
EDP audit report, information processing facility and central applications PDF

30 Pages·1995·0.64 MB·English

Preview EDP audit report, information processing facility and central applications

Legislative Audit Division
State of Montana

Report to the Legislature
EDP Audit Report
November 1995

Information Processing Facility and Central Applications

Each year the Office of the Legislative Auditor audits the state's central computer facility and centralized computer applications. This report is used by financial-compliance and performance auditors and contains our conclusions and/or recommendations for improving general controls over the mainframe computer (Information Processing Facility) and application controls over the following systems:

State Payroll System
Statewide Budgeting and Accounting System
Warrant Writer System

Direct comments/inquiries to:
Legislative Audit Division
Room 135, State Capitol
PO Box 201705
Helena Montana 59620-1705

95DP-33

EDP AUDITS

Electronic Data Processing (EDP) audits conducted by the Legislative Audit Division are designed to assess controls in an EDP environment. EDP controls provide assurance over the accuracy, reliability, and integrity of the information processed. From the audit work, a determination is made as to whether controls exist and are operating as designed.

In performing the audit work, the audit staff uses audit standards set forth by the United States General Accounting Office.

Members of the EDP audit staff hold degrees in disciplines appropriate to the audit process. Areas of expertise include business and public administration.

EDP audits are performed as stand-alone audits of EDP controls or in conjunction with financial-compliance and/or performance audits conducted by the office. These audits are done under the oversight of the Legislative Audit Committee which is a bicameral and bipartisan standing committee of the Montana Legislature. The committee consists of six members of the Senate and six members of the House of Representatives.
MEMBERS OF THE LEGISLATIVE AUDIT COMMITTEE

Senator Greg Jergeson, Vice Chairman
Senator Sue Bartlett
Senator Reiny Jabs
Senator Tom Keating
Senator Ken Miller
Senator Linda Nelson
Representative Ernest Bergsagel, Chairman
Representative Beverly Barnhart
Representative A. R. "Toni" Hagener
Representative Bob Keenan
Representative Robert Pavlovich
Representative Bruce Simon

STATE OF MONTANA
Office of the Legislative Auditor
STATE CAPITOL
PO BOX 201705
HELENA, MONTANA 59620-1705
406/444-3122
FAX 406/444-3036

LEGISLATIVE AUDITOR: SCOTT A. SEACAT
LEGAL COUNSEL: JOHN W. NORTHEY
DEPUTY LEGISLATIVE AUDITORS:
MARY BRYSON, Operations and EDP Audit
JAMES GILLETT, Financial-Compliance Audit
JIM PELLEGRINI, Performance Audit

November 1995

The Legislative Audit Committee of the Montana State Legislature:

This is our EDP audit of controls relating to the state's centralized data processing systems operated by the Department of Administration and the State Auditor's Office. We reviewed the Department of Administration's general controls over the Information Processing Facility and application controls over State Payroll and the Statewide Budgeting and Accounting System (SBAS). In addition, we reviewed application controls over the Warrant Writer system, operated by the State Auditor's Office during fiscal year 1994-95.

This report contains recommendations for improving EDP controls related to SBAS, State Payroll, and Warrant Writer systems and the Information Processing Facility. Written responses to our audit recommendations are included in the back of the report.

We thank the Department of Administration and State Auditor's Office for their cooperation and assistance throughout the audit.

Respectfully submitted,

Scott A. Seacat
Legislative Auditor

Legislative Audit Division
EDP Audit
Information Processing Facility and Central Applications

Members of the audit staff involved in this audit were: Rich McRae, Alan Lloyd, Renee Foster, Scott Hoversland, and Pete Brustkern.
Table of Contents

Appointed and Administrative Officials  ii
Report Summary  S-1

Chapter I: Introduction
    Introduction  1
    Organization of Report  1
    EDP Audit General and Application Controls  1
    Audit Objectives  2
    Audit Scope and Methodology  3
    Compliance  4
    Prior Audit Recommendations  4

