Transportation: Recurring Significant Internal Control Deficiencies
||First Year Reported
|Highway Planning and Construction
||During our audit for fiscal year 2011-12, we reported the information technology controls over logical access to the Caltrans Advantage Financial ERP system (Advantage) were not properly designed. In fiscal year 2012-13, Caltrans took corrective action to correct the deficiencies identified in the 2011-12 audit. However, we found certain other information technology controls over logical access and change management within Advantage were not properly designed and operating effectively. Caltrans uses Advantage as its accounting system and to maintain federal compliance since the system is configured to calculate and submit requests to the Federal Highway Administration (FHWA) for the Highway Planning grant for reimbursement, calculate the State’s share of expenditures (matching), and report expenditures to FHWA for the Highway Planning grant. In fiscal year 2012-13, we noted the following: • Although Caltrans has a policy that requires a quarterly review of Advantage user access and a process to gather responses from managers, the manager responses are not consistently obtained. • Advantage users that are considered administrative in nature, including users with the ability to approve the creation or modification of contracts, are excluded from the quarterly review of user access. The Security Admin team performs this review informally; however, there is no evidence of the review. • The DOT AD group used to manage administrative access to Advantage servers and the workstations used to compile codes for production builds include developers and terminated employees. • We found three instances in which members of the cashiering group had access to the ALL_TABLES admin role, which allows them to maintain all tables in the Advantage application. We also found one instance where an information technology developer changed job positions to an accounts payable clerk but the user’s administrative access was not revoked. These instances increase segregation of duties risk because users have the ability to create contracts, receive goods /services, invoice, and issue payments. • Some system change approvals may be provided verbally and documented after the change implementation date. In addition, change control documentation templates were not consistently utilized and e-mail change approvals were lost due to a mail server outage. • The Unix administration team does not have unique user IDs to implement changes. Failure to implement adequate information technology controls over logical access and change management could result in unallowable costs or inaccurate or incomplete draws, matching and reporting through Advantage.
|Caltrans concurs with the recommendations: 1. Caltrans conducts quarterly Gatekeeper reviews. Previously, access was not removed if no response to the Gatekeeper request was received. Beginning with the January 2014 quarterly Gatekeeper review, Caltrans has changed the process to include follow-up to those Gatekeepers who did not respond. If the Gatekeeper does not respond to the follow-up request, users will be notified that access will be removed if no response to the request is received by a certain date. Documentation to support the quarterly reviews will be maintained. 2. Beginning in February 2014 and every month thereafter, Caltrans Chief of Fiscal Systems Management Branch, Division of Accounting, will review the Advantage users that are considered administrative in nature for appropriate user access. Documentation to support the review will be maintained. 3. Caltrans has had a process in place for granting and removing user access to servers and workstations. Caltrans conducts quarterly Gatekeeper reviews. Previously, access was not removed if no response to the Gatekeeper request was received. Caltrans has changed the process and will remove access if no response to the Gatekeeper request is received. 4. Beginning in February 2014 and every month thereafter, Caltrans Chief of Fiscal Systems Management Branch, Division of Accounting, will review the Advantage Admin Roles to ensure that users are assigned proper Admin Roles based on their job requirements and that proper segregation of duties exists. Documentation to support the monthly reviews will be maintained. The All_Update Role has been removed from the three members of the Cashiering group and they have been assigned the appropriate roles. In addition, the Administrative Role has been removed from the Accounts Payable staff. 5. Caltrans has a change-management policy in place, which includes guidelines. The lack of retained documentation was the result of staff oversight. This policy is distributed to IT staff annually and was last distributed to IT staff on January 13, 2014. Caltrans will conduct quarterly reviews beginning in April 2014 to ensure compliance with the change-management policy and will retain documentation to support system changes. 6. Currently, the Unix administration team does have unique user IDs. Caltrans has a policy in place that requires the root password and on-call staff password be changed on a system when an administrator other than the primary system administrator obtains the root or on-call password. When an administrator receives the system-generated email that the on-call administrator has viewed the password for a system, they will change the root and on-call passwords within one business day, and update the database with the change. Administrators were reminded of the procedures during a staff meeting on February 13, 2014. The current system only allows authorized Operating Systems Support Branch administrators to access the root and on-call passwords for a system.