The URL can be used to link to this page

105-Auditor's Report.pdf CITY OF CUPERTINO Report to the City Council Fiscal Year Ended June 30, 2010 CITY OF CUPERTINO Report to the City Council Fiscal Year Ended June 30, 2010 Table of Contents Page(s) Transmittal Letter ....................................................................................................................................... i Required Communications ........................................................................................................................ 1 Schedule of Comments and Responses ...................................................................................................... 3 Schedule of Uncorrected Adjustments .................................................................................................... 13 City Council City of Cupertino, California In planning and performing our audit of the financial statements of the governmental activities, the business-type activities, each major fund, and the aggregate remaining fund information of the City of Cupertino (City) as of and for the year ended June 30, 2010, in accordance with auditing standards generally accepted in the United States of America, we considered the City’s internal control over financial reporting (internal control) as a basis for designing our auditing procedures for the purpose of expressing our opinions on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of the City’s internal control. Accordingly, we do not express an opinion on the effectiveness of the City’s internal control. Our consideration of internal control was for the limited purpose described in the preceding paragraph and was not designed to identify all deficiencies in internal control that might be significant deficiencies or material weaknesses and, therefore, there can be no assurance that all such deficiencies have been identified. However, as discussed below, we identified certain deficiencies in internal control that we consider to be significant deficiencies. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A material weakness is a deficiency, or combination of deficiencies in internal control, such that there is a reasonable possibility that a material misstatement of the City’s financial statements will not be prevented, or detected and corrected on a timely basis. We did not identify any deficiencies in internal control that we consider to be material weaknesses. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. We consider Item #2010-1 in the City’s internal control to be a significant deficiency. In addition, we noted other matters involving internal controls and its operations that we have reported to management as described in the Schedule of Comments and Responses. The City’s written responses to the comments identified in our audit are described in the Schedule of Comments and Responses. We did not audit the City’s responses and, accordingly, we express no opinion on them. In addition, we have already discussed our comments and recommendations with the City’s management, and we would be pleased to discuss them in further detail at your convenience, to perform any additional study of these matters, or to assist you in implementing these recommendations. Additionally, we have included in this letter a report on communications to the City Council, as required by auditing standards generally accepted in the United States of America. i This communication is intended solely for the information and use of management, the City Council, and others within the organization, and is not intended to be and should not be used by anyone other than these specified parties. Certified Public Accountants Walnut Creek, California November 17, 2010 ii CITY OF CUPERTINO Report to the City Council Fiscal Year Ended June 30, 2010 REQUIRED COMMUNICATIONS We have audited the financial statements of the governmental activities, the business-type activities, each major fund, and the aggregate remaining fund information of the City of Cupertino (City) for the year ended June 30, 2010 and have issued our report thereon dated November 17, 2010. Professional standards require that we provide you with information about our responsibilities under generally accepted auditing standards and, Government Auditing Standards and Office of Management and Budget (OMB) Circular A-133, as well as certain information related to the planned scope and timing of our audit. We have communicated such information in our audit plan to you dated June 14, 2010. Professional standards also require that we communicate to you the following information related to our audit. Qualitative Aspects of Accounting Practices Management is responsible for the selection and use of appropriate accounting policies. The significant accounting policies used by the City are described in Note 1 to the City’s basic financial statements. As described in Note 1(n) to the basic financial statements, the City adopted the provisions of Governmental Accounting Standards Board (GASB) Statement No. 51, Accounting and Financial Reporting for Intangible Assets, effective July 1, 2009. The statement requires that all intangible assets not specifically excluded by its scope provisions be classified as capital assets and provides authoritative guidance that specifically addresses the nature of these intangible assets. Intangible assets are disclosed as part of Note 6 to the basic financial statements. We noted no transactions entered into by the City during the year for which there is a lack of authoritative guidance or consensus. There are no significant transactions that have been recognized in the financial statements in a different period than when they occurred except for the restatement of net assets described in Notes 1(n) and 6 to record easements received in prior years in the