Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

Similar documents
Internal Audit Follow-Up Report. Multiple Use Agreements TxDOT Office of Internal Audit

REPORT 2015/149 INTERNAL AUDIT DIVISION

TxDOT Internal Audit Materials and Testing Audit Department-wide Report

Postal Inspection Service Mail Covers Program

REPORT 2015/010 INTERNAL AUDIT DIVISION

STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA FAYETTEVILLE STATE UNIVERSITY

Making trust evident Reporting on controls at Service Organizations

Aboriginal Affairs and Northern Development Canada. Internal Audit Report Summary. Audit of Information Technology Security.

IT Attestation in the Cloud Era

REPORT 2015/186 INTERNAL AUDIT DIVISION

The Texas A&M University System Internal Audit Department MONTHLY AUDIT REPORT

Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017

SSC Transformation Initiative Fairness Monitoring Services

Audit Considerations Relating to an Entity Using a Service Organization

Understanding and Evaluating Service Organization Controls (SOC) Reports

General Information Technology Controls Follow-up Review

C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers

Information for entity management. April 2018

TAC 202 Requirements 2017

WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT?

ISACA Cincinnati Chapter March Meeting

Public Safety Canada. Audit of the Business Continuity Planning Program

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

Subject: Audit Report 18-84, IT Disaster Recovery, California State University, Sacramento

The Texas A&M University System Internal Audit Department MONTHLY AUDIT REPORT

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Article I - Administrative Bylaws Section IV - Coordinator Assignments

Workday s Robust Privacy Program

Error! No text of specified style in document.

26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC

Request for Proposal (RFP)

MNsure Privacy Program Strategic Plan FY

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

General Information System Controls Review

UNIVERSITY OF NORTH CAROLINA CHARLOTTE

SAS 70 revised. ISAE 3402 will focus on financial reporting control procedures. Compact_ IT Advisory 41. Introduction

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

Texas Lottery Commission Internal Audit. Mailroom Processes. August 30, 2018 Report # An Internal Audit of. Prepared by:

SAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2

Transitioning from SAS 70 to SSAE 16

Any observations not included in this report were discussed with your staff at the informal exit conference and may be subject to follow-up.

Policy for Accrediting Assessment Bodies Operating within the Cradle to Cradle Certified Product Certification Scheme. Version 1.2

Tools & Techniques I: New Internal Auditor

SERVICE DESCRIPTION ISO Lex. Certifications

IS Audit and Assurance Guideline 2001 Audit Charter

Chapter 8: SDLC Reviews and Audit Learning objectives Introduction Role of IS Auditor in SDLC

SOC Reporting / SSAE 18 Update July, 2017

Investigation. City of Edmonton Office of the City Auditor. ETS Workforce Development. January 14, 2019

ADIENT VENDOR SECURITY STANDARD

FSC STANDARD. Standard for Multi-site Certification of Chain of Custody Operations. FSC-STD (Version 1-0) EN

SAS70 Type II Reports Use and Interpretation for SOX

SALARY $ $72.54 Hourly $3, $5, Biweekly $8, $12, Monthly $103, $150, Annually

Information Technology General Control Review

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

Minimum Requirements For The Operation of Management System Certification Bodies

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

PROTERRA CERTIFICATION PROTOCOL V2.2

REVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009

NHS Fife. 2015/16 Audit Computer Service Review Follow Up

Article II - Standards Section V - Continuing Education Requirements

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Office of Internal Audit

NORTH CAROLINA NC MRITE. Nominating Category: Enterprise IT Management Initiatives

DFARS Cyber Rule Considerations For Contractors In 2018

Rules for LNE Certification of Management Systems

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

INFORMATION TECHNOLOGY ( IT ) GOVERNANCE FRAMEWORK

EXAM PREPARATION GUIDE

INTERNAL AUDIT DIVISION REPORT 2017/138

POSITION DESCRIPTION

I n f o r m a t i o n S y s t e m s C y b e r s e c u r i t y A s s e s s m e n t

Maryland Health Care Commission

TX CIO Leadership Journey Texas CIOs Bowden Hight Texas Health and Human Services Commission Tim Jennings Texas Department of Transportation Mark

Chain of Custody Policy. July, 2015

EXAM PREPARATION GUIDE

Figure 1: Summary Status of Actions Recommended in June 2016 Committee Report. Status of Actions Recommended # of Actions Recommended

Streamlined FISMA Compliance For Hosted Information Systems

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

Privacy Breach Policy

IS Audit and Assurance Guideline 2002 Organisational Independence

CASA External Peer Review Program Guidelines. Table of Contents

Request for Qualifications for Audit Services March 25, 2015

COUNTY AUDIT HILLSBOROUGH COUNTY, FLORIDA CONSULTANT COMPETITIVE NEGOTIATION ACT (CCNA) PROCUREMENT PROCESS AUDIT REPORT # 251

