Summary Report of Information Technology Audit Findings

This document summarizes information technology (IT) audit findings from 87 audit reports of 80 public entities issued during the 2008-2009 fiscal year. It found a total of 613 IT audit findings, with 144 findings, or around 23%, also appearing in previous audit reports for the same entities. The most common issues involved deficiencies in controls over access to entity data and IT resources and in entity IT security management. The number of repeated findings indicates a need for entities to improve security and controls over their information and IT resources.

REPORT NO. 2010-062
DECEMBER 2009

SUMMARY REPORT OF
INFORMATION TECHNOLOGY AUDIT FINDINGS
Included In Our Financial and Operational Audit Reports
Issued During the 2008-09 Fiscal Year
A listing of the specific entities for which audit reports included information technology (IT) audit findings is
included in this report as Exhibit A.

The project was conducted by Hilda S. Morgan, CPA, CISA, and supervised by Tina Greene, CPA, CISA. Please address
inquiries regarding this report to Jon Ingram, CPA, CISA, Audit Manager, by e-mail at [email protected] or by
telephone at (850) 488-0840.
This report and other reports prepared by the Auditor General can be obtained on our Web site at
www.myflorida.com/audgen; by telephone at (850) 487-9024; or by mail at G74 Claude Pepper Building, 111 West Madison
Street, Tallahassee, Florida 32399-1450.

SUMMARY REPORT OF
INFORMATION TECHNOLOGY AUDIT FINDINGS
Included In Our Financial and Operational Audit Reports
Issued During the 2008-09 Fiscal Year

SUMMARY

Public entities rely heavily on information technology (IT) to achieve their missions and business objectives.
As such, IT controls are an integral part of entity internal control systems. The Auditor General evaluates
the effectiveness of entity controls over IT as a part of financial and operational audits. IT audit findings
included in our financial and operational audit reports issued during the 2008-09 fiscal year are summarized
below:
• In 87 audit reports, we disclosed 613 IT audit findings involving 80 public entities. These findings related to entity IT controls that were deficient or needed improvement. Of the 613 IT audit findings, 144 findings, or approximately 23 percent, were also included in audit reports for the same entities from previous fiscal years. Nineteen of the findings had been included in more than one previous audit report for the same entity.
• The most prevalent IT audit findings disclosed that improvements were needed in controls over access to entity data and IT resources and described deficiencies in entity IT security management.
• The nature and extent of the IT audit findings disclosed in our audits and the percentage of repeated findings are indicative of the need for entity management, those charged with governance, and other stakeholders to place increased emphasis on improving the security and control over data and IT resources.

BACKGROUND

Information and the related technology are critical public assets. Public entities, including State agencies and
institutions of public education, depend on IT to achieve their missions and to record, process, maintain, and report
essential financial and program information. However, the widespread use of IT, without proper safeguards, can lead
to vulnerabilities that enable the perpetration of errors by employees in their daily work processes and frauds by
persons with malicious intentions.
Public entity management, therefore, has an important stewardship responsibility for establishing effective IT controls
that provide reasonable assurance of the achievement of management’s control objectives, including, in particular, the
confidentiality, integrity, and availability of data and IT resources. The absence of effective IT controls can result in
significant risks to entity operations and assets, such as risk of unauthorized or erroneous disclosure, modification, or
destruction of financial information and IT resources. Examples include:

• Financial resources, such as payments and collections, could be lost or stolen.
• IT resources could be used for unauthorized purposes, including diverting financial resources and launching attacks on other systems or networks.
• Information that is confidential or exempt from public disclosure by law, such as student data, taxpayer data, Social Security numbers, medical records, other personally identifiable information, and proprietary business information could be inappropriately added, disclosed, copied, modified, deleted, or destroyed.
• Critical operations, such as those supporting law enforcement and emergency services, could be disrupted.
• Information could be modified for purposes such as identity theft, embezzlement, and other types of crime.
• Public confidence in State government and the public education system could be diminished as a result of embarrassing incidents such as the disclosure of personally identifiable information, unavailable or poorly functioning IT-dependent services, IT-related fraud, or costly mismanagement of large IT system acquisition or development projects.
Recognizing the need for improved IT security management in State government, the Florida Legislature has enacted
recent legislation (Chapter 2009-80, Laws of Florida) that provides for additional IT security management and
reporting responsibilities for the Agency for Enterprise Information Technology (AEIT) and other State agencies as
defined in Section 216.011(1)(qq), Florida Statutes. This legislation provides, in part, that:
• The Office of Information Security (Office) is established within the Agency for Enterprise Information Technology, to be overseen by a state Chief Information Security Officer.
• The Office is responsible for establishing rules and publishing guidelines for ensuring an appropriate level of security for all data and IT resources for executive branch agencies.
• The Office is required to develop, and annually update by February 1, an enterprise information security strategic plan.
• The Office is required to submit to the Governor, President of the Senate, and Speaker of the House of Representatives by December 31, 2010, a proposed implementation plan for IT security.
• State agencies are required to annually submit to the Office strategic and operational security plans pursuant to the rules and guidelines established by the Office.
Similar provisions of law do not exist for institutions of public education.

SUMMARY OF IT AUDIT FINDINGS

The Auditor General conducts financial and operational audits of State agencies, universities, community colleges,
district school boards, and other governmental entities pursuant to Section 11.45(2), Florida Statutes. The Auditor
General may, pursuant to Section 11.45(3), Florida Statutes, conduct audits or other engagements of the accounts,
records, and IT programs, activities, functions, or systems of any governmental entity created or established by law.
We evaluate IT controls in financial audits and in many operational audits. Consideration of IT controls is an
essential and significant part of the audit process in these audits because entity business processes that are relevant to
the audit objectives are generally dependent on IT. In addition, IT systems are the specific topic of many operational
audits by our IT Audits Division.
During the 2008-09 fiscal year, we issued 219 audit reports, including 167 financial or operational audit reports. Of
the 167 financial or operational audit reports, 87 reports (representing 80 entities) included one or more findings
relating to entity management and control of IT, for a total of 613 findings. Of the 613 IT audit findings, 144
findings, or approximately 23 percent, were also included in audit reports for the same entities from previous fiscal
years. Nineteen of the findings had been included in more than one previous audit report for the same entity.
We have analyzed each of the 613 IT audit findings and, for the purposes of this report, summarized the findings into
nine control categories based on the Federal Information System Controls Audit Manual (FISCAM), issued by the
United States Government Accountability Office (GAO) in February 2009. The nine control categories, representing
a grouping of related controls having similar types of risks, are:


General Controls
• Security Management: Controls providing assurance that security management is effective. Examples include a security management program, periodic risk assessments and validation, and security control policies and procedures.
• Access Controls: Controls providing assurance that access to data, software, equipment, and facilities is reasonable and restricted to authorized individuals.
• Configuration Management: Controls providing assurance that changes to IT system resources are authorized and systems are configured and operated securely and as intended.
• Separation of Duties: Controls providing assurance that incompatible duties are effectively separated.
• Contingency Planning: Controls protecting information resources, minimizing the risk of unplanned interruptions, and providing for the recovery of critical operations should interruptions occur.
Business Process Application Controls
• Application Level General Controls: General controls, including the five types of controls listed above, operating at the business process application level.
• Business Process Controls: Automated and manual controls applied to business process flows, including controls over transaction data input, processing, and output and controls over master data.
• Interface Controls: Controls over the timely, accurate, and complete processing of information between applications and other feeder and receiving systems and the complete and accurate migration of clean data during conversion.
• Data Management System Controls: Controls used in data management systems, such as database management systems, middleware, data warehouse software, and data extraction and reporting software.
The IT controls included within the scope of individual audits varied based on many factors, including the overall
audit objectives and scope, the nature of entity business operations and the entity’s use of IT, the entity’s IT
environment and other risk-based planning considerations. Controls such as Access Controls and Security
Management were frequently selected for audit. In contrast, other IT controls such as Interface Controls were not as
frequently included in the scope of audits. Consequently, any conclusions drawn based on the distribution of IT audit
findings among the nine control categories should take into consideration that certain IT controls were addressed in
audits more frequently than other IT controls.
The following table and chart provide a high-level summary of IT audit findings by control category (for a more
detailed breakdown and description of the findings, please see Exhibit B of this report):


Control Category                    Number of Findings
Access Controls                                    380
Security Management                                120
Application Level General Controls                  48
Contingency Planning                                26
Business Process Controls                           24
Separation of Duties                                 5
Configuration Management                             5
Data Management System Controls                      3
Interface Controls                                   2
Total Number of Findings                           613

[Chart: Number of Findings By Control Category]

As shown above, the predominant IT audit findings were in the categories of Access Controls and Security
Management. Although these categories of IT controls were frequently included within the scope of the 87 audits, the
number of findings in these two categories indicates that many opportunities exist within State government and the
public education system for improving IT security, as discussed below.
Access Control Findings
Access controls limit or detect inappropriate access to IT resources, thereby protecting the IT resources from
unauthorized disclosure, modification, and loss. Without adequate access controls, unauthorized individuals,
including outside intruders and former employees, can surreptitiously read and copy sensitive data and make
undetected changes or deletions for malicious purposes or personal gain. In addition, authorized users can
intentionally or unintentionally read, add, modify, delete, or exfiltrate (remove) data or execute changes that are
outside their span of authority.
The following table and chart provide a breakdown of access control findings by the specific control technique
needing improvement.

                                                                             Number of Number of
Access Controls – Control Technique                                           Findings  Entities
Appropriate Access Privileges                                                       52        45
User Identification and Authentication Controls – Application                       51        44
Removal or Adjustment of Former or Reassigned Employee or Contractor Access         48        41
User Identification and Authentication Controls – Network                           42        41
Monitoring and Logging Controls                                                     40        28
User Identification and Authentication Controls – Operating System                  25        25
Restriction of Access to Sensitive Data                                             22        20
Access Authorization                                                                21        17
User Identification and Authentication Controls – Database                          19        16
Security Administration Monitoring and Logging Controls                             19        18
Review of Access Privileges                                                         15        13
Boundary Controls                                                                    8         8
Physical Security Controls                                                           7         6
Transmission Controls                                                                3         3
User Identification and Authentication Controls – Web                                3         3
User Identification and Authentication Controls – Workstations                       3         3
User Identification and Authentication Controls – Security Software                  1         1
User Identification and Authentication Controls – Firewall                           1         1
Total Number of Findings                                                           380

[Chart: Access Controls – Number of Findings By Control Technique]

Security Management Findings


The effectiveness of an entity’s access controls and other aspects of IT security is dependent in part on the
effectiveness of its overall security management. An entitywide security management program is the foundation of a
security control structure and a reflection of senior management’s commitment to addressing security risks. The
security management program should establish a framework and continuous cycle of activity for assessing risk,
developing and implementing effective security procedures, and monitoring the effectiveness of the procedures.
Improvements in the overall IT security management of public entities would enhance their ability to identify, assess,
and remedy deficiencies in IT security controls in a cost-effective manner.
The following table and chart provide a breakdown of security management findings by the specific control technique
needing improvement.
                                                      Number of Number of
Security Management – Control Technique                Findings  Entities
Security Policies and Procedures                             57        48
Security Awareness Program                                   34        33
Risk Management                                              19        17
Positions of Special Trust and Background Screening           8         8
Security Management Program                                   2         1
Total Number of Findings                                    120

[Chart: Security Management – Number of Findings By Control Technique]

Other Control Categories

The following table and charts provide a breakdown of IT audit findings that were grouped into the seven other
control categories, including the specific control techniques that were the subject of the findings.

                                                                                               Number of Number of
Control Category                    Control Technique                                           Findings  Entities
Application Level General Controls  Application Program Change Controls                               45        28
                                    Documentation Controls                                             3         2
Contingency Planning                Contingency Plan Development, Modification, and Testing           20        20
                                    Environmental Controls                                             4         4
                                    Performance Management                                             2         2
Business Process Controls           User Controls                                                     13         9
                                    Transaction Data Processing Controls                               6         5
                                    Input Controls                                                     5         4
Configuration Management            Software Patch Management                                          5         5
Separation of Duties                Database Controls                                                  3         3
                                    Computer Operations Controls                                       2         2
Data Management System Controls     Transaction History Logging                                        3         3
Interface Controls                  Data Exchange Controls                                             2         2
Total Number of Findings                                                                             113

[Charts: Number of Findings By Control Category and Control Technique]

RECOMMENDATION FOR THE LEGISLATURE

Maintaining effective internal controls, including IT controls, is an important management responsibility. As shown
in the summarizations of IT control issues provided above, the nature and extent of IT audit findings noted in our
audit reports issued during the 2008-09 fiscal year and the percentage of repeated findings indicate that information
security programs have not yet been fully or effectively implemented for numerous entities and that entity
management, those charged with governance, and other stakeholders should place an increased emphasis on
improving the security and control of public data and IT resources. Without effective IT security and control
practices, controls may continue to be inadequate; responsibilities may be unclear, misunderstood, or improperly
implemented; and controls may be inconsistently applied.
As previously discussed, Chapter 2009-80, Laws of Florida, provides that the Office of Information Security within
AEIT is responsible for establishing rules and publishing guidelines for ensuring an appropriate level of security for
data and IT resources for executive branch agencies. In addition, Section 282.318(4), Florida Statutes, provides that
each agency head is responsible for assisting the Office by, in part, conducting and updating comprehensive security
risk analyses, establishing written internal policies and procedures, developing cost-effective safeguards to reduce
identified security risks, and ensuring the conduct of periodic internal audits and evaluations of agency security
programs for data, information, and IT resources. Consistent with these requirements, we encourage agency
management, those charged with governance, and other stakeholders to work toward improving IT security and
control practices.
Similar provisions do not exist in State law for promoting and encouraging effective IT security and control in
Florida’s K-20 education system. Some administrative rules and regulations exist that address certain IT security
requirements for educational entities. However, State law does not clearly address responsibilities within the public
education system for the security and control of data and IT resources.
Of the 80 entities for which audit reports disclosing IT audit findings were released in the 2008-09 fiscal year, 56 were
educational entities. The significant number of educational entities with IT audit findings, the importance of IT to the
accomplishment of educational entity missions, and the existence of significant confidential and exempt information
within educational entity IT systems indicate a need to promote and encourage IT security and control practices in
the public education system.
Identifying and addressing responsibilities within Florida’s K-20 public education system for the security and control
of data and IT resources is a significant task. Florida’s K-20 public education system consists of a diverse group of
entities, including the State University System, the State college system, and district school boards, as well as other
related entities such as Florida Distance Learning and the Florida Center for Library Automation. These educational
entities have different missions, governance structures, requirements, and levels of resources. These entities all use IT
resources to various degrees; however, the IT environments vary from entity to entity in such areas as the type of IT
infrastructure, type and number of application systems, age of the infrastructure and systems, size of the entity being
supported, and the number and qualifications of staff and amount of monetary resources available to support IT.
Financial application systems used by educational entities range from complex Enterprise Resource Planning systems
to legacy mainframe systems. Many educational entities use IT consortia, regional data centers, or private service
providers for various levels of IT services.


Because of the diverse and complex nature of the educational entities’ environments, a collaborative approach is
necessary to identify strategies and solutions for achieving an appropriate level of security of data and IT resources
among all educational entities while at the same time allowing these entities the autonomy provided for in the State
Constitution and law. Within the governance structure for Florida’s K-20 public education system, there are
organizations that may be able to assist entities within their jurisdiction. Such organizations include the Department
of Education, which has certain oversight responsibilities for school districts and colleges; the Information Resource
Management office within the State University System Board of Governors, which has issued a regulation for
universities regarding security of data and related IT resources; and the Chief Information Officers (CIOs) of
educational entities, who collaborate and share information regarding the advancement of educational technology. In
addition, AEIT is well positioned to provide information and assistance to all public entities regarding IT security and
control best practices.

Recommendation: We recommend that the Legislature consider establishing a workgroup composed of
applicable stakeholders to study and make recommendations for strategies to promote an appropriate level
of security of data and IT resources for Florida’s educational entities. The workgroup should include
representatives from the Department of Education, the Board of Governors of the State University System,
the educational entities’ CIO communities, and AEIT. Matters to be addressed by the workgroup could
include strategies in the following areas: promoting information security awareness, standards, and
guidelines; conducting security planning and risk analyses; establishing cost-effective IT security and
control practices to reduce identified security risks; and ensuring the conduct of periodic internal audits and
evaluations of information security programs. The workgroup should consider establishing a long-range
security plan for achieving an appropriate level of security of data and IT resources for Florida’s K-20
education system.

OBJECTIVES, SCOPE, AND METHODOLOGY

The objective of this project was to analyze and summarize all IT audit findings reported by the Auditor General
during the 2008-09 fiscal year.
The scope of this project included a review of 167 Auditor General financial or operational audit reports released
during the 2008-09 fiscal year.
Our methodology included a review of applicable audit reports and an analysis and summarization of IT audit
findings. We conducted this review in accordance with applicable generally accepted government auditing standards.
We believe that the procedures performed provide a reasonable basis for the summaries of IT audit findings included
in this report.


AUTHORITY

Pursuant to the provisions of Section 11.45(3)(b), Florida Statutes, I have directed that this report be prepared to
present a summary of IT audit findings included in our financial and operational audit reports issued during the
2008-09 fiscal year.

David W. Martin, CPA
Auditor General

EXHIBIT A
LISTING OF
FINANCIAL AND OPERATIONAL AUDIT REPORTS ISSUED DURING THE 2008-09 FISCAL YEAR
THAT INCLUDED INFORMATION TECHNOLOGY (IT) AUDIT FINDINGS

Report No.   Entity Name
2009-003     Agency for Workforce Innovation
2009-004     Department of Financial Services
2009-011     Department of Corrections
2009-013     Department of Citrus
2009-017     Department of Transportation
2009-018     Department of Health
2009-020     Department of Legal Affairs
2009-022     Pasco-Hernando Community College
2009-024     Department of Revenue
2009-028     Marion County District School Board
2009-029     Escambia County District School Board
2009-031     Department of State
2009-032     Office of Insurance Regulation
2009-033     Palm Beach Community College
2009-034     Hernando County District School Board
2009-036     Office of Insurance Regulation
2009-038     Department of Law Enforcement
2009-039     Department of Children and Family Services
2009-040     Indian River County District School Board
2009-041     Santa Fe College
2009-048     Lee County District School Board
2009-049     Department of State
2009-052     Department of Management Services
2009-053     Department of Financial Services
2009-055     Seminole County District School Board
2009-056     Madison County District School Board
2009-057     St. Petersburg College
2009-062     Gulf Coast Community College
2009-063     Nassau County District School Board
2009-065     Columbia County District School Board
2009-067     Lake County District School Board
2009-070     Agency for Workforce Innovation, Department of Revenue, and Department of Management Services
2009-078     Department of Management Services, Division of Administrative Hearings, Florida Commission on Human Relations, and Public Employees Relations Commission
2009-082     Gulf County District School Board
2009-083     Agency for Workforce Innovation, Department of Agriculture and Consumer Services, Department of Health, Fish and Wildlife Conservation Commission, and Office of State Courts Administrator
2009-086     Division of Emergency Management
2009-087     Florida Agricultural and Mechanical University
2009-091     Department of Financial Services
2009-093     Department of Transportation
2009-094     Jefferson County District School Board
2009-096     Sumter County District School Board
2009-097     Gilchrist County District School Board
2009-098     Hardee County District School Board
2009-099     Baker County District School Board
2009-100     Department of Children and Family Services
2009-101     Department of the Lottery
2009-102     Citizens Property Insurance Corporation
2009-109     University of West Florida
2009-118     Jackson County District School Board
2009-119     Suwannee County District School Board
2009-128     Liberty County District School Board
2009-131     Northwest Florida State College
2009-132     North Florida Community College
2009-134     Dixie County District School Board
2009-138     Franklin County District School Board
2009-139     Levy County District School Board
2009-140     Hamilton County District School Board
2009-141A    Citrus County District School Board
2009-142     Hendry County District School Board
2009-143     Holmes County District School Board
2009-144     Department of Financial Services, Department of Community Affairs, Agency for Workforce Innovation, Department of Revenue, Department of Education, Department of Health, Department of Children and Family Services, and Division of Emergency Management
2009-145     Lake-Sumter Community College
2009-149     Valencia Community College
2009-151     Miami Dade College
2009-152     Bay County District School Board
2009-153     Bradford County District School Board
2009-154     Walton County District School Board
2009-155     Indian River State College
2009-159     Polk Community College
2009-161     Santa Rosa County District School Board
2009-163     Washington County District School Board
2009-164     Wakulla County District School Board
2009-166     Glades County District School Board
2009-169     Putnam County District School Board
2009-171     Taylor County District School Board
2009-172     Clay County District School Board
2009-175     Highlands County District School Board
2009-179     Charlotte County District School Board
2009-186     Pinellas County District School Board
2009-188     Gadsden County District School Board
2009-189     Leon County District School Board
2009-197     Department of Veterans' Affairs
2009-199     Department of Revenue
2009-200     Department of Management Services
2009-208     Department of Education
2009-209     Monroe County District School Board
2009-213     Department of Education

EXHIBIT B 
SUMMARY OF IT AUDIT FINDINGS
BY CONTROL CATEGORY AND TECHNIQUE
Control Control Description Finding Results and Issues No. No. of No. of Total
Category Technique of State Educational No. of
Findings Agencies1 Entities Entities
1. 1. Senior management should establish a ▪ The placement of the CIO within the 2 1 0 1
Security Security security management structure for Department's organizational structure
Management Management entitywide, system, and application needed review and the scope of his
Program levels that have adequate independence, authority for performing IT duties
authority, expertise, and resources. An assigned in State law needed
information systems security manager improvement to provide increased
should be appointed at an agency oversight of all Department IT functions.
(entity) level and at appropriate ▪ The Department and Divisions had
subordinate (i.e., system and not clearly established the roles and
application) levels and given appropriate responsibilities of the Department's
authority. The security program information security manager and the
documentation should clearly identify Division data security administrators.
owners of computer-related resources
and those responsible for managing
access to computer resources. Security
responsibilities and expected behaviors
should be clearly defined at the
entitywide, system, and application
levels for information resource owners
and users, information technology
management and staff, senior
management, and security
administrators.

Security Management, 2. Risk Management (19 findings; 6 State agencies; 11 educational entities; 17 entities total)

Control description:
Appropriate risk assessment policies and procedures should be documented and based on security categorizations. Information systems should be categorized based on the potential impact that the loss of confidentiality, integrity, or availability would have on operations, assets, or individuals. Risks should be reassessed for the entitywide, system, and application levels on a periodic basis or whenever systems, applications, facilities, or other conditions change. Risk assessment documentation should include security plans, risk assessments, security test and evaluation results, and appropriate management approvals. Changes to systems, facilities, or other conditions and identified security vulnerabilities should be analyzed to determine their impact on risk, and the risk assessment should be performed or revised as necessary.

Finding results and issues:
▪ There were no policies and procedures for a periodic risk analysis for critical information resources or for a comprehensive risk analysis after major changes in software, procedures, environment, organization, or hardware.
▪ A formal risk assessment had not been performed to identify and document information technology systems and resources, vulnerabilities and exposures, policies and control measures, and management's signed acceptance of unmitigated risks.
▪ The auditee did not conduct routine network and system vulnerability testing.
▪ There was no enterprise risk management function; consequently, there was no documentation to support that an enterprise-wide evaluation of the effectiveness of controls had been conducted.
▪ Contrary to the security policy, the auditee did not have an approved security plan for a major information system.
▪ Contrary to the security policy, the auditee did not perform a certification and accreditation for a major information system.
▪ The first phase of a strategic plan had been completed but still lacked further exposure to IT stakeholders and formal approval.
▪ Vulnerability assessment and penetration testing had never been performed.

1 For the purposes of this summary, Citizens Property Insurance Corporation was included with the State agencies.

DECEMBER 2009 REPORT NO. 2010-062

EXHIBIT B (Continued)
SUMMARY OF IT AUDIT FINDINGS BY CONTROL CATEGORY AND TECHNIQUE

Column order in the exhibit: Control Category; Control Technique; Control Description; Finding Results and Issues; No. of Findings; No. of State Agencies; No. of Educational Entities; Total No. of Entities. The four numbers that accompany each technique are, in order, the number of findings, the number of State agencies, the number of educational entities, and the total number of entities with findings under that technique.
Finding results and issues for 2. Risk Management (continued):
▪ The auditee did not have a policy for the classification of data according to risk and importance to support decisions regarding the appropriate level of data protection to be employed during systems development and change activities.
▪ The auditee had not classified its data according to sensitivity or level of significance.
▪ Data owners had not been identified.
▪ The Department had not prepared security plans and strategies for implementing appropriate cost-effective safeguards to reduce, eliminate, or recover from the identified risks to data, information, and IT resources.

Security Management, 3. Security Policies and Procedures (57 findings; 12 State agencies; 36 educational entities; 48 entities total)

Control description:
Security control policies and procedures at all levels should:
▪ be documented
▪ appropriately consider risk
▪ address purpose, scope, roles, responsibilities, and compliance
▪ ensure that users can be held accountable for their actions
▪ appropriately consider general and application controls
▪ be approved by management
▪ be periodically reviewed and updated.
Security policy is senior management's directives to create a computer security program, establish its goals, and assign responsibilities. Procedures are detailed steps to be followed to accomplish particular security-related tasks (for example, preparing new user accounts and assigning the appropriate privileges).

Finding results and issues:
▪ The auditee's Electronic Security for Public Records Policy was outdated.
▪ The auditee lacked written policies and procedures for certain IT functions (including security functions), or they were not sufficiently comprehensive or fully approved.
▪ The auditee did not have written security administration policies and procedures for an application.
▪ There was no written policy prohibiting the sharing of user and system administrator identifications.
▪ There were no written policies to prohibit the granting of workstation administrator rights to end-users.
▪ There were no written procedures for requesting, approving, assigning, and removing user access privileges.
▪ There were no written procedures addressing the erasure, data backup, or physical security of surplus IT property.
▪ The auditee did not follow its written property disposal procedures.
▪ The auditee had not established security protocols for controlling access through user names and passwords.
▪ The auditee had not established a process to ascertain the appropriateness of security controls for its vendor-owned application.
▪ There were no policies and procedures for monitoring access privileges to the application, or the security events were not monitored.
▪ The auditee allowed the use of instant messaging software on its computers without establishing a specific policy or procedures governing its secure use.
▪ There were no written policies and procedures for network and system administration functions such as configuration and management of routers, switches, and other security devices.
▪ No written policies and procedures existed for backup, recovery, and tape rotation of application data and programs.
▪ No written procedures existed for the security monitoring activities of the security administrator.
▪ The Department's security program, including its security policies and procedures, needed improvement.
▪ Neither the Department nor the divisions had written procedures in place addressing physical security for the server rooms.

Security Management, 4. Security Awareness Program (34 findings; 6 State agencies; 27 educational entities; 33 entities total)

Control description:
An ongoing security awareness program should be implemented that includes security briefings and training that is monitored for all employees with system access and security responsibilities. Training should be documented and monitored. Typical means for establishing and maintaining security awareness include:
▪ informing users of the importance of the information they handle and the legal and business reasons for maintaining its integrity and confidentiality
▪ distributing documentation describing security policies, procedures, and users' responsibilities, including their expected behavior
▪ requiring users to periodically sign a statement acknowledging their awareness and acceptance of responsibility for security and their responsibilities for following all organizational policies
▪ requiring comprehensive security orientation, training, and periodic refresher programs to communicate security guidelines to both new and existing employees and contractors.

Finding results and issues:
▪ The auditee had not developed a written security awareness training program or performed ongoing information technology security awareness training for all employees.
▪ The personnel file did not always include signed Acceptable Use of Information Technology Agreements, and the personnel file did not always include a signed Confidentiality and Non-Disclosure Agreement.
▪ The auditee's security awareness training program needed improvement.
▪ Security awareness training was not provided on a recurring basis.
▪ The Department did not retain documentation of employee participation in security awareness training activities.

Security Management, 5. Positions of Special Trust and Background Screening (8 findings; 8 State agencies; 0 educational entities; 8 entities total)

Control description:
For prospective employees, references should be checked and background checks performed. Nondisclosure or security access agreements should be required for employees and contractors assigned to work with sensitive information.

Finding results and issues:
▪ The auditee had not established a written policy for designating positions of special trust.
▪ The auditee had not performed level 2 background screenings with fingerprints for all employees or contractors in positions of special trust.
▪ The auditee's contract for application services did not require that appropriate background screenings be conducted of contractor staff, and adequate background checks were not performed for all contracted staff.
▪ The auditee had not identified which positions require access to confidential data or designated those positions as positions of special trust.
▪ The Department did not perform Federal background checks on one division's application contractors.
▪ Department policies contained inconsistent guidance regarding whether contractors could be considered as occupying positions of special trust.

Access Controls, 1. Boundary Controls (8 findings; 4 State agencies; 4 educational entities; 8 entities total)

Control description:
Networks should be appropriately configured to adequately protect access paths within and between systems, using appropriate technological controls (e.g., routers, firewalls, etc.).

Finding results and issues:
▪ Changes to firewall settings were not monitored.
▪ The auditee was unable to provide documentation of an approved baseline firewall configuration.
▪ The auditee had not installed a firewall to protect its network.
▪ An unauthorized wireless network was in use at the auditee's headquarters even though they monitored for rogue wireless devices.
▪ Default port settings had not been changed where necessary.
▪ There were no written policies and procedures for the use of firewalls.
▪ There was no written procedure to periodically review facilities for rogue wireless access points.
▪ Numerous wireless access points did not have the appropriate firmware.
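The first two findings under Boundary Controls (firewall changes not monitored; no documented approved baseline) are met by one control: keep the approved ruleset under change control and compare the running ruleset against it on a schedule, reporting every deviation. The following is an added example, not code from the audit report or from any auditee; it works on iptables-save style text, and both rulesets, including the host addresses in them, are constructed sample data.

```python
"""Compare a running firewall ruleset against an approved baseline.

Added example for the Boundary Controls technique; not part of the audit
report.  Input is iptables-save style text (constructed sample data below).
Rules are normalised (whitespace collapsed, packet/byte counters dropped) so
that only real rule changes show up as deviations.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the approved, documented baseline.
APPROVED_BASELINE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.5.0/24 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed sample: what is actually running.  Someone opened telnet to the
# world, dropped the source restriction on SSH, and flipped the INPUT policy.
RUNNING_CONFIG = """\
# constructed running configuration
*filter
:INPUT ACCEPT [1254:98213]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3321:402134]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 23 -j ACCEPT
COMMIT
"""

_COUNTERS = re.compile(r"\s*\[\d+:\d+\]$")


def parse_ruleset(text: str) -> Tuple[Dict[str, str], Set[str]]:
    """Return (chain policies, set of normalised rules) for a table dump.

    Comments, table markers, COMMIT lines and packet/byte counters are
    ignored so cosmetic differences do not count as changes.
    """
    policies: Dict[str, str] = {}
    rules: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):
            chain, policy = _COUNTERS.sub("", line[1:]).split()
            policies[chain] = policy
        elif line.startswith("-A"):
            rules.add(" ".join(line.split()))
    return policies, rules


def diff_against_baseline(baseline: str, running: str) -> List[str]:
    """Report every deviation of the running ruleset from the approved one.

    Each string is one finding: a changed chain policy, an added rule, or a
    removed rule.  An empty list means the running ruleset matches.
    """
    base_pol, base_rules = parse_ruleset(baseline)
    run_pol, run_rules = parse_ruleset(running)
    findings: List[str] = []
    for chain in sorted(set(base_pol) | set(run_pol)):
        if base_pol.get(chain) != run_pol.get(chain):
            findings.append(
                f"policy changed on {chain}: {base_pol.get(chain)} -> {run_pol.get(chain)}"
            )
    for rule in sorted(run_rules - base_rules):
        findings.append(f"rule added (not in approved baseline): {rule}")
    for rule in sorted(base_rules - run_rules):
        findings.append(f"rule removed from approved baseline: {rule}")
    return findings


if __name__ == "__main__":
    for finding in diff_against_baseline(APPROVED_BASELINE, RUNNING_CONFIG):
        print(finding)
```

Run from cron against `iptables-save` output (or the equivalent export of any firewall) and route a non-empty result to the change-management queue; a deviation that was not requested through change control is exactly the unmonitored change the finding describes.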

Access Controls, 2. User Identification (ID) and Authentication Controls - Application (51 findings; 17 State agencies; 27 educational entities; 44 entities total)

Control description:
Users or processes should be appropriately identified and authenticated through logical access controls. User authentication establishes the validity of a user's claimed identity, typically during access to a system or application. Logical controls should be designed to restrict legitimate users to the specific systems, programs, and files that they need and prevent others, such as hackers, from entering the system at all. Passwords are the most widely used means of authentication. Controls for protecting the confidentiality of passwords include:
▪ Individual users are uniquely identified rather than sharing group IDs.
▪ Generic user IDs and passwords are not used.
▪ Password selection is controlled by the user and is not subject to disclosure.
▪ Passwords are changed periodically, about every 30 days.
▪ Passwords are not displayed when entered.
▪ Passwords contain alphanumeric and special characters.
▪ Passwords have a minimum character length of at least 8 characters.
▪ Use of old passwords is prohibited.
▪ Vendor-supplied passwords are replaced immediately.
▪ Attempts to log on with invalid passwords are limited.

Finding results and issues:
These findings were for numerous types of applications, including financial, payroll/human resource, student, and others. In some cases, these weaknesses existed for more than one application for an auditee.

Application passwords and user IDs:
▪ Passwords were not required to log on to the application.
▪ User IDs and passwords were shared.
▪ Passwords were assigned by the security administrator and could not be changed by the user.
▪ Users were not required to change the password at initial logon.
▪ Password and logon controls did not enforce a password change interval, or the interval was too long.
▪ Password and logon controls did not enforce password complexity requirements.
▪ Password and logon controls did not enforce password minimum length requirements, or the minimum length was too short.
▪ Password and logon controls did not enforce password reuse rules (history), or the history setting was too short.
▪ Password and logon controls did not limit the number of allowed invalid access attempts, or the limitation was too high.
▪ Password and logon controls did not enforce a password-protected timeout for idle workstations, or the time set was too long.
▪ There were no password reset procedures for the security software.
▪ Accounts locked after three failed logon attempts were automatically unlocked at midnight.
▪ Users were automatically logged off the system after 120 minutes of inactivity instead of 30.
▪ The default superuser ID was not fully secured.
▪ Password age was set at 0 days.
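The parameters in the control description (a change interval of about 30 days, at least 8 characters, alphanumeric plus special characters, reuse prohibited, invalid attempts limited) and the findings that follow (password age 0, lockouts cleared automatically, a 120-minute idle timeout) map directly onto settings that can be checked mechanically. The following is an added example, not code from the audit report or from any auditee: it audits a constructed /etc/login.defs extract together with a small set of lockout and session settings against those parameters, and includes the complexity test a user-chosen password would have to pass. The 5-attempt lockout threshold and the 30-minute idle timeout are assumed values, since the control description only says "limited" and the finding cites 30 minutes as that auditee's own standard.

```python
"""Audit password and logon settings against the control description.

Added example, not part of the audit report.  Reads a constructed
/etc/login.defs style extract plus a dictionary of lockout/timeout settings
and returns findings worded like the audit table.  Thresholds marked
"assumed" are illustrative; the rest come from the control description.
"""
import re
from typing import Dict, List

MAX_CHANGE_INTERVAL_DAYS = 30   # "changed periodically, about every 30 days"
MIN_LENGTH = 8                  # "at least 8 characters"
MAX_INVALID_ATTEMPTS = 5        # assumed: the description only says "limited"
MAX_IDLE_MINUTES = 30           # assumed: the finding cites 30 as the standard
NEVER = 99999                   # login.defs convention for "never expires"

# Constructed sample: a permissive /etc/login.defs as found on a server.
SAMPLE_LOGIN_DEFS = """\
# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""

# Constructed sample: lockout and session settings gathered from the same host.
SAMPLE_LOGON_SETTINGS = {
    "lockout_threshold": 0,        # 0 = never lock the account
    "lockout_reset_minutes": 15,   # 0 = stays locked until an administrator acts
    "idle_timeout_minutes": 120,
    "history_size": 0,
    "complexity_enforced": False,
    "change_at_first_logon": False,
}


def parse_login_defs(text: str) -> Dict[str, int]:
    """Pull the numeric PASS_* settings out of login.defs text."""
    values: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(PASS_\w+)\s+(\d+)$", line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def meets_complexity(password: str) -> bool:
    """Letters, a digit, a special character, and at least MIN_LENGTH characters."""
    return (
        len(password) >= MIN_LENGTH
        and re.search(r"[A-Za-z]", password) is not None
        and re.search(r"\d", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def audit_password_policy(login_defs: Dict[str, int], logon: Dict[str, object]) -> List[str]:
    """Return one finding per control that the settings fail to enforce."""
    findings: List[str] = []
    max_days = login_defs.get("PASS_MAX_DAYS", NEVER)
    if max_days <= 0 or max_days >= NEVER:       # 0 and 99999 both mean "never"
        findings.append("password change interval not enforced (passwords never expire)")
    elif max_days > MAX_CHANGE_INTERVAL_DAYS:
        findings.append(f"password change interval too long ({max_days} days)")
    min_len = login_defs.get("PASS_MIN_LEN", 0)
    if min_len < MIN_LENGTH:
        findings.append(f"minimum password length too short ({min_len} < {MIN_LENGTH})")
    if not logon.get("complexity_enforced"):
        findings.append("password complexity not enforced")
    if int(logon.get("history_size", 0)) < 1:
        findings.append("password reuse not prohibited (no history)")
    threshold = int(logon.get("lockout_threshold", 0))
    if threshold <= 0:
        findings.append("invalid logon attempts not limited")
    elif threshold > MAX_INVALID_ATTEMPTS:
        findings.append(f"invalid logon attempt limit too high ({threshold})")
    reset = int(logon.get("lockout_reset_minutes", 0))
    if threshold > 0 and reset > 0:              # the "unlocked at midnight" case
        findings.append(f"locked accounts automatically unlock after {reset} minutes")
    idle = int(logon.get("idle_timeout_minutes", 0))
    if idle <= 0 or idle > MAX_IDLE_MINUTES:
        findings.append(f"idle timeout not enforced or too long ({idle} minutes)")
    if not logon.get("change_at_first_logon"):
        findings.append("users not required to change password at initial logon")
    return findings


if __name__ == "__main__":
    for finding in audit_password_policy(parse_login_defs(SAMPLE_LOGIN_DEFS),
                                         SAMPLE_LOGON_SETTINGS):
        print(finding)
```

The same checks apply unchanged to the database, network, operating system, web and workstation rows that follow; only the source of the settings differs (database profile parameters, domain policy, the application's own security table), which is why those rows repeat the same list of findings.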

Access Controls, 3. User ID and Authentication Controls - Database (19 findings; 4 State agencies; 12 educational entities; 16 entities total)

Control description:
Same description as shown above for User Identification (ID) and Authentication Controls - Application.

Finding results and issues:
Database passwords and user IDs:
▪ Password standards were not enforced.
▪ User IDs and passwords were shared for administering the database.
▪ Users were not required to change the password at initial logon.
▪ Password and logon controls did not enforce a password change interval, or the interval was too long.
▪ Password and logon controls did not enforce password complexity requirements.
▪ Password and logon controls did not enforce password minimum length requirements, or the minimum length was too short.
▪ Password and logon controls did not enforce password reuse rules (history), or the history setting was too short.
▪ Password and logon controls did not limit the number of allowed invalid access attempts, the limitation was set too high, or the user could bypass the control by using another session.
▪ Password and logon controls did not enforce a password-protected timeout for databases, or the time set was too long.
▪ Vendor default accounts had not been changed.

Access Controls, 4. User ID and Authentication Controls - Firewall (1 finding; 1 State agency; 0 educational entities; 1 entity total)

Control description:
Same description as shown above for User Identification (ID) and Authentication Controls - Application.

Finding results and issues:
Firewall passwords and user IDs:
▪ User IDs and passwords were shared for administering the firewall.
▪ Passwords did not expire, contrary to procedures.

Access Controls, 5. User ID and Authentication Controls - Network (42 findings; 7 State agencies; 34 educational entities; 41 entities total)

Control description:
Same description as shown above for User Identification (ID) and Authentication Controls - Application.

Finding results and issues:
Network passwords and user IDs:
▪ The network was not password protected.
▪ The password procedures were inconsistent.
▪ There were no password reset procedures for the network.
▪ Network passwords were not required to be changed upon initial logon.
▪ Password and logon controls did not enforce a password change interval, or the interval was too long.
▪ Password and logon controls did not enforce password complexity requirements.
▪ Password and logon controls did not enforce password minimum length requirements, or the minimum length was too short.
▪ Password and logon controls did not enforce password reuse rules (history), or the history setting was too short.
▪ Password and logon controls did not limit the number of allowed invalid access attempts, or the limitation was set too high.
▪ Password and logon controls did not enforce a password-protected timeout for the network, or the time set was too long.
▪ Local logons were used instead of managed network logons.
▪ The session lock function had not been activated, leaving users in control of setting or disabling the session lock function.
▪ The Division still needed to improve the authentication of FTP servers.
▪ Minimum password age was incorrectly set.

Access Controls, 6. User ID and Authentication Controls - Operating System (25 findings; 1 State agency; 24 educational entities; 25 entities total)

Control description:
Same description as shown above for User Identification (ID) and Authentication Controls - Application.

Finding results and issues:
Operating system passwords and user IDs:
▪ No password standards were enforced on the operating system.
▪ Security features had not been configured for the operating system, and any user could change their user identifier to a superuser.
▪ Users were not required to change the password at initial logon.
▪ Password and logon controls did not enforce a password change interval, or the interval was too long.
▪ Password and logon controls did not enforce password complexity requirements.
▪ Password and logon controls did not enforce password minimum length requirements, or the minimum length was too short.
▪ Password and logon controls did not enforce password reuse rules (history), or the history setting was too short.
▪ Password and logon controls did not limit the number of allowed invalid access attempts, or the limitation was set too high.
▪ Password and logon controls did not enforce a password-protected timeout for operating systems, or the time set was too long.
▪ Vendor default settings had not been changed for the servers.
▪ The default password parameters for some user accounts on production servers were overwritten to make them less restrictive.
▪ The root account and some user accounts on some production servers were set to never expire.
▪ Some operating system user IDs were shared among multiple users.

Access Controls, 7. User ID and Authentication Controls - Security Software (1 finding; 0 State agencies; 1 educational entity; 1 entity total)

Control description:
Same description as shown above for User Identification (ID) and Authentication Controls - Application.

Finding results and issues:
Security software passwords and user IDs:
▪ Password and logon controls did not enforce a password change interval, or the interval was too long.

Access Controls, 8. User ID and Authentication Controls - Web (3 findings; 3 State agencies; 0 educational entities; 3 entities total)

Control description:
Same description as shown above for User Identification (ID) and Authentication Controls - Application.

Finding results and issues:
Web interface passwords and user IDs:
▪ Password and logon controls did not enforce a password change interval, or the interval was too long.
▪ Password and logon controls did not enforce password complexity requirements.
▪ Password and logon controls did not enforce password reuse rules (history), or the history setting was too short.
▪ User IDs and passwords were shared among staff for the Web interface.
▪ The limitation on invalid logon attempts was set too high and automatically reset after 15 minutes.
▪ The automatic inactivity timeout was set at eight hours.

Access Controls, 9. User ID and Authentication Controls - Workstations (3 findings; 1 State agency; 2 educational entities; 3 entities total)

Control description:
Same description as shown above for User Identification (ID) and Authentication Controls - Application.

Finding results and issues:
Workstation passwords and user IDs:
▪ Password and logon controls did not enforce a password change interval, or the interval was too long.
▪ Password and logon controls did not enforce password complexity requirements.
▪ Password and logon controls did not enforce password minimum length requirements, or the minimum length was too short.
▪ Password and logon controls did not enforce password reuse rules (history), or the history setting was too short.
▪ Password and logon controls did not limit the number of allowed invalid access attempts on the workstations, the limitation was set too high, or the control could be bypassed.
▪ Password and logon controls could be changed or totally disabled by the user for the password-protected screen-savers on workstations.

Access Controls, 10. Access Authorization (21 findings; 8 State agencies; 9 educational entities; 17 entities total)

Control description:
To adequately control user accounts, an entity should institute policies and procedures for authorizing logical access to information resources and document such authorizations. Resource owners should have identified authorized users and the access they are authorized to have. Approved authorizations should be maintained on file.

Finding results and issues:
These findings were for access to numerous types of applications, including financial, payroll/human resource, student, and others. They were also related to access requests for the operating systems, databases, networks, and other information technology resources.
▪ Documentation of access authorization requests could not be provided because the documentation was not required or was not retained.
▪ Documentation of access authorization requests did not provide adequate evidence that the level of access granted was the same as requested, including not having adequate descriptions of what was being requested.
▪ Access privileges granted did not correspond to the access privileges authorized on the authorization forms.
▪ Documentation was not sufficient to determine the user's identity.
▪ Supervisory approvals were not required before access privileges were granted.
▪ There were no written procedures regarding authorization of access privileges.

Access Controls, 11. Appropriate Access Privileges (52 findings; 14 State agencies; 31 educational entities; 45 entities total)

Control description:
Access should be limited to individuals with a valid business purpose (least privilege).

Finding results and issues:
▪ Users had application update access that was not required for their duties or allowed them to perform incompatible duties.
▪ Security administration capabilities were inappropriately granted to individuals other than security administrators.
▪ An excessive number of application users were granted correction mode access.
▪ Users had full administrator rights on their workstations.
▪ Security was incorrectly set up and allowed users more access than needed.
▪ Individuals (users and IT staff) had access capabilities in various IT areas that were not required for their duties.
▪ IT staff performed incompatible IT-related duties (sometimes with the superuser account).
▪ More people than necessary had domain administration access capabilities to administer the servers.
▪ IT staff had end-user update access to the application.
▪ Help desk staff could enter data into the application for users.
▪ Individuals had unnecessary access capability to make changes to the application data files outside application controls.
▪ Default accounts were not appropriately restricted.
▪ There were incompatible duties between system administration and security administration.
▪ Logging in using the root ID was not disabled on the production servers.
▪ There were unnecessary duplicate accounts.
▪ Users' access could not be limited to only the finance or payroll datasets, thereby allowing some users, who only needed access to one of the datasets, to be assigned to both.
▪ Ninety-one users, including technical staff and end users, were assigned the transaction code privileges that allowed access to programs not necessary for their job functions.
▪ Contractor staff had been granted access to the application source code and administrative privileges to the application and database server and application management server software.
▪ Certain application users had an application profile that allowed access to social security administration information not needed for their job classification.
▪ A consultant had the capability of approving requisitions.

Access Controls, 12. Review of Access Privileges (15 findings; 8 State agencies; 5 educational entities; 13 entities total)

Control description:
Security managers should review access authorizations and discuss any questionable authorizations with resource owners. Resource owners should periodically review access authorizations for continuing appropriateness.

Finding results and issues:
▪ A review of application access privileges was not being performed on a periodic basis to ensure that access privileges remained appropriate and necessary.
▪ There was no documentation of a periodic review of user access rights.
▪ The security officer assigned user roles based on the employee's supervisor's recommendation, rather than a review of the employee's position description as required by auditee policy.
▪ There were no written requirements for data owners to conduct a periodic review of access to the data for which they were responsible.
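Techniques 10 through 12 above describe one reconciliation, run periodically by the resource owner: what the signed authorization forms approved, what the system actually grants, whether any one person holds incompatible duties across all of their accounts, and whether accounts exist with no identifiable owner. The following added example (not from the audit report or any auditee) performs that reconciliation over constructed data; the account names, role names and conflict pairs are hypothetical, and the findings it emits are worded to match the rows above (granted but not authorized, incompatible duties, duplicate accounts, generic accounts).

```python
"""Reconcile granted access against authorizations and separation-of-duties rules.

Added example for the Access Authorization, Appropriate Access Privileges and
Review of Access Privileges techniques; not part of the audit report.  The
authorization forms, the system's entitlement export and the conflict matrix
are constructed sample data with hypothetical names.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set

# Constructed: roles the signed authorization forms approve for each account.
AUTHORIZED: Dict[str, Set[str]] = {
    "jsmith": {"finance_inquiry"},
    "mlee":   {"payroll_update"},
    "rpatel": {"system_admin"},
    "dkim":   {"finance_update"},
}

# Constructed: entitlement export from the system (account -> owner, roles).
GRANTED: Dict[str, Dict[str, object]] = {
    "jsmith":   {"owner": "J. Smith", "roles": {"finance_inquiry", "finance_update"}},
    "mlee":     {"owner": "M. Lee",   "roles": {"payroll_update", "finance_update"}},
    "rpatel":   {"owner": "R. Patel", "roles": {"system_admin", "security_admin"}},
    "rpatel2":  {"owner": "R. Patel", "roles": {"system_admin"}},
    "dkim":     {"owner": "D. Kim",   "roles": set()},
    "helpdesk": {"owner": None,       "roles": {"finance_update"}},
}

# Constructed: pairs of roles one person must not hold at the same time.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"system_admin", "security_admin"}),
    frozenset({"finance_update", "payroll_update"}),
}


def reconcile(authorized: Dict[str, Set[str]],
              granted: Dict[str, Dict[str, object]],
              conflicts: Set[FrozenSet[str]]) -> List[str]:
    """Return the discrepancies a periodic access review should surface."""
    findings: List[str] = []

    # 1. Every granted role must trace to an approved authorization, and
    #    every approved role should actually be present (stale forms).
    for account, info in sorted(granted.items()):
        roles = set(info["roles"])
        approved = authorized.get(account)
        if approved is None:
            findings.append(f"{account}: no authorization on file for roles {sorted(roles)}")
            continue
        extra = roles - approved
        if extra:
            findings.append(f"{account}: granted roles not authorized: {sorted(extra)}")
        missing = approved - roles
        if missing:
            findings.append(f"{account}: authorized roles not granted: {sorted(missing)}")

    # 2. Incompatible duties are judged per person across all of that
    #    person's accounts, so splitting roles over two IDs does not hide them.
    roles_by_person: Dict[str, Set[str]] = defaultdict(set)
    for account, info in granted.items():
        key = str(info["owner"]) if info["owner"] is not None else account
        roles_by_person[key] |= set(info["roles"])
    for person, roles in sorted(roles_by_person.items()):
        for pair in sorted(conflicts, key=sorted):
            if pair <= roles:
                findings.append(f"{person}: incompatible duties {sorted(pair)}")

    # 3. Accounts with no individual owner, and duplicate accounts per person.
    accounts_by_owner: Dict[str, List[str]] = defaultdict(list)
    for account, info in granted.items():
        if info["owner"] is None:
            findings.append(f"{account}: generic/shared account with no individual owner")
        else:
            accounts_by_owner[str(info["owner"])].append(account)
    for owner, accounts in sorted(accounts_by_owner.items()):
        if len(accounts) > 1:
            findings.append(f"{owner}: duplicate accounts {sorted(accounts)}")
    return findings


if __name__ == "__main__":
    for finding in reconcile(AUTHORIZED, GRANTED, SOD_CONFLICTS):
        print(finding)
```

The output is the evidence the review finding asks for: a dated list of discrepancies that the resource owner signs off on, with each "granted but not authorized" line either re-approved on a form or removed.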

Access Controls, 13. Security Administration Monitoring and Logging Controls (19 findings; 6 State agencies; 12 educational entities; 18 entities total)

Control description:
All changes to security access authorizations should be automatically logged and periodically reviewed by management independent of the security function, and unusual activity should be investigated.

Finding results and issues:
▪ Security tables were not subject to logging and monitoring.
▪ Security events were logged, but they were not periodically reviewed.
▪ The application (and sometimes the database) did not have the functionality to maintain an audit log of security accesses.
▪ The system did not provide adequate logging of access privilege changes.
▪ The auditee had not implemented periodic reviews of the appropriateness of the security system settings.
▪ The history file that contained changes to file permissions, changes to file ownerships, and deletions of files had been inadvertently deleted.
▪ Logs of network access modifications made by security administrators did not exist.
▪ The security software did not have a logging function available, which prevented management from reviewing access modifications made within the security software.
▪ The division did not monitor security changes for the application or network.
▪ The division did not have security change logs for the application.

Access Controls, 14. Removal or Adjustment of Former or Reassigned Employee or Contractor Access (48 findings; 13 State agencies; 28 educational entities; 41 entities total)

Control description:
Inactive accounts and accounts for terminated or reassigned employees and contractors should be disabled, removed, or adjusted in a timely manner.

Finding results and issues:
▪ Former or reassigned employees (or contractors) continued to have active e-mail, mainframe, operating system, network, or database accounts.
▪ A former employee's user ID was being used by programming staff to run batch programs.
▪ Users who had been given temporary update access privileges retained access privileges beyond the time frame necessary.
▪ Former employees had their user IDs used beyond their termination date, and the auditee was unable to determine what activities were performed.
▪ The auditee did not document the date the employees' access privileges were removed from the application.
▪ There was no formal or timely process for notifying security administrators of employees leaving employment or changing positions.
▪ Auditee policy allowed for employees to access the auditee's network and e-mail for up to 30 days after terminating employment.
▪ Terminated employees continued to be defined as active in the network after termination.
▪ A contractor continued to have access to the source code library after his access termination request date.
▪ User accounts of former employees were not revoked timely and continued to have access beyond their termination dates.

Access Controls, 15. Restriction of Access to Sensitive Data (22 findings; 16 State agencies; 4 educational entities; 20 entities total)

Control description:
Access to sensitive/privileged accounts should be restricted to individuals or processes having a legitimate need for the purposes of accomplishing a valid business purpose. Password/authentication services and directories should be appropriately controlled and encrypted when appropriate.

Finding results and issues:
▪ The auditee collected and used certain employee social security numbers (SSNs) in the application with no specific authorization in law (in some cases as unique identifiers).
▪ The auditee did not have a policy or procedure for classification of application data as confidential, sensitive, or public; to address requests for employee-related nonpublic information; or to address physical security of documents containing nonpublic information.
▪ The auditee was inappropriately disclosing SSNs, contrary to State law.
▪ Instances were noted where vendor files containing SSNs were not adequately secured.
▪ Procedures for monitoring procurement record attachments for confidential information needed improvement.
▪ All passwords were stored in clear text.
▪ Security administrators could print a list of users and their respective passwords.
▪ User IDs and passwords were distributed in unencrypted e-mail.
▪ Steps had not been taken to ensure that staff were aware of policies regarding nonpublic information safeguards.
▪ Purchasing agreements and contracts did not contain clear and comprehensive security clauses prohibiting the disclosure of nonpublic information by vendors.
▪ There were no procedures to address cleansing or destroying electronic media that was to be disposed of, and some media were not completely erased.
▪ Accurate documentation regarding surplus computers was not always maintained.
▪ Effective security controls had not been established for compact discs containing protected data that were distributed to other entities.
▪ The District did not adequately sanitize the hard drives of surplus equipment.

Access Controls, 16. Transmission Controls (3 findings; 2 State agencies; 1 educational entity; 3 entities total)

Control description:
Cryptographic tools should be implemented to protect the integrity and confidentiality of sensitive and critical data and software programs where appropriate. Encryption procedures should be implemented in data communications where appropriate based on risk.

Finding results and issues:
▪ Confidential and sensitive information was not adequately protected during transmission to outside entities.
▪ Secure transmission was not used when remotely accessing the network, and remote access did not go through a firewall.
▪ The auditee utilized unencrypted telnet and unencrypted file transfer protocol.
▪ Office applications were not encrypted, and traffic over the network, including transfer of bank accounts and SSNs, was not encrypted between the District and Headquarters offices.

Access Controls, 17. Monitoring and Logging Controls (40 findings; 11 State agencies; 17 educational entities; 28 entities total)

Control description:
An effective intrusion detection system should be implemented, including appropriate placement of intrusion-detection sensors and incident thresholds. An effective process should be established, based on a risk assessment, to identify auditable events that will be logged. All auditable events, including modifications of sensitive or critical system resources, should be logged. Audit records should contain appropriate information for effective review, including sufficient information to establish what events occurred, when the events occurred, the source of the events, and the outcome of the events. Audit records should also be retained long enough to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

Finding results and issues:
▪ The auditee had not established appropriate security standards for logging user activity within the application.
▪ The auditee lacked the capability to log user activity on the network.
▪ Logging was not enabled on the database.
▪ Although the auditee logged modifications of sensitive or critical tables, files, and transactions, there was no periodic review of the logs.
▪ The tracking list was not always reviewed daily as required.
▪ There were no logs documenting the computers for which the hard drives were erased or when and by whom the erasure had been performed.
▪ The lack of auditee monitoring and logging reports prevented the auditee from determining if generic user IDs had been used.
▪ Application, database, and network activity and performance were not monitored.
▪ The console log did not provide sufficient detail to clearly describe the change made or identify the person who made the change.
▪ Auditee monitoring procedures did not include monitoring a subrecipient-established application's security policies and controls during the fiscal year.
▪ The auditee was unable to provide documentation showing where employees acknowledged that they had reviewed the system logs for inappropriate activity.
▪ There was no intrusion detection system installed on the production servers, and the servers and network traffic were not monitored.
▪ There was no notification to IT support staff of repeated unsuccessful access attempts.
▪ The auditee did not monitor or review application security events such as accesses to and modifications of critical tables and files.
▪ Accounts with sensitive privileges did not have the audit flag enabled, and the logs that were created were missing certain days' activity.
▪ Oracle database auditing was not enabled, and actions taken by the system account were not recorded.
▪ There were no procedures in place regarding monitoring of security events or breaches to the applications or databases.
▪ The Department did not have available logging activated to record the activities of individuals using inherently risky application functions.
▪ Logs identifying invalid access attempts and intruder lockouts for the network were not periodically reviewed.

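As an added illustration (not part of the audit report), the following Python routine applies the logging expectations above to constructed sample records: it checks that each audit record carries the what/when/source/outcome fields, flags activity under generic user IDs, and raises a notice when one account accumulates repeated unsuccessful access attempts within a short window. The key=value log format, the generic-ID list, and the threshold values are assumptions chosen for the example.

```python
"""Added example (not from the audit report): a small log-review routine
that applies the monitoring and logging expectations above to constructed
sample records.  Field names, generic IDs and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Every audit record must establish what, when, source, and outcome
REQUIRED_FIELDS = ("ts", "user", "event", "source", "outcome")
# Accounts that cannot be traced to one person (assumed naming convention)
GENERIC_USER_IDS = {"admin", "guest", "operator", "sysadmin"}
FAILED_THRESHOLD = 3              # repeated unsuccessful attempts ...
WINDOW = timedelta(minutes=10)    # ... within this window trigger a notice

# Constructed sample log lines in an assumed key=value format
SAMPLE_LOG = """\
ts=2009-06-01T08:00:02 user=jsmith event=login source=10.0.0.5 outcome=success
ts=2009-06-01T08:01:10 user=admin event=update_table table=PAYROLL source=10.0.0.9 outcome=success
ts=2009-06-01T08:02:00 user=rlee event=login source=10.0.0.7 outcome=failure
ts=2009-06-01T08:03:30 user=rlee event=login source=10.0.0.7 outcome=failure
ts=2009-06-01T08:05:12 user=rlee event=login source=10.0.0.7 outcome=failure
ts=2009-06-01T08:06:00 user=mkhan event=delete_file source=10.0.0.3
ts=2009-06-01T09:00:00 user=rlee event=login source=10.0.0.7 outcome=failure
"""

def parse_line(line):
    """Split one key=value record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def review_log(text):
    """Return a dict of review results: records missing required fields,
    generic-ID activity, and users exceeding FAILED_THRESHOLD failed
    logins inside WINDOW (the IT support notification list)."""
    records = [parse_line(l) for l in text.splitlines() if l.strip()]
    incomplete, generic, failures = [], [], defaultdict(list)
    for n, rec in enumerate(records, 1):
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:                      # record cannot support a review
            incomplete.append((n, missing))
            continue
        if rec["user"] in GENERIC_USER_IDS:
            generic.append((n, rec["user"], rec["event"]))
        if rec["event"] == "login" and rec["outcome"] == "failure":
            failures[rec["user"]].append(datetime.fromisoformat(rec["ts"]))
    notify = []
    for user, times in failures.items():
        times.sort()
        # sliding window: compare each failure with the one THRESHOLD-1 back
        for i in range(FAILED_THRESHOLD - 1, len(times)):
            if times[i] - times[i - FAILED_THRESHOLD + 1] <= WINDOW:
                notify.append(user)
                break
    return {"incomplete": incomplete, "generic": generic, "notify": notify}

if __name__ == "__main__":
    for key, value in review_log(SAMPLE_LOG).items():
        print(key, value)
```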
Control Category: Access Controls
Control Technique: 18. Physical Security Controls
Control Description: Physical security controls should be implemented to restrict physical access to computer resources, including:
▪ primary computer facilities
▪ cooling system facilities
▪ network devices such as routers and firewalls
▪ terminals used to access a computer
▪ access to network connectivity
▪ computer file storage areas
▪ telecommunications equipment and transmission lines.
Access should be limited to those individuals who routinely need access through the use of guards, identification badges, or entry devices such as key cards. Management should conduct a regular review of individuals with physical access to sensitive facilities to ensure such access is appropriate.
Finding Results and Issues:
▪ Physical access to the computer data center was not always effectively restricted.
▪ Access to the data center was not removed for individuals who had terminated employment.
▪ Sensitive, nonpublic, or proprietary information was stored in an unlocked location.
▪ Documentation did not always support adherence to the policy requirement of at least two employees being present in the vault at all times while it is open.
▪ Access to the server or network room was not restricted to only staff who required access to perform server or network maintenance work.
▪ The Department did not periodically review the appropriateness of physical access privileges to the servers.
▪ Sixteen key fob or key pad combination assignments were not appropriate.
▪ There was a hole in the door above the door knob that was large enough to allow a person to open the door from the inside.
▪ Maintenance staff had keys providing unrestricted access to the server room.
No. of Findings: 7; No. of State Agencies: 6; No. of Educational Entities: 0; Total No. of Entities: 6

Control Category: 3. Configuration Management
Control Technique: 1. Software Patch Management
Control Description: An effective patch management process should be documented and implemented, including:
▪ identification of systems affected by recently announced software vulnerabilities
▪ prioritization of patches based on system configuration and risk
▪ appropriate installation of patches on a timely basis, including testing for effectiveness and potential side effects on the entity's systems
▪ verification that patches, service packs, and emergency fixes were appropriately installed on affected systems.
Finding Results and Issues:
▪ Systems used versions of software that were no longer supported by the vendor.
▪ The auditee's patch management software was not a current version.
▪ The anti-virus software that was used on some desktop clients and servers did not have the current patch version installed.
▪ The operating system did not have the current patch version installed.
▪ The auditee did not require programmers to complete a record of work, including workflow authorization signatures, when implementing patches and updates for system software.
▪ Department policy had not been updated to address security patches for the Division's new operating system environment.
No. of Findings: 5; No. of State Agencies: 4; No. of Educational Entities: 1; Total No. of Entities: 5

Control Category: 4. Separation of Duties
Control Technique: 1. Database Controls
Control Description: Data administration involves planning for and administering the data used throughout the entity. Documented job descriptions should accurately reflect assigned duties and responsibilities and segregation of duty principles. All employees should fully understand their duties and responsibilities and should carry out those responsibilities in accordance with their job descriptions.
Finding Results and Issues:
▪ Policies and procedures had not been provided for database administration responsibilities and activities, and data storage procedures had not been defined.
No. of Findings: 3; No. of State Agencies: 0; No. of Educational Entities: 3; Total No. of Entities: 3

Control Category: Separation of Duties
Control Technique: 2. Computer Operations Controls
Control Description: Detailed, written instructions should exist and be followed for the performance of work. Instruction manuals should provide guidance on system operation. Application run manuals should provide instruction on operating specific applications.
Finding Results and Issues:
▪ There were no procedures in place to ensure that all jobs were authorized and scheduled.
▪ Auditee staff did not follow established job scheduling procedures, resulting in discrepancies in balances on the general ledger master file.
No. of Findings: 2; No. of State Agencies: 2; No. of Educational Entities: 0; Total No. of Entities: 2

Control Category: 5. Contingency Planning
Control Technique: 1. Environmental Controls
Control Description: Fire detection and suppression devices should be installed and working (smoke detectors, fire extinguishers, and sprinkler systems). Controls should be implemented to mitigate other disasters (floods, earthquakes, terrorism). Building plumbing lines should not endanger the computer facility. A UPS or backup generator should be provided. Humidity, temperature, and voltage should be controlled.
Finding Results and Issues:
▪ A fire suppression system was not installed at the data center.
▪ The data center had a wet pipe fire suppression system with water pipes directly over IT equipment.
▪ The division server room did not have raised floors or water detectors.
▪ The temperature and humidity in the server room were not monitored.
▪ There was no automatic monitoring of the air conditioning, and it was not on a separate circuit.
▪ The fire extinguishers had a last recorded maintenance date of May 2005 and December 2000.
No. of Findings: 4; No. of State Agencies: 1; No. of Educational Entities: 3; Total No. of Entities: 4

Control Category: Contingency Planning
Control Technique: 2. Performance Management
Control Description: Records should be maintained on the actual performance in meeting service schedules. Problems and delays encountered, the reason, and the elapsed time for resolution should be recorded and analyzed to identify recurring patterns or trends. Senior management should periodically review and compare the service performance achieved with the goals and surveys of user departments to see if their needs are being met.
Finding Results and Issues:
▪ The auditee did not log, monitor, or review performance of the application.
▪ The auditee did not log, monitor, or review performance of the database.
▪ The auditee did not log, monitor, or review performance of the network.
No. of Findings: 2; No. of State Agencies: 0; No. of Educational Entities: 2; Total No. of Entities: 2

Control Category: Contingency Planning
Control Technique: 3. Contingency Plan Development, Modification, and Testing
Control Description: A contingency plan should be documented that:
▪ is based on clearly defined contingency planning policy
▪ reflects current conditions, including system interdependencies
▪ has been approved by key affected groups, including senior management, information security and data center management, and program managers
▪ clearly assigns responsibility for recovery
▪ includes detailed instructions for restoring operations
▪ identifies the alternate processing facility and the backup storage facility
▪ includes procedures to follow when the data/service center is unable to receive or transmit data
▪ identifies critical data files
▪ is detailed enough to be understood by all entity managers
▪ includes computer and telecommunications hardware compatible with the entity's needs
▪ includes necessary contact numbers
▪ includes appropriate system-recovery instructions
▪ has been distributed to all appropriate personnel
▪ has been coordinated with related plans and activities.
The contingency plan should also be periodically tested under conditions that simulate a disaster.
Finding Results and Issues:
▪ The auditee's security over backup tapes being transported off-site was deficient, or the off-site facility was too close to the data center.
▪ The disaster recovery plan did not address key elements such as prioritization of critical operations and data, provisions for backup personnel, allowable outage times before activating the alternate site, procedures to follow when the regional data center is inoperable, what responsibilities were assigned to the Recovery Team, and what supplies, forms, and support equipment would be needed at the alternate site.
▪ The alternate site was within close proximity to the data center, and a second alternate site was not addressed.
▪ The disaster recovery plan had not been tested, or all critical applications had not been tested.
▪ The IT disaster recovery plan was in draft form and had not been officially adopted, or had not been fully implemented.
▪ Sole responsibility for disaster recovery rested with one individual without a named alternate.
▪ The disaster recovery plan had not been updated to include current software, hardware, processes, and procedures.
▪ The disaster recovery plan was not a comprehensive, management-approved document prepared based on the identification of disaster or disruption scenarios, criteria to initiate the recovery process, and recovery strategies.
▪ The auditee's signed agreement with the regional data center did not include the regional data center's commitment to resume services within two weeks of disruption of service or other responsibilities.
▪ Backup images were copied to tape only once a week and cycled off-site, hampering the Department's ability to completely recover lost data by using the off-site backup tapes.
▪ The disaster recovery plan had not been updated to reflect current staff or current backup operating procedures.
▪ The Department did not have a Departmentwide disaster recovery plan that included procedures for annual testing and applied to all critical Department IT resources.
No. of Findings: 20; No. of State Agencies: 6; No. of Educational Entities: 14; Total No. of Entities: 20

Control Category: 6. Application Level General Controls
Control Technique: 1. Application Program Change Controls
Control Description: Entities need to proactively manage changes to system environments, application functionality, and business processes to reasonably assure financial data and process integrity. Entities should restrict and monitor access to program modifications and changes to configurable objects in the production environment. Most application configuration changes are managed using a staging process. The staging process allows the entity to develop and unit test changes to an application within the development environment, transport the changes into a quality assurance environment for further system and user acceptance testing and, when the tests have been completed and the changes are approved, transport the changes into the production environment.
Finding Results and Issues:
▪ Programming staff did not follow established policies and procedures.
▪ There was no mechanism to detect and log program changes being moved to production.
▪ Program change requests lacked documentation to substantiate that the changes made were appropriately authorized, tested, and approved for implementation.
▪ Programs were programmed, tested, and moved by the same person.
▪ Programmers had access to production code and the production job scheduler.
▪ Users had update access to production code.
▪ The work order status was not closed for completed change requests.
▪ There was no supervisory review to ensure required approvals were in place.
▪ Change control standards and manuals were outdated.
▪ A user acceptance test environment did not exist.
▪ Documentation of independent testing could not be provided.
▪ Procedures did not require that program changes moved to production be logged, reviewed, or monitored by supervisory staff.
▪ The development software did not provide the capability to retain historical logs of program changes.
▪ The auditee had not activated the design lock feature to preclude concurrent development of the same program.
▪ Development software did not control developers' access to data.
▪ Change management procedures lacked provision for approvals of emergency changes and minimal ad hoc changes.
▪ Testing of program changes was performed in the production environment.
▪ There was no Information System Development Methodology.
▪ The auditee did not require programmers to complete a record of work, including work flow authorization signatures, when implementing configuration changes or database upgrades.
▪ The software development plan did not document the roles of some project staff and had not been updated to reflect changes in project staff that had occurred.
No. of Findings: 45; No. of State Agencies: 14; No. of Educational Entities: 14; Total No. of Entities: 28

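Added example, not from the report or any audited entity: a Python review of constructed program-change records against the staging and separation-of-duties expectations above. It flags changes the developer also tested or promoted, testing done in production, missing testing or approval documentation, work orders left open after promotion, and production moves in the promotion log that are not tied to an approved request. The record layout, role names, and status values are assumptions.

```python
"""Added example (not from the audit report): review of constructed
program-change records against the staging and separation-of-duties
expectations above.  Record layout, role names and status values are
assumptions made for illustration."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class ChangeRecord:
    request_id: str
    developer: str
    tester: Optional[str]      # who performed independent testing
    approver: Optional[str]    # who approved promotion to production
    promoter: Optional[str]    # who moved the code into production
    tested_in: Optional[str]   # environment where testing took place
    status: str                # "open" or "closed"

@dataclass
class PromotionLogEntry:
    request_id: Optional[str]  # None when the move was not tied to a request
    promoter: str

def review_change(rec: ChangeRecord) -> List[str]:
    """Return the control exceptions for one change record."""
    issues = []
    if rec.tester is None or rec.approver is None:
        issues.append("missing documented testing or approval")
    if rec.developer in (rec.tester, rec.promoter):
        issues.append("developer also tested or promoted own change")
    if rec.tested_in == "production":
        issues.append("testing performed in production environment")
    if rec.promoter is not None and rec.status != "closed":
        issues.append("work order not closed after promotion")
    return issues

def review_promotions(records, log) -> List[PromotionLogEntry]:
    """Production moves in the promotion log with no approved request."""
    approved = {r.request_id for r in records if r.approver is not None}
    return [e for e in log if e.request_id not in approved]

# Constructed sample data
RECORDS = [
    ChangeRecord("CR-101", "alice", "bob", "carol", "dave", "qa", "closed"),
    ChangeRecord("CR-102", "erin", "erin", "carol", "erin", "production", "open"),
    ChangeRecord("CR-103", "frank", None, None, "dave", "qa", "closed"),
]
PROMOTION_LOG = [
    PromotionLogEntry("CR-101", "dave"),
    PromotionLogEntry("CR-103", "dave"),   # promoted although never approved
    PromotionLogEntry(None, "erin"),       # move not tied to any request
]

if __name__ == "__main__":
    for r in RECORDS:
        print(r.request_id, review_change(r) or ["no exceptions"])
    print("unapproved moves:",
          [e.request_id for e in review_promotions(RECORDS, PROMOTION_LOG)])
```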
Control Category: Application Level General Controls
Control Technique: 2. Documentation Controls
Control Description: Documentation should be updated when a new or modified system is implemented.
Finding Results and Issues:
▪ Flow and management of data had not been documented for certain system functions, including financial, payroll/personnel, and student applications.
▪ The Division had not developed application user documentation.
▪ There were no user manuals, diagrams, or system documentation for the application.
No. of Findings: 3; No. of State Agencies: 1; No. of Educational Entities: 1; Total No. of Entities: 2

Control Category: 7. Business Process Controls
Control Technique: 1. Input Controls
Control Description: Appropriate edits should be used to reasonably assure that data are valid and recorded in the proper format. Procedures should also be established to reasonably assure that all inputs into the application have been accepted for processing and accounted for, and that any missing or unaccounted for source documents or input files have been identified and investigated. The procedures should specifically require that exceptions be resolved within a specified time period.
Finding Results and Issues:
▪ Auditee scanning and indexing guidelines did not include provisions for supervisory or independent review of information scanned and stored in the application.
▪ The scanner used to input documents into the application automatically assigned document numbers, thus providing a total count of documents scanned, but staff did not perform record counts prior to scanning and were unable to compare the quantity of documents processed to the system count.
▪ The auditee did not require adequate authentication of the data submitted on a payment form for vendors, which resulted in a fraud perpetrated by a third party.
▪ There was no standardization for addresses in the application database.
▪ When group services were provided, the services for the customers within the groups were not being entered into the application.
No. of Findings: 5; No. of State Agencies: 4; No. of Educational Entities: 0; Total No. of Entities: 4

Control Category: Business Process Controls
Control Technique: 2. Transaction Data Processing Controls
Control Description: Application processing of input data should be automated and standardized. System entries should use transaction logs to reasonably assure that all transactions are properly processed and to identify the transactions that were not completely processed. Transactions with errors should be rejected or suspended from processing until the error is corrected.
Finding Results and Issues:
▪ The auditee did not timely address processing errors resulting from the daily data upload process.
▪ There was not an automatic address cross-match between entities to determine if any sexual predator or offender addresses were in the application database.
▪ The auditee did not fully utilize all the functional capabilities available in the system and continued to rely on workarounds and alternate systems in lieu of system functionality.
▪ The salary refund calculation of net pay contained a programming error.
▪ Deficiencies continued to exist in the 2008 tax rate calculation process.
▪ A programming error existed within the approval process for compromise waivers.
No. of Findings: 6; No. of State Agencies: 5; No. of Educational Entities: 0; Total No. of Entities: 5

Control Category: Business Process Controls
Control Technique: 3. User Controls
Control Description: Periodic reconciliations should be performed and exceptions should be appropriately handled.
Finding Results and Issues:
▪ There were no procedures requiring monthly reconciliations between the audited system and FLAIR.
▪ The audited system's consolidated data was not analyzed for potential overpayments.
▪ There was no formal review by management to ensure that changes or overrides to certain application controls had been made in accordance with established State law.
▪ The auditee lacked reconciliation procedures.
▪ The auditee did not consistently document the release of output data tapes to other entities.
▪ Claims were not reviewed in a timely manner.
▪ Reports included misstatements or incorrect calculations.
▪ Exception reports were not reviewed by the appropriate administrative staff.
▪ There was no control in place to prevent a failed input file from being deleted before the file was reloaded by the assigned staff.
▪ Effective procedures for the review of the corrections of errors on the failed file did not exist to ensure that the errors were followed up on.
No. of Findings: 13; No. of State Agencies: 8; No. of Educational Entities: 1; Total No. of Entities: 9

Control Category: 8. Interface Controls
Control Technique: 1. Data Exchange Controls
Control Description: Procedures should include a complete list of interfaces to be run, the timing of the interface processing, how it is processed, and how it is reconciled. A positive acknowledgement scheme should be used to ensure that files sent from a source system are received by the target system. The files generated by an application interface should be properly secured from unauthorized access and/or modifications.
Finding Results and Issues:
▪ Although data exchange errors were generated, they were deleted after seven days if not addressed.
▪ The auditee did not retain documentation evidencing that data had been requested at least quarterly.
▪ The auditee had not negotiated an agreement with another entity for the provision of data at needed intervals.
No. of Findings: 2; No. of State Agencies: 2; No. of Educational Entities: 0; Total No. of Entities: 2

Control Category: 9. Data Management System Controls
Control Technique: 1. Transaction History Logging
Control Description: Logging and monitoring controls should be in place at the data management system level that effectively satisfy requirements to accurately identify historical system activity and data access.
Finding Results and Issues:
▪ Transaction logging was either not in place within several applications, or data logs only recorded the most recent user ID, date updated, and panel updated, but did not record the actual data fields changed.
▪ Although changes to data files were recorded, the information was not reviewed.
▪ Updates to datasets were not logged by the system to establish responsibility for such changes and to allow for proper monitoring and review.
No. of Findings: 3; No. of State Agencies: 2; No. of Educational Entities: 1; Total No. of Entities: 3
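Added example, not from the report: a Python sketch of field-level transaction history logging of the kind the findings above describe as missing. Each update records who changed which field, from what to what, and when, so that the record can be reconstructed as it stood at any earlier time for after-the-fact review. The table layout, field names, and sample values are constructed for the example.

```python
"""Added example (not from the audit report): a field-level transaction
history log that records who changed which data field, from what to what,
and when, instead of only the most recent user ID and date.  Table layout
and sample values are constructed for illustration."""

class AuditedTable:
    """Rows keyed by id.  Every update appends one history entry per
    changed field; entries are never overwritten or pruned here."""

    def __init__(self):
        self.rows = {}
        self.history = []   # append-only list of dicts

    def update(self, row_id, changes, user, ts):
        """Apply `changes` (field -> new value) on behalf of `user`.
        `ts` is an ISO-8601 timestamp string, so it sorts as text."""
        row = self.rows.setdefault(row_id, {})
        for fld, new in changes.items():
            old = row.get(fld)
            if old == new:          # an unchanged field leaves no trail
                continue
            self.history.append({"row": row_id, "field": fld, "old": old,
                                 "new": new, "user": user, "ts": ts})
            row[fld] = new

    def who_changed(self, row_id, fld):
        """Every user who ever changed one field of one row, oldest first."""
        return [h["user"] for h in self.history
                if h["row"] == row_id and h["field"] == fld]

    def as_of(self, row_id, ts):
        """Replay the history to reconstruct a row as it stood at `ts`."""
        state = {}
        for h in self.history:
            if h["row"] == row_id and h["ts"] <= ts:
                state[h["field"]] = h["new"]
        return state

def demo():
    """Constructed sample: two users edit one vendor payment record."""
    t = AuditedTable()
    t.update("V-17", {"payee": "ACME Corp", "amount": 1200}, "jsmith", "2009-03-02T09:00")
    t.update("V-17", {"amount": 9200}, "rlee", "2009-03-05T16:30")
    t.update("V-17", {"payee": "ACME Corp"}, "rlee", "2009-03-06T08:00")  # no change
    return t

if __name__ == "__main__":
    t = demo()
    print(t.who_changed("V-17", "amount"))       # everyone who touched the amount
    print(t.as_of("V-17", "2009-03-03T00:00"))   # the row before rlee's edit
```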
TOTAL FINDINGS 613