External Audit Reviews. Report by Director of Finance

Transcription

1 THE HIGHLAND COUNCIL AUDIT AND STANDARDS COMMITTEE 4 DECEMBER 2003 Agenda Item Report No External Audit Reviews Report by Director of Finance SUMMARY The pages that follow contain a report from the Council's External Auditors, (Audit Scotland). It informs Members of the recommendations made in the activity reviewed and reported since the date of the last Committee. The Action Plan, agreed by the relevant Service Manager, is included within the report. 1. Reports included: Ref. Service Subject Date Pages 133 Corporate 06/11/03 RECOMMENDATION Members are invited to consider the above report Signature: Designation: Director of Finance Date: 25 November 2003

2 Maggie Bruce CA, Senior Audit Manager Audit Scotland, Ballantyne House, 84 Academy Street, Inverness IV1 1LU Tel no Fax no The Highland Council

3 Contents Contents Section 1 Page Executive summary 1 Section 2 Action plan 3 Section 3 Introduction 7 Section 4 Migration of data to the new payroll system 8 Section 5 ICT controls operating within the new payroll system 10 Audit Services Audit Scotland

4 Section 1 Executive summary Introduction 1.1 The Highland Council employs approximately 18,500 employees at an annual cost of 184 million. The Council processes 23 individual payrolls (including those processed for the Highland and Western Isles Valuation Joint Board and other bodies) with employees allocated to a payroll group on the basis of employing department, payment frequency and conditions of service. 1.2 During 2002/03, the Council and its ICT provider, Fujitsu Services, began to replace its existing in-house payroll system, written in 1975, with Northgate Information Systems integrated payroll and personnel system, ResourceLink. At the time of our audit, nine payrolls had been transferred to the new system. The Council intends to complete the migration of all payrolls by November As part of our 2002/03 we undertook an overview of the new payroll system, including: the arrangements in place for the migration of existing data to the new payroll system; the ICT controls operating within the new payroll system. 1.4 This report summarises the findings from our review and, where appropriate, makes recommendations to address the weaknesses identified. The weaknesses identified are only those which have come to our attention during the course of our normal audit work and are not necessarily, therefore, all the weaknesses which may exist. It is the responsibility of management to decide the extent of the internal control systems appropriate to the Council. We would stress, however, that an effective control system is an essential part of the efficient management of any organisation. Summary of Main Findings 1.5 Our review revealed that the arrangements in place for the migration of existing data to the new payroll system are generally satisfactory, although there is scope for improvement. In particular, the acceptance of the data by the user department and their agreement that the new system should go live is not adequately documented. Our audit identified that all Pensions and Audit staff had access to the Invalid Login screen which displays details of incorrectly keyed passwords and the associated operator ids. This represented a serious security risk to the system as a member of the Pensions staff could potentially use this information to access the system using another officer s operator id and password. We brought our concerns to the attention of the Project Team Leader and are pleased to note that a systems upgrade has now been applied which ensures that incorrectly keyed passwords are no longer displayed on the Invalid Login screen. Areas of Good Practice a project team has been established to oversee the migration to the new integrated payroll/personnel system; a Migration Process Checklist has been developed which records all the expected steps and sign off milestones for the migration of each payroll. An error log is also maintained to record all exceptions and errors identified throughout the process, and the action taken to resolve them; Audit Services - Audit Scotland Page 1

5 Section 1 parallel running is undertaken to ensure that the new system is operating properly prior to going live ; a Systems Administration Manual has been developed which documents control mechanisms, procedures for release management and for back-up and restoration of the new payroll system; a Risk Register is maintained which documents the main risks to the new payroll system and how these are being addressed by the Council and Fujitsu Services. Areas with Scope for Improvement the acceptance of data transferred to the new payroll by the user department is not adequately documented. A senior officer within the user department should complete a pro-forma document to confirm their acceptance of the data and their agreement that the new payroll should go live ; the existing Payroll Service Description, which forms the basis of the relationship between the ICT service provider and the client department, will not be updated until all payrolls have been migrated to the new payroll system. We have been advised that Fujitsu Services have proposed that, in future, Service Descriptions be produced at the start of each project and would support this move towards good practice in project management; the risks of granting SUPERVISOR access, which includes the ability to set up new users on the system, to live payrolls should be assessed as a matter of urgency to ensure that adequate compensatory controls are in place to protect live payroll data; there is no guidance on the setting of the pre-determined period after which the system prompts the user to change their password (password duration) or disables their access due to non-use (account dormancy); control over operator ids requires to be improved. In particular, generic operator ids, which cannot be traced back to individual employees, should be restricted to specific circumstances and their use closely monitored and controlled. Action Plan 1.6 The Action Plan included in Section 2 of this report sets out the agreed actions to be taken in response to the main recommendations, graded to show their relative priority, and the timescales within which the issues are to be addressed. The Action Plan should be read in conjunction with the relevant reference from the main findings (Section 4). 1.7 The factual accuracy of the contents of this report, and the remedial action to be taken, have been agreed in discussion with appropriate officers. Acknowledgements 1.8 The assistance and co-operation received during the course of our audit is gratefully acknowledged. Maggie Bruce, CA Senior Audit Manager Audit Services - Audit Scotland Page 2

