Internal Audit Follow-Up Report. Compass TxDOT Office of Internal Audit

Transcription

1 Internal Audit Follow-Up Report Compass TxDOT Office of Internal Audit

2 Objective Assess the status of corrective actions for high risk Management Action Plans (MAPs) previously communicated in the Compass audit report issued May 10, Summary Results Testing included an evaluation of five MAPs to determine if corrective actions were implemented as agreed. MAP Status 1 Open 1 New Comments Corrective actions that require completion to address identified risks from the original audit report. Corrective actions that were newly identified and further actions are necessary to properly address the remaining risks. 4 Closed Corrective actions have been completed. Scope This engagement focused on the Management Action Plans that discussed improvements to the reliability and accuracy of information in the Maintenance Management System (MMS), including reviewing access rights. Maintenance activities from October 2014 through January 2015, which were captured on Daily Activity Reports (DARs) and entered into MMS, were selected for review from one maintenance office each in Abilene, Bryan, Houston, San Antonio, and San Angelo districts. In addition, all TxDOT employees with MMS access during the month of January 2015 were selected for access rights testing. The engagement was performed by Ike Okoli, Albert Bourque, Jaime Resendez, and Jennifer Stanush (Engagement Lead). The engagement was conducted during the period from December 19, 2014 to February 6, Methodology The engagement work included: Reviewing MMS Access Policies, Standard Operating Procedures, and training materials. Interviewing MAP owners and key personnel including district Super Users and maintenance office managers. A judgmental sample of 199 DARs that were entered into MMS was selected for review. A comparison of the hard copy DARs for work orders was made to the labor, equipment, and material information within the Maintenance Management System (MMS) to determine accuracy, completeness, and existence of information. Access testing for all 1,743 MMS user accounts across all of TxDOT was performed. Testing included reviewing users that left the agency, or had transferred to other districts or non-mms related positions. June

3 Background This report is prepared for the Texas Transportation Commission and for the Administration and Management of TxDOT. The report presents the results of the Compass Follow-Up engagement which was conducted as part of the Fiscal Year 2015 Audit Plan. The Compass project was established in order to provide TxDOT with a tool to manage maintenance operations statewide with timely, accurate, and complete information. The result of this project was the development and implementation of the Maintenance Management System (MMS). MMS is a web-based application that provides planning, scheduling, and reporting capability and provides information on cost associated with road maintenance (i.e., labor, equipment, material etc.). MMS is used by district maintenance offices to create and complete work orders for the day s work activities. Labor, equipment, and material information obtained from the hard copy DARs are entered into MMS. The Maintenance Division s Compass support group is responsible for granting, modifying, and terminating MMS access rights. The Maintenance Division (MNT) is also responsible for the management of MMS including training, guidance, and technical support. MNT relies on specific district employees, known as Super Users, to also provide support to MMS users in each of their respective districts. Super Users are responsible for disseminating information and training from MNT to the district users and approving and requesting MMS access from MNT. We conducted this follow-up engagement in accordance with Generally Accepted Government Auditing Standards and in conformance with the International Standards for the Professional Practice of Internal Auditing. Those standards require that we plan and perform the engagement to obtain sufficient, appropriate evidence to provide a reasonable basis for our conclusions based on our audit objective. Recommendations to mitigate risks identified were previously provided to management during the original engagement to assist in the formulation of the management action plans referenced in this report. The Office of Internal Audit uses the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Integrated Framework version June

4 Detailed MAP Follow-Up Status MAP Status: Open Corrective actions that require completion to address identified risks from the original audit report. Original Audit Finding Number 2: MMS Access Rights Oversight MAP Owners: Brandye Munn, Business Analyst - Maintenance Division (MNT) Stacey Worsham, IT Transformation Manager Information Technology Division (ITD) MAP 2.1: MNT will generate a report to compare inactive employees (from Labor Inventory) to Active Maintenance Management System (MMS) users (User names and Access). MNT will run the report on a monthly basis. Any Inactive employees user IDs will be deactivated in the MMS by MNT staff. This is a short term solution until the MMS can interface with valid Network IDs to restrict inactive employees from accessing the system in a timelier manner. MNT will develop a process for district Super Users to run a monthly User ID report to review users. ITD has initiated a process to disable accounts for terminated employees, and will work with MNT to include terminated MMS users in the deactivation process. Original Completion Date: July 15, 2014 Revised Completion Date: July 15, 2015 June