amount of $16,962,925 as of July 1, 2009. Accounting estimates are an integral part of the financial statements prepared by management and are based on management’s knowledge and experience about past and current events and assumptions about future events. Certain accounting estimates are particularly sensitive because of their significance to the financial statements and because of the possibility that future events affecting them may differ significantly from those expected. The most sensitive estimates affecting the financial statements were: Fair value of investments. The City’s investments are generally carried at fair value, which is defined as the amount that the City could reasonably expect to receive for an investment in a current sale between a willing buyer and a willing seller and is generally measured by quoted market prices. Estimated valuation allowance for loans receivable. The valuation allowance on loans receivable was based on management’s estimate regarding the likelihood of collectability. Valuation for easements. The valuation was based on the City’s public records on the individual easement received and its estimated impact based on industry publications. Useful life estimates for capital assets. The estimated useful lives of capital assets were based on management’s estimate of the economic life of the assets. Valuation of the net other postemployment benefits asset. The net other postemployment benefits asset is the amount that exceeded the City’s actuarially determined annual required contribution, which is based upon certain approved actuarial assumptions. Annual required contributions to pension and other postemployment benefit plans. The City is required to contribute to its pension and other postemployment benefit plans based upon certain approved actuarial assumptions. Workers’ compensation liability. This liabilitywasbased on actuarial evaluations using historical losses and other data. 1 CITY OF CUPERTINO Report to the City Council Fiscal Year Ended June 30, 2010 REQUIRED COMMUNICATIONS (Continued) We evaluated the key factors and assumptions used to develop the accounting estimates described above in determining that they are reasonable in relation to the City’s financial statements taken as a whole. Difficulties Encountered in Performing the Audit We encountered no significant difficulties in dealing with management in performing and completing our audit. Corrected and Uncorrected Misstatements Professional standards require us to accumulate all known and likely misstatements identified during the audit, other than those that are trivial, and communicate them to the appropriate level of management. The accompanying Schedule of Uncorrected Adjustments summarizes uncorrected misstatements of the financial statements. Management has determined that their effects are immaterial, both individually and in the aggregate, to the financial statements taken as a whole. In addition, none of the misstatements detected as a result of audit procedures and corrected by management were material, either individually or in the aggregate, to each opinion unit’s financial statements taken as a whole. Disagreements with Management For purposes of this letter, professional standards define a disagreement with management as a financial accounting, reporting, or auditing matter, whether or not resolved to our satisfaction, that could be significant to the financial statements or the auditor’s report. We are pleased to report that no such disagreements arose during the course of our audit. Management Representations We have requested certain representations from management that are included in the management representation letter dated November 17, 2010. Management Consultations with Other Independent Accountants In some cases, management may decide to consult with other accountants about auditing and accounting matters, similar to obtaining a “second opinion” on certain situations. If a consultation involves application of an accounting principle to the City’s financial statements or a determination of the type of auditor’s opinion that may be expressed on those statements, our professional standards require the consulting accountant to check with us to determine that the consultant has all the relevant facts. To our knowledge, there were no such consultations with other accountants. Other Audit Findings or Issues We generally discuss a variety of matters, including the application of accounting principles and auditing standards, with management each year prior to retention as the City’s auditors. However, these discussions occurred in the normal course of our professional relationship and our responses were not a condition to our retention. Other Information in Documents Containing Audited Financial Statements Our responsibility for other information in documents containing the financial statements and our report does not extend beyond the financial information identified in our audit report. We do not have an obligation to perform any procedures to corroborate other information contained in these documents. The City includes its financial statements and our report in its Comprehensive Annual Financial Report (CAFR). However, we read the other information in the City’s CAFR and considered whether such information, or its manner of presentation, appearing in the financial statements. Nothing came to our attention that caused us to believe that such information, or manner of its presentation, is materially inconsistent with the information, or manner of its presentation, appearing in the financial statements. 