INTERNAL AUDIT DIVISION CLERK OF THE CIRCUIT COURT

Transcription

1 INTERNAL AUDIT DIVISION CLERK OF THE CIRCUIT COURT FOLLOW UP REVIEW TO AUDIT OF COURTROOM AUTOMATION Karleen F. De Blaker Clerk of the Circuit Court Ex officio County Auditor Robert W. Melton, CPA*, CIA, CFE Chief Deputy Director Internal Audit Division Prepared by: Deborah Cross-McCray, CIA Internal Auditor Supervised by: Ronald Peters, CIA, CISA Internal Audit Manager DECEMBER 4, 2003 REPORT NO *Regulated by the State of Florida

2 December 4, 2003 The Honorable Karleen F. De Blaker Clerk of the Circuit Court We have conducted a follow-up review to our audit of Courtroom Automation. The objectives of our review were to determine the implementation status of our previous recommendations. Of the 13 recommendations contained in the audit report, we determined that 6 have been implemented, 2 have been partially implemented, and 5 have not been implemented. The status of each recommendation is presented in this follow-up review. We appreciate the cooperation shown by the staff of Court Services Division during the course of our review. Respectfully Submitted, Robert W. Melton, CPA*, CIA, CFE Chief Deputy Director Internal Audit Division *Regulated by the State of Florida

3 Scope and Methodology We have conducted a follow-up review of our audit of Courtroom Automation. The purpose of our follow-up review is to determine the status of our previous recommendations for improvement. The purpose of the original audit was to: 1) review compliance with the Clerk s procurement process for the Contract, 2) evaluate the adequacy of the terms of the agreement to meet the objectives of the project, 3) determine compliance with the contract terms by the parties, 4) evaluate the effectiveness of the development methodology used by the Contractor to produce the functionality of the product to be delivered, 5) assess Court Service management s oversight of the project relating to the process ability to deliver a satisfactory product in a reasonable time frame, 6) confirm the adequacy of application testing and user training for the product. In addition, for the current production environment, 7) ascertain the appropriateness of the ongoing application maintenance, 8) determine the adequacy of the change control procedures and the application documentation to support the product, and 9) determine the appropriateness of the installation of NT Server security, In Court Docketing (ICD) and Microsoft-Sequential Query Language (MS-SQL) logical controls. To determine the current status of our previous recommendations, we conducted interviews with management to determine the actual action taken to implement the recommendations for improvement. We performed limited testing to verify the progress of the recommendations for improvement. Overall Conclusion Of the thirteen recommendations contained in the report; six have been implemented, two have been partially implemented and five have not been implemented. We encourage management to implement the remaining recommendations. Background The Clerk Of The Circuit Court (Clerk) undertook a project to develop and implement an automated solution covering the Clerk s courtroom daily activities. The objective was to improve the time in processing court documents as well as improving the efficiency and effectiveness of the Clerk s operations. The County s Information Technology Department (IT) was not staffed to undertake this type of project and recommended the use of a contractor that had the technical skills for the task. A contract with Innovative Software Solutions (Innovative) was signed in May 1997 to undertake the development project. The project team consisted of CJC operations personnel, IT staff as technical advisors as well as active participants for the mainframe interface segment, and the Contractor, as designer and programmer for the product. Using the input from the County staff, the contractor developed the Courtroom Automation Design Project Findings document that

4 encompassed development methodology, implementation plans, requirements, scope of development, technology platform and critical success factors. The information in the document was used as a blueprint for the Courtroom Automation Project. Adjustments were made when additional information was obtained, or areas of the plan were expanded as the phases were further defined. The project used Rapid Application Development techniques applying modern clientserver facilities. The ICD application was written in Visual Basic and supported by MS- SQL Server database software. The application runs in a NT-Server platform with Windows NT workstations. The deliverables for the application modules, interfaces and utilities were divided into three major phases. Required enhancements for the completed segments were incorporated in the next phase. The project was started May 1997 and completed March 2001.

5 This section reports our follow-up on actions taken by management on the Recommendations for Improvement in our audit of Courtroom Automation. The recommendations contained herein are those of the prior audit, followed by the current status. 1. The Deployment Of NT Server Security Is Inadequate For The ICD Production Environment, And Security Settings Do Not Meet County Standards. Our review of the functionality of the NT Server security for the Clerk s Domain, (CLKCCC) that supports the ICD Application, found non-compliance with IT and best practice standards. A. System-wide user security settings are not set at a level to provide adequate control. Noncompliance to County and best practice standards was present. We noted the following specific concerns regarding Global Account Policies: 1) The users are not required to periodically change their password ( Password Never Expires setting is active). IT standards require a password to be changed every 30 days. 2) The intruder detection security feature for the Domain has the Account Lockout-Lockout After Bad Logon Attempts option set to six attempts before the user-id is disabled by software security. The IT standard setting is three. In addition, the Account Lockout-Reset Count After option was set to 15 minutes, but the IT standard is 30 minutes. The Lockout Duration setting that tells the security software how long (in days-hours-minutes) to accumulate the incorrect login attempt count before resetting the counter to zero was set to 20 minutes. Best practice standards recommend 2-3 days for an automatic lockout duration setting. 3) Users are not required to have Unique Passwords enforced by software or by department policy. IT standards require a secure password containing both letters and numbers and, if available, enforced by software. 4) The setting User Must Log On In Order To Change Password is not active. IT standards require an active setting that limits only the user to change their password. B. Individual user security settings are not required to be set at a level to provide adequate control.

