St. Charles County Auditor's Office


St. Charles County Auditor's Office
201 N. Second Street, Room 526
St. Charles, MO
(636) Fax (636)

October 11, 2011

To: Honorable County Council Members
    Honorable Steve Ehlmann, County Executive

The Information Systems Department examination opened February 18, 2011 has been completed, and the final report is being issued today. Fieldwork for the review was completed on April 28, 2011, and our report reflects the results of work performed through that date. Responses were requested by July 1st and received on October 7.

The objectives of the review were to determine whether internal controls were adequate and effective, operations and records were in compliance with established standards, regulations, policies and procedures, and resources were being used efficiently. The examination covered system control, network security, help desk operations and programming requests. We reviewed the internal control environment surrounding those activities and evaluated the effectiveness and efficiency with which department objectives are being achieved. In addition, reviews for compliance with the County Charter and Ordinances, Missouri Statutes, and internal policies and procedures were performed.

This audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing, and consisted of examining, on a test basis, sufficient evidence to afford a reasonable basis for our opinion. In our opinion, except for the opportunities included in this report, internal controls were adequate and effective and operations and records were in compliance with established standards.

The issuance of this report completes the formal examination process. However, if you wish to discuss any aspects of the audit or report, please contact me.

Brent R. Statler, CPA, CGAP
County Auditor

Attachment

Copy to: Chuck Gross, Director of Administration
         Don Brannam, Director of Information Systems

St. Charles County Auditor's Office
Information Systems Department Examination Report
Opened February 18, 2011

Table of Contents

I. Background and Introduction
   Authority and Activity
   Funding
   Staffing
II. Status Board
III. Executive Summary
IV. Detailed Findings
   Compliance Opportunities
   Control Opportunities

I. BACKGROUND AND INTRODUCTION

Authority and Activity: The Information Systems Department (IS) supports County departments and offices with information technology over an enterprise wide-area network and is responsible for network administration, infrastructure design, application programming, data security, geographic information systems (GIS) and maintenance of the County web site and phone system. The GIS Division provides mapping data for engineering design, emergency services, road projects, community planning, election information, tax assessment, the USGS national map project and other County government functions. IS supplies regularly scheduled updates of GIS data to businesses for a fee. Capital equipment (PCs, laptops, servers, etc.) is purchased through the Capital Projects Fund (301).

The Information Systems Department's program mission as stated in the 2011 budget is as follows: "Provide a state of the art countywide information system. The department provides the consulting, design, programming and operational resources required by all County departments and offices. We develop, protect and secure the County's data resources and network infrastructure. We provide internet and database services. Information Systems is committed to providing the highest level of customer satisfaction." (2011 budget)

Funding: The primary funding for IS is provided by the general revenue fund. The historical funding for IS is presented below.

Information Systems Department General Revenue Fund Expenditures, Fiscal Years 2006-2011

Fiscal Year | Salaries & Benefits | % Increase | Operating Expenditures | % Increase | Capital Expenditures | % Increase | Total Expenditures | % Increase
2006        | $928,766            | n/a        | $324,230               | n/a        | $97,385              | n/a        | $1,350,381         | n/a
2007        | $1,004,             | %          | $382,                  | %          | $144,                | %          | $1,531,            | %
2008        | $1,143,             | %          | $392,                  | %          | $5,                  | %          | $1,541,            | %
2009        | $1,129,             | %          | $480,                  | %          | $                    | %          | $1,610,            | %
2010        | $1,131,             | %          | $656,                  | %          | $0                   | 0.0%       | $1,787,            | %
2011*       | $1,168,             | %          | $821,                  | %          | $0                   | 0.0%       | $1,989,458         | %

Information Systems Department Technology Enhancement (005) & Capital Project (301) Funds Expenditures, Fiscal Years 2006-2011

Fiscal Year | Capital Expenditures | % Increase | Total Expenditures | % Increase
2006        | $138,524             | n/a        | $1,350,381         | n/a
2007@       | $502,                | %          | $502,              | %
2008@       | $601,                | %          | $601,              | %
2009@       | $496,                | %          | $1,610,            | %
2010^       | $589,                | %          | $1,787,            | %
2011^*      | $754,                | %          | $1,989,458         |

@ - Capital Expenditures reported in Technology Enhancement Fund (005)
^ - IS related Capital Expenditures reported in Capital Projects Fund (301)
* - Approved budget amounts from the 2011 budget

Revenues generated by IS are deposited in the general revenue fund. The historical revenue is presented below:

Information Systems Department General Revenue Fund Revenues, Fiscal Years 2006-2011

Fiscal Year | IS Fees | Fees Collected by IS as a Percentage of Expenditures
2006        | $1,     | %
2007        | $21,    | %
2008        | $16,    | %
2009        | $7,     | %
2010        | $14,    | %
2011*       | $8,     | %

* These are the approved budget amounts from the 2011 budget.

Staffing: The number of full-time equivalent authorized positions for IS increased 3.1%, from 16.0 full-time positions in 2007 to 16.5 full-time budgeted positions. Note: IS was at one time authorized to have 17.5 full-time positions.

II. STATUS BOARD

The status board provides a summary of the Information Systems Department's functions and processes. Each cell located under a function represents an activity completed to ensure that the process is performed in an effective and efficient manner. The color of the cells represents the assessment regarding completion of the activity. The legend below gives a description of each color.

Red indicates management's immediate attention is required.
Yellow indicates an opportunity for improvement exists.
Green indicates there is no action necessary at this time.
Blue indicates a process that was not included in the scope of the review.
Grey indicates a County issue that should be addressed by management, but is not necessarily a direct responsibility of the audited department/office.

Network Services
The Network Services Division controls access to the County network. Employees must sign an Electronic Information Policy Certification Form to access the network. Approved employees receive an Active Directory ID and password. The password must be changed every 90 days. Network users can access the internet, e-mail, MS Office and department programs based on the level of access granted. Some employees have a Virtual Private Network (VPN) to access the network when away from the office.
The VPN connection to the network is encrypted.
User access is removed as notices are received from the department or HR.
The network is protected by a firewall.

Program Requests
The Application and Database Services Division processes program requests. Departments send program requests for the AS400/HTE system to the Division. IS meets with the department to discuss the program request. The programming is done to meet department specifications. The programming is beta-tested to eliminate errors before implementation. IS will eliminate programming requests once the AS400/HTE system is permanently phased out of use.

GIS Services
GIS services are available to all County departments. Departments contact GIS with requested work and GIS will work with the departments to complete the project. Many GIS maps are available free of charge through the County website. Citizens can purchase maps, CDs and data use license agreements. A Data Use Agreement contract must be completed for annual licenses, signed by the customer and the IS Director. License holders receive a log-in and password to access updated data for a period of one year.
The GIS Coordinator maintains a spreadsheet tracking users and license termination dates.
Users are sent an e-mail notification prior to license termination to provide an opportunity for renewal.
Fees are collected and receipted in the IS office and deposited with the Finance Department.

Work Orders
Employees phone, e-mail, or send a work order request to the IS Help Desk. Requests are received by the Help Desk Tech and logged in a tracking program. For many problems, the tech can use remote access to work on the employee's PC and quickly fix the problem. For complex problems, a work order is created in the tracking system and assigned to a tech. The technician works on the problem and updates the work order in the tracking system. The technician will contact the employee to notify them of progress with the issue and when it is resolved.
IS maintains a minimal parts inventory to use for CPU repairs, etc.
After completion, the work order is updated for time and the final resolution.

Hardware/Software Purchasing and Upgrades
The County's policy is to replace all PCs on a 6 year schedule. PC purchases are made from the Capital Projects Fund (301). Other hardware purchases/upgrades are reviewed on a case-by-case basis during capital budgeting. PCs are delivered to IS for set-up before being sent out for installation. All software licenses are maintained in the IS office. Volume license fees (MUNIS, MS Office, etc.) are paid by IS on an annual basis.
Other software maintenance costs are paid as needed by department.
Updates and patches for County programs are distributed by IS through the network.
All PCs have real-time virus protection software installed.

Contracted Services
IS contracts with 2 companies to provide services for the County.
Gateway Solutions provides a programmer to work on projects assigned by the Application and Database Services Division.
The programmer works as needed with hours tracked on a timesheet by IS.
Gateway Solutions sends monthly invoices which are reviewed by IS before being processed for payment.
TR&L Communications provides wiring services for the County network/phone lines.
Work is assigned and monitored by the Network Services Division.
TR&L Communications sends monthly invoices for hours worked to IS to process for payment (B2).

Database Administration
Database Administrators set up database locations in the IS Data Center using SQL programming.
Database Administrators grant database access rights to users with application access.
User access can be set up as individual or group access. Passwords may also be set up for the databases.
Database Administrators monitor the data distribution to ensure data is properly stored and updated.
The databases are backed up daily as part of the IS back-up procedures.
The databases are updated as needed, with testing done to ensure the update works as intended.
Updates for major databases are sent out over the network. Minor database updates are done on the individual PCs.

County Phone System and Internet Access
The County uses ShoreTel software to operate a Voice Over Internet Protocol system.
The software is set up on each employee's PC using Active Directory log-in information.
All incoming and outgoing calls and voicemail are run through the phone server located in the IS Data Center.
IS technicians handle any service calls for the phone system and install any necessary system updates.
Some outlying departments do not have access to the VOIP system.
Those departments use the local phone service (AT&T, Centurytel) and they are charged for usage.
Departments must complete e-mail and internet access requests for employees.
The requests are approved by the IS Director and the employee is then given the approved level of access (B1).
Approved employees are put in use-groups based on the level of access granted.
SonicWall restricts access to websites based on the settings of the user's assigned group.
Approved users can access all sites not blocked by the content filter.
A Request to Access Prohibited Sites form must be approved to access blocked sites.
The content filter is maintained by an outside vendor, along with specific sites entered by IS.
All users receive a County e-mail address and mailbox through MS Outlook.
The SPAM filter is maintained by IS and blocks all SPAM and attachments.

IS Administration
Payroll
Purchasing (A1)
IT Security Policy
IS Disaster Recovery Plan
Equipment Tracking
Equipment Disposal/Hard Drive Destruction

III. EXECUTIVE SUMMARY

Following is a summary of the opportunities for improvement noted during our review of the Information Systems Department:

A. Compliance Opportunities
1. Line Item Classification: In 2011, IS charged programming services by Gateway Solutions to two separate accounts.

B. Control Opportunities
1. County Access Approvals: There were issues with maintaining documentation of the Electronic Information Policy, Internet and Prohibited Internet Access policy forms.
2. Documentation of Contracted Services: IS does not maintain any independent documentation for the hours worked by the TR&L Communications employee.

IV. DETAILED FINDINGS

A.1 Compliance: Line Item Classification

Discussion and Background: All departments and offices request and receive a budget to expend funds. The County utilizes line item accounts, and expenditures are to be paid out of specific accounts to comply with County procedures and for financial reporting purposes. If line item balances are insufficient, the Director of Administration may approve a same-category budget transfer. In 2011, IS charged programming services by Gateway Solutions to two separate accounts. One charge was to account (Professional Services) and another to (Data Processing Services).

Cause: County policies not followed.

Recommendation: IS should ensure that expenditures are charged to the appropriate general ledger line item account.

Management Response: These accounts are both used for programming services. We will merge them in the 2012 budget.

B.1 Control: County Access Approvals

Discussion and Background: Departments requesting employee access to the County network and/or internet must complete an Application and Network Access Request Form and indicate the type of access the employee needs. This form is signed by the requesting department and reviewed and approved by the IS Director. The technician that sets up the access initials the form as documentation that the employee has a signed Electronic Information Policy Certification, and initials the form again once the access has been set up. The forms are then filed at the Administrative Assistant's desk.

County Code Section B.1, the Electronic Information Policy, states: "The purpose of this policy is to ensure the proper use of computer information systems, Internet and e-mail by St. Charles County employees and others who may use County-owned equipment, data or facilities while supporting the needs of St. Charles County citizens, other customers of County services and County employees."

The following was noted during the Electronic Information Policy, Internet and Prohibited Internet Access review:
1) There was not an Electronic Information Policy certification on file for one (7.1%) of the fourteen persons reviewed. Note: This person is a non-County employee.
2) There was not an Application and Network Access Request Form on file for three (27.3%) of the eleven persons reviewed for County network and/or internet access.
3) There was not an Application and Network Access Request Form on file requesting access to established levels of internet sites or to restrict internet access for eleven (100%) of the eleven persons reviewed.
4) The persons' access did not agree to the access requested on the form for one (12.5%) of the eight persons reviewed.
5) Neither the IS Tech setting up the access nor the IS Administrative Assistant initialed the Application and Network Access Request Form as documentation of the employee signing the policy certification on one (12.5%) of the eight forms reviewed.

Cause: Compliance with departmental policies and County policies.

Risk/Effect: Employees may receive unauthorized access to the County's network and/or internet sites. The County may not be able to hold non-County employees liable for violating the Electronic Information Policy.

Recommendation: IS should ensure that Application and Network Access Request Forms are approved and on file for all employees that have access to the County's network and established levels of internet access. Also, IS should consider requiring non-County employees to sign the Electronic Information Policy Certification Form.

Management Response: There was not an Electronic Information Policy certification on file for one (7.1%) of the fourteen persons reviewed. This person is a non-County employee. This is an employee of the City of St. Peters who is assigned to Humane Services. They do not use any county computer equipment. They are provided standard internet access to access necessary data from the City of St. Peters. They filled out a request form, but were not required to fill out an EIP Certification as they are not a county employee.

There was not an Application and Network Access Request Form on file for three (27.3%) of the eleven persons reviewed for County network and/or internet access. IS did provide a copy of the request form for the St. Peters employee discussed in the prior paragraph. Could not locate forms for the other two employees (1 full-time and 1 part-time).

There was not an Application and Network Access Request Form on file requesting access to prohibited or established levels of internet sites or to restrict internet access for eleven (100%) of the eleven persons reviewed. Law Enforcement Access was not written on the form for one Sheriff employee. This was an administrative oversight and has been corrected. Law Enforcement Access was granted using a prohibited internet site access request form for a Sheriff Administrative employee. This form is no longer used, but was used in 2005 for Law Enforcement Access. A Public Health employee has an approved request form on file for access to sex education web sites. An Executive Office employee does not have an approved form on file for access to Social Media. The Executive's Office is granted access to social media by policy. The Public Information employee did not have a request form for Usenet access, but this has been corrected. A Workforce Development employee did not have a request form for WEB Communications, but this has been corrected. A Sheriff's employee does not have a form approving her for Internet Access. This has been corrected. Two Corrections employees have Internet access that allows them to access the Jail software. The Maintenance employee has access to the HVAC application.

The persons' access did not agree to the access requested on the form for one (12.5%) of the eight persons reviewed. This has been corrected.

Neither the IS Tech setting up the access, nor the IS Administrative Assistant initialed the Application and Network Access Request Form as documentation of the employee signing the policy certification on one (12.5%) of the eight forms reviewed. This has been corrected.
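The five exceptions in this finding are, in effect, a single reconciliation: every account that actually has network or internet access is compared against the paperwork that authorizes it. The Python script below performs that reconciliation over constructed sample records. It is added here as an illustration and is not part of the audit report or of the County's own tooling; the record layouts, user names and access-level labels (standard, law_enforcement, social_media) are assumptions made for the example. In practice the granted-access side would be exported from Active Directory and the content-filter (SonicWall) group assignments, and the forms side from the filed Application and Network Access Request Forms.

```python
"""Reconcile granted network/internet access against its authorizing paperwork.

Added example, not part of the audit report. All data below is constructed.
The checks mirror the five exceptions in the County Access Approvals finding:
  EIP_MISSING         no signed Electronic Information Policy certification
  FORM_MISSING        no approved Application and Network Access Request Form
  LEVEL_NOT_ON_FORM   form does not state the internet access level requested
  ACCESS_MISMATCH     access actually granted differs from what the form requests
  FORM_NOT_INITIALED  neither the tech nor the Admin. Assistant initialed the form
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Granted:
    """Access as actually provisioned (would be exported from AD / filter groups)."""
    user: str
    network: bool
    internet_level: Optional[str]     # None = no internet access granted
    county_employee: bool = True


@dataclass(frozen=True)
class RequestForm:
    """An Application and Network Access Request Form as filed (assumed layout)."""
    user: str
    network: bool
    internet_level: Optional[str]     # None = level not written on the form
    approved_by_director: bool
    tech_initialed: bool
    admin_initialed: bool


@dataclass(frozen=True)
class Finding:
    user: str
    code: str
    detail: str


def reconcile(granted, forms, eip_certs):
    """Return one Finding per exception, in population order."""
    forms_by_user = {f.user: f for f in forms}
    findings = []
    for g in granted:
        if g.user not in eip_certs:
            who = "County employee" if g.county_employee else "non-County employee"
            findings.append(Finding(g.user, "EIP_MISSING",
                                    f"{who}; no signed EIP certification on file"))
        form = forms_by_user.get(g.user)
        if form is None or not form.approved_by_director:
            findings.append(Finding(g.user, "FORM_MISSING",
                                    "no approved Application and Network Access Request Form on file"))
            continue                      # nothing to compare the granted access against
        if g.internet_level is not None and form.internet_level is None:
            findings.append(Finding(g.user, "LEVEL_NOT_ON_FORM",
                                    f"granted internet level {g.internet_level!r}; form states no level"))
        elif g.network != form.network or g.internet_level != form.internet_level:
            findings.append(Finding(g.user, "ACCESS_MISMATCH",
                                    f"granted network={g.network}, internet={g.internet_level!r}; "
                                    f"form requested network={form.network}, internet={form.internet_level!r}"))
        if not (form.tech_initialed or form.admin_initialed):
            findings.append(Finding(g.user, "FORM_NOT_INITIALED",
                                    "neither the IS tech nor the Administrative Assistant initialed the form"))
    return findings


def exception_rate(findings, code, population):
    """(count, population, percent), in the audit's 'one (7.1%) of fourteen' style."""
    count = sum(1 for f in findings if f.code == code)
    pct = round(100.0 * count / population, 1) if population else 0.0
    return count, population, pct


# Constructed sample population: names, levels and paperwork state are invented.
SAMPLE_GRANTED = [
    Granted("alice", True, "standard"),
    Granted("bob", True, "law_enforcement"),
    Granted("carol", False, "standard", county_employee=False),   # outside-agency user
    Granted("dave", True, "standard"),
    Granted("erin", True, "social_media"),
    Granted("frank", True, "standard"),
]
SAMPLE_FORMS = [
    RequestForm("alice", True, "standard", True, True, True),
    RequestForm("bob", True, None, True, True, False),            # level left blank
    RequestForm("carol", False, "standard", True, True, True),
    RequestForm("erin", True, "standard", True, False, True),     # less than what was granted
    RequestForm("frank", True, "standard", True, False, False),   # nobody initialed it
]
SAMPLE_EIP_CERTS = {"alice", "bob", "dave", "erin", "frank"}      # carol never signed


def run_sample():
    return reconcile(SAMPLE_GRANTED, SAMPLE_FORMS, SAMPLE_EIP_CERTS)


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"{f.user:8} {f.code:18} {f.detail}")
    for code in ("EIP_MISSING", "FORM_MISSING", "LEVEL_NOT_ON_FORM",
                 "ACCESS_MISMATCH", "FORM_NOT_INITIALED"):
        n, pop, pct = exception_rate(results, code, len(SAMPLE_GRANTED))
        print(f"{code:18} {n} ({pct}%) of {pop}")
```

The population for each rate is the set of accounts the check applies to, as in the finding (fourteen persons for the certification test, eleven for the request form test, eight for the access comparison); pass that count to exception_rate rather than the whole directory export. A user with no approved form is reported once and skipped for the remaining checks, since there is nothing to compare the granted access against.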

B.2 Control: Documentation of Contracted Services

Discussion and Background: The County contracted with TR&L Communications to have an employee work under the direction of IS for thirty-two hours a week to install wiring and perform other services as needed. The contract calls for the employee to work a schedule of eight hours per day, Monday through Thursday. If there is a holiday during the week, the employee will work the other four days to reach the thirty-two hours worked for the week. TR&L Communications submits a monthly invoice to IS for the hours worked during the billing period. IS enters the invoice and sends it to the Finance Department for processing. IS does not maintain any independent documentation for the hours worked by the TR&L Communications employee.

Cause: Opportunity for improved documentation.

Risk/Effect: Without any independent documentation, the County would have no means of determining if TR&L Communications was over-billing for actual hours worked.

Recommendation: IS should maintain some form of documentation for hours worked by the TR&L Communications employee. The documentation could include a timesheet, time clock, annotated calendar, etc.

Management Response: The contract is for 32 hours per week. If the employee is not available for duty, TRL sends a replacement. It has been monitored by noting when 32 hours per week are not worked. We have corrected this and now keep a record of hours worked, as well as a copy of time sheets submitted by the contracted employee to TRL.