|
FINDINGS, CONCLUDIONS, AND RECOMMENDATIONS
INCORRECT FINANCIAL REPORTING
The Department did not correctly report financial information through the
State’s Generally Accepted Accounting Principles (GAAP) Reporting process. The
Department classified approximately $75 million of federal operating grants as general
grants and approximately $7 million of intergovernmental payables as accounts payable. In
addition, the Department did not include in the Department’s financial statements
$475 thousand of receipts that were collected but not deposited by June 30, 2002 and $291
thousand of cash on hand that was in two petty cash funds and seven foreign imprest funds.
(Finding 1, pages 11-12)
We recommended the Department comply with professional standards and the Statewide
Accounting Management System (SAMS) Procedures to ensure accurate financial information is
submitted to the Office of the Comptroller. Further, we recommended the Department review
and revise as necessary its current system in gathering the financial information that
will be reported to the State Comptroller in the GAAP Reporting Packages.
Department officials concurred with the finding and responded that they will comply
with professional standards and SAMS to ensure financial information is submitted to the
Office of the Comptroller in the proper format. The Department’s accounting staff
will continue to attend any state-sponsored training on GAAP reporting to learn more about
professional standards and SAMS.
INADEQUATE MONITORING OF CONTRACTORS
The Department paid 25 information systems contractors over $1.94 million. Nine
contractors received payments of over $100,000 with four receiving payments of over
$150,000.
Our review of the contracts and documentation supporting payments identified numerous
problems, including the following:
- The Department had expenditures of over $102,000 for training related costs for the
contractors. Specifically, the Department paid $30,919 for training course fees
(predominantly attended by contractors) and an additional $5,077 in travel reimbursement
for the contractors to attend the courses. Furthermore, based on records provided by
Department staff, contractors were paid their contracted hourly fee to attend the training
courses for an estimated $66,264.
- Contracts require contractors to provide detailed timesheets outlining the work
completed and the time it took; however, the majority of timesheets were submitted for
payment and paid without the required detail.
- The Department made payments, totaling $23,700, to contractors without supporting
documentation (timesheets).
- Documentation attached to invoice vouchers indicated that contractors were paid for 71
hours of holidays, vacations, and sick time totaling $4,459. In addition, contractors also
billed for and were paid $1,008 for hours where they were listed as "out" on the
timesheet submitted.
- The Department paid a contractor over $1.3 million for the development of a web-site.
However, the contractor went out of business and the Department did not receive adequate
documentation for the web-site or the source code file to permit the Department to
efficiently and effectively maintain the web-site prior to making the final payment.
Without proper monitoring of contractors, there exists an increased risk that
contractual requirements will not be met and that inappropriate or excessive
reimbursements will be made. (Finding 2, pages 13-15)
We recommended the Department perform a detailed review of its contract monitoring
process to ensure that contractors are complying with contractual requirements,
effectively performing duties, being paid for hours worked, and meeting the needs of the
Department.
Department officials responded that they partially agree with this recommendation and
have further reviewed their process for monitoring Information Technology contractual
vendors. The Department believes it has met the intent and substance of the
recommendation. Additionally, during the audit period, the Department initiated a project
to fully automate the Information Technology Office's timekeeping function for
contractors. The new system has been fully implemented and integrated with the
Department's financial management system since April 1, 2003. This system contains
supporting documentation for contractors' payments and requires management review.
INADEQUATE DEVELOPMENT AND COST ACCOUNTING OF THE CUSTOMER INFORMATION SYSTEM
The Department did not ensure compliance with the Application System Development
Standards (Standards) on the Customer Information System (CIS) project. Additionally, the
Department had not determined the total estimated cost of the complete CIS project.
The Department’s Standards address the various phases of system development
projects and require documentation throughout the development process. We reviewed three
modules of CIS for compliance with the Standards and found numerous instances of
non-compliance.
In addition, the total projected completion cost of the entire CIS project had not been
researched or analyzed. Management stated each module would be analyzed as it was brought
under the "umbrella" of the whole project. During FY02 the Department spent
approximately $875,332 for 11 contractors for the development of the CIS project. Of the
$875,332, $213,556 was paid from funds that receive federal funding. Without a formalized
detailed operating budget, it is difficult to determine the actual/expected cost of the
CIS project. (Finding 3, pages16-17)
We recommended the Department form a quality assurance team to ensure all system
development projects and major modifications follow the Standards. Appropriate
documentation should be maintained to demonstrate compliance with Standards. Additionally,
the Department should develop a detailed cost estimate and conduct a cost-benefit analysis
of the entire CIS project to ensure that the project will meet its needs in a
cost-effective manner.
Department officials responded that they partially agree with this recommendation. The
Department believed it met the criteria for a quality assurance team and for adequate
documentation. The Department also responded that it is in the process of preparing an
updated long-range cost estimate and analysis for the Customer Information System project.
INADEQUATE COMPUTER SECURTIY CONTROLS
The Department had established computer systems throughout the State and in the
Foreign Offices in order to meet its mission and mandate. The Department processes and
maintains critical, confidential and sensitive information on its computer systems.
During our review, we noted the following weaknesses:
- Lack of security strategy - A security strategy, to ensure that adverse situations such
as security breaches and system failures were adequately addressed in a timely manner, had
not been developed.
- Lax security parameters - Logical security was not consistently enforced or monitored,
and lax security controls were allowed. We identified accounts with no password
requirements, no password change interval, and no intrusion detection. Usernames and
passwords were maintained in clear text and available to all users of the
Department’s network. We also identified fifteen individuals with inappropriate
administrative access.
- Lack of encryption - Traffic transmitted through the Department’s internal network
as well as traffic to and from the Foreign Trade Offices via the Internet was not
encrypted to ensure that packets containing sensitive and confidential information were
not readable by unauthorized parties.
Without the implementation of adequate controls and procedures, there is a greater risk
that unauthorized access to Department resources may be gained and data destroyed. Prudent
business practices dictate that the Department strengthen its security to protect its
assets and resources against unauthorized access and misuse. Failure to identify specific
weaknesses associated with unauthorized access could leave the Department exposed to major
disruption of services to the public. (Finding 4, pages 18-19)
We recommended that the Department develop a formal security strategy and implement
more stringent security parameters on its computer systems. We also recommend that an
independent review of security administration and awareness be performed periodically to
ensure the Department’s security needs are being met, identify weaknesses, and
encourage adherence to established policies and procedures.
Department officials responded that they partially agree with this recommendation and
that while the Department agrees with the bulk of the finding, the Department does not
believe significant risks existed for either network or Internet operations. The
Department does agree that their policies and procedures can be improved.
The Department is currently in the process of strengthening their policies and
procedures as recommended, including security administration, and will establish a policy
regarding encryption of information transmitted through the network.
OTHER FINDINGS
The remaining findings were less significant and corrective action is reportedly in
process. We will review the Department’s progress toward implementation of our
recommendations in our next audit.
Mr. Jack Lavin, Director of the Department of Commerce and Economic Opportunity
(formally the Department of Commerce and Community Affairs) provided the Department's
responses.
AUDITORS’ OPINION
Our auditors stated the Department’s financial statements as of June 30,
2002 were fairly presented in all material respects.
___________________________________
WILLIAM G. HOLLAND, Auditor General
WGH:TLD:pp
AUDITORS ASSIGNED
This audit was performed by the staff of the Office of the Auditor General.
|
