Department of Transportation Financial Management Information System Centralized Operations

Transcription

1 Audit Report Department of Transportation Financial Management Information System Centralized Operations July 2001

2 This report and any related follow-up correspondence are available to the public and may be obtained by contacting the Office of Legislative Audits or the Department of Legislative Services Office of the Executive Director, 90 State Circle, Annapolis, Maryland. Alternate formats may be requested by contacting the Office of Legislative Audits at , (voice), or (toll-free voice), or (fax), and (Maryland Relay Service). Audit reports can also be viewed or downloaded from the Internet. Our web site address is

3 July 16, 2001 Delegate Samuel I. Rosenberg, Co-Chair, Joint Audit Committee Senator Nathaniel J. McFadden, Co-Chair, Joint Audit Committee Members of Joint Audit Committee Annapolis, Maryland Ladies and Gentlemen: We have audited the centralized operations of the Financial Management Information System (FMIS) as administered by the Department of Transportation Secretary s Office for the period beginning July 1, 1998 and ending October 31, The System is used to support the Department s purchasing, accounting and payment functions. Expenditures processed through the System for fiscal year 2000 totaled approximately $1.9 billion. Our audit disclosed that FMIS contained many essential internal controls that were properly functioning. However, our audit also disclosed certain weaknesses that reduced the effectiveness of the System s internal controls. We found that access to certain critical FMIS files was not properly restricted. In addition, reports of security violations, successful accesses to critical files, and changes to the system access capabilities of users were not properly reviewed. Furthermore, several Department employees were assigned incompatible FMIS security duties. Respectfully submitted, Bruce A. Myers, CPA Legislative Auditor

4 (This Page Intentionally Left Blank) 2

5 Table of Contents Background Information 4 History 4 FMIS Responsibilities 4 Findings and Recommendations 5 Computer Security Procedures, Reporting and Access Controls Finding #1 Numerous Employees Could Grant Themselves 5 Unauthorized FMIS Access Finding #2 - Security Software Activity Reports Were Not Reviewed 6 by Appropriate Supervisory Personnel or Retained Finding #3 - Modification Access to Several System Wide Procurement 6 Control Tables Was Not Adequately Restricted Ad-Hoc FMIS Database Finding #4 Assurance Was Lacking that the Separate Ad-Hoc Database 7 Used by the Department s Agencies for Supplemental Reporting Was Accurate Audit Scope, Objectives and Methodology 9 Agency Response Appendix 3

6 Background Information History The Department s Financial Management Information System (FMIS) is an integrated database system with purchasing and accounting components. The FMIS supports purchasing functions through the Advanced Purchasing and Inventory Control System (ADPICS) component and accounting operations through the Relational Standard Accounting and Reporting System (R*STARS) component. Both System components have been operational at all Department agencies since the inception of our audit period. The System runs on the Department s Office of Transportation Technology Services (OTTS) mainframe computer. Expenditures processed through the System for fiscal year 2000 totaled approximately $1.9 billion. A separate version of FMIS (known as statewide FMIS) is maintained by the Department of Budget and Management, the Department of General Services and the Comptroller of the Treasury s General Accounting Division for the use of most executive branch agencies and is outside the scope of this audit. Because of the unique needs of the Department of Transportation, particularly with respect to Federal grants and projects, it maintains its own version of FMIS. FMIS Responsibilities The FMIS Unit within the Department s Secretary s Office and the Department s OTTS are responsible for daily System administration, including maintenance, operation, security and backup of related database records and the computer programs, which perform on-line and overnight processing. The agencies within the Department are responsible for establishing and monitoring their employees security access to the System. The Office of Legislative Audits separately audits the Secretary s Office and all Departmental agencies. Our most recent audits of these entities included a review of their agency-based FMIS responsibilities. This central System audit included elements of the FMIS operation and internal control not included in the aforementioned agency audits (for example, database and security controls). The Department interfaces certain System financial information to the statewide version of FMIS for recordation, payment processing and reporting. This audit included a review of the controls and processing over financial information interfaced to and recorded on State FMIS. 4

