Performance Audit of the San Diego Convention Center s HR Systems AUGUST 2014



Similar documents
Performance Audit of the San Diego Convention Center s Information Technology Infrastructure JULY 2012

CASH COUNT AND BANK RECONCILIATION AUDIT

Cloud Computing Contract Clauses

SRA International Managed Information Systems Internal Audit Report

STATE OF NORTH CAROLINA

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Information Security Program

Submitted by: Christopher Mead, Director, Department of Information Technology

Client Security Risk Assessment Questionnaire

STATE OF NORTH CAROLINA

Workers Compensation Commission

AUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT TRANSPORTATION AUDIT PROGRAM

OFFICE OF THE CITY CONTROLLER

Interim Audit Report. Borough of Broxbourne Audit 2010/11

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland

Practical and ethical considerations on the use of cloud computing in accounting

SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch

State and District Monitoring of School Improvement Grant Contractors in California FINAL AUDIT REPORT

Data Privacy, Security, and Risk Management in the Cloud

March 17, 2015 OIG-15-43

Austin Fire Department Worker Safety Audit

OFFICE OF THE STATE AUDITOR TWO COMMODORE PLAZA 206 EAST NINTH STREET, SUITE 1900 LAWRENCE F. ALWIN, CPA

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

Information for Management of a Service Organization

System and Network Security Policy Internet User Guidelines and Policy. North Coast Council West Canal Road Valley View, Ohio 44125

PeopleSoft IT General Controls

Risk Management of Outsourced Technology Services. November 28, 2000

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

ACCOUNTING AND FINANCIAL REPORTING REGULATION MANUAL

System Description of the Date Center System Relevant to Security and Availability (SOC 3) November 1, 2011 through April 30, 2012

GARMIN LTD. CORPORATE GOVERNANCE GUIDELINES

Office of the City Auditor. Audit Report. AUDIT OF ACCOUNTS PAYABLE APPLICATION CONTROLS (Report No. A10-003) October 2, 2009.

Innovation and Technology Department

Payroll Process Final Audit Report Report Nr. 13/12 August 30, 2012

HIPAA/HITECH Compliance Using VMware vcloud Air

INFORMATION TECHNOLOGY RISK MANAGEMENT PLAN

GUIDANCE FOR MANAGING THIRD-PARTY RISK

Vendor Management Best Practices

Office of Inspector General

City of Berkeley. Prepared by:

Date: October 1, Audit, Finance and Enterprise Committee. Jennifer Ruttman, City Auditor. Audit of Workers Compensation Program

HIPAA in the Cloud. How to Effectively Collaborate with Cloud Providers

Policy-Standard heading. Fraud and Corruption Policy

Comptroller of Maryland Information Technology Division Annapolis Data Center Operations

Estate Agents Authority

Credit Union Liability with Third-Party Processors

Software-as-a-Service (SaaS) Solutions from CA Technologies Frequently asked questions

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT

Avoiding Theft in Your Nonprofit Ohio Attorney General Mike DeWine

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

BARRIO COMPREHENSIVE FAMILY HEALTH CARE CENTER, INC., DID NOT ALWAYS FOLLOW FEDERAL REGULATIONS

Risky Business. Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015

Cybersecurity: Protecting Your Business. March 11, 2015

OPERATIONAL AUDIT OKLAHOMA BOARD OF LICENSED ALCOHOL AND DRUG COUNSELORS FOR THE PERIOD JULY 1, 2006 THROUGH JUNE 30, 2008

Can You be HIPAA/HITECH Compliant in the Cloud?

Using COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister

Department of Homeland Security

STATEMENT OF JOHN E. MCCOY II DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITS U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE

Cloud Technology Platform Enables Leading HR and Payroll Services Provider To Meet Solution Objectives

Transcription:

Performance Audit of the San Diego Convention Center s HR Systems HUMAN RESOURCES SOFTWARE AS A SERVICE SYSTEM RISKS ARE APPROPRIATELY MITIGATED AUGUST 2014 Audit Report Office of the City Auditor City of San Diego

This Page Intentionally Left Blank

Table of Contents Introduction 1 Background 2 Audit Results 4 THE CONVENTION CENTER HAS MITIGATED RISKS INHERENT TO OUTSOURCING HR SYSTEM SOFTWARE 4 Appendix A: Objectives, Scope, and Methodology 6

