Michigan Information Processing Center

Michigan Office of the
Auditor General
Thomas H. McTavish, C.P.A.
Auditor General

EXECUTIVE DIGEST #0759597
Michigan Information Processing Center

INTRODUCTION
This report, issued in December 1998, contains the results of our performance and financial related audit of the Michigan Information Processing Center (MIPC), Department of Management and Budget. The financial related portion of our audit covered the period June 1 through October 31, 1997.

AUDIT PURPOSE
This performance and financial related audit was conducted as part of the constitutional responsibility of the Office of the Auditor General. Performance audits are conducted on a priority basis related to the potential for improving effectiveness and efficiency. Financial related audits are conducted at various intervals to permit the Auditor General to express an opinion on the State's financial statements. Also, this audit complements our financial audits of State agencies and the State of Michigan Comprehensive Annual Financial Report.

BACKGROUND
MIPC is the State's consolidated data center. MIPC was established by Executive Order 1995-10 for the purpose of centralizing mainframe data processing for the State.

MIPC is responsible for providing mainframe computer processing equipment, software, and services for all State agencies.

MIPC supports the two mainframe operating environments, Unisys and Bull, used by State agencies. As of June 1996, all State agencies operating on the Unisys system, with the exception of the Michigan Department of State Police and the Bureau of State Lottery, had "migrated" their applications to MIPC. Agencies operating on the Bull system completed their migration by September 1996.

MIPC had 84 full-time equated positions as of September 30, 1997. MIPC is funded entirely from the Information Technology Revolving Fund. During fiscal year 1996-97, MIPC had expenditures of approximately $26 million.

AUDIT OBJECTIVE, CONCLUSION, AND NOTEWORTHY ACCOMPLISHMENTS
Audit Objective: To assess the effectiveness of MIPC's general controls in providing a reliable and secure environment for the operation of the State's information systems.

Conclusion: MIPC's general controls were reasonably effective in providing a reliable and secure environment for the routine operation of the State's information systems. However, we noted one material condition that would preclude MIPC from providing a reliable and secure environment in the event of a disaster or other critical incident:

MIPC had not developed and tested a business resumption plan to ensure the continuity of information systems processing in the event of an interruption (Finding 1).

We were informed that MIPC did not agree with the judgment that this is a material condition. MIPC stated that, for the first time in the State's history, the State has duplicate mainframe computers, redundant communications, and the necessary technical support to ensure their continued operation. An actual disaster recovery/business resumption plan for the State Lottery was successfully conducted and documented. The MIPC operation, while a work in progress, still provides better disaster recovery/business resumption to State agencies than has existed at any time in history. Further, the central issue is one of the existence of paperwork versus documented capability. The paperwork needs to be developed, but the capability exists; therefore, the material condition judgment is not justified. MIPC expects the documentation to be completed by December 31, 2000.
We also noted five reportable conditions relating to MIPC's security risk assessments, access controls, monitoring of system activity, system software controls, and policies and procedures (Findings 2 through 6).

Noteworthy Accomplishments: Although MIPC had not performed a comprehensive risk assessment for all aspects of its operations, MIPC's technical support staff did perform a risk assessment of the Unisys operating system environment. The risk assessment identified potential control weaknesses associated with the Unisys production and development systems. This resulted in MIPC developing a corrective action plan to address the identified control weaknesses. During our fieldwork, MIPC completed or started working on most of the items identified in its corrective action plan.

Act 364, P.A. 1996, established a performance objective of having MIPC's services available to its users during 99% of fiscal year 1996-97. For the period that we reviewed (January through July 1997), MIPC had met the availability objective.

AUDIT SCOPE AND METHODOLOGY
Our audit scope was to examine the general controls and other information processing records of the Michigan Information Processing Center. Our audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States and, accordingly, included such tests of the records and such other auditing procedures as we considered necessary in the circumstances.

Our audit methodology included examining MIPC's information processing and other records for the period March 1994 through October 1997. We made a preliminary assessment of the general controls at MIPC. We then analyzed the information and determined where to concentrate our detailed testing. We designed tests of the general controls and performed those tests to meet our audit objective. We evaluated the results of our testing and reported our findings.

AGENCY RESPONSES
Our report contains 6 findings and 9 corresponding recommendations. The agency preliminary response indicated that MIPC would comply with all 9 of the recommendations; however, it did not agree with the classification of Finding 1 as a material condition.