7 Findings and Recommendations Computer Security Procedures, Reporting and Access Rules Background The significance of the data maintained in the FMIS database and the magnitude of the expenditures and revenues processed through FMIS necessitates that access to the data and related FMIS programs be adequately restricted. In addition, all unauthorized attempted accesses, changes to the rules governing system access and certain allowed accesses should be recorded (that is, logged) for subsequent independent review. Critical FMIS data and programs on the Department s mainframe computer can be modified using different tools and by on-line transaction screens. To provide access control over the FMIS data and programs, the Department uses the mainframe software security product (that is, ACF2), the Department s database management software, and FMIS application program controls. Finding #1 A number of employees could grant themselves unauthorized FMIS access. Analysis We noted four employees in three agencies, including two employees from the Secretary s Office, who could render all approvals for obtaining FMIS and mainframe access at their respective agencies. Specifically, these individuals were responsible for both establishing and reviewing FMIS security settings (as FMIS security officers) as well as for authorizing mainframe access rights on the Department s mainframe computer (as agency security coordinators). As a result, these employees could grant themselves unauthorized FMIS access by creating fictitious userids with all System privileges. Furthermore, all 11 of the FMIS security officers (including the 4 individuals previously mentioned) could modify their own R*STARS access rights. Accordingly, these security officers could grant themselves improper security privileges and process unauthorized transactions, including disbursements through the system. We noted that the Department s ADPICS software prevented security officers from modifying their own ADPICS userids and access rights. However, a similar restriction did not exist within the R*STARS software. 5

8 Recommendation #1 We recommend that responsibilities be amended to ensure that no user functions as both a FMIS security officer and agency security coordinator. We also recommend that the Department implement R*STARS system software changes to prevent security officers from modifying their own R*STARS access rights. Finding #2 Security software activity reports related to FMIS were not reviewed by appropriate supervisory personnel or retained. Analysis Supervisory FMIS Unit personnel did not review the ACF2 security software activity reports. We were advised that the Secretary s Office security coordinator reviewed the security software reports of security violations, logged access to critical FMIS files, access rule changes, and related logonid changes for propriety. However, documentation supporting such reviews did not exist since the related reports were not retained. Furthermore, the security coordinator was not independent of the security modifications included on certain of these security reports and would not have the same level of understanding of FMIS operations as would supervisory FMIS personnel. Accordingly, there was a lack of assurance that security violations were addressed and that all logged accesses to critical FMIS files, access rule changes and related logonid changes were proper. Recommendation #2 We recommend that ACF2 security software activity reports related to FMIS be retained. We also recommend that supervisory FMIS Unit personnel review the reports of logged modification access to critical FMIS files and document such reviews. Finding #3 Modification access to several system wide procurement control tables was not adequately restricted. Analysis Several individuals were granted unnecessary modification access to seven tables in the Advanced Purchasing and Inventory Control System (ADPICS) that control overall aspects of system operations. For example, tables that contain document matching rules for procurements, and rules regarding the interface of ADPICS transactions to R*STARS were subject to unnecessary modification access. 6

9 Maintaining ADPICS control table integrity helps to limit the chances of inaccurate FMIS processing and reporting. Recommendation #3 We recommend that the Department limit modification access to system wide ADPICS control tables to personnel who require such access. Ad-Hoc FMIS Database Finding #4 Assurance was lacking that the separate Ad-Hoc database used by the Department s agencies for supplemental reporting was accurate. Analysis Assurance was lacking that the Ad-Hoc database, which Department agencies used to supplement the reporting capabilities of FMIS standard reports, was accurate. This database includes, for example, the details relating to all R*STARS financial transactions. The Department s agencies generate FMIS reports using the Ad-Hoc database (which is a separate copy of selected data from the FMIS production database) in addition to the standard FMIS production reports. The Secretary s Office s FMIS Unit is responsible for reconciling the FMIS production and Ad-Hoc databases, to ensure the integrity of the Ad-Hoc database. Our review of this reconciliation process disclosed the following: Although the R*STARS production and Ad-Hoc databases were reconciled, resulting adjustments to correct the differences were not made in a timely manner. Because some of these differences were significant (that is, greater than $10,000,000), the integrity and reliability of the Ad- Hoc reports may have been affected. We determined that differences had existed for some time (for example, since November 1999) and that supervisory personnel did not approve the reconciliations. A reconciliation procedure comparing ADPICS production data and Ad- Hoc data did not exist. Reports on ADPICS Ad-Hoc data are generated to provide users with information on procurements, invitations to bid, requisitions, purchase orders, and blanket purchase orders. 7

10 Recommendation #4 We recommend that the Department resolve any differences between the R*STARS production and Ad-Hoc databases in a timely manner and make the necessary correcting entries. Additionally, we recommend that independent supervisory personnel review and approve these reconciliations. Finally, we recommend that the Department implement a reconciliation process for the ADPICS portion of the Ad-Hoc database. 8

