OIG No. 21-18: Review of DAVID Database Access and Internal Controls
Joseph M. Centorino, Inspector General
TO: Honorable Mayor and Members of the City Commission
FROM: Joseph Centorino, Inspector General
DATE: April 14, 2021
PROJECT: DAVID Database Access and Internal Controls Review
OIG No. 21-18
PERIOD: December 26, 2017 through December 26, 2020
Office of the Inspector General (OIG) staff performed this review of selected terms in Contract
Number HSMV-0359-18 granting the City of Miami Beach access to the Florida Department of
Highway Safety and Motor Vehicles' Driver and Vehicle Information Database System (DAVID), at
no charge for a six-year term starting December 26, 2017. The City's Parking and Finance
Departments used this confidential data primarily to verify that inquiring customers were Miami
Beach residents and were entitled to receive discounted parking rates and/or residential parking
permits during December 26, 2017 through December 26, 2020.
INTRODUCTION
On December 3, 2014, the City of Miami Beach's Parking Department entered into a Memorandum
of Understanding or MOU with the Florida Department of Highway Safety and Motor Vehicles
(DHSMV) for access to DAVID. Through Contract Number HSMV-0378-15, the DHSMV initially
provided the City's Parking Department electronic access to DAVID at no cost for a three-year term.
Upon the expiration of this MOU, the City entered into a new six-year agreement with DHSMV
effective December 26, 2017 through Contract Number HSMV-0359-18. This new MOU was
entered into for the purpose of establishing the conditions and limitations under which the DHSMV
agreed to provide electronic access to DAVID information to the City at no charge.
DAVID permits authorized users to retrieve such confidential information as an individual's driver
license number, status, address, motor vehicle history, vehicle model and license plate/marine
vessel number. The City's Parking and Finance Departments use DAVID primarily to confirm Miami
Beach residency for residents applying to receive discounted parking rates. Although both
departments have access to DAVID, most of the database searches are conducted by Finance
Department Customer Service Division designated personnel.
In return, the Parking and Finance Departments are responsible for establishing and maintaining
an effective internal control system concerning DAVID's usage. An internal control system should
be designed to provide reasonable assurance of achieving effective and efficient operations,
safeguarding of assets, and compliance with applicable laws and regulations.
Personal data and information associated with a driver or motor vehicle record are protected under
both federal and state law. Unauthorized access, use, or disclosure of DAVID data may result in
penalties and civil lawsuits, and may constitute a criminal violation. Information obtained through
the DAVID database may only be used for the purposes for which authorization was granted in the
MOU, and may be disclosed to others only as authorized by state law.
SCOPE, OBJECTIVES, AND METHODOLOGY
The scope of this engagement was to determine whether the City's Parking and Finance
Departments complied with selected provisions in Contract Number HSMV-0359-18 concerning
their usage of DAVID from December 26, 2017 through December 26, 2020. In general, this review
focused on the following objectives:
a. To ensure that Standard Operating Procedures related to DAVID's usage were approved
by a Risk Management Information Technology Security professional as required in the
annual Certification Statements.
b. To validate whether adequate access controls exist to ensure that confidential DAVID data
is not disclosed to, or accessed by, unauthorized parties, and that the database searches
conducted are only for work-related purposes.
c. To verify that the pertinent City departments timely and sufficiently completed and/or
submitted the required Quarterly Quality Control Review Reports and the Annual
Certification Statements.
d. Other procedures as deemed necessary.
The methodology used by OIG staff included the following:
• Interviewed and made inquiries of staff to gain an understanding of internal controls, assess
control risk, and plan procedures.
• Performed substantive testing consistent with the engagement's objectives, including, but
not limited to, examination of applicable transactions and records.
• Drew conclusions based on the results of testing, made corresponding recommendations,
and obtained auditee responses and corrective action plans.
• Performed other procedures as deemed necessary.
TESTING RESULTS
1. Manual Log: The City's Information Technology (I.T.) Department created a database
application (manual log) in January 2018 for usage by Customer Service Division
management to review all searches performed in the DAVID database by designated staff.
Manual log entries are entered by the individual user, whereas the DAVID database
audit log is created automatically by the system for each search performed.
Upon request, the Customer Services Manager provided the manual log for the reviewed
period, which was compared with the DAVID database audit log for the same period. This
comparison was based on the line items containing license plates in the DAVID audit log,
as the manual log report only shows license plates as the key search used, although DAVID
searches can be done by license plate, driver's license, name, social security number, title
number, business name, etc. The following differences were identified regarding the
number of license plate searches:
a. Between January 1, 2018, and September 30, 2020, there were 4,372 license plate
searches in the DAVID audit log. Of these, 2,805 (64%) were in the manual log
report and 1,567 (36%) were not. When questioned, the Customer Services
Manager was unaware of the significant differences between the two reports and
could only speculate as to the root cause of the differences.
b. Closer review of the "Inquiry ID" number in the manual log report, which is a
consecutive number created every time a search is recorded, found that it
occasionally breaks sequence and skips ahead by approximately one thousand
(i.e. from 2,897 to 3,897 or from 4,291 to 5,290). These breaks raise concern about
the reliability of the manual log report. It is disconcerting that they were not noticed
previously by the City's I.T., Parking or Finance Departments during the past
three years. Consequently, one may assume that the accuracy of the manual log
report was not sufficiently tested, and the analysis needed to complete
the Quarterly Quality Control Review Reports (see #4 below) may not have been
adequately performed by Customer Service Division management.
It was also noted that, although the Parking Administrative Services Manager is the only
Parking Department user authorized to perform searches in DAVID, the manual log report
did not include any searches by that individual. However, it did contain two line items
entered for a search occurring on January 31, 2019, created by another Parking Department
employee who has never been an authorized DAVID user, and these searches were not
present in the DAVID audit log. Lastly, the 1,567 discrepancies between the two reports
indicate that Parking Department staff do not always complete the manual log when they
perform DAVID searches.
2. Database Access Hours: Testing determined that access to DAVID is currently restricted
to one Parking Department employee and five Customer Service Division employees.
These six employees are granted database access between the hours of 8:00am and
7:00pm Monday through Friday to coincide with their department's regularly scheduled
working hours. OIG staff's DAVID audit log review confirmed that these employees were
properly denied access outside of these stated hours.
3. Database Access on Days Off: OIG staff tested, based on payroll schedules, whether
DAVID users made system inquiries on days that they were not scheduled to work, but
which occurred during the normal Monday through Friday work week. Examples include
instances when the users were not working due to using approved sick or vacation leave,
or on weekdays on which they were not scheduled to work, due to their 4 days/10 hours per
day work week. The following results were noted:
a. Two authorized DAVID users made license plate searches on four different
Wednesdays, which was their scheduled weekday off. From the 26 total applicable
searches, 24 (92%) were found in the manual log, which suggests that the searches
were most likely work-related. However, two license plate searches (8%) were not
found in the manual log and their purpose remains unknown.
b. Three users each made one license plate search on a day that they were not
scheduled to work, when they were using either sick or vacation time based on the
payroll information obtained. One of the three license plates searched was not found
in the manual log, which raises concerns about its work-related purpose.
Although these 29 total inquiries were made by employees when they appear not to have
been working, this does not necessarily mean that they were performed for a non-approved
purpose. However, it does raise concerns, and Parking and Finance Department
management should more closely scrutinize these entries to determine if they were
warranted.
4. Quarterly Quality Control Review Reports (QQCRRs): Section VI(A) of the MOU states
that QQCRRs must be completed within 10 days after the end of each quarter and
maintained for two years. The Customer Service Division provided QQCRRs that
supposedly included the Parking Department's usage for the twelve quarters occurring from
October 1, 2017 through September 30, 2020, which OIG staff reviewed to find the following:
a. Four QQCRRs were prepared timely in accordance with Section VI(A). The
remaining eight or 67% were prepared late, ranging from a low of 14 days to a high
of 157 days, with an average of almost 55 days per report.
b. Although the prepared QQCRRs stated the number of users audited during the
quarterly review, Finance and Parking management, when questioned, had no
documented evidence of the audit processes carried out during these reviews
(i.e. sample selection, dates, tests performed, results, etc.). Therefore, OIG staff
could not ascertain whether the required review work was performed, or whether the
forms were merely filled out and signed.
5. Annual Certification Statements and Standard Operating Procedures: Section VI(C) of
the MOU states that the City must annually submit a signed Certification Statement to the
DHSMV within 45 days after the anniversary date of this MOU (December 26th). Although
not specified in the MOU, the DHSMV's Government Analyst overseeing the submittal of
these Certification Statements sent the City a July 26, 2019 email stating, "It should be
signed by the agency head, as they are certifying that 'their agency' is following the rules of
the MOU."
OIG staff reviewed the annual Certification Statements provided and determined that the
first Certification Statement, due on February 9, 2019 and signed by an Assistant City
Manager, was submitted 187 days late on August 15, 2019. Its submittal occurred after the
City received emails from the DHSMV threatening to revoke the City's privilege to use the
DAVID database. The City Manager was out of the office, and the designated Assistant
City Manager was empowered to act on his behalf during his absence. The second
Certification Statement, signed by the City Manager, was submitted on December 17, 2019,
14 days before the quarter ended on December 31, 2019, which was 54 days before its
stated due date.
In addition, the annual Certification Statement also contains wording which constitutes an
oath signed under penalty of perjury that the signer has verified that the appropriate internal
controls are in place at all times to ensure that the DAVID data is protected from
unauthorized access, distribution, use, modification, or disclosure. This includes both
policies/procedures in place for personnel to follow, and data security procedures/policies
to protect personal data. The data security procedures/policies are to be approved by a
Risk Management IT Security Professional.
After several requests to the Parking and Finance Departments, the Customer Service
Manager provided their Standard Operating Procedures or SOP, in which the following
shortcomings were identified:
a. The SOP does not disclose the internal control processes implemented by
management to ensure the correct use of the system. It does not include procedures
in place for personnel to follow and data security measures to protect personal data,
and it was also not approved by a Risk Management I.T. Security professional.
b. It only addresses the initial sign-in process to DAVID and some of the search
selection criteria that the system provides.
c. It does not address the routine and repetitive activities to be followed by DAVID users
during their normal duties which include, but are not limited to, recording in the
manual log every search performed in DAVID or any other required steps regarding
the documentation of the searching process.
Although the limited scope SOP would satisfy Section VI(C) of the MOU, it is unlikely that
the required Risk Management I.T. Security Professional would approve it in its current
state. It would have to be expanded to address the above shortcomings. Finally, the annual
Certification Statement signers' apparent lack of verification jeopardizes the City's credibility
and increases its liability if a security breach occurred involving DAVID's confidential data.
6. Timely Revocation of Access/Permissions: Section IV(B)(8) of the MOU states
"Immediately inactivate user access/permissions following termination or the determination
of negligent, improper, or unauthorized use or dissemination of information." Testing
conducted to determine the length of time to inactivate former DAVID users found that the
permissions for three former employees were revoked, respectively, three, five and ten days
after the termination date listed in the Munis system (the City's enterprise resource planning
system). These delays are not in adherence with Section IV(B)(8)'s immediate inactivation
requirements.
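The log comparison and Inquiry ID sequence check described in Testing Result 1 can be automated. The following is an added example, not part of the OIG report or the City's application; the row layout, user names and plates are constructed assumptions, with the Inquiry ID values chosen to mirror the 2,897 to 3,897 jump reported above.

```python
from collections import Counter
from datetime import date

# Constructed sample rows. The field layout and user names are assumptions for
# illustration, not the DAVID audit log format or the City's manual log schema.
AUDIT_LOG = [  # (user, plate, day): one row per search the system recorded
    ("userA", "ABC123", date(2020, 1, 27)),
    ("userA", "ABC123", date(2020, 1, 27)),  # retyped search, logged twice by the system
    ("userB", "XYZ789", date(2020, 1, 28)),
    ("userB", "JKL456", date(2020, 1, 28)),  # never written to the manual log
]
MANUAL_LOG = [  # (inquiry_id, user, plate, day): rows entered by staff
    (2896, "userA", "ABC123", date(2020, 1, 27)),
    (2897, "userB", "XYZ789", date(2020, 1, 28)),
    (3897, "userC", "QRS111", date(2020, 1, 28)),  # no audit row, user not authorized
]
AUTHORIZED = {"userA", "userB"}  # hypothetical list of approved DAVID users


def reconcile(audit, manual):
    """Compare the logs as multisets keyed on (user, plate, day).

    A multiset is used so that a plate searched twice needs two manual entries.
    Returns (searches missing from the manual log, manual entries with no search).
    """
    audit_counts = Counter(audit)
    manual_counts = Counter((user, plate, day) for _, user, plate, day in manual)
    # Counter subtraction keeps only positive remainders.
    return audit_counts - manual_counts, manual_counts - audit_counts


def coverage_pct(audit, manual):
    """Percentage of audit-log searches that have a matching manual entry."""
    missing, _ = reconcile(audit, manual)
    total = len(audit)
    return 100.0 * (total - sum(missing.values())) / total if total else 100.0


def sequence_gaps(manual, min_jump=2):
    """Return (last_id, next_id, ids_skipped) wherever the Inquiry ID jumps."""
    ids = sorted(row[0] for row in manual)
    return [(lo, hi, hi - lo - 1) for lo, hi in zip(ids, ids[1:]) if hi - lo >= min_jump]


def unauthorized_entries(manual, authorized):
    """Manual log rows entered by someone who is not an approved user."""
    return [row for row in manual if row[1] not in authorized]


if __name__ == "__main__":
    missing_manual, missing_audit = reconcile(AUDIT_LOG, MANUAL_LOG)
    print("searches with no manual entry:", dict(missing_manual))
    print("manual entries with no search:", dict(missing_audit))
    print("coverage: %.0f%%" % coverage_pct(AUDIT_LOG, MANUAL_LOG))
    print("Inquiry ID gaps:", sequence_gaps(MANUAL_LOG))
    print("entries by non-authorized users:", unauthorized_entries(MANUAL_LOG, AUTHORIZED))
```

A gap reported by `sequence_gaps` is a prompt to ask why the counter moved, not proof that rows were deleted.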
RECOMMENDATIONS (listed by Testing Results)
The usage of DAVID is a privilege and not a right, and by being granted access to its confidential
data at no charge, the City and its designated staff agree to strictly comply with all the MOU terms
or jeopardize future usage. Given these facts, and assuming that the DHSMV allows the City to
continue using DAVID, the City's Chief Financial Officer and the Interim Parking Director or their
designees should immediately implement the following recommendations to resolve the
deficiencies identified in this report in Testing Results 1 through 6 above:
1. All DAVID users, including those in the Parking Department:
a. Should record all searches performed in the manual log. Its entries must also include
any done in error (i.e. misspelling a name, transposing numbers, etc. while
conducting work-related searches).
b. The Parking and Finance Departments should consult with the City's Information
Technology Department as to the root cause for the breaks in the "ID inquiry" number
interval sequence so that this problem can be corrected to ensure that the number
of searches in the manual log equals the count in the DAVID audit log.
c. Parking and Finance Department management should periodically compare the
search counts in the two logs, promptly investigate the differences, and document
the results.
2. No deficiencies noted in the testing performed.
3. A test regarding searches performed by employees on their scheduled weekdays off should
be conducted and documented to determine whether the searches were work-related.
4. Timely prepare QQCRRs within 10 days after the end of each quarter and sufficiently
document the review processes performed.
5. Regarding the annual Certification Statements and the Standard Operating Procedures:
a. Timely prepare and submit the annual Certification Statement to the DHSMV before
its due date of 45 days following each MOU anniversary.
b. The SOP should be reviewed, revised as necessary, and approved by a Risk
Management I.T. Security professional.
c. The Agency Head (City Manager or his designee) should confirm that all the criteria
listed on the Annual Certification Statement are satisfied as signing the document is
an oath under the penalty of perjury.
6. Designated Parking and Finance Department personnel should immediately inactivate
DAVID users upon termination or determination of negligent, improper, or unauthorized use,
or within five days upon reassignment of the employee.
PARKING AND FINANCE DEPARTMENT RESPONSES (listed by testing results):
The DAVID database, similar to many of our City databases, has an internal built-in audit log which
records each search. The IG Office has requested the Parking Department and Customer Service
maintain a redundant manual log of all searches. There are occurrences when a search is
conducted and a name is inadvertently misspelled or a number is transposed. In such an instance
where a name is misspelled and retyped, the audit log will have two searches, while the manual log
has recorded one entry, resulting in a finding from the OIG. If use of the DAVID database is
continued, the team will manually record all searches, including those which contain typos.
1. No deficiencies noted by the OIG.
2. The database access and internal controls review performed by the OIG found that our staff
accessed the DAVID database on scheduled days off. If you recall, our team is staffed
100% by salaried employees (Unclassified Ranks) and work until the job gets done, which
includes our team working to meet Residential Parking deadlines, even on their days off.
3. Staff was unaware that Quarterly Quality Control Review Reports were to be completed
within 10 days after the end of each quarter. If the DAVID system is continued to be utilized,
reports will be completed timely.
4. If use of the DAVID system is continued, annual Certificate Statements will be reviewed by
the agency head and submitted timely, and standard operating procedures will be updated
as necessary.
5. Three former employees were inactivated from the DAVID system three, five and ten days
after their termination date. This occurred because the employee responsible for
inactivating users was out of the office on leave when the three employees were
terminated. In order to avoid a delay in inactivating users in the future, an additional
supervisor was trained as a back-up for this function.
After discussions with the Parking Department and Finance Department, the Administration is
recommending the City of Miami Beach Residential Parking Program discontinue use of the Florida
Department of Motor Vehicles' Driver and Vehicle Information Database System (DAVID) provided
by the Florida Department of Highway Safety and Motor Vehicles (DHSMV).
The DAVID system is used for license plate verifications for parking permits and/or residential
discounts when residents do not have all of their required back-up documentation, or their
documentation is dubious. Very few staff members in the Parking Department and Finance
Customer Service Section have access to this database. In addition to Parking and Finance, the
Police Department also uses the DAVID system.
Prior to 2017, Parking and Customer Service did not use the DAVID system. If a parking customer
provides the necessary documentation to verify vehicle ownership, there should be no need for City
staff to have the DAVID database. Parking and Customer Service believe duties can be performed
without the DAVID system, as its benefits are marginal.
After reassessing our operational needs, we recommend the MOU not be renewed and the Parking
Department and Customer Service discontinue use of the DAVID database.
INFORMATION SYSTEMS DEPARTMENT RESPONSE (listed by testing results)
1. I.T. concurs with the decision of DAVID's discontinued usage. If the Parking Department
decides to keep access to DAVID, we will set the manual log to only be editable by an I.T.
DBA - to include deletions and updates.
Reference the creation of a database application (manual log), see attached supporting
documentation showing the two occurrences of the increment in the DavidInquiryID column.
Analysis of the data shows:
• The elapsed time in the inInsertedDate is minimum compared to the total number of
searches that were manually logged per month.
• The amount of transaction on the gap does not correspond on the daily average of
production transactions.
• The records for year 2020 look consistent with the workload.
• Data suggests the gap may have been due to the effect of the reseed command
executed as part of a database optimization task.
• There is no evidence that the log entry was manually altered, or production data has
been manually deleted.
Gap 1
DavidInquiryID  Approved  Comment  Inserted By  Inserted Date    Reason
2897            1         NULL     FINAAguJ     1/27/2020 17:37  Check DAVID
3897            0         NULL     FINARomP     1/28/2020 15:05  License plate not found in system
Difference: 22 Hours
Gap 2
DavidInquiryID  Approved  Comment  Inserted By  Inserted Date    Reason
4291            1         NULL     FINACueN     4/16/2020 13:13  Check DAVID
5290            1         NULL     FINACueN     4/17/2020 8:15   Check DAVID
Difference: 19 Hours
Year 2020 records per Month
Month  Records
1 188
2 165
3 183
4 59
5 103
6 100
7 51
8 49
9 106
10 121
11 125
12 137
Completed by:
Chief Auditor
cc: Raul J. Aguila, Interim City Manager
Eric Carpenter, Assistant City Manager
Mark Taxis, Assistant City Manager
John Woodruff, Chief Financial Officer
Monica Beltran, Acting Parking Department Director
Chris Sarandos, Chief Information Officer
OFFICE OF THE INSPECTOR GENERAL, City of Miami Beach
1130 Washington Avenue, 6th Floor, Miami Beach, FL 33139
Tel: 305.673.7020 • Fax: 305.587.2401 • Hotline: 786.897.1111
Email: CityofMiamiBeachOIG@miamibeachfl.gov
Website: www.mbinspectorgeneral.com