Karen E. Rushing, Clerk of the Circuit Court and County Comptroller
AUDIT OF Human Capital Management System (HCMS) Application Controls
Audit Services, Karen E. Rushing, Clerk of the Circuit Court and County Comptroller, Ex Officio County Auditor
Patricia J. Entsminger, CPA, CFE, Kerkering, Barberio & Co., Certified Public Accountants
Audit Team: Paul F. DeLeo, CPA, CISA, Information Systems Auditor
August 2012
Report No. 2012-04, Project No. 2012-002
Table of Contents
Summary and Results
Opportunity for Improvement
Summary and Results

Synopsis
The responsible managers and staff of the Human Resources Service Management Business Center (HR) have implemented processes and application controls that adequately mitigate risks related to the Human Capital Management System (HCMS). One enhancement to these controls was recommended, and it was implemented before the conclusion of the audit.

Objectives, Scope and Methodology
An audit was conducted of the Human Capital Management System's (HCMS) application controls, based on the application audit program commissioned by the Information Systems Audit and Control Association (ISACA). That audit program is aligned with Control Objectives for Information and related Technology (COBIT), a widely accepted framework of generally accepted good practices promulgated by the IT Governance Institute. The objectives of this audit were to:
- Determine whether responsible managers have identified and evaluated risks related to this information system.
- Determine whether adequate and effective application controls were in place to provide reasonable assurance that these risks have been mitigated.
The scope of the audit included:
- Identification of HCMS application controls;
- Evaluation of application control effectiveness; and
- Identification of issues requiring management attention.
To meet the objectives of the audit and to obtain a clear understanding of HCMS, the following procedures were performed:
Inquired of Human Resources Data Management & Analysis personnel to gain an understanding of the following:
a) Business requirements the system was designed to fulfill;
b) System design and enhancement;
c) Application controls;
d) Change/configuration management controls;
e) User access controls;
f) Compliance with regulatory requirements;
g) Control weakness detection and remediation practices; and
h) Routine system administration tasks and their assignment among the Data Management & Analysis group, Enterprise Information Technology (EIT) and contracted service providers.
Inquired of HR service employees to gain an understanding of their specific business processes.
Inquired of the senior benefit analyst to obtain an understanding of the employee benefit component of HCMS.
Tested application controls of the HCMS by observing HR service employees perform routine duties and tasks on the system.
Verified with the Chief Information Officer that third-party vendor access was terminated on the date the system was no longer outsourced to that vendor for development, maintenance and hosting, and tested that the vendor's access was inactive.
Tested the presence and effectiveness of HCMS application controls by determining whether the design of the system provides for identification and management of authorization levels, inspecting authorization lists, comparing each user's authorization level with the user's job title and duties, and observing that authorization levels are properly applied.

Overall Results
These procedures determined that user login credentials were susceptible to interception while in transit between users' computers and the server that hosts HCMS. Managers responsible for HCMS promptly addressed this control weakness by reconfiguring HCMS to encrypt all client/server data communications. A detailed action plan and additional comments from the responsible managers are included in the Opportunity for Improvement section of this report.

Background
The Human Capital Management System (HCMS) is used by Sarasota County to automate Human Resources business processes and employee benefit administration. The system is tightly integrated with the GovMax budget management system. GovMax has evolved considerably since it was initially developed by EIT in the early 1990s; more recently, its architecture was redesigned and rebuilt using current technologies.
The County reports that this upgrade improved the system's functionality, user interface and security, and created a technical foundation that can more readily support future business needs such as integration with HCMS. Examples of processes automated by HCMS include:
- Employee record-keeping (e.g. personal information, employment status, job classification);
- Performance management reviews and merit increases;
- Enterprise-wide compensation planning;
- Facilitation of employee self-service via enet;
- Recording new employees' benefit elections, changes triggered by life events, and Open Enrollment elections; and
- Production of carrier files used to inform benefit providers of changes to employees' coverage.
Opportunity for Improvement

The following opportunity to strengthen an application control and further mitigate risk was noted. The audit was neither designed nor intended to be a detailed study of every relevant system component, procedure, or transaction. Additional opportunities for improvement may exist in areas outside the defined scope of the audit.

Condition Observed
HCMS is accessible via the internet without a Virtual Private Network (VPN) connection, and the system was not configured to transmit user names and passwords securely. These credentials were transmitted in the clear between the user's computer and the server that hosts HCMS. Freely available packet-capture tools let anyone positioned on the network path eavesdrop on this communication and automatically record user names and passwords. This tactic is particularly fruitful on publicly accessible wireless networks, such as those provided by municipalities, restaurants, hotels and airports, where other users of the network can observe the traffic.

Opportunity for Change
Reconfigure HCMS to transmit users' login credentials only over an encrypted connection (SSL/TLS), so that an eavesdropper who captures the traffic obtains nothing usable. The encryption should cover the entire session rather than only the login page, since the session cookie issued after login grants the same access as the password it replaced.

Management Response
We concur.

Action Plan
We have implemented the Secure Sockets Layer (SSL) protocol on servers used to host HCMS. This encrypts all network communications between users' web browser clients and servers used to host HCMS.
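The finding and the action plan above describe the weakness and its fix in general terms. As an added example, not part of the audit report or of the County's HCMS, the following Python script shows what an eavesdropper on a shared network recovers from a login form posted over plain HTTP, and what a reviewer would still check after SSL/TLS is enabled: that the session cookie is marked Secure (and HttpOnly) and that the server sends a Strict-Transport-Security header, because an encrypted login that hands back a cookie usable over plain HTTP is only half a fix. The host name, form field names, cookie name and both captured exchanges are constructed assumptions.

```python
"""Audit a captured HTTP login exchange for cleartext credentials.

Added example, not from the audit report or from HCMS. The two captures below
are constructed: the first models the condition observed (a login form posted
over plain HTTP), the second models the remediated exchange carried over
SSL/TLS. Host name, field names and cookie name are assumptions.
"""
from urllib.parse import parse_qs

# Form field names commonly used for login credentials (assumption).
CREDENTIAL_FIELDS = {"username", "user", "login", "userid", "password", "passwd", "pwd"}


def parse_http_message(raw: bytes) -> dict:
    """Split an HTTP/1.1 request or response into start line, headers and body.

    Header names are lower-cased; repeated headers (e.g. Set-Cookie) are kept
    as a list so none is lost.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"start": lines[0], "headers": headers, "body": body.decode("latin-1")}


def extract_form_credentials(request: dict) -> dict:
    """Return credential fields from a urlencoded POST body, as a sniffer would."""
    if not request["start"].startswith("POST "):
        return {}
    content_type = request["headers"].get("content-type", [""])[0]
    if "application/x-www-form-urlencoded" not in content_type:
        return {}
    form = parse_qs(request["body"])
    return {k: v[0] for k, v in form.items() if k.lower() in CREDENTIAL_FIELDS}


def audit_login_exchange(request_raw: bytes, response_raw: bytes, encrypted: bool) -> list:
    """Return a list of findings for one login request/response pair.

    `encrypted` records whether the exchange travelled inside SSL/TLS. On the
    wire only the plaintext exchange is readable; the encrypted one is assumed
    to have been captured at the client (e.g. through a browser proxy).
    """
    findings = []
    request = parse_http_message(request_raw)
    response = parse_http_message(response_raw)

    credentials = extract_form_credentials(request)
    if credentials and not encrypted:
        findings.append("credentials sent in the clear: " + ", ".join(sorted(credentials)))

    # The session cookie is as valuable as the password: without the Secure
    # attribute a browser will also send it over http://, undoing the fix.
    for cookie in response["headers"].get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks the Secure attribute")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks the HttpOnly attribute")

    # HSTS stops browsers from ever falling back to http:// for this host.
    if encrypted and "strict-transport-security" not in response["headers"]:
        findings.append("no Strict-Transport-Security header")
    return findings


# Constructed capture: the condition observed (plain HTTP, no VPN).
CLEARTEXT_REQUEST = (
    b"POST /hcms/login HTTP/1.1\r\n"
    b"Host: hcms.example.gov\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 33\r\n\r\n"
    b"username=jdoe&password=Winter2012"
)
CLEARTEXT_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://hcms.example.gov/hcms/home\r\n"
    b"Set-Cookie: HCMSSESSION=a1b2c3; Path=/\r\n\r\n"
)

# Constructed capture: the remediated exchange after SSL/TLS was enabled.
SECURE_REQUEST = CLEARTEXT_REQUEST  # same form, now carried inside TLS
SECURE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://hcms.example.gov/hcms/home\r\n"
    b"Set-Cookie: HCMSSESSION=a1b2c3; Path=/; Secure; HttpOnly\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n\r\n"
)

if __name__ == "__main__":
    for label, req, resp, enc in [
        ("before", CLEARTEXT_REQUEST, CLEARTEXT_RESPONSE, False),
        ("after", SECURE_REQUEST, SECURE_RESPONSE, True),
    ]:
        print(label, audit_login_exchange(req, resp, enc) or ["no findings"])
```

Run against the "before" capture the script reports the user name and password in the clear plus an unprotected session cookie; against the "after" capture it reports nothing. In practice the request bytes would come from a packet capture on the shared network (for plain HTTP) or from a browser proxy (for the encrypted exchange), and the `encrypted` flag from the port or TLS handshake observed.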