INTOSAI Working Group on IT Audit

Report

Summary

Annual Report of the Auditor General 2002-2003 (.pdf, 1.3MB)

Innovation and Science - the Ministry should improve systems and procedures in the following areas to ensure it effectively delivers services at reasonable cost:

Government of Alberta SuperNet project management. The Ministry should prepare a plan to test   SuperNet components (see page 198).

Alberta Government Integrated Management Information System. The Ministry should optimize the use of IMAGIS (see page 199) and implement an accountability framework (see page 201).

Government of Alberta Central Information Technology (IT) Environment. The Ministry should improve the central IT environment by coordinating reviews of control environments at service providers (see page 204) and by establishing a systems development methodology (see page 205).

Annual Report of the Auditor General 2000-2001 (.html)

We again recommend that Alberta Treasury Branches management document, evaluate and monitor internal controls to ensure assets are properly protected and financial information is accurate and complete - see page 103.

Report

Summary

Government Information Technology Agency - State-wide Technology Contracting Issues (January 2003, Report No. 03-01)

This audit found that the Government Information Technology Agency (GITA) did not take the appropriate steps to ensure that a $30.6 million state-wide IT contract it negotiated was beneficial. Additional justification and reviews are needed prior to entering into future state-wide IT contracts that commit the State to over $1 million. To ensure its objectivity, GITA also needs to develop a policy to ensure its independence when reviewing state agencies’ IT projects. Finally, the Statewide Technology Licensing Agreement (STLA) account should be allowed to sunset because it has never been used and it is not needed.

Report

Summary

Department of Human Services - Food Stamps Automated Client Tracking System Information System Controls Audit

November 2002 (.pdf, 389KB)

Department of Human Services - Arkansas Client Eligibility System Information System Controls Audit

November 2002 (.pdf, 423KB)

• Programmers with update ability in ACES.

• Terminated employees with data file access.

• Passwords are stored in clear text.

• Data integrity edits not working properly.

• ACES transaction file not being backed up.

• No contingency plan in place.

• Lack of balancing controls for application input/output files.

AASIS - General Controls Information Systems Audit

April 2002 (.pdf, 410KB)

The audit included a review and testing of controls in the following areas:

1. Operating System and Database

2. Firewall, Network Topology and Web Server

3. Management and Contingency Planning

4. Transport System and Program Change Controls

Our objectives were to test configuration, policies and procedures to obtain reasonable assurance that sufficient controls exist to: protect the application, database and web servers from unauthorized access; provide for the continuation of computer processing capabilities; ensure proper management of the AASIS computer hardware; ensure that only approved and tested system control parameters are updated to the production system; and, adequately test and approve programs before placement in the production system.

Arkansas Public School Computer Network Performance Audit

December, 2000 (.pdf, 1.69MB)

Department of Information Systems Hardware/Software Purchasing Procedures    (4MB .pdf)

Our objectives in conducting this review were as follows:

1. Review dept. of Information Systems procedures for purchasing hardware and software.

2. Review internal controls surrounding DIS procedures for their own needs and for other state agencies.

3. Review DIS hardware and software purchases for the year ended June 30, 2000 to determine compliance with prescribed procedures and internal controls.

Report

Summary

Follow-up of Performance Reports

(.pdf, 496KB) Report 2 - August 2003

Management of the Information Technology Portfolio in the Ministry of Attorney General; Information Use by the Ministry of Health in Resource Allocation for Decisions for the Regional Health Care System; etc.

Management of the Information Technology Portfolio in the Ministry of Attorney General

(.pdf, 340KB) Report 5 - February 2002

Information technology (meaning the use of systems such as computers and telecommunications to store, retrieve and send information) offers all organizations unprecedented opportunity to improve performance, reduce costs, and enhance both the range and responsiveness of their service delivery. Over the years, government has increasingly come to depend on information technology systems to carry out its wide range of activities. However, management and delivery of these systems is challenging—because, in both the private sector and in the government environment, many such projects fail to meet time or budget requirements and few of the resulting systems are ultimately capable of doing all they were intended to do. Many projects started are never even completed.

Report

Summary

Child Support Enforcement Program (.html) Sept 2003.

