AUDIT REPORT. Citizens Insurance Suite Check Printing Audit Opinion: Needs Improvement. June 11, 2015



Similar documents
AUDIT REPORT. Service Desk and Problem Management Audit Opinion: Satisfactory. November 14, Report Number: 2014-IT-04

AUDIT REPORT. Corporate Access and Identity Management Project Audit Opinion: Satisfactory. July 31, 2015

AUDIT REPORT. Cloud Software as a Service (SaaS) Procurement and Governance Audit. June 9, 2016

AUDIT REPORT. Citizens Data Warehouse Audit Opinion: Needs Improvement. Date: June 9, Report Number: 2014-AUD-IT-01

03/14/2013 Compensation Update Citizens Property Insurance Corporation Board of Governors Meeting March 22, 2013

May 2012 Report No

Audit of Business Continuity Planning

STATEMENT FROM THE CHAIRMAN

PRACTICE GUIDE. Formulating and Expressing Internal Audit Opinions

March 2007 Report No

Office of Inspector General

FLORIDA COMMISSION ON OFFENDER REVIEW (formerly Florida Parole Commission)

Cumbria Constabulary. Business Continuity Planning

REPORT 2016/035 INTERNAL AUDIT DIVISION

How quality assurance reviews can strengthen the strategic value of internal auditing*

ADMINISTRATIVE MANUAL Subject: CORPORATE RESPONSIBILITY Directive #: Present Date: January 2011

RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide

INTERNATIONAL STANDARD ON REVIEW ENGAGEMENTS 2410 REVIEW OF INTERIM FINANCIAL INFORMATION PERFORMED BY THE INDEPENDENT AUDITOR OF THE ENTITY CONTENTS

November 2009 Report No

IMMUNOTEC INC. AUDIT AND DISCLOSURE POLICY MANAGEMENT COMMITTEE CHARTER AND WHISTLEBLOWER POLICY

Internal Controls and Risk Management Report

The Advanced Certificate in Performance Audit for International and Public Affairs Management. Workshop Overview

Audit and Risk Committee Charter. 1. Membership of the Committee. 2. Administrative matters

COSO 2013 Internal Control Integrated Framework FRED J. PETERSON, PARTNER MOSS ADAMS LLP

AUDIT REPORT. Federal Energy Regulatory Commission's Fiscal Year 2014 Financial Statement Audit

Charter of the Audit Committee of the Board of Directors

STATE OF NORTH CAROLINA

DRAFT. Informing the audit risk assessment for Cheshire Fire Authority. Year ending 31 March 2013 xx April 2013

Materiality and Audit Adjustments

John Keel, CPA State Auditor. An Audit Report on The Dam Safety Program at the Commission on Environmental Quality. May 2008 Report No.

Audit, Risk and Compliance Committee Charter

AMERICAN AIRLINES GROUP INC. AUDIT COMMITTEE CHARTER

Division of Insurance Internal Control Questionnaire For the period July 1, 2013 through June 30, 2014

Informing the audit risk assessment Enquiries to those charged with governance Calderdale Council. Year ended 31 March 2013

July 6, Mr. Michael L. Joseph Chairman of the Board Roswell Park Cancer Institute Elm & Carlton Streets Buffalo, NY 14263

GUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES

Josephine Mathias. Kenneth J. Horowitz Phone: Ext

Agency Board Meeting 28 July 2015

Risk Management: Coordinated activities to direct and control an organisation with regard to risk.

How To Manage Risk At Atb Financial

Final. Internal Audit Report. Creditors System

Virginia Commonwealth University School of Medicine Information Security Standard

the role of the head of internal audit in public service organisations 2010

Bradley University Credit Card Security Incident Response Team (Response Team)

FEDERAL FAMILY EDUCATION LOAN PROGRAM (FFELP) SYSTEM

Fraud Risk Management Program Review

The Compliance Universe

NORTHERN MICHIGAN LAW ENFORCEMENT TRAINING GROUP AUDITED FINANCIAL STATEMENTS YEAR ENDED DECEMBER 31, 2009

COSO s 2013 Internal Control Framework in Depth: Implementing the Enhanced Guidance for Internal Control over External Financial Reporting

February Audit committee performance evaluation

FIRST CITIZENS BANCSHARES, INC. FIRST-CITIZENS BANK & TRUST COMPANY CHARTER OF THE JOINT AUDIT COMMITTEE

SUPERVISION GUIDELINE NO. 9 ISSUED UNDER THE AUTHORITY OF THE FINANCIAL INSTITUTIONS ACT 1995 (NO. 1 OF 1995) RISK MANAGEMENT