6 1) All the individual user settings are active for Password Never Expires. IT standards require a password to be changed every 30 days. 2) Most individual user settings are active for User Cannot Change Password. The setting is not in compliance with IT standards. It is essential that the user, to help protect password integrity, periodically change passwords. C. The user ID Administrator is not adequately controlled. The user-id is functioning as a Generic log-on used by the LAN-Administrator, IT product programmer, and CJC product administrator as well as Technology Development Center (TDC). There is also an increase in password confidentiality risk present and a need for manual controls when using Generic user-ids. Its use must be strictly controlled and should never be used as a Generic log-on. D. There is inadequate documentation to justify the need for seven user-ids to be members of the Administrators Group. This Group has the same rights as the powerful Administrator account and, therefore, has full access to the system. To minimize risk and enhance controls, Administrators Group members should be maintained at the smallest possible number. E. The membership structure to Groups has redundancies where user-ids are members of lower level Groups but received the same access rights from their membership in higher-level Groups. F. There were two Generic user-ids that are not required but never removed from the user list. In addition there are four System user-ids that are not currently being used. All user-ids were active at the time of the audit. IT standards require inactive user-ids to be disabled or removed. G. The directories and sub-directories access Permissions for the CLKCCC4 server have not been reviewed by management since the access Rights set-up by the Contractor during the development stage. H. One User Right Policy granted to Groups needs to be adjusted. The Right Access This Computer From Network was given to the Everyone Group by default. A new Group should replace Everyone. For this server, the access should be changed to the Domain User Group. I. CJC management has not adequately defined the responsibility for NT Network security. Consequently, TDC has not been able to implement security that would be equivalent to current Novell Network security levels.

7 Recommendation: A & B. User settings that do not comply with IT or best practice standards be changed. Other settings that will become relevant when passwords are required should also comply with the standards, i.e., Minimum Password Length and Password Uniqueness. Management should also consider obtaining a software solution that would permit an interface with the Novell user-id and password. C. Control of the Administrator user-id be turned over to TDC. Any user-ids requiring Administrator Rights should be made a member of a Group that only grants the Rights needed. If required, new Groups should be established to handle the Right assignment. D. The seven user-ids need for Administrator Rights should be evaluated, and only those Rights that are needed should be granted. E. The Group structure be reviewed and any unnecessary redundant memberships removed. F. The Generic and System user-ids not needed be removed from the NT Server user list. G. CJC management review Permissions setup for the server directories. H. The Domain User Group replace the Everyone Group. I. CJC management assign the security responsibilities for the NT Network. The document should be in writing and accepted by TDC before implementation. Status: A&B. Implemented. CJC has installed Novel Account Management software for the NT Network. The software passes through the Novel user ID and password to the NT security software. Therefore, the NT security settings are not be used to control access. There is still a minor risk if a User can gain access to the NT network without going through the Novell Network. Direct access can be obtained through the NT network and print servers maintained at CJC in the Clerks area. Management informed audit that a combination door lock controls access to this room and Management has installed to prevent unauthorized access to the hardware.

8 C. Partially Implemented. Management has established a Group that will have LAN- Administrator rights. The group will permit the User to use their own ID to gain access with LAN-Admin rights. Control of the Administrator User-id has not been turned over to TDC. CJC Management needs the Administrator User-id to log the print services on the network. The Users having the Administrator Userid have been instructed not to use this ID for other for any other network tasks. The risk is still present for CJC staff to use the Administrator User-id without the action being related to one User. D. Implemented. The Administrators Group Users has been reviewed and only the persons needing access are now members. E. Implemented. The Group has been reviewed. Management will keep redundancies if Users perform dual roles. Management thinks this logic will permit ease of maintenance. If a User role changes then that persons User-ID will be removed from that group. Since this was a record keeping issue not an access risk item Audit has no issue with management s resolution. F. Implemented. Unneeded Generic and system User-id s have been removed. Currently one generic User-id is needed for the daily operation. G. Partially Implemented. Management did not formally review the sub-directories located on the NT servers. Some minor changes have been made. Management will make the changes when the Development Server for the NT network application function is installed H. Not Implemented. Management has not addressed this item. I. Implemented. CJC has technically qualified persons with overall security responsibility. 2. The ICD Application Documentation Is Not Adequate To Support Effective Maintenance and Enhancement Of The Product. The ICD application does not have adequate documentation to support the users maintenance and enhancement needs. The contract with Innovative, the vendor who provided the initial software product, only required source code. The contract was deficient in the area of application documentation requirements, as discussed below. The IT department has not set minimum County standards for documentation for applications running in the network server environment. However, in order for the