The State has contracted with IBM to develop and implement the major component of the State-wide Automated Child Support System. Our continued review of the Department of Child Support Services and Franchise Tax Board's (project team) procurement of a single, state-wide automated child support enforcement system revealed the following:

• On July 14, 2003, the project team signed a contract for $801 million with the IBM Group to design, develop, and implement the major part of the single, state-wide automated child support system.
• Despite concerns, the Federal Office of Child Support Enforcement approved the State's request for funding, giving the project team permission to execute the contract between the State and the IBM Group.
• The State Department of Finance placed certain conditions on its approval of the feasibility study, requiring, for example, that the project team submit a benefits measurement plan within one year following the contract's signing.
• The project team is still more than a year away from procuring a contractor for the state disbursement unit, a separate but integral part of the single, state-wide automated child support enforcement system.

Information Technology: Control Structures Are Only Part of Successful Governance

Feb. 2003 (.pdf, 462KB)

In 1995 the Legislature created the Department of Information Technology (DOIT) to provide leadership, guidance, and oversight for information technology (IT) initiatives and projects throughout the State. In July 2002, DOIT ceased operation, but the need for what it was chartered to do continues to exist.

To determine what lessons can be learned from states with exemplary practices in IT governance, our consultant conducted case studies in New York, Virginia, Pennsylvania, and Illinois. The studies revealed three models for achieving effective IT governance. They varied substantially in the extent to which formal authority is concentrated in the state's highest-level IT office as well as where that office is located in the governance structure and how it interacts with other stakeholders in IT initiatives.

The success of a new IT governance structure depends on the support and cooperation of many stakeholders, including the governor's office, the Legislature, control entities, client entities, and technical entities that will be affected by the IT program. The selection, adoption, and development of a governance structure should, therefore, be a collaborative effort involving stakeholders at all levels.

State-wide Fingerprint Imaging System (.html) Jan 2003.

This report concludes that Social Services implemented the Statewide Fingerprint Imaging System (SFIS) without determining the extent of duplicate-aid fraud throughout the State. In its eagerness to implement SFIS, Social Services based its estimates of the savings that SFIS would produce on an evaluation of Los Angeles County’s fingerprint imaging system, rather than conducting its own statewide study. We have concerns that the methods Los Angeles County used to develop its savings estimate do not allow for the results to be extrapolated statewide. Further, Social Services’ use of this data assumes that conditions in Los Angeles County hold true in other counties. Similar concerns were expressed by the United States Department of Agriculture as early as 1998.

Enterprise Licensing Agreement

The State Failed to Exercise Due Diligence When Contracting With Oracle, Potentially Costing Taxpayers Millions of Dollars

The State Needs to Improve the Leadership and Management of Its Information Technology Efforts

The State has a significant investment in information technology (IT)--more than an estimated $2 billion annually--and in the past has experienced several major failures in planned IT systems. When it passed legislation that resulted in the creation of the Department of Information Technology (DOIT) in 1996, the Legislature envisioned that DOIT would provide the leadership, guidance, and oversight needed to protect the State's investment in IT. Although DOIT is developing new processes to meet its responsibilities, it has not consistently delivered what it has been asked to do by the Legislature.

Report

Summary

Beanpole Telecommunication Project

12/02

The General Assembly created the Beanpole project to encourage local public offices to aggregate telecommunication traffic as a way of enticing private telecommunication providers to build infrastructure in all areas of the State. Overall, the project has not yet met its objectives of encouraging private telecommunication vendors to offer services throughout the State and connecting local public offices to the state's multi-use network on a large scale.

Evaluation of Network Services

9/02

This evaluation focused on:

- an examination of the current statewide service delivery structure and an assessment of the advantages and disadvantages of aggregating the networks into centralized networks

- an assessment of the current status of and identification of needed improvements in the Network Services section's service efforts

- an analysis of the network Services section's costs and rate-setting methodologies.

Colorado Government Technology Services Computing Services

This report contains the results of our assessment of Computing Services’ ability to measure and manage performance and provide adequate levels of service to user agencies. The report details the scope of this review, provides an overview of Computing Services’ operations, and presents observations and recommendations that will enable Computing Services to enhance performance measurements.

