IT Performance Audit: Links to Published Audit Reports 


Updated: Monday July 03, 2006

Index

Alberta - Auditor General

Arizona - Office of the Auditor General

Arkansas - Division of Legislative Audit

British Columbia - Office of the Auditor General

California - Bureau of State Audits

Colorado - Office of the State Auditor

Delaware - Office of Auditor of Accounts

European Union - The Court of Auditors

Florida - Auditor General

Georgia - Department of Audit & Accounts

Guernsey - States of Guernsey Audit Commission

Hawaii - Office of the Auditor

Idaho - Office of Performance Evaluations

Illinois - Auditor General

Kansas - Legislative Division of Post Audit

Kentucky - The Auditor of Public Accounts

Louisiana - Legislative Auditor

Maryland - Office of Legislative Audits

Massachusetts - Auditor of the Commonwealth of Massachusetts

Michigan - Office of the Auditor General

Minnesota - Office of the Legislative Auditor

Missouri - Office of the Missouri State Auditor

Montana - Legislative Audit Division

Nebraska - Auditor of Public Accounts

Nevada - Legislative Counsel Bureau, Audit Division

New Jersey - Office of the State Auditor

New South Wales - Audit Office of New South Wales

New York State - Office of the State Comptroller

Newfoundland and Labrador - Office of the Auditor General

North Carolina - Office of the State Auditor

North Dakota - Office of the State Auditor

Northern Ireland - Northern Ireland Audit Office

Northern Territory - Northern Territory Auditor General's Office

Nova Scotia - Office of the Auditor General

Ontario - Office of the Provincial Auditor of Ontario

Oregon - Oregon Secretary of State Audits Division

Queensland - Queensland Audit Office

Saskatchewan - Office of the Provincial Auditor

Scotland - Audit Scotland

South Australia - Auditor General's Department

Tasmania - Tasmanian Audit Office

Tennessee - Comptroller of the Treasury

Texas - Austin: Office of the City Auditor

Texas - Comptroller of Public Accounts

Texas - Dallas: Office of the City Auditor

Texas - State Auditor's Office

Toronto - Auditor General's Office

Utah - Legislative Auditor General

UK - Audit Commission

Vermont - Office of the State Auditor

Victoria - Office of the Auditor General

Virgin Islands (United States) - Office of the Inspector General

Virginia - Auditor of Public Accounts

Virginia - Fairfax County Internal Auditor

Washington - Seattle: Office of the City Auditor

Western Australia - Office of the Auditor General for Western Australia

Wisconsin - Wisconsin Legislative Audit Bureau


Alberta

Auditor General

Report

Summary

Annual Report of the Auditor General 2002-2003 (.pdf, 1.3MB)

Innovation and Science - the Ministry should improve systems and procedures in the following areas to ensure it effectively delivers services at reasonable cost:

Government of Alberta SuperNet project management. The Ministry should prepare a plan to test SuperNet components (see page 198).

Alberta Government Integrated Management Information System. The Ministry should optimize the use of IMAGIS (see page 199) and implement an accountability framework (see page 201).

Government of Alberta Central Information Technology (IT) Environment. The Ministry should improve the central IT environment by coordinating reviews of control environments at service providers (see page 204) and by establishing a systems development methodology (see page 205).

Annual Report of the Auditor General 2000-2001 (.html)

Government departments should improve internal control systems. Deputy Ministers need internal audit to provide assurance that significant government systems and risks are effectively managed - see page 23.

We again recommend that Alberta Treasury Branches management document, evaluate and monitor internal controls to ensure assets are properly protected and financial information is accurate and complete - see page 103.

Arizona

Office of the Auditor General

Report

Summary

Government Information Technology Agency - State-wide Technology Contracting Issues (January 2003, Report No. 03-01)

This audit found that the Government Information Technology Agency (GITA) did not take the appropriate steps to ensure that a $30.6 million state-wide IT contract it negotiated was beneficial. Additional justification and reviews are needed prior to entering into future state-wide IT contracts that commit the State to over $1 million. To ensure its objectivity, GITA also needs to develop a policy to ensure its independence when reviewing state agencies’ IT projects. Finally, the Statewide Technology Licensing Agreement (STLA) account should be allowed to sunset because it has never been used and it is not needed.

Arkansas

Division of Legislative Audit

Report

Summary

Department of Human Services - Food Stamps Automated Client Tracking System Information System Controls Audit

November 2002 (.pdf, 389KB)

Our audit resulted in the following significant findings:

  • Programmer with update ability in FACTS.

  • Terminated employees with data file access.

  • Passwords stored in clear text.

  • No contingency plan in place.

  • Lack of balancing controls for application input/output files.

Department of Human Services - Arkansas Client Eligibility System Information System Controls Audit

November 2002 (.pdf, 423KB)

Our audit resulted in the following significant findings:

  • Programmers with update ability in ACES.

  • Terminated employees with data file access.

  • Passwords are stored in clear text.

  • Data integrity edits not working properly.

  • ACES transaction file not being backed up.

  • No contingency plan in place.

  • Lack of balancing controls for application input/output files.

AASIS - General Controls Information Systems Audit

April 2002 (.pdf, 410KB)

 

 

The audit included a review and testing of controls in the following areas:

1. Operating System and Database

2. Firewall, Network Topology and Web Server

3. Management and Contingency Planning

4. Transport System and Program Change Controls

Our objectives were to test configuration, policies and procedures to obtain reasonable assurance that sufficient controls exist to: protect the application, database and web servers from unauthorized access; provide for the continuation of computer processing capabilities; ensure proper management of the AASIS computer hardware; ensure that only approved and tested system control parameters are updated to the production system; and, adequately test and approve programs before placement in the production system.

Arkansas Public School Computer Network Performance Audit

December, 2000 (.pdf, 1.69MB)

Our objectives in conducting this audit were as follows:

  • Determine if APSCN is meeting the needs of ADE and Arkansas public school districts.

  • Determine if APSCN provides adequate field support for the school districts.

  • Review APSCN financing and costs to provide a basis for cost/benefit analysis.

  • Project the cost of converting APSCN to a Windows format and estimate the cost of maintaining the current DOS-based interface.

Department of Information Systems Hardware/Software Purchasing Procedures (.pdf, 4MB)

Our objectives in conducting this review were as follows:

1. Review Department of Information Systems procedures for purchasing hardware and software.

2. Review internal controls surrounding DIS procedures for their own needs and for other state agencies.

3. Review DIS hardware and software purchases for the year ended June 30, 2000 to determine compliance with prescribed procedures and internal controls.

British Columbia

Office of the Auditor General

Report

Summary

Follow-up of Performance Reports

(.pdf, 496KB) Report 2 - August 2003

Management of the Information Technology Portfolio in the Ministry of Attorney General; Information Use by the Ministry of Health in Resource Allocation for Decisions for the Regional Health Care System; etc.

Management of the Information Technology Portfolio in the Ministry of Attorney General

(.pdf, 340KB) Report 5 - February 2002

Information technology (meaning the use of systems such as computers and telecommunications to store, retrieve and send information) offers all organizations unprecedented opportunity to improve performance, reduce costs, and enhance both the range and responsiveness of their service delivery. Over the years, government has increasingly come to depend on information technology systems to carry out its wide range of activities. However, management and delivery of these systems is challenging—because, in both the private sector and in the government environment, many such projects fail to meet time or budget requirements and few of the resulting systems are ultimately capable of doing all they were intended to do. Many projects started are never even completed.

California

Bureau of State Audits

Report

Summary

Child Support Enforcement Program (.html) Sept 2003.

The State has contracted with IBM to develop and implement the major component of the State-wide Automated Child Support System. Our continued review of the Department of Child Support Services and Franchise Tax Board's (project team) procurement of a single, state-wide automated child support enforcement system revealed the following:

  • On July 14, 2003, the project team signed a contract for $801 million with the IBM Group to design, develop, and implement the major part of the single, state-wide automated child support system.
  • Despite concerns, the Federal Office of Child Support Enforcement approved the State's request for funding, giving the project team permission to execute the contract between the State and the IBM Group.
  • The State Department of Finance placed certain conditions on its approval of the feasibility study, requiring, for example, that the project team submit a benefits measurement plan within one year following the contract's signing.
  • The project team is still more than a year away from procuring a contractor for the state disbursement unit, a separate but integral part of the single, state-wide automated child support enforcement system.

Information Technology: Control Structures Are Only Part of Successful Governance

Feb. 2003 (.pdf, 462KB)

 

In 1995 the Legislature created the Department of Information Technology (DOIT) to provide leadership, guidance, and oversight for information technology (IT) initiatives and projects throughout the State. In July 2002, DOIT ceased operation, but the need for what it was chartered to do continues to exist.

To determine what lessons can be learned from states with exemplary practices in IT governance, our consultant conducted case studies in New York, Virginia, Pennsylvania, and Illinois. The studies revealed three models for achieving effective IT governance. They varied substantially in the extent to which formal authority is concentrated in the state's highest-level IT office as well as where that office is located in the governance structure and how it interacts with other stakeholders in IT initiatives.

The success of a new IT governance structure depends on the support and cooperation of many stakeholders, including the governor's office, the Legislature, control entities, client entities, and technical entities that will be affected by the IT program. The selection, adoption, and development of a governance structure should, therefore, be a collaborative effort involving stakeholders at all levels.

State-wide Fingerprint Imaging System (.html) Jan 2003.

This report concludes that Social Services implemented the Statewide Fingerprint Imaging System (SFIS) without determining the extent of duplicate-aid fraud throughout the State. In its eagerness to implement SFIS, Social Services based its estimates of the savings that SFIS would produce on an evaluation of Los Angeles County’s fingerprint imaging system, rather than conducting its own statewide study. We have concerns that the methods Los Angeles County used to develop its savings estimate do not allow for the results to be extrapolated statewide. Further, Social Services’ use of this data assumes that conditions in Los Angeles County hold true in other counties. Similar concerns were expressed by the United States Department of Agriculture as early as 1998.

Enterprise Licensing Agreement

The State Failed to Exercise Due Diligence When Contracting With Oracle, Potentially Costing Taxpayers Millions of Dollars

The State Needs to Improve the Leadership and Management of Its Information Technology Efforts

The State has a significant investment in information technology (IT)--more than an estimated $2 billion annually--and in the past has experienced several major failures in planned IT systems. When it passed legislation that resulted in the creation of the Department of Information Technology (DOIT) in 1996, the Legislature envisioned that DOIT would provide the leadership, guidance, and oversight needed to protect the State's investment in IT. Although DOIT is developing new processes to meet its responsibilities, it has not consistently delivered what it has been asked to do by the Legislature.

Colorado

Office of the State Auditor

Report

Summary

Beanpole Telecommunication Project

12/02

The General Assembly created the Beanpole project to encourage local public offices to aggregate telecommunication traffic as a way of enticing private telecommunication providers to build infrastructure in all areas of the State. Overall, the project has not yet met its objectives of encouraging private telecommunication vendors to offer services throughout the State and connecting local public offices to the state's multi-use network on a large scale.

Evaluation of Network Services

9/02

This evaluation focused on:

- an examination of the current statewide service delivery structure and an assessment of the advantages and disadvantages of aggregating the networks into centralized networks

- an assessment of the current status of and identification of needed improvements in the Network Services section's service efforts

- an analysis of the Network Services section's costs and rate-setting methodologies.

Colorado Government Technology Services Computing Services

This report contains the results of our assessment of Computing Services’ ability to measure and manage performance and provide adequate levels of service to user agencies. The report details the scope of this review, provides an overview of Computing Services’ operations, and presents observations and recommendations that will enable Computing Services to enhance performance measurements.

Medicaid Management Information System

The purpose of the audit was to review the Department of Health Care Policy and Financing's controls over claims processing through MMIS for the Colorado Medicaid program. We reviewed documentation, analyzed data, and interviewed personnel at the Department and at the State's fiscal agent for the program, Consultec, LLC. As part of our audit, Buck Consultants performed a technical review on aspects of MMIS operations. Results of Buck Consultants' work have been incorporated into this report as noted in the text.

