General Information System Controls Review

Transcription

1 General Information System Controls Review ECHO Application Software used by the Human Services Department, Broward Addiction Recovery Division (BARC) March 11, 2010 Report No Office of the County Auditor Evan A. Lukic, CPA County Auditor

2 Executive Summary This report provides the results of our review of general information system (IS) controls over ECHO application software used by the Human Services Department s (HS) Broward Addiction Recovery Division (BARC). General IS controls are the structure, policies and procedures that apply to an entity s overall computer operations and help ensure their proper operation. Accordingly, our objective was to evaluate general IS controls over the integrity, confidentiality, and availability of the ECHO system and data maintained in ECHO. We identified the following general IS control weaknesses: 1. User access accounts are not maintained in accordance with established HS security policies and best practices for a secure environment. Access controls help ensure computer resources, such as the ECHO system, are protected from unauthorized changes, loss, disclosure or impairment. 2. Automated password control features of the ECHO software were not implemented to enforce criteria set forth in HS IT Security Policy. Password controls are essential to access controls, which help promote user accountability, data integrity and confidentiality. 3. System administrator access is not appropriately restricted to promote system and data integrity. Inadequate separation of incompatible duties increases the risk of compromised system and data integrity. 4. Backup resources to support and maintain ECHO have not been established, increasing the risk of system unavailability. 5. A maintenance agreement is not in place to ensure continued availability of vendor support for the ECHO software. To improve controls over system and data integrity, confidentiality, and availability, we have included specific recommendations to address the control weaknesses identified above. Background Established in 1973, the BARC Division of the Human Services Department provides medical and clinical treatment, substance abuse and nutrition education and support services to Broward County residents and homeless individuals who are chemically dependent and 18 years or older. BARC acquired and implemented ECHO software in 2003 at a cost of $461,482 to automate, track and manage operations. BARC utilizes two ECHO software modules, Clinician Desktop (CDT) and Revenue Manager (RM), for scheduling, tracking, reporting, and management of client demographic and clinical records, authorizations, assessments, treatment plans and outcomes, Office of the County Auditor 2

3 and billing. ECHO also facilitates electronic submission of activity reports to the Department of Children and Families to obtain reimbursement for eligible services. ECHO was developed and is supported by the vendor, The ECHO Group at an annual maintenance cost of $40,628. Maintenance includes upgrades, problem resolution and other support services. Customization and modification services are available from The ECHO Group for additional fees. There is one BARC staff member who is responsible for supporting 155 ECHO users (80% of BARC staff). This individual is also the administrator for security, the underlying database, and operating system. Over the past two years Human Services and BARC have undergone several organizational changes, which have affected staffing of HS Information Technology (IT) roles. During our review, HS IT staff and services were in the process of combining with the County s Enterprise Technology Services Division. Objectives, Scope and Procedures General information system (IS) controls are the policies and procedures that apply to an entity s information systems and help ensure their proper operation. Effective general IS controls help safeguard data, protect software programs, prevent unauthorized access, and ensure continued computer operations in case of unexpected interruptions. 1 Accordingly, our objective was to evaluate general IS controls over the integrity, confidentiality, and availability of the ECHO system and data maintained in ECHO. To accomplish our objective, we: Reviewed applicable HS policies, procedures and forms. Interviewed BARC staff responsible for information system technology. Reviewed internal controls over system access, including system roles, user accounts, and security configuration settings. Reviewed management processes for the support and maintenance of ECHO and the underlying database (SQL). Observed management processes to evaluate compliance with documented policies, procedures, and controls for system access, use, support, maintenance and processing. 1 Federal Information System Controls Audit Manual: Volume I Financial Statement Audits. United States Government Accountability Office, GAO/AIMD January Office of the County Auditor 3

4 In the performance of our review, we referenced criteria from Control Objectives for Information and related Technology (COBIT) published by the Information System Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). COBIT provides generally applicable and accepted measures, indicators, processes and best practices to assist organizations in the sound use and management of information technology. Findings and Recommendations Finding 1 User access accounts are not maintained in accordance with established HS security policies and best practices for a secure environment. Access controls should provide reasonable assurance that computer resources, such as the ECHO system, are protected from unauthorized changes, loss, disclosure or impairment. Inadequate access controls diminish the reliability of data and increase the risk of destruction or inappropriate disclosure of data. Although Human Services IT Security Policy includes criteria for creating and maintaining user ID's and profiles; the stated policy is not being effectively followed. Our review of internal controls over access to ECHO revealed the following: A periodic and comprehensive review of ECHO access accounts has not been performed to ensure continued effectiveness of account restrictions. In reviewing the 160 ECHO user accounts in conjunction with HS IT staff, HS IT staff identified 16 accounts which required removal of some or all of the user s access, due to changes in employee status. User accounts were created without evidence of a request form and/or proper authorization for access. In our review of twenty user accounts added since January 2008, only 8 out of 20 user accounts were supported by a user access form. Further, only 2 out of the 8 user access forms were properly authorized by a supervisor. Best practices 2 for user account management suggest the following processes be established for effective internal controls over access to systems: Periodic management review of all accounts and related privileges to ensure removal or reallocation of system rights upon change in employee status. Formal user account management procedures for requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges (profiles). An approval procedure which outlines the data or system owner responsibilities for granting access privileges. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. 2 Control Objectives for Information and related Technology (COBIT) section 4.1 Deliver and Support section 5.4 Office of the County Auditor 4

