4.a. Receive Internal Audit Biannual Findings Report for the Second Half of Fiscal Year 2021-22
Item 4.a.
CENTRAL SAN
July 5, 2022
TO: ADMINISTRATION COMMITTEE
FROM: BENJAMIN JOHNSON, INTERNAL AUDITOR
REVIEWED BY: PHILIP LEIBER, DIRECTOR OF FINANCE AND ADMINISTRATION
ROGER S. BAILEY, GENERAL MANAGER
SUBJECT: RECEIVE INTERNAL AUDIT BIANNUAL FINDINGS REPORT FOR THE
SECOND HALF OF FISCAL YEAR 2021-22
Please see the attached biannual findings report, which reflects the status of the findings identified in the second
half of Fiscal Year 2021-22. The Internal Audit Department was able to partner with management and staff
to close 17 out of the 20 findings reported as of mid-June 2022.
Strategic Plan Tie-In
GOAL THREE: Fiscal Responsibility
Strategy 1—Maintain financial stability and sustainability, Strategy 2—Ensure integrity and transparency in financial
management
ATTACHMENTS:
1. Internal Audit Biannual Findings Report - Close of Q4 FY 2021-22
2. Presentation
July 5, 2022 Regular ADMIN Committee Meeting Agenda Packet - Page 4 of 41
Attachment 1
Internal Audit Biannual Findings Report - Close of Q4 FY 2021-22
Current as of: 06.15.22
Prepared by: Benjamin Johnson, Internal Auditor
Risk Rating | Total
1-High Risk | 6
2-Moderate Risk | 6
3-Low Risk | 8
FY Total to Date | 20

General Category of Observations | Total
Need for documentation of procedures or updates | 4
Segregation of duties | 2
IT-related controls | 13
General process and/or control improvements | 0
Automation opportunities | 1

*Highlight Legend (color coding in the original): Past Due; High Risk; Closed
Findings (the original table columns are: Finding Title; Report Name; Observation Number; Finding Description; Risk Rating (Residual); Category; Department; Owner; Executive Manager; Report Date; Due Date; Date Closed)

Open

1. Payroll data review by an employee with no Payroll duties
   Report: FY 2020-21 Payroll Design-only Review, Observation 3
   Finding: HR and Finance do not have the ability to produce detailed reporting within Oracle that provides staff and management the critical data elements necessary to perform a robust accuracy review. Payroll data is manually reviewed for accuracy by HR staff during the bi-weekly Payroll process; however, it is not subsequently reviewed by an employee with no payroll processing responsibilities prior to key processes.
   Risk rating (residual): 1 - High
   Category: Segregation of duties
   Department / Owner / Executive Manager: Human Resources; Finance / O'Malley; Mizuno / Bailey; Leiber
   Report date: 09.21.21
   Due date: HR 09.01.21; Finance [date illegible in source] (Original), 06.30.22 (Extended)
   Date closed: HR 08.01.21 (Closed); Finance 11.12.21 (Partially Closed: changes to the GL are now reviewed by the Finance Manager)

2. Policies and procedures
   Report: FY 2021-22 Accounts Payable Audit Report, Observation 1
   Finding: Although some documentation exists, policies and procedures surrounding the accounts payable process have not been formalized or regularly reviewed/updated to reflect Oracle system changes.
   Risk rating (residual): 3 - Low
   Category: Need for documentation of procedures or updates
   Department / Owner / Executive Manager: Finance / Mizuno / Leiber
   Report date: 03.25.22
   Due date: 07.01.22
   Date closed: (open)

3. Physical check payment run
   Report: FY 2021-22 Accounts Payable Audit Report, Observation 2
   Finding: Given the strong internal controls in place prior to the County's involvement in the payment process, the County's countersignature process appears duplicative and inefficient.
   Risk rating (residual): 3 - Low
   Category: Automation opportunities
   Department / Owner / Executive Manager: Finance / Mizuno / Leiber
   Report date: 03.25.22
   Due date: 12.31.23
   Date closed: (open)

Closed

1. Personnel and Payroll user privileges in Oracle
   Report: FY 2020-21 Payroll Design-only Review, Observation 2
   Finding: Two HR staff have user privileges that allow them to enter new employees into the Human Capital Management (HCM) personnel module as well as edit data in the Payroll module.
   Risk rating (residual): 1 - High
   Category: Segregation of duties
   Department / Owner / Executive Manager: Human Resources / O'Malley / Bailey
   Report date: 09.21.21
   Due date: 09.30.21 (Original), 10.29.21 (Extended)
   Date closed: (not legible in source)

2. SP-IA.05 - Access Management
   Report: FY 2021-22 IT Identity and Access Management Review, Observation 2
   Finding: The Organization has established a formal process to request access for new employees. However, the new hire form does not formally document who is approving the access for the new employee.
   Risk rating (residual): 2 - Moderate
   Category: Need for documentation of procedures or updates
   Department / Owner / Executive Manager: Information Technology / Chebotarev / Leiber
   Report date: 09.16.21
   Due date: 01.15.22
   Date closed: 01.15.22