6 Section 2 Action Plan Page/ Para Ref Rec. No. Recommendation Responsible Officer Agreed Comments Agreed Completion Date Migration of data to new payroll system 9/ The Project Team Leader should sign (in manuscript) his approval of each stage of the parallel testing process prior to requesting a senior officer within the user department to confirm their acceptance of the data and agreement that the new system should go live. Payroll & Pensions Manager Yes The previous documentation recorded the Team Leader s approval in type but not the Payroll Manager s. Documentation has been amended to include signatures (in manuscript) of each party. Completed 9/ A pro-forma document should be developed for completion by a senior officer within the user department to confirm their acceptance of the data and agreement that the new payroll should go live. Payroll & Pensions Manager Yes See comments re recommendation 1 above. Completed 9/ The reconciliations and reports/payslips retained as supporting evidence of the checks undertaken should be referenced and the file reference included on the Migration Process Checklist to enable them to be easily identified. Payroll & Pensions Manager Yes The Migration/Parallel Run Process Checklist will include the file reference. 30 November 2003 Medium priority Audit Services - Audit Scotland Page 3

7 Section 2 Page/ Para Ref Rec. No. Recommendation Responsible Officer Agreed Comments Agreed Completion Date ICT controls operating within the new payroll system 10/ A Service Description should be prepared for the new payroll system. Head of E- Government Yes The preparation of Service Descriptions will be a product associated with stages 3 and 4 of the project. 31 January / In line with good practice, Service Descriptions should be produced as part of the Product Description or Project Definition for future projects. Head of E- Government Yes This will require a change in the contractual requirements for PD production. The Head of E-Government is currently working with Fujitsu to redesign and agree a new PD format that will include a draft Service Description. 30 April / The Council should review all users with SUPERVISOR access, as a matter of urgency, to assess the risks of granting this access and ensure that adequate compensatory controls are in place to protect live payroll data. Payroll & Pensions Manager Yes A review of users with SUPERVISOR access will be carried out. 31 December 2003 Audit Services - Audit Scotland Page 4

8 Section 2 Page/ Para Ref Rec. No. Recommendation Responsible Officer Agreed Comments Agreed Completion Date 11/ Guidance should be prepared on setting the parameters for the length of time after which a user is prompted to change their password (password duration) or their access is disabled due to non-use (account dormancy). Standard frequencies should be set for each security profile based on an assessment of the risk associated with that level of access to the system. Finance Systems Officer Yes Passwords have been reviewed, and amended where necessary, to ensure that they comply with the guidance in the Council s Information Systems Security Framework. An exercise to consider the risk of different security profiles has been completed and password timeouts set accordingly. Usernames with high levels of access have been granted shorter password expiry periods. Completed Completed 11/ A list of operator ids should be produced regularly from the system and reconciled to the spreadsheet of users maintained by the Finance Systems Team. Medium priority Payroll & Pensions Manager Yes The Finance Systems Team will produce the list from the system and the spreadsheet of users on a quarterly basis. They will be reconciled by someone from the Payroll Section. 31 December / The use of generic operator ids should be restricted to specific circumstances and their use closely monitored and controlled. Payroll & Pensions Manager Yes All generic operator ids have been identified and their use will be monitored. Completed Audit Services - Audit Scotland Page 5

9 Section 2 Page/ Para Ref Rec. No. Recommendation Responsible Officer Agreed Comments Agreed Completion Date 12/ The list of operator ids produced by the system should be regularly reviewed to identify any redundant or duplicate operator ids. Payroll & Pensions Manager Yes This will be done as part of the actions for recommendations 7 and December 2003 Audit Services - Audit Scotland Page 6