This Page Intentionally Left Blank

August 14, 2014 Carol Wallace, President and Chief Executive Officer San Diego Convention Center Transmitted herewith is an audit report on the San Diego Convention Center s Human Resources Systems. We have completed this report as requested by the Convention Center. This report is presented in accordance with City Charter Section 39.2. Management s response to the report is presented on page 8. We would like to thank the Convention Center s staff for their assistance and cooperation during this audit. All of their valuable time and efforts spent providing us information is greatly appreciated. The audit staff members responsible for this audit report are Stephen Gomez, Danielle Knighten, and Kyle Elser. Respectfully submitted, Eduardo Luna City Auditor cc: City of San Diego Audit Committee Members OFFICE OF THE CITY AUDITOR 1010 SECOND AVENUE, SUITE 555, WEST TOWER SAN DIEGO, CA 92101 PHONE (619) 533-3165 FAX (619) 533-3036 TO REPORT FRAUD, WASTE, OR ABUSE, CALL OUR FRAUD HOTLINE (866) 809-3500

This Page Intentionally Left Blank

Introduction Performance Audit of the San Diego Convention Center s HR Systems SDCC Current and Previous IT Performance Audits The San Diego City Auditor s Office (OCA) previously conducted two performance audits of risk areas within the San Diego Convention Center s (SDCC) information systems at the request of the Convention Center. The audit of the SDCC s HR Systems is the third of four IT risk areas identified in a previous risk assessment of the organization information systems environment as shown below: 1. IT infrastructure operations and security; 2. Financial systems IT controls; 3. Human Resources contracted system services; and 4. Management of IT system implementations; specifically, the implementation of the customer relationship management system. The Office of the City Auditor has completed the first three audits at the request of the San Diego Convention Center. OCA-15-004 Page 1

Background Performance Audit of the San Diego Convention Center s HR Systems The San Diego Convention Center s Role in San Diego SDCC s Economic Impact to the San Diego Region The San Diego Convention Center (SDCC) facilitates business, educational, social, cultural, and entertainment activities through several types of events, including convention and trade shows, consumer shows, conferences, community functions, meetings, seminars and performing arts. SDCC is a nonprofit public benefit corporation founded in 1984 by the City of San Diego, and operates under an independent Board of Directors appointed by the San Diego City Council. According to their 2013 annual report, the Convention Center generated $1.3 billion in economic impact to the San Diego region resulting from 148 events held in the building and the more than 760,000 attendees associated with those events. In addition to the significant economic benefits, an estimated 12,500 local jobs are supported by events held at the center. The SDCC projects their total operating revenues to be approximately 33 million dollars for Fiscal Year 2015. Due to the nature of their business, they schedule events far in advance, with several repeat annual events such as Comic-Con. In addition, the SDCC collects full payment prior to each event. The advance planning and collection of fees allows for a detailed revenue projection. The Convention Center hosts most of their IT services to maintain services such as financials, sales, and event calendar in-house; however, they have outsourced their Human Resources (HR) systems through Ultimate Software. OCA-15-004 Page 2

Performance Audit of the San Diego Convention Center s HR Systems Ultimate Software Group Inc. Ultimate Software has a proven product and longevity in the market. The vendor has been in the Human Resources IT services market and publicly traded on the Nasdaq stock exchange since the 1990 s. Ultimate has employees in 150 countries with approximately 2,700 customers, including Adobe Systems Incorporated, Bloomin Brands, Culligan International, Major League Baseball, Pep Boys, Texas Rangers Baseball, and Texas Roadhouse. According to their shareholder letter in their financial statements, they have had continuous growth year after year further demonstrating their financial health. Outsourced HR System Service Offering through SaaS Model The Convention Center has utilized UltiPro by Ultimate Software as their primary HR system since 2007. The system is provided using the Software-as-a-Service (SaaS) model, where the vendor maintains all the Information Technology (IT) Aspects of the system and the Convention Center accesses it through a web portal to maintain all the day to day HR operations. The roles and responsibilities of this model as well as recourse in the case of failure are governed by a contract between the parties, with an initial three year term and extended through four addendums through June 2015. OCA-15-004 Page 3

