COMPLIANCE AUDIT BADGE ACCESS CONTROLS JUNE 6, 2018

INTRODUCTION

Background

System Office policy requires employees to use identification badges to enter the Caswell Building. Employees are also to wear the identification badge inside the building. Badges can be swiped at the primary building entrance to access the building outside of normal business hours. Visitors are not to enter the building, unless accompanied by an employee, until the building opens each day. All visitors are required to register at the front desk.

Employee access to the building during non-business hours is allowed for flexibility purposes. In addition, the policy of non-business hours access allows work to continue during emergency and adverse weather situations.

Security concerns dictate the policy of deactivating badges once returned after separation of employment. Jane Phillips, Personnel Director, and Milton Tart, Building Services Coordinator, stated the process to deactivate the badges is as follows: badges are to be submitted to Human Resources on the last day of employment. Human Resources delivers the badges to the Building Services Coordinator for deactivation.

Objective, Scope, and Methodology

The objective of this engagement was to determine the following:

(1) building access badges were issued to current employees and contractors only;
(2) access restrictions associated with badges were appropriate;
(3) employees and contractors no longer working in the System Office returned the badges; and
(4) returned badges were deactivated.

The scope of this engagement was limited to active badges noted by the Building Services Coordinator. The Building Services Coordinator generated a report containing a list of all badges and associated employee information. A report was obtained from Human Resources containing a current employees list. Comparison of the two reports was made to determine if active badges are only issued to current employees. Issues noted are included in the findings section of this report.

FINDINGS

The following findings were identified during the audit.

- Ten (10) former employees whose badges are still active. The badges were deactivated on January 23, 2018 after the finding was reported to Building Services.
- Two (2) former field employee badges were unable to be confirmed as collected upon separation of employment.
- Seven (7) badges issued to contractors no longer performing work at the System Office, all related to housekeeping contracts.
- 230 employees/contractors have badge access. 120 employees/contractors have 24-hour access to the building. Depending on the work performed, this could be an excessive number of people with 24-hour access.

RECOMMENDATIONS

The following recommendations are submitted for consideration.

Recommendation 1
Human Resources should consider additional controls to ensure field employees return badges upon separation from employment.

Recommendation 2
Building Services should consider additional controls to ensure badges are deactivated upon separation of employment rather than the current policy of deactivating upon collection of the badge. Human Resources may include said controls in the employee separation process.

Recommendation 3
Building Services should consider adding a verification control, possibly included on a checklist, to the badge collection and deactivation process to ensure all badges are properly deactivated upon employee separation.

Recommendation 4
Management should consider requiring supervisors to review badge access rights for employees biannually to determine if access permissions are appropriate for each respective employee.

NORTH CAROLINA COMMUNITY COLLEGE SYSTEM
Peter Hans, President

MEMORANDUM

August 3, 2018

TO: Bryan Jenkins, Executive Director of Accountability and State Board Affairs
FROM: Jennifer Haygood, Chief of Staff
RE: Compliance Audit Badge Access Controls

NC Community Colleges System Office appreciates the opportunity to respond to the Badge Access Controls compliance audit dated February 9, We also appreciate the diligence and the recommendations that the Auditor provided. The responses to the audit findings are as follows:

Recommendation 1
Human Resources should consider additional controls to ensure field employees return badges upon separation from employment.

Response 1
The current separation checklist directs the employee to turn in their badge and other items to either their supervisor or Human Resources. This form has been changed to assign this responsibility to the direct supervisor who will then turn in the badge directly to the Building Services Coordinator.

Recommendation 2
Building Services should consider additional controls to ensure badges are deactivated upon separation of employment rather than the current policy of deactivating upon collection of the badge. Human Resources may include said controls in the employee separation process.

Response 2
Human Resources notifies building services via of all employees who are separating and their separation date. Building Services will terminate badge access on the last day of employment. The separation checklist will be modified to add a place for Building Services to indicate that the badge has been deactivated upon separation.

Mailing Address: 5001 Mail Service Center Raleigh, NC
Street Address: 200 West Jones Street Raleigh, NC
Phone: Fax:
AN EQUAL OPPORTUNITY EMPLOYER

Recommendation 3
Building Services should consider adding a verification control, possibly included on a checklist, to the badge collection and deactivation process to ensure all badges are properly deactivated upon employee separation.

Response 3
The separation checklist will be modified to add a place for Building Services to indicate that the badge has been received and deactivated upon separation. Human Resources will review the list of separated employees on a monthly basis to ensure a completed checklist for each separated employee has been submitted by Building Services within a reasonable timeframe.

Recommendation 4
Management should consider requiring supervisors to review badge access rights for employees biannually to determine if access permissions are appropriate for each respective employee.

Response 4
Building Services will provide each division Vice President with the current access rights for all employees on January 2 of each year for re-certification. Each VP shall review access rights and submit the review to Building Services by January 30 of each year.

A copy of the revised Employee Separation Checklist is attached.

NCCCS Employee Separation Checklist

Employee Name:
Division:
Supervisor:

Section 1: EMPLOYEE

Return the following items to your supervisor on or before the last day of work:

1. All keys, including office, building, desk, file cabinets, etc. (Yes / Not applicable)
2. ID badge (Yes)
3. Parking transponder (Yes / Not applicable)
4. Telecommunications equipment/cell phone/pager (Yes / Not applicable)
5. Computer/laptops/tablets, etc. (Yes / Not applicable)
6. Vehicles (Yes / Not applicable)
7. Other Equipment & Materials (Yes / Not applicable)

Complete the following actions prior to the last day of employment:

8. Enter and release timesheets through last day of work (Yes)
9. Submit any outstanding travel receipts or requests (Yes / Not applicable)
10. Close out all workplans for your direct reports, if applicable (Yes / Not applicable)
11. Ensure that your address in Beacon is correct or notify HR of any changes so you will receive your annual W-2 income tax forms, etc. (Yes)

Employee Signature / Date
Supervisor's Signature / Date

Page 2 completed by Supervisor and Building Services

Attachment AUD 03 SEPARATION CHECKLIST, page 2

Section 2: SUPERVISOR

Complete or return these items to the appropriate department.

1. Forward a copy of the letter of resignation to HR (Yes)
2. Complete the final performance evaluation/closed out workplan (Yes)
3. Cancel any training scheduled but not yet incurred (Yes / Not applicable)
4. Cancel any travel scheduled but not yet incurred (Yes / Not applicable)
5. Ensure that any special computer access has been terminated (Yes / Not applicable)
6. Turn in computer equipment, cell phones, etc. to the appropriate department (Yes / Not applicable)

Supervisor: Submit this completed form to Building Services along with the items 1-4 on page one.

Section 3: BUILDING SERVICES

1. ID badge has been received? (Yes / No)
2. ID badge access has been terminated? (Yes)
3. Turned in parking transponder? (Yes / Not applicable)
4. Received all building keys? (Yes / Not applicable)
5. Received and reset telecommunications equipment? (Yes / Not applicable)

Building Services Coordinator / Date

Building Services: Return the completed form to HR.