Second Follow-Up Audit Report On The Data Processing Controls And Procedures Of The Administration For Children’s Services
Audit Report In Brief
This second follow-up audit determined whether the Administration for Children’s Services (ACS) implemented the 14 recommendations made in a previous follow-up audit of ACS’ data processing controls. In this report, we discuss the 14 recommendations from the prior audit in detail, as well as the implementation status of each recommendation.
On June 6, 2003, our office conducted a follow-up audit to determine whether ACS implemented 18 recommendations contained in a previous audit of ACS’ data processing controls and procedures, which was issued on January 9, 2001. The 2003 audit disclosed that ACS only implemented six of the 18 recommendations; three were partially implemented, and nine were not implemented. In addition, the audit disclosed new findings pertaining to weaknesses in access controls over the system. To address these issues, the 2003 report contained 14 recommendations, which included two recommendations to address the new findings.
Audit Findings and Conclusions
Despite assurances from ACS officials that corrective action would be taken to address the issues raised in our two prior audit reports (issued on January 9, 2001, and June 6, 2003), many deficiencies still exist. Such weaknesses, if not addressed, increase the risk of unauthorized system access, business disruptions, misuse of sensitive data, and misappropriation of expensive equipment. Of the 14 recommendations made in the previous follow-up audit, this audit disclosed that ACS implemented five, partially implemented three, and did not implement six. The issues that have not been addressed include: implementing a disaster recovery plan; installing a fire suppression system at the Data Center; maintaining a complete and accurate record of computer hardware and software; ensuring that system passwords are periodically changed; deactivating user IDs of employees who are no longer working for the agency; and developing procedures for reviewing, investigating, and reporting failed login attempts.
To address these issues, this report recommends that ACS should:
- Implement the disaster recovery plan and conduct comprehensive tests of the plan, in accordance with Comptroller’s Directive #18.
- Implement the Cisco Security Agent to reduce the risk of system intrusion.
- Ensure that the Data Center is equipped with an operating fire suppression system, in accordance with Directive #18.
- Develop a complete and accurate list of all of its computer equipment.
- Conduct annual inventory reconciliations and update its computer inventory list accordingly.
- Ensure that its inventory list of computer applications and software contains license numbers, number of licenses held, and names of users who are authorized to use each application.
- Conduct annual inventory reconciliations of all of its software licenses and update the inventory records accordingly.
- Ensure that passwords are changed at predetermined intervals.
- Ensure that user IDs are deactivated in accordance with its procedures.
- Develop and implement procedures for reviewing, investigating, and reporting failed remote logins, in accordance with Directive #18.
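The last three recommendations (password change intervals, deactivation of user IDs for separated employees, and review of failed remote logins) are controls an agency can check mechanically against its own user directory export and remote-access logs. The Python script below is an added example and is not part of the audit report or any ACS system; the account records, the log lines, the 90-day password interval and the three-attempt review threshold are all constructed assumptions chosen to illustrate the checks.

```python
"""Added example (not from the audit report): three access-control checks
run against constructed sample data, one per recommendation above."""
from collections import Counter
from datetime import date
import re

# Constructed user directory export: user ID, account status, date of the
# last password change, and the HR separation date (None if still employed).
ACCOUNTS = [
    {"user_id": "jdoe",   "status": "active",   "pw_changed": date(2024, 1, 10), "separated": None},
    {"user_id": "asmith", "status": "active",   "pw_changed": date(2023, 6, 1),  "separated": date(2023, 12, 15)},
    {"user_id": "bchen",  "status": "disabled", "pw_changed": date(2023, 2, 2),  "separated": date(2023, 3, 1)},
    {"user_id": "mlopez", "status": "active",   "pw_changed": date(2023, 9, 20), "separated": None},
]

# Constructed remote-access log lines in a simplified syslog-like format.
AUTH_LOG = """\
2024-03-01T08:00:01 vpn-gw sshd: Failed password for asmith from 203.0.113.7
2024-03-01T08:00:04 vpn-gw sshd: Failed password for asmith from 203.0.113.7
2024-03-01T08:00:09 vpn-gw sshd: Failed password for asmith from 203.0.113.7
2024-03-01T08:00:15 vpn-gw sshd: Failed password for asmith from 203.0.113.7
2024-03-01T08:01:00 vpn-gw sshd: Accepted password for jdoe from 198.51.100.4
2024-03-01T08:02:30 vpn-gw sshd: Failed password for mlopez from 198.51.100.9
2024-03-01T08:02:45 vpn-gw sshd: Accepted password for mlopez from 198.51.100.9
"""

FAILED_RE = re.compile(r"^(\S+) \S+ sshd: Failed password for (\S+) from (\S+)$")


def separated_but_active(accounts, as_of):
    """User IDs that should already be deactivated: HR records a separation
    date on or before `as_of`, yet the account status is still 'active'."""
    return sorted(
        a["user_id"] for a in accounts
        if a["status"] == "active"
        and a["separated"] is not None
        and a["separated"] <= as_of
    )


def passwords_past_interval(accounts, as_of, max_age_days):
    """Active user IDs whose password is older than the agency's change interval."""
    return sorted(
        a["user_id"] for a in accounts
        if a["status"] == "active" and (as_of - a["pw_changed"]).days > max_age_days
    )


def failed_logins(log_text, threshold):
    """Count failed remote logins per (user, source address) and return the
    pairs at or above `threshold`: the items an analyst reviews and reports."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            _, user, src = m.groups()
            counts[(user, src)] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


def review(as_of=date(2024, 3, 1), max_age_days=90, threshold=3):
    """Run all three checks and return the findings keyed by check name.
    The defaults are assumed values, not figures from the audit report."""
    return {
        "separated_but_active": separated_but_active(ACCOUNTS, as_of),
        "passwords_past_interval": passwords_past_interval(ACCOUNTS, as_of, max_age_days),
        "failed_logins": failed_logins(AUTH_LOG, threshold),
    }


if __name__ == "__main__":
    for check, finding in review().items():
        print(f"{check}: {finding}")
```

On the constructed data, the script reports one separated-but-active account, two active accounts whose passwords exceed the 90-day interval, and one user/source pair with four failed attempts. Each finding maps directly to a recommendation: the first to deactivating user IDs per procedure, the second to changing passwords at predetermined intervals, and the third to the failed-remote-login review that the report asks ACS to document.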