10 Section 3 Introduction 3.1 The Highland Council employs approximately 18,500 employees at an annual cost of 184 million. The Council processes 23 individual payrolls (including those processed for Highland and Western Isles Valuation Joint Board and other bodies) with employees allocated to a payroll group on the basis of employing department, payment frequency and conditions of service. 3.2 During 2002/03, the Council and Fujitsu Services, its partner for the provision of ICT services, began to replace the existing in-house payroll system, written in 1975, with Northgate Information Systems integrated payroll and personnel system, ResourceLink. At the time of our audit, nine payrolls had been transferred to the new system. The Council intends to complete the migration of all payrolls by November Audit Scotland s Code of Audit Practice requires us to consider the corporate governance arrangements in place as they relate to the systems of internal control. As part of our 2002/03, therefore, we undertook an overview of the new payroll system, including: the arrangements in place for the migration of existing data to the new payroll system; the ICT controls operating within the new payroll system. 3.4 The aim of our audit was to ensure that: the data transferred to the new payroll system is complete and accurate; the key computer application controls operating within the new payroll system are adequate. 3.5 This report summarises the findings from our review and, where appropriate, makes recommendations to address the weaknesses identified. The weaknesses identified are only those which have come to our attention during the course of our normal audit work and are not necessarily, therefore, all the weaknesses which may exist. It is the responsibility of management to decide the extent of the internal control systems appropriate to the Council. We would stress, however, that an effective control system is an essential part of the efficient management of any organisation. Audit Services - Audit Scotland Page 7

11 Section 4 Migration of data to new payroll system Introduction 4.1 Prior to implementation of a replacement computer system, the data held on the previous system must be transferred to the new system. This process requires to be controlled to ensure that the data held on the new system is complete and accurate. In particular, it is essential that an audit trail is maintained of the process followed; the results of the validation exercise undertaken, including recording any errors identified and the action taken to correct them; and the acceptance of the data by the user department before the system goes live. 4.2 In order to control the migration of data from the old mainframe system to the new ResourceLink system, we would expect the Council to: establish a plan for the transfer of data; reconcile the data held on the old system to the data held on the new system; ensure all data was transferred or otherwise accounted for; ensure the data transferred to the new system was validated and accepted by the user department; maintain an audit trail to evidence that the process has been adequately controlled. 4.3 As part of our 2002/03 audit we reviewed the migration process for the following payrolls: Skye Manual Workers (payroll no. 57); Assessors (payroll no. 39). Audit Findings 4.4 A project team, comprising representatives from the Finance Service, Personnel Services and Fujitsu (the Council s IT provider), is responsible for overseeing the migration of the existing payrolls to the new integrated payroll/personnel system. The project team reports to the Project Board which consists of the Director of Corporate Services and the Director of Finance. 4.5 The Skye Manual Workers payroll (payroll no. 57) was the first to be migrated to the new payroll system. The Payroll Project Team used this payroll as a pilot exercise to develop a Migration Plan and Migration Process Checklist for use in subsequent data migrations. 4.6 Our review of the Migration Process Checklist confirmed that it defines the relative responsibilities of the Highland Council, Fujitsu and Northgate Information Systems and includes all the expected steps and sign off milestones. In addition, an error log was maintained by the Project Team throughout the migration process to record all exceptions and errors identified and the action taken to resolve them. 4.7 We are pleased to note that the Migration Process Checklist was completed for the migration of the Assessors payroll (payroll no. 39) and retrospectively for the Skye Manual Workers (payroll no. 57). Audit Services - Audit Scotland Page 8

12 Section Once all the data had been transferred to the new system, parallel running was undertaken to ensure that the new system was operating properly prior to going live. A number of checks were undertaken by the Project Team as part of this process including agreeing the total number of employees on each system, confirming the cumulative information reported on the new system s summary analysis reports to the P35 data held on the old system, and cross-checking all the information reported on individual payslips. We are pleased to note that these checks were evidenced on the Migration Process Checklist, on the Summary of Parallel Running Testing document and on the summary analysis reports and payslips. 4.9 We are concerned to note, however, that the acceptance of the data by the user department was not adequately documented. Our review of the migration documentation failed to identify any documents signed by a senior officer from the user department to evidence their acceptance of the data and agreement that the payroll should go live on the new system. It is acknowledged that the Summary of Parallel Running Testing document includes a column for the approval of the Project Team Leader and that this has been completed (typed) for both the Skye Manual Workers and Assessors payrolls. In our view, the Project Team Leader should sign (in manuscript) his approval of each stage of the parallel testing process and this should be used as the basis for requesting a senior officer within the user department to confirm their acceptance of the data and agreement that the new system should go live. A pro-forma should be developed for the senior officer s acceptance to ensure that this important control is adequately documented. Refer Action Plan Numbers 1 & Our review of the migration documentation also noted that the audit trail for the results of the parallel running testing could be improved. In particular, we would recommend that the reconciliations and reports/payslips retained as supporting evidence of the checks undertaken be referenced and the file reference included on the Migration Process Checklist to enable them to be easily identified. Refer Action Plan Number 3 Audit Services - Audit Scotland Page 9