3. SP-IA.07 - Access Management
   Report: FY 2021-22 IT Identity and Access Management Review, Observation 3
   Finding: The Organization removes accounts for users in a timely manner for employees. However, CLA identified six (6) accounts belonging to third party users that were enabled and had not logged into the account for the past three (3) years. These accounts had 'password expired' enabled.
   Risk rating (residual): 1 - High
   Category: IT-related controls
   Department / Owner / Executive Manager: Information Technology / Hiteshew / Leiber
   Report date: 09.16.21
   Due date: 01.15.22
   Date closed: 01.15.22

4. SP-IA.20 - Access Management (App - Office 365)
   Report: FY 2021-22 IT Identity and Access Management Review, Observation 5
   Finding: The Organization has not formally performed a review of network access that ensures network access rights are appropriate to all individuals within the Organization.
   Risk rating (residual): 1 - High
   Category: IT-related controls
   Department / Owner / Executive Manager: Information Technology / Hart / Wiser
   Report date: 09.16.21
   Due date: 03.28.22
   Date closed: 03.28.22

5. SP-IA.21 - Access Management (App - Oracle Fusion)
   Report: FY 2021-22 IT Identity and Access Management Review, Observation 6
   Finding: The Organization has not formally performed a review of user access within Oracle Fusion to ensure access rights are appropriate to all individuals within the Organization.
   Risk rating (residual): 1 - High
   Category: IT-related controls
   Department / Owner / Executive Manager: Information Technology / Chebotarev / Leiber
   Report date: 09.16.21
   Due date: 02.15.22
   Date closed: 02.15.22

6. SP-IA.23 - Access Management (App - Office 365)
   Report: FY 2021-22 IT Identity and Access Management Review, Observation 8
   Finding: The Organization has not formally performed a review of user access within Office 365 to ensure access rights are appropriate to all individuals within the Organization.
   Risk rating (residual): 3 - Low
   Category: IT-related controls
   Department / Owner / Executive Manager: Information Technology / Hart / Leiber
   Report date: 09.16.21
   Due date: 03.28.22
   Date closed: 03.28.22

7. SP-IA.24 - Access Management (App - Office 365)
   Report: FY 2021-22 IT Identity and Access Management Review, Observation 9
   Finding: The Organization currently does not formally review administrator activity on a periodic basis within Office 365.
   Risk rating (residual): 3 - Low
   Category: IT-related controls
   Department / Owner / Executive Manager: Information Technology / Hart / Leiber
   Report date: 09.16.21
   Due date: 03.28.22
   Date closed: 03.28.22

8. SP-PS.03 - Physical Security of IT Assets
   Report: FY 2021-22 IT Identity and Access Management Review, Observation 12
   Finding: The Organization's data center is locked, and only authorized personnel are able to access the center. Reports can be generated to ensure all access is appropriate. However, there is currently no formal review of these reports being performed on a periodic basis.
   Risk rating (residual): 3 - Low
   Category: IT-related controls
   Department / Owner / Executive Manager: Information Technology / Hiteshew / Leiber
   Report date: 09.16.21
   Due date: 12.15.21
   Date closed: 12.15.21

9. SP-HR.01 - HR Security
   Report: FY 2021-22 IT Identity and Access Management Review, Observation 14
   Finding: The Organization provides acceptable use and security policies to all new hires. However, existing employees and new employees are not required to complete security awareness training.
   Risk rating (residual): 2 - Moderate
   Category: IT-related controls
   Department / Owner / Executive Manager: Information Technology / Hart / Leiber
   Report date: 09.16.21
   Due date: 04.01.22
   Date closed: 03.30.22

10. SD-EM.02 - Log and Event Management
   Report: FY 2021-22 IT Identity and Access Management Review, Observation 15
   Finding: The Organization has alerts generated for suspicious behaviors related to the network. However, the alert for attempts to access disabled accounts is currently not enabled.
   Risk rating (residual): 3 - Low
   Category: IT-related controls
   Department / Owner / Executive Manager: Information Technology / Vega; Hart / Leiber
   Report date: 09.16.21
   Due date: 01.15.22
   Date closed: 01.15.22

11. Policies and procedures
   Report: FY 2020-21 Payroll Design-only Review, Observation 1
   Finding: Policies and procedures surrounding the payroll process have not been updated since the rollout of the Oracle payroll module.
   Risk rating (residual): 2 - Moderate
   Category: Need for documentation of procedures or updates
   Department / Owner / Executive Manager: Human Resources / O'Malley / Bailey
   Report date: 09.21.21
   Due date: [date illegible in source] (Original), 03.31.22 (Extended)
   Date closed: 04.11.22

12. SP-IA.01 - Access Management
   Report: FY 2021-22 IT Identity and Access Management Review, Observation 1
   Finding: The Organization has an access management guideline that is distributed to all employees that have network access. However, the policy in place does not include standards of segregation of duties, role change procedures, and the use of access checklists. In addition, CLA identified that three (3) of the five (5) new user samples did not have acknowledgement of the access management guideline policy documented.
   Risk rating (residual): 2 - Moderate
   Category: Need for documentation of procedures or updates
   Department / Owner / Executive Manager: Information Technology / Hiteshew / Leiber
   Report date: 09.16.21
   Due date: 04.30.22
   Date closed: 04.20.22