2 CITY OF CUPERTINO Report to the City Council Fiscal Year Ended June 30, 2010 SCHEDULE OF COMMENTS AND RESPONSES Item # 2010-1 – Significant Deficiency #1 Recording Easements Generally accepted accounting principles require the City to report easements and other donated assets at fair value or estimated fair value at the time of acquisition. During our audit, we noted that the City had not recorded its easements along with its infrastructure assets as required with the City’s implementation of Governmental Accounting Standards Board (GASB) Statement No. 34, Basic Financial Statements - and Management's Discussion and Analysis - for State and Local Governments. As a result, the City’s beginning net assets and capital assets for governmental activities have been restated to correct this error and these balances were increased by $16,962,925. We recommend that the City annually evaluate its easements inventory to ensure that it is properly valued and recorded in its financial statements. Management Response The City concurs. The new GASB Statement No. 51 that went into effect this year clarified the requirement and the City has now complied through this restatement and ongoing evaluation. 3 CITY OF CUPERTINO Report to the City Council Fiscal Year Ended June 30, 2010 SCHEDULE OF COMMENTS AND RESPONSES (Continued) Item # 2010-2 – Other Comment #1 Lack of Comprehensive Information Technology General Controls Information technology general controls (ITGC) are intended to establish a framework of control over all aspects of computerized processing related to financial reporting and encompass functions such as the City’s information services organization and division of duties, changes to existing programs, and access to programs and data. ITGC are essential to maintaining the effectiveness of automated application controls over time. While we were obtaining an understanding of the ITGC as part of our audit, we identified certain areas for improvement as follows: 1.IT Strategic Plan – Entity-level computer controls require that IT strategic plans be developed that are closely aligned with the general business objectives of the entity. However, the City does not have a defined process in place to ensure the development of a comprehensive IT strategic plan that is aligned with the goals and objectives of the City as a whole. Without this alignment of goals and priorities for projects, effective and efficient IT project management cannot be assured. Recommendation: The City’s IT Manager, working in conjunction with the City’s Administrative Services Director and other major users of IT services, should be responsible for the development and implementation of an IT Strategic Plan. Alternatively, an IT Steering Committee should be formed, comprised of City Directors and/or major City Department heads. This plan should: Identify and prioritize IT initiatives. Be aligned with the goals and objectives of the City as a whole. Be periodically reviewed by the IT Manager and Administrative Services Director, or an IT Steering Committee, and periodically updated for continued relevance to strategic initiatives. Be periodically reported to City Council or the City Manager’s Office on progress made towards the initiatives. 2.System Acquisition, Development and Program Change Control Management - The objective of this portion of the review is to identify controls that ensure IT systems are acquired appropriately and implemented with minimal risk to the City’s data and assets. The City lacks formal change control management policy and procedures. IT general controls over change control management require that policies and procedures be implemented to ensure that all program changes are managed to ensure the accuracy and integrity of the financial data is maintained. Without this oversight, the City’s financial data is at increased risk of loss, lack of integrity, and inaccurate processing. The City currently tracks any program changes in the help desk application, Track-It. Policies and procedures, however, have not been documented within the City to ensure that program change control management is effectively implemented. Recommendation: The City’s IT Manager should develop and implement policies and procedures to ensure the following: Procedures are utilized to determine the impact of program changes on security, data integrity, performance and availability of the application. Program testing is restricted to an environment separate from production for all financial-related applications. Program updates are effectively managed to ensure the integrity of the program and data. 4 CITY OF CUPERTINO Report to the City Council Fiscal Year Ended June 30, 2010 SCHEDULE OF COMMENTS AND RESPONSES (Continued) Item # 2010-2 – (Continued) Procedures are in place to log emergency fixes and this log is regularly reviewed. All program changes are properly approved (by functional users and the IT Division) before they are moved to production. The process of moving programs into production is formal, well-documented, and has sufficient audit trails. Version control procedures properly document the current and a sufficient number of prior versions of each program in production. All program changes are appropriately documented. 3.Computer Operations - The objective of this portion of the review is to identify control issues related to computer operations. This includes the areas of physical security, production processing and back-up and recovery of data. The City IT staffing levels may be insufficient to support the IT functions. General controls require that adequate technical support be available to resolve user and processing problems in a timely manner. Staffing within the City IT office, however, may not be sufficient for the duties and responsibilities being required of the office. The IT office has four FTEs (including the IT manager) to support approximately 165 full-time City employees and approximately 150 part-time employees. Designated backup positions with appropriate skill sets, though, have not been developed. This has sometimes delayed the implementation of IT projects within the City and may place the City at increased risk of diminished IT support services in the future. Recommendation: The Administrative Services Director should have a workload and skill set analysis study performed to determine if there is any deficiency in staffing levels and as well as staff knowledge, skills, or abilities needed to support the City’s financial management systems. Based upon the findings, an appropriate mitigation plan should be developed, including the budgeting of an appropriate amount needed to acquire the personnel and/or training that may be required. 