Internal Audit Report. Post Implementation Review PeopleSoft Project Costing TxDOT Internal Audit Division

Transcription

1 Internal Audit Report Post Implementation Review PeopleSoft Project Costing TxDOT Internal Audit Division

2 Objective To determine if the implementation for project costing and the control design provides for effective and efficient business operations. Opinion Based on the audit scope areas reviewed, control mechanisms are effective and substantially address risk factors and exposures considered significant relative to impacting reporting reliability, operational execution, and compliance. The organization's system of internal controls provides reasonable assurance that key goals and objectives will be achieved despite control gap corrections and improvement opportunities identified. Control gap corrections and improvement opportunities identified have the potential to negatively impact the achievement of the organization's business/control objectives. Overall Engagement Assessment Satisfactory No findings were identified through the course of fieldwork; however, an observation with a recommendation has been provided in this report which could further improve the system access evaluation process for the project costing module in the Financial Management Division. Control Environment TxDOT implemented the Oracle PeopleSoft (PeopleSoft) Project Costing (PC) module in October 2014 and added customized functionality to drive efficiencies in operational and reporting functionality. Although PC relies on interfaces from other modules and systems (e.g., PeopleSoft Accounts Payable, SiteManager, Right of Way Information System), daily reviews of automated reports are performed to confirm the accuracy and reliability of information in the PC module. Financial Management Division has noted discrepancies in the data produced by the automated reports generated through Structured Query Language (SQL). As a result, compensatory controls have been implemented by the Financial Management Division (FIN) to perform additional reviews to identify and correct erroneous data. The PeopleSoft PC module implementation delivered efficiencies to the project costing process and subsequently decreased the amount of time to manage project costs throughout the project life-cycle. The PC module is supported by TxDOT employees, as well as, a third party service provider (vendor). The vendor supporting the PeopleSoft application software is also responsible for correcting module issues and developing query reports for TxDOT users. TxDOT system administrators who also support the module will approve and review changes completed by this vendor. Summary Results No findings were identified, based on fieldwork performed. The scope areas below were evaluated and were designed and operating satisfactorily: August

3 Finding Scope Area Evidence 3 of 1934 (.2%) employees with access to Project Costing on June 7, 2016 were found to be terminated on May 31, 2016 None User Roles 6 of 127 (5%) employees who transferred to a new role and Identified no longer needed Project Costing access still maintained read-only access. This presents minimal risk as read-only access is permissible to employees across TxDOT. None Identified Data Accuracy and Reliability 83 of 83 (100%) projects tested were loaded correctly from Design and Construction Information System (DCIS) and activated in PeopleSoft 10 of 10 (100%) projects tested with amounts reported via a FIN overrun query were validated against data in PeopleSoft 10 of 10 (100%) project totals tested in PeopleSoft reconciled to project totals in SiteManager Audit Scope Audit testing was completed on PeopleSoft Project Costing for the period May 1, 2015 through May 31, User roles and PeopleSoft Project Costing access were evaluated to determine adequate control design and operating effectiveness exists to provide segregation of duties. Additional user access testing was performed to determine if authorized access is adequately monitored and maintained. A sample of TxDOT projects, including a representation of those that are high dollar amount and geographically dispersed, was selected for further control design and operating effectiveness testing. The sample project data was tested for data accuracy and reliability between PeopleSoft Project Costing and SiteManager. Additional testing was performed to verify data accuracy and reliability in PeopleSoft Project Costing from data that originated in DCIS. In addition, a random sample of projects listed on a FIN overrun query was also selected to determine the accuracy and reliability of overrun reporting The audit was performed by Jessica Esqueda, Jehryca Rayford, Ky Stafford and Casey Kopcho (Engagement Lead). The audit was conducted during the period from May 23, 2016 to July 29, Methodology The methodology used to complete the objectives of this audit included: Reviewed TxDOT internal documents, including Financial Management Division (FIN) and Information Management Division (IMD) policy and procedure manuals, organization charts, process maps, and management reports Reviewed state codes and manuals, including State of Texas Procurement manual, Texas Government Code, and Texas Administrative Code sections for purchase rules Reviewed prior audit reports from TxDOT s Internal Audit Division, and Texas State Auditor s Office Evaluated control design and operating effectiveness of the project costing process August

