Commonwealth of Virginia Single Audit Report for the Year Ended ...

More documents

Recommendations

Info

FINANCIAL STATEMENT FINDINGS ACCESS MANAGEMENT 11-01: Perform VATS and VABS System Access Review Applicable to: Virginia Employment Commission The Employment Commission did not review user access for the Virginia Automated Benefit System (VABS) and the Virginia Automated Tax System (VATS) as required by their policies and procedures. The Information Security Officer and management are required to annually review user access for critical information systems, but this review has not been performed since May 2010. The Information Security Officer at the Employment Commission should ensure that management performs annual reviews of VATS and VABS access as required by their policies and procedures. Employees having access that they do not need to complete their job duties increases the risk that fraudulent activities could occur. Management Plan for Corrective Action for Information Technology In January 2012, Virginia Employment Commission’s Security Officer will begin working with managers in performing the annual review of VATS and VABS access. This should be finalized by March 2012. This complete access verification process should be automated by the end of 2012. Responsible Party: Linda Belflower, Information Technology Director Estimated Completion Date: March 31, 2012 11-02: Improve System Access Controls Applicable to: Department of Motor Vehicles Motor Vehicles employees have access and capabilities in the Oracle Financial Systems beyond the scope of their current job responsibilities, thereby increasing Motor Vehicles’ risk to potential inappropriate or fraudulent activity occurring and going undetected. Although Motor Vehicles reviews semi-annually that user access agrees with the documents that originally requested access, this review does not consider any changes in an employee’s job functions which did not result in a user access change request, but could impact the appropriateness of the employee’s access privileges. When granting access, Motor Vehicles should follow the principle of least privilege for access to key systems. Employees should only have those assigned privileges that are essential for their job performance. In the circumstance where management grants temporary access, management should immediately eliminate this access once the employee no longer needs this access. Excessive and/or conflicting system access increases the risk that fraudulent transactions could occur; regardless of what the employee’s job responsibilities entail or the fact that the systems are logging their transactions. 9
We further recommend that Motor Vehicles expands its user access monitoring process to include consideration of current job responsibilities against current access privileges in addition to currently authorized access privileges. Management Plan for Corrective Action for Department of Motor Vehicles DMV will implement a more detailed Oracle access review process. The new process will be performed every 6 months and will require supervisors to document their approval for each individual’s system responsibility thereby ensuring that the responsibility is in line with their EWP. Responsible Party: John Gruber, DMV FAR Director Jeff Ryan, DMV Assistant Commissioner for Finance Estimated Completion Date: June 1, 2012 11-03: Improve System Access Management Applicable to: Department of Behavioral Health and Developmental Services During our review of access management at BHDS, we noted three areas in need of improvement. Granting Capabilities Management has not educated its system security officers on which system capabilities they should not combine because together they eliminate an internal control. We noted 32 instances where an employee was granted both entry and approval capabilities within the agency’s accounts payable ledger. We also noted two employees with financial capabilities across multiple ledgers that could also change their abilities within the system. Management should limit these capabilities to maintain proper separation of duties. The data owners should document and provide the system security officers with the user capabilities that when combined would compromise internal control within critical systems. The Security Officer in the central office should ensure system security officers do not combine incompatible roles and grant individuals these roles across the agency’s information systems. Access Monitoring The Security Officer for the agency’s financial system does not perform regular system access reviews. The Security Officer for the financial system relies on regional security officers to ensure that access to the system is reasonable and current and does not review users’ capabilities in the system. The Security Officer should work with the BHDS’ Internal Audit Director to develop regular access reviews for the agency’s financial management system and other critical systems. Security Officers should periodically review user capabilities for critical systems to ensure that users do not have capabilities that allow them to circumvent internal controls. 10
Page 1 and 2: COMMONWEALTH OF VIRGINIA SINGLE AUD
Page 3 and 4: - T A B L E O F C O N T E N T S - P
Page 5 and 6: INDEPENDENT AUDITOR’S REPORT ON I
Page 7 and 8: REPORT ON COMPLIANCE WITH REQUIREME
Page 9 and 10: prepare the financial statements. T
Page 11: 84.318, 84.386 Educational Technolo
Page 15 and 16: Not including the specific access o
Page 17 and 18: ABC is required by the Commonwealth
Page 19 and 20: We recommend that Motor Vehicles de
Page 21 and 22: Management Plan for Corrective Acti
Page 25 and 26: 11-10: Improve Information Security
Page 27 and 28: We recommend that DMV dedicate the
Page 29 and 30: 11-14: Improve Microsoft SQL Server
Page 31 and 32: 11-16: Refine Estimates and Report
Page 35 and 36: ecord of the individuals receiving
Page 37 and 38: We recommend that Social Services d
Page 39 and 40: alternative solutions with the Depa
Page 41 and 42: U.S. DEPARTMENT OF EDUCATION 11-23:
Page 49 and 50: COMMONWEALTH OF VIRGINIA Resolution
Page 55 and 56: COMMONWEALTH OF VIRGINIA Schedule o
Page 63 and 64:
COMMONWEALTH OF VIRGINIA Schedule o
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
is classified as direct expenditure
Page 125 and 126:
Federal Department Detail Amount Ex
Page 127 and 128:
$205,061 are not included in the ac
Page 129 and 130:
financial assistance will be reflec
Page 131 and 132:
CFDA # Federal Program Name Amount
Page 133 and 134:
Page 135 and 136:
Page 137:
COMMONWEALTH OF VIRGINIA CONTACT LI
show all

Commonwealth of Virginia Single Audit Report for the Year Ended ...

Create successful ePaper yourself

Delete template?

Save as template?