Medicaid Management Information System

The purpose of the audit was to review the Department of Health Care Policy and Financing's controls over claims processing through MMIS for the Colorado Medicaid program. We reviewed documentation, analyzed data, and interviewed personnel at the Department and at the State's fiscal agent for the program, Consultec, LLC.  As part of our audit, Buck Consultants performed a technical review on aspects of MMIS operations. Results of Buck Consultants' work have been incorporated into this report as noted in the text.

Colorado Information Technology Services,   Financial Management of Network Services

The purpose of this audit was to review and evaluate the financial management of network services by the Colorado Information Technology Services in the Department of Personnel/General Support Services. Network services include voice and data communications.

Report

Summary

Dover Data Center Review of General Information Systems Controls

(.pdf, 251KB) June 2001

Dover Data Center Review of General Information Systems Controls

(.pdf, 96KB)  June 2000

Biggs Data Center Review of General Information Systems Controls

(.pdf, 252KB) FY 2000

Report

Summary

Implementation of the Integrated Administration and Control System (IACS)

The 1992 reform radically altered the philosophy underlying the Common Agricultural Policy (CAP). The external protection mechanisms and arrangements for supporting internal prices gradually gave way to a system of direct aid for farmers, which significantly increased the number of beneficiaries, but also the risks of irregularity, which is why IACS was introduced. It comprises five elements: computerised databases, an identification system for agricultural land parcels, a system of identification and registration of animals, aid applications and an integrated system for administrative controls and on-the-spot inspections.

Report

Summary

Agency for Health Care Administration (,htm)

Report 3-201, June 2003

LicenseEase is an integrated application package that assists the Agency in administering the licensing and regulatory process for various types of health care and managed care facilities. LicenseEase controls,  among others, application and fee processing, license issuance, complaint and inspection tracking, and discipline and compliance monitoring. We noted deficiencies in certain management controls related to LicenseEase. 

The Agency did not have a complete and tested IT disaster recovery plan.  There was no reconciliation performed between LicenseEase and the Florida Accounting Information Resource Subsystem to ensure that the moneys collected for licensures as recorded in LicenseEase were appropriately recorded in FLAIR.   Improvements were needed in the Agency’s IT risk management practices and in certain security controls protecting LicenseEase. 

Department of Banking and Finance

Section 215.94, Florida Statutes, provides that the Department of Banking and Finance is the functional owner of the Florida Accounting Information Resource Subsystem (FLAIR), a subsystem of the Florida Financial Management Information System. Our audit of FLAIR focused on evaluating selected information systems functions, determining the effectiveness of selected general and application controls, and determining the status of prior audit deficiencies. In addition, we reviewed selected aspects of the Department’s acquisition of IT consulting services for a feasibility study regarding the replacement of FLAIR.

Department of Children and Family Services

The Department of Children and Family Services maintains the Allocation, Budget, and Contract Control (ABC) System. The ABC System is an automated, integrated client budget information system designed to support planning and service provision to individuals with developmental disabilities. Our audit of the ABC System was a follow-up engagement to determine the status of Department actions in correcting general and application control deficiencies disclosed in audit report No. 13470.

Department of Elder Affairs

Our audit focused on management controls and selected information technology functions applicable to the Client Information, Registration and Tracking System of the Department of Elder Affairs during the period January 16, 2001 through April 16, 2001, and selected Department actions taken from August 23, 1999.

Department of Health

The Department of Health maintains the CoreSTAT System that contains core credentials data for health care practitioners. Our audit of CoreSTAT focused on determining the effectiveness of selected CoreSTAT information systems functions and the probability that CoreSTAT fees would recover costs, and evaluating selected CoreSTAT contract procedures.

Department of Highway Safety and Motor Vehicles

The Auditor General, as part of the Legislature’s oversight responsibility for operations of State agencies, is responsible for reviews of information systems. Consistent with this responsibility and in response to a request made by the Florida Department of Highway Safety and Motor Vehicles (Department) and the Florida Tax Collectors, Inc., we conducted a limited scope systems review of the development and implementation of the Department’s Florida Real Time Vehicle Information System (FRVIS) 2000. The review focused on the sufficiency of the Department’s testing with respect to FRVIS 2000 processing speed, FRVIS 2000 fee and tax calculations, FRVIS 2000 data conversion, and FRVIS 2000 off-line processing capabilities.

