Legislative Audit Division
State of Montana
Report to the Legislature

EDP Audit Report
June 1996

Executive Budget System
Governor's Office of Budget and Program Planning

This report provides information regarding general and application controls related to the EBS application. It contains recommendations for improving controls within the office's electronic data processing environment. These recommendations address:

* Establishing policies and procedures for internal evaluations.
* Improving electronic access controls.
* Establishing formal contingency procedures.
* Improving documentation of the system.

Direct comments/inquiries to:
Legislative Audit Division
Room 135, State Capitol
PO Box 201705
Helena MT 59620-1705

96DP-05

EDP AUDITS

Electronic Data Processing (EDP) audits conducted by the Legislative Audit Division are designed to assess controls in an EDP environment. EDP controls provide assurance over the accuracy, reliability, and integrity of the information processed. From the audit work, a determination is made as to whether controls exist and are operating as designed. In performing the audit work, the audit staff uses audit standards set forth by the United States General Accounting Office.

Members of the EDP audit staff hold degrees in disciplines appropriate to the audit process. Areas of expertise include business and public administration.

EDP audits are performed as stand-alone audits of EDP controls or in conjunction with financial-compliance and/or performance audits conducted by the office. These audits are done under the oversight of the Legislative Audit Committee, which is a bicameral and bipartisan standing committee of the Montana Legislature. The committee consists of six members of the Senate and six members of the House of Representatives.
MEMBERS OF THE LEGISLATIVE AUDIT COMMITTEE

Montana Legislative Audit Division
Scott A. Seacat, Legislative Auditor

June 1996

The Legislative Audit Committee of the Montana State Legislature:

This is a report on our EDP audit of the Governor's Office of Budget and Program Planning's internal controls relating to its computer-based Executive Budget System (EBS). We reviewed the office's general controls as they relate to the data processed on the state mainframe computer and on the office's local area network. In addition, we reviewed application controls over the EBS application.

This report contains recommendations for improving controls. Our recommendations include establishing policies and procedures for internal evaluations, improving electronic access security, improving system documentation, and establishing formal contingency procedures. Written responses to our audit recommendations are included in the back of the audit report.

We thank the office personnel for their cooperation and assistance throughout the audit.

Respectfully submitted,

Scott A. Seacat
Legislative Auditor

Room 136, State Capitol Building
PO Box 201706
Helena MT 59620-1706
Phone 406-444-3122
FAX 406-444-9784

Legislative Audit Division
EDP Audit Report
Executive Budget System
Governor's Office of Budget and Program Planning

Members of the audit staff involved in this audit were Dawn Brewer and Ken Erdahl.
Table of Contents

Appointed and Administrative Officials ... ii
Report Summary ... S-1

Chapter I - Introduction and Background
  Introduction ... 1
  EDP General and Application Controls ... 1
  Background ... 2
  Audit Objectives ... 3
  Audit Scope and Methodology ... 4

Chapter II - Executive Budget System
  Introduction ... 5
  Conclusion: General Controls Could be Improved ... 5
  Conclusion: Application Controls Adequate to Ensure Budget Information is Complete and Accurate ... 5
  Policies and Procedures ... 5
  General Controls ... 7
  Contingency Planning ... 7
  Access Controls ... 9
  Documentation ... 9
  ACF2 Report Review ... 9
  Application Controls ... 10
  System Documentation ... 10
  System Enhancements ... 11
  System Edits ... 12
  Conclusion ... 13

Agency Response
  Governor's Office of Budget and Program Planning ... 17

Page i

Appointed and Administrative Officials

Office of the Governor and Lieutenant Governor
  Marc Racicot, Governor
  David M. Lewis, Director, Office of Budget and Program Planning
  Steve Bender, Assistant Director, Office of Budget and Program Planning
  Steve Colberg, Data Processing Coordinator, Office of Budget and Program Planning

Page ii

Report Summary

Introduction

This is an audit of internal controls relating to the Governor's Office of Budget and Program Planning's (OBPP) computer-based Executive Budget System (EBS). We performed an electronic data processing audit of this application. We selected the OBPP and this application because of the significant dollar amounts that are processed and the statewide use of the information maintained on the system.

Background

Our audit was limited to one of the Governor's Office programs, the Office of Budget and Program Planning (16.25 FTE). The OBPP assists the governor in planning, preparing, and administering the state budget. It develops and evaluates alternative program plans for providing state government services, and acts as the lead executive branch agency for compliance with the federal Single Audit Act.

The EBS is a combination mainframe and PC-based application.
The OBPP extracts specific expenditure information from statewide accounting and payroll systems, using mainframe-based programs. The data are then copied to OBPP's PC-based network. State agency personnel are able to access the data specific to their agency, and use it in preparing their upcoming budget requests. After changes have been made and agreed upon by OBPP, the Legislative Fiscal Division, and agency personnel, the data is copied back to the mainframe for further processing.

This report contains five recommendations to OBPP to improve controls associated with the EBS application.

Policies and Procedures

The law provides guidance regarding security which should be considered by agencies in establishing policies and procedures. Section 2-15-114, MCA, requires department heads to be "...responsible for assuring an adequate level of security for all data and information technology resources within his department...". OBPP has not conducted an analysis to identify threats to the security of the EBS application, and has no documented policies regarding the use of office computers. The office should perform a security analysis to identify risks, implement procedures to mitigate those risks, and perform periodic evaluations of security in compliance with state law. In addition, formal office-wide policies should be developed which outline employee responsibilities and office standards regarding computer usage.

Contingency Planning

Contingency planning is a basic element of safeguarding computer systems and information resources. Contingency planning involves collecting plans, procedures, arrangements, and information which are completed, compiled, and held in readiness for use in the event of a disruption of normal activities. The contingency plan should include consideration of physical facilities, personnel, operating instructions, supplies and forms, application programs, documentation, system software, and data.
Through interviews with office personnel, we determined the office does not have a formal contingency plan as required by section 1-0240.00, MOM. A written, detailed plan outlining recovery procedures should exist and be tested to ensure feasibility of the plan.

Access Controls

Proper access controls assist in the prevention or detection of deliberate or accidental errors caused by improper use or manipulation of data files, unauthorized or incorrect use of a computer program, or improper use of computer resources. Assigning limited access based on job requirements facilitates checks and balances in the system. Also, passwords known only to the user prevent unauthorized users from accessing confidential information.

We reviewed mainframe and PC controls over the EBS application, and noted areas where access controls could be improved. Access to the EBS files and programs, level of access requested, and authorization for the access is not documented. As positions change, or turnover occurs, access needs may change. In order to ensure access is proper and authorized, the people needing access, level of access required, and time periods for the allowed access should be documented.

Page S-2
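The access-control recommendation above asks for a documented record of who needs access, at what level, and for what time period, so that access actually granted can be checked against it when positions change or turnover occurs. The following is an added example, not code from the audit report or from OBPP, of the periodic review that such a register makes possible: it compares the access granted on EBS files and programs against the authorization register and reports grants with no record, grants whose documented period has ended or not yet begun, grants at a higher level than documented, and records that name no authorizer. Every user name, resource name, level, authorizer and date in it is constructed sample data; the resource naming and the three-level read/update/admin scale are assumptions, not EBS conventions.

```python
"""Periodic access review against a documented authorization register.

Added example (not from the audit report).  All users, resources, levels,
authorizers and dates are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date

# Assumed ordering of access levels so "more than documented" can be detected.
LEVEL_RANK = {"read": 1, "update": 2, "admin": 3}


@dataclass(frozen=True)
class Authorization:
    """One line of the register: who approved what access, for which period."""
    user: str
    resource: str
    level: str
    authorized_by: str   # empty string means no authorizer was recorded
    start: date          # first day the access is allowed
    end: date            # last day the access is allowed


@dataclass(frozen=True)
class Grant:
    """Access actually in force on a file or program (as an administrator would list it)."""
    user: str
    resource: str
    level: str


def review_access(grants, register, as_of):
    """Compare grants in force with the register; return (user, resource, finding) tuples.

    Findings: undocumented (no register entry), missing-auth (entry names no
    authorizer), expired / not-started (outside the documented period),
    over-level (granted level exceeds the documented level).
    """
    by_key = {(a.user, a.resource): a for a in register}
    findings = []
    for g in grants:
        a = by_key.get((g.user, g.resource))
        if a is None:
            findings.append((g.user, g.resource, "undocumented"))
            continue
        if not a.authorized_by:
            findings.append((g.user, g.resource, "missing-auth"))
        if as_of > a.end:
            findings.append((g.user, g.resource, "expired"))
        elif as_of < a.start:
            findings.append((g.user, g.resource, "not-started"))
        if LEVEL_RANK[g.level] > LEVEL_RANK[a.level]:
            findings.append((g.user, g.resource, "over-level"))
    return findings


def stale_records(grants, register):
    """Register entries with no matching grant: documentation left behind after removal."""
    granted = {(g.user, g.resource) for g in grants}
    return [(a.user, a.resource) for a in register if (a.user, a.resource) not in granted]


# Constructed sample register and grant list (hypothetical names and resources).
REGISTER = [
    Authorization("abrown", "EBS.BUDGET.DATA", "update", "authorizer A", date(1995, 7, 1), date(1996, 6, 30)),
    Authorization("cjones", "EBS.BUDGET.DATA", "read", "authorizer A", date(1995, 7, 1), date(1995, 12, 31)),
    Authorization("dsmith", "EBS.EXTRACT.PGM", "read", "", date(1996, 1, 1), date(1996, 12, 31)),
    Authorization("elee", "EBS.BUDGET.DATA", "read", "authorizer B", date(1996, 1, 1), date(1996, 12, 31)),
]
GRANTS = [
    Grant("abrown", "EBS.BUDGET.DATA", "update"),  # matches the register
    Grant("cjones", "EBS.BUDGET.DATA", "read"),    # documented period ended 1995-12-31
    Grant("dsmith", "EBS.EXTRACT.PGM", "update"),  # no authorizer recorded; more than documented
    Grant("fwong", "EBS.BUDGET.DATA", "read"),     # nobody documented this access
]
REVIEW_DATE = date(1996, 6, 1)

if __name__ == "__main__":
    for user, resource, finding in review_access(GRANTS, REGISTER, REVIEW_DATE):
        print(f"{user:8} {resource:18} {finding}")
    print("stale register entries:", stale_records(GRANTS, REGISTER))
```

Run as a script it lists the four grants that need attention and the one register entry (elee) whose grant no longer exists; the second list matters as much as the first, since a register that is not reconciled against removals stops being a reliable statement of who is supposed to have access.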