Colorado Information Technology Services, Financial Management of Network Services

The purpose of this audit was to review and evaluate the financial management of network services by the Colorado Information Technology Services in the Department of Personnel/General Support Services. Network services include voice and data communications.

Delaware

Office of Auditor of Accounts

Report

Summary

Dover Data Center Review of General Information Systems Controls

(.pdf, 251KB) June 2001

 

Dover Data Center Review of General Information Systems Controls

(.pdf, 96KB) June 2000

 

Biggs Data Center Review of General Information Systems Controls

(.pdf, 252KB) FY 2000

 

European Union

The Court of Auditors

Report

Summary

Implementation of the Integrated Administration and Control System (IACS)

The 1992 reform radically altered the philosophy underlying the Common Agricultural Policy (CAP). The external protection mechanisms and arrangements for supporting internal prices gradually gave way to a system of direct aid for farmers, which significantly increased the number of beneficiaries, but also the risks of irregularity, which is why IACS was introduced. It comprises five elements: computerised databases, an identification system for agricultural land parcels, a system of identification and registration of animals, aid applications and an integrated system for administrative controls and on-the-spot inspections.

Florida

Auditor General

Report

Summary

Agency for Health Care Administration (.htm)

Report 3-201, June 2003

 

LicenseEase is an integrated application package that assists the Agency in administering the licensing and regulatory process for various types of health care and managed care facilities. LicenseEase controls, among others, application and fee processing, license issuance, complaint and inspection tracking, and discipline and compliance monitoring. We noted deficiencies in certain management controls related to LicenseEase.

The Agency did not have a complete and tested IT disaster recovery plan. There was no reconciliation performed between LicenseEase and the Florida Accounting Information Resource Subsystem to ensure that the moneys collected for licensures as recorded in LicenseEase were appropriately recorded in FLAIR. Improvements were needed in the Agency’s IT risk management practices and in certain security controls protecting LicenseEase.

Department of Banking and Finance

Section 215.94, Florida Statutes, provides that the Department of Banking and Finance is the functional owner of the Florida Accounting Information Resource Subsystem (FLAIR), a subsystem of the Florida Financial Management Information System. Our audit of FLAIR focused on evaluating selected information systems functions, determining the effectiveness of selected general and application controls, and determining the status of prior audit deficiencies. In addition, we reviewed selected aspects of the Department’s acquisition of IT consulting services for a feasibility study regarding the replacement of FLAIR.

Department of Children and Family Services

The Department of Children and Family Services maintains the Allocation, Budget, and Contract Control (ABC) System. The ABC System is an automated, integrated client budget information system designed to support planning and service provision to individuals with developmental disabilities. Our audit of the ABC System was a follow-up engagement to determine the status of Department actions in correcting general and application control deficiencies disclosed in audit report No. 13470.

Department of Elder Affairs

Our audit focused on management controls and selected information technology functions applicable to the Client Information, Registration and Tracking System of the Department of Elder Affairs during the period January 16, 2001 through April 16, 2001, and selected Department actions taken from August 23, 1999.

Department of Health

The Department of Health maintains the CoreSTAT System that contains core credentials data for health care practitioners. Our audit of CoreSTAT focused on determining the effectiveness of selected CoreSTAT information systems functions and the probability that CoreSTAT fees would recover costs, and evaluating selected CoreSTAT contract procedures.

Department of Highway Safety and Motor Vehicles

The Auditor General, as part of the Legislature’s oversight responsibility for operations of State agencies, is responsible for reviews of information systems. Consistent with this responsibility and in response to a request made by the Florida Department of Highway Safety and Motor Vehicles (Department) and the Florida Tax Collectors, Inc., we conducted a limited scope systems review of the development and implementation of the Department’s Florida Real Time Vehicle Information System (FRVIS) 2000. The review focused on the sufficiency of the Department’s testing with respect to FRVIS 2000 processing speed, FRVIS 2000 fee and tax calculations, FRVIS 2000 data conversion, and FRVIS 2000 off-line processing capabilities.

Department of Labor and Employment Security

The purpose of the Unemployment Compensation (UC) System is to provide prompt, accurate benefits for unemployed workers in order to expedite their reemployment, while providing a fair, equitable, and cost-effective Unemployment Compensation System for the employers of Florida.

We noted instances of deficiencies in computer general and application controls applicable to the Claim/Wages component and portions of other associated benefit components of the UC System during the period December 16, 1999, through March 31, 2000. 

Department of State

The Division of Corporations (Division) within the Florida Department of State (Department) serves as the State’s central repository for a variety of business entity filings and annual reports, Uniform Commercial Code financing statements, trade and service mark registrations, fictitious name registrations, and tax lien recordings. The strategic issue of the Division is to maintain a single central commercial repository for recording and retrieving all commercial information and related documentation with convenient public access and use in support of Florida’s economic and commercial growth.

We reviewed selected information systems functions applicable to the Division, in part, to evaluate the extent of progress the Department has made in correcting information systems control deficiencies we previously noted in Report No. 13177, dated March 25, 1998.

Department of Transportation - Financial Management System

The Financial Management System (System) is used by the Department of Transportation (Department) to manage the transportation programs. Our audit of the System focused on evaluating selected information systems functions applicable to the System, determining the effectiveness of selected general controls related to the System, and determining the effectiveness of selected application controls related to the Federal Programs Management component of the System.

Department of Revenue

We noted deficiencies in certain management controls related to the Child Support Enforcement (CSE) component and the CSE Automated Management System project.

  • The Department had not assessed the impact of CSE Automated Management System on the FLORIDA System nor sufficiently included Dept. of Children and Family Services in the planning process.

  • The Department had not enforced certain contract provisions with the Florida Association of Court Clerks for the operation of the State Disbursement Unit. Consequently, the Department paid Florida Association of Court Clerks for services not rendered and diminished the accountability for the Program.

  • The Department had not resolved identified variances between the CSE Component and the Florida Accounting Information Resource Subsystem. Additionally, the Department had not performed a reconciliation of the CSE Component with the State Disbursement Unit Repository.

  • The Department and the Dept. of Children and Family Services did not have a current interagency agreement for data processing services for the CSE Program, as required by Florida Statutes.

  • Deficiencies continued to exist in the documentation of reference table changes to evidence that they were requested, reviewed, and approved by applicable user groups prior to their activation.

State of Florida - Purchasing Card Program

The Purchasing Card Program (Program) was implemented in the State of Florida in 1997 to streamline the purchasing and payment processes for small dollar purchases, generally those under $1,000. The Department of Banking and Finance, Office of State Comptroller and the Department of Management Services administer the Program, with the assistance of Bank of America, the current service provider. The State Technology Office operates and manages the Shared Resource Center which also supports the Purchasing Card Program.

State Technology Office

Section 282.102, Florida Statutes, as amended by Chapter 2000-164, Laws of Florida, effective July 1, 2000, created the State Technology Office (STO). The STO was created within the Department of Management Services, headed by a Chief Information Officer appointed by the Governor. Among other purposes, the STO was created to provide support and guidance to all State agencies to enhance the State’s use and management of information technology (IT) resources. Our audit of the STO focused on its efforts to implement selected provisions of Section 282.102, Florida Statutes, specifically to integrate the State's IT systems and services, and on the transition of the State’s IT resources from the State agencies to the STO.

Georgia

Department of Audit and Accounts

Report

Summary

Distance Learning and Telemedicine (.pdf, 352KB) Sept. 2003

While this report discusses distance learning and telemedicine, the focus of the evaluation is on the Georgia Statewide Academic and Medical System (GSAMS). GSAMS, as explained in detail on pages 5 & 6, is a video conferencing system, which has many applications but is used primarily for distance learning and telemedicine.

Georgia Technology Authority GeorgiaNet (State Government’s Internet/Web Presence) (.pdf, 187KB) Nov. 2003

 

In 1990, the GeorgiaNet Authority was created to provide for the centralized marketing, provision, sale, and leasing of certain public information maintained by the state in electronic format. The GeorgiaNet Authority was also responsible for maintaining the State of Georgia website and developing internet based e-commerce applications for state agencies. The Authority was funded by the income resulting from the sale of public information. In 2000, the Georgia Technology Authority (GTA) was created as a result of the need to have a strong centralized organizational structure that could address all of the state’s technology requirements. In addition to assuming the responsibilities of the old GeorgiaNet Authority, the GTA also operates the state's data center and telecommunications network, coordinates the state’s purchase of technology resources, oversees the state’s IT projects costing more than $1 million, and reviews and analyzes the state’s IT budgets and strategic plans.

Procurement, Use, and Security of Wireless Technology

(.pdf, 260KB) August 2003

 

This report discusses two distinct topics: the procurement and use of personal wireless devices; and the security of personal wireless devices and wireless computer networks.

The review of procurement and use of personal wireless devices includes attempts to identify the number of devices used by state agencies and the expenditures for those devices and services. It also discusses the methods of procurement and agencies’ compliance with the state’s telecommunications policy.

The security of personal wireless devices section includes a review of agencies’ security measures related to personal wireless devices and wireless computer networks.

Guernsey

States of Guernsey Audit Commission

Report

Summary

Project Management Report

(.pdf, 538KB) May 2003

The aims of this report are to provide a blueprint (albeit a flexible one) for managing complex projects well and to learn from the lessons of the past.

Review of Information and Communications Technology in the States of Guernsey

The main findings of this review conclude that the States is currently not realising best value from its deployment, use and management of ICT services. There are a number of factors contributing to this position on an operational and technology basis. However, the extent of the recommendations (and their fundamental nature) stems from the lack of a strong strategic ICT direction and ability to implement an ICT strategy on a corporate States-wide basis. This is despite the fact that the States has an ICT Strategic Framework document within which committees are encouraged to work.

Hawaii

Office of the Auditor

Report

Summary

Audit of the Department of Human Services' Electronic Benefit Transfer (EBT) Program

(.pdf, 5.2MB) August 2003

 

An EBT system is an electronic means for a government agency to distribute needs-tested benefits. Recipients access their benefits through automated teller machines or point-of-sale terminals using magnetic striped cards similar to bank debit cards. Previous audits found deficiencies in the department’s management controls over its food stamp and financial assistance programs resulting in overpayments and inaccurate computerized data. Our current audit found that the department continues to struggle with implementing proper controls resulting in decreased payment accuracy ratings, loss of enhanced federal funding, increased risk of unauthorized benefits, and limits to the effectiveness of the EBT program.

Study of the Automated Child Support Enforcement System (KEIKI)

(.pdf, 1.5MB) January 2003

 

This study explored ways to make KEIKI more responsive and accurate. It also examined ways to improve and streamline the Child Support Enforcement Agency’s organizational structure and balance the agency’s customer service requirements with the primary responsibility of making payments to custodial parents.

The study concluded that KEIKI's capabilities are not being fully exploited and that the Agency is not converting captured data into information to support management, planning, and operational control. The Agency has not developed a strategic plan and workflow planning and control information are not used effectively, and although the Agency has made improvements in customer service it has not yet established a culture of customer service, which needs numerous improvements. The Agency Administrator has not defined what constitutes adequate or excellent customer service or related measures of effectiveness. Telephone customer support continues to be unacceptable - fewer than 60% of callers entered the telephone queue and under 50% eventually talked to an agency representative.

Establishment of a Public Land Trust Information System, Phase One

(.pdf, 1.95MB) March 2001

This progress report is submitted in response to Act 125, Session Laws of Hawaii (SLH) 2000, which directed the Auditor to initiate and coordinate all efforts to establish a public land trust information system. Act 125 requires that the information system include an inventory of the lands and other information useful for the proper administration and management of the public land trust. The act requires the Auditor to submit a progress report to the 2001 Legislature that outlines necessary tasks to complete the public land trust information system and inventory.