Department of Labor and Employment Security

The purpose of the Unemployment Compensation (UC) System is to provide prompt, accurate benefits for unemployed workers in order to expedite their reemployment, while providing a fair, equitable, and cost-effective Unemployment Compensation System for the employers of Florida.

We noted instances of deficiencies in computer general and application controls applicable to the Claim/Wages component and portions of other associated benefit components of the UC System during the period December 16, 1999, through March 31, 2000. 

Department of State

The Division of Corporations (Division) within the Florida Department of State (Department) serves as the State’s central repository for a variety of business entity filings and annual reports, Uniform Commercial Code financing statements, trade and service mark registrations, fictitious name registrations, and tax lien recordings. The strategic issue of the Division is to maintain a single central commercial repository for recording and retrieving all commercial information and related documentation with convenient public access and use in support of Florida’s economic and commercial growth.

We reviewed selected information systems functions applicable to the Division, in part, to evaluate the extent of progress the Department has made in correcting information systems control deficiencies we previously noted in Report No. 13177, dated March 25, 1998.

Department of Transportation - Financial Management System

The Financial Management System (System) is used by the Department of Transportation (Department) to manage the transportation programs. Our audit of the System focused on evaluating selected information systems functions applicable to the System, determining the effectiveness of selected general controls related to the System, and determining the effectiveness of selected application controls related to the Federal Programs Management component of the System.

Department of Revenue

We noted deficiencies in certain management controls related to the Child Support Enforcement (CSE) component and the CSE Automated Management System project.

• The Department had not assessed the impact of CSE Automated Management System on the FLORIDA System nor sufficiently included Dept. of Children and Family Services in the planning process.

• The Department had not enforced certain contract provisions with the Florida Association of Court Clerks for the operation of the State Disbursement Unit. Consequently, the Department paid Florida Association of Court Clerks for services not rendered and diminished the accountability for the Program.

• The Department had not resolved identified variances between the CSE Component and the Florida Accounting Information Resource Subsystem. Additionally, the Department had not performed a reconciliation of the CSE Component with the State Disbursement Unit Repository.

• The Department and the Dept. of Children and Family Services did not have a current interagency agreement for data processing services for the CSE Program, as required by Florida Statutes.

• Deficiencies continued to exist in the documentation of reference table changes to evidence that they were requested, reviewed, and approved by applicable user groups prior to their activation.

State of Florida - Purchasing Card Program

The Purchasing Card Program (Program) was implemented in the State of Florida in 1997 to streamline the purchasing and payment processes for small dollar purchases, generally those under $1,000. The Department of Banking and Finance, Office of State Comptroller and the Department of Management Services administer the Program, with the assistance of Bank of America, the current service provider. The State Technology Office operates and manages the Shared Resource Center which also supports the Purchasing Card Program.

State Technology Office

Section 282.102, Florida Statutes, as amended by Chapter 2000-164, Laws of Florida, effective July 1, 2000, created the State Technology Office (STO). The STO was created within the Department of Management Services, headed by a Chief Information Officer appointed by the Governor. Among other purposes, the STO was created to provide support and guidance to all State agencies to enhance the State’s use and management of information technology (IT) resources. Our audit of the STO focused on its efforts to implement selected provisions of Section 282.102, Florida Statutes, specifically to integrate the State's IT systems and services, and on the transition of the State’s IT resources from the State agencies to the STO.

Report

Summary

Distance Learning and Telemedicine (.pdf, 352KB) Sept. 2003

While this report discusses distance learning and telemedicine, the focus of the evaluation is on the Georgia Statewide Academic and Medical System (GSAMS). GSAMS, as explained in detail on pages 5 & 6, is a video conferencing system, which has many applications but is used primarily for distance learning and telemedicine.

