Item 14.b. Receive Internal Audit Report for the Second Half of FY 2021-22
Page 1 of 4
CENTRAL SAN
CENTRAL CONTRA COSTA SANITARY DISTRICT
July 21, 2022
TO: HONORABLE BOARD OF DIRECTORS
FROM: BENJAMIN JOHNSON, INTERNAL AUDITOR
REVIEWED BY: PHILIP LEIBER, DIRECTOR OF FINANCE AND ADMINISTRATION
ROGER S. BAILEY, GENERAL MANAGER
SUBJECT: RECEIVE INTERNAL AUDIT BIANNUAL FINDINGS REPORT FOR THE
SECOND HALF OF FISCAL YEAR 2021-22
Please see the attached biannual findings report, which reflects the status of the findings identified in the second
half of Fiscal Year 2021-22. The Internal Audit Department was able to partner with management and staff
to close 17 out of the 20 findings reported as of mid-June 2022.
Strategic Plan Tie-In
GOAL THREE: Fiscal Responsibility
Strategy 1—Maintain financial stability and sustainability, Strategy 2—Ensure integrity and transparency in financial
management
ATTACHMENTS:
1. Internal Audit Biannual Findings Report - Close of Q4 FY 2021-22
2. Presentation
July 21, 2022 Regular Board Meeting Agenda Packet- Page 86 of 113 Amended Agenda
Page 2 of 4
Internal Audit Biannual Findings Report - Close of Q4 FY 2021-22
Prepared by: Benjamin Johnson, Internal Auditor

Summary of observations (FY total to date: 20 findings)
General category of observations: Need for documentation of procedures or updates: 4; Segregation of duties: 2; IT-related controls: 13; Automation opportunities: 1
Highlight legend: High Risk; Moderate Risk

Columns of the original table: Finding Title; Report Name; Finding Number; Finding Description; Risk Rating (Residual); Category; Department; Owner; Manager; Report Date; Due Date; Date Closed. Values that could not be read from the scan are marked [illegible].

OPEN

1. Payroll data entry by an employee with [illegible] payroll processing privileges [illegible] reviewed by Finance
   Report: FY 2020-21 Payroll Design-only Review, Finding 3
   Description: HR and Finance do not have the ability to produce detailed reporting within Oracle that provides staff with the ability to perform a robust [illegible] review of the weekly payroll [illegible]; however, it is not subsequently [illegible].
   Residual risk: 3; Category: Segregation of duties; Department: Human Resources; Finance; Owner: O'Malley; [illegible]; Manager: Bailey
   Reported: 09.21.21; Due: HR 08.01.21 (closed); Finance 06.30.22 (original) (partially closed)

2. Policies and procedures
   Report: FY 2021-22 Accounts Payable Audit Report, Finding 1
   Description: Although some documentation exists, policies and procedures surrounding the accounts payable process have not been formalized or regularly updated to reflect Oracle system changes.
   Residual risk: 3; Category: Need for documentation of procedures or updates; Department: Finance; Owner: [illegible]; Manager: Leiber
   Reported: 03.25.22; Due: 07.01.22

3. Physical check payment run
   Report: FY 2021-22 Accounts Payable Audit Report, Finding 2
   Description: Given the strong internal controls in place prior to the County's involvement in the payment process, the County's countersignature process appears duplicative and inefficient.
   Residual risk: 3; Category: Automation opportunities; Department: Finance; Owner: [illegible]; Manager: Leiber
   Reported: 03.25.22; Due: 12.31.23

CLOSED

1. Personnel and payroll privileges in Oracle
   Report: FY 2020-21 Payroll Design-only Review, Finding 2
   Description: Two HR staff have user privileges that allow them to enter new employees into the Human Capital Management (HCM) personnel module as well as edit data in the payroll module.
   Residual risk: 1; Category: Segregation of duties; Department: Human Resources; Owner: O'Malley; Manager: Bailey
   Reported: 09.21.21; Due/Closed: 10.05.21 (original); 10.29.21

2. SP-IA.05 - Access Management
   Report: FY 2021-22 IT Identity and Access Management Review, Finding 2
   Description: The Organization has established a formal process to request access for new employees. However, the new hire form does not formally document who is approving the access for the new employee.
   Residual risk: 2; Category: Need for documentation of procedures or updates; Department: Information Technology; Owner: Chebotarev; Manager: Leiber
   Reported: 09.16.21; Due: 01.15.22; Closed: 01.15.22