4 Reviewed the Financial Supply Chain Management (FSCM) Functional Roles and Responsibilities for Project Costing between May 1, 2015 and May 31, 2016 which was used as the criteria for access security policy Reviewed employees assigned FSCM Project Costing roles between May 1, 2015 and May 31, 2016 to validate access was in accordance with security policy Tested PeopleSoft Project Costing employee access against list of terminated and transferred employees to validate access management for departed employees as of June 7, 2016 Interviewed key stakeholders, including staff and management, from IMD and FIN Through data analysis and random sampling in production environment: o Tested data where project cost overruns were identified o Tested data for project set-up from Design and Construction Information System (DCIS) Through data analysis and stratified sampling in production environment: o Tested data processed between SiteManager and PeopleSoft Project Costing Background This report is prepared for the Texas Transportation Commission and for the Administration and Management of TxDOT. The report presents the results of the Post Implementation Review PeopleSoft - Project Costing which was conducted as part of the Fiscal Year 2016 Audit Plan. TxDOT implemented a new Oracle PeopleSoft system in October PeopleSoft is an integrated suite of software, which provides a common technology platform across core business areas of human resources, finance, supply chain, and payroll. The TxDOT PeopleSoft system replaced over 20 mainframe and legacy systems in Finance, Human Resources, and General Services. The new PeopleSoft consists of three main applications: Financial Supply Chain Management (FSCM), Enterprise Learning Management (ELM), and Human Capital Management (HCM). The FSCM application includes project costing, procurement, contracts and purchasing, as well as, other finance functions (e.g. accounts payable, asset management, billing, general ledger, and inventory). The project costing function in the FSCM module was reviewed for this audit. In the FSCM module, the Project Costing function relies on data interfaces with other systems. Project information is first set up in the Design and Construction Information System (DCIS) by individuals at the district and division level. The Letting Management team in FIN downloads DCIS extracts and reviews project data for completeness and accuracy before activating the project within PeopleSoft Project Costing. Once activated, an individual project may receive expenditure data from multiple systems (e.g., SiteManager, Right of Way Information System, electronic Grants). The primary source of expenditure information in PeopleSoft Project Costing originates in SiteManager, a project management system provided by American Association of State Highway and Transportation Officials (AASHTO). Project costing data is monitored by FIN to determine if additional funds are necessary to avoid cost overruns on any particular project. Upon project completion, FIN utilizes PeopleSoft Project Costing to perform closeout reviews and final billing, if necessary. We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards and in conformance with the International Standards for the Professional August

5 Practice of Internal Auditing. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. Recommendations to mitigate risks identified were provided to management during the engagement to assist in the formulation of the management action plans included in this report. The Internal Audit Division uses the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Integrated Framework version A defined set of control objectives was utilized to focus on reporting, operational, and compliance goals for the identified scope areas. Our audit opinion is an assessment of the health of the overall control environment based on (1) the effectiveness of the enterprise risk management activities throughout the audit period and (2) the degree to which the defined control objectives were being met. Our audit opinion is not a guarantee against reporting misstatement and reliability, operational sub-optimization, or non-compliance, particularly in areas not included in the scope of this audit. August

6 Observation and Recommendation Audit Observation (a): Access Roles Access controls do not provide an effective mechanism for the removal of access for terminated and transferred employees. Three terminated employees still retained Project Costing read-only access at the time testing was conducted; however, that access was subsequently removed in later weeks. In addition, six transferred employees still retain Project Costing read-only access; however this access was validated as appropriate by FIN as any TxDOT employee may have read-only access to view project information. There were 1,869 employees that were tested to verify their appropriateness. Effect/Potential Impact Improper and unnecessary access within the Project Costing system can lead to increased susceptibility to fraud or inappropriate actions. Audit Recommendation Information Management Division (IMD) should continue to systematically remove PeopleSoft Project Costing access within one business day of receiving notification of employees who transfer out of a role requiring such access. IMD should also continue to work with Human Resources Division to confirm access is removed upon employee termination. In addition, IMD should provide Financial Management Division managers the ability to review their direct reports access to evaluate any potential segregation of duties issues. FIN should continue to at least annually perform access role evaluations for any potential segregation of duties issues that result from access between PeopleSoft Financial Supply Chain Management (FSCM) modules. August

7 Summary Results Based on Enterprise Risk Management Framework Closing Comments The results of this audit were discussed with Financial Management Division and Information Management Division on August 10, The Internal Audit team appreciates the assistance and cooperation received from the Financial Management Division and Information Management Division contacted during this audit. August