9 technical support department to maintain and/or enhance the application without technical staffing risk, documentation should include: System diagrams Application flows Program narratives Data flows Data edits that are included in the application SQL data structures Server directory definitions and data content information In some cases the Contractor did supply segments of the above items, but in most cases, the information is no longer current. Recommendation: CJC management request IT to construct a plan to consolidate, evaluate and update the limited documentation supplied by Innovative. After completing the updating, documentation to support the ongoing maintenance as well as user enhancements for the application should be developed. Status: Not Implemented. CJC management has not taken action on this issue. Management informed Audit that the maintenance of the application is under IT. We continue to encourage implementation of our recommendation. 3. The Procurement Of The Innovative Software Solutions Contract Was Not Competitively Offered for Bid. The Clerk s Office granted the contract to Innovative to provide services for the Courtroom Automation Project with no advertisement to solicit bids from other vendors. CJC management stated that Innovative was under contract with the IT Department and worked on existing programs relating to courtroom applications. Since the contractor had experience with the applications and IT was satisfied with their performance, the Clerk s Office decided to offer the new project contract to Innovative. The Clerk s Office Policies and Procedures, Chapter 12, Purchasing, states that all purchases or contracts for goods or services over $20,000 be advertised for bids, and awarded to the lowest and best bid serving the best interest of Pinellas County. The Clerk s Policies offer the ability to have Noncompetitive Purchases, if the goods or services are available from only one source. No documentation was present to support exercising this exemption.

10 Recommendation: The Clerk s Office conduct and document a good faith search for potential vendors before noncompetitive contracts are awarded. Non-competitive bid justification for any contract should be formally documented. Status: Not Implemented. Management has not formally documented justification for the non-competitively bid contract for Advanced Programming Resources. Management indicated this contract was a renewal of a terminating contract under the Board of County Commissioners due to budget cuts and to obtain the original programmer of the in-court docketing application. Although this may be a justifiable reason to non-competitively bid the contract, the Clerk s policies and procedures require documented justification of non-competitively bid contracts. Management indicated in most cases some formal documentation is utilized, but did not document this contract because it was a renewal of an existing contract under the Board of County Commissioners. However, the decision to not seek competition should be justified. 4. Information Relating To Service Rendered Present On The Contractor s Invoices Did Not Comply With Contract Requirements. The Contractor billed the County for a total of 14,055 hours (6.8 man-years) for the Courtroom Automation Project. Invoices did not identify the specific elements of the ICD programs which were being worked on. The billings only contained hours worked by each contractor and their living and air travel expenses. The Innovative Contract, Section 5, Compensation, states, Payments shall be made in accordance with Florida Prompt Payment Act upon the receipt of bimonthly invoices from the Contractor which include date of service by the subcontractors, the nature of the services performed, and the number of hours per subcontractor per day. The invoices did not contain adequate information to permit Court Administration Management to relate hours billed to the status of work completed. Without the ability to relate the task performed to the hours being billed, a key control was eliminated in the oversight of the Contractor s performance and expense verification.

11 Recommendation: Future contracts require detailed invoices to ensure compliance with payment terms. Status: Not Implemented. Invoices submitted for IT services under the current Courtroom Automation project only lists hours worked with no details as to what portion of the project the contractor worked on. 5. Contract Compliance For Insurance Coverage Was Not Properly Monitored. There is no documentation to support Workers Compensation coverage for August 27, 1997 to August 31, 1998 and September 2, 1999 to August 31, In addition, General Liability insurance coverage was not documented for September 2, 1997 to August 31, 1998 and September 2, 1999 to August 31, For the remaining contract time frame, proof of insurance was received from the Contractor. The Innovative Contract, Section 5, Compensation, states, Prior to the time Contractor is entitled to commence any part of the project, work or service under this agreement, Contractor shall procure, pay for and maintain at least the following insurance coverage limits. Said insurance shall be evidenced by delivery to the County of (1) certificate of insurance executed by the insurers listing coverage s and limits, expiration date and terms of polices and all endorsements upon whether or not required by the County, and listing all carriers said policies; and (2) a certified copy of each policy including all endorsements. The Contract required Workers Compensation in at least the limits as required by Florida Law and Comprehensive General Liability. The lack of complete insurance coverage documentation represents poor monitoring of contract requirements and if coverage was not in place, increased County liability issues. Recommendation: Future contracts be closely monitored to ensure compliance with insurance terms. Status: Not Implemented. The current Courtroom Automation IT contract requires the contractor maintain Workers Compensation insurance. No insurance certificate was maintained by the management. Insurance monitoring controls require

12 management to maintain a tickler system that would alert management in advance when an insurance certificate expires and the amount of coverage required by the contract. We did not observe a tickler procedure present to ensure adequate monitoring of active insurance certificates.