3. SP-IA.07 - Access Management
   Report: FY 2021-22 IT Identity and Access Management Review, Finding 3
   Description: [Access is] removed for users in a timely manner for employees. However, [reviewer] identified six (6) accounts belonging to third party users that were enabled and had not logged into the account for the past three (3) years. These accounts had password[s] [illegible].
   Residual risk: 1; Category: IT-related controls; Department: Information Technology; Owner: [illegible]; Manager: Leiber
   Reported: 09.16.21; Due: 01.15.22; Closed: 01.15.22

4. SP-IA.20 - Access Management (App - Office 365)
   Report: FY 2021-22 IT Identity and Access Management Review, Finding 5
   Description: The Organization has not formally performed a review of network access that ensures network access rights are appropriate to all individuals within the Organization.
   Residual risk: 1; Category: IT-related controls; Department: Information Technology; Owner: Hart; Manager: Leiber
   Reported: 09.16.21; Due: 03.28.22; Closed: 03.28.22

5. SP-IA.21 - Access Management (App - Oracle Fusion)
   Report: FY 2021-22 IT Identity and Access Management Review, Finding 6
   Description: The Organization has not formally performed a review of user access within Oracle Fusion to ensure access rights are appropriate to all individuals within the Organization.
   Residual risk: 1; Category: IT-related controls; Department: Information Technology; Owner: Chebotarev; Manager: Leiber
   Reported: 09.16.21; Due: 02.15.22; Closed: 02.15.22

6. SP-IA.23 - Access Management (App - Office 365)
   Report: FY 2021-22 IT Identity and Access Management Review, Finding 8
   Description: The Organization has not formally performed a review of [user access] within Office 365 to ensure access rights are appropriate to all individuals within the Organization.
   Residual risk: 3; Category: IT-related controls; Department: Information Technology; Owner: Hart; Manager: Leiber
   Reported: 09.16.21; Due: 03.28.22; Closed: 03.28.22

7. SP-IA.24 - Access Management (App - Office 365)
   Report: FY 2021-22 IT Identity and Access Management Review, Finding 9
   Description: The Organization currently does not formally review administrator activity on a periodic basis within Office 365.
   Residual risk: 3; Category: IT-related controls; Department: Information Technology; Owner: Hart; Manager: Leiber
   Reported: 09.16.21; Due: 03.28.22; Closed: 03.28.22

8. SP-PS.03 - Physical Security of IT Assets
   Report: FY 2021-22 IT Identity and Access Management Review, Finding 12
   Description: The Organization's data center is locked, and only authorized personnel are able to access the data center. Reports can be [illegible] to ensure all access is appropriate. However, there is currently no formal review of these [reports] being performed on a periodic basis.
   Residual risk: 3; Category: IT-related controls; Department: Information Technology; Owner: [illegible]; Manager: Leiber
   Reported: 09.16.21; Due: 12.15.21; Closed: 12.15.21

9. SP-HR.01 - HR Security
   Report: FY 2021-22 IT Identity and Access Management Review, Finding 14
   Description: The Organization provides acceptable use and security policies to all new hires. However, existing employees and new employees are not required to complete security
   Residual risk: 2; Category: IT-related controls; Department: Information Technology; Owner: Hart; Manager: Leiber
   Reported: 09.16.21; Due: 04.01.22; Closed: 03.30.22

10. SP-EM.02 - Log and Event Management
   Report: FY 2021-22 IT Identity and Access Management Review, Finding 15
   Description: The Organization has alerts generated for suspicious behavior related to the network. However, the alert for
   Residual risk: 3; Category: IT-related controls; Department: Information Technology; Owner: Vega; Hart; Manager: Leiber
   Reported: 09.16.21; Due: 01.15.22; Closed: 01.15.22

11. Policies and procedures
   Report: FY 2020-21 Payroll Design-only Review, Finding 1
   Description: Policies and procedures surrounding the payroll process have not been updated since the [illegible] of the Oracle payroll module.
   Residual risk: 2; Category: Need for documentation of procedures or updates; Department: Human Resources; Owner: O'Malley; Manager: Bailey
   Reported: 09.21.21; Due: [illegible] (original), 03.31.22; Closed: 04.11.22

12. SP-IA.01 - Access Management
   Report: FY 2021-22 IT Identity and Access Management Review, Finding 1
   Description: The Organization has an access management guideline that is distributed to all employees that have network [access]. However, the policy in place does not include [illegible] of segregation of duties, role change procedures, and the use of access checklists. In addition, [reviewer] identified that three (3) of the five (5) new user samples did not have acknowledgment of the access management guideline policy documented.
   Residual risk: 2; Category: Need for documentation of procedures or updates; Department: Information Technology; Owner: [illegible]; Manager: Leiber
   Reported: 09.16.21; Due: 04.30.22; Closed: 04.20.22