4.Server Room Protected by a Water-Based Fire Suppression System - Computer operations controls require that physical and environmental systems be implemented to assure IT assets are adequately protected from physical and environmental hazards. The City’s computer room, however, is serviced by a water-based fire-suppression system. This places the City’s IT assets and data at increased risk of water damage should a pipe burst or the fire suppression system be inadvertently activated. Recommendation: The City should budget and plan for the installation of a dry chemical fire suppression system to help ensure that the computer equipment is properly protected from fire hazard. Should implementing a dry chemical fire suppression system be too costly, the City should consider a dry-pipe water-based fire suppressions system. 5.Backup Data Tapes may be Subject to the Same Geographical and Environmental Hazards as the Primary Data Center - Computer general controls require that system and application data is backed up and stored separately. The storage of the backup data should be secured and maintained in an area that is geographically separate from the primary data center so as not to be subject to the same potential geographical and environmental hazards. The City currently stores its backup systems and application data tapes at a facility that is just three miles from the primary data center. This relatively close proximity may place the backup tapes to the same hazards and risks as the primary data center, increasing the risk that the data may not be recoverable in a timely manner. 5 CITY OF CUPERTINO Report to the City Council Fiscal Year Ended June 30, 2010 SCHEDULE OF COMMENTS AND RESPONSES (Continued) Item # 2010-2 – (Continued) Recommendation: The City’s IT Manager should investigate the risks posed to the backup tapes being stored in a close proximity to the primary data center. Industry best practices suggest a general distance of 20-30 miles. If the risk is found to be great, the City should find alternative storage services for backup tapes and is sufficiently geographically separated from the primary data center so as not be subject to the same hazards. 6.The City Lacks Formal Business Continuity and Disaster Recovery Plans - General computer operations controls require that an agency have developed and implemented disaster recovery and business continuity plans to provide contingency for unforeseeable events. The City, however, has not developed or documented formal plans on how its financial information and systems would be recovered in the event of a disaster or how the City’s business functions would continue to operate should the electronic data systems be unavailable for an extended period of time. Without comprehensive plans that have been thoroughly tested, the City cannot be assured that its financial systems and data can be restored, or that vital city functions could continue to be performed in the event of a disaster or if the electronic information systems were to be unavailable for an extended period of time. Recommendation: The City’s Administrative Services Director, working with the IT Manager and the other City Directors, should develop a committee for the purpose of developing a comprehensive business continuity plan. Incorporated into the plan should be procedures for the recovery of the electronic systems and data in the event of a disaster or an event that precludes or limits the use of the main data center. Once completed, the recovery plan should be tested periodically and updates made to the plan based upon the findings of the testing. 7.City Lacks IT Performance Metrics - Industry best practices require that the IT function in an organization be periodically assessed against pre-defined metrics in order to assess performance. The City IT office, however, has not established help desk performance measures or service level agreements (SLAs) with the functional user departments. Without defined service metrics and SLAs, the adequacy of technical support cannot be assessed. Recommendation:The City’s IT Manager, working in conjunction with the functional user departments, should work to establish quantitative performance measures and SLAs so that all functional users know of the level of support that can be expected. The performance measures may take the form of system and application availability times, help desk availability times, help desk response times, infrastructure incidents and mean time to resolve, etc. The performance measures should be periodically reported to senior City management and stakeholders. 8.Access to Programs and Data - The objective of this portion of the review is to ascertain those controls used to protect the electronic information from hazards and/or unauthorized persons. A comprehensive IT risk assessment has not been performed. General computer controls over the access to programs and data should require that a mechanism or procedures be in place to identify and react to risks arising from internal and external sources. A comprehensive means to identify IT risks is through the periodic performance of IT risk assessments. While the City has performed some limited assessments related to PCI (Payment Card Industry) compliance efforts, a formal comprehensive and independent IT risk assessment to help identify the risks to the delivery of IT services and the accuracy and integrity of the City’s financial and personnel data has not been conducted. 