In 1990, the GeorgiaNet Authority was created to provide for the centralized marketing, provision, sale, and leasing of certain public information maintained by the state in electronic format. The GeorgiaNet Authority was also responsible for maintaining the State of Georgia website and developing internet based e-commerce applications for state agencies. The Authority was funded by the income resulting from the sale of public information. In 2000, the Georgia Technology Authority (GTA) was created as a result of the need to have a strong centralized organizational structure that could address all of the state’s technology requirements. In addition to assuming the responsibilities of the old GeorgiaNet Authority, the GTA also operates the state's data center and telecommunications network, coordinates the state’s purchase of technology resources, oversees the state’s IT projects costing more than $1 million, and reviews and analyzes the state’s IT budgets and strategic plans.

The review of procurement and use of personal wireless devices includes attempts to identify the number of devices used by state agencies1 and the expenditures for those devices and services. It also discusses the methods of procurement and agencies’ compliance with the state’s telecommunications policy.

The security of personal wireless devices section includes a review of agencies’ security measures related to personal wireless devices and wireless computer networks.

Report

Summary

Project Management Report

(.pdf, 538KB) May 2003

The aims of this report are to provide a blueprint (albeit a flexible one) for managing complex projects well and to learn from the lessons of the past.

Review of Information and Communications Technology in the States of Guernsey

The main findings of this review conclude that the States is currently not realising best value from its deployment, use and management of ICT services. There are a number factors contributing to this position on an operational and technology basis. However, the extent of the recommendations (and their fundamental nature) stems from the lack of a strong strategic ICT direction and ability to implement an ICT strategy on a corporate States-wide basis. This is despite the fact that the States has an ICT Strategic Framework document within which committees are encouraged to work.

Report

Summary

An EBT system is an electronic means for a government agency to distribute needs-tested benefits. Recipients access their benefits through automated teller machines or point-of-sale terminals using magnetic striped cards similar to bank debit cards. Previous audits found deficiencies in the department’s management controls over its food stamp and financial assistance programs resulting in overpayments and inaccurate computerized data. Our current audit found that the department continues to struggle with implementing proper controls resulting in decreased payment accuracy ratings, loss of enhanced federal funding, increased risk of unauthorized benefits, and limits to the effectiveness of the EBT program.

Study of the Automated Child Support Enforcement System (KEIKI)

(.pdf 1.5MB) January 2003

The study concluded that KEIKI's capabilities are not being fully exploited and that the Agency is not converting captured data into information to support management, planning, and operational control. The Agency has not developed a strategic plan and workflow planning and control information are not used effectively, and although the Agency has made improvements in customer service it has not yet established a culture of customer service, which needs numerous improvements. The Agency Administrator has not defined what constitutes adequate or excellent customer service or related measures of effectiveness. Telephone customer support continues to be unacceptable - fewer than 60% of callers entered the telephone queue and under 50% eventually talked to an agency representative.

Establishment of a Public Land Trust Information System, Phase One

(.pdf, 1.95MB) March 2001

This progress report is submitted in response to Act 125, Session Laws of Hawaii (SLH) 2000, which directed the Auditor to initiate and coordinate all efforts to establish a public land trust information system. Act 125 requires that the information system include an inventory of the lands and other information useful for the proper administration and management of the public land trust. The act requires the Auditor to submit a progress report to the 2001 Legislature that outlines necessary tasks to complete the public land trust information system and inventory.

Audit of the Department of Human Services' Information Systems

(.pdf, 353KB) February 2001

The State Auditor initiated this audit to assess the Department of Human Services' information systems' effectiveness in providing for public welfare needs efficiently. The audit was conducted pursuant to Section 23-4, Hawaii Revised Statutes, which requires the Auditor to conduct post audits of the transactions, accounts, programs, and performance of all departments, offices, and agencies of the State and its political subdivisions.

Report

Summary

Data Management at the Commission of Pardons and Parole and the Department of Correction (follow-up review).

Report 03-03F (.pdf, 319KB) February 2003.

Both the Commission of Pardons and Parole and the Department of Correction have made progress on implementing all nine recommendations resulting from our May 2001 performance evaluation of their data management. In addition, the Department of Correction is close to finalizing the acquisition of Utah’s offender management system at no cost to Idaho, which is a substantial saving over the department’s request of $700,000 for such a system.

Improvements in Data Management Needed at the Commission of Pardons and Parole

A report of the Commission of Pardons and Parole's data management, and the Department of Correction's proposed acquisition of a new offender information system.

