact occurring in a timely manner and in accordance with the findings and recommendations contained in this report.

• On page 1 of the written response, the Director states that, "This report does not recommend changing the current City policy of technology autonomy of the departments. Therefore the responsibility for the implementation of COIT policy and guidelines will remain the direct responsibility of the individual departments." On page 3 of the written response, the Director states that, "It is clear that implementation is not just the responsibility of the Chair of the Committee on Information Technology or the Director of the Department of Telecommunications and Information Services. Rather, it is the responsibility of all departments and staff to support and work toward a common goal". On page 5 of the written response, the Director states that, "While most of the recommendations make good business sense, the report puts the responsibility of implementation of these recommendations either with COIT and/or DTIS. However, it does not address the overarching fact that neither COIT nor DTIS, by administrative code, or practical application, have the authority over citywide technology staff, project, budgets, policy, or performance".
  
  As noted on page iii of this report's Introduction Section, the Committee on Information Technology is the only City body tasked with a leadership role in coordinating the City's departmental efforts in the use of information technology systems. Further, as noted on page iii of the Introduction Section, the Department of Telecommunications and Information Services has positioned itself as a service provider to departments for their information technology needs. Therefore, the Budget Analyst has directed this report's recommendations to either the Chair of the Committee on Information Technology or the Director of the Department of Telecommunications and Information Services, depending on whether the recommendation is intended to provide policy and oversight or operational improvements, to ensure that a specific official is responsible for implementation.
  
  However, on page iv of this report's Introduction Section, the Budget Analyst states that, "The City departments will need to be responsible for implementing three key recommendations - developing information technology strategic plans, conducting information systems security assessments, and implementing information technology inventory policies and procedures. Therefore, the Budget Analyst recommends that each City department report to the Board of Supervisors during the FY 2008-2009 budget review on the status of (a) preparing their information technology strategic plans, (b) conducting information systems security assessments and implementing security procedures, and (c) implementing information technology inventory policies and procedures." Further, as noted on page 1 of the Attachment to this transmittal letter, containing the management audit report's recommendations, the Budget Analyst has clearly identified that Priority 3 recommendations "are directed to City departments and are specific to intra-department and inter-department information technology projects or planning for projects and systems. Therefore, the respective City departments should demonstrate implementation of these recommendations when requesting funding for projects and implementation of information systems."

• In the written response, the Director of Telecommunications and Information Services has stated that implementation of three recommendations may require additional funding as follows:
  
  In response to Recommendation 1.1, recommending that the Chair of the Committee on Information Technology, "request each City department to develop an information technology-specific strategic plan which provides specific, quantifiable goals within a timeline that the department can check against actual outcomes," the Director of Telecommunications and Information Services states that, "This initiative may require additional funding in FY 08-09 to provide expert training to each department staff in the development of department technology plans."
  
  In response to Recommendation 1.6, recommending that the Director of Telecommunications and Information Services, "develop a process to continually solicit feedback from City departments in order to determine the most-appropriate technological offerings of any enterprise license agreement and then negotiate lower license costs by aggregating all City departments' total information technology needs", the Director of Telecommunications and Information Services states that, "DTIS will solicit input from departments on specific product and contract needs as part of the business case development process for each of the COIT approved enterprise agreements. This may require additional funding in FY 08-09 as the staff position requested by DTIS in the FY 07-08 budget process to focus on enterprise agreement contracts was not funded."
  
  In response to Recommendation 6.4, recommending that the Chair of the Committee on Information Technology, "request all City departments' directors to maintain information technology inventories consistent with the Committee on Information Technology's standards", the Director of Telecommunications and Information Services states that, "The cost associated will the implementation of any tools to meet this requirement will be included as part of the COIT FY 08-09 budget process."

If the Department of Telecommunications and Information Services requests additional resources in the FY 2008-2009 budget to implement these recommendations, the Department will need to provide additional justification for such requests, including identifying process improvements, efficiency gains, or cost savings resulting from such requests.

We would like to thank the staff of the Department of Telecommunications and Information Services, and various representatives from other City departments for their cooperation and assistance throughout this management audit.

Respectfully submitted,

Harvey M. Rose

Budget Analyst

1 These ten departments are: Treasurer/Tax Collector, Assessor/Recorder, Elections, Recreation and Park, General Services Agency, Human Services Agency, Building Inspection, Planning, Public Health, and Fire.

2 These 13 departments include: Fire, Juvenile Probation, Airport, Municipal Transportation, Building Inspection, Planning, Human Services, Public Health, Recreation and Park, Assessor-Recorder, Treasurer-Tax Collector, Elections, and Human Resources.