Preliminary Follow-up: An Audit of Salt Lake County Public Works Operations Payroll

Auditor's Letter

December 4, 2025

In line with generally accepted government auditing standards and the established policies of the Auditor’s Office, as authorized by Utah Code Title 17, Chapter 19a, “County Auditor,” Part 2, “Powers and Duties,” we maintain our responsibility to monitor and ensure that audit recommendations are addressed by county agencies through appropriate corrective action, which is also instrumental in shaping future audits.

This communication serves as the preliminary follow-up report for An Audit of Salt Lake County Public Works Operations Payroll, following the original audit report issued in August 2024. The original audit identified six findings with 14 recommendations. The purpose of this review was to evaluate the progress management made in addressing the findings and recommendations aimed at enhancing operational efficiency and compliance.

Public Works Operations management fully implemented eight of the 14 audit recommendations, three recommendations were still in progress, two recommendations were not implemented, and one recommendation was closed. By implementing recommendations such as ensuring that background checks and drug testing are completed timely for new hires and eliminating the storage of employee badges next to the clock-in area, management has demonstrated a commitment to addressing the risks identified in the initial audit.

It is important to note that one of the two non-implemented recommendations (Recommendation 1.1) carries a Critical risk rating. The original audit identified significant security concerns related to shared login credentials, and the recommended supplemental training was designed to directly address this risk. While management implemented alternative procedures to reduce reliance on shared credentials, the underlying risk remains because employees may still not fully understand the dangers of password sharing. Critical risk recommendations represent the highest level of exposure to the County. Although the decision to implement corrective actions ultimately rests with management, the Auditor’s Office emphasizes the importance of fully mitigating this risk to protect County systems and data.

Public Works Operations successfully mitigated the risks associated with one of the 14 original audit recommendations. This recommendation was closed because Public Works Operations now requires all employees to enter their employee IDs when clocking in and out.

Further work is critical to fully address the remaining risks related to calculating retro-payment amounts, requesting prompt access removals for terminated employees, and documenting a review process for TimeClock Plus (TCP) report reconciliations. The Auditor’s Office will commence a secondary follow-up audit no sooner than May 2026 to verify compliance in these areas. We underscore the heightened risks stemming from the non-implementation of two recommendations concerning enhanced security training and multi-factor authentication yet recognize that the final decision to address these risks rests with management.

We performed this audit in accordance with Generally Accepted Government Auditing Standards (GAGAS). Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions.

We extend our appreciation to Public Works Operations management for their cooperation during this process. The enclosed follow-up report summarizes the current status of the recommendations. Should you have any questions or require further discussion, please do not hesitate to contact me at 385-468-7200.

Chris Harding, CPA, CFE, CIA
Salt Lake County Auditor