Audit Results Performance Audit of the San Diego Convention Center s HR Systems THE CONVENTION CENTER HAS MITIGATED RISKS INHERENT TO OUTSOURCING HR SYSTEM SOFTWARE The risks associated with utilizing the Software-as-a-Service (SaaS) model of outsourcing have been mitigated through contractual safeguards, contractual segregation of duties, external audits, and secondary controls. Contract Risks & Mitigations Common risks associated with outsourcing IT services to third party hosting include: Failure to deliver contractual services (inadequate contract definitions, poor business practices, insolvency); Poor IT security resulting in theft of data/data breach; Disclosure of sensitive data; and Loss of data resulting from inadequate data recovery ability. The Convention Center mitigates several of these risks through appropriate contract definition, such as roles & responsibilities definitions, recovery requirements, and warranty and indemnification clauses. We reviewed Ultimate Software s most recent Service Organization Controls (SOC1 1 ) Type 2 report, which provides an overall assessment of their financial and product control environment to provide third party assurance over the reliability of Ultimate Software s service offering. KPMG conducts control testing and issues Ultimate Software s SOC report every six months. 1 As defined by the AICPA, an SOC1 Type 2 reports on the fairness of the presentation of management s description of the service organizations system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period. OCA-15-004 Page 4

Performance Audit of the San Diego Convention Center s HR Systems Customer Responsibilities Ultimate Software is responsible for all aspects of the HR system, except those defined as the responsibility of the Convention Center. The Convention Center is responsible for maintaining their User IDs and Passwords, maintaining the customer side environment, and notifying Ultimate Software of events that permit changes to contractual terms. Maintaining the customer side environment includes providing UltiPro webside administration. This web-side administration contains access to define approval requirements for adjusting employee compensation and managing some Convention Center-specific process flows. The Convention Center staff still need to submit most significant changes to Ultimate Software through a ticketing system; however, a Convention Center privileged user can modify the process flow controls around the payroll approvals using the available administration access. This risk is mitigated through restricting the number of users with this access, and financial controls outside of the system requiring significant collusion to bypass payroll controls and remain undetected. Additionally, Ultimate Software maintains back-ups of customer data for 12 weeks in addition to other SaaS standard controls meant to safeguard customer data. OCA-15-004 Page 5

Performance Audit of the San Diego Convention Center s HR Systems Appendix A: Objectives, Scope, and Methodology Objectives In accordance with the City Auditor s FY 2015 Work Plan and at the request of the San Diego Convention Center (SDCC), we conducted an IT audit of the Human Resources (HR) Systems to assess the controls over the HR systems contract and customer responsibilities. Specifically, our objective was to review the appropriateness of the controls and performance measures defined in the contract and review the strength of the controls as well as the vendor s compliance with the defined controls. Scope & Methodology In order to ensure we reviewed all relevant systems corresponding to the HR processes, we performed a risk assessment of SDCC s HR systems environment, including a review of SDCC s HR business processes. Through this assessment we confirmed that the Convention Center utilizes UltiPro by Ultimate Software in a Software-as-a- Service (SaaS) for their HR processes. We then reviewed the Ultimate Software Contract, dated September 2007 through the fourth addendum active until June 2015, to ensure it appropriately addressed responsibilities, Convention Center risks, and mitigations. In addition, we reviewed system data as well as the results of a Service Organization Controls review to evaluate Ultimate s compliance with the defined controls. We then reviewed remaining risks resulting from customer responsibilities to ensure the Convention Center has adequately mitigated remaining significant contractual risks. System configuration and user access data was obtained and reviewed during the May through July 2014 audit period. OCA-15-004 Page 6

Performance Audit of the San Diego Convention Center s HR Systems We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. OCA-15-004 Page 7

San Diego Convention Center Corporation WWW. VISITSANOIEGO.COM 111 WEST HARBOR DRIVE, SAN DIEGO, CA 92101 PHONE 619.525.5000 FAX 619.525.5005 August 8, 2014 Mr. Eduardo Luna City Auditor Office of the City Auditor Dear Mr. Luna: The San Diego Convention Center Corporation's management would like to thank the City Auditors for their through audit of our Human resources IT System, and to convey our agreement with the audit