The Department of Fish and Game's Automated Licensing System Acquisition and Oversight

The department of Fish and game did not comply with state purchasing laws and regulations when it acquired the licensing system, although there was no evidence that it intended to violate the law. In addition, the agreements through which the system was acquired lacked clear and complete contract terms, which complicated contract oversight and enforcement.

Inmate Collect Call Rates and Telephone Access:  Opportunities to Address High Phone Rates

On September 29, 2000, the Joint Legislative Oversight Committee requested that the Office of  Performance Evaluations conduct an evaluative review of inmate telephone rates and access. Committee members indicated concern about high phone rates for calls from inmates and the possibility that the Department of Correction was making money from these calls. Additionally, concerns were voiced that inmate access to telephones might be excessive. 

Report

Summary

Agency use of Internet user tracking technology

Each State agency is responsible for developing privacy policies that disclose how the agency will use information obtained over the Internet. Of the 42 agencies that used cookies, only 7 disclosed in privacy policies that cookies were being used. Of the 114 agencies that reported having a web-site, only 32 (28 percent) reported that they had a privacy statement or policy located on their web-sites.

Report

Summary

KDHE Information Systems: Reviewing the Department’s Management of Those Systems

(.pdf, 636KB) October 2003

The Department’s operations were at an extremely high risk of fraud, misuse, or disruption caused largely by the following problems:

• KDHE’s method of issuing and handling passwords was profoundly flawed, giving any former or current employee - and most hackers - fairly easy access into the agency’s network and data. Using password cracking software, we were able to crack more than 1,000 of the agency’s passwords (about 60% of the total) in 3 minutes, including several administrative passwords.

• The Department’s anti-virus system was badly flawed, allowing computers to become infected with a large number of different viruses, worms, and Trojan horses. Many computers weren’t receiving the necessary virus protection updates, some were set to ignore viruses, and nearly 200 computers didn’t have the anti-virus software installed. Many computers were infected with viruses, and some had been infected for months.

Information Network of Kansas (April 2003)

Executive summary (.htm)

Full report (.pdf, 328KB)

A review of revenues, expenditures and administrative structure.

High-Capacity Telecommunications Services:  Examining Local Telephone Companies' Compliance with the 1996 Telecommunications Act. (April 2000)

The Kansas Telecommunications Act of 1996 required local telephone companies to provide existing and newly ordered "broadband" or high-speed telecommunications services to schools, hospitals, libraries, and other State and local government entities at discounted prices.

During the 2000 legislative session, legislators received information showing that individual school districts appeared to pay vastly different amounts for the high-speed connections they used to access the Internet. This raised questions about whether telephone companies had complied with the requirements of the Telecommunications Act, and whether the Kansas Corporation Commission had taken the actions needed to enforce these statutory provisions.  This report contains the findings, conclusions, and recommendations from a completed performance audit. 

Report

Summary

Press release

State Auditor discovers transportation computers hacked and Cabinet computers used for thousands of porn site visits.

Governor's Office for Technology

2001-2002 (.pdf, 1.5MB)

A report on controls placed in operation and their operational effectiveness.

Deficiencies In The State's Medicaid Claims Processing Contract

This audit was performed to assist the department for Medicaid Services in renegotiating its fiscal agent contract. The results of the audit provide a blueprint for state government's contracting with and overseeing fiscal agents and other third party administrators. It list 14 'lessons learned' for future systems development and service contracts.

Two Internet domain names residing on a web server in the Governor’s Office of Technology (GOT) were of a non public nature. One domain name was reserved for a physician in Louisiana and the other domain contained an active Internet site for a high school alumni page. The State Auditor recommended the GOT remind its employees that "technology resources are to be used to perform public responsibilities and are not for non public or personal use."

Report

Summary

Records management

The primary purpose of the Archives and Records Program (State Archives) is to provide a state-wide system of managing and preserving government records and to do so efficiently and economically. This performance audit asked the questions:

The audit objectives were to answer the following:

• Is the use of electronic imaging reducing the demand for storage space?

• Does the Archives and Records Program’s use of retention schedules ensure efficient use of its Records Center?

