Audit Memo - EnerGov - Code Compliance 11-16-17
MIAMI BEACH MEMORANDUM
City of Miami Beach, 1700 Convention Center Drive, Miami Beach, Florida 33139, www.miamibeachfl.gov
Office of Internal Audit
Tel: 305-673-7020
TO : Hernan Cardeno, Code Compliance Department Director
VIA: Mark D. Coolidge, Interim Internal Auditor
FROM: Norman Blaiotta, Senior Auditor
DATE: November 16, 2017
SUBJECT: Assessment of Access Rights for EnerGov User Roles (Code Compliance Department)
Internal Audit has assessed the risks associated with the EnerGov user roles that have been created and the corresponding access rights and privileges granted to Code Compliance Department employees. The focus of this review was to identify instances where these user roles and/or the system access granted under them could have an adverse impact on segregation of duties and/or internal controls. Copies of the "EnerGov User Role Audit Reports", detailing the access rights granted to pertinent staff, will be presented separately to Code Compliance Department management.
The six (6) EnerGov user roles listed below have been created and currently have the number of users shown assigned to them. The naming conventions were established by the Code Compliance Department in conjunction with the Information Technology Department, so the role names have not been changed here, to avoid creating any confusion.
1. Code Administrative Aide (5 users)
2. Code Invoicing (3 users)
3. Code Limited Access - CCO (49 users)
4. Code Limited Access CCA (3 users)
5. Code LMTD CCA w/reassign (2 users)
6. Code Management (6 users)
In addition, the following four (4) user roles were also created but have no individuals assigned to them, and should therefore be deleted if they are not going to be used:
1. Code Limited Access W-BTR
2. Code Limited W-BTR Review
3. Code Full Access
4. Code Full Access W-BTR
Only one (1) user role can be assigned to each staff member; however, all employees assigned to a user role share the same system access and privileges. In other words, departmental users have a one-to-one relationship to user roles, while user roles have a one-to-many relationship to departmental users.
After reviewing the access rights and privileges granted to each of the six (6) pertinent EnerGov user roles, it was noted that the following items need further consideration; they have been highlighted on the "EnerGov User Role Audit Reports".
a) AllowWorkflowManagement - the ability to bypass steps or actions in the workflow for a particular record, and to create steps and actions in a pre-established workflow. This right has been granted to all six (6) user roles that have assigned users:
   Code Administrative Aide
   Code Invoicing
   Code Limited Access - CCO
   Code Limited Access CCA
   Code LMTD CCA w/reassign
   Code Management
b) WorkFlowAdministrator - the ability to create, delete, alter and approve workflows. This right has been granted to the Code Management user role.
Allowing ordinary users to manage and administer workflows poses a risk to the department's fundamental operations and processes; these rights should be kept at the System Administrator level. Workflows are designed and developed to establish the actions and steps driven by the Standard Operating Procedures and business rules approved and implemented by each department. Any change to a workflow should be documented by revised or newly established and approved procedures. Best practice is to review the current business processes and map them out before building the workflow, so that creating it is easier. Once a workflow is created, no individual user should have access to alter or bypass any step or action, as doing so would be a departure from the established business processes.
Furthermore, EnerGov's User Setup Manual defines the System Administrator function as "Allows the user to perform the same functions as AllowWorkflowAdministrator". Since System Administrator is, by definition, the most comprehensive access right in any system, anyone granted AllowWorkflowAdministrator in effect holds System Administrator access. For this reason, it is recommended that this right be removed from everyone but the actual System Administrator.
Lastly, the table below lists ex-City employees whose rights within the reviewed Code Compliance Department user roles have not been removed from the system, according to the "EnerGov User Role Audit Reports" created on 11/07/2017.

Ex-City Employee Name   User Role                   Termination Date   Days between termination date and 11/07/2017
Paul Spencer            Code Limited Access - CCO   08/01/2017          98
Marquise McEady         Code Limited Access - CCO   06/20/2017         140
David Gonzalez          Code Limited Access - CCO   06/04/2017         156
Juan Reyes              Code Limited Access - CCO   01/15/2017         296
Joshua Stevens          Code Limited Access - CCO   09/02/2016         431
cc: Susanne Torriente, Assistant City Manager
Mark Taxis, Assistant City Manager
John Woodruff, Chief Financial Officer
Ariel Sosa, Director – Information Technology Department