6 CITY OF CUPERTINO Report to the City Council Fiscal Year Ended June 30, 2010 SCHEDULE OF COMMENTS AND RESPONSES (Continued) Item # 2010-2 – (Continued) Recommendation: The City’s IT Manager should plan and budget for an independent IT risk assessment to be performed on the department’s functions. The risk assessment should focus on identifying all of the possible risks to the City IT department, the delivery of IT services and the accuracy and integrity of the City’s financial and personnel data. The risk assessment should quantify the likelihood of an event, the impact of the event and the mitigating controls that would address the possible risk. The risk assessment should also include network penetration testing to ascertain the vulnerabilities of the City’s computer network from hacking attempts. 9.Network and Application Password Standards Have not been Defined - General computer controls require that access to the IT network and applications be properly controlled. While the City has some password standards electronically enforced, they are not standardized or formally documented within written policy or procedures. Without formal requirements, password configuration standards may change based on administrator preference, rather than adherence to a City risk assessment or best practices. Recommendation: The City’s IT Manager, working with the Administrative Services Director, should develop and implement a formal administrative procedure requiring the use of passwords for accessing the City IT network and all financial applications. The administrative procedures should clearly define the minimum password configuration standard. Example: Minimum of eight characters Contains at least two numeric or special characters Expires after 45-60 days Five invalid logons will lock the account 10.Periodic Reviews of Application Authorization Roles Have not been Performed - Controls to ensure application user accounts are configured with appropriate authorization roles help agencies ensure that the electronic financial system is enforcing a proper segregation of duties. Within the City, however, there is no policy or procedure established to ensure user authorization roles are periodically reviewed for currency and appropriateness. Without this assurance, the City is at increased risk of fraud, waste and abuse. Recommendation: The City’s IT Manager, working with the City’s Finance Director, should develop and implement formal written policies and procedures to ensure that user accounts and roles within the financial applications are periodically reviewed, particularly after any update or patch is applied, to ensure the user accounts are up to date and enforce a proper segregation of duties. 11.Network and Application Administrative Accounts should be properly Authorized and Controlled - General computer controls over the access to programs and data require that network and application administrator accounts be properly authorized and controlled. Within the City, however, a single shared network administrator account is used by both the IT Manager and the Network Administrator. This increases the likelihood that should inappropriate activity occur within the network, it will not be able to be tracked back to a single individual. Recommendation: The City’s IT Manager should establish and implement policy defining which IT staff positions require network administrator access (Domain, Enterprise, Schema). Additionally, the policy should state that shared accounts will not be used within the network or applications. 7 CITY OF CUPERTINO Report to the City Council Fiscal Year Ended June 30, 2010 SCHEDULE OF COMMENTS AND RESPONSES (Continued) Item # 2010-2 – (Continued) Management Response The City’s responses to the recommendations listed above are as follows: 1.City Lacks an IT Strategic Plan - The City concurs with the recommendation. Staff supports the creation of an Information Technology Committee as the first step towards updating the Tech 2000 Plan, Cupertino’s IT Strategic Plan, to reflect the current goals and objectives of the City as a whole. The plan will be incorporated into the work program with annual updates done in conjunction with the budget process. 2.City Lacks Formal Change Control Management Policy and Procedures - The City concurs with the recommendation. Although the city never does any development on the financial server, there is a process in place for how the updates are accomplished. They include: Request the update from proprietary vendor; Receive preliminary documentation for the changes required and how they will be implemented; Make changes and/or approve preliminary documentation Receive detailed specifications; Develop in-training/testing of the database; Move tested application into production. Although logging is manual as of today, the city is currently implementing a contract for a log management and correlation product that will allow us to audit all changes to any system throughout the City automatically and without IT’s ability to change raw data. In addition, all requests for changes to the City firewall will go to the IT manager with the understanding that security implications will be discussed with IT staff prior to any changes made. 3.IT Staffing Levels may be Insufficient to Support the IT Functions - The City concurs with the recommendation and has expressed these concerns in light of new PCI compliance requirements. The 2010-11 Budget includes an appropriation for an RFP for a managed security service provider only. IT department would welcome a study to ensure we are staffed sufficiently for the amount of end users, computer and application systems that we support. With the current PCI/HIPAA Compliance initiatives creating an immense workload for current IT staff, this may also help support staff augmentation by hiring or contracting services for such things as security management. In the meantime, projects will be approved only if staffing is available. 