13. SP-IA.12 - Access Management
   Report: FY 2021-22 IT Identity and Access Management Review, Observation 4
   Finding: Per review of the domain administrative listing, CLA was informed that no formal documentation is maintained to identify the purpose of service accounts that have domain administration access along with an annual approval. CLA identified one (1) user in the administrative listing whose access was deemed as inappropriate.
   Risk rating (residual): 2 - Moderate
   Category: IT-related controls
   Department / Owner / Executive Manager: Information Technology / Hart / Leiber
   Report date: 09.16.21
   Due date: 04.30.22
   Date closed: 04.20.22

14. SP-IA.22 - Access Management (App - Oracle Fusion)
   Report: FY 2021-22 IT Identity and Access Management Review, Observation 7
   Finding: The Organization currently does not formally review administrator activity on a periodic basis within Oracle Fusion.
   Risk rating (residual): 1 - High
   Category: IT-related controls
   Department / Owner / Executive Manager: Information Technology / Chebotarev / Leiber
   Report date: 09.16.21
   Due date: 04.30.22
   Date closed: 04.20.22

15. SP-PS.05 - Physical Security of IT Assets
   Report: FY 2021-22 IT Identity and Access Management Review, Observation 13
   Finding: The Organization currently does not have video surveillance in the data center to ensure entry and internal activity is appropriate.
   Risk rating (residual): 2 - Moderate
   Category: IT-related controls
   Department / Owner / Executive Manager: Information Technology / Hiteshew / Leiber
   Report date: 09.16.21
   Due date: 12.31.22
   Date closed: 03.31.22

16. SP-DS.01 - Data Security & Privacy
   Report: FY 2021-22 IT Identity and Access Management Review, Observation 10
   Finding: The Organization currently allows users to access their personal email accounts within the network. No web content filtering is currently in place to restrict the use of personal email sites.
   Risk rating (residual): 3 - Low
   Category: IT-related controls
   Department / Owner / Executive Manager: Information Technology / Chebotarev; Hart / Leiber
   Report date: 09.16.21
   Due date: 04.30.22 (Original), 05.31.22 (Extended)
   Date closed: 05.25.22

17. SP-DS.02 - Data Security & Privacy
   Report: FY 2021-22 IT Identity and Access Management Review, Observation 11
   Finding: The Organization has domain administrator accounts assigned to individuals and only used for administrative purposes. However, the Organization currently allows domain administrators to directly access the internet.
   Risk rating (residual): 3 - Low
   Category: IT-related controls
   Department / Owner / Executive Manager: Information Technology / Hart / Leiber
   Report date: 09.16.21
   Due date: 04.30.22 (Original), 05.31.22 (Extended)
   Date closed: 05.25.22
Attachment 2
INTERNAL AUDIT REPORTING FOR THE
SECOND HALF OF FISCAL YEAR 2021-22
Administration Committee Meeting
July 5, 2022
Benjamin Johnson, Internal Auditor
INTERNAL AUDIT BIANNUAL FINDINGS REPORT
FOR THE ADMINISTRATION COMMITTEE
CLOSE OF Q4 FISCAL YEAR (FY) 2021-22
• Cumulative results
• 3 audit reports issued
• FY 2020-21 Payroll Design-only Review
• FY 2021-22 IT Identity and Access Management Review
• FY 2021-22 Accounts Payable Audit Report
• 20 findings reported
• 17 findings are closed including 1 late finding
• Risk rating breakout
• High Risk: 6 findings
• Moderate Risk: 6 findings
• Low Risk: 8 findings
INTERNAL AUDIT BIANNUAL FINDINGS REPORT
FOR THE ADMINISTRATION COMMITTEE
CLOSE of Q4 FY 2021-22
• Cumulative results (Continued)
• Observation categories
• Need for documentation of procedures or updates: 4 findings
• Segregation of duties: 2 findings
• IT-related controls: 13 findings
• General process and/or control improvements: No current findings
• Automation opportunities: 1 finding
• Current and future projects
• The FY 2021-22 Miscellaneous Assets Review is complete, and the
final draft of the report is being crafted as of mid-June
• The FY 2021-22 Payroll Operational Audit will begin late-June and
extend into Q1 FY 2022-23
INTERNAL AUDIT BIANNUAL FINDINGS REPORT
FOR THE ADMINISTRATION COMMITTEE
CLOSE of Q4 FY 2021-22
• Key takeaways
• Staff have been overwhelmingly responsive to audit reports and
appear to be firmly committed to improving operational processes
• As of mid-June, staff have remediated and closed 17 out of the
20 audit findings reported
• FY 2022-23 audit plan
• Internal Audit is crafting an audit plan for the new fiscal year based
on the Board's/management's concerns and our assessment of risk
related to key operational processes
• The new audit plan will be finalized and presented in Q1 FY 2022-23