Exploring Emerging Cyber Attest Requirements

Auditing in an Automated Environment: Appendix E: System Design, Development, and Maintenance

WECC Internal Controls Evaluation Process WECC Compliance Oversight Effective date: October 15, 2017

NYDFS Cybersecurity Regulations

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

The Internet Society. on behalf of. The IETF Administrative Oversight Committee. Request for Proposal. RFC Editor RFC Format CSS Design

REQUEST FOR PROPOSAL (RFP) TELECOMMUNICATIONS SERVICES

University of Wyoming Mobile Communication Device Policy Effective January 1, 2013

Checklist According to ISO IEC 17024:2012 for Certification Bodies for person

Texas A&M University: Learning Management System General & Application Controls Review

Auditing IT General Controls

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Office of Inspector General Office of Professional Practice Services

Any observations not included in this report were discussed with your staff at the informal exit conference and may be subject to follow-up.

EXAM PREPARATION GUIDE

01.0 Policy Responsibilities and Oversight

Transcription:

Internal Audit Report Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

Objective Review of process controls and service delivery of the TxDOT electronic bidding process. Opinion Based on the audit scope areas reviewed, control mechanisms are effective and substantially address risk factors and exposures considered significant relative to impacting operational execution and compliance. The organization's system of internal controls provides reasonable assurance that most key goals and objectives will be achieved despite significant control gap corrections and improvement opportunities identified. Control gap corrections and improvement opportunities identified are likely to impact the achievement of the organization's business/control objectives, but management has agreed to corrective action plans to address the relevant risks within 6 months. Overall Engagement Assessment Satisfactory Title Finding Control Design Operating Effectiveness Finding 1 Data Security x x Needs Improvement Rating Management concurs with the above finding and prepared management action plans to address deficiencies. Control Environment The TxDOT Construction Division (CST) contracts with a vendor who provides the client interfaces and data warehousing for the Electronic Bidding System (EBS). Although CST management incorporates controls in the electronic bidding process to assist with data entry and accuracy of input, considerable reliance is placed on the vendor to provide a secure environment. CST management assigns roles and responsibilities related to the EBS to assure the integrity and confidentiality throughout the bidding process. Summary Results Finding Scope Area Evidence Utilization by the Construction Division (CST) of the 2010-2013 attestation reports noted the following:: 4 of 4 (100%) annual attestation reports had no evidence of review by CST 1 o 2 of 4 (50%) annual attestation reports (fiscal Electronic Bid: years 2011 and 2012) were not requested for Data Security review by CST Attestation reports are used to help provide assurance of an outside contractor s design and operating effectiveness of IT controls. August 1, 2014 2

Audit Scope The audit focused on the electronic systems supporting the construction and maintenance monthly contract letting process. The systems were reviewed to verify bidders using the electronic processes are verified, data transmission is complete, and stored data is secured. The audit was performed by Omar Elsaad, Patti Drummer, Ike Okoli, and Karin Faltynek (Engagement Lead). The audit was conducted during the period from March 24, 2014 through May 30, 2014. Methodology The methodology used to complete the objectives of this audit included: Reviewing State and Federal laws and standard operating procedures Interviews with key personnel such as the TxDOT letting administrator and letting officials Testing controls in the Electronic Bidding System Reviewing electronic bid transmissions between April 2, 2013 and April 3, 2014 Examining data security environment (i.e., attestation reports of IT controls) of outsourced electronic bid service provider These procedures were applied as necessary to perform the audit fieldwork. Background This report is prepared for the Texas Transportation Commission, TxDOT Administration, and Management. The report presents the results of the Electronic Bidding and Contract Letting Audit which was conducted as part of the Fiscal Year 2014 Audit Plan. Highway construction and maintenance contracts are awarded through a sealed bid process. Electronic bidding, introduced in 2009, allows contractors to submit bids remotely while still in a secure environment. Electronic bids are collected and stored by a third party vendor in an electronic vault. This process provides several advantages to both bidders and TxDOT. Bidders benefit from ease of submission and controls embedded in the electronic process which also verifies completeness of the submitted bids. The review of sealed bids for fiscal year 2013 showed that approximately 81% of bids were submitted electronically. The outsourcing of electronic data storage (i.e., the electronic vault) requires TxDOT to obtain assurance that controls are in place with the vendor to protect the data. Such assurance can be obtained by reviewing the vendor s Statement on Standards for Attestation Engagements (SSAE) 16 reports. We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards and in conformance with the International Standards for the Professional Practice of Internal Auditing. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. Recommendations to mitigate risks identified were provided to management during the engagement to assist in the formulation of the management action plans included in this report. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on August 1, 2014 3

our audit objectives. The Office of Internal Audit transitioned to Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Integrated Framework version 2013 in December 2013. A defined set of control objectives was utilized to focus on operational and compliance goals for the identified scope areas. Our audit opinion is an assessment of the health of the overall control environment based on (1) the effectiveness of the enterprise risk management activities throughout the audit period and (2) the degree to which the defined control objectives were being met. Our audit opinion is not a guarantee against operational sub-optimization or non-compliance, particularly in areas not included in the scope of this audit. August 1, 2014 4