Audit of the Department of Human Services' Information Systems

(.pdf, 353KB) February 2001

The State Auditor initiated this audit to assess the Department of Human Services' information systems' effectiveness in providing for public welfare needs efficiently. The audit was conducted pursuant to Section 23-4, Hawaii Revised Statutes, which requires the Auditor to conduct post audits of the transactions, accounts, programs, and performance of all departments, offices, and agencies of the State and its political subdivisions.

Idaho

Office of Performance Evaluations

Report

Summary

Data Management at the Commission of Pardons and Parole and the Department of Correction (follow-up review).

Report 03-03F (.pdf, 319KB) February 2003.

Both the Commission of Pardons and Parole and the Department of Correction have made progress on implementing all nine recommendations resulting from our May 2001 performance evaluation of their data management. In addition, the Department of Correction is close to finalizing the acquisition of Utah’s offender management system at no cost to Idaho, which is a substantial saving over the department’s request of $700,000 for such a system.

Improvements in Data Management Needed at the Commission of Pardons and Parole

A report of the Commission of Pardons and Parole's data management, and the Department of Correction's proposed acquisition of a new offender information system.

The Department of Fish and Game's Automated Licensing System Acquisition and Oversight

The Department of Fish and Game did not comply with state purchasing laws and regulations when it acquired the licensing system, although there was no evidence that it intended to violate the law. In addition, the agreements through which the system was acquired lacked clear and complete contract terms, which complicated contract oversight and enforcement.

Inmate Collect Call Rates and Telephone Access:  Opportunities to Address High Phone Rates

On September 29, 2000, the Joint Legislative Oversight Committee requested that the Office of Performance Evaluations conduct an evaluative review of inmate telephone rates and access. Committee members indicated concern about high phone rates for calls from inmates and the possibility that the Department of Correction was making money from these calls. Additionally, concerns were voiced that inmate access to telephones might be excessive.

Illinois

Auditor General

Report

Summary

Agency use of Internet user tracking technology

Each State agency is responsible for developing privacy policies that disclose how the agency will use information obtained over the Internet. Of the 42 agencies that used cookies, only 7 disclosed in privacy policies that cookies were being used. Of the 114 agencies that reported having a web-site, only 32 (28 percent) reported that they had a privacy statement or policy located on their web-sites.

Kansas

Legislative Division of Post Audit

Report

Summary

KDHE Information Systems: Reviewing the Department’s Management of Those Systems

(.pdf, 636KB) October 2003

This is the third in a series of specialized compliance and control audits designed to focus on an important area of agency operations that generally hasn’t been reviewed—the technical aspects of operating information systems. At the direction of the Legislative Post Audit Committee, this audit focused on the management of the Department’s information systems. Specifically, we reviewed how well the Department secures its information systems.

The Department’s operations were at an extremely high risk of fraud, misuse, or disruption caused largely by the following problems:

  • KDHE’s method of issuing and handling passwords was profoundly flawed, giving any former or current employee - and most hackers - fairly easy access into the agency’s network and data. Using password cracking software, we were able to crack more than 1,000 of the agency’s passwords (about 60% of the total) in 3 minutes, including several administrative passwords.

  • The Department’s anti-virus system was badly flawed, allowing computers to become infected with a large number of different viruses, worms, and Trojan horses. Many computers weren’t receiving the necessary virus protection updates, some were set to ignore viruses, and nearly 200 computers didn’t have the anti-virus software installed. Many computers were infected with viruses, and some had been infected for months.

Information Network of Kansas (April 2003)

Executive summary (.htm)

Full report (.pdf, 328KB)

A review of revenues, expenditures and administrative structure.

High-Capacity Telecommunications Services:  Examining Local Telephone Companies' Compliance with the 1996 Telecommunications Act. (April 2000)

The Kansas Telecommunications Act of 1996 required local telephone companies to provide existing and newly ordered "broadband" or high-speed telecommunications services to schools, hospitals, libraries, and other State and local government entities at discounted prices.

During the 2000 legislative session, legislators received information showing that individual school districts appeared to pay vastly different amounts for the high-speed connections they used to access the Internet. This raised questions about whether telephone companies had complied with the requirements of the Telecommunications Act, and whether the Kansas Corporation Commission had taken the actions needed to enforce these statutory provisions.  This report contains the findings, conclusions, and recommendations from a completed performance audit. 

Kentucky

The Auditor of Public Accounts

Report

Summary

Press release

State Auditor discovers transportation computers hacked and Cabinet computers used for thousands of porn site visits.

Governor's Office for Technology

2001-2002 (.pdf, 1.5MB)

A report on controls placed in operation and their operational effectiveness.

Deficiencies In The State's Medicaid Claims Processing Contract

This audit was performed to assist the Department for Medicaid Services in renegotiating its fiscal agent contract. The results of the audit provide a blueprint for state government's contracting with and overseeing fiscal agents and other third party administrators. It lists 14 'lessons learned' for future systems development and service contracts.

Examination of the use of the Commonwealth's IT resources for non-public purposes. (.pdf, 71KB) November, 2000

Two Internet domain names residing on a web server in the Governor’s Office of Technology (GOT) were of a non-public nature. One domain name was reserved for a physician in Louisiana and the other domain contained an active Internet site for a high school alumni page. The State Auditor recommended the GOT remind its employees that "technology resources are to be used to perform public responsibilities and are not for non public or personal use."

Louisiana

Legislative Auditor

Report

Summary

Records management

The primary purpose of the Archives and Records Program (State Archives) is to provide a state-wide system of managing and preserving government records and to do so efficiently and economically. The objectives of this performance audit were to answer the following questions:

  • Is the use of electronic imaging reducing the demand for storage space?

  • Does the Archives and Records Program’s use of retention schedules ensure efficient use of its Records Center?

  • Are the Records Center’s customers satisfied with its services?

  • Does the Archives and Records Program provide quality microfilm services at the lowest cost?

Maryland

Office of Legislative Audits

Report

Summary

Financial Management Information System Centralized Operations

(.pdf, 163KB) March 2003

Our audit disclosed that FMIS contained many essential internal controls that were functioning properly. However, our audit also disclosed certain weaknesses that reduced the effectiveness of the System’s internal controls. For example, we found that access to certain critical FMIS program files was not properly restricted or recorded. In addition, a number of State employees were assigned incompatible FMIS security duties.

State Cell Phone Usage

(.pdf, 329KB) February 2003

Effective Statewide Oversight of Cellular Communication Services and Expenses Was Lacking; Cell Phone Vendors Did Not Comply With Certain Contractual Requirements; State Agencies Did Not Adequately Monitor Cell Phone Usage.

Department of Transportation Financial Management Information System Centralized Operations

July, 2001

The centralized operations of the Financial Management Information System (FMIS) are administered by the Department of Transportation. The System is used to support the Department’s purchasing, accounting and payment functions. Expenditures processed through the System for fiscal year 2000 totalled approximately $1.9 billion. Our audit disclosed that FMIS contained many essential internal controls that were properly functioning but it also disclosed certain weaknesses that reduced the effectiveness of the System’s internal controls. We found that access to certain critical FMIS files was not properly restricted. In addition, reports of security violations, successful accesses to critical files, and changes to the system access capabilities of users were not properly reviewed. Furthermore, several Department employees were assigned incompatible FMIS security duties.

Department of Juvenile Justice Information Technology (IT) Expenditures

Sept., 2000

We conducted a performance audit to identify and assess the propriety of the Department of Juvenile Justice’s information technology expenditures and to evaluate the related procurement and contract monitoring procedures. Such expenditures totalled approximately $14.3 million for the period from July 1, 1997 to June 30, 2000. 

Based on our tests, most information technology expenditures were properly approved and supported by vendor invoices. However, the Department did not detect unauthorized charges of approximately $256,000. We also determined that the Department’s budgetary estimates for its information technology requirements were incomplete, which was a major factor in the Department significantly overspending its original appropriations for the three years under review by the aggregate amount of $5.4 million. We also noted that approximately $857,000 was expended for certain data conversion efforts that were minimally successful. 

Massachusetts

"The Cruelest Tax of All is Waste"

Auditor of the Commonwealth of Massachusetts

Report

Summary

REPORT ON INTERNAL CONTROLS OVER THE DEPARTMENT OF SOCIAL SERVICES’ FAMILYNET SYSTEM

The scope of the audit included a review and evaluation of system access security to the FamilyNet system and a review of access controls over the network on which the FamilyNet application resides; control practices, procedures, and devices regarding physical security and environmental protection over and within the buildings housing DSS business offices; physical security and environmental protection over restricted areas housing confidential client records at the business offices and on-site storage for computer-related media; control practices regarding the security over and destruction and removal of hardcopy confidential information regarding DSS clients.

REPORT ON THE EXAMINATION OF INFORMATION TECHNOLOGY-RELATED CONTROLS AT THE HUMAN RESOURCES DIVISION

The scope of the audit included an examination of IT-related controls pertaining to organization and management, physical security, environmental protection, fixed-asset inventory for the IT environment, logical access security, disaster recovery and business continuity planning, and on-site and off-site storage of backup magnetic media for mission-critical and essential computer systems.

REPORT ON INFORMATION TECHNOLOGY-RELATED CONTROLS AT MASSASOIT COMMUNITY COLLEGE

The scope of our IT audit included an evaluation of IT-related general controls for the administrative and academic IT functions. Areas reviewed included IT-related organization and management, physical security, environmental protection, logical access security, on-site and offsite storage of magnetic backup media, and disaster recovery and business continuity planning. We also examined controls over IT-related service contracts and procurement and inventory record-keeping of IT-related assets.

Michigan

Office of the Auditor General

Report

Summary

Performance and Financial Related Audit - Michigan Administrative Information Network

Feb. 2003 (.pdf, 187KB)

MAIN is the State's automated administrative management system that supports accounting, payroll, purchasing, and other activities. The audit objective was to assess the effectiveness of general controls over management, development, and security of information processing.

Technology Services and the Automated Information Systems (July, 2002)

This report contains the results of a performance audit of Information Technology Services and the Automated Information Systems, Bureau of State Lottery, Department of Treasury.

Telecommunication Services and Enterprise Security (March, 2002)

This report contains the results of a performance audit of Telecommunication Services and Enterprise Security, Department of Management and Budget (DMB).

Data Collection and Distribution System

(August, 2001)

This report contains the results of a performance audit of the Data Collection and Distribution System (DCDS), Michigan Administrative Information Network (MAIN), Department of Management and Budget (DMB).

Technology Services and the Automated Information Systems

(May, 2001)

This report contains the results of a performance audit of Technology Services and the Automated Information Systems, Department of Education.

Automated Information Systems

(December, 2000)

This report contains the results of a performance audit of the Automated Information Systems, Department of Military and Veterans Affairs.

Minnesota

Office of the Legislative Auditor

Report

Summary

SEMA4 Information Technology Audit

(August, 2002)

This information technology audit assessed the adequacy of key “application” and “general” controls of the State Employee Management System (SEMA4). Application controls filter out invalid data before it can be processed and ensure that remaining transactions are completely and accurately processed. However, some information technology professionals had excessive security clearances, and some interface files were not appropriately secured during transmission.

Managing Local Government Computer Systems (April, 2002)

Summary

Full report

Local governments may manage their computer systems in-house, by outside vendors, by an intergovernmental computer collaboration, or by a combination of these three approaches. This report recommends that counties, cities, and school districts adopt certain best practices as they consider how they want to manage their computer systems.

Local E-Government (April, 2002)

Summary

Full report

This report identifies best practices for local governments, including cities, counties, and school districts, that deliver e-government services to citizens via the Internet.

Missouri

Office of the Missouri State Auditor

Report

Summary

State Data Center Comprehensive Continuity Planning And Mainframe Security Administration

(.htm) Nov. 2003

This audit reviewed the State Data Center’s comprehensive continuity plan and security administration.  The Office of Administration, Division of Information Services established the State Data Center, which processes mainframe data, stores data, and backs up state data systems.  Without a complete continuity plan, there is limited assurance information technology processing could be promptly resumed after a disaster or other disruptive event. Security control weaknesses put mainframe data at risk for unauthorized use or modification. 

