YELLOW SHEET

Office of the State Auditor of Missouri
Claire McCaskill


October 23, 2003

Report No. 2003-108

Comprehensive continuity planning framework and security controls should be established for state’s accounting system 

This audit reviewed the Office of Administration’s (OA) management of the state’s accounting system (SAM II) as it relates to plans for handling business continuity and information technology recovery should a disaster or other disruptive event occur. SAM II is the state government’s integrated financial management, human resource and payroll system, which processed approximately $25 billion in expenditure and transfer transactions in fiscal year 2003. The following highlights the findings:

Recommended controls not implemented 

Many suggested controls described by the SAM II software vendor in a 1998 report were not implemented.  Implementing these controls would have prevented almost half of the recovery and security weaknesses noted in this report.  (See page 3) 

Plans and training needed for resuming critical business operations and system processing 

The OA has not identified critical resources necessary to operate the SAM II system, established an alternate offsite facility for the continuation of normal business operations or documented how manual processing of transactions will be performed if the SAM II system is not available.  Auditors found that OA does not have an emergency management team to develop strategies for recovery support across all business functions.  Such a team would activate continuity plans and coordinate recovery activities.  In addition, SAM II and OA personnel are not trained on all aspects of their specific roles and responsibilities relating to recovery procedures.  (See pages 4 and 5) 

Some security controls need to be addressed 

The OA cannot adequately protect the integrity, confidentiality and availability of data, which may result in unauthorized use or modification to sensitive information.  Current management practices do not have sufficient controls for monitoring computer access or application administrator user rights.  In addition, management practices do not adequately segregate duties related to system changes, sufficiently monitor access and security violations or ensure the integrity of system users.  (See page 9) 

Background checks for system users may be necessary 

SAM II management does not require background checks on state employees using the SAM II system. High-level background checks, conducted by the Missouri State Highway Patrol at our request on over 7,000 SAM II users, identified 146 system users with one or more criminal records. Forty-six of the individual offenses for these users involved potential financial-related issues such as theft, robbery, fraud, etc. (See page 12)

Missouri State Auditor's Office