Chapter II: General Controls
    Introduction  5
    Information Processing Facility  5
    Physical Security  5
    ISD Improves Disaster Recovery Preparedness - State Agencies Should Follow  6
    Physical Access to Operating System Documentation  7
    Physical Security of Data Cartridges  8
    Physical Inventory of Data Cartridges at Storage Facility  9
    Authorization for Transferring or Deleting Agency Data Cartridges  10

Chapter III: Application Controls
    Introduction  11
    Statewide Budgeting and Accounting System  11
    State Payroll System  12
    Warrant Writer System  12
    Offsets should be Established for Direct Deposits  13

Appointed and Administrative Officials

Department of Administration

Lois Menzies, Director
Connie Griffith, Administrator, Accounting and Management Support Division
Terry Atwood, Chief, Accounting Bureau
Tony Herbert, Administrator, Information Services Division
Jeff Brandt, Chief, Policy, Development, and Customer Relations Bureau
Paul Rylander, Chief, Computing Operations Bureau
Mark Cress, Administrator, Personnel Division
John McEwen, Chief, Classification and Pay Bureau
Donna F. Warner, Supervisor, State Payroll

Report Summary

Introduction

This EDP Audit reviewed centralized controls over the state's mainframe computer and the State Payroll, the Statewide Budgeting and Accounting System (SBAS), and the Warrant Writer computer based applications. The audit included a general control review of the state's mainframe computer and application reviews of State Payroll, SBAS, and Warrant Writer. A discussion of general and application controls is included on pages 1 and 2. The audit objectives and scope are discussed on pages 2 and 3 of the report.
General Controls

The Department of Administration's Information Services Division (ISD), provides mainframe data processing services to state agencies. Processing is performed on an IBM computer operating 24 hours a day except during scheduled system maintenance. Between 8:00 a.m. and 5:00 p.m. the central computer operates at 90 percent operating capacity.

General controls are developed by management to ensure computer operations function as intended and provide effective data processing service to users. Except as noted below, the department's general control environment provides for controlled application processing on the mainframe computer system. Additional discussion of the audit issues is included in Chapter II.

Physical Access to Operating System Documentation

Operating system documentation includes installation guidelines and procedures, system configurations, user-written modifications, software installation programs, etc. In our previous audit we recommended the department restrict access to operating system documentation to only those employees who require access to perform job duties. The department has not implemented our prior recommendation but indicated they intend to install a file cabinet to secure selected system documentation.

Unrestricted access could allow unauthorized individuals to change operating system specifications or destroy installation documentation. ISD should secure operating system documentation, including installation guidelines and procedures manuals, in locked storage cabinets.

Physical Inventory of Data Cartridges at Storage Facility

Twice each week, ISD employees back-up all mainframe operating system software, application programs, and data to magnetic tape cartridges, which they store at an off-site facility. In our previous audit we recommended the department complete and document a formal annual inventory of back-up data stored at the off-site storage facility. During the current review ISD personnel indicated they completed but did not document an inventory.
Documented inventory procedures will support subsequent inventory records and assist backup personnel in completing inventory duties. Without documentation, the department cannot ensure electronic records agree to the existing data cartridge inventory.

Authorization for Transferring or Deleting Agency Data Cartridges

Department personnel transfer data cartridges at the Information Processing Facility data center to and from the off-site storage area per agency request. Although department procedure requires documented agency authorization, employees periodically transfer or delete agency data files upon verbal request.

EDP guidelines suggest management establish physical security procedures to safeguard electronic data from loss or unauthorized access. Documented authorization can support additions or deletions to inventory records and ensure department personnel complete requests as intended.

Application Controls

The audit reviewed application controls over SBAS, State Payroll, and Warrant Writer. SBAS is an accounting system which provides financial reporting of agency transactions. State Payroll processes payroll for state agencies and selected units of the Montana University System. Warrant Writer creates state warrants from agency submitted transfer warrant claims processed through SBAS.

As discussed in Chapter III, application controls were effective and adequate to ensure accurate and complete data processing for SBAS, State Payroll, and Warrant Writer.
