Auditor General
Thomas H. McTavish, C.P.A.
Auditor General
|
Auditor General Thomas H. McTavish, C.P.A. Auditor General |
|
![[Up]](/images/arrw3u.gif){kind=small}
| ![[Left]](/images/arrw3l.gif)
![[Next]](/images/arrw3r.gif){kind=small}
|
| INTRODUCTION | This report, issued in July 1997, contains the results of our performance and financial related audit of the Automated Information Systems, Department of Natural Resources (DNR) and Department of Environmental Quality (DEQ). The financial related portion of our audit covered the period October 1, 1994 through December 31, 1996. |
|---|---|
| AUDIT PURPOSE | This performance and financial related audit was conducted as part of the constitutional responsibility of the Office of the Auditor General. Performance audits are conducted on a priority basis related to the potential for improving effectiveness and efficiency. Financial related audits are conducted at various intervals to permit the Auditor General to express an opinion on the State's financial statements. Also, this audit complements the departmentwide financial audit of DNR. |
| BACKGROUND | The Management Information Division (MID), DNR, provides data processing services to DNR and DEQ. These services include mainframe processing, local area network (LAN) administration, microcomputer support, wide area network support, and database administration. DNR and DEQ share one LAN. Effective October 1, 1995, DNR and DEQ moved from a centralized mainframe environment to an end-user computing environment. Included in this move was the permanent assignment of
MID's application development staff to DNR and DEQ divisions.
DNR implemented the Retail Sales System (RSS) to automatically process and issue hunting and fishing licenses and the Central Reservation System (CRS) to automatically process State park campground reservations. RSS and CRS were developed by computer software development firms. During fiscal year 1995-96, RSS and CRS processed approximately $39.3 million and $7.7 million, respectively, in revenue. DNR and DEQ use the Remittance Processing System (RPS) and the Accounts Receivable System (ARS) to record and process receipts and accounts receivable transactions. RPS and ARS were developed for DNR and DEQ by a computer software development firm. During fiscal year 1995-96, RPS and ARS processed approximately $250 million in receipts and $87 million in invoices, respectively. DNR also developed and implemented the Trust Fund Tracking System (TFTS). DNR uses TFTS to process grants to local units of government. DEQ developed and implemented the Permit Application Submittal System (PASS) and the Permit Toolkit System (PTS). DEQ uses PASS and PTS to prepare and process renewable operating permits. |
| AUDIT OBJECTIVES AND CONCLUSIONS | Audit Objective: To assess the effectiveness of DNR's and DEQ's LAN and end-user computing (EUC) in providing reliable and secure information.
Conclusion: DNR's and DEQ's LAN and EUC were reasonably effective in providing reliable and secure information. However, we noted seven reportable conditions that DNR and DEQ should correct to improve the reliability and security of information. These conditions relate to management oversight of automated information systems, data processing security, ARS and RPS security, usercode and password security, LAN access controls, LAN backup controls, and system development methodology and documentation controls. (Findings 1 through 7). Audit Objective: To assess the effectiveness of DNR's internal control structure over RSS to ensure that it completely processed only authorized data in a prompt and accurate manner. Conclusion: DNR's internal control structure over RSS did not ensure that it completely processed only authorized data in a prompt and accurate manner. Our assessment disclosed one material condition:
Audit Objective: To assess the effectiveness of DNR's internal control structure over CRS to ensure that it completely processed only authorized data in a prompt and accurate manner. Conclusion: DNR's internal control structure over CRS had limited effectiveness in ensuring that it completely processed only authorized data in a prompt and accurate manner. We noted eight reportable conditions that DNR should correct to strengthen the internal control structure over CRS. These conditions relate to reconciliation of CRS revenue, CRS processing controls, CRS and Park Database effectiveness and efficiency, CRS and Park Database security, CRS contractor billings, park staff training, and CRS user group (Findings 12 through 18). Noteworthy Accomplishments: DNR has taken steps to address the conditions identified in this audit report, including the selection of a new reservation contractor and the relocation of the CRS file server*. After implementation, the internal control structure should be reasonably effective in ensuring that CRS completely processes only authorized data in a prompt and accurate manner. |
| AUDIT SCOPE AND METHODOLOGY | Our audit scope was to examine the information processing and other records of the Department of Natural Resources' and the Department of Environmental Quality's automated information systems. Also, our audit scope was to examine the financial related records for the period October 1, 1994 through December 31, 1996. Our audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States and, accordingly, included such tests of the records and such other auditing procedures as we considered necessary in the circumstances.
Our methodology included examining DNR's and DEQ's information processing and other records for the period October 1, 1994 through December 31, 1996. Our methodology also included developing a preliminary assessment of DNR's and DEQ's automated information systems. We then analyzed the information and determined where to concentrate our detailed analysis and testing. We designed tests of the control structure and performed those tests to meet our audit objectives. We evaluated the results of our testing and reported our findings. |
| AGENCY RESPONSES AND PRIOR AUDIT FOLLOW-UP | Our report contains 18 findings and 19 corresponding recommendations. DEQ's agency preliminary response indicated that DEQ has complied or will comply with 6 of the 6 recommendations that pertain to DEQ. DNR's agency preliminary response indicated that DNR has complied or will comply with 17 of the recommendations. DNR disagreed with 2 recommendations. DNR's preliminary response is included in its entirety in the agency preliminary responses section of this report. An Auditor General epilogue is incorporated within the DNR preliminary response for selected issues.
DNR and DEQ had complied with 12 of the 17 prior audit recommendations included within the scope of our current audit. We repeated 1 and rewrote 4 prior audit recommendations for inclusion in this report. |
|
|
|