Audit Memo - EnerGov - Finance 1-11-18MIAMI BEACH MEMORANDUM
City of Miami Beach, 1700 Convention Center Drive, Miami Beach, Florida 33139, www.miamibeachfl.gov
Office of Internal Audit
Tel: 305-673-7020
TO: John Woodruff, Chief Financial Officer
VIA: Mark D. Coolidge, Interim Internal Auditor 1"\.b(!.,.
FROM: Norman Blaiotta, Senior Auditor @
DATE: January 11, 2018
suBJECT: Assessment of Access Rights for EnerGov User Roles (Finance Department)
Internal Audit has assessed the risks associated with created EnerGov user roles and the
corresponding access rights and privileges granted to Finance Department employees. The
focus of this review was to identify instances whereby these user roles and/or corresponding
system accesses granted could have an adverse impact on segregations of duties and/or
internal controls. Copies of the "EnerGov User Role Access Audit Reports" were separately
presented to Finance Department management detailing the access rights granted to pertinent
staff.
The six (6) EnerGov user roles listed below were created to grant access to the corresponding
number of Finance Department assigned users. The naming conventions were established by
the Finance Department in conjunction with the Information Technology Department so they
were not changed to help avoid creating any confusion.
1 Finance Gust Serv-(33 users)
2 Finance Administration-(1 user)
3 Finance W-Pay Now (4 users)
4 Finance Supv-(2 users)
5 Finance Manager-(1 user)
6 Finance NSF User-(3 users)
Only one (1) user role can be assigned to each staff member; however, all employees assigned
under a user role will share the same system accesses and privileges. In other words,
departmental users have a one to one relationship to user roles, while user roles have a one to
many relationship to department users.
After reviewing the access rights and privileges granted to each of the six (6) pertinent EnerGov
user roles, it was noted that the following items are in need of further consideration:
1. Five (5) of the Finance Department's six (6) user roles listed below were granted the ability
to manage work flows through either of two (2) distinct rights, "AIIowWorkflowManagement"
and "WorkFiowAdministrator", which are highlighted on the separately provided "EnerGov
User Role Access Audit Reports":
Page 1 of 4
INTERNAL AUDIT MEMORANDUM
Assessment of Access Rights for EnerGov User Roles
Finance Department
• Finance Gust Serv ("AIIowWorkflowManagement")
Januarv 11, 2018
• Finance Administration ("AIIowWorkflowManagement" and "WorkFiowAdministrator")
• Finance W-Pay Now ("AIIowWorkflowManagement" and "WorkFiowAdministrator")
• Finance Supv ("AIIowWorkflowManagement" and "WorkFiowAdministrator")
• Finance Manager ("AIIowWorkflowManagement" and "WorkFiowAdministrator")
Among other rights, "AI IowWorkflowManagement" allows users to bypass steps or actions in
the workflow for a particular record, as well as create steps and actions in a pre-established
workflow, whereas "WorkFiowAdministrator" allows users to create, delete, alter, skip and
approve workflows. Although the "WorkFiowAdministrator" right's ability to delete and/or
skip steps is more egregious, there are also concerns with the "AIIowWorkflowManagement"
right which give users the ability to bypass and or change the workflow. Consequently,
either of these rights should only be granted if absolutely necessary to perform their job.
The final decision on whether Finance Department staff needs either of these two (2) rights
lies solely with management. If either right is needed for any user role, then management
should designate someone independent of these EnerGov user roles to routinely review
exception reports originating from the system's audit trail. This monitoring process should
be documented in a Standard Operating Procedure which should include at a minimum a
listing of designated personnel responsible to perform the review and their corresponding
back-up personnel, as well as the frequency and the methodology used.
2. The Finance W-Pay Now user role was assigned to four ( 4) employees, including one ( 1)
Assistant Director, one (1) Revenue Manager, one (1) Financial Analyst Ill and one (1)
Financial Analyst II. The Finance W-Pay Now user role includes rights aligned with a
supervisory position. When asked, the Accounting Manager stated that the Financial
Analyst II does not need access to this role as her present duties are more aligned with the
Finance NSF User role so it should be changed accordingly.
3. The three (3) employees assigned into the Finance NSF User role were unaware they had
access to EnerGov and stated that they do not use it in the completion of their work.
Therefore, it is recommended to change these individuals to a view only access under the
Finance NSF User role.