Comprehensive Continuity Planning and Information Resource Security Management of The State's Accounting System (.htm) Oct. 2003

This audit reviewed the Office of Administration’s management of the state’s accounting system (SAM II) as it relates to plans for handling business continuity and information technology recovery should a disaster or other disruptive event occur.  SAM II is the state government’s integrated financial management, human resource and payroll system which processed approximately $25 billion in expenditure and transfer transactions in fiscal year 2003. 

Division of Child Support Enforcement Computer Risk Management Program (May 2003)

This audit assessed how well the state can recover data after unexpected interruptions to the state's child support computer system, which disburses child support checks.  Division of Child Support Enforcement distributed about $447 million in child support checks to parents during fiscal year 2002.  The computer system also maintains confidential child support data, such as parental and court-ordered information, and is not adequately protected from unauthorized access.

Department of Revenue Information Resource Security Management

Feb. 2003

The Department of Revenue, which collects taxes and administers drivers’ licenses and motor vehicle records, needs to better address system access control management policies and practices.  These practices protect the integrity, confidentiality, and availability of data and information, which are at risk from unauthorized use, modification, or disclosure.

Department of Revenue Comprehensive Continuity Planning

This audit analyzed the Department of Revenue's capability to resume normal business operations and recover information from automated data systems after a disaster or other disruptive event.  Auditors examined disaster recovery planning, staff emergency response training, as well as testing and documentation procedures for backup systems and environmental controls.  

Management of Cellular Telephones At State Agencies

This audit examined how effectively state agencies manage cellular telephone use and found no assurance that employees are enrolled in the most cost-effective plans or that telephones are fully utilized.  Auditors reviewed cellular telephone policies at 16 state agencies and made detailed reviews of billing plans at seven organizations within four agencies.

Government benefits delivered better with new electronic system

The Department of Social Services’ new electronic benefits transfer system disburses benefits more efficiently and reduces the chance of fraud.  This audit found no major deficiencies in the new system, which replaced paper benefit coupons.   

Computer Security in the Department of Labor and Industrial Relations

This audit reviewed how effectively the Department of Labor and Industrial Relations computer security program protects its system from unauthorized access and/or information loss from disaster or other interruptions. In fiscal year 2000, the Department used its computer systems, which contain more than 3 million confidential records, to pay $300 million in unemployment benefits and approximately $28 million in second injury fund compensation. The department immediately fixed several system weaknesses upon discovery through the audit.

Montana

Legislative Audit Division

Report

Summary

Administration, Montana Lottery Security

(.pdf, 171KB) Sept. 2003

State law requires the Legislative Audit Division conduct a comprehensive audit every two years of all aspects of security in the operation of the Montana Lottery. Our primary audit objective is to evaluate the existence and operation of security controls and evaluate compliance with state law.

Audit of the Administration, State-wide Accounting, Budgeting and Human Resource system.

(.pdf, 244KB) March 2002

SABHRS functions as the state’s primary accounting, budgeting, human resource management, and procurement system. We reviewed general controls over the SABHRS processing environment and application controls over Human Resource Management and Finance systems.

In conclusion, we identified weaknesses within the SABHRS general controls environment regarding inadequate service continuity and security planning. We also determined the responsibilities and segregation of incompatible duties should be defined.

Assessment of the Department of Revenue’s Process Oriented Integrated System (POINTS).

(.pdf, 2.1MB)

This system post-implementation audit included the following findings:

  • The department undertook several major efforts during the same time frame, adding complexity to the development of POINTS.

  • POINTS is still not operating at design specifications.

  • The data on POINTS has errors introduced at the time of conversion and compounded by system defects.

  • In general, staff indicate customer service seems to be less effective with POINTS because users either cannot find information due to defects, or the system information is too inaccurate to be useful for timely response.

  • System functionality does not work as designed, creating backlog and increased workload beyond ordinary business.

  • Defects that are currently being worked in POINTS I may or may not impact the account types developing in POINTS II; however, POINTS II may introduce additional defects upon the foundation that could affect all account types.

Audit of the Teachers' Retirement Division Computer Based Application

An EDP audit of controls relating to the computer-based application which processes and stores Teachers' Retirement System information on member contributions and disbursements. It contains recommendations for improving controls over TRS’ electronic data processing environment, which include:

- Restricting electronic access to critical files and programs.

- Documenting and testing a disaster recovery plan.

- Documenting critical application processes.

Montana Lottery Security (2001)

This report contains information regarding the security controls over Montana Lottery operations. The report concludes controls are in place, which ensure the overall security of Montana Lottery operations.

System for the Enforcement and Recovery of Child Support (SEARCHS)

This report provides information regarding application controls over the department’s SEARCHS system, and access and change controls over the related processing environment. It contains recommendations for improving controls over the SEARCHS information system environment, which include:

- Resolving programming problems to ensure child support collections are assigned to the state for reimbursement of public assistance.

- Distributing excess reimbursed assistance to custodial parents.

- Validating social security numbers.

- Modifying support orders to include medical support.

- Reviewing bank account information.

Montana Online Tax and Reporting System (MOTRS)

This report provides information regarding system development controls over MOTRS. It includes recommendations for improving controls to ensure development results meet department expectations. Audit issues address:

- Completing a business area analysis.

- Documenting user acceptance testing procedures and results.

- Completing program and operations documentation.

University of Montana Banner System

A limited scope information systems audit of the University of Montana's (UM) Banner Human Resource (HR), Finance, and Student Financial Aid processes. The audit concluded that UM Banner system applications operate in a controlled environment for the selected processes that were tested, with the exception of weaknesses identified over user access. Testing indicates that two conditions existed: (1) current procedures did not prevent individuals whose need has expired, students not currently working with a program, or terminated employees from accessing UM data; (2) current procedures did not lessen the potential for unauthorized HR transactions.

Nebraska

Auditor of Public Accounts

Report

Summary

Fixed Assets - State-wide Inventory System and Computer Asset Management System

(.pdf, 227KB) May 2002

The report relates to the Nebraska Health and Human Services System (HHSS) – Fixed Assets. The audit objectives were to evaluate HHSS internal controls regarding maintenance of fixed assets records; determine if fixed assets values reported were complete and accurate; determine HHSS compliance with applicable State Statutes.

Nevada

Legislative Counsel Bureau, Audit Division

Report

Summary

Security and Integrity of the State's Criminal History Repository (LA02-24)

Errors and missing data in the criminal history records database reduce the reliability of programs that rely on this information.  Such programs include background checks for employment and gun purchases.  In addition, thousands of criminal fingerprint cards have not been fully processed and others were not processed timely.  These weaknesses have resulted from a lack of controls in entering and testing data, and allocating resources to other activities. Computer security weaknesses place the criminal history repository at risk of unauthorized access to the system and data.  This could result in sensitive and confidential information being viewed, altered, or destroyed deliberately or accidentally.  In addition, controls over physical access to source documents and computer equipment need strengthening.  Furthermore, the lack of a complete disaster recovery plan leaves the system vulnerable in the event of a disaster or tampering with data.  Sustained management commitment is needed to ensure these weaknesses are addressed.

Department of Information Technology (LA98-20)

The Department of Information Technology was created to ensure the state's information needs are met economically. However, managing information technology projects has long been a problem in Nevada. Although the State has substantially increased the resources spent on information technology in recent years, this investment has yielded mixed results. Large cost overruns, lengthy project delays, and poorly performing systems are commonplace. Furthermore, most agencies feel their information needs are not being met. Developing information systems is a difficult and complex process--full of risks. To successfully manage these risks, the Department must strengthen its management controls.

Department of Prisons Computer Systems Security (LA98-17)

The Department's AS/400 system controls provide reasonable assurance that its data, programs, and software are protected from unauthorized access. For instance, procedures such as constant monitoring of user profiles provide strong front-end controls. However, in a few instances we found secondary operating system settings inconsistent with the higher support level established by SSIS for global security to protect against unauthorized access. When these inconsistencies were identified, SSIS staff immediately set the value to a higher security level. We also found that the computer room was not protected from disasters such as fire.

New Jersey

Office of the State Auditor

Report

Summary

Division of Revenue Information Systems

(.pdf, 68KB) August 28, 2003

Our review disclosed that while selected application controls were in place and functioning adequately for transaction processing data integrity, the selected general controls for system management and continuity, and for data security were not adequate.

Division of Taxation-Public Access Systems

(.pdf, 51 KB) December 11, 2002

Our review disclosed that while selected application controls were in place for transaction processing data integrity, the selected general controls for data security and application maintenance require improvements.

Office of Information Technology E-Government

(.pdf, 64 KB) May 20, 2002

OIT management has recognized the importance of properly controlling the E-Government Services it provides. However, we have found several control weaknesses within this effort that, if not corrected, could contribute to failures to provide secure state services through the Internet.

New South Wales

Audit Office of New South Wales

Report

Summary

1999 - 2000 Millennium Date Rollover: Preparedness of the NSW Public Sector

(.pdf, 237 KB)

This audit looks at how well prepared our government was to address the risks of the millennium date rollover.

Freedom of Information

(.pdf, 184 KB) August 2003

Most democratic societies recognise that Freedom of Information (FOI) is a fundamental element of government accountability. Opening government processes to scrutiny allows the public to question and better evaluate the activities the Government carries out on their behalf. In New South Wales, FOI has been law since 1989. Since then, members of the public have had a legal right to access most information in most government agencies.

This report highlights key issues and illustrates the range of challenges which agencies face when handling FOI requests.

Delivering Services Online (.html, June 2003)

We selected the Roads and Traffic Authority (RTA) as a case study to highlight important aspects of online service delivery. We consider that the RTA’s e-business approach and achievements may be of benefit and interest to other government agencies. This audit provides a strategic assessment of how well RTA is managing the benefits and risks associated with a major element of its e-business. In particular, the audit assessed how well RTA manages and achieves its e-business program; protects information assets, and the security and reliability of its online services to promote public confidence; and manages stakeholder and staff issues.

We focused on registration services, RTA’s biggest online service. This service includes vehicle registrations, personalised vehicle number plate sales and the provision of information.

Outsourcing Information Technology

(.html, Oct 2002)

A review of how five agencies outsourced information technology functions.

Electronic Procurement of Hospital Supplies (.html, Sept 2002)

The use of e-procurement offers potential for significant savings. Achieving full value from e-procurement is a substantial challenge. Structures will have to change, as will attitudes. This will require strong executive vision, commitment and leadership, efficient and effective processes, quality management information and sound infrastructure. This report assesses how well the NSW public health system manages the e-procurement of hospital supplies.

Use of the Internet and related technologies to improve public sector performance

(.html, Sept. 2001)

The transformation from traditional government to electronic government may be one of the most important public policy issues of our time. This performance audit provides a strategic overview of the current (Sept. 2001) position of the NSW public sector in its implementation of e-government.

Management of Intellectual Property

(Oct 2001)

The lack of an integrated framework and co-ordinated support for agencies means that the management of IP has varied across the public sector and in general is not adequate. The audit found that:

  • some agencies do not understand what IP is and are not aware of IP assets under their control

  • most agencies do not maintain a register of their IP assets

  • many agencies do not have adequate policies and systems to manage IP

  • because of lack of expertise in the area, agencies tend to be overly cautious towards IP

  • few agencies recognise or reward innovation leading to IP

  • most agencies have not allocated adequate resources for the management of IP.

Using Computers in Schools for Teaching and Learning

This audit considered the logistics of putting computers in schools and the use of computers for teaching and learning. It involved:

  • more than 30 person days spent on site examining in detail the use of computers at four primary and four secondary schools;

  • interviews with relevant officers of the Department of Education and Training and other experts, including teacher training faculties of major Sydney universities;

  • file and document examination;

  • extensive international literature review, focusing on academic research into computer technology and teaching, and current practices in other jurisdictions.

e-Government: user friendliness of web sites (June, 2002)

(See also the NSW Auditing E-Government web site)

Our review of these nine sites and three interstate government agency sites showed that some NSW government websites are very good and that NSW sites compare favourably with those interstate. Our review also showed some common areas for improvement. Five of these were:

  • Agencies should consult more with users when developing their websites.

