Internal Audit Report. Post Implementation Review PeopleSoft Accounts Payable TxDOT Internal Audit Division

Transcription

1 Internal Audit Report Post Implementation Review PeopleSoft Accounts Payable TxDOT Internal Audit Division

2 Objective To determine if the Oracle PeopleSoft Accounts Payable system is providing effective and efficient business operations. Opinion Based on the audit scope areas reviewed, control mechanisms require improvement and only partially address risk factors and exposures considered significant relative to impacting reporting reliability, operational execution, and compliance. The organization s system of internal controls requires improvement in order to provide reasonable assurance that key goals and objectives will be achieved. Improvements are required to minimize existing process variation and control gap corrections that may result in potentially significant negative impacts to the organization including the achievement of the organization s business/control objectives. Overall Engagement Assessment Needs Improvement Title Findings Control Design Operating Effectiveness Rating Finding 1 History Xtract (HX) File Security x x Unsatisfactory Finding 2 Protecting PII in PeopleSoft x x Needs Improvement Finding 3 Fraud Report Utilization x x Needs Improvement Management concurs with the above findings and prepared management action plans to address deficiencies. Control Environment Testing of operating controls provided assurance that Oracle PeopleSoft ( PeopleSoft ) has helped the Texas Department of Transportation (TxDOT) 1) process payments in accordance to the three-way match controls, 2) make more timely payments, and 3) execute proper access controls for creating vendors and approving/releasing payments. While these operating controls have worked, other monitoring controls were not fully developed to ensure secure, accurate, and complete transmission of payment data to/from the Comptroller s Uniform Statewide Accounting System (USAS) and that the Accounts Payable process is paying for valid TxDOT purchases. Further, current processes and procedures for these operating and monitoring controls were not documented to help provide better assurance that staff understood their roles and responsibilities in working with these controls. In addition, safeguarding Personally Identifiable Information (PII) within PeopleSoft could have been further improved. April

3 Summary Results Finding Scope Area Evidence Security reviews for user access and data contained in USAS interface files showed the following: Observed and reviewed USAS History Xtract (HX) Files in non-encrypted plain text, which includes payment information (e.g. bank routing, account number, and the Texas Identification Number (TINS) information) that can be viewed or modified by multiple users. 4 of 13 (31%) TxDOT users no longer needed 1 USAS Interface access to the interface files on TxDOT servers, but still had the ability to read and write these files. No determination could be made if any changes were made to the files by these users. Two additional interface file user accounts were identified to have a shared username and password allowing for the ability to read and write these files on TxDOT servers. No determination could be made as to how many users may have gained access. Finance employees have access to Personally 2 Accounts Payable Segregation of Duties Identifiable Information (PII) in PeopleSoft where social security numbers, banking account numbers, and banking routing numbers were visible. These employees do not have a business need to access this information. A detection tool/report is not being utilized to monitor and assess segregation of duty issues for employee access within the Comptroller s Uniform Statewide Accounting System (USAS) used to make payments on 3 Accounts Payable Segregation of Duties behalf of TxDOT: The report identifies individuals who can enter, modify, and process payments and other transactions Review of the report identified one TxDOT transaction that was entered and released by the same user for a budget item done by a Texas Comptroller user. Audit Scope The scope of the audit included PeopleSoft and USAS user system access, the USAS interface, and the PeopleSoft three-way match process. Audit testing in these three areas included reviewing system access for creating vendors, approving the created vendors, initiating a payment transaction, and releasing a payment transaction. System access was reviewed in the USAS and PeopleSoft systems. The interface between these two systems was also reviewed to provide assurance that the information transmitted was accurate and April

4 the information was protected. Finally, testing was performed on the PeopleSoft three-way match process. Data selected for all the above testing was from October 7, 2014 (PeopleSoft implementation) to September 30, The audit was performed by Rita Ruiz, Tracey Garza, Jessica Esqueda, and Anne Heitke (Engagement Lead). The audit was conducted during the period from October 27, 2015 to December 7, Methodology The methodology used to complete the objectives of this audit includes: Reviewed TxDOT internal documents, including policy and procedure manuals, organizational charts, process maps, and technical reports Reviewed state regulations, such as the Texas Government Code Reviewed previously issued reports from TxDOT s Internal Audit Division, such as the Accounts Payable and Post-Implementation Review PeopleSoft: Recruiting and Payroll Interviewed key personnel, such as the current Chief Financial Officer (formerly the Finance Division Director), East Accounts Payable Manager, Section Director of Payments, Central Manager of Accounts Payable, Support Services, and Contract Services personnel within Information Management (formerly the Information Technology Division (ITD) Tested TxDOT users ability to create and approve new vendors in PeopleSoft and their access rights within USAS Reviewed daily and monthly reconciliation documentation between USAS and PeopleSoft to determine if they were being conducted and issues were being resolved Tested 35 direct entries into USAS for corresponding PeopleSoft entry to determine if payments were accurately recorded Tested 40 purchases and 40 payments to determine if the three-way match was done properly Reviewed purchases and payments that had the three-way match overridden to determine if override was appropriate Determined if PII information contained in interface files was encrypted Determined if PII information contained in interface files had appropriate limited access These procedures were applied as necessary to perform the audit fieldwork. Background This report is prepared for the Texas Transportation Commission and for the Administration and Management of TxDOT. The report presents the results of the Post Implementation Review PeopleSoft Accounts Payable audit, which was conducted as part of the Fiscal Year 2016 Audit Plan. TxDOT implemented a new PeopleSoft system in October PeopleSoft is an integrated suite of software, which provides a common technology platform across core business areas like human resources, finance, supply chain, and payroll. PeopleSoft replaced over 20 April

