EnerGov - Parking Department 7-26-17MIAMI BEACH MEMORANDUM
City of Miami Beach, 1700 Convention Center Drive, Miami Beach, Florida 33139, www.miamibeachfl.gov
Office of Internal Audit
Tel: 305-673-7020
TO:
VIA:
FROM:
Saul Frances, Parking Director
James Sutter, Internal Audito~A ..
Fidel Miranda ~ -~
DATE: July 26, 2017
SUBJECT: Assessment of Access rights for EnerGov User Roles (Parking Department)
Meetings were held with you and/or members of your team on April 27, 2017 and May 04, 2017 to review
and assess risks associated with created EnerGov user roles, and the corresponding access rights and
privileges granted by the Information Technology (l.T.) Department. The focus of our review was to
identify instances whereby created user roles and/or corresponding system accesses granted could have
an adverse impact on segregations of duties and/or internal controls.
During our review, we identified the following four (4) EnerGov user roles that were created to grant
access to department users:
• Parking Management -(3 users assigned)
• Parking Dispatch -(18 users assigned)
• Parking Space Rental Grp -(5 users assigned)
• Parking CPMP -(3 users assigned)
Only one user role can be assigned to each user I staff member; however, all users I staff members
assigned under a user role will share the same system access and privileges, without exception. In other
words, department users have a one to one relationship with user roles, while user roles have a one to
many relationship with department users.
After looking at the access rights and privileges provided to EnerGov users under each of the four (4)
user roles created, it was noted that the following items are in need of further consideration, which have
been highlighted on the User Role Access_Report submitted along with this memo for your review and
further reference: ·
1. Users under the "Parking Space Rental Grp" user role were granted among other rights, the
ability to manage work flow ("AllowWorkflowManagement"). This right allows users to bypass
steps or actions in the workflow for a particular record. Although a report can be generated to
identify all instances in which a workflow step was bypassed, it would require continuous
monitoring to proactively detect any incident(s) whereby a step or an action is skipped or
approved through the workflow.
Best practices should be to review the current business processes and map it out so that creating
the workflow is easier and each required step or action is given the adequate hierarchy in the
workflow; therefore, removing the need to allow access to any user role to manage the workflow.
Workflow management should be a procedural control and not an operational option.
Consequently, Internal Audit recommends ensuring that workflows are created to reflect the
processes of the department and once properly set up; only system administrator level users
Page 1 of 3
INTERNAL AUDIT MEMORANDUM
Assessment of Access Rights for EnerGov User Roles Julv 26. 2016
should have access to manage or administer workflows. Workflows should be the result of
Standard Operating Procedures and established business rules within the department.
2. Users under the "Parking Space Rental Grp" user role were granted access to delete fees. In this
particular case, department personnel stated it was needed to delete administrative fees that
would be automatically generated in invoices where more than one parking space rental permit
(multiple locations) was being processed.
Because fee deletion should be avoided whenever possible, Internal Audit recommends
reviewing the City Code, which establishes the requirement to assess the administrative fee for
parking space rental permits to better define if a rental request is supposed to be set by location
and/or by permit. If so, then fees are being charged accordingly and there is no need to delete or
even adjust these fees. This is more in line with the level of effort administratively required to
create the paperwork and post the reserved parking spaces.
However, if a rental request is not required by location, meaning that anyone can request a
number of spaces in different locations, as long as this is done once, then a custom fee should be
created in the system to accommodate this need. Alternatively, a continuous monitoring of the
exceptions report by a designated departmental employee independent of this user group of all
fees deleted should be performed periodically in order to detect and questions, if necessary, any
fee deletions captured on the report.
It is important that any action taken in this particular case maintains consistency between the
policy set through the City Code, the business decisions and rules made by the department, and
Standard Operating Procedures approved and implemented.
Along with this memo are the rights and privileges assigned to each of the user roles created in EnerGov
for your department. Please review them and certify your agreement by signing and returning the
enclosed "EnerGov User Roles and Access Rights Certification" form to Internal Audit.
F:\OBPl\$AUD\INTERNAL AUDIT FILES\DOC16-17\PC WORK\EnerGov Roles & Rights\Clerk -7-20-17\Audit Memo EnerGov
Roles and Rights -Parking Department.docx
cc: Kathie G. Brooks, Assistance City Manager
Mark Taxis, Assistant City Manager
John Woodruff, Chief Finance Officer
Ariel Sosa, Director-Information Technology Department
Page 2 of 3
INTERNAL AUDIT MEMORANDUM
Assessment of Access Rights for EnerGov User Roles Julv 26, 2016
EnerGov User Roles and Access Rights
Certification
Date: _____ _
Department I Division: ______________ _
I, , hereby certify that I have
reviewed and are fully aware of the EnerGov user roles created for our department and the
corresponding access rights and privileges assigned. I further represent that our department
will make every effort to establish sound business rules and processes to mitigate any risks
associated with the roles and rights granted to us, as EnerGov users. Such business rules and
processes will help to establish and/or maintain effective internal controls, both in design and
operation.
(Signature)
Page 3 of 3