Recurring Findings

Education: Recurring Significant Internal Control Deficiencies
Federal Program | Issue | First Year Reported | Department's Assertion | Page Number
Federal Program: Child and Adult Care Food Program
Issue: During our audit for fiscal year 2012-13, we reported that the information technology controls over logical access for Education’s Child Nutrition Information and Payment System (CNIPS) were not properly designed or implemented. We found the same control deficiency in the 2013-14 audit. Education uses CNIPS to calculate reimbursements to its subrecipients based on approved rates and meal counts. This system is critical to federal compliance since it is configured to calculate and submit requests to the U.S. Department of Education for reimbursement. During our audit, we noted the following: (1) Although Education has a process that requires a quarterly review of CNIPS user access and check for terminated employees, it does not have a central monitoring process to ensure managers review active employee permissions; (2) Education does not have a process for identifying potential segregation of duties conflicts on the CNIPS application level. We found two groups with the ability to approve the creation of a site and sponsor, approve the submission of a claim, and move the claim to a claim tracking status. We also found three users who had a state and a local account. Failure to maintain adequate information technology controls over logical access could result in improper reimbursements through CNIPS.
First Year Reported: 2012-13
Department's Assertion: Education accepts the recommendations to strengthen CNIPS information technology general controls over logical access. Education has implemented the following processes to more effectively monitor active employee permissions, as well as identify and correct any potential segregation of duties conflicts within the application: 1. Education began utilizing spreadsheets to track audit inquiries from managers and subject matter experts (SME) in April 2014. The spreadsheets include pertinent information including: (1) dates of audit inquiries; (2) manager/SME response dates; (3) response details; and (4) the names of individuals that did not respond. This centralized tracking system will allow Education to maintain a historical record of security audits and ensure that only authorized employees have CNIPS permissions. Education removed the local account permissions from the users identified by KPMG that have both state and local accounts. To ensure that there were no other active employees with multiple accounts, Education conducted a name-to-name search between state and sponsor accounts; no additional double accounts were found. In addition, under the new procedures, CNIPS will not allow a user to have multiple accounts; 2. To identify potential segregation of duties conflicts within CNIPS, Education has reviewed all security groups to identify and remove state staff permissions based on potential conflicts of interest and business needs for: (1) creating sites and sponsors; (2) approving claim submissions; and (3) changing claim tracking status.
Page Number: 18
Federal Program: National School Lunch Program
Issue: During our audit for fiscal year 2012-13, we reported that the information technology controls over logical access for Education’s Child Nutrition Information and Payment System (CNIPS) were not properly designed or implemented. We found the same control deficiency in the 2013-14 audit. Education uses CNIPS to calculate reimbursements to its subrecipients based on approved rates and meal counts. This system is critical to federal compliance since it is configured to calculate and submit requests to the U.S. Department of Education for reimbursement. During our audit, we noted the following: (1) Although Education has a process that requires a quarterly review of CNIPS user access and check for terminated employees, it does not have a central monitoring process to ensure managers review active employee permissions; (2) Education does not have a process for identifying potential segregation of duties conflicts on the CNIPS application level. We found two groups with the ability to approve the creation of a site and sponsor, approve the submission of a claim, and move the claim to a claim tracking status. We also found three users who had a state and a local account. Failure to maintain adequate information technology controls over logical access could result in improper reimbursements through CNIPS.
First Year Reported: 2012-13
Department's Assertion: Education accepts the recommendations to strengthen CNIPS information technology general controls over logical access. Education has implemented the following processes to more effectively monitor active employee permissions, as well as identify and correct any potential segregation of duties conflicts within the application: 1. Education began utilizing spreadsheets to track audit inquiries from managers and subject matter experts (SME) in April 2014. The spreadsheets include pertinent information including: (1) dates of audit inquiries; (2) manager/SME response dates; (3) response details; and (4) the names of individuals that did not respond. This centralized tracking system will allow Education to maintain a historical record of security audits and ensure that only authorized employees have CNIPS permissions. Education removed the local account permissions from the users identified by KPMG that have both state and local accounts. To ensure that there were no other active employees with multiple accounts, Education conducted a name-to-name search between state and sponsor accounts; no additional double accounts were found. In addition, under the new procedures, CNIPS will not allow a user to have multiple accounts; 2. To identify potential segregation of duties conflicts within CNIPS, Education has reviewed all security groups to identify and remove state staff permissions based on potential conflicts of interest and business needs for: (1) creating sites and sponsors; (2) approving claim submissions; and (3) changing claim tracking status.
Page Number: 18
Federal Program: School Breakfast Program
Issue: During our audit for fiscal year 2012-13, we reported that the information technology controls over logical access for Education’s Child Nutrition Information and Payment System (CNIPS) were not properly designed or implemented. We found the same control deficiency in the 2013-14 audit. Education uses CNIPS to calculate reimbursements to its subrecipients based on approved rates and meal counts. This system is critical to federal compliance since it is configured to calculate and submit requests to the U.S. Department of Education for reimbursement. During our audit, we noted the following: (1) Although Education has a process that requires a quarterly review of CNIPS user access and check for terminated employees, it does not have a central monitoring process to ensure managers review active employee permissions; (2) Education does not have a process for identifying potential segregation of duties conflicts on the CNIPS application level. We found two groups with the ability to approve the creation of a site and sponsor, approve the submission of a claim, and move the claim to a claim tracking status. We also found three users who had a state and a local account. Failure to maintain adequate information technology controls over logical access could result in improper reimbursements through CNIPS.