SALESFORCE.COM, INC. CHARTER OF THE AUDIT AND FINANCE COMMITTEE OF THE BOARD OF DIRECTORS. (Revised September 11, 2012)

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Department of Homeland Security Office of Inspector General. Audit of Application Controls for FEMA's Individual Assistance Payment Application

Audit Report for South Lakeland District Council. People and Places Directorate Neighbourhood Services. Audit of Grounds Maintenance

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

ACNB CORPORATION & SUBSIDIARIES BOARD AUDIT COMMITTEE CHARTER

FDA 50-State Conference Call OIG Early Alert on FDA s Voluntary Food Recall Initiation Process. June 10, :30 pm EDT

Company Information Management (CIM) Audit Report Report # 2/15 March 11, 2015

Risk Management Advisory Services, LLC Capital markets audit and control

Department of Homeland Security

AUDIT COMMITTEE BEST PRACTICES CHECKLIST

Transcription:

AUDIT REPORT Citizens Insurance Suite Check Printing Audit Opinion: Needs Improvement June 11, 2015 Citizens Insurance Suite Check Printing

Table of Contents: Page Executive Summary Background 1 Objectives and Scope 1 Audit Opinion 1 Appendices Definitions 3 Issue Classifications 4 Distribution 6 Audit Performed By 6

Executive Summary Background During March 2015, Finance management requested a review of the check printing process following an instance where IT support, as a test while repairing a broken check printer, reprinted a previously processed check file containing check data from the Citizens Insurance Suite application. OIA was informed that the checks were reprinted on plain white paper and there was no indication of any fraudulent activity associated with the reprinted checks. OIA was requested to assess the check printing process to validate that appropriate access controls had been applied during the Citizens Insurance Suite implementation project and to recommend necessary changes so that only specific Accounting personnel can perform check processing functions. The check processing work flow comprises five primary components, each consisting of underlying software and hardware: Audit Objectives and Scope With this audit, we evaluated the adequacy and effectiveness of the security access controls associated with the Citizens Insurance Suite check processing work flow. Our scope included a review of logical and physical access to all workflow steps including automated and manual procedures, batch jobs, output files, file storage systems and the physical security of the printers. Additionally, security access was also reviewed for the applicable servers and databases that are foundational to the process. Audit Opinion Based upon our audit work, the overall effectiveness of the processes and controls evaluated during the audit is rated as Needs Improvement. We found that Accounting personnel responsible for check printing have a strong knowledge of the process. This knowledge is invaluable in recognizing anomalies that may present a financial risk to the company. However, our work also indicated some specific opportunities to strengthen the control environment for checks originating from the Citizens Insurance Suite including: The need to implement encryption or other security measures for the check data files created by the Citizens Insurance Suite batch process. The current output file as well as archived files are located on a network storage server and neither file type is appropriately secured. Encryption was a business requirement identified in the system design document for the archived file copies; however, the design was not implemented as intended. Implementing encryption or other approved security measures for P a g e 1

Executive Summary the current and archived check data would prevent intentional or erroneous manipulation prior to a valid check run and deter attempts to circumvent the approved work flow process. Other issues considered as low risk were identified and discussed with management during the audit, some of which have been resolved. We would like to thank management and staff in Accounting, Budget and Financial Systems, Application Development, Application Delivery, Engineering Services, Facilities, and Information Security for their cooperation and professional courtesy throughout the course of this audit. P a g e 2

Appendix 1 Definitions Audit Ratings Satisfactory: Critical internal control systems are functioning in an acceptable manner. There may be no or very few minor issues, but their number and severity relative to the size and scope of the operation, entity, or process audited indicate minimal concern. Corrective action to address the issues identified, although not serious, remains an area of focus. Needs Improvement: Internal control systems are not functioning in an acceptable manner and the control environment will require some enhancement before it can be considered as fully effective. The number and severity of issues relative to the size and scope of the operation, entity, or process being audited indicate some significant areas of weakness. Overall exposure (existing or potential) requires corrective action plan with priority. Unsatisfactory: One or more critical control deficiencies exist which would have a significant adverse effect on loss potential, customer satisfaction or management information. Or the number and severity of issues relative to the size and scope of the operation, entity, or process being audited indicate pervasive, systemic, or individually serious weaknesses. As a result the control environment is not considered to be appropriate, or the management of risks reviewed falls outside acceptable parameters, or both. Overall exposure (existing or potential) is unacceptable and requires immediate corrective action plan with highest priority. P a g e 3