13 Section 5 ICT controls operating within the new payroll system Introduction 5.1 The ICT controls operating within any system application are fundamental to the overall system of internal control. As part of our 2002/03 audit, we have undertaken a limited review of the key computer application controls operating within the new payroll system. We examined: the control mechanisms in place to protect the application from environmental, operational and networking risks; the change management and quality procedures in place to ensure that any changes to the application are adequately authorised and controlled; the contingency planning and business continuity arrangements adopted to ensure that there is minimum disturbance to the Council s payroll services in the event of system failure. 5.2 We intend to undertake a full review of the application controls operating within the new system once it has been fully implemented. Audit Findings Service Description 5.3 Service Descriptions form the basis of the relationship between an ICT service provider and the client department. They should define the relative responsibilities of the client and the provider and include a definition of the service to be provided, minimum service levels, availability, support framework, charging arrangements, anticipated growth levels, loading restrictions and change control procedures. 5.4 In line with the Council s current project management practices, the existing Payroll Service Description will not be updated until November 2003 once all payrolls have been migrated to the new payroll system. We have been advised, however, that Fujitsu have proposed that, in future, Service Descriptions be produced at the start of each project as part of the Product Description or Project Definition. We support this move towards good practice in project management. Control Mechanisms Refer Action Plan Numbers 4 & We are pleased to note that the Payroll Project Team have prepared a System Administration Manual which documents the control mechanisms, including access controls and monitoring of security breaches, for the Payroll and Personnel System and clearly defines the responsibilities of the Council and Fujitsu Services for their implementation. Audit Services - Audit Scotland Page 10

14 Section We were concerned to note that, at the time of our audit, members of the Payroll Project Team undertook Systems Administration duties for live payrolls. The Project Board acknowledge that this represented an inadequate segregation of duties and has appointed the Finance Systems Officer as Systems Administrator with effect from 1 July We remain concerned to note, however, that the Payroll Project Team continue to have security profiles which allow them SUPERVISOR access (including the ability to set up new users on the system) for all live payrolls. In addition, we noted a number of other users with SUPERVISOR access where it was not clear why this access is required. Refer Action Plan Number Access to the system is password controlled, with the system automatically prompting users to change their passwords (password duration) and disabling their access due to non-use (account dormancy) after a pre-determined period. We are concerned to note, however, that no guidance has been prepared on setting these parameters. Audit testing revealed inconsistencies between employees with the same security profiles and highlighted a number of employees where the period was set at the default of 999 days (nearly 3 years). Refer Action Plan Number We were also concerned to note that all Pensions and Audit staff had been granted the same security profiles, which give view only access to Systems Administrator information within the system. In particular, we noted that all levels of Pension staff had access to the Invalid Login screen which displays details of incorrectly keyed passwords and the associated operator ids. This represented a serious security risk to the system as a member of the Pensions staff could potentially use this information to access the system using another officer s operator id and password, and was further compounded by the weaknesses identified at paragraphs 5.6 and 5.9. We immediately brought our concerns to the attention of the Project Team Leader and note that a systems upgrade has now been applied which ensures that incorrectly keyed passwords are no longer displayed on the Invalid Login screen. 5.9 Each user is allocated a unique user identity (operator id) which controls their access to the system and enables transactions to be traced back to individual employees. At the time of our review, the Project Team maintained two lists of operator ids, the Register of Users and the Application installation and enabled environments by user list, which described the technical environment for each user. Our review of the operator ids defined on the system noted that neither of these lists was up-to-date. We have been advised that, since the transfer of responsibility for Systems Administration to the Finance Systems Officer, a new spreadsheet of users has been prepared which will be reconciled to the system on a regular basis. Refer Action Plan Number 8 Audit Services - Audit Scotland Page 11

15 Section Our review of the operator ids defined on the system also highlighted the following areas of concern: four generic operator ids which cannot be traced back to individual employees. All of these provide access to all levels of the system and have password duration and account dormancy controls set at very high values (in excess of 500 days). Two of these accounts have not been accessed since 2001/02; two cases where the same employee had two operator ids. We have been advised that the duplicate operator ids have been disabled since we discussed our audit findings with the Payroll Manager; one case where the operator id had not been terminated when the employee left the employment of the Council. We have been advised that this operator id has been disabled since we discussed our audit findings with the Payroll Manager. Change management and quality procedures Refer Action Plan Numbers 9 & We are pleased to note that the System Administration Manual documents procedures for release management (upgrades or customisation of the system software) and that a number of theses procedures were in operation at the time of our review. We examined the Request for Change process as part of our 2001/02 Review of Computer Network Services and concluded that procedures have been established to ensure that changes are properly authorised and controlled. Contingency planning and business continuity 5.12 Audit testing confirmed that the procedures for backup and restoration of the payroll system documented within the System Administration Manual are operating in practice. We are pleased to note that, in line with good practice, a Risk Register is maintained which documents the main risks to the new payroll system and how these are being addressed by the Council and Fujitsu Services. In particular, the operation of a dual server environment ensures that the payroll can continue to be processed in the event of a failure in the system hardware. Audit Services - Audit Scotland Page 12