11 Audit Scope, Objectives and Methodology We have audited the centralized operations of the Department of Transportation Financial Management Information System (FMIS) for the period beginning July 1, 1998 and ending October 31, The audit was conducted in accordance with generally accepted government auditing standards. As FMIS is a vital procurement and accounting application in all Department agencies, internal control over FMIS is critical to the user agencies. Since we audit these agencies and evaluate their internal control, we will periodically evaluate FMIS internal control. The State of Maryland maintains its own statewide version of FMIS, which is not included in the scope of this audit. As prescribed by the State Government Article, Section of the Annotated Code of Maryland, the objectives of this audit were to examine the elements of FMIS operations, relative to the Department s overall internal control (for example, database and security controls) and compliance with applicable State laws, rules, and regulations not included in our individual audits of the Department s agencies. This was the initial audit of the Department s FMIS operations since the System s implementation. In planning and conducting our audit, we focused on the major financial related areas of operations based on assessments of materiality and risk. Our audit procedures included inquiries of appropriate personnel, inspection of documents and records, and observation of FMIS operations. We also tested transactions and performed other auditing procedures that we considered necessary to achieve our objectives. The Department s management is responsible for establishing and maintaining effective internal control. Internal control is a process designed to provide reasonable assurance that objectives pertaining to the reliability of financial records, effectiveness and efficiency of operations including safeguarding of assets, and compliance with applicable laws, rules and regulations are achieved. Because of inherent limitations in internal control, errors or fraud may nevertheless occur and not be detected. Also, projections of any evaluation of internal control to future periods are subject to the risk that conditions may change or compliance with policies and procedures may deteriorate. 9

12 Our reports are designed to assist the Maryland General Assembly in exercising its legislative oversight function and to provide constructive recommendations for improving State operations. As a result, our reports generally do not address activities we reviewed that are functioning properly. This report includes findings relating to conditions that we consider to be significant deficiencies in the design or operation of internal control that could adversely affect the Department s ability to maintain reliable financial records, operate effectively and efficiently and comply with applicable laws, rules and regulations. Our report did not disclose any significant instances of noncompliance with applicable laws, rules, or regulations. The response from the Department of Transportation Secretary s Office to our findings and recommendations, is included as an appendix to this report. As prescribed in the State Government Article, Section of the Annotated Code of Maryland, we will advise the Department regarding the results of our review of its response. 10

13

14 Maryland Department of Transportation Financial Management Information System Centralized Operations Draft Audit Report Responses Period July 1, 1998 to October 31, 2000 Computer Security Procedures, Reporting and Access Rules Finding #1 A number of employees could grant themselves unauthorized FMIS access. Response: We concur with the auditor s recommendations. We will investigate ways to adjust these responsibilities so that we can implement a segregation of duties as recommended. We will coordinate a similar effort with the modal administrations. We expect to complete this by August 1, The recommended software modification to prevent security officers from modifying their own R*STARS access rights has already been implemented. Finding #2 Security software activity reports related to FMIS were not reviewed by appropriate supervisory personnel or retained. Response: We concur with the auditor s recommendations. Documented reviews of security violations and logged access to critical files are now performed as recommended. These reports and reviews are now being retained for audit verification. Page 1 of 2

15 Maryland Department of Transportation Financial Management Information System Centralized Operations Draft Audit Report Responses Period July 1, 1998 to October 31, 2000 Finding #3 Modification access to several system wide procurement control tables was not adequately restricted. Response: We concur with the auditor s recommendation. ADPICS does not provide the ability to centrally control profiles in the same manner as R*STARS. We will investigate a programming change to provide the ability to prevent inappropriate access to these ADPICS tables. In the interim, steps will be taken to limit access to these tables as recommended. Notification will be sent to the modal security coordinators that these tables are to be maintained by the MDOT FMIS unit. The security coordinators will also be informed that on or before July 11, 2001, security access to these tables will be removed for those individuals outside of the MDOT FMIS unit. We will periodically review the security profiles to ensure that a modal security coordinator subsequently does not grant inappropriate access. Ad-Hoc FMIS Database Finding #4 Assurance was lacking that the separate Ad-Hoc database used by the Department s agencies for supplemental reporting was accurate. Response: We concur with the auditor s recommendations. The differences between the R*STARS and Ad-Hoc databases have been corrected. The Modal Administrations were notified of the out of balance conditions and were aware of ways to obtain accurate queries. Agencies will be informed of future out of balance conditions as they arise. Differences will be rectified on a timely basis. Weekly reviews by supervisory personnel of the reconciliations are being performed and documented. We have plans to develop a reconciliation process for ADPICS portion of the database. Currently just a few ADPICS tables exist in Ad-Hoc. We are planning to add more ADPICS tables to the Ad-Hoc. Once that has occurred, development of a reconciliation process can begin. Additionally, we will contact the State FMIS team to see how they addressed this issue. We will target January 1, 2002, to have an ADPICS Ad-Hoc reconciliation process in production. Page 2 of 2