July 1999

TABLE OF CONTENTS

Report on Third Party Review 1

Report Summary 5

General Controls 11

Administration Controls 13

Computer Operations Controls 17

Security Controls 19

Application Systems Development Controls 23

Security Administration Controls 27

Systems Programming Controls 29

Telecommunication Controls 31

Systems Software Controls 33

Application Controls 39

Accounting Information System 41

Central Payroll System 45

Central Inventory System 49

Central Time and Attendance System 53

Appendix A - Complementary User Organization Controls 55

Appendix B - List of User Entities 59

Appendix C- Year 2000 Disclosure 61

JULY 1999

The Honorable William G. Holland
Auditor General
State of Illinois

We have examined the accompanying description of the systems and procedures used to control data processing operations at the Bureau of Communication and Computer Services of the Department of Central Management Services (Department). Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of the Department's controls that may be relevant to a user organization's internal control structure; (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily; and (3) such controls had been placed in operation as of April 16, 1999. Our review, started in the summer of 1998 and primarily performed between February 16 and April 16, 1999, was limited to controls at the Department's Central Computer Facility (CCF), the Department's Communications Center, and its branch facility. Our examination was performed in accordance with the Illinois State Auditing Act, applicable generally accepted auditing standards, and "Government Auditing Standards" issued by the Comptroller General of the United States. We included those procedures considered necessary under the circumstances to obtain a reasonable basis for rendering our opinion.

In our opinion, the accompanying description of the aforementioned systems and procedures presents fairly, in all material respects, the relevant aspects of the Department's controls that had been placed in operation as of April 16, 1999. Also, in our opinion, the controls, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily.

In addition to the procedures we considered necessary to render our opinion as expressed in the previous paragraph, we applied tests to specific controls, listed in the body of the report, to obtain evidence about their effectiveness in meeting the control objectives, during the period from February 16 to April 16, 1999. The specific controls and the nature, timing, extent, and results of the tests are listed in the body of the report. This information has been provided to the Department’s user organizations and to their auditors to be taken into consideration, along with information about the internal control structure, when they assess control risk at their organization. In our opinion, the controls that were tested, as described in the body of the report, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in the body of the report were achieved during the period from February 16 to April 16, 1999. However, the scope of our engagement did not include tests to determine whether control objectives not listed in the body of the report were achieved; accordingly, we express no opinion on the achievement of control objectives not included in the body of the report.

The relative effectiveness and significance of specific controls at the Department and their effect on assessments of control risk at user organizations are dependent on their interaction with the controls and other factors present at individual user organizations. We have performed no procedures to evaluate the effectiveness of controls at individual user organizations.

The description of controls at the Department is as of April 16, 1999, and information about tests of the operating effectiveness of specified controls covers the period from February 16 to April 16, 1999. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the controls in existence. The potential effectiveness of specified controls at the Department is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that (1) changes made to the system or controls, (2) changes in processing requirements, or (3) changes required because of the passage of time [such as to accommodate the dates in the year 2000] may alter the validity of such conclusions.

This report is intended for the information of the Auditor General, the General Assembly, the Legislative Audit Commission, the Governor, Department management, and affected State agencies, and auditors of the State agencies. However, this report is a matter of public record and its distribution is not limited.

______________________________________
William J. Sampias, CISA
Director, Information Systems Audits

April 16, 1999

July 1999

REPORT SUMMARY

INTRODUCTION

The Department of Central Management Services' (Department) Bureau of Communication and Computer Services carries out statutory responsibilities relating to data processing and telecommunication services (20 ILCS 405/35.3; 20 ILCS 405/35.7; 20 ILCS 405/35.7a; 20 ILCS 405/35.7c; and 20 ILCS 405/35.8). To fulfill its responsibilities, the Department operates the Central Computer Facility (CCF), the Communications Center, and a branch facility in Springfield. The Springfield branch facility also serves as the primary backup site should a disaster prevent processing at the Central Computer Facility. Through its facilities, the Department provides data processing services to approximately 104 user agencies (see Appendix B).

The CCF functions as a data processing service center providing computing and telecommunication resources for State agencies' use. The Department and the agencies that use the Department's computer resources share the responsibility for maintaining the integrity and security of computerized data and functions. Although the Third Party Review addressed only controls for which the Department is responsible, we identified numerous control areas that should be reviewed and addressed by user agencies' internal and external auditors (see Appendix A).

We reviewed data processing general controls at the Department. We performed tests to determine compliance with policies and procedures, conducted interviews, performed observations, and identified specific control objectives and procedures we considered necessary in the circumstances to evaluate the controls.

We also reviewed or confirmed application controls for systems maintained by the Department for State agencies' use. The systems were:

• Accounting Information System;

• Central Payroll System;

• Central Inventory System; and

• Central Time and Attendance System.

The Department's control procedures and the degree of compliance with the procedures were sufficient to provide reasonable, but not absolute, assurance that relevant control objectives were achieved.

Year 2000 Readiness

The Year 2000 issue is the result of a common practice by programmers over the years to abbreviate the year field to two digits rather than four. Computers using two digits to define the year may not know what to do when faced with 00, as in Year 2000. The computers might translate the millennium as 1900. Since year fields are used in date calculations throughout mission-critical applications, the problem can affect the integrity, reliability, and usefulness of the organization’s lifeblood—its information. This situation can affect the full range of operations: contractual agreements, schedules, calculations for financial results and employee benefits, as well as penalty and interest payments, security authorizations, deadlines (driver’s license expiration dates, welfare checks), employee records, and hundreds of other physical and electronic resources.

The Department has taken the lead to increase State agency awareness of the need to ensure computer systems are Year 2000 compliant. The Department started this process in April 1996. Subcommittees were created; monthly meetings were held with State agency representatives; a central repository of information was developed on the Intranet to share information among the agencies on available tools as well as software and hardware information; and efforts were underway to share testing strategies. Starting in April 1999, monthly Year 2000 status reports were required from State agencies reporting to the Governor. Agencies identified the functions that they perform and the computer systems that support those functions. On May 28, 1999, the Governor released a comprehensive State agency report outlining the status of State government in preparing computers and other systems for conversion to the Year 2000 as of April 30, 1999.

On November 30, 1998, the Year 2000 Technology Task Force Preliminary Report was released. The Task Force was chaired by the Director of the Department and its members were from the Legislature, Constitutional Offices, and State agencies.

The Department should continue to work with the Governor’s Office and coordinate the State’s efforts in addressing and reporting the Year 2000 issue. The Department should continually assess their progress in completing their conversion efforts and develop contingency plans for any systems or applications that may not be Year 2000 ready.

See Appendix C for the Department’s Year 2000 Disclosure Statement.

Control Deficiencies

We identified several control deficiencies that appear in pages 13 through 54. Four of these issues warrant additional emphasis.

Systems Development

The Department’s Application Systems Development (ASD) Division is responsible for the development and maintenance of computer applications available for use by State agencies. These applications are referred to as the Common Systems and include the Accounting Information and Central Payroll Systems. The new ASD Methodology, adopted in October 1998, with revisions in 1999, provided ASD Project Managers and Internal Audit with a great deal of flexibility in terms of project management and oversight respectively.

Based on our review of the development process, there did not appear to be a function in place to assess the quality of controls within the systems or ensure compliance with the ASD Methodology. Although the new Methodology may offer an efficient method for developing systems, a thorough and effective monitoring function is needed to ensure that systems are consistently developed within acceptable parameters.

