My WebLink
|
Help
|
About
|
Sign Out
Home
2010-01-AU Limited Scope Performance Audit of Department of Water Supply's Internal Controls for Cash Handling and Financial IT Systems
PublicDocuments
>
Legislative Auditor
>
Audit Reports
>
County Auditor Reports
>
2010-01-AU Limited Scope Performance Audit of Department of Water Supply's Internal Controls for Cash Handling and Financial IT Systems
Metadata
Thumbnails
Annotations
Entry Properties
Last modified
7/19/2011 3:41:19 PM
Creation date
7/19/2011 1:34:39 PM
Metadata
There are no annotations on this page.
Document management portal powered by Laserfiche WebLink 9 © 1998-2015
Laserfiche.
All rights reserved.
/
70
PDF
Print
Pages to print
Enter page numbers and/or page ranges separated by commas. For example, 1,3,5-12.
After downloading, print the document using a PDF reader (e.g. Adobe Reader).
View images
View plain text
CHAPTER 4: CASH HANDLING SYSTEMS <br />RECOMMENDATION DWS financial IT systems personnel need to develop and <br />implement policies that address adequate physical and application <br />access controls, including transactional level passwords to provide <br />individual audit trails and an automatic lockout mechanism for <br />each Cashier's terminal in order to protect Cashiers as well as <br />hold them accountable for discrepancies in customer payments. <br />DWS management needs to ensure support of and adherence to <br />physical and application access control policies by providing <br />employees with regular training and monitoring control activities. <br />DWS management must also periodically review, assess, and <br />evaluate control processes, policies, and procedures for their <br />continued relevance, effectiveness, and efficiency in safeguarding <br />assets. <br />Criteria. Internal Control Criteria — Information System Audit and <br />Control Association (ISACA) Security Policy. <br />"The main goal of a corporate security policy is to protect data by <br />defining procedures, guidelines and practices for configuring and <br />managing security in the corporate environment. It is imperative <br />that the policy defines the organization's philosophy and <br />requirements for securing information assets. It is also important <br />that the policy outlines how it will apply to corporate employees, <br />processes and environments. Consequences for failed <br />compliance must also be addressed." <br />FINDING Control procedures relating to computer passwords and <br />logins are not consistently formalized in writing or <br />enforced in all offices of the Customer Service Branch. <br />Finance Division managers have not adequately monitored or <br />enforced the use of individual passwords or logins, and Customer <br />Service Branch personnel have even acknowledged the sharing of <br />passwords at one of the District offices. Auditors were told that <br />passwords are being shared for certain logins at one District <br />office, with the District supervisor and staff sharing the password <br />to the Public Utility Billing System (PUBS) in the event personnel <br />are out sick or on vacation. This practice is contrary to the <br />purpose of passwords or logins; that is, the ability to secure <br />system access and provide an audit trail of all activities conducted <br />under assigned passwords or logins. Individual passwords and <br />logins are a fundamental part of data security, monitoring, and <br />control, and are basic to protecting data integrity by reducing the <br />risks of unauthorized access and unauthorized transactions. <br />RECOMMENDATION DWS management needs to enforce standard IT policy against <br />the sharing of passwords and logins, and enforce standard <br />accounting practices for using audit trails to scrutinize system <br />entries when financial discrepancies are detected. In so doing, <br />33 <br />
The URL can be used to link to this page
Your browser does not support the video tag.