  • Websites should include advice on their purpose, how best to use them, and important legal issues (e.g. security, privacy and copyright)

  • Websites should support two-way communication between the public and agencies

  • Information on websites should be organised so users can easily locate information using mainstream search engines. Also the quality of search engines on agency websites could be improved.

  • Websites should cater for people with a disability, from a non-English speaking background or with access to basic technologies.

New York State

Office of the State Comptroller

Report

Summary

Audit Finds Disconnect Between Plan and Implementation on State-wide Telecommunications Network

(.pdf, 529KB) August 2003

Overall, we conclude that the NYeNet has not attained all of its major goals. The NYeNet has not become a common and unified state-wide telecommunications network despite its highly touted capabilities and its announced readiness for service in July 2000. Sound project management practices require identifying measurable goals for a project; studying a project’s scope, feasibility and cost benefit; assuming accountability for the project’s completion in a stated timeframe; and tracking project progress. However, OFT did not follow these project management techniques to implement the NYeNet, so it is difficult to estimate when the NYeNet will be able to deliver all the promised services.

New York City Mayor's Office of Contracts: Vendor Information Exchange System

(.pdf, 467KB) March 2003

The Vendor Information Exchange System (VENDEX) is an automated information system maintained by the New York City Mayor’s Office of Contracts. VENDEX is used to maintain information about the contracts administered by New York City Mayoral agencies. We examined the accuracy of the information on VENDEX and found that certain improvements were needed. For example, some active contracts had not been entered on the system, and other information was not entered in a timely manner. We made recommendations for improving the accuracy of the information on VENDEX.

Department of State: Computer Network Security Controls

(.pdf, 367KB) June 2002

 

The Department of State licenses certain activities, administers building and commercial codes, and provides other regulatory and administrative services. We audited the controls for preventing unauthorized access to the automated information systems supporting these activities. We found that these controls were seriously inadequate. Moreover, since Department officials did not fully cooperate with our audit effort, we were unable to perform certain tests and unable to assess certain controls over access to the Department’s automated information systems. We recommend that Department officials take immediate action to strengthen the controls over access to these systems.

Department of Health: Medicaid Managed Care Encounter Data

(.pdf, 652KB) March, 2002

Many of New York’s Medicaid recipients are enrolled in managed care programs. Each month, the managed care providers are required to submit to the Department of Health information describing the medical services provided to Medicaid recipients. We examined the practices used by the Department to ensure that the information submitted by managed care providers (called encounter data) is complete, accurate and timely. We found that improvements are needed in the completeness, accuracy and timeliness of the data. We further found that, even when services were reported to the Department, the reported information was not always complete or reliable. We also found that encounter data could be used more effectively by the Department in its efforts to monitor the services provided to Medicaid recipients in managed care programs. For example, when we compared reported encounter data to other Medicaid data maintained by the Department, we identified as much as $3.8 million in duplicate payments as well as other potential problems. We made a number of recommendations aimed at improving the reliability and usefulness of the encounter data reported to the Department.

Department of Health: General and Application Controls Over the Health Information Network

(.pdf, 216KB) August 2001

 

The Health Information Network is a web-based information system maintained by the Department of Health for users in the Department and local health departments throughout New York State. The Network contains information relating to hospital operations, births and deaths, communicable diseases, and other aspects of public health. We examined whether confidential information in the Network was adequately protected against access by unauthorized individuals. We found that the controls for preventing such access were generally adequate, but improvements could be made in certain controls to provide even better protection. We also found that plans needed to be developed and other actions taken to prevent service interruptions and a loss of information from power failures, natural disasters and other such events.
 

State University of New York: Utilization and Control of Selected Standardized Computer Systems

(.pdf, 612KB) August 2000

SUNY System Administration maintains the university-wide computerized system that processes financial and human resource information such as accounting, purchasing, and accounts payable transactions. This system interfaces with applications that are not university-wide, including campus-based student information systems that process student financial aid, class registration and payment data. In our prior audit report, we concluded that SUNY could realize significant benefits and cost savings by establishing and adhering to policy supporting the use of standardized administrative computing systems throughout the University. Since that time, other reports from sources internal and external to SUNY have made similar conclusions. During this audit, we found that SUNY has taken some noteworthy steps to encourage standardized computer systems. However, we found that SUNY has not established policy direction supporting the utilization of standardized systems for student information, finance and human resource processing throughout the University. We conclude that with appropriate leadership from System Administration and policy direction supported by the Board of Trustees, SUNY could make considerably more progress toward the utilization of standardized systems with resultant cost savings and efficiencies.

Newfoundland and Labrador

Office of the Auditor General

Report

Summary

Computer Hardware - Agencies of the Crown

Computer hardware is considered to be a moveable capital asset and as such, is susceptible to misappropriation or unintentional loss. As a result, it is important that all Government agencies have proper procedures and inventory systems in place to control and account for this computer hardware.

Our review indicated that controls over computer hardware in the 15 Government agencies reviewed are not adequate. Specifically, agencies cannot always locate their computer equipment. 3 of the 15 agencies reviewed did not have an inventory information system. Of the 12 remaining agencies that did have a system or an inventory listing, the information in these systems or on the listing was not complete or accurate.

North Carolina

Office of the State Auditor

Report

Summary

Information Technology Services General Controls (pdf, 100KB) July 2003

We audited policies and procedures, interviewed key administrators and other personnel, examined system configurations, toured the computer facility, tested on-line system controls, reviewed appropriate technical literature, reviewed computer generated reports, and used security evaluation software in our audit of application controls. We conducted our audit in accordance with the standards applicable to performance audits contained in Government Auditing Standards issued by the Comptroller General of the United States and Information Systems Audit Standards issued by the Information Systems Audit and Control Association. We found that a personal web page was being hosted on a state computer, as well as indications that problems from previous years had not been fully addressed. 

Audit of the Information System General Controls at The University of North Carolina at Asheville (.pdf, 291KB) March 2003

The primary objective of this audit was to evaluate IS general controls at The University of North Carolina at Asheville. The scope of our IS general controls audit included general security, access controls, program maintenance, systems software, physical security, operations procedures, and disaster recovery. Other IS general control topics were reviewed as considered necessary. The auditors found several problems involving access control, policies and procedures, and segregation of duties.

Information System General Controls at UNC Hospitals (.pdf, 297KB) Dec. 2002

The primary objective of this audit was to evaluate IS general controls at UNC Hospitals. The scope of our IS general controls audit included general security, access controls, program maintenance, systems software, systems development, physical security, operations procedures, help desk, and disaster recovery. Other IS general control topics were reviewed as considered necessary. The auditors identified several problems dealing with security, disaster recovery and system back-ups.

Vulnerability Assessment (.pdf, 548KB) Dec. 2002

Contractors working for the Office of the State Auditor successfully penetrated 21 of 22 selected state computer networks as part of testing of computer security. The networks compromised included systems in the executive, legislative and judicial branches.

North Dakota

Office of the State Auditor

Report

Summary

Medicaid Management Information System - March 6, 2003 (.pdf, 155KB)

The Medicaid Management Information System (MMIS) is used to process and pay eligible providers for claims primarily for the Medicaid program, but also includes claims for other programs and agencies. This report provides an analysis, findings, and recommendations regarding an audit of the MMIS. This audit was primarily an information system audit; however, we also addressed operational issues related to MMIS and its operation within the Department of Human Services.

State Information Technology Systems Risk Assessment - May 15, 2002

A risk assessment report of information technology systems within North Dakota State government. The risk assessment will be used to help us to direct our audit resources towards the applications that are important to the State of North Dakota. We reviewed 50 Executive Branch State Agencies and assessed risk for 379 information technology systems identified within those agencies.

Information Technology Department General Controls Audit - For the Period July 1, 2000 to June 30, 2001

 

General controls encompass the environment in which all applications are processed. Their purpose is not typically directed to any one application, but to all applications processed at the data center. Effective general controls provide the proper environment for good application controls. General controls increase in significance as more critical applications are processed through the computer. When general controls are weak or missing, the auditor must ascertain whether application controls exercised in user areas satisfy the control requirements.

• We recommend that ITD not allow alter access to the SMF data sets except in emergency situations. Page 39

• We recommend that ITD implement a formal training program on security for ITD employees. Page 43

• We recommend that ITD define the duties and responsibilities of IT Coordinators and Agency Security Officers. Page 43

• We recommend that ITD implement a quality assurance approach. Page 44

• We recommend that ITD follow their system development life cycle methodology or develop a new methodology that better meets their needs while still providing adequate controls over the development process. Page 44

Northern Ireland

Northern Ireland Audit Office

Report

Summary

The PFI Contract for the Education and Library Boards' New Computerised Accounting System  March 2003

A report to Parliament on a contract negotiated in 1999 by the South-Eastern Education and Library Board for the development and operation of a new IT system to support the financial and management needs of the five Education and Library Boards. The provision of this service, procured under the Private Finance Initiative (PFI), is due to run until 2012 and is projected to cost £17.6 million at 1999-2000 prices.

The report highlights a number of key issues emerging from the review of the project and lessons which other public sector organisations need to keep in mind when developing and managing relationships with private sector PFI contractors.

Northern Territory

Northern Territory Auditor General's Office

Report

Summary

Issues and Trends arising from IT Audits

Feb. 2003 (.pdf, 628KB)

 

See pages 12 & 13 of a general report. There were issues relating to:

  • IT policy;

  • Business continuity plans;

  • Upgrade testing;

  • Storage of back up tapes and disks;

  • Passwords access control; and

  • User access.

Nova Scotia

Office of the Auditor General

Report

Summary

Treasury Management System

(2001)

Treasury management aims to achieve effective money management that maximises return on investments and minimises debt servicing costs within acceptable risk tolerances. It is a responsibility of the Investments, Pensions and Treasury Services Branch of the Department of Finance. In 1998, the Branch issued a Request for Proposals for a treasury management system and in 1999 acquired the "Millennium" software package. The purpose of this software is to assist Branch staff in the management of the cash, investments and debt that comes within their control. This audit reviewed the acquisition process, and the operational control of the system.

Ontario

Office of the Provincial Auditor

Report

Summary

Electronic Service Delivery

(2002 Annual Report)

The objectives of this ESD audit were to assess the extent to which:

  • Management Board Secretariat has systems and procedures in place to continuously monitor, measure and report on the government’s progress towards meeting its objective of increasing customer satisfaction by becoming a world leader in the provision of electronic services by 2003; and

  • ministries are developing and delivering electronic services in accordance with best practices and with due regard for economy and efficiency.

In our view, a number of issues need to be addressed to accelerate the pace of ESD implementation and to ensure that ESD investments provide value for money.

The Integrated Justice Project

(2001 Annual Report)

This project was instituted in 1996 with the intention of facilitating more modern, effective, and accessible administration of justice. It will affect approximately 22,000 employees in the Ministries at 825 different locations across Ontario, as well as municipal police forces, judges, private lawyers, and the general public. At the time the audit was completed, total project costs incurred were approximately $159 million, and about 200 staff from the Ministries and the consortium were working full-time on the Project. However, due to cost increases and delays, the Ministries were in the process of negotiating with EDS to determine if, when, and how the Project would be completed and at what cost. The audit assessed the extent to which:

  • adequate systems and procedures were in place to ensure compliance with corporate policies governing the use of Common Purpose Procurement; and

  • the Project was administered with due regard for economy.

Oregon

Oregon Secretary of State Audits Division

Report

Summary

Two-Way Radio Communications: Opportunities Exist to Strengthen Planning and Coordination (.pdf, 208KB) November 2004

Two-way radios provide an essential communications link for many government organizations operating in Oregon. The purpose of our audit was to determine if these systems are meeting user needs at the least possible cost.