Quality Assurance’s (QA) role in the system development process is limited to reviewing and monitoring to ensure the deliverables selected on a project’s Checklist are developed. A Checklist is required for new development and for enhancement projects only. Between July 1, 1998, and February 26, 1999, we noted that QA’s monitoring function was limited to 33 of the 486 ASD development projects initiated. In addition, the oversight function is restricted to monitoring delivery of project deliverables, and does not include reviewing the adequacy of the deliverables, appropriateness of the classification of a project, reasonableness and completeness of testing and documentation, efficiency of development design, adequacy of built-in controls, etc.

With the new ASD Methodology’s flexibility and the Internal Audit Division’s limited role in systems development review activities, the ASD Quality Assurance function should be expanded to ensure new developments, enhancements, and other changes are developed, documented, and reviewed in a structured and consistent manner to ensure system integrity. In addition, we recommend that the Internal Audit Division perform an audit of systems development activities and practices. The audit should focus on the suitability of the systems development methodology and standards, compliance with the methodology and standards, and the effectiveness of the Quality Assurance function (see pages 24 and 25).

Department Response

ASD management is evaluating Quality Assurance’s role and will develop an action plan to enhance its activity as a monitoring function.

Change Control

Although the Department has procedures for controlling changes to software, we found that the process was manually intensive and not always observed. The procedures contain guidelines for approving changes based on the priority category of the change, and require signatures at different points in the process. However, we identified numerous instances of noncompliance with the procedures and concluded that the current procedures do not agree with the change control practices.

Accepted information systems guidelines promote the implementation of procedures to ensure that software changes are controlled to help ensure the integrity of the computer system and user applications.

Department officials stated that an upgrade to the change management system is in the planning

stage. and sThe new system requirements include online change submission, assessment, approval, scheduling, and status updates along with multiple levels of assessment or approval. The Department should accelerate the selection and implementation of a comprehensive change management system. In the interim, the Department should consider modifying current procedures to enhance the control over changes (see page 30).

Department Response

Data Center is updating the current manual procedures to enhance controls over software changes. Data Center plans to convert to an on-line/real time application, which includes: on-line change creation, approval, status and history, and eliminates the manual paper based system.

Billing System

The Department is statutorily authorized to provide data processing services for the State agencies. The Department, the State agencies, and the users of the Central Computer Facility share the costs of those services. Funding for the Central Computer Facility is provided through the Statistical Services Revolving Fund (SSRF) and the Communication Revolving Fund (CRF). The SSRF service billing statements include charges for network services, on-line services, off-line services, secure cards, inventory, and usage of the Accounting Information System and other common systems. The SSRF billing process involves manually inputting data that already exists, in electronic form.

During our review of the Department’s billing system, we noted:

• Billing charge transactions manually entered were $12.7 million.

• Billing credits were tracked on a spreadsheet package and were manually entered into the Accounts Receivable/Payable System. Billing credits totaled $22.5 million in FY98.

• User agency names were not used consistently between the various systems.

• The keypunch system does not accept or print numbers that exceed 8 digits and is not Year 2000 compliant.

The Department should utilize its automation capabilities to eliminate the manual processes in the billing system and ensure that billing information is accurate (see pages 14 and 15).

Department Response

The Agency’s billing system accurately bills customers. The continuing automation effort is designed to improve the billing system’s efficiency. Agency is making the keypunch Y2K compliant.

Disaster Contingency Planning

Although the Department has made significant progress in addressing the disaster contingency needs of the State’s Central Computer Facility, the plans and operational provisions still need to be enhanced to provide assurance that all of the State’s critical applications and network operations can be recovered within required timeframes. The State is placing great reliance on the Department’s ability to provide data processing and network services in the event of a disaster. As such, a comprehensive and thoroughly tested disaster contingency plan and sufficient backup facilities are essential components of recovery efforts.

The Department should continue its efforts to ensure that the necessary components are available to provide for continuation of critical computer operations in the event of a disaster. In addition, the Department should continue to conduct comprehensive tests of the disaster recovery plan on an annual basis (see pages 20 and 21).

We will review progress towards the implementation of our recommendations during the next Third Party Review.

Department Response

The Agency continues to allocate significant resources to maintain its disaster recovery capability. Verification includes conducting comprehensive tests.

The Department responses were provided on June 15, 1999 by Michael S. Schwartz, Director of the Department of Central Management Services.

GENERAL CONTROLS

General controls are the methods, policies, and procedures adopted by an organization to ensure the protection of assets, promotion of administrative efficiency, and adherence to management's standards and intentions.

The general controls review consisted of an evaluation of the controls in eight distinct areas:

• Administration;

• Computer Operations;

• Security;

• Application Systems Development;

• Security Administration;

• Systems Programming;

• Telecommunication; and

• Systems Software.

 

The Third Party Review addresses each general control area in a separate control section of this Report.

ADMINISTRATION CONTROLS

Administration controls include the procedures necessary to ensure that resources are used efficiently and in accordance with management's intentions. They encompass the overall operation of the computer facility.

Administration controls also include functions that maximize organizational efficiency and productivity. Organizational efficiency can be directed through long-range planning efforts and effective personnel policies. Productivity in the computer facility is enhanced by adherence to standards.

Control objectives for administration include:

• segregating duties to prevent information systems (IS) personnel's performance of incompatible functions;

• providing training and direction; and

• ensuring that IS and user management participate in long-range planning.

Our review of the administration control objectives included a review of:

• segregation of duties and job descriptions;

• training requirements, records, and documentation;

• Internal Audit's participation in the development or modification of computer systems and their two-year audit plan;

• statements of current insurance coverage for computer and telecommunications equipment, and a comparison of coverage to the computer equipment inventory;

• the Department's long-range planning efforts;

• the process of billing user agencies for computer services;

• the Department’s progress in achieving Year 2000 compliance; and

• the status of 1998 Department administration findings.

We reviewed eight administration controls and received written confirmation from the Department on the status of five other administration controls. We noted the following:

Training Program - No formal training policies or procedures exist to ensure the Department’s employees are adequately trained. The Department should develop formal training policies and consider instituting a centralized training database to ensure that staff receive the necessary or required training classes.

Internal Audit Coverage of Information Systems - The Department oversees a $200 million computer operation and relies heavily on electronic data processing activities to provide services to other agencies and to perform its own functions. Since the Department’s Internal Audits (IA) Division has a mandated requirement to perform reviews of system developments and major modifications to existing systems, IA should establish formal procedures to identify which new system developments and/or system modifications IA will participate in to ensure compliance with the statutory requirement and sufficient audit coverage. We also recommend that the Internal Audit Division perform an audit of ASD’s systems development activities and practices.

Insurance Coverage - The Department currently has two insurance policies: 1) insuring approximately $106 million of Electronic Data Processing (EDP) equipment; and 2) insuring approximately $13.9 million of telecommunication equipment. The Department has four computer hardware inventory reports maintained on four separate computer systems. The Department did not have policies and procedures determining which equipment and the dollar amount to be insured. The Department should develop and distribute formal written procedures for reporting and entering equipment through a single system, as well as procedures for determining which equipment to insure.

Billing System - The Department is statutorily authorized to provide data processing services for the State agencies. The Department, the State agencies, and the users of the Central Computer Facility share the costs of those services. Funding for the Central Computer Facility (CCF) is provided through the Statistical Services Revolving Fund (SSRF) and the Communications Revolving Fund (CRF). The SSRF service billing statements include charges for network services, on-line services, off-line services, secure cards, inventory, and usage of AIS and other common systems. The SSRF billing process involves manually inputting data that already exists in electronic form.

During our review of the Department’s billing system, we noted:

• Billing charge transactions manually entered were $12.7 million.

