EnerGov - Parking Department 7-26-17

MIAMI BEACH
MEMORANDUM
City of Miami Beach, 1700 Convention Center Drive, Miami Beach, Florida 33139, www.miamibeachfl.gov
Office of Internal Audit
Tel: 305-673-7020

TO: Saul Frances, Parking Director
VIA: James Sutter, Internal Auditor
FROM: Fidel Miranda
DATE: July 26, 2017
SUBJECT: Assessment of Access Rights for EnerGov User Roles (Parking Department)

Meetings were held with you and/or members of your team on April 27, 2017 and May 04, 2017 to review and assess the risks associated with the EnerGov user roles that have been created, and the corresponding access rights and privileges granted by the Information Technology (I.T.) Department. The focus of our review was to identify instances in which the user roles created and/or the corresponding system accesses granted could have an adverse impact on segregation of duties and/or internal controls.

During our review, we identified the following four (4) EnerGov user roles that were created to grant access to department users:

• Parking Management - (3 users assigned)
• Parking Dispatch - (18 users assigned)
• Parking Space Rental Grp - (5 users assigned)
• Parking CPMP - (3 users assigned)

Only one user role can be assigned to each user / staff member; however, all users / staff members assigned under a user role share the same system access and privileges, without exception. In other words, department users have a one-to-one relationship with user roles, while user roles have a one-to-many relationship with department users.

After reviewing the access rights and privileges provided to EnerGov users under each of the four (4) user roles created, we noted that the following items need further consideration. They have been highlighted on the User Role Access Report submitted along with this memo for your review and further reference:

1. Users under the "Parking Space Rental Grp" user role were granted, among other rights, the ability to manage workflow ("AllowWorkflowManagement").
This right allows users to bypass steps or actions in the workflow for a particular record. Although a report can be generated to identify all instances in which a workflow step was bypassed, continuous monitoring would be required to proactively detect any incident(s) in which a step or an action is skipped or approved through the workflow. Best practice would be to review the current business processes and map them out, so that creating the workflow is easier and each required step or action is given the adequate hierarchy in the workflow, thereby removing the need to allow any user role access to manage the workflow. Workflow management should be a procedural control and not an operational option. Consequently, Internal Audit recommends ensuring that workflows are created to reflect the processes of the department and, once properly set up, only system administrator level users should have access to manage or administer workflows. Workflows should be the result of Standard Operating Procedures and established business rules within the department.

Page 1 of 3

INTERNAL AUDIT MEMORANDUM
Assessment of Access Rights for EnerGov User Roles
July 26, 2016

2. Users under the "Parking Space Rental Grp" user role were granted access to delete fees. In this particular case, department personnel stated that it was needed to delete administrative fees that would be automatically generated in invoices where more than one parking space rental permit (multiple locations) was being processed. Because fee deletion should be avoided whenever possible, Internal Audit recommends reviewing the City Code, which establishes the requirement to assess the administrative fee for parking space rental permits, to better define whether a rental request is supposed to be set by location and/or by permit. If so, then fees are being charged accordingly and there is no need to delete or even adjust these fees.
This is more in line with the level of effort administratively required to create the paperwork and post the reserved parking spaces. However, if a rental request is not required by location, meaning that anyone can request a number of spaces in different locations as long as this is done once, then a custom fee should be created in the system to accommodate this need. Alternatively, continuous monitoring of the exceptions report of all fees deleted should be performed periodically by a designated departmental employee independent of this user group, in order to detect and question, if necessary, any fee deletions captured on the report. It is important that any action taken in this particular case maintains consistency between the policy set through the City Code, the business decisions and rules made by the department, and the Standard Operating Procedures approved and implemented.

Along with this memo are the rights and privileges assigned to each of the user roles created in EnerGov for your department. Please review them and certify your agreement by signing and returning the enclosed "EnerGov User Roles and Access Rights Certification" form to Internal Audit.

F:\OBPl\$AUD\INTERNAL AUDIT FILES\DOC16-17\PC WORK\EnerGov Roles & Rights\Clerk -7-20-17\Audit Memo EnerGov Roles and Rights -Parking Department.docx

cc: Kathie G. Brooks, Assistant City Manager
    Mark Taxis, Assistant City Manager
    John Woodruff, Chief Finance Officer
    Ariel Sosa, Director - Information Technology Department

EnerGov User Roles and Access Rights Certification

Date: ______________

Department / Division: ______________________

I, ______________, hereby certify that I have reviewed and am fully aware of the EnerGov user roles created for our department and the corresponding access rights and privileges assigned.
I further represent that our department will make every effort to establish sound business rules and processes to mitigate any risks associated with the roles and rights granted to us as EnerGov users. Such business rules and processes will help to establish and/or maintain effective internal controls, both in design and operation.

____________________
(Signature)
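The role review the memo calls for, as an added example that is not part of the memo or of EnerGov: it checks a constructed user role access report for the one-role-per-user rule the memo states, lists which users hold the two rights raised in findings 1 and 2, and checks that the designated reviewer of the fee-deletion exceptions report is independent of that user group. The report layout, the right name "DeleteFees", and the user names are assumptions; only "AllowWorkflowManagement" and the four role names come from the memo.

```python
"""Added example (not EnerGov code): review a role access report for the memo's
findings. Report shape, rights other than AllowWorkflowManagement, and users are constructed."""
import csv
import io
from collections import defaultdict

# Finding 1 names AllowWorkflowManagement; the fee-deletion right name is assumed.
SENSITIVE_RIGHTS = {"AllowWorkflowManagement", "DeleteFees"}

ROLE_RIGHTS_CSV = """role,right
Parking Management,ViewRecords
Parking Dispatch,ViewRecords
Parking CPMP,ViewRecords
Parking Space Rental Grp,ViewRecords
Parking Space Rental Grp,AllowWorkflowManagement
Parking Space Rental Grp,DeleteFees
"""
# Constructed assignments; "mlee" violates the one-role-per-user rule the memo states.
USER_ROLES_CSV = """user,role
jdoe,Parking Management
asmith,Parking Space Rental Grp
mlee,Parking Dispatch
mlee,Parking Space Rental Grp
"""

def load_pairs(text, key, value):
    """Group a two-column CSV into {key: set(values)}."""
    out = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        out[row[key]].add(row[value])
    return out

def review(role_rights_csv, user_roles_csv, reviewer):
    """Flag users with other than one role, list who holds each sensitive
    right, and check that the designated reviewer of the fee-deletion
    exceptions report does not hold the deletion right (independence)."""
    rights_by_role = load_pairs(role_rights_csv, "role", "right")
    roles_by_user = load_pairs(user_roles_csv, "user", "role")
    multi_role = sorted(u for u, r in roles_by_user.items() if len(r) != 1)
    holders = defaultdict(set)
    for user, roles in roles_by_user.items():
        for role in roles:
            for right in rights_by_role[role] & SENSITIVE_RIGHTS:
                holders[right].add(user)
    return {
        "multi_role_users": multi_role,
        "sensitive_rights": {r: sorted(u) for r, u in holders.items()},
        "reviewer_independent": reviewer not in holders.get("DeleteFees", set()),
    }
```

Running `review(ROLE_RIGHTS_CSV, USER_ROLES_CSV, "asmith")` flags mlee's double assignment and reports that the proposed reviewer holds the deletion right, so an employee outside the group must be chosen.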