KAREN E. RUSHING. AUDIT OF Human Capital Management System (HCMS) Application Controls




KAREN E. RUSHING
Clerk of the Circuit Court and County Comptroller
AUDIT OF Human Capital Management System (HCMS) Application Controls
Audit Services
Karen E. Rushing, Clerk of the Circuit Court and County Comptroller, Ex Officio County Auditor
Patricia J. Entsminger, CPA, CFE, Kerkering, Barberio & Co., Certified Public Accountants
Audit Team: Paul F. DeLeo, CPA, CISA, Information Systems Auditor
August 2012
Report No. 2012-04
Project No. 2012-002

TABLE OF CONTENTS
Summary and Results ............ Page 3
Opportunity for Improvement .... Page 5

Summary and Results

Synopsis
The responsible managers and staff of Human Resources Service Management Business Center (HR) have implemented processes and application controls to adequately mitigate risks related to the Human Capital Management System (HCMS). A potential enhancement was recommended to these controls, which was implemented before the conclusion of the audit.

Objectives, Scope and Methodology
An audit was conducted of the Human Capital Management System's (HCMS) application controls based on the application audit program commissioned by the Information Systems Audit and Control Association (ISACA). This audit program was developed in alignment with Control Objectives for Information and related Technology (COBIT), a widely-accepted framework of generally accepted good practices promulgated by the IT Governance Institute.

The objectives of this audit were to:
- Determine if responsible managers have identified and evaluated risks related to this information system.
- Determine if adequate and effective application controls were in place to provide reasonable assurance that these risks have been mitigated.

The scope of the audit included the following:
- Identification of HCMS application controls;
- Evaluation of application control effectiveness; and
- Identification of issues requiring management attention.

To meet the objectives of the audit and to obtain a clear understanding of HCMS, the following procedures were performed:
- Inquired of Human Resources Data Management & Analysis personnel to gain an understanding of the following:
  a) Business requirements the system was designed to fulfill;
  b) System design and enhancement;
  c) Application controls;
  d) Change/configuration management controls;
  e) User access controls;
  f) Compliance with regulatory requirements;
  g) Control weakness detection & remediation practices; and
  h) Routine system administration tasks and their assignment among the Data Management & Analysis group, Enterprise Information Technology (EIT) and contracted service providers.
- Inquired of HR service employees to gain an understanding of their specific business processes.
- Inquired of the senior benefit analyst to obtain an understanding of the employee benefit component of HCMS.
- Application controls of the HCMS were tested by observing HR service employees perform routine duties and tasks on the system.
- Verified with the Chief Information Officer that third party vendor access was terminated at the date the system was no longer outsourced to the third party for development, maintenance and hosting.
- Tested that the third party vendor was inactive.
- Tested the presence of and evaluated the effectiveness of HCMS application controls by determining if the design of the system provides for identification and management of authorization levels, inspected authorization lists, compared authorization level with users' job title and duties and observed that authorization levels are properly applied.

Overall Results
The procedures led to the determination that user login credentials are susceptible to interception while in transit between users' computers and the server that hosts HCMS. Managers responsible for HCMS quickly addressed this control weakness by reconfiguring HCMS to encrypt all client/server data communications. A detailed action plan and additional comments from the responsible managers are included in the Opportunity for Improvement section of this report.

Background
The Human Capital Management System (HCMS) is used by Sarasota County to automate Human Resources business processes and employee benefit administration. This system is tightly integrated with the GovMax budget management system. GovMax has evolved considerably since it was initially developed by EIT in the early 90s. More recently, the system's architecture was redesigned and built using current technologies. It has been reported by the County that this upgrade improved the system's functionality, user interface, security and created a technical foundation that can more readily support future business needs such as integration with HCMS.

Examples of processes automated by HCMS include:
- Employee record-keeping (e.g. personal information, employment status, job classification, etc.);
- Performance management reviews and merit increases;
- Enterprise-wide compensation planning;
- Facilitation of employee self-service via enet;
- Recording new employees' benefit elections, changes triggered by life events and Open Enrollment; and
- Production of carrier files used to inform benefit providers of changes to employees' coverage.

Opportunity for Improvement

The following opportunity to strengthen an application control to further mitigate risks was noted. The audit was neither designed nor intended to be a detailed study of every relevant system component, procedure, or transaction. Additional opportunities for improvement may exist in areas outside the defined scope of the audit.

Condition Observed
HCMS is accessible via the internet without a Virtual Private Network (VPN) connection. The system was not configured to transmit user names and passwords in a secure manner. These security credentials are transmitted in the clear between the user's computer and the server that hosts HCMS. Freely available software tools could enable others to eavesdrop on this communication and automatically record user names and passwords. This tactic is particularly fruitful when used on publicly accessible wireless networks provided by municipalities, restaurants, hotels and airports.

Opportunity for Change
Reconfigure HCMS to transmit users' login credentials in an encrypted format. The time and effort required to decrypt them typically thwart attempts by unauthorized persons to gain access to HCMS in this manner.

Management Response
We concur.

Action Plan
We have implemented the Secure Sockets Layer (SSL) protocol on servers used to host HCMS. This encrypts all network communications between users' web browser clients and servers used to host HCMS.
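The condition observed above (a login form whose credentials travel unencrypted) is something an auditor can verify mechanically rather than by inspection alone. The following Python script is an added example and is not part of the audit report or of Sarasota County's HCMS configuration; the host name hcms.example, the sample login page and the response headers are constructed for illustration. It checks the three places where a password can still leave the browser in the clear: the scheme of the page itself, the scheme of the URL each password form posts to (a relative action inherits the page's scheme, an absolute http:// action overrides it), and, going one step beyond the report's SSL fix, whether the HTTPS page sets a Strict-Transport-Security header so that browsers do not start future visits over plain HTTP.

```python
"""Checks whether a login page would send credentials in the clear.

Added example (not part of the audit report); the host name and the HTML
below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PasswordFormCollector(HTMLParser):
    """Records every <form> on the page and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_transport(page_url, html, response_headers):
    """Return a list of findings for one login page; an empty list means no issue found.

    page_url         -- URL the login page was retrieved from
    html             -- the page body as a string
    response_headers -- dict of HTTP response headers (names matched case-insensitively)
    """
    findings = []
    headers = {name.lower(): value for name, value in response_headers.items()}
    page_scheme = urlsplit(page_url).scheme.lower()

    # 1. The page itself: a form delivered over plain HTTP can be read or altered in transit.
    if page_scheme != "https":
        findings.append("login page served over %s, not https" % page_scheme)

    # 2. Each password form: the credentials go wherever the form action points,
    #    so a relative action on an HTTP page and an absolute http:// action on an
    #    HTTPS page both send the password unencrypted.
    parser = _PasswordFormCollector()
    parser.feed(html)
    for form in parser.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme.lower() != "https":
            findings.append("password form posts to non-HTTPS URL: %s" % target)

    # 3. HSTS: without it a browser given only the host name still starts on http://
    #    and depends on a redirect that an on-path eavesdropper can interfere with.
    if page_scheme == "https" and "strict-transport-security" not in headers:
        findings.append("no Strict-Transport-Security header on the HTTPS login page")

    return findings


# Constructed sample login page: the password form posts back to a relative path.
SAMPLE_LOGIN_HTML = """
<html><body>
<form method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""
# Constructed response headers for the "before" and "after" server configurations.
SAMPLE_HEADERS_PLAIN = {"Content-Type": "text/html"}
SAMPLE_HEADERS_TLS = {"Content-Type": "text/html",
                      "Strict-Transport-Security": "max-age=31536000"}


if __name__ == "__main__":
    for url, hdrs in (("http://hcms.example/login", SAMPLE_HEADERS_PLAIN),
                      ("https://hcms.example/login", SAMPLE_HEADERS_TLS)):
        print(url)
        for finding in audit_login_transport(url, SAMPLE_LOGIN_HTML, hdrs) or ["no findings"]:
            print("  -", finding)
```

Run against the constructed "before" case (page fetched over http://), the script reports both the unencrypted page and the form posting to an http:// URL; against the "after" case (page over https:// with HSTS set) it reports nothing. In a real review the HTML and headers would come from fetching the login page with the organisation's own tooling; the check itself is the same.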