• Are the Records Center’s customers satisfied with its services?

• Does the Archives and Records Program provide quality microfilm services at the lowest cost?

Report

Summary

Financial Management Information System Centralized Operations

(.pdf, 163KB) March 2003

Our audit disclosed that FMIS contained many essential internal controls that were functioning properly. However, our audit also disclosed certain weaknesses that reduced the effectiveness of the System’s internal controls. For example, we found that access to certain critical FMIS program files was not properly restricted or recorded. In addition, a number of State employees were assigned incompatible FMIS security duties.

State Cell Phone Usage

(.pdf, 329KB) February 2003

Effective Statewide Oversight of Cellular Communication Services and Expenses Was Lacking; Cell Phone Vendors Did Not Comply With Certain Contractual Requirements; State Agencies Did Not Adequately Monitor Cell Phone Usage.

Department of Transportation Financial Management Information System Centralized Operations

July, 2001

The centralized operations of the Financial Management Information System (FMIS) is administered by the Department of Transportation. The System is used to support the Department’s purchasing, accounting and payment functions. Expenditures processed through the System for fiscal year 2000 totalled approximately $1.9 billion. Our audit disclosed that FMIS contained many essential internal controls that were properly functioning but it also disclosed certain weaknesses that reduced the effectiveness of the System’s internal controls. We found that access to certain critical FMIS files was not properly restricted. In addition, reports of security violations, successful accesses to critical files, and changes to the system access capabilities of users were not properly reviewed. Furthermore, several Department employees were assigned incompatible FMIS security duties. 

Department of Juvenile Justice Information Technology (IT) Expenditures

Sept., 2000

We conducted a performance audit to identify and assess the propriety of the Department of Juvenile Justice’s information technology expenditures and to evaluate the related procurement and contract monitoring procedures. Such expenditures totalled approximately $14.3 million for the period from July 1, 1997 to June 30, 2000. 

Based on our tests, most information technology expenditures were properly approved and supported by vendor invoices. However, the Department did not detect unauthorized charges of approximately $256,000. We also determined that the Department’s budgetary estimates for its information technology requirements were incomplete, which was a major factor in the Department significantly overspending its original appropriations for the three years under review by the aggregate amount of $5.4 million. We also noted that approximately $857,000 was expended for certain data conversion efforts that were minimally successful. 

Report

Summary

REPORT ON INTERNAL CONTROLS OVER THE DEPARTMENT OF SOCIAL SERVICES’ FAMILYNET SYSTEM

The scope of the audit included a review and evaluation of system access security to the FamilyNet system and a review of access controls over the network on which the FamilyNet application resides; control practices, procedures, and devices regarding physical security and environmental protection over and within the buildings housing DSS business offices; physical security and environmental protection over restricted areas housing confidential client records at the business offices and on-site storage for  computer-related media; control practices regarding the security over and destruction and removal of hardcopy confidential information regarding DSS clients. 

REPORT ON THE EXAMINATION OF INFORMATION TECHNOLOGY -RELATED CONTROLS AT THE HUMAN RESOURCES DIVISION

The scope of the audit included an examination of IT-related controls pertaining to organization and management, physical security, environmental protection, fixed-asset inventory for the IT environment, logical access security, disaster recovery and business continuity planning, and on-site and  off-site storage of backup magnetic media for mission-critical and essential computer systems.

REPORT ON INFORMATION TECHNOLOGY-RELATED CONTROLS AT MASSASOIT COMMUNITY COLLEGE

The scope of our IT audit included an evaluation of IT-related general controls for the administrative and academic IT functions. Areas reviewed included IT-related organization and management, physical security, environmental protection, logical access security, on-site and offsite storage of magnetic backup media, and disaster recovery and business continuity  planning. We also examined controls over IT-related service contracts and procurement and inventory record-keeping of IT-related assets. 

Report

Summary

Performance and Financial Related Audit - Michigan Administrative Information Network

Feb. 2003 (.pdf, 187KB)

MAIN is the State's automated administrative management system that supports accounting, payroll, purchasing, and other activities. The audit objective was to assess the effectiveness of general controls over management, development, and security of information processing.

