Energov - City Clerk Department 7-28-17

MIAMI BEACH

MEMORANDUM

City of Miami Beach, 1700 Convention Center Drive, Miami Beach, Florida 33139, www.miamibeachfl.gov
Office of Internal Audit
Tel: 305-673-7020

TO: Rafael Granado, City Clerk
VIA: James Sutter, Internal Auditor
FROM: Fidel Miranda
DATE: July 28, 2017
SUBJECT: Assessment of Access rights for EnerGov User Roles (City Clerk/Special Master)

Meetings were held with you and/or members of your team on May 12, 2017 to review and assess risks associated with created EnerGov user roles, and the corresponding access rights and privileges granted by the Information Technology (I.T.) Department. The focus of our review was to identify instances whereby created user roles and/or corresponding system accesses granted could have an adverse impact on segregation of duties and/or internal controls.

During our review, we identified the following user role that was created to grant access to department users:

• Clerk Spec Master User (4 users assigned)

Only one user role can be assigned to each user / staff member; however, all users / staff members assigned under a user role will share the same system access and privileges, without exception. In other words, department users have a one-to-one relationship with user roles, while user roles have a one-to-many relationship with department users.

After looking at the access rights and privileges provided to EnerGov users under the only user role created for your department, it was noted that the following items are in need of further consideration, which have been highlighted on the User Role Access Report submitted along with this memo for your review and further reference:

1. Users under the "Clerk Spec Master User" User Role were granted, among other rights, the following:

   a) The ability to adjust fees (AllowAdjustFees)
   b) The ability to delete attachments to the file (AllowDeleteAttachment)
   c) The ability to delete fees (AllowDeleteFees)
   d) The ability to void invoices (AllowVoidInvoices)
   e) The ability to skip, approve, and create steps and actions in workflow (AllowWorkflowManagement)
   f) The ability to create, delete, alter, approve, etcetera, workflows (WorkFlowAdministrator)

Because of the small size of the department, all staff supporting the Special Master function have to have the same access, as they all have to substitute for one another at some point (Example: When other team members are on vacation). However, this poses a greater risk, since there is minimal segregation of responsibilities to provide for better internal controls. In addition, the department should consider implementing continuous monitoring by independent staff of fee deletions, adjustments, and voided invoices, as frequently as possible. To facilitate this review, an "Exceptions Report" has been created to help identify all instances where any of these actions took place, so that their validity can be reviewed or questioned, as needed.

For this department, Internal Audit recommends properly aligning the workflows created to the business processes and rules already in practice within the department, as supported through Standard Operating Procedures. This will allow the creation of relevant workflows that remove the need for any user to have access to change and/or skip any steps and/or actions of a process. The rights to manage and/or administer workflows should be maintained at a system administrator level and not by users of the system.

Along with this memo are the rights and privileges assigned to each of the user roles created in EnerGov for your department. Please review them carefully and certify your agreement by signing and returning the enclosed "EnerGov User Roles and Access Rights Certification" form to Internal Audit.

F:\OBPI\$AUD\INTERNAL AUDIT FILES\DOC16-17\PC WORK\EnerGov Roles & Rights\Clerk -7-20-17\Audit Memo-Energov Roles and Rights City Clerk.docx

cc: Mark Taxis, Assistant City Manager
    John Woodruff, Chief Finance Officer
    Ariel Sosa, Director - Information Technology Department

EnerGov User Roles and Access Rights Certification

Date: ______________

Department / Division: ______________

I, (First, Last Name) ______________, (Title) ______________, hereby certify that I have reviewed and am fully aware of the EnerGov user roles created for our department and the corresponding access rights and privileges assigned. I further represent that our department will make every effort to establish sound business rules and processes to mitigate any risks associated with the roles and rights granted to us, as EnerGov users. Such business rules and processes will help to establish and/or maintain effective internal controls, both in design and operation.

(Signature) ______________