TECHNOLOGY SERVICES AND THE AUTOMATED INFORMATION SYSTEMS

Michigan Office of the
Auditor General
Thomas H. McTavish, C.P.A.
Auditor General

EXECUTIVE DIGEST #3159400
TECHNOLOGY SERVICES AND THE AUTOMATED INFORMATION SYSTEMS

INTRODUCTION
This report, issued in May 2001, contains the results of our performance audit of Technology Services and the Automated Information Systems, Department of Education.

AUDIT PURPOSE
This performance audit was conducted as part of the constitutional responsibility of the Office of the Auditor General. Performance audits are conducted on a priority basis related to the potential for improving effectiveness and efficiency.

BACKGROUND
Technology Services (formerly known as Data, Research, and Technology Services), headed by the chief information officer, provides data processing services to the Department. The mission of Technology Services is to provide leadership and technology services that continually improve the quality, accessibility, and use of electronic information to meet the needs of government agencies, schools, and the Michigan education community. Some of the primary responsibilities of Technology Services include providing local area network (LAN) and technical services, ensuring that all applications run smoothly in the client-server and data warehouse environment, coordinating training and technical support for the Department's users, and developing and maintaining the Department's Internet and intranet web pages.

During our audit period, the Department moved its automated systems off the mainframe computer and onto its LAN as client-server systems. The Grant Accounting System, Federal Letter of Credit System, J20 System for Food and Nutrition Programs (J20 System), and State Aid Management System (SAMS) are examples of systems that were moved to the LAN.

Executive Order 2000-9 established the Center for Educational Performance and Information as a temporary agency. Among its other responsibilities, this agency will be responsible for establishing a single repository of educational data that will replace the Education Data Network and the K-12 Database.

For fiscal year 1999-2000, Technology Services had appropriations of approximately $6.4 million and was authorized 37.2 full-time equated positions.

AUDIT OBJECTIVES, CONCLUSIONS, AND NOTEWORTHY ACCOMPLISHMENTS
Audit Objective: To assess the effectiveness of the Department's general controls over the management, development, and security of its automated information systems.

Conclusion: The Department's general controls over the management, development, and security of its automated information systems were limited in their effectiveness and should be improved. Our assessment disclosed two material conditions:

The Department had not established a comprehensive information systems security program (Finding 1).

The Department agreed with the corresponding recommendation and informed us that many improvements to security have already been implemented and further improvements will be made.
The Department had not established effective program change controls (Finding 8).

The Department agreed with the corresponding recommendation and informed us that it is in the process of establishing effective program change controls.
In addition, we identified reportable conditions related to the effectiveness of information technology, technology services organization and staffing, LAN access controls, physical security controls, standardization and documentation of network configuration, system development methodology and system documentation, LAN backup and recovery controls, and business resumption plan (Findings 2 through 7, 9, and 10).

Audit Objective: To assess the effectiveness of the Department's internal control over its automated information systems.

Conclusion: The Department's internal control over its automated information systems was generally effective. We determined that data was accurately processed by the automated information systems and that, in general, payments were properly calculated and paid to the recipients. However, we identified reportable conditions regarding system access controls, SAMS processing controls, completeness and accuracy of processing, and audit trails (Findings 11 through 14).

Noteworthy Accomplishments: We conducted a survey of a sample of school districts to obtain their opinions about the Grant Accounting System, J20 System, and SAMS. The survey disclosed that the school districts were generally satisfied with the systems. The survey also disclosed that the school districts were very satisfied with the timeliness with which payments were received.

AUDIT SCOPE AND METHODOLOGY
Our audit scope was to examine the information processing and other records of the Department of Education's automated information systems. Our audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States and, accordingly, included such tests of the records and such other auditing procedures as we considered necessary in the circumstances.Our methodology included examination of the Department's information processing and other records for the period October 1, 1998 through September 30, 2000.

Our methodology also included developing a preliminary risk assessment of Technology Services and the automated information systems. We used this assessment to determine which systems to audit and the extent of our detailed analysis and testing. We reviewed internal control over the Grant Accounting System, Federal Letter of Credit System, J20 System, and SAMS pertaining to (a) general controls, which included management and organization controls, system development and documentation controls, program change controls, and LAN controls, and (b) application controls, which included data input, data processing, and data output controls.

AGENCY RESPONSES AND PRIOR AUDIT FOLLOW-UP
Our audit report contains 14 findings and 15 corresponding recommendations. The agency preliminary response indicates that the Department agreed with all of the recommendations.

The Department complied with 2 of the 10 prior audit recommendations included within the scope of our current audit. We repeated 2 prior audit recommendations in this report (Findings 1 and 10) and 6 were rewritten for inclusion in this report.