• Billing credits are tracked on a spreadsheet package and are manually entered into the Accounts Receivable/Payable System (ARPS). Billing credits totaled $22.6 million in FY98.

• User agency names were not used consistently between the various systems.

• The keypunch system does not accept or print numbers that exceed 8 digits and is not Year 2000 compliant.

• Errors on two of four agency communications revolving fund circuit billings.

The Department should utilize its automation capabilities to eliminate the manual processes in the billing system and ensure that billing information is accurate. The Department should also ensure that names and other user agency identifiers are current and used consistently in billing-related systems.

Year 2000 Readiness - The Year 2000 issue is the result of a common practice by programmers over the years to abbreviate the year field to two digits rather than four. Computers using two digits to define the year may not know what to do when faced with 00, as in Year 2000. The computers might translate the millennium as 1900. Since year fields are used in date calculations throughout mission-critical applications, the problem can affect the integrity, reliability, and usefulness of the organization’s lifeblood—its information. This situation can affect the full range of operations: contractual agreements, schedules, calculations for financial results and employee benefits, as well as penalty and interest payments, security authorizations, deadlines (driver’s license expiration dates, welfare checks), employee records, and hundreds of other physical and electronic resources.

The Department has taken the lead to increase State agency awareness of the need to ensure computer systems are Year 2000 compliant. The Department started this process in April 1996. Subcommittees were created; monthly meetings were held with State agency representatives; a central repository of information was developed on the Intranet to share information among the agencies on available tools as well as software and hardware information; and efforts were underway to share testing strategies. Starting in April 1999, monthly Year 2000 status reports were required from State agencies reporting to the Governor. Agencies identified the functions that they perform and the computer systems that support those functions. On May 28, 1999, the Governor released a comprehensive State agency report outlining the status of State government in preparing computers and other systems for conversion to the Year 2000 as of April 30, 1999.

On November 30, 1998, the Year 2000 Technology Task Force Preliminary Report was released. The Task Force was chaired by the Director of the Department and its members were from the Legislature, Constitutional Offices, and State agencies.

The Department should continue to work with the Governor’s Office and coordinate the State’s efforts in addressing and reporting the Year 2000 issue. The Department should continually assess their progress in completing their conversion efforts and develop contingency plans for any systems or applications that may not be Year 2000 ready.

See Appendix C for the Department’s Year 2000 Disclosure Statement.

 

 

COMPUTER OPERATIONS CONTROLS

The command center unit of Computing Services is the focal point of data processing for the Central Computer Facility (CCF). The control and management of computer operations are vital to overall data processing effectiveness.

Computer operations management must be aware of all facets of the operating environment and be able to control it. Department management must ensure that processing meets specifications, thereby making the review of operations a prime concern. Therefore, Department management must require the logging of all actions initiated by computer operators and all actions performed by computer software.

Control objectives for computer operations include:

• ensuring that operator actions, system actions, operating problems, and operating statistics are maintained;

• establishing procedures for restart and recovery;

• controlling job schedules and magnetic tape/cartridge usage; and

• using available error correction techniques.

Our review of the computer operations control objectives included a review of:

• a computer analysis log and shift summary report;

• hardware monitoring and problem handling; policies and procedures for output distribution; and output checkout and authorization lists;

• automated operator tasks and security controls over computer operators;

• restart and recovery procedures, job scheduling procedures, and Information Management Problem Summary Reports;

• tape management procedures, missing tape log, and Tape Management System listing; and

• the status of 1998 Department computer operations findings.

We reviewed eight computer operations controls and received written confirmation from the Department on the status of six other computer operations controls. We noted the following:

ID Sharing - The IDs used by the computer operators provide access to functional areas and are shared by all 20 of the operators. Although a specific user ID and password is used to gain access to each functional area, the IDs being shared by all the operators provide no individual accountability for actions taken. The Department should review the current practice of sharing operations’ IDs among operators, supervisors, and managers and consider assigning individual IDs with appropriate access rights and privileges. If individual IDs are not assigned, management should consider implementing a compensating control such as biometric devices to ensure accountability for the use of shared functional user IDs. In addition, management should continually review the access capabilities of operators to ensure that access is limited to areas necessary to perform job duties.

Operating Problems - During our review, we determined that operating problems were all assigned the same priority code and that some problems were listed as unresolved for long periods of time, the longest noted was 209 days after identification. The Department should assign an appropriate priority code to each problem and ensure that problems are resolved or closed within a reasonable timeframe.

Tape Management - The Bureau has formal tape management procedures for the movement of tape media in and out of the Tape Library; however, we identified some minor problems and a discrepancy between the listing of tapes in the Tape Library and the billing system. The Department should take measures to strengthen control over their tape media management procedures. The following concerns should be corrected:

• The Tape Management System should be the source of agency tape storage billings.

• The Department should reconcile monthly the user agency tape media storage totals to billing totals to ensure the billings accurately reflect a user agency’s tape media storage.

• An annual physical inventory of the Tape Library and the offsite storage locations should be performed and reconciled with the Tape Management System.

• Tape Library and billing staffs should coordinate their use of assigned agency prefix identifiers to avoid errors in billing records.

 

SECURITY CONTROLS

The presence of security controls reduces or prevents disruption of service, loss of assets, and unauthorized access to equipment. An effective physical security program is a prerequisite to effective computer security. Unless computer equipment is physically secure, attempts to protect the system and data are futile.

Security measures include controlling access to computer facilities, controlling visitors within the facility, and planning for disaster recovery. As the Department places more reliance upon computer operations, the ability to continue critical processing is of prime importance.

Control objectives for security include:

• control over access to the facility;

• control over access within the facility;

• an adequate equipment servicing program;

• adequate backup power sources, alarms, and prevention equipment; and

• a written and tested disaster contingency plan.

Our review of the security control objectives included a review of:

• controls over access into and within the Central Computer Facility (CCF) and the Harris facility;

• controls over badges, contractor badge procedures, and policies for the return of badges from employees leaving the CCF;

• controls over tape movement in and out of the CCF tape library and key information and programs stored off-site;

• CCF janitorial contracts and housekeeping responsibilities;

• the uninterruptible power supply (UPS) system at the CCF and measures taken to ensure an adequate alternate power supply exists at the Harris facility;

• disaster contingency plan, including the systems and program products included in the plan, user agencies' critical application lists, recovery tests, test documentation, and disaster contingency information at the off-site storage location; and

• the status of 1998 Department security findings.

We reviewed ten physical security controls and received written confirmation from the Department on the status of two other physical security controls. We noted the following:

New Security System - The Department was implementing an enhanced card key system to secure the CCF and Harris facility during our review.

Off-Site Storage - The Department has two off-site storage locations for backup tape media. We found that procedures for the storage of materials were not always followed. The Department should ensure that storage procedures are followed at the off-site storage locations.

Tape Movement - The Department has procedures in place to control the movement of magnetic tapes to and from the CCF tape media library; however, we identified one instance of non-compliance with procedures. The Department should ensure that the transmittal forms are properly approved and filed.

Primary Backup Facility - The Department has designated the Harris facility as the primary backup and recovery facility. The agreement for the Department’s use of this facility was last signed in 1985 and has not been renewed, even though the Department of Human Services replaced the Department of Public Aid as the primary occupant of the Harris facility. The Department should enter into a new lease agreement to ensure the availability of the Harris facility.

Disaster Contingency Plan - On May 13, 1999, the Department sent a letter to the Office of the Auditor General that was signed by the Director, Bureau Manager, and Chief Internal Auditor which included the following sentence:

CMS’ current level of preparedness guarantees all users that have tested their defined Category 1 Critical Application successful recovery in the event of a disaster.

