AUDIT REPORT. Citizens Insurance Suite Check Printing Audit Opinion: Needs Improvement. June 11, 2015

Transcription

1 AUDIT REPORT Citizens Insurance Suite Check Printing Audit Opinion: Needs Improvement June 11, 2015 Citizens Insurance Suite Check Printing

2 Table of Contents: Page Executive Summary Background 1 Objectives and Scope 1 Audit Opinion 1 Appendices Definitions 3 Issue Classifications 4 Distribution 6 Audit Performed By 6

3 Executive Summary Background During March 2015, Finance management requested a review of the check printing process following an instance where IT support, as a test while repairing a broken check printer, reprinted a previously processed check file containing check data from the Citizens Insurance Suite application. OIA was informed that the checks were reprinted on plain white paper and there was no indication of any fraudulent activity associated with the reprinted checks. OIA was requested to assess the check printing process to validate that appropriate access controls had been applied during the Citizens Insurance Suite implementation project and to recommend necessary changes so that only specific Accounting personnel can perform check processing functions. The check processing work flow comprises five primary components, each consisting of underlying software and hardware: Audit Objectives and Scope With this audit, we evaluated the adequacy and effectiveness of the security access controls associated with the Citizens Insurance Suite check processing work flow. Our scope included a review of logical and physical access to all workflow steps including automated and manual procedures, batch jobs, output files, file storage systems and the physical security of the printers. Additionally, security access was also reviewed for the applicable servers and databases that are foundational to the process. Audit Opinion Based upon our audit work, the overall effectiveness of the processes and controls evaluated during the audit is rated as Needs Improvement. We found that Accounting personnel responsible for check printing have a strong knowledge of the process. This knowledge is invaluable in recognizing anomalies that may present a financial risk to the company. However, our work also indicated some specific opportunities to strengthen the control environment for checks originating from the Citizens Insurance Suite including: The need to implement encryption or other security measures for the check data files created by the Citizens Insurance Suite batch process. The current output file as well as archived files are located on a network storage server and neither file type is appropriately secured. Encryption was a business requirement identified in the system design document for the archived file copies; however, the design was not implemented as intended. Implementing encryption or other approved security measures for P a g e 1

4 Executive Summary the current and archived check data would prevent intentional or erroneous manipulation prior to a valid check run and deter attempts to circumvent the approved work flow process. Other issues considered as low risk were identified and discussed with management during the audit, some of which have been resolved. We would like to thank management and staff in Accounting, Budget and Financial Systems, Application Development, Application Delivery, Engineering Services, Facilities, and Information Security for their cooperation and professional courtesy throughout the course of this audit. P a g e 2

5 Appendix 1 Definitions Audit Ratings Satisfactory: Critical internal control systems are functioning in an acceptable manner. There may be no or very few minor issues, but their number and severity relative to the size and scope of the operation, entity, or process audited indicate minimal concern. Corrective action to address the issues identified, although not serious, remains an area of focus. Needs Improvement: Internal control systems are not functioning in an acceptable manner and the control environment will require some enhancement before it can be considered as fully effective. The number and severity of issues relative to the size and scope of the operation, entity, or process being audited indicate some significant areas of weakness. Overall exposure (existing or potential) requires corrective action plan with priority. Unsatisfactory: One or more critical control deficiencies exist which would have a significant adverse effect on loss potential, customer satisfaction or management information. Or the number and severity of issues relative to the size and scope of the operation, entity, or process being audited indicate pervasive, systemic, or individually serious weaknesses. As a result the control environment is not considered to be appropriate, or the management of risks reviewed falls outside acceptable parameters, or both. Overall exposure (existing or potential) is unacceptable and requires immediate corrective action plan with highest priority. P a g e 3