5 MAP Status: New Corrective actions that were newly identified and further actions are necessary to properly address remaining risks. Original Audit Finding Number 1: Data Integrity Original Audit Finding Number 2: MMS Access Rights Oversight FMAP Owners: Brian Crawford, P.E., Abilene District Director of Operations Terry Paholek, P.E, Bryan District Director of Maintenance Walter Hambrick, Houston District Maintenance Admin Dan Stacks, P.E., San Antonio District Director of Operations Tom Johnston, P.E., San Angelo Director of Operations Randy Hopmann, P.E., Director Engineering Operations for Rural and Urban Districts Bill Hale, P.E., Chief Engineer FMAP 1.1: The District Super Users will conduct their role as outlined in the Maintenance Division (MNT) Maintenance Management System (MMS) Standard Operating Procedures and also include: Provide instruction and training for Maintenance Management System (MMS) users. Disseminate information received from the Maintenance Division (MNT) to all District MMS end users as the information is received. Provide support to all District MMS end users as to processes and procedures, including the daily processing and review of Daily Activity Reports and Work Orders by Office Managers and Maintenance Supervisors. Generate and review the District MMS User ID report monthly and submit access termination or modification changes to MNT MMS Support. Completion Date: July 15, 2015 June

6 MAP Status: Closed Corrective actions have been completed. Original Audit Finding Number 1: Data Integrity MAP Owner: Brandye Munn, Business Analyst - Maintenance Division MAP 1.1: Implement a Standard Operating Procedure (SOP) for using the Daily Activity Report (DAR), Maintenance Management System (MMS) reports, and screens to monitor data entry and data approvals at the maintenance section level. The SOP will include roles, reports, and procedures for data review to ensure data is accurate. Districts will have an opportunity to provide input to the SOP and assist in the development of the policies and procedures included in the SOP. MNT will publish the SOP and provide training for the super users and end users on how to follow the procedure. Provide instructions for completing and filing the official DAR of record. MNT will publish the instructions and provide training for the super users and end users on how to follow the procedure. Provide a checklist of documentation and training needs for new MMS users. Provide access to MNT111 training materials to new employees that have not taken MNT111 yet but need to use the application and for current users to use as a reference. Completion Date: July 15, 2014 Original Audit Finding Number 2: MMS Access Rights Oversight MAP Owner: Brandye Munn, Business Analyst - Maintenance Division MAP 2.2: Since Maintenance is the owner of Maintenance Management System (MMS) Data, Maintenance will take on the responsibility of ensuring the following: Integrate Network ID validation into the MMS. This would sync up passwords with the network. If the network ID has been disabled, then the user would not be allowed into the MMS. Agile Assets, TxDOT IT, and NTT Data involvement will be required. Work with IT Security to modify any applicable forms to include MMS Access. Completion Date: February 15, 2015 June

7 Original Audit Finding Number 2: MMS Access Rights Oversight MAP Owner: Brandye Munn, Business Analyst - Maintenance Division MAP 2.3: Review and compare Maintenance Management System (MMS) Roles and Responsibilities and IT Application Access Criteria, making any corrections needed. Work with IT Security to develop, document, and publish a MMS access policy. Document an SOP that defines the process of adding, modifying, and deleting access to the MMS. This SOP will include which job functions need which roles in general and the approval process for any exceptions. MNT will publish the SOP and provide training for the super users and end users on how to follow the process Completion Date: November 15, 2014 Original Audit Finding Number 4: Functional Ability and Efficiency of MMS MAP Owners: Michael Lee, Director, Maintenance Division Stacey Worsham, IT Transformation Manager Don Dominguez, NTTDATA - Technical Team Manager Alain Si, NTTDATA Architect MAP 4.1: The following MAP activities will address the Maintenance Management System (MMS) audit deficiencies by determining prioritization/timing for fixing these issues, determining root causes, and performing corrective actions to address gaps: Meet with stakeholders to discuss current MMS issues to determine prioritization for the MSMS and SLD issues, as well as other issues identified during the meeting, and establish an on-going process to continue discussions and document issues. The expected outcomes of these actions will include the following: o Review and document current issues (e.g., MSMS and SLD interface), including a description of the issue o Assign a priority level to that issue (high, medium, or low) based on the business impact o Assign NTT Data staff to address the needed resource to address issues identified Assign a corrective action and who (Maintenance and NTT) is responsible for the corrective action Assign staff to further investigate issues that do not have a clear corrective action plan o Set-up regular meetings with NTT to update MNT on the progress of the investigations and corrective actions. Completion Date: July 15, 2014 June

8 Closing Comments The results of this MAP Follow-Up engagement were discussed with and provided to the Maintenance and Information Technology Divisions, and Abilene, Bryan, Houston, San Angelo, and San Antonio districts on February 17, The Audit team appreciates the cooperation and assistance received from the Maintenance Division, Human Resources Division, Information Technology Division, and the Abilene, Bryan, Houston, San Angelo, and San Antonio districts during this audit. June