
Statewide Accounting, Budgeting and Human Resource System (SABHRS) : information system audit PDF

34 Pages·2002·0.64 MB·English


Legislative Audit Division
State of Montana
Report to the Legislature
March 2002

Information System Audit
Statewide Accounting, Budgeting and Human Resource System (SABHRS) Audit
Department of Administration

This report provides information regarding application controls over the state's central computer system, and general controls over the related processing environment. It contains five recommendations to the department for improving controls over the Statewide Accounting, Budgeting and Human Resource System.

Direct comments/inquiries to:
Legislative Audit Division
Room 160, State Capitol
PO Box 201705
Helena MT 59620-1705

02DP-02

Help eliminate fraud, waste, and abuse in state government. Call the Fraud hotline at 1-800-222-4446 statewide or 444-4446 in Helena.

INFORMATION SYSTEM AUDITS

Information System (IS) audits conducted by the Legislative Audit Division are designed to assess controls in an IS environment. IS controls provide assurance over the accuracy, reliability, and integrity of the information processed. From the audit work, a determination is made as to whether controls exist and are operating as designed. In performing the audit work, the audit staff uses audit standards set forth by the United States General Accounting Office.

Members of the IS audit staff hold degrees in disciplines appropriate to the audit process. Areas of expertise include business, accounting and computer science.

IS audits are performed as stand-alone audits of IS controls or in conjunction with financial-compliance and/or performance audits conducted by the office. These audits are done under the oversight of the Legislative Audit Committee which is a bicameral and bipartisan standing committee of the Montana Legislature. The committee consists of six members of the Senate and six members of the House of Representatives.
MEMBERS OF THE LEGISLATIVE AUDIT COMMITTEE

LEGISLATIVE AUDIT DIVISION

Scott A. Seacat, Legislative Auditor
John W. Northey, Legal Counsel

Deputy Legislative Auditors:
J[illegible] Pellegrini, Performance Audit
Tori Hunthausen, IS Audit & Operations
James Gillett, Financial-Compliance Audit

March 2002

The Legislative Audit Committee
of the Montana State Legislature:

This is the report of our Information System audit of controls relating to the state's central computer system operated by the Department of Administration. We reviewed specific general and application controls over the Statewide Accounting, Budgeting and Human Resource System. This report contains recommendations for improving controls related to the system and department procedures. Written responses to our audit recommendations are included in the back of the audit report.

We wish to express our appreciation to the staff of the Department of Administration for their cooperation and assistance.

Respectfully submitted,

Scott A. Seacat
Legislative Auditor

Room 160, State Capitol Building, PO Box 201705, Helena, MT 59620-1705
Phone (406) 444-3122  FAX (406) 444-9784  E-Mail lad@state.mt.us

Legislative Audit Division
Information System Audit
Statewide Accounting, Budgeting and Human Resource System (SABHRS) Audit

Members of the audit staff involved in this audit were Debra Blossom, Charles Nemec, and Jessie Solem.
Table of Contents

Appointed and Administrative Officials
Report Summary
Chapter I - Introduction and Background
    Introduction and Background
    SABHRS Finance and Human Resource Management System Descriptions
    Audit Objectives
    Audit Scope and Methodology
    Prior Audit Recommendations
    Recommendations Partially Implemented
Chapter II - General Controls
    Introduction
    Segregation of Duties
    Security Plan
    Service Continuity
Chapter III - Application Controls
    Introduction
    SABHRS Audit Trail
    Production Recovery
Agency Response
    Department of Administration

Appointed and Administrative Officials

Department of Administration
    Scott Darkenwald, Director
    Cathy Muri, Administrator, Administrative Financial Services Division
    John McEwen, Administrator, State Personnel Division
    Brian Wolf, Chief Information Officer, Information Technology Services Division
    Tony Herbert, Deputy Chief Information Officer, Information Technology Services Division

SABHRS Services Bureau
    Chuck Virag, Bureau Chief
    Nyla Johnson, Finance Lead
    Jim Sheehy, Information Technology Lead
    Theresa Scott, Budget Lead
    Martha Watson, Human Resource Lead

Report Summary

Introduction

We conduct an annual review of the Statewide Accounting, Budgeting and Human Resource System (SABHRS). SABHRS functions as the state's primary accounting, budgeting, human resource management, and procurement system. We reviewed general controls over the SABHRS processing environment and application controls over Human Resource Management and Finance systems. Background information, audit objectives and audit scope are discussed in chapter I. Audit issues summarized below are discussed in chapters II and III.

General Controls

General Controls are management-developed plans, policies, and procedures applied to the SABHRS environment to assure proper operation of SABHRS computer systems hardware and software.

We reviewed the following general control areas: service continuity and security planning, physical and logical access over operating and application software and hardware, software development and change controls, and segregation of duties. Audit issues are summarized below.
- Segregation of duties needs to be defined for human resource data access by SABHRS staff.
- Service Continuity Plan needs to include operational priorities and needs to be tested for SABHRS application.
- Security Plan is necessary that is comprehensive and able to be implemented by SABHRS staff.

Application Controls

Applications are the group of individual computer programs that collectively operate to perform a function. SABHRS applications are Human Resource and Finance. Application Controls are the management-developed plans, policies, and procedures that apply to SABHRS applications and are designed to ensure the application's proper operation.

We reviewed the following application control areas: data acquisition, data processing, and data output. Audit issues are summarized below.

Finance

We reviewed Finance application processing and noted that sufficient information is not retained to enable the review or reconstruction of daily processing. Industry and United States General Accounting Office (GAO) guidance and best practices provide that an audit trail be created to provide evidence of successful processing or to diagnose and manage incident response and restoration. SSB should retain information to support management's ability to monitor processing performance and controls.

- Audit trails are necessary to record the history of production and data changes.
- Production recovery procedures are necessary for a consistent approach to processing interruptions.

Human Resource

We identified SABHRS Support Bureau staff with unrestricted access to Human Resource production data and observed instances where data was changed without the knowledge or authorization of the data owner to meet production deadlines. Industry and GAO guidance and best practices are that production staff should not have access to production data, and all changes or additions should be tested and approved by the data owner before they are moved into production. SABHRS management and data owners should develop a method that allows SABHRS staff to meet production deadlines and includes data owner authorization of data changes and additions.

Prior Audit Recommendations

The previous audit report contained fourteen recommendations. SABHRS management implemented eight, partially implemented three, and three recommendations were addressed within the scope of the financial-compliance audit of the department.

Conclusion

In conclusion, we identified weaknesses within the SABHRS general controls environment regarding inadequate service continuity and security planning. We also determined the responsibilities and segregation of incompatible duties should be defined.

Overall, the SABHRS applications are processing information as intended; however, we identified areas where the department could