The Department has established four disaster contingency plans, the CMS/BCCS/CCF Disaster Recovery Plan (DRP - dated February 1999) for recovering the Department’s Central Computer Facility’s (CCF) operations; the NCC/Network Disaster Recovery Plan (NCC DRP - dated February 1996) for recovering the Department’s Network Control Center, Internet, and other telecommunications’ operations; the Central Management Services Local Area Network Disaster Recovery Plan (LAN DRP - dated June 1997); and the CCF Disaster Contingency Plan (dated February 1999) addressing Year 2000-related recovery issues. To assist the Department in assuring the plans are updated adequately, frequently tested, and continuously reviewed, the Department has assigned disaster contingency responsibilities to contingency coordinators located in the CCF, NCC, and LAN areas. Overall disaster contingency responsibility has been assigned to the Assistant to the Bureau Manager.

In addition, the Department has established an RFP for providing disaster contingency services for their CCF, Harris facility, and AS400 mid-range processors. It also provides consulting services for reviewing and making recommendations for the NCC and LAN disaster contingency plans. Although the Harris facility will continue to be the primary back up site for recovering CCF operations, Department officials stated the disaster contingency contract will supplement the satellite facility in the event additional processing capabilities are necessary.

The Department maintains a Statewide Critical Applications Processing Priority List based on information received from user agencies. During May 1998, the Department requested user agencies to review their applications and prioritize their critical applications in one of five categories:

• Human Safety - an application which is critical to the support of human safety to Illinois citizens;

• Critical Human Services - an application which is critical to the human welfare of Illinois citizens;

• Non-Critical Human Services - an application which is non-critical to the welfare of Illinois citizens;

• Administrative Services - an application which supports the administration of State processes; and,

• Maintenance Activities - an application which contains items related to the maintenance of the information processing environment.

During November 1998, the Department performed a disaster recovery test to concurrently restore the Category 1 critical applications included on the Statewide Critical Applications Processing Priority List. Although all seven agencies with Category 1 critical applications performed disaster recovery testing during 1998, only three of the seven participated in the November 1998 test. As such, although the test was performed successfully, not all the Category 1 critical applications were concurrently restored.

Although the Department has made significant progress in addressing the disaster contingency needs of the State’s Central Computer Facility, the plans and operational provisions still need to be enhanced to provide assurance that all of the State’s critical applications and network operations can be recovered within required timeframes. The State is placing great reliance on the Department’s ability to provide data processing and network services in the event of a disaster. As such, a comprehensive and thoroughly tested disaster contingency plan and sufficient backup facilities are essential components of recovery efforts.

 

APPLICATION SYSTEMS DEVELOPMENT CONTROLS

Application systems development is a critical part of the data processing function. A structured systems development process helps to ensure system reliability, quality, predictability, and user satisfaction.

The acceptance of a structured systems development methodology ensures that system designers meet the requirements of system users. A structured approach includes the use of standards for systems design, documentation, testing, and post-implementation review. It also ensures that all new and enhanced computer systems meet organizational requirements.

Control objectives for application systems development include:

• appropriate standards, policies, and procedures to control systems and programming functions;

• properly authorized, tested, reviewed, documented, implemented, and approved activities for systems development; and

• active user and management participation in defining, developing, testing, and reviewing systems and programming activities.

Our review of the application systems development control objectives included a review of the:

application systems development standards and methodology;

project management tools and techniques;

approval process for new and modified application systems;

system, operations, program, and user documentation;

testing requirements for new systems and major modifications to existing systems;

post-implementation review process for new systems and major system enhancements;

placing authorized programs into production;

quality assurance function; and

status of 1998 Department application systems development findings.

We reviewed twelve application systems development controls and received written confirmation from the Department on the status of three other application systems development controls. We noted the following:

Application Systems Development - The Department’s Application Systems Development (ASD) Division is responsible for the development and maintenance of computer applications available for use by the State agencies. These applications are referred to as the Common Systems and include the Accounting Information and Central Payroll Systems. The new ASD Methodology was adopted in October 1998 and revised in 1999.

The Bureau uses the Application Systems Development Methodology and Documentation Requirements (Methodology) as its guide for new systems, maintenance, enhancements, ad hoc, and prototype developments. The Methodology also outlines procedures for designing the system, developing documentation, conducting testing, and administering a post-implementation review. The use of and compliance with a structured systems development process helps to ensure that systems contain the proper controls, meet the users’ needs, are adequately documented, sufficiently tested, and appropriately moved into the production environment.

From our testing for the common systems’ compliance with the ASD Methodology, we identified the following weaknesses associated with the general systems development process:

• We determined that development standards have not been updated to reflect changes in the Methodology.

• We determined post-implementation reviews were not performed for all eligible projects.

• We found multiple program modules for the Accounting Information System (AIS) did not have complete documentation.

• We determined that Quality Assurance’s (QA) role in the system development process is limited to reviewing and monitoring to ensure the deliverables selected on a project’s Checklist are developed. Between July 1, 1998, and February 26, 1999, we noted that QA’s monitoring function was limited to 33 of the 486 ASD development projects initiated. In addition, the oversight function is restricted to monitoring delivery of project deliverables and does not include reviewing the adequacy of the deliverables, appropriateness of the classification of a project, reasonableness and completeness of testing and documentation, efficiency of development design, adequacy of built-in controls, etc.

We recommend the Department strengthen controls over systems development and implement the following:

• Update the development standards to reflect the updated Methodology.

• Perform post-implementation reviews as outlined in the Methodology.

• Continue to strive to bring documentation into compliance with Methodology requirements.

• Expand the Quality Assurance function to ensure new developments, enhancements, and changes are developed, documented, and reviewed in a structured and consistent manner to ensure system integrity.

SECURITY ADMINISTRATION CONTROLS

Security administration is responsible for security over the Central Computer Facility (CCF), including all aspects of physical and data security. A basic tenet of security administration is that its duties must be segregated from other computer operations. Security administrators must have independence in order to establish and enforce security policies.

Security administration must continually inform users and employees of security issues and be the focal point for implementing security measures.

Control objectives for security administration include:

• ensuring that the computer security administration function is independent of computer operations;

• providing reports and performing reviews of attempted security violations; and

• ensuring that users and employees are counseled on security considerations.

Our review of the security administration control objectives included a review of the:

• computer security administrators’ responsibilities and independence;

• security policies;

• general state of security awareness; and

• status of 1998 Department security administration findings.

We reviewed four security administration controls and received written confirmation from the Department on the status of three other security administration controls. We noted the following:

Security Administration - During Fiscal Year 1998, the Department created a Security Officer position, responsible for all aspects of computer security and reporting directly to the Bureau Manager. The Department has developed and approved a comprehensive Information Technology (IT) Security Policy. The IT Security Policy is dated June 1, 1998, and serves as an umbrella policy for the Department’s other security policies:

• Statewide Information Security Policies;

• Statewide Information Security Policy - Internal;

• Local Area Network (LAN)? Office Automation (OA); and

• Statewide Information Security Policy - Internet.

The Department should continue to enhance its security program, and update some position descriptions to ensure they state reporting relationships and identify security responsibilities.

SYSTEMS PROGRAMMING CONTROLS

System programmers control the operation of the computer system and are responsible for the efficient use of computer resources. System performance is a major concern to the system programmer.

Systems programming must develop a method of evaluating the performance of computer hardware and software. Criteria for measuring performance must be formalized and deviations from the performance criteria must be corrected.

Control objectives for systems programming include:

• standards, policies, and procedures for the administration of the systems programming function;

• standards, policies, and procedures for the measurement of system performance; and

• procedures for testing and approving system software changes.