Full Audit Report - #3159400 - TECHNOLOGY SERVICES AND THE AUTOMATED INFORMATION SYSTEMS

Documents prefaced by require the Adobe Acrobat Reader®, a free application available on the Adobe homepage.

This page was created on May 25, 2001.


INTRODUCTION This report, issued in May 2001, contains the results of our performance audit of Technology Services and the Automated Information Systems, Department of Education.

AUDIT PURPOSE This performance audit was conducted as part of the constitutional responsibility of the Office of the Auditor General. Performance audits are conducted on a priority basis related to the potential for improving effectiveness and efficiency.

BACKGROUND Technology Services (formerly known as Data, Research, and Technology Services), headed by the chief information officer, provides data processing services to the Department. The mission of Technology Services is to provide leadership and technology services that continually improve the quality, accessibility, and use of electronic information to meet the needs of government agencies, schools, and the Michigan education community. Some of the primary responsibilities of Technology Services include providing local area network (LAN) and technical services, ensuring that all applications run smoothly in the client-server and data warehouse environment, coordinating training and technical support for the Department's users, and developing and maintaining the Department's Internet and intranet web pages. During our audit period, the Department moved its automated systems off the mainframe computer and onto its LAN as client-server systems. The Grant Accounting System, Federal Letter of Credit System, J20 System for Food and Nutrition Programs (J20 System), and State Aid Management System (SAMS) are examples of systems that were moved to the LAN. Executive Order 2000-9 established the Center for Educational Performance and Information as a temporary agency. Among its other responsibilities, this agency will be responsible for establishing a single repository of educational data that will replace the Education Data Network and the K-12 Database. For fiscal year 1999-2000, Technology Services had appropriations of approximately $6.4 million and was authorized 37.2 full-time equated positions.

AUDIT OBJECTIVES, CONCLUSIONS, AND NOTEWORTHY ACCOMPLISHMENTS Audit Objective: To assess the effectiveness of the Department's general controls over the management, development, and security of its automated information systems. Conclusion: The Department's general controls over the management, development, and security of its automated information systems were limited in their effectiveness and should be improved. Our assessment disclosed two material conditions: The Department had not established a comprehensive information systems security program (Finding 1). The Department agreed with the corresponding recommendation and informed us that many improvements to security have already been implemented and further improvements will be made. The Department had not established effective program change controls (Finding 8). The Department agreed with the corresponding recommendation and informed us that it is in the process of establishing effective program change controls. In addition, we identified reportable conditions related to the effectiveness of information technology, technology services organization and staffing, LAN access controls, physical security controls, standardization and documentation of network configuration, system development methodology and system documentation, LAN backup and recovery controls, and business resumption plan (Findings 2 through 7, 9, and 10). Audit Objective: To assess the effectiveness of the Department's internal control over its automated information systems. Conclusion: The Department's internal control over its automated information systems was generally effective. We determined that data was accurately processed by the automated information systems and that, in general, payments were properly calculated and paid to the recipients. However, we identified reportable conditions regarding system access controls, SAMS processing controls, completeness and accuracy of processing, and audit trails (Findings 11 through 14). Noteworthy Accomplishments: We conducted a survey of a sample of school districts to obtain their opinions about the Grant Accounting System, J20 System, and SAMS. The survey disclosed that the school districts were generally satisfied with the systems. The survey also disclosed that the school districts were very satisfied with the timeliness with which payments were received.

AUDIT SCOPE AND METHODOLOGY Our audit scope was to examine the information processing and other records of the Department of Education's automated information systems. Our audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States and, accordingly, included such tests of the records and such other auditing procedures as we considered necessary in the circumstances.Our methodology included examination of the Department's information processing and other records for the period October 1, 1998 through September 30, 2000. Our methodology also included developing a preliminary risk assessment of Technology Services and the automated information systems. We used this assessment to determine which systems to audit and the extent of our detailed analysis and testing. We reviewed internal control over the Grant Accounting System, Federal Letter of Credit System, J20 System, and SAMS pertaining to (a) general controls, which included management and organization controls, system development and documentation controls, program change controls, and LAN controls, and (b) application controls, which included data input, data processing, and data output controls.

AGENCY RESPONSES AND PRIOR AUDIT FOLLOW-UP Our audit report contains 14 findings and 15 corresponding recommendations. The agency preliminary response indicates that the Department agreed with all of the recommendations. The Department complied with 2 of the 10 prior audit recommendations included within the scope of our current audit. We repeated 2 prior audit recommendations in this report (Findings 1 and 10) and 6 were rewritten for inclusion in this report.