We found overlapping and duplicative systems, many of which are incompatible with other groups, agencies, or jurisdictions. Officials attributed the cause of this situation to Federal Communications Commission regulations governing radio spectrum assignments. Still, these problems severely limit the usefulness of radio communications, especially in situations that demand large-scale immediate interagency communications and coordination. We also found that it may be possible to achieve cost savings on the purchase and maintenance of replacement systems through improved agency coordination and cooperation.

Department of Administrative Services: Information Resources Management Division Follow Up (.pdf, 136KB) June 2003

The Department of Administrative Services' computer archive center was not meeting its primary business objective of providing a significant off-site computer data backup and storage solution for the state's computer systems.

Department of Revenue: Corporation Automatic Tax Application Controls Review (.pdf, 140KB) April 2003
 
We determined that the Department of Revenue's Corporation Automatic Tax (CAT) system generally maintained the completeness, accuracy and validity of the data; however, we did find several minor programming errors warranting management's attention. We also found that processes relating to systems development and maintenance activities, physical and logical security, and disaster recovery and contingency planning could be improved.

Employment Department: Review of Oregon Benefit Information System Controls

March 2003 (.pdf, 132KB)
 

OBIS processes unemployment assistance claims for qualified unemployed workers. The purpose of our audit was to evaluate controls ensuring data integrity, system security, program change control, and business continuity.

The system produced reliable data. Unemployment benefits were calculated correctly and key data remained valid within the system during processing and update; however, the department's efforts to secure the system were insufficient. Security areas needing improvement included controls over screen-level access, and safeguards to protect production files and data. Security policies and procedures were also incomplete. Significant opportunities for improvement also exist regarding controls governing system maintenance and business continuity.

Youth Authority: Evaluation of Juvenile Justice Information System General and Application Controls - Report No. 2002-44

This audit was to determine if the Juvenile Justice Information System, administered by the Oregon Youth Authority, contained necessary information for evaluating the effectiveness of Oregon’s juvenile justice system programs and services. In addition, we evaluated the integrity of the information system and data. The Juvenile Justice Information System did not contain complete information for evaluating the effectiveness of Oregon’s juvenile justice system programs, services and policies. The database provided useful information, but certain data were not valid or not entered consistently. In addition, the youth authority had not adequately controlled access to the JJIS system and database. Furthermore, the youth authority had not separated the process for implementing changes to the system from the design and development phases.

State Lottery Commission: Video Lottery System Application Controls Review - Report No. 2002-33

The purpose of our audit was to determine whether the Oregon State Lottery Commission's (Lottery) information technology controls over the Video Lottery System (system) provided reasonable assurance that:

  • System data remained complete, accurate, and valid.

  • Processes for acquiring and maintaining the system were reasonably controlled.

  • System services could be restored in a timely manner in the event of a major disruption.

  • System programs and data were appropriately safeguarded against unauthorized use, disclosure or modification, damage or loss.

Department of Administrative Services: Statewide Systems Development Review

Report No. 2002-13

The purpose of this audit was to follow up on a prior audit that found that the Department of Administrative Services did not provide state agencies adequate policies and procedures to govern use of Information Technology. Specifically, this audit examined whether state agencies had independently adopted formal policies and procedures governing the development and maintenance of information technology (IT) systems. To do so, we reviewed the policies and procedures governing IT system development and maintenance at six state agencies.

Department of Human Services: Evaluation of General Computer Controls

The purpose of the audit was to evaluate general computer controls at the Department of Human Services' data center. The audit revealed that the department had not provided adequate physical security for its data center, sufficiently restricted data center employees' access to systems and data, and had not developed adequate disaster recovery and contingency plans. The department also needed to strengthen several operational controls.

Division of State Lands: Trust Property Section Internal Controls Review

The purpose of the audit was to assess the division's controls over the collection, accounting, and disposition of trust property assets, which are managed by the division's Trust Property section, and make recommendations for improvement. The audit revealed that:

  • Employee computer access to the unclaimed property computer system was not adequately limited.

  • Physical access to trust property assets was not properly secured.

  • Procedures were not sufficient to ensure that maximum sales prices were received for trust properties at auction.

  • Segregation of duties was inadequate for inventorying, accounting and disposing of estate assets.

  • Procedures were not sufficient to adequately reconcile auction proceeds, estate records, and trust property records.

  • Procedures to manage unclaimed securities were not sufficient.

  • The division repurchased securities for claimants and did not pursue recovery of overpayments made to claimants. These actions do not appear to comply with state law.

Oregon Department of Transportation: Data Center General Controls Review

The purpose of the audit was to evaluate the adequacy of general controls in place at the Oregon Department of Transportation data center. The audit concluded that the data center's general controls could be improved to further protect its equipment and people, and recommended that management:

  • Make disaster recovery and contingency planning a priority to ensure that services can be restored in the event of a disruption.

  • Fully develop, implement and enforce policies and procedures to limit physical and logical access to its equipment and data.

  • Fully develop, document and implement formal systems development methodologies addressing systems software and hardware.

  • Fully develop and implement procedures to protect its systems and people from environmental hazards.

  • Follow its policy regarding annual performance appraisals and training plans.

  • Provide periodic internal audit reviews of the data center.

Oregon Department of Human Services: Security Controls for Computer Applications

The objective of the audit was to evaluate the adequacy of the Department of Human Services security controls for computer applications intended to protect health and welfare information. The audit revealed that security did not receive an appropriate level of attention and resources. As a result, the department was unable to protect confidential health and welfare information and incurred loss due to employee theft. The report recommended that executive management make security a priority by:

  • Establishing a security framework and developing a long-range security plan that identifies and prioritizes security needs based on risk.

  • Immediately implementing those recommendations for which it has the available resources.

  • Immediately removing confidential information from its manuals and websites.

Queensland

Queensland Audit Office

Report

Summary

Information Governance and Access Controls

A briefing to raise awareness of the importance of controls over information in the Queensland Public Sector and to encourage agencies to give special attention to improving access controls in particular.

Auditor-General of Queensland Report No. 2 2001-02

This Report includes the results of a number of sector-wide audits including a review of information systems audit issues. Comments on the status of matters previously reported and on current and emerging issues such as the electronic reporting of financial statements are also included.

Saskatchewan

Office of the Provincial Auditor

Report

Summary

Information Technology Office

(.pdf, 46KB) 2003

In 2002, the Government announced that it would develop a system to share water quality information among government agencies, as well as with the public. The system would be called Saskatchewan Water Information Management, or SWIM. The Government directed the Information Technology Office (ITO) and other partners with water-related responsibilities to work together to develop SWIM. The ITO’s role was to ensure that SWIM met the needs of the partners and provided public access to water quality information.

We wanted to examine whether the ITO had adequate processes to coordinate the development of cross-government information systems. We focused on the ITO’s processes to coordinate the development of SWIM. We found that, with the exceptions set out in our recommendations, the ITO used adequate processes to coordinate the development of the system.

Scotland

Audit Scotland

Report

Summary

Individual Learning Accounts in Scotland

March, 2003 (.pdf, 358KB)

The ILA scheme was an innovative programme which proved popular with genuine learners and learning providers but it suffered from many administrative errors and failings. It was a complicated scheme introduced in a hurry and involved several public bodies in Scotland. Out of a total £18.8 million worth of claims, it is estimated that the amount of irregular or fraudulent activity could be in the region of £4.5 million.

Despite early concerns about systems security, no formal evaluation of systems controls was carried out until late 2001, when there was already evidence of widespread and systematic abuse of the scheme.

Common data, common sense - Modernising information management in councils

This paper is aimed at councillors, chief executives and heads of service. It looks at how councils must change the way they manage data and information to help them deliver quality services and reduce costs.

Councils rely on information communications technology (ICT) to underpin their services. Currently, similar data is held many times by different departments. The number of databases and the duplication of records make it more difficult for councils to keep them up to date. Duplication of data also means that overhead costs are higher than they need to be. Councils are increasingly moving to centre services on specific client groups (e.g., combining social work children’s services with education). Reconfiguring services involves changes in business processes that need to be supported by integrated information systems. Such joined-up working should involve councils looking at ways in which they can share data – both internally and with partner agencies.

South Australia

Auditor General's Department

Report

Summary

Information and Communications Technology – Future Directions: Management and Control  (.html) December 2003

The management, security and control of IT infrastructure and systems is essential for the completeness, accuracy and integrity of financial record keeping and the production of financial statements as well as the achievement of government and agency operational objectives. Effective management in these matters is essential for the ongoing continuity and control of business operations and the protection of agencies' information and assets.

The Department for Administrative and Information Services has important responsibilities for the planning, leadership and direction of major Government IT initiatives and IT infrastructure, including government-wide systems and information and communications technology use. Individual agencies in their own right are also responsible for the development of a significant range of diverse systems. These systems deal with a number of major areas of government service delivery and financial operations.

It is within this context and having regard to the public interest importance of IT in governmental operations that the reviews included in this Report have been undertaken.

Tasmania

Tasmanian Audit Office

Report

Summary

Public Sector Web Sites

(.pdf, 718KB)  August 2003

Like other Australian states and territories, Tasmania is committed to rolling out e-government – an initiative that has the potential to deliver faster, cheaper and better services. However, the success of these services hinges on their usability and accessibility.

The objective of this performance audit was to evaluate the effectiveness of a broad range of public sector web sites using criteria developed from accepted best practice and Tasmanian Government Web Publishing Standards. Audit testing was conducted with the general user or ‘man in the street’ in mind, placing emphasis on usability and accessibility.

Software Licensing

(.pdf, 132KB) April 2001

This report relates to a performance audit carried out by the Tasmanian Audit Office during the period November 2000 to March 2001. The object of this performance audit was to assess the effectiveness and efficiency of public sector management of software licensing in Tasmania. The approach taken was to conduct field visits to two government departments, a government business enterprise and a state owned company.

Tennessee

Comptroller of the Treasury

Report

Summary

Issues Related to Office for Information Resources' ITPRO Contracts

(.pdf, 63KB) April 2003

The objective of the Information Technology Professional Services (ITPRO) contracts is to provide state agencies with qualified IT professionals to perform software programming, software system modifications, and database administration services. Issues that need to be addressed are excessive over-billing and the use of ITPRO contractors rather than State employees.

Texas

Austin - Office of the City Auditor

Report

Summary

Citywide Information Technology Project Management Audit

5/2002

This report presents findings and recommendations from an audit of Citywide information technology project management. Overall the City Departments’ management of information technology (IT) projects is uneven in quality and lacks minimum levels of corporate guidance.

Customer Information System

2/2001

The report contained eleven recommendations designed to improve information technology (IT) project management. The first eight recommendations were for Austin Energy™ (AE) management and specifically addressed project management of the CIS. The last three recommendations were focused on corporate project management/information technology issues and directed to the City Manager’s Office (CMO).

Texas

Comptroller of Public Accounts

Report

Summary

e-Texas, January 2003

"Government is going to be seen as bigger, dumber and slower than ever before if we don't become smaller, smarter and faster right now."

    -- Carole Keeton Strayhorn, Texas Comptroller

 

Improve Use of Information Technology:

GG 18 Hold the Texas Department of Information Resources Accountable for the Success of Major Information Technology Initiatives

GG 19 Ensure Returns on Investments in Information Technology

GG 20 Protect Personal Information in Public Records

GG 21 Increase Usage of Online Government Services

GG 22 Increase the Availability of Broadband Internet Services in Rural Areas

Texas Electronic Service Delivery: Final Report

January, 2001

The purpose of this project was to explore strategies and develop a road map for expanding the state's current electronic benefit transfer (EBT) system into an electronic services delivery (ESD) system that would allow Texas to retain and strengthen its position as a leader in technology. The EBT system is moving smoothly to a second generation of technology, and it is now time to identify and plan for the next steps.

Report of the e-Texas Commission

A report that places state government “under a microscope” and produces a comprehensive set of recommendations designed to bring Texas government into the 21st century.

Texas

Dallas - Office of the City Auditor

Report

Summary

Audit of the records management function of the City Secretary’s Office.

