Audit Report on the User Access Controls of the Financial Management System at the Financial Information Services Agency
AUDIT REPORT IN BRIEF
We performed an audit on the user access controls of the Financial Management System (FMS) at the Financial Information Services Agency (FISA). FISA is responsible for data processing operations that support the activities of City personnel and units responsible for organizing, compiling, and coordinating the City’s central financial records, data, and related information and for making appropriate reports. FISA provides authorized access to information stored in FMS. FMS, which was implemented in June 1999, is the City’s centralized accounting and budgeting system, supported by FISA from its mainframe computers. FISA permits personnel access to FMS based on approval by each respective agency.
Currently, some 3,500 users from more than 90 City agencies have access to FMS. FISA handles the processing of new FMS user requests through more than 200 agency FMS security officers who are chosen by their respective agencies.
FISA has adequate controls in place to protect FMS records from unauthorized access. Specifically, FISA:
- Established formal security procedures and included them in its Agency FMS Administration Policies & Procedures statement;
- Maintains electronic and manual hard-copy records for special FMS access requests;
- Requires that agencies designate an FMS security officer and a backup FMS security officer who are familiar with the agency’s mission and how it relates to FMS;
- Requires adequate separation of duties over user access to the different components of FMS;
- Protects against unauthorized access by automatically revoking access to FMS when user identification (ID) codes are used with invalid passwords;
- Revokes the ID codes of users who have not accessed FMS within a 30-day period.
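The two automated controls listed above, invalid-password lockout and 30-day dormancy revocation, are the kind of checks a security administrator would run over account records and authentication events. The following is an added illustration written for this page; it is not FISA's code and says nothing about how FMS implements these controls on its mainframe. The 30-day window is taken from the report; the failed-attempt limit of three and the handling of never-used IDs (measured from the date the ID was created) are assumptions, as are the sample records and events, which are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DORMANCY_DAYS = 30          # stated in the report
FAILED_ATTEMPT_LIMIT = 3    # assumption: the report states no threshold


@dataclass
class UserRecord:
    user_id: str
    created: date
    last_access: Optional[date]  # None means the ID has never been used


# Constructed sample account records (hypothetical user IDs).
USERS = [
    UserRecord("FIN001", date(1999, 6, 1), date(2001, 3, 10)),   # active
    UserRecord("FIN002", date(1999, 6, 1), date(2001, 1, 20)),   # dormant
    UserRecord("FIN003", date(2001, 3, 1), None),                # new, never used
    UserRecord("FIN004", date(2000, 8, 15), None),               # never used, old
]

# Constructed authentication events (user_id, password_valid), in time order.
AUTH_EVENTS = [
    ("FIN001", True),
    ("FIN002", False), ("FIN002", False), ("FIN002", True),   # recovers before limit
    ("FIN004", False), ("FIN004", False), ("FIN004", False),  # reaches limit
    ("FIN001", False),
]


def dormant_ids(users, as_of, days=DORMANCY_DAYS):
    """IDs whose last access (or creation, if never used) is older than the window."""
    cutoff = as_of - timedelta(days=days)
    dormant = set()
    for u in users:
        # Assumption: an ID that has never been used is measured from creation,
        # so a freshly issued ID is not revoked before its holder can log in.
        reference = u.last_access if u.last_access is not None else u.created
        if reference < cutoff:
            dormant.add(u.user_id)
    return dormant


def locked_out_ids(events, limit=FAILED_ATTEMPT_LIMIT):
    """IDs that reach `limit` consecutive invalid-password attempts.

    A valid password resets the counter; once an ID is locked, later events
    for it are ignored, so a correct password does not silently unlock it
    (re-enabling is left to the administrator).
    """
    failures = {}
    locked = set()
    for user_id, password_valid in events:
        if user_id in locked:
            continue
        if password_valid:
            failures[user_id] = 0
            continue
        failures[user_id] = failures.get(user_id, 0) + 1
        if failures[user_id] >= limit:
            locked.add(user_id)
    return locked


def revocation_report(users, events, as_of):
    """Map each ID that should be revoked to the sorted list of reasons."""
    dormant = dormant_ids(users, as_of)
    locked = locked_out_ids(events)
    report = {}
    for u in users:
        reasons = []
        if u.user_id in dormant:
            reasons.append("dormant")
        if u.user_id in locked:
            reasons.append("lockout")
        if reasons:
            report[u.user_id] = reasons
    return report


if __name__ == "__main__":
    for uid, reasons in revocation_report(USERS, AUTH_EVENTS, date(2001, 3, 15)).items():
        print(uid, ", ".join(reasons))
```

The point of separating the two sweeps is that they fail differently: a dormancy sweep depends on the last-access timestamp being recorded for every successful logon, while the lockout counter depends on failed attempts being attributed to the right ID. The auditor's check in each case is to confirm that the input the control relies on is actually being captured.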
However, while FISA maintains electronic and manual hard-copy records of special FMS access requests and the corresponding approvals or rejections, it does not maintain a central log of those requests. In addition, FISA does not provide periodic training to FMS security officers.
To address these issues, FISA should:
- Establish a log to record all requests from agencies for special FMS access rights.
- Provide periodic training to FMS security officers.