Our review of the systems programming control objectives included a review of:

• systems software change control procedures;

• the Automated Library Authorization function;

• procedures for testing and approving system software changes;

• controls to prevent unauthorized changes to the systems;

• procedures for monitoring CPU and program performance; and

• the status of 1998 Department systems programming findings.

We reviewed three systems programming controls and received written confirmation from the Department on the status of four other systems programming controls. We noted the following:

Change Control - The Department has established change control procedures which are maintained in the DP Guide (Data Processing Guide). These procedures contain guidelines for approving system changes and were last updated on December 20, 1998.

We identified the following weaknesses in change control procedures:

• Forms routinely did not contain all of the required information or appropriate authorization.

• Change testing was generally not documented.

The Department should review its current change control procedures and assure they meet its needs. The Department should also ensure that all changes are documented and approved as required by the DP Guide.

 

TELECOMMUNICATION CONTROLS

Telecommunication systems control the transmission of messages between users and the computer. Through the telecommunication network, users at remote sites can access computer programs at the computer facility. The majority of devices interface with the computer facility by a telecommunication device. Control over the telecommunication network is necessary to ensure that only authorized users have access to the computer facilities.

Telecommunication network controls should encompass the network's operating performance and security.

Control objectives for telecommunication include:

• testing and approving telecommunication software changes;

• securing dial-up lines’ access to computer resources;

• analyzing response time, detecting problems, and documenting problem resolutions; and

• selecting available telecommunication security options.

Our review of the telecommunication control objectives included a review of:

• security features of CICS and DB2;

• security controls which prevent unauthorized access to the telecommunication software and dial-up lines;

• procedures for logging telecommunication problems;

• documentation of the telecommunication network and attached networks;

• procedures for securing the Department’s Internet connection; and

• the status of 1998 Department telecommunication findings.

We reviewed eight telecommunication controls and received written confirmation from the Department on the status of five other telecommunication controls. We noted the following:

Local Area Network (LAN) Security - The Department provides office automation services to a small number of user agencies through a WANG system and through Local Area Networks (LANs). The Department should continue efforts to phase out the WANG system.

Internet Security - The Department’s Internet connection was created on September 8, 1996. In December 1996 the Department issued the DCMS Statewide Internet Information Security Policy (Internet Security Policy) that must be followed when there is a flow of information between the Internet and the Bureau’s protected environment, the mainframe. In May 1997 the Department approved a comprehensive Information Technology (IT) Security Policy which governs all the Department’s computer resources, including Internet resources. Based on our review of the Security Policy, we share the Department’s concerns over this high risk area.

The Department should move forward to assess their Internet environment and to enforce their Security Policy. In addition, the Department should:

• Monitor State agency Internet addresses to identify those agencies that have not obtained their Internet service from CMS and thus pose a potential threat to the protected mainframe environment.

• Strengthen the review and approval process for dedicated Internet connections to include on-site technical reviews of the configurations of all State agencies that have a dedicated Internet connection.

• Ensure a completed Internet questionnaire is received from each of the agencies with a dedicated Internet connection.

• Implement controls to ensure the protected environment is adequately safeguarded with regard to access from sources external to State agencies, especially as the Department is moving forward with incorporating new technology.

• Provide security advice and alternatives to user agencies, enabling them to secure their environment and, subsequently, the protected environment.

• Obtain services of an expert to assess the Department’s Internet security.

• Inform all agencies who obtain their Internet service from the Department that the agencies are responsible for virus detection and prevention.

 

SYSTEMS SOFTWARE CONTROLS

Systems software consists of computer programs and related routines that control computer processing. The operating system is the prime component of system software; it controls the execution of user application programs.

Each system software product can be tailored to meet user needs. System tailoring is accomplished by setting optional system parameters and, therefore, has an impact on system performance and security.

Control objectives for systems software include:

• setting appropriate system parameters and security options for MVS and VM;

• controlling procurement and maintenance of software licenses; and

• using the security features of RACF effectively.

Our review of the systems software control objectives included a review of:

• CA-Examine reports on the MVS operating system;

• the Department’s software enterprise agreements and expenditures;

• MVS and VM system parameters and security options;

• procedures to identify, restrict, and monitor use of high-risk utility programs;

• DSMON and SETROPTS reports from the MVS and VM operating systems; and

• the status of 1998 Department systems software findings.

MVS

Multiple Virtual Storage (MVS) is the primary operating system used at the Central Computer Facility (CCF). MVS is a complex operating system used on mainframe computers and functions as the system software that controls the initiation and processing of all work within the computer. MVS’ continuing integrity is critical to maintain confidence in the accuracy and security of programs and data under its control.

Our general objective was to review the MVS operating system to assess the level of security and the integrity of controls in place within the operating system environment. The review of MVS was conducted by auditor observation, inquiry, and testing as well as through the use of CA-Examine. CA-Examine is an online product that provides detailed information on the hardware and software environment of the MVS system and provides information about security parameters and control mechanisms for MVS.

Although security over MVS was reasonably well instituted, the Department should continue to monitor and ensure the existence of date protection over sensitive system libraries.

VM

The Virtual Machine (VM) operating system is the secondary operating system used at the Central Computer Facility. VM creates a virtual environment for each system user. As far as users are concerned, they are in total control of the computer, a virtual storage device, a virtual printer, and possibly such devices as telecommunication lines. The illusion is so complete that other operating systems, such as MVS, can be run on a virtual machine under the control of VM.

VM differs from the MVS system in the security available to users, the way users are defined, and the types of applications available on the system. VM is similar to MVS in that VM controls the initiation and processing of work in the computer. The integrity of VM is critical to maintaining confidence in the accuracy and security of programs and data under its control.

In the VM system, the emphasis is on flexibility and user-friendliness. Users with varying degrees of expertise use VM's two main applications: the electronic mail application, which allows messages to be distributed among several State agencies, and NOMAD, which is a data base management system.

Our review of the VM operating system's control objectives included formally confirming the status of VM controls; reviewing controls over the VM directory, performance and error monitoring tools; procedures for authorizing and adding new users; and security issues.

Although security over the VM operating system was reasonably well instituted, the Department should continue to discourage user agencies from permitting users to write to a disk simultaneously.

RACF

The Department of Central Management Services uses Resource Access Control Facility (RACF) security system to control and monitor access to data maintained on their mainframe computers and other resources. RACF operates as an extension of, and an enhancement to, the basic MVS and VM operating systems. It provides a mechanism for controlling access and for monitoring secured computer resources.

RACF protects by exception; that is, the user individually defines each data set to be protected by RACF. It provides security and integrity capabilities that allow authorized users access to a defined set of protected resources, deny access to all other protected resources, and permit regular access to unprotected resources. RACF limits users to the pre-defined data sets for which they have access authorization. In addition, RACF maintains a log of all access attempts which is used to monitor unauthorized access attempts and identify areas where security may need to be strengthened.

RACF protects access and enforces user accountability over data and system resources by positively verifying the user’s authority to utilize that data or system resource and by logging the user’s actions. Under the current environment, user agencies are responsible for specifying which data sets are to be protected by RACF and for properly using the available RACF resources.

During our review of RACF security, we reviewed MVS and VM DSMON reports, RACF parameters and security options selected on both the MVS and VM operating systems, and the status of the RACF issues identified in the 1998 BCCS Third Party Review.

Although RACF was reasonably well instituted, the Department should:

• Ensure that all IDs are immediately revoked upon an employee’s termination of employment.

• Ensure all RACF profiles clearly identify the person or device assigned to the RACF ID. Shared IDs make it very difficult to establish an appropriate level of accountability. As such, the Department should replace shared functional IDs with individual IDs having appropriate access rights to ensure accountability over the Department’s secured resources.

