AUTOMATED INFORMATION SYSTEMS

Michigan Office of the
Auditor General
Thomas H. McTavish, C.P.A.
Auditor General

EXECUTIVE DIGEST #5159000
AUTOMATED INFORMATION SYSTEMS

INTRODUCTION
This report, issued in December 2000, contains the results of our performance audit of the Automated Information Systems, Department of Military and Veterans Affairs.

AUDIT PURPOSE
This performance audit was conducted as part of the constitutional responsibility of the Office of the Auditor General. Performance audits are conducted on a priority basis related to the potential for improving effectiveness and efficiency.

BACKGROUND
The Directorate of Information Management (DOIM) provides computer services to the Department's headquarters. DOIM reports to the Department's Office of the Director and the Adjutant General. The mission of DOIM is to provide the Department's headquarters with reliable voice and data communications services that meet or exceed service levels established by the director. These include wide area network (WAN) connectivity, network management, electronic messaging administration, and voice systems. As of March 31, 2000, DOIM had 7 State employees. In addition, DOIM had 20 federal employees responsible for the administration and maintenance of the Department's federal networks.

The Grand Rapids Home for Veterans and the D.J. Jacobetti Home for Veterans are responsible for providing domiciliary care and nursing care to veterans of the State and to widows, widowers, spouses, former spouses, and parents of State veterans.

The Homes each have an information systems unit that is responsible for providing computer services to the Home. Some of the services provided include purchasing, installing, and maintaining hardware and software and managing the Homes' local area networks (LANs).

AUDIT OBJECTIVES AND CONCLUSIONS
Audit Objective: To assess the effectiveness of the Department's LANs and end-user computing (EUC) in providing reliable and secure information.

Conclusion: The Department's LANs and EUC were reasonably effective in providing reliable and secure information. However, we noted reportable conditions related to a security program, LAN access controls, LAN backup and recovery controls, LAN administrator training, and policies and procedures (Findings 1 through 5).

Audit Objective: To assess internal control and the effectiveness of input, processing, and output controls over the Department's automated information systems.

Conclusion: Internal control over the Department's automated information systems was reasonably effective. However, we noted a reportable condition related to system application controls (Finding 6).

AUDIT SCOPE AND METHODOLOGY
Our audit scope was to examine the information processing and other records of the Department of Military and Veterans Affairs' automated information systems. Our audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States and, accordingly, included such tests of the records and such other auditing procedures as we considered necessary in the circumstances.

Our methodology included examination of the Department's information processing and other records for the period August 1999 through March 2000. Our methodology also included identifying the Department's automated information systems and performing a risk assessment of each system. We used this assessment to determine the systems to audit and the extent of our detailed analysis and testing. We performed an assessment of internal control pertaining to (a) general controls for the Department's LAN, which included network administration, physical security, access, and management controls; and (b) application controls for the Accumax System, MDI System, Census System, and Finance System, which included data input, data processing, and data output controls.

AGENCY RESPONSES
Our audit report contains 6 findings and 6 corresponding recommendations. The Department's preliminary response indicated that it agreed with all of the findings.

Full Audit Report - #5159000 - AUTOMATED INFORMATION SYSTEMS

Documents prefaced by require the Adobe Acrobat Reader®, a free application available on the Adobe homepage.

This page was created on December 20, 2000.


INTRODUCTION This report, issued in December 2000, contains the results of our performance audit of the Automated Information Systems, Department of Military and Veterans Affairs.

AUDIT PURPOSE This performance audit was conducted as part of the constitutional responsibility of the Office of the Auditor General. Performance audits are conducted on a priority basis related to the potential for improving effectiveness and efficiency.

BACKGROUND The Directorate of Information Management (DOIM) provides computer services to the Department's headquarters. DOIM reports to the Department's Office of the Director and the Adjutant General. The mission of DOIM is to provide the Department's headquarters with reliable voice and data communications services that meet or exceed service levels established by the director. These include wide area network (WAN) connectivity, network management, electronic messaging administration, and voice systems. As of March 31, 2000, DOIM had 7 State employees. In addition, DOIM had 20 federal employees responsible for the administration and maintenance of the Department's federal networks. The Grand Rapids Home for Veterans and the D.J. Jacobetti Home for Veterans are responsible for providing domiciliary care and nursing care to veterans of the State and to widows, widowers, spouses, former spouses, and parents of State veterans. The Homes each have an information systems unit that is responsible for providing computer services to the Home. Some of the services provided include purchasing, installing, and maintaining hardware and software and managing the Homes' local area networks (LANs).

AUDIT OBJECTIVES AND CONCLUSIONS Audit Objective: To assess the effectiveness of the Department's LANs and end-user computing (EUC) in providing reliable and secure information. Conclusion: The Department's LANs and EUC were reasonably effective in providing reliable and secure information. However, we noted reportable conditions related to a security program, LAN access controls, LAN backup and recovery controls, LAN administrator training, and policies and procedures (Findings 1 through 5). Audit Objective: To assess internal control and the effectiveness of input, processing, and output controls over the Department's automated information systems. Conclusion: Internal control over the Department's automated information systems was reasonably effective. However, we noted a reportable condition related to system application controls (Finding 6).

AUDIT SCOPE AND METHODOLOGY Our audit scope was to examine the information processing and other records of the Department of Military and Veterans Affairs' automated information systems. Our audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States and, accordingly, included such tests of the records and such other auditing procedures as we considered necessary in the circumstances. Our methodology included examination of the Department's information processing and other records for the period August 1999 through March 2000. Our methodology also included identifying the Department's automated information systems and performing a risk assessment of each system. We used this assessment to determine the systems to audit and the extent of our detailed analysis and testing. We performed an assessment of internal control pertaining to (a) general controls for the Department's LAN, which included network administration, physical security, access, and management controls; and (b) application controls for the Accumax System, MDI System, Census System, and Finance System, which included data input, data processing, and data output controls.

AGENCY RESPONSES Our audit report contains 6 findings and 6 corresponding recommendations. The Department's preliminary response indicated that it agreed with all of the findings.