09-24-2025 Audit Ad Hoc Committee Meeting Complete Agenda Packet

SPECIAL NOTICE
PUBLIC ATTENDANCE & PARTICIPATION AT PUBLIC MEETINGS
Audit Ad Hoc Committee Meeting
Wednesday, September 24, 2025, 4:00 p.m.

Your participation is always welcome. OC San offers several ways in which to interact during meetings. You will find information as to these opportunities below.

IN-PERSON MEETING ATTENDANCE
You may attend the meeting in person at the following location:
Orange County Sanitation District Headquarters
18480 Bandilier Circle
Fountain Valley, CA 92708

ONLINE MEETING PARTICIPATION
You may join the meeting live via Teams on your computer or similar device or web browser by using the link below:
Click here to join the meeting
We suggest testing joining a Teams meeting on your device prior to the commencement of the meeting. For recommendations, general guidance on using Teams, and instructions on joining a Teams meeting, please click here.
Please mute yourself upon entry to the meeting. Please raise your hand if you wish to speak during the public comment section of the meeting. The Clerk of the Board will call upon you by using the name you joined with. Meeting attendees are not provided the ability to make a presentation during the meeting. Please contact the Clerk of the Board at least 48 hours prior to the meeting if you wish to present any items. Additionally, camera feeds may be controlled by the meeting moderator to avoid inappropriate content.

HOW TO PARTICIPATE IN THE MEETING BY TELEPHONE
To join the meeting from your phone:
Dial (213) 279-1455
When prompted, enter the Phone Conference ID: 542 587 068#
All meeting participants may be muted during the meeting to alleviate background noise. If you are muted, please use *6 to unmute. You may also mute yourself on your device. Please raise your hand to speak by using *5 during the public comment section of the meeting. The Clerk of the Board will call upon you by using the last 4 digits of your phone number as identification.
NOTE: All attendees will be disconnected from the meeting at the beginning of Closed Session. If you would like to return to the Open Session portion of the meeting, please log in or dial in to the Teams meeting again and wait in the Lobby for admittance.

WATCH THE MEETING ONLINE
The meeting will be available for online viewing at: https://ocsd.legistar.com/Calendar.aspx

SUBMIT A COMMENT
You may submit your comments and questions in writing for consideration in advance of the meeting by using the eComment feature available online at: https://ocsd.legistar.com/Calendar.aspx or sending them to OCSanClerk@ocsan.gov with the subject line "PUBLIC COMMENT ITEM # (insert the item number relevant to your comment)" or "PUBLIC COMMENT NON-AGENDA ITEM".
You may also submit comments and questions for consideration during the meeting by using the eComment feature available online at: https://ocsd.legistar.com/Calendar.aspx. The eComment feature will be available for the duration of the meeting.
All written public comments will be provided to the legislative body and may be read into the record or compiled as part of the record.
For any questions and/or concerns, please contact the Clerk of the Board's office at 714-593-7433.
Thank you for your interest in OC San!

September 16, 2025
NOTICE OF REGULAR MEETING
AUDIT AD HOC COMMITTEE
ORANGE COUNTY SANITATION DISTRICT
Wednesday, September 24, 2025 – 4:00 P.M.
Headquarters
18480 Bandilier Circle
Fountain Valley, CA 92708

ACCESSIBILITY FOR THE GENERAL PUBLIC
Your participation is always welcome. Specific information as to how to participate in this meeting is detailed on the Special Notice attached to this agenda.
In general, OC San offers several ways in which to interact during this meeting: you may participate in person, join the meeting live via Teams on your computer or similar device or web browser, join the meeting live via telephone, view the meeting online, and/or submit comments for consideration before or during the meeting.
The Regular Meeting of the Audit Ad Hoc Committee of the Orange County Sanitation District will be held at the above location and in the manner indicated on Wednesday, September 24, 2025 at 4:00 p.m.

ROLL CALL
AUDIT AD HOC COMMITTEE
Meeting Date: September 24, 2025
Time: 4:00 p.m.

COMMITTEE MEMBERS (4)
Jon Dumitru (Orange)
Glenn Grandis (Fountain Valley)
Bob Ooten (CMSD)
John Withers (IRWD)

OTHERS
Scott Smith, General Counsel

STAFF
Rob Thompson, General Manager
Lorenzo Tyner, Assistant General Manager
Wally Ritchie, Director of Finance
Kelly Lore, Clerk of the Board

ORANGE COUNTY SANITATION DISTRICT
BOARD OF DIRECTORS, Complete Roster (Effective 2/11/2025)

AGENCY/CITIES | ACTIVE DIRECTOR | ALTERNATE DIRECTOR
Anaheim | Carlos A. Leon | Ryan Balius
Brea | Christine Marick | Cecilia Hupp
Buena Park | Joyce Ahn | Lamiya Hoque
Cypress | Scott Minikus | Bonnie Peat
Fountain Valley | Glenn Grandis | Ted Bui
Fullerton | Jamie Valencia | Shana Charles
Garden Grove | Stephanie Klopfenstein | Cindy Ngoc Tran
Huntington Beach | Pat Burns | Gracey Van Der Mark
Irvine | Melinda Liu | Kathleen Treseder
La Habra | Jose Medrano | Rose Espinoza
La Palma | Debbie Baker | Vikesh Patel
Los Alamitos | Jordan Nefulda | Tanya Doby
Newport Beach | Erik Weigand | Michelle Barto
Orange | Jon Dumitru | John Gyllenhammer
Placentia | Chad Wanke | Ward Smith
Santa Ana | Johnathan Ryan Hernandez | Jessie Lopez
Seal Beach | Lisa Landau | Ben Wong
Stanton | David Shawver | John D. Warren
Tustin | Ryan Gallagher | Austin Lumbard
Villa Park | Jordan Wu | Kelly McBride

SANITARY/WATER DISTRICTS | ACTIVE DIRECTOR | ALTERNATE DIRECTOR
Costa Mesa Sanitary District | Bob Ooten | Art Perry
Midway City Sanitary District | Andrew Nguyen | Tyler Diep
Irvine Ranch Water District | John Withers | Dan Ferons
Yorba Linda Water District | Tom Lindsey | Gene Hernandez

COUNTY AREAS | ACTIVE DIRECTOR | ALTERNATE DIRECTOR
Board of Supervisors | Doug Chaffee | Janet Nguyen

AUDIT AD HOC COMMITTEE
Regular Meeting Agenda
Wednesday, September 24, 2025 - 4:00 PM
Huntington Beach Room
Headquarters
18480 Bandilier Circle
Fountain Valley, CA 92708
(714) 593-7433

ACCOMMODATIONS FOR THE DISABLED: If you require any special disability related accommodations, please contact the Orange County Sanitation District (OC San) Clerk of the Board's office at (714) 593-7433 at least 72 hours prior to the scheduled meeting. Requests must specify the nature of the disability and the type of accommodation requested.

AGENDA POSTING: In accordance with the requirements of California Government Code Section 54954.2, this agenda has been posted outside OC San's Headquarters located at 18480 Bandilier Circle, Fountain Valley, California, and on OC San's website at www.ocsan.gov not less than 72 hours prior to the meeting date and time above. All public records relating to each agenda item, including those distributed less than 72 hours prior to the meeting to a majority of the Board of Directors, are available for public inspection with the Clerk of the Board.

AGENDA DESCRIPTION: The agenda provides a brief general description of each item of business to be considered or discussed. The recommended action does not indicate what action will be taken. The Board of Directors may take any action which is deemed appropriate.

MEETING RECORDING: A recording of this meeting is available within 24 hours after adjournment of the meeting at https://ocsd.legistar.com/Calendar.aspx or by contacting the Clerk of the Board.

NOTICE TO DIRECTORS: To place items on the agenda for a Committee or Board Meeting, the item must be submitted to the Clerk of the Board: Kelly A. Lore, MMC, (714) 593-7433 / klore@ocsan.gov at least 14 days before the meeting.
For any questions on the agenda, Board members may contact staff at:
General Manager: Rob Thompson, rthompson@ocsan.gov / (714) 593-7110
Asst. General Manager: Lorenzo Tyner, ltyner@ocsan.gov / (714) 593-7550
Director of Communications: Jennifer Cabral, jcabral@ocsan.gov / (714) 593-7581
Director of Engineering: Mike Dorman, mdorman@ocsan.gov / (714) 593-7014
Director of Environmental Services: Lan Wiborg, lwiborg@ocsan.gov / (714) 593-7450
Director of Finance: Wally Ritchie, writchie@ocsan.gov / (714) 593-7570
Director of Human Resources: Laura Maravilla, lmaravilla@ocsan.gov / (714) 593-7007
Director of Operations & Maintenance: Riaz Moinuddin, rmoinuddin@ocsan.gov / (714) 593-7269

AUDIT AD HOC COMMITTEE
Regular Meeting Agenda
Wednesday, September 24, 2025

CALL TO ORDER

ROLL CALL: Clerk of the Board

PUBLIC COMMENTS: Your participation is always welcome. Specific information as to how to participate in a meeting is detailed in the Special Notice attached to this agenda. In general, OC San offers several ways in which to interact during meetings: you may participate in person, join the meeting live via Teams on your computer or similar device or web browser, join the meeting live via telephone, view the meeting online, and/or submit comments for consideration before or during the meeting.

INFORMATION ITEMS:
1. 2025-4478 INTERNAL AUDIT UPDATE
   RECOMMENDATION: Information Item.
   Originator: Wally Ritchie
   Attachments: Agenda Report; IT Governance Internal Audit Report; Presentation

OTHER BUSINESS AND COMMUNICATIONS OR SUPPLEMENTAL AGENDA ITEMS, IF ANY:

ADJOURNMENT: Adjourn the Audit Ad Hoc Committee meeting.
AFFIDAVIT OF PUBLICATION
I hereby certify under penalty of perjury and as required by the State of California, Government Code § 54954.2(a), that the foregoing Agenda was posted online at www.ocsan.gov, in the lobby, and outside the main door of Orange County Sanitation District Headquarters at 18480 Bandilier Cir., Fountain Valley, CA 92708 not less than 72 hours prior to the meeting date and time above. All public records relating to each agenda item, including those distributed less than 72 hours prior to the meeting to a majority of the Board of Directors, are available for public inspection with the Clerk of the Board.
/s/ Kelly A. Lore, MMC
Clerk of the Board
September 16, 2025

AUDIT AD HOC COMMITTEE
Agenda Report
Headquarters, 18480 Bandilier Circle, Fountain Valley, CA 92708, (714) 593-7433
File #: 2025-4478
Agenda Date: 9/24/2025
Agenda Item No: 1.
FROM: Robert Thompson, General Manager
Originator: Wally Ritchie, Director of Finance
SUBJECT: INTERNAL AUDIT UPDATE

GENERAL MANAGER'S RECOMMENDATION
RECOMMENDATION: Information Item.

BACKGROUND
Orange County Sanitation District (OC San) selected the audit firm of Vasquez + Company LLP to provide audits of various OC San programs and processes as selected by the Audit Ad Hoc Committee. Most recently, the Audit Ad Hoc Committee selected IT governance. The auditors will provide an update of those efforts.

RELEVANT STANDARDS
· Conduct audits to determine if OC San operations are being conducted in an economical and efficient manner
· Conduct audits to establish whether specific government programs are effective in meeting their stated goals and objectives
· Conduct audits to determine if OC San is following policies and procedures in conducting operations

ADDITIONAL INFORMATION
Vasquez + Company LLP performed an independent assessment of OC San's IT Governance to ensure appropriate internal controls and processes. The following key domains were covered for this assessment:
· IT Governance and Risk Management
· Program Change Management
· User Access Management
· IT Operations
· Cyber and Physical Security

ATTACHMENT
The following attachment(s) may be viewed on-line at the OC San website (www.ocsan.gov) with the complete agenda package:
· IT Governance Internal Audit Report
· Presentation

Orange County Sanitation District. Printed on 9/15/2025. Powered by Legistar™.

Orange County Sanitation District
IT Governance Audit
September 2025

September 15, 2025

To the Management and Board of Directors
Orange County Sanitation District
Fountain Valley, CA 92708

Dear Ladies and Gentlemen:

We are pleased to present the results of the Information Technology (IT) Governance Audit conducted for the Orange County Sanitation District (OC San) covering the period from June 1, 2024, to May 31, 2025. This audit was performed in accordance with the internal audit plan and was designed to evaluate the effectiveness of OC San's IT governance framework, cybersecurity practices, and related internal controls. The audit procedures and methodology were developed with consideration of the results of the enterprise-wide risk assessment process and the approved audit plan.

This report summarizes our observations and offers valuable insight into the current state of OC San's IT governance environment, highlighting both strengths and opportunities for improvement.

This report is intended solely for the information and use of Management and the Board of Directors of OC San. It is not intended to be, and should not be, used by any other parties without prior authorization.
We appreciate the opportunity to support OC San in its continued efforts to strengthen its IT governance and cybersecurity resilience.

Very truly yours,
VASQUEZ & COMPANY, LLP
Roger A. Martinez
Partner

Table of Contents
EXECUTIVE SUMMARY ... 1
OBJECTIVE & SCOPE ... 1
METHODOLOGY ... 1
AREAS OF STRENGTH ... 2
RESULT OF INTERNAL CONTROL ASSESSMENT ... 2
Observation 1 ... 3
Observation 2 ... 4
Observation 3 ... 5

Orange County Sanitation District IT Governance Audit Report, September 2025

EXECUTIVE SUMMARY
Vasquez & Company, LLP (Vasquez) was engaged by the Orange County Sanitation District (OC San) to assess OC San's Information Technology Governance and its related processes and controls. The evaluation focused on the effectiveness of the design and implementation of current processes, procedures, and internal controls within the IT Department. The assessment covered IT processes within the defined scope and included a review of OC San's documented policies and procedures, interviews with key IT personnel, testing of the design and implementation of IT and cybersecurity practices, and examination of relevant supporting documentation.

The review identified both strengths and areas for improvement, along with associated risks. As a result, three (3) key observations were presented, each accompanied by recommendations aimed at enhancing risk management and supporting the achievement of OC San's operational goals.

OBJECTIVE & SCOPE
The purpose of this engagement was to conduct an internal evaluation of OC San's Information Technology and Cybersecurity governance, controls, and their compliance with established policies and procedures. The scope of the assessment focused on key technology and cybersecurity components based on the NIST (National Institute of Standards and Technology) Cybersecurity Framework 2.0. Tests of design and effectiveness focused on the "critical applications" identified by management: JD Edwards, Active Directory, and SentinelOne.

The following key domains were covered by this assessment:
• IT Governance and Risk Management
• Program Change Management
• User Access Management
• IT Operations
• Cyber and Physical Security

METHODOLOGY
1. Reviewed OC San's control environment, including key business processes and critical IT systems as they relate to IT Governance.
2. Assessed risk factors associated with key IT processes and critical systems:
   a. Alignment with Business Goals
   b. Risk Management
   c. Change Management
   d. Information Security
   e. Technology Obsolescence
   f. Transparency and Accountability
   g. IT Vendor Management
3. Conducted an IT governance assessment, evaluating compliance with IT and cybersecurity policies and procedures across the following sub-domains:
   a. IT Risk Assessment Activities
   b. IT Strategic Planning
   c. Information Security Awareness Training and Programs
   d. IT Vendor and Third-party Risk Management
   e. Change Management Processes
   f. User Provisioning, Modification, Termination, and Periodic Access Reviews
   g. Anti-virus, Firewall, and Patch Management
   h. Backup and Recovery Procedures
   i. Data Protection Measures
   j. Incident Management Processes
   k. Physical Security Controls
4. Performed controls testing and evaluation to determine the effectiveness of existing IT controls.

AREAS OF STRENGTH
The assessment, which focused on critical systems and key IT and cybersecurity domains, revealed that the key controls tested are operating effectively as designed and are aligned with OC San's IT operations and risk management strategies. Below are the notable areas of strength:
1. OC San has implemented key cybersecurity controls such as antivirus, firewall, and patch management systems. These measures contribute to a robust defense against cyber threats and demonstrate proactive risk mitigation.
2. OC San has shown clear recognition of its exposure to emerging IT and cybersecurity risks. The IT Department remains attentive to identified threats and focuses its efforts on initiatives that contribute to the integrity of OC San's IT environment. OC San's openness to formalizing its policies, updating documentation and enhancing segregation of duties shows a proactive stance in strengthening internal controls.
3. While some documents are recommended to be formalized, the presence of internal IT guidelines demonstrates OC San's awareness of standardized processes and controls, to ensure that these align with organizational goals, security standards and regulatory requirements.

RESULT OF INTERNAL CONTROL ASSESSMENT
While no significant deficiencies or material weaknesses were identified during the audit, some areas were noted where IT Governance practices can be enhanced to further improve IT oversight and align with leading practices. Each observation is accompanied by practical recommendations designed to strengthen existing controls, clarify roles and responsibilities and enhance policy implementation. The following details the observations, the suggested recommendations and Management's responses:

Observation #1:
During the walkthrough performed for program change management, and as later confirmed with IT Management, it was determined that there was no segregation of duties between the functions of code development and promotion of code to Production within the JD Edwards application. It was also noted that no independent review process was in place to ensure that no unauthorized, inadequate, or excessive changes were promoted to Production. In addition, testing of sample changes implemented during the audit period revealed instances where segregation of duties was not consistently observed.
Specifically, there were instances where the same individual acted as both developer and tester or as both developer and implementer, which weakens control over the change management process:
1. Normal Change
   a. CHG0032024 – The Developer and Tester were the same person.
2. Standard Change
   a. CHG0031864 & CHG0031650 – The Developer and Implementer were the same person.

Risk Rating: Medium

Risk Description: When a single individual performs a combination of the three key change management functions (development, testing and implementation), there is an increased risk that unauthorized, inadequate, or excessive changes may be implemented in the Production environment, whether due to error or potential fraud.

Recommendation:
1. Consider assigning the functions of code development, testing, and promotion to Production to different personnel.
2. If segregation of duties is not feasible due to the nature of the organization or for other reasons, consider assigning other personnel to perform activities such as a pre-deployment or post-deployment check to mitigate the risk of unauthorized changes being deployed to Production.
Given the crucial nature of development, testing, and implementation to Production activities, segregating these three responsibilities is essential to minimizing the risk of unauthorized, inadequate, or excessive changes due to fraud or errors. When segregation is not practical, using audit trails to track all change activities and requiring an independent review can serve as effective compensating controls.

OC San's Response: When feasible, OC San Supervision will assign different personnel to the development, testing and implementation of changes to production systems. Optimally, the testing will be performed by the end user to verify that the change has been implemented successfully. If the prior two options are not feasible, IT will perform a post-deployment check.
Observation #2:
During the operating effectiveness test of change management controls, no evidence was provided to support the following key testing details related to four (4) sampled change requests:
a. Developer
b. Date Submitted for Testing
c. Actual Testing Date
d. Tested By
e. Testing Result

The four sample tickets identified were:
a. Normal Change – CHG0032024
b. Normal Change – CHG0031965
c. Standard Change – CHG0031872
d. Standard Change – CHG0031631

Risk Rating: Medium

Risk Description: The absence of evidence to support the testing procedures for each change request increases the risk of unverified deployment of changes to Production. This can potentially lead to higher project costs, delays, and security-related challenges.

Recommendation: Retain evidence of the testing procedures performed for each change request. At a minimum, the following details must be clearly stated in the supporting documentation:
a. Developer
b. Date Submitted for Testing
c. Actual Testing Date
d. Tested By
e. Testing Result
If it is not feasible to retain the above documentation within the change request tickets, consider creating a separate repository to store and maintain all relevant supporting documentation.
Retaining complete documentation of testing procedures is essential to prevent OC San from incurring heavy delays and experiencing security issues arising from Production changes that do not function as intended, which can ultimately lead to additional costs. Maintaining a complete change log is also key to identifying opportunities to improve efficiency within the change management process.

OC San's Response: Change management in IT is documented in the IT Service Management (ITSM) solution. Modifications to the ITSM change management module will be implemented and will require the developer's name, date submitted for testing, actual testing date, the tester's name, and the test results to be entered prior to closing the change request. Staff will have the ability to attach screenshots to support the change request. OC San management believes the risk is partially mitigated by reviewing all changes on a weekly basis during the Change Advisory Board (CAB) meeting. The CAB mitigates risk by bringing multiple perspectives into decision-making, enforcing structured reviews, ensuring contingency planning, and aligning changes with business needs. Every change request reviewed by the CAB goes through a formal risk/impact analysis. This ensures consideration of:
o Business continuity
o Cybersecurity implications
o System dependencies
o Regulatory compliance
o Timing considerations
o Rollback plan

Observation #3:
We noted the following observations regarding OC San's IT policies and guidelines:
1. A formal board-approved IT policy and IT guidelines exist, covering the following areas:
   a. User Access Management
   b. Program Change Management
   c. Disaster Recovery
   d. Incident Response
   e. Information Security
   However, not all the documents relating to the above are current or show evidence of their most recent review.
2. Although the Wireless/Electronic Communications/Acceptable Use of IT policy mentions the use of passwords within OC San, it does not define specific password settings in any written policy or guidelines document.

Risk Rating: Low

Risk Description: Without clear, formally documented, and approved policies and procedures, confusion may arise regarding the appropriate processes, controls, and procedures to be followed. The lack of uniform guidelines increases the risk of inconsistent application of control procedures across teams, particularly within OC San's critical IT processes.
Recommendations:
1. Conduct regular reviews of IT policies/guidelines (typically on an annual basis) and formally document the results and any updates to ensure they remain reflective of OC San's IT practices.
2. Consider revisiting the scope of each policy/guideline to determine whether the following key IT processes are adequately covered:
   a. User Access Management (including password management)
   b. Program Change Management
   c. IT Risk Management
   d. Backup and Restoration
   e. Disaster Recovery Plan/Business Continuity Plan
   f. Incident Handling/Problem Management
   g. Information Security Policy (if separate from the above)
Based on the above, existing policies/guidelines may be merged or new ones developed and clearly classified either as board-approved policies or IT team guidelines.
Developing and maintaining comprehensive policies and guidelines for key IT areas is essential in ensuring consistent and efficient implementation of IT practices across OC San. Establishing a periodic review and approval process for IT policies and guidelines helps determine if these are reflective of current processes and remain relevant to address the evolving IT risk environment. In addition, by establishing a formal review and approval process for policies and procedures, control owners will have a higher sense of responsibility over compliance with established controls.

OC San's Response: An ITSM ticket will be created with an annual reoccurrence and assigned to the IT Manager to review the IT policies and guidelines. All policies and guidelines will have notations identifying the last date changed and reviewed. Where applicable, IT processes will be added and updated to the OC San Wireless Electronic Communications policy. New IT guidelines will be created to cover key IT processes.
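As an added example (not part of the audit report and not OC San's ITSM tooling), the following Python script shows how the two change-management checks behind Observations 1 and 2 can be run mechanically over an export of change tickets: it flags any ticket where one person holds two of the developer, tester and implementer roles, treats an independent post-deployment check as the compensating control the report accepts when segregation is not feasible, and lists which of the five required testing-evidence fields are blank. The ticket records are constructed for illustration: the CHG numbers are the ones cited in the report, but the people, dates and results are invented, and CHG0031900 is a hypothetical clean ticket. The script also checks the tester=implementer pair, which goes beyond the two combinations the report cites.

```python
"""Change-ticket control check for segregation of duties (Observation 1) and
testing evidence (Observation 2). Sample tickets are constructed for
illustration: ticket numbers come from the audit report, everything else
(people, dates, results) is invented."""
from dataclasses import dataclass

# Evidence the report requires on every change request (Observation 2).
REQUIRED_EVIDENCE = ("developer", "date_submitted_for_testing",
                     "actual_testing_date", "tested_by", "testing_result")

# Role pairs that must not be held by the same person. The report cites the
# first two; tester=implementer is added because all three functions are
# meant to be separated.
SOD_PAIRS = (("developer", "tested_by"), ("developer", "implementer"),
             ("tested_by", "implementer"))


@dataclass
class Change:
    ticket: str
    change_type: str                    # "Normal" or "Standard"
    developer: str = ""
    tested_by: str = ""
    implementer: str = ""
    date_submitted_for_testing: str = ""
    actual_testing_date: str = ""
    testing_result: str = ""
    post_deployment_check_by: str = ""  # compensating control, if performed


def sod_findings(c: Change) -> list[str]:
    """Role pairs on this ticket that the same (non-blank) person holds."""
    return [f"{a}={b}" for a, b in SOD_PAIRS
            if getattr(c, a) and getattr(c, a) == getattr(c, b)]


def missing_evidence(c: Change) -> list[str]:
    """Required evidence fields left blank on the ticket."""
    return [f for f in REQUIRED_EVIDENCE if not getattr(c, f)]


def is_compensated(c: Change) -> bool:
    """An independent post-deployment check (by someone other than the
    developer) is the compensating control the report accepts when
    segregation of duties is not feasible."""
    return bool(c.post_deployment_check_by) and c.post_deployment_check_by != c.developer


def review(changes: list[Change]) -> dict[str, dict]:
    """Per-ticket findings. A ticket passes only if it has no SoD conflict
    (or the conflict is compensated) and all required evidence is present."""
    report = {}
    for c in changes:
        sod, missing = sod_findings(c), missing_evidence(c)
        compensated = bool(sod) and is_compensated(c)
        report[c.ticket] = {
            "type": c.change_type,
            "sod": sod,
            "missing": missing,
            "compensated": compensated,
            "pass": (not sod or compensated) and not missing,
        }
    return report


# Constructed sample export (names/dates invented; CHG0031900 is hypothetical).
SAMPLE = [
    Change("CHG0032024", "Normal", developer="a.lee", tested_by="a.lee",
           implementer="b.kim"),                          # dev = tester, no dates/result
    Change("CHG0031864", "Standard", developer="c.ruiz", tested_by="d.park",
           implementer="c.ruiz", date_submitted_for_testing="2025-01-07",
           actual_testing_date="2025-01-08", testing_result="Passed"),  # dev = implementer
    Change("CHG0031650", "Standard", developer="c.ruiz", tested_by="e.wong",
           implementer="c.ruiz", date_submitted_for_testing="2024-11-12",
           actual_testing_date="2024-11-13", testing_result="Passed",
           post_deployment_check_by="d.park"),            # dev = implementer, but checked
    Change("CHG0031965", "Normal", implementer="b.kim"),  # no testing evidence at all
    Change("CHG0031631", "Standard", developer="f.nair", implementer="b.kim",
           date_submitted_for_testing="2025-03-03"),      # submitted, nothing else recorded
    Change("CHG0031900", "Standard", developer="f.nair", tested_by="g.osei",
           implementer="b.kim", date_submitted_for_testing="2025-04-01",
           actual_testing_date="2025-04-02", testing_result="Passed"),  # clean
]

if __name__ == "__main__":
    for ticket, r in review(SAMPLE).items():
        status = "PASS" if r["pass"] else "FAIL"
        print(f"{ticket} {r['type']:8} {status}  sod={r['sod']}  missing={r['missing']}")
```

Run against a real ITSM export, the same two functions give an auditor a repeatable population test instead of a hand-picked sample, and the `compensated` flag makes explicit which SoD conflicts were actually covered by the post-deployment check OC San's response commits to.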
***** This communication is intended solely for the information and use of OC San’s Management and Board of Directors and is not intended to be, and should not be, used by anyone other than these specified parties. Glendale, California September 15, 2025 www.vasquez.cpa 655 N Central Avenue, Suite 1550 • Glendale, California 91203-1437 • +1.213.873.1700 IT Governance Audit Results INTERNAL AUDIT SERVICES September 24, 2025 1 2IT Governance Risk Factors and Scope 3Audit Program Framework 4Audit Results Summary 5Observation 1 6Observation 2 7Observation 3 8Questions 9Contact Information /Table of Contents 2 Audit ScopeRisk Factors The following procedures were performed to assess the actions taken by Orange County Sanitation District (OC San) to address the identified IT Governance Risk Factors: a. Inspected Strategic Plans, IT Roadmaps, and Governance structures to confirm whether IT initiatives are prioritized and executed in alignment with business objectives. b. Assessed the design and effectiveness of established IT Policies and Procedures by testing control areas such as Access Management, Program Change Management, and IT Operations. c. Reviewed the processes for selecting, managing, and monitoring third-party vendors to ensure that due diligence is performed and that vendors are regularly evaluated. d. Reviewed OC San’s IT processes for continuously monitoring risks such as cybersecurity threats, compliance issues, and performance failures. In-scope Systems: JD Edwards, Active Directory, SentinelOne Covered Period: June 01, 2024 - May 31, 2025 Alignment with Business Goals Risk Management Change Management Information Security Technology Obsolescence Transparency and Accountability IT Vendor Management / IT GOVERNANCE RISK FACTORS AND SCOPE 3 Vasquez & Company (Vasquez) developed an IT Governance Audit work program to assess OC San's IT Governance and Risk Management Controls. 
Vasquez leveraged NIST Cybersecurity Framework 2.0 (CSF 2.0), which is structured around six core Functions: Govern, Identify, Protect, Detect, Respond, and Recover. The NIST CSF 2.0 served as the basis of our assessment, encompassing five (5) areas within the scope of the audit: 1. IT Governance and Risk Management 2. Program Change Management 3. User Access Management 4. IT Operations 5. Cyber and Physical Security / AUDIT PROGRAM FRAMEWORK 4 / AUDIT RESULTS SUMMARY DescriptionCategoryIT Process Observe Segregation of Duties Between Change Developers, Testers, and ImplementersMediumProgram Change Management Retain Evidence of Testing Procedures Performed Per Change RequestMedium Develop, Review, and Update IT Policies and GuidelinesLowIT Governance and Risk Management Based on the results of the procedures performed, the controls tested are operating effectively as designed,except for the following observations: Notes: •High – An observation of potential significance to the overall control environment; Affects multiple systems/components; Impact is pervasive; Requires the immediate attention of management to define a priority action plan for its resolution (within 3 months). •Medium – An observation of moderate significance to the overall control environment; Affects one system/component; Impact is not pervasive; Requires the near-term attention of management and an agreed program for its near-term resolution (6 months to 1 year). •Low – An efficiency or administrative observation of lesser significance; Does not warrant immediate attention; However, requires an agreed program for ultimate resolution,depending on the organization’s assessment. Based on our assessment, the identified deficiencies in OC San’s internal controls did not constitute significant deficiencies or material weaknesses. 
IT AUDIT OBSERVATIONS & RECOMMENDATIONS

Observation 1
Description: Observe Segregation of Duties Between Change Developers, Testers, and Implementers
Category: Medium
IT Process: Program Change Management
Risks: Lack of Segregation of Duties in the Change Management process increases the risk of having unauthorized, inadequate, or excessive changes implemented in Production due to fraud or errors.
Observations: It was determined that code development, testing, and promotion of code to Production in the JD Edwards application were not segregated.
Recommendations:
1. If feasible, assign the functions of code development, testing, and promotion to Production to different personnel.
2. Implement pre-deployment or post-deployment checks to mitigate risks of unauthorized changes being deployed to Production.

Observation 2
Description: Retain Evidence of Testing Procedures Performed Per Change Request
Category: Medium
IT Process: Program Change Management
Risks: Missing key change information increases the risks of unverified deployment of changes to Production, potentially leading to higher costs, project delays, and security issues.
Observations: Insufficient evidence was provided to support the following key testing details for four (4) sample change requests:
a. Developer
b. Date Submitted for Testing
c. Actual Testing Date
d. Tested By
e. Testing Result
Recommendations: Retain evidence of development and testing procedures performed for each change request. If the information cannot be retained in the ticketing system, consider creating a separate repository.

Observation 3
Description: Develop, Review, and Update IT Policies and Guidelines
Category: Low
IT Process: IT Governance and Risk Management
Risks: Lack of uniform guidelines increases the risk of inconsistent application of control procedures across teams, particularly within OC San’s critical IT processes.
Observations:
1. Not all the IT Policies and Guidelines are current or show evidence of their most recent review.
2. Specific password settings are not defined in any written policy or guideline.
Recommendations: Review policies and guidelines periodically (typically annually) and document the results or any suggested changes to ensure they remain reflective of OC San’s IT practices. Part of the periodic review should include assessing the need to create new documentation, IT policies and guidelines, to address evolving IT risks.

QUESTIONS

Vasquez + Company LLP has over 55 years of experience in performing audit, accounting, and consulting services for all types of private companies, nonprofit organizations, and governmental entities. We are clients of the Aprio Professional Services+ Practice. As a client, we have access to the Professional Services+ Collaborative, a globally connected community that provides access to an ecosystem of capabilities, collaboration and camaraderie to help professional services firms grow and thrive in a rapidly changing business environment. As a participant in the PS+ Collaborative, we have the opportunity to interact and share best practices with other professional services firms across the U.S. and Canada.

CONTACT INFORMATION
www.vasquez.cpa
Roger Martinez, CPA – O: +1.213.873.1703 – ram@vasquezcpa.com
Arcely Peran, CPA – O: +1.213.873.1731 – aperan@vasquezcpa.com
Jason Tagasa, CISA – O: +1.213.873.1773 – jtagasa@vasquezcpa.com

Thank you for your time and attention.
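A post-deployment check of the kind recommended in observations 1 and 2, written here as an added example rather than the auditors' or OC San's own code; the record fields and the sample tickets are constructed for illustration, and the check flags both the segregation-of-duties condition (one person developing, testing, or promoting the same change) and any of the five missing testing details listed above.

```python
# Added example (not from the Vasquez audit or OC San): a post-deployment check
# over change request records. Field names and records are constructed; a real
# ticketing export would be mapped onto the ChangeRequest fields below.
from dataclasses import dataclass

# The five testing details the audit expected for every change request.
REQUIRED_TEST_EVIDENCE = (
    "developer", "date_submitted_for_testing", "actual_testing_date",
    "tested_by", "testing_result",
)

@dataclass
class ChangeRequest:
    ticket: str
    developer: str = ""
    date_submitted_for_testing: str = ""
    actual_testing_date: str = ""
    tested_by: str = ""
    testing_result: str = ""
    promoted_by: str = ""          # who promoted the change to Production

def check_change(cr: ChangeRequest) -> list[str]:
    """Return the control findings for one change request (empty if clean)."""
    findings = []
    # Segregation of duties: development, testing and promotion should each be
    # performed by a different person; report every pairing that collides.
    roles = {"developer": cr.developer, "tested_by": cr.tested_by,
             "promoted_by": cr.promoted_by}
    seen = {}
    for role, person in roles.items():
        if person and person in seen:
            findings.append(f"SoD: {person} is both {seen[person]} and {role}")
        elif person:
            seen[person] = role
    # Evidence retention: every required testing detail must be populated.
    missing = [f for f in REQUIRED_TEST_EVIDENCE if not getattr(cr, f).strip()]
    if missing:
        findings.append("missing evidence: " + ", ".join(missing))
    return findings

def audit(changes: list[ChangeRequest]) -> dict[str, list[str]]:
    """Map each ticket that has at least one finding to its findings."""
    return {c.ticket: f for c in changes if (f := check_change(c))}

# Constructed sample records (not real OC San tickets): CR-1 is clean, CR-2 has
# one person in all three roles, CR-3 lacks most of the testing evidence.
SAMPLE = [
    ChangeRequest("CR-1", "alice", "2025-06-01", "2025-06-02", "bob", "pass", "carol"),
    ChangeRequest("CR-2", "dave", "2025-06-03", "2025-06-04", "dave", "pass", "dave"),
    ChangeRequest("CR-3", "erin", "", "", "", "", "frank"),
]
```

Running `audit(SAMPLE)` reports CR-2 for segregation of duties and CR-3 for missing evidence, while CR-1 produces no findings.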
ORANGE COUNTY SANITATION DISTRICT COMMON ACRONYMS

ACWA – Association of California Water Agencies
APWA – American Public Works Association
AQMD – Air Quality Management District
ASCE – American Society of Civil Engineers
BOD – Biochemical Oxygen Demand
CARB – California Air Resources Board
CASA – California Association of Sanitation Agencies
CCTV – Closed Circuit Television
CEQA – California Environmental Quality Act
CIP – Capital Improvement Program
CRWQCB – California Regional Water Quality Control Board
CWA – Clean Water Act
CWEA – California Water Environment Association
EIR – Environmental Impact Report
EMT – Executive Management Team
EPA – US Environmental Protection Agency
FOG – Fats, Oils, and Grease
gpd – gallons per day
GWRS – Groundwater Replenishment System
ICS – Incident Command System
IERP – Integrated Emergency Response Plan
JPA – Joint Powers Authority
LAFCO – Local Agency Formation Commission
LOS – Level Of Service
MGD – Million Gallons Per Day
MOU – Memorandum of Understanding
NACWA – National Association of Clean Water Agencies
NEPA – National Environmental Policy Act
NGOs – Non-Governmental Organizations
NPDES – National Pollutant Discharge Elimination System
NWRI – National Water Research Institute
O & M – Operations & Maintenance
OCCOG – Orange County Council of Governments
OCHCA – Orange County Health Care Agency
OCSD – Orange County Sanitation District
OCWD – Orange County Water District
OOBS – Ocean Outfall Booster Station
OSHA – Occupational Safety and Health Administration
PCSA – Professional Consultant/Construction Services Agreement
PDSA – Professional Design Services Agreement
PFAS – Per- and Polyfluoroalkyl Substances
PFOA – Perfluorooctanoic Acid
PFOS – Perfluorooctanesulfonic Acid
POTW – Publicly Owned Treatment Works
ppm – parts per million
PSA – Professional Services Agreement
RFP – Request For Proposal
RWQCB – Regional Water Quality Control Board
SARFPA – Santa Ana River Flood Protection Agency
SARI – Santa Ana River Interceptor
SARWQCB – Santa Ana Regional Water Quality Control Board
SAWPA – Santa Ana Watershed Project Authority
SCADA – Supervisory Control And Data Acquisition
SCAP – Southern California Alliance of Publicly Owned Treatment Works
SCAQMD – South Coast Air Quality Management District
SOCWA – South Orange County Wastewater Authority
SRF – Clean Water State Revolving Fund
SSMP – Sewer System Management Plan
SSO – Sanitary Sewer Overflow
SWRCB – State Water Resources Control Board
TDS – Total Dissolved Solids
TMDL – Total Maximum Daily Load
TSS – Total Suspended Solids
WDR – Waste Discharge Requirements
WEF – Water Environment Federation
WERF – Water Environment & Reuse Foundation
WIFIA – Water Infrastructure Finance and Innovation Act
WIIN – Water Infrastructure Improvements for the Nation Act
WRDA – Water Resources Development Act

ORANGE COUNTY SANITATION DISTRICT GLOSSARY OF TERMS

ACTIVATED SLUDGE PROCESS – A secondary biological wastewater treatment process where bacteria reproduce at a high rate with the introduction of excess air or oxygen and consume dissolved nutrients in the wastewater.
BENTHOS – The community of organisms, such as sea stars, worms, and shrimp, which live on, in, or near the seabed, also known as the benthic zone.
BIOCHEMICAL OXYGEN DEMAND (BOD) – The amount of oxygen used when organic matter undergoes decomposition by microorganisms. Testing for BOD is done to assess the amount of organic matter in water.
BIOGAS – A gas that is produced by the action of anaerobic bacteria on organic waste matter in a digester tank that can be used as a fuel.
BIOSOLIDS – Biosolids are nutrient rich organic and highly treated solid materials produced by the wastewater treatment process. This high-quality product can be recycled as a soil amendment on farmland or further processed as an earth-like product for commercial and home gardens to improve and maintain fertile soil and stimulate plant growth.
CAPITAL IMPROVEMENT PROGRAM (CIP) – Projects for repair, rehabilitation, and replacement of assets. Also includes treatment improvements, additional capacity, and projects for the support facilities.
COLIFORM BACTERIA – A group of bacteria found in the intestines of humans and other animals, but also occasionally found elsewhere, used as indicators of sewage pollution. E. coli are the most common bacteria in wastewater.
COLLECTIONS SYSTEM – In wastewater, it is the system of typically underground pipes that receive and convey sanitary wastewater or storm water.
CERTIFICATE OF PARTICIPATION (COP) – A type of financing where an investor purchases a share of the lease revenues of a program rather than the bond being secured by those revenues.
CONTAMINANTS OF POTENTIAL CONCERN (CPC) – Pharmaceuticals, hormones, and other organic wastewater contaminants.
DILUTION TO THRESHOLD (D/T) – The dilution at which the majority of people detect the odor becomes the D/T for that air sample.
GREENHOUSE GASES (GHG) – In the order of relative abundance: water vapor, carbon dioxide, methane, nitrous oxide, and ozone; gases that are considered the cause of global warming (“greenhouse effect”).
GROUNDWATER REPLENISHMENT SYSTEM (GWRS) – A joint water reclamation project that proactively responds to Southern California’s current and future water needs. This joint project between the Orange County Water District and OCSD provides 70 million gallons per day of drinking quality water to replenish the local groundwater supply.
LEVEL OF SERVICE (LOS) – Goals to support environmental and public expectations for performance.
N-NITROSODIMETHYLAMINE (NDMA) – An N-nitrosamine suspected cancer-causing agent. It has been found in the GWRS process and is eliminated using hydrogen peroxide with extra ultra-violet treatment.
NATIONAL BIOSOLIDS PARTNERSHIP (NBP) – An alliance of the NACWA and WEF, with advisory support from the EPA. NBP is committed to developing and advancing environmentally sound and sustainable biosolids management practices that go beyond regulatory compliance and promote public participation to enhance the credibility of local agency biosolids programs and improved communications that lead to public acceptance.
PER- AND POLYFLUOROALKYL SUBSTANCES (PFAS) – A large group (over 6,000) of human-made compounds that are resistant to heat, water, and oil and used for a variety of applications including firefighting foam, stain and water-resistant clothing, cosmetics, and food packaging. Two PFAS compounds, perfluorooctanesulfonic acid (PFOS) and perfluorooctanoic acid (PFOA), have been the focus of increasing regulatory scrutiny in drinking water and may result in adverse health effects including developmental effects to fetuses during pregnancy, cancer, liver damage, immunosuppression, thyroid effects, and other effects.
PERFLUOROOCTANOIC ACID (PFOA) – An ingredient for several industrial applications including carpeting, upholstery, apparel, floor wax, textiles, sealants, food packaging, and cookware (Teflon).
PERFLUOROOCTANESULFONIC ACID (PFOS) – A key ingredient in Scotchgard, a fabric protector made by 3M, and used in numerous stain repellents.
PLUME – A visible or measurable concentration of discharge from a stationary source or fixed facility.
PUBLICLY OWNED TREATMENT WORKS (POTW) – A municipal wastewater treatment plant.
SANTA ANA RIVER INTERCEPTOR (SARI) LINE – A regional brine line designed to convey 30 million gallons per day of non-reclaimable wastewater from the upper Santa Ana River basin to the ocean for disposal, after treatment.
SANITARY SEWER – Separate sewer systems specifically for the carrying of domestic and industrial wastewater.
SOUTH COAST AIR QUALITY MANAGEMENT DISTRICT (SCAQMD) – Regional regulatory agency that develops plans and regulations designed to achieve public health standards by reducing emissions from business and industry.
SECONDARY TREATMENT – Biological wastewater treatment, particularly the activated sludge process, where bacteria and other microorganisms consume dissolved nutrients in wastewater.
SLUDGE – Untreated solid material created by the treatment of wastewater.
TOTAL SUSPENDED SOLIDS (TSS) – The amount of solids floating and in suspension in wastewater.
TRICKLING FILTER – A biological secondary treatment process in which bacteria and other microorganisms, growing as slime on the surface of rocks or plastic media, consume nutrients in wastewater as it trickles over them.
URBAN RUNOFF – Water from city streets and domestic properties that carries pollutants into the storm drains, rivers, lakes, and oceans.
WASTEWATER – Any water that enters the sanitary sewer.
WATERSHED – A land area from which water drains to a particular water body. OCSD’s service area is in the Santa Ana River Watershed.