5 mainframe and legacy systems in Finance, Human Resources, and General Services. The new PeopleSoft consists of three main applications: Enterprise Learning Management (ELM), Human Capital Management (HCM), and Financial Supply Chain Management (FSCM). The FSCM application includes purchasing and payment functions that were reviewed for this audit. The FSCM application is used as TxDOT s financial system of record. The payments are entered and processed in the FSCM module and then sent to Texas Comptroller (Comptroller) of Public Accounts Uniform Statewide Accounting System (USAS) for official payment. Payments and vendor creation can initiate in PeopleSoft and pass through to USAS in an interface file. The information in the interface file is stored in a History Xtract (HX) File. Payments and vendor creation can also be entered directly into USAS, and bypassing PeopleSoft, if needed. Transactions originating in PeopleSoft that have associated Purchase Orders (POs), in general, must match entries in the PO, receipt of goods, and invoice. We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards and in conformance with the International Standards for the Professional Practice of Internal Auditing. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. Recommendations to mitigate risks identified were provided to management during the engagement to assist in the formulation of the management action plans included in this report. The Internal Audit Division uses the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Integrated Framework version A defined set of control objectives was utilized to focus on reporting, operational, and compliance goals for the identified scope areas. Our audit opinion is an assessment of the health of the overall control environment based on (1) the effectiveness of the enterprise risk management activities throughout the audit period and (2) the degree to which the defined control objectives were being met. Our audit opinion is not a guarantee against reporting misstatement and reliability, operational sub-optimization, or non-compliance particularly in areas not included in the scope of this audit. April

6 Detailed Findings and Management Action Plans (MAP) Finding No. 1: History Xtract (HX) File Security Condition The Uniform Statewide Accounting System (USAS) History Xtract (HX) files, which contain the transmitted information between PeopleSoft and USAS, were stored in plain text, or not encrypted, and could be modified or read by several users. Auditors were not able to determine if any changes had been made to the files as no logs exist to review. In addition, two user accounts on TxDOT servers that house the HX files were identified to have shared usernames and passwords that could be accessed by multiple users. Effect/Potential Impact Information on the HX files could be altered. Information stored unencrypted in servers could also lead to disclosure of confidential and/or sensitive information of employees and vendors. Criteria The TxDOT Information Security manual states that TxDOT is required to protect against unauthorized access, disclosure, modification or destruction - whether accidental or deliberate; as well as, to assure the availability, integrity, authenticity, and confidentiality of information. Cause Appropriate assignment and subsequent monitoring of user access rights to HX files and protection of information within those files is not being performed. Evidence The evidence obtained in the review included: Auditors observed and reviewed the payment files in Notepad, which showed all the payment information (e.g., bank routing, account number, and the Texas Identification Number (TINS) information) in plain text and not encrypted. Auditors reviewed directory access and file permissions where 13 unique users had access to the interface file, the following was noted: o 4 of 13 (31%) TxDOT users no longer needed access to the HX files. These users still had the ability to read and write the files. Auditors were not able to determine if any changes were made to the files by these users as no logs exist to review. Two additional user accounts were identified that had shared usernames and passwords. The accounts had the ability to read and write the interface files. Auditors were not able to identify how many users had knowledge or access to these accounts. Auditors were also not able to determine if any changes were made to the files using these accounts as no logs exist to review. April

7 Management Action Plan (MAP): MAP Owner: Ben Hayes, IT Business Analyst, Information Management Division (IMD) MAP 1.1: IMD will determine which users require read and write access to the HX files and restricted access to all other users. IMD will remove all users that do not require access. IMD will create a script to perform monthly tracking and monitoring to determine which HX files were modified. Completion Date: Action Completed MAP 1.2: IMD will research and test changes that will prevent the two shared accounts being accessed by multiple users. The goal is to require system administrators to log in using their individual accounts and switch to the system accounts when needed. The research, actions taken, and testing will be documented. Completion Date: May 15, 2016 MAP 1.3: Based on actions taken in MAP 1.2, IMD will modify the two system accounts to prevent system administers from logging in directly with these accounts. Support personnel will log in with their individual account and switch to the system accounts when needed. Completion Date: August 15, 2016 April

