
Broward County - Exh2 042616 Kronos...The Kronos system's Pay Rule Audit Trail report allows users the ability to view changes made to pay rules. A process has been established where


Exhibit 2

B FLORIDA

BERTHA W. HENRY, County Administrator 115 S. Andrews Avenue, Room 409 • Fort Lauderdale, Florida 33301 • 954-357-7362 • FAX 954-357-7360

MEMORANDUM

TO: Mayor and Board of County Co

DATE: April 21, 2016

SUBJECT: Response to County Auditor's Review of User Access to Kronos Enterprise Time and Attendance System

We have reviewed the above-referenced County Auditor's report and the following is Management's response to its findings and recommendations.

Finding 1: "Kronos Administrators can perform all system functions without appropriate monitoring."

Recommendation: "Require that the permissions granted to the 'Kronos Administrators' FAP [Function Access Profiles] be reviewed with the vendor to restrict activity to only that required for the performance of job responsibilities and reduce segregation of duties conflicts. Since this FAP will continue to have access to sensitive and high risk functions, monitoring controls should be implemented to monitor the activity of these accounts."

Response: Agree. Enterprise Technology Services conferred with the vendor and adjusted the Kronos Administrator role access to reduce the potential for inappropriate activity by Kronos Administrators.

Finding 2: "Employee access to the Kronos application was not appropriately restricted based on employee job responsibilities."

Recommendation: "Require a periodic review of FAPs [Function Access Profiles] and assigned employees to ensure that user access remains commensurate with job responsibilities."

Response: Agree. Enterprise Technology Services staff corrected the five Function Access Profiles issues identified in the report and updated the remaining active FAPs to address this recommendation. Quarterly, Enterprise Technology Services will review employee roles with user agencies.

Broward County Board of County Commissioners Mark D. Bogen • Beam Furr • Dale V.C. Holness • Marty Kiar • Chip LaMarca • Stacy Ritter • Tim Ryan • Barbara Sharief • Lois Wexler

www.broward.org


Management Response to Review of User Access to Kronos Enterprise Time and Attendance System April 21, 2016 Page 2

Finding 3: "Terminated employees accounts were not deactivated from Kronos immediately upon termination as required by County policy."

Recommendation: "Review employee separation procedures to ensure that all terminated employee access is revoked immediately upon termination as required by County policy."

Response: Agree. Enterprise Technology Services has added a notice in the biweekly automated Kronos payroll notification with language reminding agencies of the importance of timely processing of BC-102s so separated employees are paid correctly and their system access discontinued. To expedite the employee separation process, agencies will be required to immediately notify Human Resources via e-mail of the separated employee's name and effective date. Next, Human Resources will complete the Self Service portal to notify the appropriate parties of the employee's separation, including Payroll Central.

Currently, in order to avoid overpayment of salaried employees, supervisors have been advised to remove the schedule from the employee's time card as this will cause the system not to process the payment of any work hours. For an hourly employee, as no "in" or "out" punches exist in the timecard, the system will not process the payment of any work hours. Looking forward, with the upcoming implementation of Phase 2 of the Enterprise Resource Planning project, we anticipate that the timely processing of employment actions, including terminations, will be addressed through system workflow rules.

Finding 4: "Changes to system integrated pay and work rules and historical edits were not reviewed for unauthorized or inappropriate activity."

Recommendation: "Design and implement a periodic review of user activity logs, based on risk, to ensure that high risk activity that occurs outside of the regular timecard approval process (pay rule, historical edits) is authorized and appropriate."

Response: Agree. The Kronos system's Pay Rule Audit Trail report allows users the ability to view changes made to pay rules. A process has been established where the Human Resources Division will provide authorization for pay rule changes to Kronos Administrators based on approved collective bargaining agreements, Administrative Code, or other pay rule changes. On a monthly basis, Human Resources will run the Pay Rule Audit Trail report to verify any changes to the pay rules have been authorized.

Regarding historical edits, Payroll Central has established a procedure for payroll liaisons providing direction on how to submit historical edits. Each Payroll Liaison will now send a spreadsheet of requested historical edits to Payroll Central, and Payroll Central's staff will review and enter the corrections into the Cyborg system. The spreadsheet is maintained by each respective Payroll Liaison and Payroll Central for balancing and auditing purposes with each payroll processed. In addition, Payroll Liaisons will have a signed copy at the division level indicating approval from the employee's supervisor.


Finding 5: "Kronos timecards were not consistently approved before payroll processing as required by County Procedures."

Recommendation: "Require that the ... EasyPay timecard approval process be followed to enforce time card workflow approval. In addition ... each agency be required to follow-up on time cards that were not approved prior to processing payroll to ensure that they were accurate."

Response: Agree. Currently, an e-mail is sent on the last Friday of the pay period to all payroll liaisons and supervisors utilizing the Kronos time keeping system reminding them to approve timecards.

Please note that in some instances the employee may not be available to sign off on their timecard due to absence from the office. In such cases, the supervisor would review the employee's timecard for accuracy and is able to make any edits as necessary before signing off by the 10:00am deadline on payroll Monday. The payroll liaison also reviews the timecards to ensure that the employees' hours are correct. At either of these stages, any discrepancies can be addressed with the employee, if necessary. In addition, once Payroll Central has run the preliminary report, agency liaisons are required to review any discrepancies that have been identified. Although on occasion there may be exceptions, regardless of whether the employee has personally signed off on his or her timecard, there are checks and balances in place to ensure accuracy.

To enhance the timecard approval process, additional tools were made available by Enterprise Technology Services' Kronos Administrator on April 11, 2016, to enable departmental representatives to monitor and enforce time card approvals within their agencies. Enterprise Technology Services has also created a Timecard Approval Audit Genie (report), along with two "Hyperfinds" (filters) to identify employees and supervisors who did not approve time cards during a given pay period. These reports are designed to assist agency management with monitoring the separate approval processes and will provide an opportunity for agency management to address employees not approving their time cards. In addition, within 45 days, a management process will be developed that will provide documentation verifying that agency authorities have followed-up with employees not approving their time cards, certifying that the payroll amounts processed for unapproved timecards are accurate. The documentation will indicate that approving authorities and payroll liaisons corrected inaccurate information through the formal historical edits process. A copy of the documentation will be maintained by the payroll liaison. Over time, we believe that the requirement for approving authorities to validate unapproved timecards provides a significant motivator for ensuring employee compliance with timecard approval requirements.

We believe these actions effectively address the issues identified in the report. Please do not hesitate to contact John Bruno, Director of Enterprise Technology Services, if you have any questions.

C: Evan Lukic, County Auditor
Joni Armstrong Coffey, County Attorney