• Store MVS passwords using the federal government standard for encryption rather than scrambled text.

• Increase the minimum password length and require special characters.

SOFTWARE LICENSING

We reviewed the controls over the procurement and maintenance of software licenses. The Department has enterprise agreements with 12 major software vendors and maintenance agreements with approximately 40 other vendors. Enterprise agreements generally are multiple-year contracts, include many of the vendor’s software packages, allow one license to cover multiple sites, and help maintain a level annual payment with cost savings over time. The Department’s Fiscal Year 1999 projected costs for enterprise agreements is approximately $11.4 million.

Software licenses obtained in the last five years are maintained at the CCF; those obtained prior to that are maintained by the Department’s Contract Administration Division.

We determined that controls over computer software licenses appeared to be generally adequate.

APPLICATION CONTROLS

Application controls are the methods, policies, and procedures adopted by an organization to ensure that all transactions are entered, processed, and reported correctly. Application controls ensure that data being entered, processed, and stored are complete and accurate. They ensure that the output from the computer application is timely and accurate.

Application controls can be grouped into three areas: input, processing, and output. Input controls ensure that the data entered into the system are authorized and accurate. These controls include both manual and computerized techniques. Processing controls are those that are coded into the software program. Manual procedures often supplement the programmed controls to verify that all processing has taken place as intended. Output controls govern the printing and distribution of reports.

The Department has developed several applications for use by State agencies. As part of the Third Party Review we reviewed several of the applications used by multiple State agencies.

The applications reviewed were:

• Accounting Information System;

• Central Payroll System;

• Central Inventory System; and

• Central Time and Attendance System.

 

 

ACCOUNTING INFORMATION SYSTEM

The Accounting Information System (AIS), implemented in 1995, is an online (real-time) and batch system used to process expenditures, obligations, transfers, and vendor invoices and it includes the production of vouchers and schedules. AIS tracks expenditures at the invoice level, through vouchering and posting, and serves as a method of reviewing the status of "work in progress". Although the AIS serves as the front end to the General Accounting System (GAS), transactions are processed inby GAS programs, which is stillcontinue to be the "Book of Record". AIS also has several interfaces with other applications maintained by the Department, in addition to an interface with the Illinois Office of the Comptroller’s Statewide Accounting Management System (SAMS). AIS is currently utilized by 51 agencies; however, one agency uses only the GAS portion of the system (see page 43 for a complete user list).

Transactions entered into the AIS are primarily doneentered online in a real-time environment. However, the system does offer the ability to batch transactions for processing at a later time. Although the AIS staff perform data entry on rare occasions, most data is entered into the system is performed by the user agencies, who harve the responsibileity ofor ensuring the data is correct. To assist in ensuring the data entered has integrity and is accuratecy of data entered is maintained, the AIS has edit checks designed into the system which alert a user to input errors. The errors must be corrected online online before the user can proceedcontinue entering data into the system. The AIS provides supervisor override capability on some functions.; however, Aaccess to this feature areis controlled by the AIS Security Module, in which user agencies use to define security parameterssituations and identify the staffthose authorized to override the specific functions. The AIS also provides several online and batch reports, as indicated in the AIS Reports Manual, that can be used for reconciliation purposes. Optional reports can be ordered online for overnight printing. AIS reports ordered are automatically generated after the transactions are processed and are distributed to the appropriate remote printing location. Security over printed reports areis controlled by users viausing the AIS User Security Record database. Department officials stated there are approximately 55 remote printing locations.

Access to the AIS is controlled using Resource Access Control Facility (RACF), in addition toand AIS’ internal security feature. Users must have a RACF user ID and password to gain access to the operating environment. Once access to the operating environment has been allowed, users must have a separate application user ID and password to gain access to the AIS. AIS application security is used to enforcedistinguish users between two approval levels, bureau and accounting, and to determine which level the user is assigned.: Bureau level users are the primary staff responsible for entering accounting transactions into the system; accounting level users are responsible for approving accounting transactions.

AIS is automatically backed up daily, weekly, and monthly. The daily and weekly backups are stored in the CCF tape librarycomputer room;; the monthly backups are rotated to the CCF’s off-site storage locations.

Per Department officials stated that, no significant changes, with the exception of those due to Year 2000, werehave been made to the AIS during this fiscal yeare past year. However, Department officials stated that additional interfaces and the development of history and help screens are being planned. During this fiscal yeare past year, Department staff have installed Y2K modifications and performed significant Y2K testing and modifications toon the AIS. AIS was modified to enable it to process Year 2000 dates, tested on the Department’s Year 2000 compliant system, and certified Year 2000 compliant. The status of AIS’ Y2K compliance has been communicated to users through the use of numerous AIS bulletins distributed to usersdistributed to users..

We performed tests to ensure the integrity and accuracy of data entered into the system is maintained. Although no significant weaknesses were identified, we found instances in which timestamps and voucher dates were not correct. The Department should review existing edits and add edits where appropriate to ensure all data entered into the system is accurate. For fields that contain information generated by the system, the Department should review the existing programs to ensure the correct data is generated. Although AIS appears to provide reasonable assurance that data integrity and security is maintained, users are responsible for the control and monitoring of their transactions, for proper cut-off schedules, reconciliations, and for matching related documents. Users are also responsible for the preparation, retention, and maintenance of the source documents necessary for an audit trail.

To ensure controls are fully implemented and functional, internal and external auditors performing compliance audits of agencies using the AIS should:

1. Determine whetherEnsure agency personnel are using the available security mechanisms to control access to their data.

2. Regularly review the established RACF user profiles and defined user groups having access to AIS to ensure access authorized is appropriate.

3. Review the effectiveness of critical manual controls, including the retention and maintenance of source documents necessary to maintain an audit trail of transactions.

4. Verify that only accurate and authorized accounting data are entered into AIS. It is the agency’s responsibility to ensure that only properly authorized transactions are entered into the system.

 

 

Department records listed the following agencies as users of the Accounting Information System.

* Agency uses only the GAS portion of the system

CENTRAL PAYROLL SYSTEM

The Central Payroll System (CPS) is an online system which standardizes payroll procedures and processing from both code and non-code State agencies. CPS provides agencies with an accurate and less time consuming semi-monthly payroll process, at a minimal cost.

CPS began production in July 1972 and is currently utilized by 83 agencies (see user list on page 47). The system enables State agencies to maintain automated employee pay records and provides them with payroll documents and a computer file that are submitted to the Illinois Comptroller’s Office for the production of the agencies’ payroll warrants.

CPS users can enter data online or they can request their data be entered by DCMS personnel. It is the goal of the Department to have all agencies enter their data online and currently 76 user agencies do enter their data online.

To gain access to the operating environment, CPS users must have a RACF user ID and password. Users must also have a different application user ID and password to access the system. Each agency is issued a user manual which is updated as needed. No steering committee/user group exists for the Central Payroll System. Department personnel stated that a committee would be established if the need were to arise. As CPS has been a stable system for several years, this appears reasonable.

CPS is automatically backed up daily and weekly. The daily backups and one weekly backup are stored in the CPS Division; four generations of weekly backups are rotated to an off-site storage location.

We reviewed the changes made to the CPS in FY99 and noted that agency officials stated no major changes were installed on the Central Payroll System during the prior year. The system was modified to enable it to process Year 2000 dates, tested on the Bureau’s Year 2000 compliant system, and certified Year 2000 compliant. We selected a sample of CPS data, testing it for appropriateness of the edit checks and reasonableness of the data, noting favorable results. Therefore, based on audit work performed and the Year 2000 certification of the system, we determined that the controls in place provide reasonable assurance that the CPS maintains accurate information in a secure manner.

