EnerGov - Sanitation Division 9-30-17
MIAMI BEACH MEMORANDUM
City of Miami Beach, 1700 Convention Center Drive, Miami Beach, Florida 33139, www.miamibeachfl.gov
Office of Internal Audit
Tel: 305-673-7020
TO: Alberto Zamora, Sanitation Division Director
VIA: Mark Coolidge, Assistant Internal Auditor
FROM: Fidel Miranda
DATE: September 30, 2017
SUBJECT: Assessment of Access Rights for EnerGov User Roles (Sanitation Division)
Internal Audit has assessed the risks associated with created EnerGov user roles and the
corresponding access rights and privileges granted to Sanitation Division employees. The focus
of this review was to identify instances whereby these user roles and/or corresponding system
accesses granted could have an adverse impact on segregation of duties and/or internal
controls. A copy of the Sanitation Division's "EnerGov User Role Access Report" is attached
that details the access rights granted to pertinent staff as a result of the meetings held with the
Information Technology Department and the Office of Internal Audit for this analysis.
One (1) EnerGov user role entitled "Sanitation Admin" was identified that granted access to five
divisional users. The user role's naming convention was established by the Sanitation Division
in conjunction with the Information Technology Department so it was not changed to help avoid
creating any confusion.
Only one (1) user role can be assigned to each staff member; however, all employees assigned
under a user role will share the same system accesses and privileges. In other words, division
users have a one-to-one relationship to user roles, while user roles have a one-to-many
relationship to division users.
After reviewing the access rights and privileges granted to the "Sanitation Admin" user role, it
was noted that the following items are in need of further consideration, which have been
highlighted on the "EnerGov User Role Access Report" presented after this memo.
a) The ability to adjust fees (AllowAdjustFees)
b) The ability to delete attachments to the file (AllowDeleteAttachment)
c) The ability to skip, approve, and create steps and actions in workflow (AllowWorkflowManagement)
Due to the relatively small number of clerical staff, all employees need to have the same access
as they substitute for one another when someone is out of the office. Although necessary, this
scenario poses a greater risk since segregation of duties is minimal.
In addition, the division should consider implementing a continuous monitoring program in which a
designated independent employee reviews fee deletions, adjustments and voided invoices. An
"Exceptions Report" has been created by the Information Technology Department to help
identify all instances whereby any of these actions took place to facilitate reviewing their validity.
It is recommended that the workflows created properly align to the business processes and
rules already implemented through the division's Standard Operating Procedures. This practice
will help allow for the creation of meaningful workflows that will reduce the need for any user to
have access to change and/or skip any steps of the established process. The rights to manage
and/or administer workflows should be maintained at a System Administrator level and not by
system users.
Furthermore, allowing users the ability to delete attachments in the system should be
reconsidered. It is important to note that attachments provide the supporting documentation
required for the work performed. In addition, there are record retention requirements that must
be complied with, which users may not be aware of. Although we view the ability to remove
attachments as a lesser risk, its granting merits closer consideration.
cc: Eric Carpenter, Assistant City Manager
Mark Taxis, Assistant City Manager
John Woodruff, Chief Financial Officer
Ariel Sosa, Director-Information Technology Department