5 User acknowledgement of rights and obligations relative to access. Recommendation: To ensure effective access security controls, we recommend the Board of County Commissioners direct the County Administrator, within ninety days, to: 1. Comply with the HS security policy and best practices for access controls by implementing the following controls: Requiring completed, authorized access request forms prior to granting or modifying access to ECHO. Timely action on requested changes to users access: new, expand, reduce, suspend and revoke. Retention of access authorization forms to enable periodic review of ECHO accounts for compliance with HS authorized access permissions. Automated account lock-out features for dormant accounts (e.g., accounts that do not login after a specified period of time). 2. Revise the existing user access procedures to define management s responsibility for requesting, approving and granting access to ECHO for all classes of users Finding 2 Automated password control features of the ECHO software were not implemented to enforce criteria set forth in HS IT Security Policy. User IDs in conjunction with corresponding passwords are a fundamental control over access to systems. Effective access controls help promote user accountability, data integrity and confidentiality. To ensure effective access controls, best practices recommend that organizations establish a password policy. HS s IT Security Policy establishes the following password criteria, which meets suggested best practices for a secure environment: May not contain any part of the user's account name. Must be least 8 alpha-numeric characters long. Only 5 failed attempts will be allowed before account is locked. A user will not be allowed to reuse the password for 15 consecutive change cycles. While ECHO access requires a valid account and corresponding password, ECHO does not automatically enforce the password criteria from the HS IT Security Policy. HS staff report that password security features are available, but they were not configured during ECHO implementation. Office of the County Auditor 5

6 Since the stated password criteria are not being enforced, either manually or automatically, the effectiveness of access controls is diminished. Recommendation: 3. To ensure effective access control over user accountability, data integrity and confidentiality, we recommend the Board of County Commissioners direct the County Administrator to evaluate and report on the feasibility of implementing automated password control features for the ECHO application, within ninety days of adoption. Finding 3 System administrator access is not appropriately restricted to promote system and data integrity According to best practices for internal controls over systems, work responsibilities should be separated so that one individual does not control all stages of a critical process. For example, the ability to maintain or update software and databases should not be paired with access to the application, or the ability to administer application security. Inadequate separation of incompatible duties provides the administrator with the access to perform and conceal improper activities. As the sole IT staff for ECHO support, the IT Manager is responsible for system maintenance, processing, user support, and security administration. Upon review of ECHO account privileges we found that the IT Manager had unmonitored, unrestricted access to 17 out of 18 available ECHO privileges (profiles). In addition to ECHO application access, the IT Manager has powerful administrator access to the ECHO database and server. The size of the HS IT function does not allow appropriate separation of responsibilities for maintaining software/databases and providing user support. Access controls could be improved by the removal of ECHO sign-on accounts from core IT staff and adoption of system activity monitoring procedures. Recommendation: To mitigate the exposure of inadequate separation of conflicting responsibilities, we recommend the Board of County Commissioners direct the County Administrator to (within ninety days of adoption): 4. Remove transaction responsibilities from IT staff. The IT Manager should not be assigned to input, adjust, or void transaction data in ECHO. 5. Require supervisors (other than the IT Manager) to monitor daily transactions and reconcile system reports of BARC activity to source documents. 6. Request ETS to perform a routine review of the database and Microsoft server configurations to ensure HS is maintaining the ECHO infrastructure in compliance with established County standards for operations and security. Office of the County Auditor 6

7 Finding 4 Backup resources to support and maintain ECHO have not been established, increasing the risk of system unavailability One individual has supported ECHO since the 2003 implementation. No other staff member has been trained to fulfill the role of application support. BARCs' reliance on one individual to support ECHO increases the risk of system unavailability. Should ECHO become unavailable and ECHO support staff not be accessible, recovery and ongoing problem resolution would be hampered. Recommendation: To mitigate the exposure to system unavailability, we recommend the Board of County Commissioners direct the County Administrator to (within ninety days of adoption): 7. Identify and train a backup resource for the BARC IT Manager. 8. Maintain ECHO system and database documentation as systems updates/upgrades are implemented, to facilitate backup administration, support and maintenance of ECHO. Finding 5 A maintenance agreement is not in place to ensure continued availability of vendor support for the ECHO software. In lieu of a software maintenance agreement, BARC paid vendor invoices for annual software maintenance using the direct payment voucher process. The amount paid for annual maintenance in 2009 was $40,628. This practice does not comply with established internal controls 3 for vendor payments, and exposes BARC to a potential loss of vendor support. Without a software maintenance agreement, there is no contractual obligation from the vendor to continue to support and maintain ECHO. The vendor has submitted an agreement renewal form letter each year; however, BARC staff did not negotiate the terms of the agreement and the agreement was not executed. Without an effective support agreement, BARC has no recourse from the vendor for non-performance or protection provided under the standard terms of a properly executed software maintenance agreement. Recommendation: To ensure compliance with the County's Administrative Code and provide for continued maintenance/support of ECHO, we recommend the Board of County Commissioners direct the County Administrator, within ninety days, to: 9. Re-evaluate vendor supplied support terms and process maintenance agreements and payments as required by Administrative Code, purchasing ordinance and Broward County procedures. 3 Volume 6, Accounting, Payroll & Tangible Property Procedures, Chapter 3, Payment Process, Section II. Documentation Required for Payment Section IV. Payment Requests Direct Voucher Payment Office of the County Auditor 7