4.Server Room Protected by a Water-Based Fire Suppression System - The City concurs with the recommendation. After discussing the logistics of changing out our fire suppression system in the main datacenter with the Public Works Dept., the following has been determined: County Fire requires that an evaluation of any change to our current suppression system. A rough estimate for a 10x10 room Halogen Battalion System would cost the city upwards of $20k. The Department will request this item in conjunction with our 2010-11 mid-year budget adjustment process. 8 CITY OF CUPERTINO Report to the City Council Fiscal Year Ended June 30, 2010 SCHEDULE OF COMMENTS AND RESPONSES (Continued) Item # 2010-2 – (Continued) 5.Backup Data Tapes may be Subject to the Same Geographical and Environmental Hazards as the Primary Data Center - The City concurs with the finding but not the recommendation. Advancement to the City’s Disaster Recovery (DR) efforts has already been addressed in the 2010-11 Budget. We currently are receiving quotes for Cloud services to host several of the City’s mission critical applications and data which would provide a remote location (farther than 30 miles) and possibly replace our current tape system (and its supply cost and maintenance). 6.The City Lacks Formal Business Continuity and Disaster Recovery Plans - The City concurs with the finding and has already completed much of the documentation needed for a Business Continuity Plan in conjunction with the PCI Gap Analysis project. City staff will evaluate city assets, assign priority to each and develop a comprehensive plan for its survival or replacement during a disaster. 7.City Lacks IT Performance Metrics - The City does not concur with the recommendation. Due to our size and the assured feedback from our users, it is an easy task to ascertain and measure our performance. Supplementing the above are the help-desk logs denoting date of request and resolution. In addition, the survey feature available with the new help desk system will help with feedback and service level. 8.A Comprehensive IT risk assessment has not been performed - The City concurs with the finding but believes we have implemented the recommendation. A PCI Gap Analysis was just completed, which listed the Compliance tasks associated with the biggest risk for the city, which is credit card acceptance. Much of the assessment was based on National Institute of Standards and Technology (NIST) guidelines which is also a standard amongst many of our other Public Agency peers. IT is in the process of maturing its security posture by developing relative policy, procedures, control systems, hardware and software acquisitions that would align us to these vetted standards. 9.Network and Application Password Standards Have Not Been Defined - The City concurs with the recommendation and is currently implementing a formal Password Policy. 10.Periodic Reviews of Application Authorization Roles Have Not Been Performed - The City concurs with the finding. Finance or IT staff will review user roles in the financial system on at least an annual basis using effective internal control concepts. For the number of users this City has, development of formal policies and procedures over this review may not be cost-beneficial. 11.Network and Application Administrative Accounts Should Be Properly Authorized and Controlled - The City concurs with the recommendation and believes our forthcoming Security Policy will formally outline roles and responsibilities and how assignments are made and managed. 9 CITY OF CUPERTINO Report to the City Council Fiscal Year Ended June 30, 2010 SCHEDULE OF COMMENTS AND RESPONSES (Continued) Item # 2010-3 – Other Comment #2 - Low and Moderate Income Housing Fund Excess Surplus Calculation California Community Redevelopment Law (Health & Safety Code) §33334.12(g)(1) defines excess surplus to mean any unexpended and unencumbered amount in an agency’s Low-Mod Fund that exceeds the greater of $1,000,000 or the aggregate amount deposited into the Low-Mod Fund during the preceding 4 fiscal years. As of June 30, 2010, the Redevelopment Agency’s Low and Moderate Income Housing Fund (Housing Fund)’s excess surplus is computed as follows: Total TaxSum of TaxTotal IncrementsIncrements inUnencumbered FiscalDeposited inHousing Fund fromBalance in HousingExcess Year (FY)Housing FundPrevious 4 FYsFund at End of FYSurplus 2005/200646,419$ -$ 2006/200746,819$ -$ 2007/200855,067$ -$ 2008/2009307,170$ -$ 2009/2010455,475$ 842,707$ -$ Based on the Housing Fund’s fiscal year 2010/2011 budget, the Redevelopment Agency is projected to increase its fund balance at the end of year and be close to having an excess surplus. When agencies have an excess surplus it must either: (1) transfer excess surplus to the local county housing authority within one year or (2) spend or encumber all the remaining excess surplus within two additional years from the time limit given to transfer funds to the county housing authority. If excess surplus is not eliminated within three years, penalties apply. Excess surplus penalties, per Section 33334.12(e), include: (1) limiting an agency’s actions such as preventing the agency from encumbering and spending its funds and (2) charging the agency’s other (non- housing) funds an amount equal to 50 percent of the amount of excess surplus that must be deposited to the Low-Mod Fund. As the City’s Redevelopment Agency accumulates funds for its future housing programs, it should consider plans to utilize these restricted funds within the time requirements. Management Response The City concurs with the recommendation. 