8 Finding No. 2: Protecting PII in PeopleSoft Condition Personally Identifiable Information (PII) in PeopleSoft (i.e., Social Security numbers, banking account numbers, and banking routing numbers) was visible to Financial Management Division employees and Information Management staff that support the application. Retention of this information within the system was not necessary since payments are not directly made out of PeopleSoft. Effect/Potential Impact Unsecured information within the PeopleSoft system could lead to disclosure of confidential or sensitive information, identity theft, and/or a negative impact on TxDOT s reputation. Criteria National Institute of Standards and Technology (NIST) Special Publication and Title 1, Texas Administrative Code, Section recommends and requires the confidentiality of certain types of information including PII. In addition, The TxDOT Information Security manual states that TxDOT is required to protect against unauthorized access, disclosure, modification or destruction - whether accidental or deliberate; as well as, to assure the availability, integrity, authenticity, and confidentiality of information. Cause The necessity and risk of showing confidential information after it has been entered into the system was not considered during implementation. Evidence The evidence obtained in the review included: Auditors observed multiple PeopleSoft screens that are available to Financial Management Division employees where the social security numbers, banking account numbers, and banking routing numbers were visible. Management Action Plan (MAP): MAP Owners: Lanny Wadle, Director, Financial Management Division Heather Burgess, Accounts Manager, Financial Management Division Accounts Payable East Section MAP 2.1: The Financial Management Division has entered an AR, application request, RITM to have to have the bank account and routing information removed from PeopleSoft Completion Date: Action Completed April

9 Finding No. 3: Fraud Report Utilization Condition TxDOT was not using all available fraud detection tools, including the Risky Document Report (DAFR9840), to monitor TxDOT payments or other accounting transactions (e.g., changes to accounting files or release of batches) that have been entered or modified and then released for processing by the same user within Uniform Statewide Accounting System (USAS). Effect/Potential Impact Without proper and continuous monitoring of expenditure processing, where one user has the ability to enter, modify, and then process payments, TxDOT funds can be susceptible to fraudulent or other unauthorized activity. Criteria As a best practice to ensure system security, the IT Governance Institute s framework for Control Objectives for Information and Related Technology (COBIT) states that a monitoring function will enable the early detection of unusual activities that may need to be addressed. Cause TxDOT was not aware of the reporting tool (DAFR 9840 Report) provided by the Texas Comptroller of Public Accounts. The Financial Management Division did not identify the risk associated with same user access and did not implement detective controls to monitor activity of those users. Evidence The evidence obtained in the review included: The DAFR 9840 report had not been requested from the Comptroller s office since implementation of PeopleSoft in October Review of the report identified one TxDOT transaction that was entered and released by the same user. Auditors determined that this was an appropriate action. Management Action Plan (MAP): MAP Owners: Paul Campbell, Section Director, Financial Management Division - Payments Management Section Bryce Bayles, Accounting Manager, Financial Management Division - Accounts Payable Central Section MAP 3.1: As part of the bi-annual security review process, the TxDOT Financial Management Division Support Services Section will request and review the Risky Document Report (DAFR9840) and communicate exceptions to management for remediation. Completion Date: April 15, 2016 April

10 Observations and Recommendations Audit Observation (a): Three-Way Match Override Condition Purchasing and Accounts Payable users are able to override the match process in PeopleSoft to allow for a discrepancy of the quantity and dollar amount between the Purchase Order, Invoice, and Receipt of goods documents. Most of the exceptions identified in the audit occurred when PeopleSoft was initially implemented. After more training was provided, the number of overrides reduced. As of September 30, 2015, only 69 of 120,545 (.06%) vouchers had purchasing overrides. No inappropriate transactions were identified. Effect/Potential Impact Without proper monitoring and training overrides could result in incorrect payments to vendors and fraud. Audit Recommendation The Financial Management Division should monitor No Match overrides, educate users on appropriate use of the PeopleSoft feature, and establish criteria for acceptable overrides. April

11 Summary Results Based on Enterprise Risk Management Framework Closing Comments The results of this audit were discussed with the Financial Management (formerly Finance) Division Director, the Financial Management Division Deputy Director, the Financial Management Division Payments Management Director, the Financial Management Division Accounts Payable East Manager, the Financial Management Division Accounts Payable Central Manager, the Information Management Division (IMD, formerly Information Technology) Enterprise Resource Planning Director, and the IMD Operation Excellence Specialist in December (Note: employee staff positions mentioned above represent those as of the December 2015 meeting.) We appreciate the assistance and cooperation received from IMD, the Financial Management Division, and third party providers contacted during this audit. April