13. SP-IA.12 - Access Management
   Report: FY 2021-22 IT Identity and Access Management Review, Finding 4
   Description: Per review of the domain administrative listing, [reviewer] was informed [illegible] identify the purpose of service accounts that have domain administration access along with an annual approval. [Reviewer] identified one (1) user in the administrative listing whose access was [illegible] as inappropriate.
   Residual risk: 2; Category: IT-related controls; Department: Information Technology; Owner: Hart; Manager: Leiber
   Reported: 09.16.21; Due: 04.30.22; Closed: 04.20.22

14. SP-IA.22 - Access Management (App - Oracle Fusion)
   Report: FY 2021-22 IT Identity and Access Management Review, Finding 7
   Description: The Organization currently does not formally review administrator activity on a periodic basis within Oracle Fusion.
   Residual risk: 1; Category: IT-related controls; Department: Information Technology; Owner: Chebotarev; Manager: Leiber
   Reported: 09.16.21; Due: 04.30.22; Closed: 04.20.22

15. SP-PS.05 - Physical Security of IT Assets
   Report: FY 2021-22 IT Identity and Access Management Review, Finding 13
   Description: The Organization currently does not have video surveillance in the data center to ensure entry and [illegible] activity is appropriate.
   Residual risk: 2; Category: IT-related controls; Department: Information Technology; Owner: [illegible]; Manager: Leiber
   Reported: 09.16.21; Due: 12.31.22; Closed: 03.31.22

16. SP-DS.01 - Data Security & Privacy
   Report: FY 2021-22 IT Identity and Access Management Review, Finding 10
   Description: The Organization currently allows users to [access] their personal email accounts within the network. No web content filtering is currently in place to restrict the use of personal email sites.
   Residual risk: 3; Category: IT-related controls; Department: Information Technology; Owner: Chebotarev; Hart; Manager: Leiber
   Reported: 09.16.21; Due: [illegible] (original), 05.31.22; Closed: 05.15.22

17. SP-DS.0[illegible] - Data Security & Privacy
   Report: FY 2021-22 IT Identity and Access Management Review, Finding 11
   Description: The Organization has domain administrator accounts assigned to individuals and only used for administrative purposes. However, the Organization currently allows domain administrators to directly access the internet.
   Residual risk: 3; Category: IT-related controls; Department: Information Technology; Owner: Hart; Manager: Leiber
   Reported: 09.16.21; Due: [illegible] (original), 05.31.22; Closed: 05.25.22
Page 3 of 4
Attachment 2
INTERNAL AUDIT REPORTING FOR THE
SECOND HALF OF FY 2021-22
Board Meeting
July 21, 2022
Benjamin Johnson, Internal Auditor
1
INTERNAL AUDIT BIANNUAL FINDINGS REPORT
FOR THE BOARD
CLOSE of Q4 FY 2021-22
• Cumulative results
• 3 audit reports issued
• FY 2020-21 Payroll Design-only Review
• FY 2021-22 IT Identity and Access Management Review
• FY 2021-22 Accounts Payable Audit Report
• 20 findings reported
• 17 findings are closed including 1 late finding
• Risk rating breakout
• High Risk: 6 findings
• Moderate Risk: 6 findings
• Low Risk: 8 findings
2
Page 4 of 4
INTERNAL AUDIT BIANNUAL FINDINGS REPORT
FOR THE BOARD
CLOSE of Q4 FY 2021-22
• Cumulative results (Continued)
• Observation categories
• Need for documentation of procedures or updates: 4 findings
• Segregation of duties: 2 findings
• IT-related controls: 13 findings
• General process and/or control improvements: No current findings
• Automation opportunities: 1 finding
• Current and future projects
• The FY 2021-22 Miscellaneous Assets Review is complete, and the
final draft of the report is being crafted as of mid-June
• The FY 2021-22 Payroll Operational Audit will begin late-June and
extend into Q1 FY 2022-23
3
INTERNAL AUDIT BIANNUAL FINDINGS REPORT
FOR THE BOARD
CLOSE of Q4 FY 2021-22
• Key takeaways
• Staff have been overwhelmingly responsive to audit reports and
appear to be firmly committed to improving operational processes
• As of mid-June, staff have remediated and closed 17 out of the
20 audit findings reported
• FY 2022-23 audit plan
• Internal Audit is crafting an audit plan for the new fiscal year based
on the Board's/management's concerns and our assessment of risk
related to key operational processes
• The new audit plan will be finalized and presented in Q1 FY 2022-23
4