6 Appendix 2 Issue Classifications Control Category High Medium Low Financial Controls (Reliability of financial reporting) Operational Controls (Effectiveness and efficiency of operations) financial statement misstatements >USD 5 million Control issue that could have a pervasive impact on control effectiveness in business or financial processes at the business unit level A control issue relating to any fraud committed by any member of senior management or any manager who plays a significant role in the financial reporting process losses >USD 2.5 million Achievement of principal business objectives in jeopardy Customer service failure (e.g., excessive processing backlogs, unit pricing errors, call center non responsiveness for more than a day) impacting 10,000 policyholders or more or negatively impacting a number of key corporate accounts prolonged IT service failure impacts one or more applications and/or one or more business units negative publicity related to an operational control issue An operational control issue relating to any fraud committed by any member of senior management or any manager who plays a significant role in operations financial statement misstatements between USD 2.5 million to 5 million Control issue that could have an important impact on control effectiveness in business or financial processes at the business unit level losses between USD 0.5 to 2.5 million Achievement of principal business objectives may be affected Customer service failure (e.g., processing backlogs, unit pricing errors, call center non responsiveness) impacting 1,000 policyholders to 10,000 or negatively impacting a key corporate account IT service failure impacts more than one application for a short period of time financial statement misstatements below USD 2.5 million Control issue that does not impact on control effectiveness in business or financial processes at the business unit level losses below USD 0.5 million Achievement of principal business objectives not in doubt Customer service failure (e.g., processing backlogs, unit pricing errors, call center non responsiveness) impacting less than 1,000 policyholders IT service failure impacts one application for a short period of time P a g e 4

7 Appendix 2 Control Category High Medium Low Any operational issue leading to death of an employee or customer Any operational issue leading to injury of an employee or customer Compliance Controls (Compliance with applicable laws and regulations) Remediation timeline for public censure, fines or enforcement action (including requirement to take corrective actions) by any regulatory body which could have a significant financial and/or reputational impact on the Group Any risk of loss of license or regulatory approval to do business Areas of non-compliance identified which could ultimately lead to the above outcomes A control issue relating to any fraud committed by any member of senior management which could have an important compliance or regulatory impact Such an issue would be expected to receive immediate attention from senior management, but must not exceed 60 days to remedy. for public censure, fines or enforcement action (including requirement to take corrective action) by any regulatory body Areas of noncompliance identified which could ultimately lead to the above outcomes Such an issue would be expected to receive corrective action from senior management within 1 month, but must be completed within 90 days of final Audit Report date. for non-public action (including routine fines) by any regulatory body Areas of noncompliance identified which could ultimately lead the above outcome Such an issue does not warrant immediate attention but there should be an agreed program for resolution. This would be expected to complete within 3 months, but in every case must not exceed 120 days. P a g e 5

8 Appendix 3 Distribution Addressees Copies Fred Deeb, Director Budget and Financial Systems Curt Overpeck, Chief Information Officer Juan Cocuy, Citizens Audit Committee Chairman Bette Brown, Citizens Audit Committee Member Jim Henderson, Citizens Audit Committee Member Barry Gilway, President/CEO/Executive Director Kelly Booten, Chief Systems and Operations Charles Johnson, Chief Human Resources Officer Jennifer Montero, Chief Financial Officer Christine Ashburn, VP, Legislative and External Affairs and Communications John Rollins, Chief Risk Officer Dan Sumner, Chief Legal Officer and General Counsel Aditya Gavvala, VP Application Delivery Robert Sellers, VP IT Infrastructure and Operations Debby Kearney, Director, Ethics and Compliance Officer Bruce Meeks, Inspector General Mario Andrade, Director IT Infrastructure Robert Borland, Director Application Development and Delivery Mitch Brockbank, Director IT Security and Risk Cherri Linn, Director Facilities and General Services Following Audit Committee Distribution The Honorable Rick Scott, Governor The Honorable Jeff Atwater, Chief Financial Officer The Honorable Pam Bondi, Attorney General The Honorable Adam Putnam, Commissioner of Agriculture The Honorable Andy Gardiner, President of the Senate The Honorable Steve Crisafulli, Speaker of the House of Representatives Audit Performed By Auditor in Charge Audit Director Under the Direction of Gary Sharrock, Manager IT Audit Karen Wittlinger, Director IT Audit Joe Martins Chief of Internal Audit P a g e 6