Appendix 2 Issue Classifications Control Category High Medium Low Financial Controls (Reliability of financial reporting) Operational Controls (Effectiveness and efficiency of operations) financial statement misstatements >USD 5 million Control issue that could have a pervasive impact on control effectiveness in business or financial processes at the business unit level A control issue relating to any fraud committed by any member of senior management or any manager who plays a significant role in the financial reporting process losses >USD 2.5 million Achievement of principal business objectives in jeopardy Customer service failure (e.g., excessive processing backlogs, unit pricing errors, call center non responsiveness for more than a day) impacting 10,000 policyholders or more or negatively impacting a number of key corporate accounts prolonged IT service failure impacts one or more applications and/or one or more business units negative publicity related to an operational control issue An operational control issue relating to any fraud committed by any member of senior management or any manager who plays a significant role in operations financial statement misstatements between USD 2.5 million to 5 million Control issue that could have an important impact on control effectiveness in business or financial processes at the business unit level losses between USD 0.5 to 2.5 million Achievement of principal business objectives may be affected Customer service failure (e.g., processing backlogs, unit pricing errors, call center non responsiveness) impacting 1,000 policyholders to 10,000 or negatively impacting a key corporate account IT service failure impacts more than one application for a short period of time financial statement misstatements below USD 2.5 million Control issue that does not impact on control effectiveness in business or financial processes at the business unit level losses below USD 0.5 million Achievement of principal business objectives not in doubt Customer service failure (e.g., processing backlogs, unit pricing errors, call center non responsiveness) impacting less than 1,000 policyholders IT service failure impacts one application for a short period of time P a g e 4

Appendix 2 Control Category High Medium Low Any operational issue leading to death of an employee or customer Any operational issue leading to injury of an employee or customer Compliance Controls (Compliance with applicable laws and regulations) Remediation timeline for public censure, fines or enforcement action (including requirement to take corrective actions) by any regulatory body which could have a significant financial and/or reputational impact on the Group Any risk of loss of license or regulatory approval to do business Areas of non-compliance identified which could ultimately lead to the above outcomes A control issue relating to any fraud committed by any member of senior management which could have an important compliance or regulatory impact Such an issue would be expected to receive immediate attention from senior management, but must not exceed 60 days to remedy. for public censure, fines or enforcement action (including requirement to take corrective action) by any regulatory body Areas of noncompliance identified which could ultimately lead to the above outcomes Such an issue would be expected to receive corrective action from senior management within 1 month, but must be completed within 90 days of final Audit Report date. for non-public action (including routine fines) by any regulatory body Areas of noncompliance identified which could ultimately lead the above outcome Such an issue does not warrant immediate attention but there should be an agreed program for resolution. This would be expected to complete within 3 months, but in every case must not exceed 120 days. P a g e 5

Appendix 3 Distribution Addressees Copies Fred Deeb, Director Budget and Financial Systems Curt Overpeck, Chief Information Officer Juan Cocuy, Citizens Audit Committee Chairman Bette Brown, Citizens Audit Committee Member Jim Henderson, Citizens Audit Committee Member Barry Gilway, President/CEO/Executive Director Kelly Booten, Chief Systems and Operations Charles Johnson, Chief Human Resources Officer Jennifer Montero, Chief Financial Officer Christine Ashburn, VP, Legislative and External Affairs and Communications John Rollins, Chief Risk Officer Dan Sumner, Chief Legal Officer and General Counsel Aditya Gavvala, VP Application Delivery Robert Sellers, VP IT Infrastructure and Operations Debby Kearney, Director, Ethics and Compliance Officer Bruce Meeks, Inspector General Mario Andrade, Director IT Infrastructure Robert Borland, Director Application Development and Delivery Mitch Brockbank, Director IT Security and Risk Cherri Linn, Director Facilities and General Services Following Audit Committee Distribution The Honorable Rick Scott, Governor The Honorable Jeff Atwater, Chief Financial Officer The Honorable Pam Bondi, Attorney General The Honorable Adam Putnam, Commissioner of Agriculture The Honorable Andy Gardiner, President of the Senate The Honorable Steve Crisafulli, Speaker of the House of Representatives Audit Performed By Auditor in Charge Audit Director Under the Direction of Gary Sharrock, Manager IT Audit Karen Wittlinger, Director IT Audit Joe Martins Chief of Internal Audit P a g e 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information