To ensure that controls are fully implemented and functional, internal and external auditors performing compliance audits at agencies using the Central Payroll System should:

1. Review critical manual controls. Auditors should verify that agency personnel review voucher schedules prepared by the system to ensure the schedules are correct.

2. Review user retention and maintenance of source documents necessary to maintain an audit trail of transactions.

3. Verify the accuracy of gross pay and trace all deductions to properly signed authorizations.

4. Ensure that agency personnel are using the available security mechanisms to control access to their data.

5. Verify that only accurate and authorized data are entered into the Central Payroll System. The input of inaccurate or unauthorized data would result in the production of incorrect or unearned payroll warrants.

6. Review the appropriateness of RACF user profiles of users with access rights to production files to ensure access is limited to those with a need to know and that the access level is appropriate.

 

Department records listed the following agencies as users of the Central Payroll System.

* Agencies that have data entered by DCMS.

The Central Inventory System (CIS), implemented in October 1985, is an online and batch system that allows users to maintain a record of their physical inventory and comply with the Department of Central Management Services’ (CMS’) Property Control Division’s rules of reporting and processing. Transactions (additions of new inventory items, deletions of inventory items being surplused, and updates of existing inventory items) are primarily entered into the CIS online real time, meaning users’ inventory data is updated immediately to reflect the transactions entered. Department officials stated the system does provide the ability to process batched transaction files; however, this capability is restricted to the Departments’ CIS staff for use in assisting agencies in rare instances when an agency has a special project and must enter enormous amounts of transactions.

The system is equipped with online edit checks, which provide the user with immediate notification if errors are encountered during data entry, and processing edit checks which report processing errors online. Error reports are available to CIS staff and to user agencies. The Department generates a Location Balance Report nightly to determine whether transactions were processed correctly. Additional reports are also available to users for reconciliation purposes. Although users must request these reports online, the request is batched for processing at a later time. The CIS is currently utilized by 34 agencies (see user list on page 51).

During April 1998, the Department developed a new Central Inventory System (CIS) and is in the process of migrating users from the old system to the new system. At the time of our review, over 50 percent of the existing users were still on the old system. The new system was tested on the Bureau’s Year 2000 test system; however, at the end of fieldwork it had not been certified as Year 2000 compliant. The old system is not Year 2000 compliant. As such, Department officials stated they plan to continue migrating users to the new system and expect to have this completed during the 2^nd quarter of 1999. The new CIS provides the same processing capabilities as the old system with the addition of four new screens (Voucher Maintenance Screen, Voucher List Screen, Responsibility Maintenance Screen, and Responsibility List Screen) and the modification of the Depreciation Process feature in CIS. Department officials stated they are currently restricting the use of the Depreciation Process to CMS’ Accounting Division; however, it is expected that this feature will be provided to agency users later.

During our review, we noted that the list of users identified by the Department’s CIS staff did not reconcile with the list of users being billed through the Department’s PACE/Kommand Billing System. Upon notification, CIS staff made efforts to notify those agencies that are being billed for CIS usage but have had no CIS activity for some time. The Department should ensure CIS staff regularly reconcile their system user list with the PACE/Kommand billing list and notify billing staff of any discrepancies.

CIS users must have a RACF user ID and password to gain access to the system. In addition, the CIS provides a Common System Password Database security feature used to provide additional security over accessing the CIS. CIS is automatically backed up nightly, for use in recovering from a system failure; the backups are stored in the CCF tape library. In addition, the Department maintains transaction history files for six months prior to archiving. Once archived, the transaction history files are maintained for another two and a half year period. During our review, we noted none of the nightly backups were rotated to the CCF’s off-site storage locations. The Department should ensure CIS backups are routinely stored at the CCF’s off-site storage vault.

We performed tests of data integrity and CIS edits and found no major weaknesses. Although the CIS provides reasonable assurance of accuracy and security, many controls are the responsibility of system users. Internal and external auditors should:

1. Review user retention and maintenance of source documents necessary to maintain an audit trail of transactions.

2. Ensure that agency personnel are using the available security mechanisms to control access authority to their data.

3. Regularly review the RACF user profiles and user groups with access to CIS to ensure access authorized is appropriate.

4. Review their BCCS Utilization Billing Reports to determine if they are appropriately billed for CIS. If the agency determines they are being billed for old CIS data and no longer needs access to the CIS, they should notify the Department to request the old data and access to the system be removed.

 

Department records listed the following agencies as users of the Central Inventory System.

* Agency was being billed but not included on CIS’ active user list.

The Central Time and Attendance System (CTAS) was developed by the Department and is currently utilized by 28 agencies (see user list on page 54) to provide a comprehensive system for recording and managing employee benefit time. CTAS users must have a RACF user ID and password to gain access to the system. In addition, users must have a separate CTAS user ID and password to access the system.

During our testing of the CTAS user list, we identified one agency that was erroneously billed for CTAS usage from October 1998 through February 1999. This was due to an incorrect update to the Bureau’s billing system agency table, from which bills are generated. In addition, we determined Bureau staff do not perform a reconciliation between CTAS users and agencies billed for CTAS usage.

CTAS is automatically backed up daily and weekly. Five generations of backup are kept, four in the CCF’s off-site storage vault and one in the Central Time and Attendance Division. Backups are rotated to off-site storage weekly.

We reviewed the changes made to the CTAS in FY99 and agree with agency officials who stated no major changes were installed on the Central Time and Attendance System during the prior year. The system was modified to enable it to process Year 2000 dates, tested on the Bureau’s Year 2000 compliant system, and certified Year 2000 compliant.

Although the CTAS provides reasonable assurance of accuracy and security, the Bureau should ensure the billing system agency table is correct and reconciles to the CTAS user list.

Many controls are the responsibility of system users. Internal and external auditors should:

1. Ensure that agency personnel are using the available security mechanisms to control access to their data.

2. Verify that only accurate and authorized timekeeping data are entered into the Central Time and Attendance System. It is the agencies’ responsibility to ensure that only properly authorized time and attendance records are entered into the system.

3. Review critical manual controls. Auditors should verify that agency personnel review timekeeping reports prepared by the system to ensure the reports are correct. In addition, auditors should ensure that adequate audit trail documentation is maintained by the user.

4. Confirm the agency is a CTAS user and that the billing amount is reasonable.

Department records listed the following agencies as users of the Central Time and Attendance System.

1. Bureau of the Budget

2. Capital Development Board

3. Department of Agriculture

4. Department of Central Management Services

5. Department of Commerce and Community Affairs

6. Department of Financial Institutions

7. Department of Human Rights

8. Department of Labor

9. Department of Lottery

10. Department of Natural Resources

11. Department of Public Health

12. Department of Revenue

13. Department of Veterans’ Affairs

14. Emergency Management Agency

15. Environmental Protection Agency

16. Guardianship and Advocacy Commission

17. Health Care Cost Containment Council

18. Illinois Criminal Justice Information Authority

19. Illinois Educational Labor Relations Board

20. Illinois Planning Council on Developmental Disabilities

21. Industrial Commission

22. Law Enforcement Training and Standards Board

23. Office of Banks and Real Estate

24. Office of the Attorney General

25. Office of the Governor

26. Office of the State Fire Marshal

27. Property Tax Appeal Board

28. State Police Merit Board

 

 

APPENDIX A

COMPLEMENTARY USER ORGANIZATION CONTROLS

1. Agencies should be preparing for the Year 2000.

User agencies should complete the monthly Year 2000 status reports and submit them to the State Technology Office. In addition, user agencies should continually assess their progress in completing their conversion efforts and develop contingency plans for any systems or applications that will not be Year 2000 ready.