Detailed Findings and Management Action Plans (MAP) Finding No. 1: Data Security Condition The Construction Division (CST) did not utilize a process to verify adequacy of controls for the Electronic Bidding System (EBS) hosting partner. The EBS hosting partner should provide an annual attestation report, otherwise known as an SSAE 16 report, which provides an independent assessment on the design and operating effectiveness of the IT internal controls at the EBS hosting partner (i.e., outside vendor). These reports were not reviewed or always obtained from 2010-2013 to obtain independent assurance that the vendor s controls were adequate. Effect/Potential Impact CST had no assurance the vendor was providing adequate control over confidential bid data. Without the knowledge of any potential control issues being addressed in the SSAE 16 report, mitigating controls may not have been introduced by TxDOT. Additionally, not reviewing the annual attestation report can lead to the following: Reduced data reliability due to potential unaddressed control weaknesses Non-compliance with State requirements for data security assessment Criteria TAC 202.72 Managing Security Risks requires an annual assessment of IT controls that cover high risk operational areas such as high dollar and confidential information TAC 202.25 Information Security Resources Safeguards requires general safeguards to be in place where electronic data is stored Cause A review process was not in place due to the following: The Service Level agreement (SLA) between TxDOT and the EBS hosting partner did not discuss when to request or submit an attestation report CST did not define or assign responsibility to review the annual attestation reports CST does not perform and document a risk assessment of information resources Evidence The annual attestation reports for the last 4 years of the contract (2010-2013) were available to the department; however, the following was noted: 4 of 4 (100%) annual attestation reports had no evidence of review performed by the CST project manager o 2 of 4 (50%) annual attestation reports (fiscal years 2011 and 2012) were not requested from the hosting partner for review by the CST project manager August 1, 2014 5

Management Action Plan (MAP): MAP Owner(s): Roxana Garcia-Zinsmeyer, P.E., Section Director, Construction Division Brian Hohle, Manager, Contract Letting and Contractor Pre-qualification Branch MAP 1.1: The Construction Division (CST) Contract Letting and Contractor Pre-qualification Branch will develop an information resources risk assessment process to identify and classify the potential threats and risks associated with the Electronic Bidding System (EBS) throughout its operation. This process will help identify the appropriate controls for reducing or eliminating risks during operation. The documented risk assessment will, at the minimum, include: Identifying the key processes to achieving our business objectives Identifying the internal and external activities (risks) that will hinder achieving the key processes and their likelihood and impact Identifying the controls (activities) in place to mitigate the identified risks at both: o CST Letting Branch User complementary controls o EBS hosting partner Review SSAE 16 Attestation Report Request assistance from subject matter experts, if necessary Monitor controls for effectiveness and make changes as appropriate Complete this process annually by the end of January for continuous improvement Completion Date: December 15, 2014 MAP 1.2: Update the Service Level Agreement ( SLA ) between TxDOT and Electronic Bidding System (EBS) hosting partner to add as deliverables: Annual submission of SSAE 16 Report prepared by the independent service auditor General IT control activities at the EBS hosting partner that are designed, and in place, to protect and secure the data Define the Record Retention Policy for electronic bids at the EBS hosting partner Completion Date: September 15, 2014 August 1, 2014 6

Observations and Recommendations Audit Observation (a): Continuity Planning The Construction Division (CST) has not documented its process to provide technical support for the contractor desktop application to electronic bidding vendors. This process is exclusive to and performed by one employee who is eligible for retirement. Effect/Potential Impact In the event of a sudden departure of the only current employee providing technical support services to vendors, the agency may temporarily find it difficult to continue providing electronic bidding services and support at an efficient operational level. A reduction in electronic bid support services may force the vendors to use the alternate manual bid option which will require more CST resources to process. Approximately 81% of all submitted bids are now electronic, representing $3.7 billion of contracts let in Fiscal Year 2013. Recommendation To support business continuity, CST should document the technical support services process provided to vendors who bid electronically routinely review the documentation for improvement provide training in the support of the contractor desktop applications to appropriate support personnel assign backup personnel for technical support August 1, 2014 7

Summary Results Based on Enterprise Risk Management Framework Closing Comments The results of this audit were discussed with Construction Division management. We appreciate the assistance and cooperation received from the Construction Division employees contacted during this audit. August 1, 2014 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback