Michigan Office of the
Auditor General

Thomas H. McTavish, C.P.A.
Auditor General

EXECUTIVE DIGEST #2755001
INFORMATION TECHNOLOGY SERVICES AND THE AUTOMATED INFORMATION SYSTEMS

INTRODUCTION
This report, issued in July 2002, contains the results of our performance audit of Information Technology Services and the Automated Information Systems, Bureau of State Lottery, Department of Treasury.

AUDIT PURPOSE
This performance audit was conducted as part of the constitutional responsibility of the Office of the Auditor General. Performance audits are conducted on a priority basis related to the potential for improving effectiveness and efficiency.

BACKGROUND
Information technology services are the responsibility of the Planning and Operations Division of the Bureau of State Lottery, Department of Treasury. The Division provides for the planning, testing, and evaluation of all on-line games and instant games; provides direct support for lottery retailers and all lottery retailer licensing functions; and provides all end-user computer support for the Bureau. The Division's mission is to ensure that all services, standards, policies, and procedures fully satisfy the business information processing requirements of the Bureau.

The Bureau contracts with a third party vendor to provide the front-end communications network and gaming system for the State's lottery. The Bureau's contractor is responsible for: installing and maintaining retailer sales terminals; maintaining a hot backup and recovery site for both itself and the Bureau; running the distribution warehouse for instant tickets, on-line game supplies, and other retailer supplies; tracking all game processing transactions, including sales, rejections, cancellations, redemptions, and other validation attempts; calculating the retailer invoices weekly; and reporting to management. For fiscal year 2000-01, the Bureau and its contractor processed approximately $1.6 billion in ticket sales through their information systems.

The Bureau's information technology services function had expenditures of approximately $2.5 million and authorization for 38 full-time equated positions in fiscal year 2000-01.

AUDIT OBJECTIVES, CONCLUSIONS, AND NOTEWORTHY ACCOMPLISHMENTS
Audit Objective: To assess the effectiveness of general controls over the management and security of information processing.

Conclusion: The Bureau's general controls over the management and security of information processing were reasonably effective. However, we noted reportable conditions related to a comprehensive information systems security program, operating system access controls, operating system configuration, database access controls, program change controls, and third party service organization audits (Findings 1 through 6).

Noteworthy Accomplishments: The Bureau developed a comprehensive disaster recovery plan for its automated information systems. A documented disaster recovery plan is essential for ensuring continued operations in the event of a disruption. The Bureau's disaster recovery plan identified resources needed to recover from minor disruptions, such as the failure of a server, as well as major disasters that would require the Bureau to reestablish services at a backup location. During our audit, the Bureau conducted tests of its disaster recovery plan. We were informed that the Bureau was able to successfully restore operations at its backup site.

In addition, the Bureau established a quality assurance test laboratory. The Bureau uses the test laboratory to test program changes and new implementations of on-line and instant games prior to their release to the public. The test laboratory contains all of the hardware and software that the Bureau needs to replicate retailer sales activity and Bureau operations. Through the use of test plans and scripted procedures, the Bureau compares actual with expected test results to ensure that the games are functioning properly.

Audit Objective: To assess the internal control and effectiveness of data input, processing, and output controls over the automated information systems.

Conclusion: The Bureau's internal control over the automated information systems was reasonably effective. However, we noted a reportable condition related to application access controls (Finding 7).

AUDIT SCOPE AND METHODOLOGY
Our audit scope was to examine the information processing and other records of the Bureau of State Lottery's automated information systems. Our audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States and, accordingly, included such tests of the records and such other auditing procedures as we considered necessary in the circumstances.

Our methodology included examination of the Bureau's and its contractor's information processing and other records for the period April 1999 through March 2002. Our methodology also included performing a risk assessment of the Bureau's and its contractor's automated information systems. We used this assessment to determine which systems to audit and the extent of our detailed analysis and testing. We reviewed the internal control over the Gaming System, On-Line Games System, Instant Games System, Financial System, and Retailer Licensing System pertaining to: (1) general controls, which included management and organization controls, program change controls, local area network controls, and database controls, and (2) application controls, which included data input, processing, and output controls. We evaluated the results of our testing and reported our findings.

AGENCY RESPONSES
Our audit report contains 7 findings and 7 corresponding recommendations. The agency preliminary response indicates that the Bureau agreed with all the recommendations; however, it disagreed with Recommendation 1 as it relates to part b. of the finding.

Full Audit Report - #2755001 - INFORMATION TECHNOLOGY SERVICES AND THE AUTOMATED INFORMATION SYSTEMS



This page was created on July 19, 2002.