 

2. Disaster contingency plans are needed.

User agencies should:

• Participate in the Department’s annual disaster recovery test if they have a category 1 application;

• Continue to develop and update their disaster contingency plans to ensure the plans meet their current disaster recovery needs;

• Review and prioritize their critical applications, and forward the updated list with supplementary explanations and telecommunication restoration requirements to the Department;

• Notify the Disaster Recovery Coordinator if their "no critical applications" status changes;

• Comply with the Department's recovery requirements, including forwarding critical recovery information to the Department (i.e., updated list of critical applications, thoroughly completed disaster recovery testing forms, and summary memos of testing performed); and conducting disaster recovery tests;

• Conduct disaster recovery tests of all critical applications; and

• Ensure that critical data is backed up and stored off-site.

3. Available security mechanisms should be used.

We recommend that all users use RACF to protect their data and prohibit the sharing of user IDs and passwords. We recommend that user agencies:

• Utilize the capabilities of RACF;

• Formally designate a security coordinator who is segregated from computer operations;

• Review the RACF violation report weekly to monitor attempted accesses to their data;

• Fully utilize the security services, policies, and guidelines offered by the Department;

• Perform periodic reviews of existing RACF profiles to ensure that access rights are appropriate and limited to those with a need to access the information, including ensuring that the universal access authority assigned to catalogs is appropriate.

4. Security over Internet use should be reviewed.

State agencies are responsible for protecting the computer information resident at their location; therefore, each agency should evaluate the security over their Internet connection. Agencies should comply with the Department’s Security Policy and ensure that their Internet use is not placing their internal data, or other agencies’ data residing on the mainframe’s protected environment, at risk. Agencies should ensure their connection configurations have been reviewed and approved by the Department. In addition, agencies should assess their environment to determine whether additional security measures, such as virus detection and encryption, should be installed. Agencies using Windows NT as their server should ensure that the Remote Access Server is set to "disabled" and consider adding filters on their firewall for outgoing messages.

5. Security of VM systems should be reviewed.

Users should confine the use of Multi-Write (MW) to situations where it is absolutely necessary and consider the use of CONTROL rather than ALTER authority to eliminate the use of MW. User agencies should review the listings of VM IDs which have had no activity and take actions necessary to ensure that the Department's VM records reflect only current users. In addition, user agencies should test all their VM NOMAD applications on the "Q" system to ensure they are Y2K ready.

 

6. Bills for computer services should be reviewed.

User agencies should become familiar with the details of the SSRF (Statistical Services Revolving Fund) and CRF (Communications Revolving Fund) billings to ensure that they are being billed for services being used and the proper number of tapes stored in the CCF tape library. User agencies should also review the name and address on all billing and accounts receivable documents to ensure they are accurate and consistent. User agencies should notify the Department of necessary changes and maintain information relating to their terminals, circuits, and controllers.

 

7. Common Systems use should be reviewed.

Auditors of agencies that use the Central Payroll, Central Inventory, Central Time and Attendance, or Accounting Information Systems should review the application control memorandums on pages 41 through 54 of this document. Although no significant deficiencies were noted, internal and external auditors should perform the tasks outlined in the application memorandums.

 

8. The accuracy of agency security lists should be reviewed.

Upon receipt of the security lists, user agencies should verify the lists, make any necessary changes, and return them in a timely manner. Prompt notification ensures the security authorization lists remain accurate, complete, and timely.

 

9. Insurance coverage on computer equipment should be reviewed.

User agencies should review the amount of insurance carried on their computer equipment and update it periodically for equipment purchases and deletions.

 

10. Subsystem security should be reviewed.

Agencies using DB2 should ensure that only the database owner can create a database and that only the DB2 contact person has the "GRANT with GRANT" option.

Agencies using CICS should ensure they appropriately RACF protect their load libraries within their CICS region and distinguish between test and production CICS regions; exercise caution in granting individuals both system administrator and developer permissions; invoke the automatic sign-off feature; and ensure the CICS master terminal is in a secure location.

 

APPENDIX B

1. Administrative Office of the Illinois Courts
2. Board of Higher Education
3. Bureau of the Budget
4. Capital Development Board
5. Chicago State University
6. Civil Service Commission
7. Comprehensive Health Insurance Plan
8. Court of Claims
9. Department on Aging
10. Department of Agriculture
11. Department of Central Management Services
12. Department of Children and Family Services
13. Department of Commerce and Community Affairs
14. Department of Corrections
15. Department of Corrections - Correctional Industries
16. Department of Employment Security
17. Department of Financial Institutions
18. Department of Human Rights
19. Department of Human Services
20. Department of Insurance
21. Department of Labor
22. Department of Lottery
23. Department of Military Affairs
24. Department of Natural Resources
25. Department of Nuclear Safety
26. Department of Professional Regulation
27. Department of Public Aid
28. Department of Public Health
29. Department of Revenue
30. Department of Transportation
31. Department of Veterans’ Affairs
32. Development Finance Authority
33. East St. Louis Financial Advisory Authority
34. Eastern Illinois University
35. Economic and Fiscal Commission
36. Emergency Management Agency
37. Environmental Protection Agency
38. General Assembly (Senate Democratic Staff)
39. General Assembly Retirement System
40. Governors State University
41. Guardianship and Advocacy Commission
42. Health Care Cost Containment Council
43. Historic Preservation Agency
44. House of Representatives
45. House Republican Staff
46. Human Rights Commission
47. Illinois Arts Council
48. Illinois Commerce Commission
49. Illinois Commission on Intergovernmental Cooperation
50. Illinois Community College Board
51. Illinois Criminal Justice Information Authority
52. Illinois Deaf and Hard of Hearing Commission
53. Illinois Educational Labor Relations Board
54. Illinois Mathematics and Science Academy
55. Illinois Planning Council on Developmental Disabilities
56. Illinois Racing Board
57. Illinois State Board of Investment
58. Illinois State Police
59. Illinois State Toll Highway Authority
60. Illinois State University
61. Illinois Student Assistance Commission
62. Industrial Commission
63. Joint Committee on Administrative Rules
64. Judges Retirement System
65. Judicial Inquiry Board
66. Law Enforcement Training and Standards Board
67. Legislative Audit Commission
68. Legislative Information System
69. Legislative Printing Unit
70. Legislative Reference Bureau
71. Legislative Research Unit
72. Legislative Space Needs Commission
73. Liquor Control Commission
74. Medical Center Commission
75. Northern Illinois University
76. Office of Banks and Real Estate
77. Office of the Attorney General
78. Office of the Auditor General
79. Office of the Comptroller
80. Office of the Governor
81. Office of the Lieutenant Governor
82. Office of the State Appellate Defender
83. Office of the State Fire Marshal
84. Office of the Treasurer
85. Pension Laws Commission
86. Pollution Control Board
87. Prairie State 2000 Authority
88. Prisoner Review Board
89. Property Tax Appeal Board
90. Rural Bond Bank
91. Secretary of State
92. Southern Illinois University-Carbondale
93. Southern Illinois University-School of Medicine
94. State and Local Labor Relations Board
95. State Board of Education
96. State Board of Elections
97. State Employees’ Retirement System
98. State Police Merit Board
99. State Universities Civil Service System
100. State Universities Retirement System
101. State’s Attorneys Appellate Prosecutor
102. Teachers’ Retirement System of the State of Illinois
103. University of Illinois
104. Western Illinois University

APPENDIX C