4. The Revenue Manager, who supervises the only employee assigned to the Finance
Administration role (a Financial Analyst II or FA-11), agreed in the need to change the FA-ll's
rights to mitigate associated risk especially since the FA-ll supervises the cashiers and is
their back-up when needed. The current settings for the Finance Administration role allows
the FA-ll to adjust or delete fees, refund and void payments, void invoices, delete
attachments, etc. Therefore, it is recommended to change the FA-ll's permissions to
another less comprehensive one and designate a Financial Analyst Ill or a higher position to
hold permissions involving deletion, refund or adjust transactions.
5. Inquiries found that 9 of the 33 individuals assigned to the Finance Gust Serv user role were
not actual Finance Department Customer Service Division employees. The table presented
below lists these individuals, their current position and notes as to whether they have ever
worked in the Customer Service Division, were transferred or promoted to another position,
etc.
Page 2 of 4
INTERNAL AUDIT MEMORANDUM
Assessment of Access Rights for EnerGov User Roles
Finance Department
Employee Name Current Position/(Current Department)
Kenneth Patterson Office Associate V
(Information Technology)
Milos Majstorovic Transportation Operations Supervisor
(Transportation)
Ginette Luxama Financial Analyst I
(Finance)
Mark Milisits Asset Manager
(Office of Real Estate)
Geraldine Toussaint Office Associate Ill
(Tourism, Culture and Economic Development)
Yanira Pineda Environmental Specialist
(Public Works Environmental)
Pablo Roman Human Resource Specialist
(Human Resources)
Financial Analyst Ill Gabriel Donoso (Finance)
Gabriela Alfonsin Administrative Officer
(Office of Real Estate)
Januarv 11. 2018
Notes
Never worked in the Finance
Customer Service Division
Never worked in the Finance
Customer Service Division
Has not worked in the Customer
Service Division since April 2017
Never worked in the Finance
Customer Service Division
Never worked in the Finance
Customer Service Division
Never worked in the Finance
Customer Service Division
Has not worked in the Customer
Service Division since April 2017
Was transferred to another
division within the Finance
Department
Never worked in the Finance
Customer Service Division
In summary, it is recommended that these nine (9) individuals be changed to a view only
access role and if a more comprehensive access is subsequently needed, then they should
request it through the established EnerGov access request process. Finance Department
management should periodically review all their user roles going forward to help ensure that
only authorized individuals have access to their associated rights.
F:\OBPI\$AUD\INTERNAL AUDIT FILES\DOC17-18\REPORTS -FINAL \Audit Memo-Finance 1-11-18 (EnerGov).docx
cc: Mark Taxis, Assistant City Manager
Ariel Sosa, Director-Information Technology Department
Page 3 of 4
INTERNAL AUDIT MEMORANDUM
Assessment of Access Rights for EnerGov User Roles
Finance Department Januarv 11, 2018
Finance Department management emailed the following responses to the Office of Internal
Audit concerning the findings listed below:
1. "AIIo wWorkflowManagement" and "WorkflowAdministrator'' assigned user roles.
Finance Department's Management Response:
The "AIIowWorkflowManagement" and "WorkflowAdministrator" user roles are necessary
access rights for Finance Department Customer Service Center employees to perform their
jobs. The rights for "WorkflowAdministrator" are designated for Financial Analysts Ill, or
higher, to delete and/or skip steps in the workflow, as well as, for the ability to bypass steps
and/or change the workflow, given that the function is disabled for the Finance Customer
Service user role. Under the "AIIowWorkflowManagement", the Finance Customer Service
role is allowed to approve, fail and/or create actions. The Assistant Director of the Finance
Department will be designated to review exception reports created from the system's audit
trail on a quarterly basis.
2. A Finance Analyst II was included in the Finance W-Pay Now user role.
Finance Department's Management Response:
The Finance W-Pay Now user role right is similar to that of a receipting/recording function
and is assigned more on a segregation of duties function rather than a supervisory
function. All users were reviewed and rights are assigned to 1. Revenue Manager
2. Financial Analyst Ill [cashier supervisor with no custody of assets role] and 3. Financial
Analyst II [with no custody of assets or reconciliation role].
3. Finance NSF User role was unknowingly assigned to three (3) employees
Finance Department's Management Response:
The Finance NSF User role was removed from all three (3) identified employees.
4. Change Financial Analyst ll's permissions or re-assign to a Financial Analyst Ill.
Finance Department's Management Response:
The Finance Administration role was reassigned to the Financial Analyst Ill [cashier
supervisor with no custody of assets role].
5. Nine (9) of 33 users assigned to the Cust Serv user role were not Finance Department's
employees.
Finance Department's Management Response:
All nine specified users have been moved to a read only user role.
Page 4 of 4