First Year Reported: 2012-13
Department's Assertion: Education accepts the recommendations to strengthen CNIPS information technology general controls over logical access. Education has implemented the following processes to more effectively monitor active employee permissions, as well as identify and correct any potential segregation of duties conflicts within the application: 1. Education began utilizing spreadsheets to track audit inquiries from managers and subject matter experts (SME) in April 2014. The spreadsheets include pertinent information including: (1) dates of audit inquiries; (2) manager/SME response dates; (3) response details; and (4) the names of individuals that did not respond. This centralized tracking system will allow Education to maintain a historical record of security audits and ensure that only authorized employees have CNIPS permissions. Education removed the local account permissions from the users identified by KPMG that have both state and local accounts. To ensure that there were no other active employees with multiple accounts, Education conducted a name-to-name search between state and sponsor accounts; no additional double accounts were found. In addition, under the new procedures, CNIPS will not allow a user to have multiple accounts; 2. To identify potential segregation of duties conflicts within CNIPS, Education has reviewed all security groups to identify and remove state staff permissions based on potential conflicts of interest and business needs for: (1) creating sites and sponsors; (2) approving claim submissions; and (3) changing claim tracking status.
Page Number: 18
Federal Program: Special Milk Program for Children
Issue: During our audit for fiscal year 2012-13, we reported that the information technology controls over logical access for Education’s Child Nutrition Information and Payment System (CNIPS) were not properly designed or implemented. We found the same control deficiency in the 2013-14 audit. Education uses CNIPS to calculate reimbursements to its subrecipients based on approved rates and meal counts. This system is critical to federal compliance since it is configured to calculate and submit requests to the U.S. Department of Education for reimbursement. During our audit, we noted the following: (1) Although Education has a process that requires a quarterly review of CNIPS user access and check for terminated employees, it does not have a central monitoring process to ensure managers review active employee permissions; (2) Education does not have a process for identifying potential segregation of duties conflicts on the CNIPS application level. We found two groups with the ability to approve the creation of a site and sponsor, approve the submission of a claim, and move the claim to a claim tracking status. We also found three users who had a state and a local account. Failure to maintain adequate information technology controls over logical access could result in improper reimbursements through CNIPS.
First Year Reported: 2012-13
Department's Assertion: Education accepts the recommendations to strengthen CNIPS information technology general controls over logical access. Education has implemented the following processes to more effectively monitor active employee permissions, as well as identify and correct any potential segregation of duties conflicts within the application: 1. Education began utilizing spreadsheets to track audit inquiries from managers and subject matter experts (SME) in April 2014. The spreadsheets include pertinent information including: (1) dates of audit inquiries; (2) manager/SME response dates; (3) response details; and (4) the names of individuals that did not respond. This centralized tracking system will allow Education to maintain a historical record of security audits and ensure that only authorized employees have CNIPS permissions. Education removed the local account permissions from the users identified by KPMG that have both state and local accounts. To ensure that there were no other active employees with multiple accounts, Education conducted a name-to-name search between state and sponsor accounts; no additional double accounts were found. In addition, under the new procedures, CNIPS will not allow a user to have multiple accounts; 2. To identify potential segregation of duties conflicts within CNIPS, Education has reviewed all security groups to identify and remove state staff permissions based on potential conflicts of interest and business needs for: (1) creating sites and sponsors; (2) approving claim submissions; and (3) changing claim tracking status.
Page Number: 18
Federal Program: Summer Food Service Program for Children
Issue: During our audit for fiscal year 2012-13, we reported that the information technology controls over logical access for Education’s Child Nutrition Information and Payment System (CNIPS) were not properly designed or implemented. We found the same control deficiency in the 2013-14 audit. Education uses CNIPS to calculate reimbursements to its subrecipients based on approved rates and meal counts. This system is critical to federal compliance since it is configured to calculate and submit requests to the U.S. Department of Education for reimbursement. During our audit, we noted the following: (1) Although Education has a process that requires a quarterly review of CNIPS user access and check for terminated employees, it does not have a central monitoring process to ensure managers review active employee permissions; (2) Education does not have a process for identifying potential segregation of duties conflicts on the CNIPS application level. We found two groups with the ability to approve the creation of a site and sponsor, approve the submission of a claim, and move the claim to a claim tracking status. We also found three users who had a state and a local account. Failure to maintain adequate information technology controls over logical access could result in improper reimbursements through CNIPS.
First Year Reported: 2012-13
Department's Assertion: Education accepts the recommendations to strengthen CNIPS information technology general controls over logical access. Education has implemented the following processes to more effectively monitor active employee permissions, as well as identify and correct any potential segregation of duties conflicts within the application: 1. Education began utilizing spreadsheets to track audit inquiries from managers and subject matter experts (SME) in April 2014. The spreadsheets include pertinent information including: (1) dates of audit inquiries; (2) manager/SME response dates; (3) response details; and (4) the names of individuals that did not respond. This centralized tracking system will allow Education to maintain a historical record of security audits and ensure that only authorized employees have CNIPS permissions. Education removed the local account permissions from the users identified by KPMG that have both state and local accounts. To ensure that there were no other active employees with multiple accounts, Education conducted a name-to-name search between state and sponsor accounts; no additional double accounts were found. In addition, under the new procedures, CNIPS will not allow a user to have multiple accounts; 2. To identify potential segregation of duties conflicts within CNIPS, Education has reviewed all security groups to identify and remove state staff permissions based on potential conflicts of interest and business needs for: (1) creating sites and sponsors; (2) approving claim submissions; and (3) changing claim tracking status.
Page Number: 18