(.pdf, 115KB) August 2003

We found that the primary objectives of the City’s records management function are being achieved; however:

-   the efficiency and effectiveness of the CSO’s records management process and related procedures and practices should be improved;

-   while records maintenance and disposition were generally in accordance with State statutes and City regulations, policies, and procedures, some records were kept beyond required retention periods;

-   the economy, efficiency, and effectiveness of providing records management services should be improved.

Related opportunities for improvement are presented in this report.

Audit of the Procurement and Implementation Phases of the Human Resources Information System

(.pdf, 117KB) March 2003

The audit concluded that some stated policies and procedures were not always followed, payroll data accuracy and completeness is in question, security provisions have not been fully defined, contract terms and conditions were not adequately reviewed and modified, and lack of complete functional requirements may impair the system implementation and payroll processing efficiencies. Although the system is processing payroll and checks are being issued, many of the outstanding issues remaining from implementation should be resolved to improve effectiveness.

Information Technology Audit of the City's Use of Communication Devices - Wireless Phones, Pagers, and PDAs May, 2002

The report concludes that departments are not effectively monitoring billing for wireless phones, and that considerable savings could be made through more effective monitoring and use.

Audit of the Procedures Governing the Local Area Network and the Wide Area Network Report

April 3rd, 2002

Much work is needed in defining and implementing standards of the network infrastructure as well as training and support requirements to position the City's Communication and Information Services staff to meet the new computing environment challenges.

Texas

 State Auditor's Office

Report

Summary

Security Over Electronic Protected Health Information

November 2002

System access and security control weaknesses at some Texas academic medical institutions have the potential to place electronic protected health information at risk. Individuals both inside and outside these medical institutions could gain unauthorized access to automated systems and read, copy, and possibly modify and delete electronic health information. Intruders also could disrupt the operations of systems that are critical in providing health care. In addition, the disaster recovery plans and physical security for information systems may not be adequate to prevent emergencies and natural disasters from causing significant disruptions to critical systems.

A Financial Review of The University of Texas at Brownsville

September 2002

While the University is providing accurate and consistent financial information, certain weaknesses in its financial controls and procedures were noted, including:

  • IT weaknesses make the University's computer systems vulnerable to unauthorized access. 

  • The University is working to address weaknesses in wire transfer procedures and check handling to ensure that assets are properly protected. 

  • The University's reported Examination for the Certification of Educators in Texas (ExCET) pass rate is incorrect because the University's data collection method for this performance outcome excludes certain teacher education graduates.

Status of State Student Assessment Systems and the Quality of Title 1 School Accountability Data

August 2002

Accountability data, which measures compliance with Title I requirements, can be improved at the federal, state, and local levels. Accurate, complete, valid, and timely information is critical to ensure that funding and decisions regarding adequate progress are based on reliable data.

Quality of the State's Public Education Accountability Information

May 2002

Because of the vision and efforts of public education leaders and stakeholders since 1984, Texas has one of the most comprehensive and effective public education accountability information systems in the country. The system accommodates local district control and provides comprehensive, multi-year data for decision-making. This information system enables the Texas Education Agency (Agency) to prepare annual school accountability ratings and measure improvements over time.

Toronto
Auditor General's Office

Report

Summary

SAP Financial and Human Resources/Payroll Information Systems - Post Implementation Review (.pdf, 209 KB) April, 2003

This review has two primary objectives. First, to review the implementation of the SAP system to determine that it was completed in a manner consistent with Council’s approval of the project, particularly in terms of its approved costs and its expected benefits and, secondly, to assess the current reporting functionality of the SAP Financial Information System against the management information needs of the various City Departments.

Oracle Database Software Acquisition - Additional Information (.pdf, 19KB) March 2002

Interim Report on Oracle Database Software Acquisition 

(.pdf, 23KB) Feb, 2002

 

The former Executive Director of Information and Technology Division, and the former Chief Financial Officer and Treasurer, approved the acquisition of 10,000 Oracle licenses and related software maintenance at a cost of approximately $11.3 million. The contract, in connection with this acquisition, was executed on January 5, 2000. Based on a review of the amount of actual licenses required, it has been determined that the number of licenses needed by the City is, in fact, only a fraction of the number of licenses purchased.

Windows NT Security Review (.pdf, 18KB) Feb, 2001

To report on the review of the security standards and practices followed in administering the Windows NT environment.

Utah
Legislative Auditor General

Report

Summary

A Review of the Division of Information Technology Services

2003-06 (.pdf, 212KB)

At the request of the Executive Appropriations Committee, we reviewed three allegations concerning management operations within the Division of Information Technology Services (ITS). These allegations were brought forth by ITS employees who were concerned about the appropriateness of some management activities.

A Performance Audit of the UTAX Project

2003 - 02 (.pdf, 248KB)

 

The Utah State Tax Commission provides a vital function for state and local governments by collecting revenues to pay for many of the services enjoyed by the citizens of Utah. In order to collect these revenues, the Commission must be equipped with the necessary modern technology capable of administering the $4.6 billion in revenue it receives for Utah. In recent years the Commission was finding it increasingly difficult to administer taxes with their existing computer systems. Modernization was sought to propel the Commission into the twenty-first century. The UTAX project was the method for modernization.

During the course of our audit we found that UTAX project management should have held the contractor more accountable. In addition, we found issues concerning the contract’s target price and the funding of the UTAX project. Finally, we found that actual project costs were significant and excessive of the target price.

U.K.

Audit Commission

Report

Summary

Frontline Finance: Caerphilly County Borough Council

(.pdf, 362KB) July 2003

Customer satisfaction rates are high and customers have a variety of payment methods. Collection of council tax and rent is at a good level. Plans for replacement of computer systems will improve the service to customers. However there is no overall strategy for benefit take-up and information to assist local people needs to be improved.

Information & Communications Technology
Warrington Borough Council

(.pdf, 401KB) June 2003

 

The reliable IT system means that customers' queries can be answered quickly, but call centres are closed out of hours, and website information is inconsistent. Staff are committed, but the commitment of councillors and senior managers to radical change is uncertain. Customers must be more involved in the development of a vision for the service and a long-term, customer-focused improvement plan.

ICT Services: Swansea (City & County of)

(.pdf, 317KB) March 2003

The ICT Services in Swansea are good. Users rate the Service highly, systems are reliable (although some are ageing) and projects are completed successfully and on time - and this is despite what we consider to be an underinvestment in ICT. Provision of computers for public use is extensive, though as of yet, there are no facilities in other public buildings (e.g. Council reception areas and district housing offices). The Council's prospects for improvement are promising because, taken together, the action plans and ICT strategies set an ambitious improvement agenda.

Information and Communications Technology
Suffolk County Council

(.pdf, 384KB) March 2003

Suffolk has an informative and interactive web site, with good technology in libraries including free internet access. However, it must carry out an audit of the information collected so the public are not asked to provide the same information twice, and ensure that the public are informed of new ways of delivering services.

IT Services: Mid Bedfordshire District Council

(.pdf, 355KB) Jan 2003

Inspectors found that the council's computer hardware is generally up to date, that staff are reasonably satisfied with the IT service they receive and that local people have access to information about the council on its website. However, some of the council's main computer systems are becoming unreliable and need replacing.

Information Technology Services
Wandsworth LBC

(.pdf, 336KB) Nov. 2002

We found the Service to be good because there is a high performing service provided at relatively low cost and with positive satisfaction levels with scope for improvement, taking a lead on national initiatives. There is a good quality website, and attempts made to simplify access arrangements for the Council’s external customers. However, the website does not provide easy access to services for users of community languages, the views of external customers and partners have not been sought on Service aims, and there are no Service Level Agreements in place between internal providers and users.

ICT Provision

March 2003

This best value review of ICT provision covered all aspects of information and communications technology service provision, with the exception of service to schools, in the London Borough of Merton. The service is estimated to cost £4.6 million overall for 2002/03 including departmental staff. The IT service is located in the chief executive's department and employs about 60 staff, with a further 19 staff providing departmental IT support. Desktop equipment repair is outsourced.

Message Beyond the Medium (.pdf, 481KB)

Feb 2003.

In our report ‘Message beyond the medium: Improving local government services through e-government’ we identified that for some councils e-government is working well. These ‘early succeeder’ councils have set out a practical vision of how technology can help to deliver, and improve, local priorities. A vision that is as much about improving the quality of services as it is about improving access to them. But many other councils are more hesitant and for them e-government still feels marginal to the delivery of core services. Members of these ‘hesitant’ councils are less engaged, and central government targets rather than local needs are shaping their agendas.

Your Business@Risk
An update on IT abuse 2001

This report is based upon responses from 688 organisations from the public and private sectors of which 460 reported that they had suffered some form of IT abuse during the last three years – that is, 1997 to 2000. It shows that the percentage of organisations reporting incidents increased by almost one half since our last survey.

Perfect Match, A: Report of the 1998 National Fraud Initiative

The Audit Commission’s National Fraud Initiative is a computerised data-matching exercise to detect, primarily, housing benefit fraud perpetrated upon local councils. As the systems for administering complex procedures, such as paying housing benefit, salaries, wages and pensions, become almost totally reliant upon information technology (IT), so must the techniques used to combat the risk of fraud.

City of Durham District Council
Information Technology

We have assessed the Council as providing a 'poor' service that will not improve. Our judgements are based on evidence obtained during the inspection and are outlined in the report.

Vermont

Office of the State Auditor

Report

Summary

Turning VISION Into Action: A Follow-Up Review and Assessment of the Department of Finance and Management's Implementation of Project VISION

(.pdf, 1.4MB) April 2003

From day one, department staff and the more than 600 VISION operators in 62 business units have struggled with a number of serious but predictable problems. Problems with VISION contribute to daily accounting glitches - where managers simultaneously struggle to fix problems, deal with their fallout, and complete their day-to-day functions. As frustrating as these difficulties are, they are also helping to build the will in State government to rethink the way information technology assets are managed.

The Road Beyond Risk

(.pdf, 611KB) April 2003

 

In May 2002, the Audit Office easily gained unauthorized access to nearly all units of the State’s enterprise-wide accounting system, VISION. This demonstrated that a would-be hacker could have entered, changed and approved payments from virtually every department in government. This points to the need for Vermont to take a serious look at how it designs systems like VISION, and how it secures them once they become operational.

Planning for the Unexpected: Protecting Assets, Securing Services. August, 2002

Taking stock of the progress Vermont has made in planning for the unexpected following the tragic events of September 11 - an open letter from the State Auditor. 

Review of Vermont's Information Technology Investments

March 2002

The State spends more than $50 million a year on information technology projects - everything from websites describing state services to the systems that process benefits payments, track legislative bills and pay state vendors. Successful IT implementation should streamline government and make it easier for citizens to interact with their elected officials and agencies and departments. User-friendly, accessible and dependable services increase citizens' confidence in state government.

Wiring Vermont's future  March 2002

Executive summary (.pdf, 220KB)

Report (.pdf, 1.3MB)

The Office of the State Auditor conducted a special review to determine whether Vermont has the proper controls in place to design, develop, integrate and manage its IT systems. We wanted to know: Is Vermont wisely investing its dollars and properly managing its assets? Are the projects delivering improved performance and better service to the state’s customers? Are Vermonters receiving appropriate returns for their tax dollars?

High-Level Assessment of Vermont's
Information Technology Security and Data Recovery Policies.
Feb 2002

Vermont is not doing enough to protect its investments in information technology. As a result, these assets may be at unnecessary risk of sabotage, loss or natural disaster.

Victoria

Office of the Auditor General

Report

Summary

Parliament's information technology upgrade (.html) September 2003

In November 2002, the IT upgrade was rolled-out throughout the parliamentary precinct and 132 electorate offices across the State. The upgrade, referred to as the Parlynet 2002 Project, was large in scale and not a simple task. It introduced a significantly different IT environment from the one to which the system’s users were accustomed.