Technology Services and the Automated Information Systems (July, 2002)

This report contains the results of a performance audit of Information Technology Services and the Automated Information Systems, Bureau of State Lottery, Department of Treasury.

Telecommunication Services and Enterprise Security (March, 2002)

This report contains the results of a performance audit of Telecommunication Services and Enterprise Security, Department of Management and Budget (DMB).

Data Collection and Distribution System

(August, 2001)

This report contains the results of a performance audit of the Data Collection and Distribution System (DCDS), Michigan Administrative Information Network (MAIN), Department of Management and Budget (DMB).

Technology Services and the Automated Information Systems

(May, 2001)

This report contains the results of a performance audit of Technology Services and the Automated Information Systems, Department of Education.

Automated Information Systems

(December, 2000)

This report contains the results of a performance audit of the Automated Information Systems, Department of Military and Veterans Affairs.

Report

Summary

SEMA4 Information Technology Audit

(August, 2002)

This information technology audit assessed the adequacy of key “application” and “general” controls of the State Employee Management System (SEMA4). Application controls filter out invalid data before it can be processed and ensure that remaining transactions are completely and accurately processed. However, some information technology professionals had excessive security clearances, and some interface files were not appropriately secured during transmission.

Managing Local Government Computer Systems (April, 2002)

Summary

Full report

Local governments may manage their computer systems in-house, by outside vendors, by an intergovernmental computer collaboration, or by a combination of these three approaches. This report recommends that counties, cities, and school districts adopt certain best practices as they consider how they want to manage their computer systems.

Local E-Government (April, 2002)

Summary

Full report

This report identifies best practices for local governments, including cities, counties, and school districts, that deliver e-government services to citizens via the Internet.

Report

Summary

State Data Center Comprehensive Continuity Planning And Mainframe Security Administration

(.htm) Nov. 2003

This audit reviewed the State Data Center’s comprehensive continuity plan and security administration.  The Office of Administration, Division of Information Services established the State Data Center, which processes mainframe data, stores data, and backs up state data systems.  Without a complete continuity plan, there is limited assurance information technology processing could be promptly resumed after a disaster or other disruptive event. Security control weaknesses put mainframe data at risk for unauthorized use or modification. 

Comprehensive Continuity Planning and Information Resource Security Management of The State's Accounting System (.htm) Oct. 2003

This audit reviewed the Office of Administration’s management of the state’s accounting system (SAM II) as it relates to plans for handling business continuity and information technology recovery should a disaster or other disruptive event occur.  SAM II is the state government’s integrated financial management, human resource and payroll system which processed approximately $25 billion in expenditure and transfer transactions in fiscal year 2003. 

Division of Child Support Enforcement Computer Risk Management Program   May 2003

This audit assessed how well the state can recover data after unexpected interruptions to the state's child support computer system, which disburses child support checks.  Division of Child Support Enforcement distributed about $447 million in child support checks to parents during fiscal year 2002.  The computer system also maintains confidential child support data, such as parental and court-ordered information, and is not adequately protected from unauthorized access.

Department of Revenue Information Resource Security Management

Feb.2003

The Department of Revenue, which collects taxes and administers drivers’ licenses and motor vehicle records, needs to better address system access control management policies and practices.  These practices protect the integrity, confidentiality, and availability of data and information, which are at risk from unauthorized use, modification, or disclosure.

Department of Revenue Comprehensive Continuity Planning

This audit analyzed the Department of Revenue's capability to resume normal business operations and recover information from automated data systems after a disaster or other disruptive event.  Auditors examined disaster recovery planning, staff emergency response training, as well as testing and documentation procedures for backup systems and environmental controls.  

Management of Cellular Telephones At State Agencies

This audit examined how effectively state agencies manage cellular telephone use and found no assurance that employees are enrolled in the most cost-effective plans or that telephones are fully utilized.  Auditors reviewed cellular telephone policies at 16 state agencies and made detailed reviews of billing plans at seven organizations within four agencies.

Government benefits delivered better with new electronic system

The Department of Social Services’ new electronic benefits transfer system disburses benefits more efficiently and reduces the chance of fraud.  This audit found no major deficiencies in the new system, which replaced paper benefit coupons.   

Computer Security in the Department of Labor and Industrial Relations