Full Audit Report - #0759597 - Michigan Information Processing Center

Documents prefaced by require the Adobe Acrobat Reader®, a free application available on the Adobe homepage.

This page was created on December 10, 1998.


INTRODUCTION This report, issued in December 1998, contains the results of our performance and financial related audit of the Michigan Information Processing Center (MIPC), Department of Management and Budget. The financial related portion of our audit covered the period June 1 through October 31, 1997.

AUDIT PURPOSE This performance and financial related audit was conducted as part of the constitutional responsibility of the Office of the Auditor General. Performance audits are conducted on a priority basis related to the potential for improving effectiveness and efficiency. Financial related audits are conducted at various intervals to permit the Auditor General to express an opinion on the State's financial statements. Also, this audit complements our financial audits of State agencies and the State of Michigan Comprehensive Annual Financial Report.

BACKGROUND MIPC is the State's consolidated data center. MIPC was established by Executive Order 1995-10 for the purpose of centralizing mainframe data processing for the State. MIPC is responsible for providing mainframe computer processing equipment, software, and services for all State agencies. MIPC supports the two mainframe operating environments, Unisys and Bull, used by State agencies. As of June 1996, all State agencies operating on the Unisys system, with the exception of the Michigan Department of State Police and the Bureau of State Lottery, had "migrated" their applications to MIPC. Agencies operating on the Bull system completed their migration by September 1996. MIPC had 84 full-time equated positions as of September 30, 1997. MIPC is funded entirely from the Information Technology Revolving Fund. During fiscal year 1996-97, MIPC had expenditures of approximately $26 million.

AUDIT OBJECTIVE, CONCLUSION, AND NOTEWORTHY ACCOMPLISHMENTS Audit Objective: To assess the effectiveness of MIPC's general controls in providing a reliable and secure environment for the operation of the State's information systems. Conclusion: MIPC's general controls were reasonably effective in providing a reliable and secure environment for the routine operation of the State's information systems. However, we noted one material condition that would preclude MIPC from providing a reliable and secure environment in the event of a disaster or other critical incident: MIPC had not developed and tested a business resumption plan to ensure the continuity of information systems processing in the event of an interruption (Finding 1). We were informed that MIPC did not agree with the judgment that this is a material condition. MIPC stated that, for the first time in the State's history, the State has duplicate mainframe computers, redundant communications, and the necessary technical support to ensure their continued operation. An actual disaster recovery/business resumption plan for the State Lottery was successfully conducted and documented. The MIPC operation, while a work in progress, still provides better disaster recovery/business resumption to State agencies than has existed at any time in history. Further, the central issue is one of the existence of paperwork versus documented capability. The paperwork needs to be developed, but the capability exists; therefore, the material condition judgment is not justified. MIPC expects the documentation to be completed by December 31, 2000. We also noted five reportable conditions relating to MIPC's security risk assessments, access controls, monitoring of system activity, system software controls, and policies and procedures (Findings 2 through 6). Noteworthy Accomplishments: Although MIPC had not performed a comprehensive risk assessment for all aspects of its operations, MIPC's technical support staff did perform a risk assessment of the Unisys operating system environment. The risk assessment identified potential control weaknesses associated with the Unisys production and development systems. This resulted in MIPC developing a corrective action plan to address the identified control weaknesses. During our fieldwork, MIPC completed or started working on most of the items identified in its corrective action plan. Act 364, P.A. 1996, established a performance objective of having MIPC's services available to its users during 99% of fiscal year 1996-97. For the period that we reviewed (January through July 1997), MIPC had met the availability objective.

AUDIT SCOPE AND METHODOLOGY Our audit scope was to examine the general controls and other information processing records of the Michigan Information Processing Center. Our audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States and, accordingly, included such tests of the records and such other auditing procedures as we considered necessary in the circumstances. Our audit methodology included examining MIPC's information processing and other records for the period March 1994 through October 1997. We made a preliminary assessment of the general controls at MIPC. We then analyzed the information and determined where to concentrate our detailed testing. We designed tests of the general controls and performed those tests to meet our audit objective. We evaluated the results of our testing and reported our findings.

AGENCY RESPONSES Our report contains 6 findings and 9 corresponding recommendations. The agency preliminary response indicated that MIPC would comply with all 9 of the recommendations; however, it did not agree with the classification of Finding 1 as a material condition.