Immediately after the roll-out, users started to report problems with the performance of the Parlynet network and applications. Users who responded to a survey undertaken by us were clearly unhappy about the speed, reliability and functionality of the system.

We believe that the unsatisfactory outcomes of the Parlynet 2002 Project were not only a result of poor project management; they were also a product of wider issues related to the management of Parliament’s administrative services. For example, the management arrangements and responsibilities for the upgrade were unclear, the Joint Services Department lacks strategies and policies to govern its IT and other functions, and IT staff need training to enable them to effectively and efficiently manage the new technologies introduced. There is also a need to give greater attention to risk management and the development of policies and procedures to enable effective asset and financial management.

Electronic procurement in the Victorian government (.html) June 2003

 

Electronic procurement involves changing work practices and processes, and introducing new technologies, including:

  • An e-procurement application, which allows a purchaser to look up items from an electronic catalogue and to create a requisition for those items;

  • A workflow system that routes documents for authorisation, creates purchase orders and initiates payments; and

  • An electronic catalogue that lists suppliers, the items they sell and price. In Victoria, some agencies have chosen not to establish a catalogue.

This audit assessed the efficiency and effectiveness of the planning and introduction of e-procurement in government agencies. It examined the achievements of the EC4P Project, and the management of key implementation and operational risks, and determined whether adequate plans and management structures are in place to ensure maximum benefits from e-procurement, and its sustainability and roll-out to the broader public sector.

Adequacy of control over the information technology environment (Feb 2003 - .pdf  474KB)

In relation to the 2001-02 financial audit cycle, we found that there remains a need for agencies to continually examine and review controls across all critical aspects of their IT operations to ensure the security of key systems and data (see section 3.45).

Implementation of RMIT University’s Academic Management System (Feb 2003 - .pdf  489KB)

The Victorian Auditor-General's Office has slammed RMIT University's management over their bungled Academic Management System IT project, identifying "fundamental failures" in project management structures - ZDNet (Australia), March 3rd, 2003.

(US) Virgin Islands

Office of the Inspector General

Report

Summary

Audit of the use of Y2K funds (.pdf, 1.01MB) July 2003

 

The objectives of the audit were to determine if Y2K funds were disbursed in accordance with established guidelines and provisions of the Virgin Islands Code.

The results of our audit disclosed that the Office of Information Technology and other departments and agencies were not adequately managing programs under the Y2K Project. Specifically, we found that: (i) programs were not adequately planned, resulting in funding shortages for the various tasks; (ii) a significant amount of funds was disbursed without contracts, and without adhering to the bidding requirements established by the Virgin Islands Code and the Department of Property and Procurement; (iii) there were numerous instances of little or no monitoring of contractor performance; (iv) there were no inventory controls in place to account for the funds spent on computers and related equipment; and, (v) Y2K funds were used for programs not related to the Y2K Project.

 

Virginia

Commonwealth of Virginia, Auditor of Public Accounts

Report

Summary

Department of Information Technology, Service Organization Review, Report on Policies and Procedures Placed in Operation and Tests of Operating Effectiveness

(.pdf, 258KB) May 30, 2003
 

This report reviews the Department of Information Technology’s (DIT) policies and procedures placed in operation as of May 30, 2003, and should provide DIT customers, their independent auditors, and report users with sufficient information about DIT’s internal control policies and procedures. This report assesses the operating effectiveness of policies and procedures surrounding automated transactions processed or other services provided by DIT. This report, when combined with an understanding of the customer’s internal control policies and procedures, is intended to assist auditors in planning the customer’s audit and in assessing control risk for assertions in the customer’s financial statements that may be affected by policies and procedures at DIT. If customers do not have effective controls, DIT’s internal control policies and procedures may not compensate for such weaknesses.

Virginia

Fairfax County Internal Auditor

Report

Summary

Audit of Fairfax County Park Authority's Automated Services Branch Backup and Recovery Procedures

Sept., 2002 (.pdf, 206KB)

Audit objectives were to determine if Park Authority data: (1) Is reasonably and adequately protected from intentional or unintentional damage or loss; and (2) Can be reconstructed or recovered in the event of a loss.

Review of Software Change Management

May, 2002 (.pdf, 94KB)

Our overall audit objective was to determine whether adequate controls exist for software changes. Specific objectives included the following:

- To verify that software libraries are controlled and secure

- To determine if modifications are authorized for initial assignment

- To assure that all revised software is tested and approved

- To determine if modifications are authorized for production migration

Review of Information Protection

(.pdf, 258KB)

Our audit objective was to determine the adequacy of the County’s current computer security function by evaluating the planned and existing control objectives, dissemination of policies, and compliance with these policies.

Application Data Backups

March, 2000 (.pdf, 69KB)

Our audit objective was to assess data backups with regards to operational, archival, and disaster recovery requirements.

Review of Remote Access Dial-Up Security Audit

October, 2000 (.pdf, 59KB)

 

This report covers a post implementation review of the security authentication system for dial-up access. Audit findings included the sharing of administrative user ID and password; lack of separation of duties; and the Remote Access Security Policy being in draft form for over a year.

Washington

Seattle - Office of the City Auditor

Report

Summary

AT&T Broadband and Internet Services' Compliance with the Cable Customer Bill of Rights (.pdf, 827KB)

30 August 2002

In October 2001, the Office of City Auditor and the Office of Cable Communications initiated their second audit of video services for AT&T Broadband's compliance with the City's Cable Customer Bill of Rights, which is outlined in Seattle Municipal Code (SMC) Chapter 21.60. The audit team reviewed areas of non-compliance identified during a 1999 audit, as well as additional elements of the Cable Customer Bill of Rights.

Review of IT Security in the Consolidated Customer Service System (.pdf, 181KB)
18 October 2001

The City of Seattle's Consolidated Customer Service System (CCSS) is a combination of computer software and hardware that was designed to replace two separate City utility billing systems. We tested CCSS's security controls against a set of general information technology (IT) security standards, and concluded that the IT security controls over the CCSS system were generally adequate.  However, we identified some internal control weaknesses in CCSS and we provided recommendations to address these risks.

Western Australia

Office of the Auditor General for Western Australia

Report

Summary

Security of the Government Internet Gateway

(.pdf, 117KB) June 2003

 

The security infrastructure of ServiceNet is generally sound though opportunities were found to improve ongoing security including some management aspects of the firewall and related infrastructure. Internet related risks can be reduced in at least one third of the 46 agencies connected to the Internet through ServiceNet by them more fully utilising ServiceNet's security features.

Customer Calling - Call Centres and the Delivery of Customer Benefits April, 2003 (.pdf, 535KB)

State Government agency call centres provide a wide range of services including crisis counselling and support, business and consumer advice, sales and account enquiries, and receiving information from citizens on issues such as illegal fishing, fires and other urgent situations.

The examination reviewed the performance of six selected Western Australian Government call centres (including an independent telephone assessment) in delivering benefits to customers at reasonable cost to agencies. The call centres handle between 1200 and over 1.1 million calls per year.

Management of Confidential Personal Information in Government Electronic Databases

Report No. 8 - December 2002 (.pdf, 235KB)

Digital technology has tremendous potential to enhance the free flow of information and improve organisational efficiency. As such it can significantly enhance the way in which we are governed and the way government operates. Some of that potential has already been realised and a good deal of time, money and effort is being put into extending those benefits.

This report discloses the findings from an audit that asked the question - How adequate are current policies, procedures and controls at the agency level to ensure the security of personal information in databases? The age of dot.gov may still be dawning but there are things the public sector can do now to address this issue.

Consortium IT Contracting in the Western Australian Public Sector

Contracting can have benefits for government in terms of better performance, lower costs and shifting the risks of asset ownership to the private sector. For information technology services, public sector agencies can also shift the risks of attracting and retaining appropriately skilled and experienced staff and keeping up to date with the rapid technological changes of the IT industry. However, outsourcing does not eliminate risks. It merely substitutes one set of risks for another, particularly given the loss of direct control over the outsourced services.

To keep these risks to a minimum and to get best value from contracting, contracts need to be closely monitored, actively managed and regularly evaluated. This requires the contracts to have clear and measurable objectives, for agencies to have the systems in place to monitor and check the contract outcomes, and for them to actively manage the contracts. 

The two contracts examined in this report – BIPAC and BDMW – were large consortium contracts let as part of the then Government’s IT outsourcing program in the mid-1990s.

Management of mobile phones in Government (see Part 3 of a general report)

Audit findings included a lack of reliable billing data; the consequent inability to analyse mobile phone usage and charges has made it difficult to ensure that telecommunications carriers have delivered mobile phone services in accordance with the common use contract.

Internet and network security (commences on page 17 of a general report)

Over the last decade, the use of the Internet by Government has grown at a phenomenal rate with the majority of agencies now connected and taking advantage of the services and resources it affords. For instance, conducting research, publishing information and interacting with clients, other agencies and organisations in the exchange of information. The focus of this audit was on assessing:

  • Internet and network security over the configuration of firewalls and remote access security.

  • The adequacy of policy and procedures for monitoring and responding to ‘security events’.

Penetration tests were used to assess the susceptibility of systems and software to attack. Security of e-commerce services was not assessed.

On-line and Length? Provision and Use of Learning Technologies in Government Schools

This report is of an audit of the Learning Technologies Project, under which the State Government allocated $80 million to the Education Department of Western Australia (EDWA) to fund the provision of learning technologies for 266 000 students in 770 government schools in Western Australia over four years. The Learning Technologies Project builds upon previous EDWA initiatives to introduce technology into schools and to integrate it into curriculum as a teaching and learning tool.

Wisconsin

Legislative Audit Bureau

Report

Summary

State Agency Use of Computer Consultants

For executive branch agencies (excluding the University of Wisconsin-System), expenditures for IT consulting services were almost $93.6 million in FY 1998-99.

Anecdotal information about IT contracting prompted questions among legislators about the full extent and cost of the use of private-sector consultants. In addition, concerns have been raised about potential differences between what the State has paid private consultants compared to its own IT staff, and whether such differences result in high turnover among state staff. In response to these concerns and at the request of the Joint Legislative Audit Committee, we reviewed: 

  • statewide expenditures for computer consulting services;

  • the number and types of IT vendors used by the State;

  • the rates paid to hourly contractors, including those for services that are similar to services performed by state staff; and

  • available information on staff leaving state service in order to be rehired as consultants.

Wisconsin Lottery

GTECH Corporation, which maintains the computer system for the Lottery’s on-line and instant ticket games, implemented a new computer system in June 1997. From the implementation date to April 1999, GTECH experienced significant computer system problems, such as computer "downtime," and the Lottery assessed liquidated damages totaling $2.53 million. GTECH has already paid the Lottery $235,200 in the form of sales credits on its monthly invoices. To settle the remaining balance due, the Lottery and GTECH have agreed to a tentative one-time payment of $750,000, including $500,000 in cash. 

A Best Practices Review of Local E-Government Services

Local governments in Wisconsin increasingly use the Internet to deliver information and services electronically 24 hours a day, 7 days a week.  E-government holds the potential to improve government services by making them more convenient and more accessible to the public, as well as less costly. In our best practices review of e-government in Wisconsin counties and municipalities, we: 

  • examined local governments’ Web sites to determine the types and range of e-government services they make available;

  • identified the cost of providing e-government services to the public; and....

  • determined the types of services and e-government capabilities local governments in Wisconsin envision providing to the public in the future.

Suggested improvements in computer controls in The Department of Employment Relations

The Department of Employment Relations is responsible for personnel and employment relations policies and programs for state government employees. As part of its responsibility to administer the state’s classified system, the Department recruits job applicants, develops and administers civil service examinations, and provides lists of qualified candidates to state agencies.

The primary focus of this audit was to review the Department’s fiscal and computer operations to assess whether these activities are adequately controlled and in compliance with statutory requirements. Overall, we found the Department has appropriate fiscal policies and procedures in place, and is taking steps to prepare itself for Year 2000. However, we did identify areas in which the Department could improve controls over its computer processing.