10 CITY OF CUPERTINO Report to the City Council Fiscal Year Ended June 30, 2010 SCHEDULE OF COMMENTS AND RESPONSES (Continued) Item # 2010-4 – Other Comment #3 - Implementation of GASB’s Fund Balance Reporting and Government Fund Type Definitions Statement In February 2009, the GASB issued Statement No. 54, Fund Balance Reporting and Governmental Fund Type Definitions (GASB 54). GASB 54 significantly changes the accounting and financial reporting for the City’s fund balance classifications and categorization of individual funds. Under previous standards, the City’s governmental fund balances were organized into three categories: reserved, unreserved, and designated. The new standard replaces these with five classifications, establishing a hierarchy that is based on the extent to which spending constraints restrict how a government can use the funds. The five new classifications are: Nonspendable fund balance. This includes amounts that are not in a spendable form, such as inventory or prepaid expenses. It also includes amounts that are required to be maintained intact, such as the principal of an endowment fund. Restricted fund balance. This includes amounts that can be spent only for the specific purposes stipulated by external providers, such as grant providers or bondholders, as well as amounts that are restricted constitutionally or through legislation. In other words, these are funds that are restricted by authorities outside the City itself, and these restrictions may be changed or lifted only with their consent. Committed fund balance. This includes amounts that can be used only for specific purposes that are determined by a formal action of the City Council. These commitments may be changed or lifted, but only by the same formal action that was used to impose the constraint originally. Assigned fund balance. This classification applies to amounts that are intended for specific purposes, as expressed by the City Council or authorized official. It also applies to the remaining resources in any governmental fund other than the General Fund. Unassigned fund balance. This is the residual classification for the General Fund and includes all amounts not contained in the other classifications. Unassigned amounts are technically available for any purpose. In addition, if there is a deficit balance in another governmental fund, it will be reported as a negative amount in that fund’s unassigned classification. Positive unassigned amounts are reported only in the General Fund. This standard also provides guidance for classifying stabilization (“rainy day”) amounts on the face of the balance sheet and would require disclosure of certain information about stabilization arrangements in the notes to the financial statements. In addition, the definitions of individual governmental fund types have been clarified whereby the City’s use of special revenue funds and capital project funds may be recast. This standard clarifies that special revenue funds are created only to report revenue sources that are restricted or committed to a specified purpose. Additional restrictions related to the classification of a special revenue fund and clarifications of the use of debt service and capital projects funds have been identified and an analysis of the City’s funds is recommended. 11 CITY OF CUPERTINO Report to the City Council Fiscal Year Ended June 30, 2010 SCHEDULE OF COMMENTS AND RESPONSES (Continued) Item # 2010-4 – Other Comment #2 (Continued) The City will be required to implement GASB 54 by the fiscal year ending June 30, 2011. Some steps that the City should perform in order to implement GASB 54 include the following: Update the City’s fund balance policy. The policy should consider items such as the criteria for committed and assigned fund balances; the appropriate level of unrestricted fund balance to be maintained in the General Fund; circumstances for which restricted, committed, assigned, and unassigned amounts will be spent down; and a policy for replenishing deficiencies. Analyze the purposes and revenue sources of special revenue funds to ensure that these funds fall within the new special revenue fund type definition. Review the purposes of capital projects and debt service funds to ensure that these funds fall within the new fund type definition. Update chart of accounts and begin classifying fund balance amounts and prepare reports for the new financial reporting and disclosure requirements. Management Response The City concurs and is in the process of implementing the pronouncement. 12 CITY OF CUPERTINO Report to the City Council Fiscal Year Ended June 30, 2010 SCHEDULE OF UNCORRECTED ADJUSTMENTS Opinion UnitAdjustment DescriptionDebitCredit Current Year PAJEs Other remaining fundsCapital Outlay37,419$ Other remaining fundsAccounts Payable$ 37,419 Government-wide - governmentalCapital assets 37,419$ Government-wide - governmentalAccounts Payable$ 37,419 To record capital outlay expenditures / capital asset addition from accrual for FY 2010. Government-wide - governmentalVarious Expenses91,912$ Government-wide - governmentalClaims liability$ 91,912 To record estimated year-end general claims liability at June 30, 2010. Various - majority General FundInterest receivable186,260$ Various - majority General FundInterest revenues$ 186,260 Various - majority General FundInterest revenues366,693$ Various - majority General FundBeginning Fund Balance366,693$ To record the interest receivable for the City's pool cash and investment. General FundSales tax revenues131,220$ General FundBeginning Fund balance131,220$ To reflect the impact on beginning fund balance for the adjustment to the FY 2009 sales tax liability to Insight Enterprise. 13