MIAMI BEACH MEMORANDUM
City of Miami Beach, 1700 Convention Center Drive, Miami Beach, Florida 33139, www.miamibeachfl.gov
Office of Internal Audit, Tel: 305-673-7020

TO: John Woodruff, Chief Financial Officer
VIA: Mark D. Coolidge, Interim Internal Auditor
FROM: Norman Blaiotta, Senior Auditor
DATE: January 11, 2018
SUBJECT: Assessment of Access Rights for EnerGov User Roles (Finance Department)

Internal Audit has assessed the risks associated with the EnerGov user roles created for the Finance Department and the corresponding access rights and privileges granted to Finance Department employees. The focus of this review was to identify instances where these user roles and/or the system access they grant could adversely affect segregation of duties and/or internal controls. Copies of the "EnerGov User Role Access Audit Reports" detailing the access rights granted to pertinent staff were presented separately to Finance Department management.

The six (6) EnerGov user roles listed below were created to grant access to the corresponding number of Finance Department users. The naming conventions were established by the Finance Department in conjunction with the Information Technology Department, so they were left unchanged to avoid creating any confusion.

1. Finance Cust Serv (33 users)
2. Finance Administration (1 user)
3. Finance W-Pay Now (4 users)
4. Finance Supv (2 users)
5. Finance Manager (1 user)
6. Finance NSF User (3 users)

Only one (1) user role can be assigned to each staff member; however, all employees assigned to a user role share the same system access and privileges. In other words, each departmental user has a one-to-one relationship to a user role, while each user role has a one-to-many relationship to departmental users. Any right granted to a role is therefore effectively granted to every user in that role, so the role rather than the individual is the unit whose rights must be reviewed.

After reviewing the access rights and privileges granted to each of the six (6) EnerGov user roles, the following items were noted as needing further consideration:

1. Five (5) of the Finance Department's six (6) user roles were granted the ability to manage workflows through either of two (2) distinct rights, "AllowWorkflowManagement" and "WorkflowAdministrator", which are highlighted on the separately provided "EnerGov User Role Access Audit Reports":

• Finance Cust Serv ("AllowWorkflowManagement")
• Finance Administration ("AllowWorkflowManagement" and "WorkflowAdministrator")
• Finance W-Pay Now ("AllowWorkflowManagement" and "WorkflowAdministrator")
• Finance Supv ("AllowWorkflowManagement" and "WorkflowAdministrator")
• Finance Manager ("AllowWorkflowManagement" and "WorkflowAdministrator")

Among other rights, "AllowWorkflowManagement" allows users to bypass steps or actions in the workflow for a particular record, as well as to create steps and actions in a pre-established workflow, whereas "WorkflowAdministrator" allows users to create, delete, alter, skip and approve workflows. Although the "WorkflowAdministrator" right's ability to delete and/or skip steps is the more serious, there are also concerns with the "AllowWorkflowManagement" right, which gives users the ability to bypass and/or change the workflow. Consequently, either right should be granted only if absolutely necessary for the user to perform his or her job. The final decision on whether Finance Department staff need either of these two (2) rights lies solely with management. If either right is needed for any user role, then management should designate someone independent of these EnerGov user roles to routinely review exception reports originating from the system's audit trail. This monitoring process should be documented in a Standard Operating Procedure that includes, at a minimum, a listing of the personnel responsible for performing the review and their back-up personnel, as well as the frequency and the methodology used.

2. The Finance W-Pay Now user role was assigned to four (4) employees: one (1) Assistant Director, one (1) Revenue Manager, one (1) Financial Analyst III and one (1) Financial Analyst II. The Finance W-Pay Now user role includes rights aligned with a supervisory position. When asked, the Accounting Manager stated that the Financial Analyst II does not need access to this role, as her present duties are more aligned with the Finance NSF User role, so it should be changed accordingly.

3. The three (3) employees assigned to the Finance NSF User role were unaware they had access to EnerGov and stated that they do not use it in the completion of their work. Therefore, it is recommended that these individuals be changed to view-only access under the Finance NSF User role.

4. The Revenue Manager, who supervises the only employee assigned to the Finance Administration role (a Financial Analyst II, or FA-II), agreed on the need to change the FA-II's rights to mitigate the associated risk, especially since the FA-II supervises the cashiers and is their back-up when needed. The current settings for the Finance Administration role allow the FA-II to adjust or delete fees, refund and void payments, void invoices, delete attachments, etc. Therefore, it is recommended that the FA-II's permissions be changed to a less comprehensive role and that a Financial Analyst III or higher position be designated to hold the permissions that allow deleting, refunding or adjusting transactions.

5. Inquiries found that 9 of the 33 individuals assigned to the Finance Cust Serv user role were not actual Finance Department Customer Service Division employees. The table below lists these individuals, their current position and department, and notes as to whether they have ever worked in the Customer Service Division, were transferred or promoted to another position, etc.

Employee Name         Current Position (Current Department)                             Notes
Kenneth Patterson     Office Associate V (Information Technology)                       Never worked in the Finance Customer Service Division
Milos Majstorovic     Transportation Operations Supervisor (Transportation)             Never worked in the Finance Customer Service Division
Ginette Luxama        Financial Analyst I (Finance)                                     Has not worked in the Customer Service Division since April 2017
Mark Milisits         Asset Manager (Office of Real Estate)                             Never worked in the Finance Customer Service Division
Geraldine Toussaint   Office Associate III (Tourism, Culture and Economic Development)  Never worked in the Finance Customer Service Division
Yanira Pineda         Environmental Specialist (Public Works Environmental)             Never worked in the Finance Customer Service Division
Pablo Roman           Human Resource Specialist (Human Resources)                       Has not worked in the Customer Service Division since April 2017
Gabriel Donoso        Financial Analyst III (Finance)                                   Was transferred to another division within the Finance Department
Gabriela Alfonsin     Administrative Officer (Office of Real Estate)                    Never worked in the Finance Customer Service Division

In summary, it is recommended that these nine (9) individuals be changed to a view-only access role and, if more comprehensive access is subsequently needed, that they request it through the established EnerGov access request process. Finance Department management should periodically review all their user roles going forward to help ensure that only authorized individuals have access to the associated rights.
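Findings 1 and 5, together with the one-role-per-user rule stated earlier, amount to checks that can be run mechanically each review cycle from two exports: the role assignments and the current HR records. The script below is an added example and is not part of this memo, of the Finance Department's process, or of the EnerGov product. The role names and right names are those cited in the memo; the export layout, the user IDs, the numeric position ranking, the mapping of the Finance Cust Serv role to the Customer Service Division, and the sample records are all assumptions constructed for the illustration.

```python
"""Periodic access-review check for role assignments (added example).

Flags three conditions the memo describes:
  1. a user holding more than one role (the memo states each staff member
     gets exactly one role);
  2. a member of a departmental role who is not currently assigned to the
     unit that role was created for (finding 5);
  3. a holder of the "WorkflowAdministrator" right whose position is below
     Financial Analyst III, the level management designated for it.
The CSV layout, user IDs, position ranking and role-to-unit mapping are
assumptions for this illustration, not EnerGov's actual export format.
"""
import csv
import io
from collections import Counter

# Rights the memo identifies as allowing workflow bypass or alteration.
WORKFLOW_RIGHTS = {"AllowWorkflowManagement", "WorkflowAdministrator"}

# Rights carried by each role, as listed in finding 1 of the memo.
ROLE_RIGHTS = {
    "Finance Cust Serv": {"AllowWorkflowManagement"},
    "Finance Administration": set(WORKFLOW_RIGHTS),
    "Finance W-Pay Now": set(WORKFLOW_RIGHTS),
    "Finance Supv": set(WORKFLOW_RIGHTS),
    "Finance Manager": set(WORKFLOW_RIGHTS),
    "Finance NSF User": set(),
}

# Numeric ranking of positions (assumption for illustration only).
POSITION_RANK = {
    "Financial Analyst I": 1,
    "Financial Analyst II": 2,
    "Financial Analyst III": 3,
    "Revenue Manager": 4,
    "Assistant Director": 5,
}
MIN_RANK_FOR_WORKFLOW_ADMIN = POSITION_RANK["Financial Analyst III"]

# Role -> (department, division) expected to hold it (assumption).
ROLE_HOME_UNIT = {"Finance Cust Serv": ("Finance", "Customer Service")}

# Constructed sample exports; user IDs and records are fictitious.
ROLE_EXPORT = """user,role
u001,Finance Cust Serv
u002,Finance Cust Serv
u003,Finance Administration
u004,Finance W-Pay Now
u005,Finance NSF User
u005,Finance Cust Serv
"""
HR_EXPORT = """user,position,department,division
u001,Financial Analyst I,Finance,Customer Service
u002,Office Associate V,Information Technology,Applications
u003,Financial Analyst II,Finance,Customer Service
u004,Revenue Manager,Finance,Revenue
u005,Financial Analyst I,Finance,Treasury
"""


def parse_rows(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(role_rows, hr_rows, role_rights=ROLE_RIGHTS):
    """Return (user, role, issue) tuples for assignments needing attention."""
    hr = {r["user"]: r for r in hr_rows}
    findings = []

    # Check 1: one role per user.
    for user, n in Counter(r["user"] for r in role_rows).items():
        if n > 1:
            findings.append((user, "*", f"holds {n} roles; expected one"))

    for row in role_rows:
        user, role = row["user"], row["role"]
        rec = hr.get(user)
        if rec is None:
            findings.append((user, role, "no active HR record"))
            continue
        # Check 2: role member still belongs to the role's home unit.
        home = ROLE_HOME_UNIT.get(role)
        if home and (rec["department"], rec["division"]) != home:
            findings.append((user, role, f"not assigned to {home[0]} {home[1]}"))
        # Check 3: WorkflowAdministrator only at Financial Analyst III or above.
        if "WorkflowAdministrator" in role_rights.get(role, set()):
            if POSITION_RANK.get(rec["position"], 0) < MIN_RANK_FOR_WORKFLOW_ADMIN:
                findings.append((user, role,
                                 "WorkflowAdministrator below Financial Analyst III"))
    return findings


def run_review():
    """Run the review over the constructed sample exports."""
    return review_access(parse_rows(ROLE_EXPORT), parse_rows(HR_EXPORT))


if __name__ == "__main__":
    for user, role, issue in run_review():
        print(f"{user:6} {role:24} {issue}")
```

The HR export is the authoritative side of the join: a user who no longer appears in it is reported as having no active record rather than silently skipped, which is the case that produced most of the nine mismatches in finding 5. Position-based checks are deliberately tied to the role's rights, not its name, so a role that is later granted "WorkflowAdministrator" is caught without changing the script.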
Finance Department management emailed the following responses to the Office of Internal Audit concerning the findings listed above:

1. "AllowWorkflowManagement" and "WorkflowAdministrator" assigned user roles.

Finance Department's Management Response: The "AllowWorkflowManagement" and "WorkflowAdministrator" user roles are necessary access rights for Finance Department Customer Service Center employees to perform their jobs. The rights for "WorkflowAdministrator" are designated for Financial Analysts III, or higher, to delete and/or skip steps in the workflow, as well as for the ability to bypass steps and/or change the workflow, given that the function is disabled for the Finance Customer Service user role. Under the "AllowWorkflowManagement", the Finance Customer Service role is allowed to approve, fail and/or create actions. The Assistant Director of the Finance Department will be designated to review exception reports created from the system's audit trail on a quarterly basis.

2. A Financial Analyst II was included in the Finance W-Pay Now user role.

Finance Department's Management Response: The Finance W-Pay Now user role right is similar to that of a receipting/recording function and is assigned more on a segregation of duties function rather than a supervisory function. All users were reviewed and rights are assigned to 1. Revenue Manager, 2. Financial Analyst III [cashier supervisor with no custody of assets role] and 3. Financial Analyst II [with no custody of assets or reconciliation role].

3. Finance NSF User role was unknowingly assigned to three (3) employees.

Finance Department's Management Response: The Finance NSF User role was removed from all three (3) identified employees.

4. Change the Financial Analyst II's permissions or re-assign the role to a Financial Analyst III.

Finance Department's Management Response: The Finance Administration role was reassigned to the Financial Analyst III [cashier supervisor with no custody of assets role].

5. Nine (9) of the 33 users assigned to the Finance Cust Serv user role were not Finance Department Customer Service Division employees.

Finance Department's Management Response: All nine specified users have been moved to a read-only user role.

cc: Mark Taxis, Assistant City Manager
    Ariel Sosa, Director, Information Technology Department

F:\OBPI\$AUD\INTERNAL AUDIT FILES\DOC17-18\REPORTS -FINAL \Audit Memo-Finance 1-11-18 (EnerGov).docx