AUTOMATED INFORMATION SYSTEMS

Michigan Office of the
Auditor General
Thomas H. McTavish, C.P.A.
Auditor General

EXECUTIVE DIGEST #2759099
AUTOMATED INFORMATION SYSTEMS

INTRODUCTION
This report, issued in June 2000, contains the results of our performance audit of the Automated Information Systems, Department of Treasury.

AUDIT PURPOSE
This performance audit was conducted as part of the constitutional responsibility of the Office of the Auditor General. Performance audits are conducted on a priority basis related to the potential for improving effectiveness and efficiency.

BACKGROUND
The Information Technology Services Division's (ITSD's) function is to develop, implement, and operate the Department's automated information systems and to provide assistance with these functions. ITSD provides data processing services to the Department. These services include local area network (LAN) administration, system development and modifications, and microcomputer support. For fiscal year 1998-99, ITSD had appropriations of $11,550,000 and was authorized 167 full-time equated positions.

The Joint Electronic Filing (JELF) System and the RECON-Plus System are information processing systems. The Department uses the JELF System to process, store, and retrieve electronic tax returns. For tax year 1998, the Department processed approximately 621,000 electronic returns, a 46% increase over 1997. The Department uses the RECON-Plus System to reconcile bank accounts with the State's accounting records. For the month of June 1999, RECON-Plus processed approximately 850,000 transactions to reconcile a cash balance of approximately $3 billion.

AUDIT OBJECTIVES AND CONCLUSIONS
Audit Objective: To assess the effectiveness of the Department's general controls over the management, security, and program changes of its LAN-based automated information systems.

Conclusion: The Department's general controls over management, security, and program changes of its LAN-based automated information systems were limited in their effectiveness and should be improved. Our assessment did not disclose any material conditions; however, we noted reportable conditions related to a comprehensive information systems security program, LAN user access controls, LAN physical security controls, LAN backup and recovery controls, software licensing agreements controls, and program change controls (Findings 1 through 6).

Audit Objective: To assess the effectiveness of the Department's internal control over the information system that supports electronic filing of tax returns.

Conclusion: The Department's internal control over information systems that support electronic filing was reasonably effective. Our assessment did not disclose any material conditions; however, we noted reportable conditions related to JELF access controls and software approval procedures (Findings 7 and 8).

Audit Objective: To assess the effectiveness and efficiency of the Department's internal control over the information system used to reconcile bank accounts with the State's accounting records.

Conclusion: The internal control over the Department's system used to reconcile bank accounts with the State's accounting records was reasonably effective. Our assessment did not disclose any material conditions; however, we noted reportable conditions related to RECON-Plus user access controls and RECON-Plus system documentation (Findings 9 and 10).

AUDIT SCOPE AND METHODOLOGY
Our audit scope was to examine the information processing and other records of the Automated Information Systems. Our audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States and, accordingly, included such tests of the records and such other auditing procedures as we considered necessary in the circumstances.

Our methodology included examination of the Department's information processing and other records primarily for the period October 1998 through August 1999. Also, we identified the Department's automated information systems and performed a risk assessment of each system. We used this assessment to determine the systems to audit and the extent of our detailed analysis and testing. We performed an assessment of internal control pertaining to (a) general controls over the management, security, and program changes of LAN-based systems, and (b) application controls over the JELF System and the RECON-Plus System. We evaluated and reported on the results of our testing.

AGENCY RESPONSES
Our audit report contains 10 findings and 10 corresponding recommendations. The Department's preliminary response indicated that it agreed with all of the recommendations.

Full Audit Report - #2759099 - AUTOMATED INFORMATION SYSTEMS

Documents prefaced by require the Adobe Acrobat Reader®, a free application available on the Adobe homepage.

This page was created on June 9, 2000.


INTRODUCTION This report, issued in June 2000, contains the results of our performance audit of the Automated Information Systems, Department of Treasury.

AUDIT PURPOSE This performance audit was conducted as part of the constitutional responsibility of the Office of the Auditor General. Performance audits are conducted on a priority basis related to the potential for improving effectiveness and efficiency.

BACKGROUND The Information Technology Services Division's (ITSD's) function is to develop, implement, and operate the Department's automated information systems and to provide assistance with these functions. ITSD provides data processing services to the Department. These services include local area network (LAN) administration, system development and modifications, and microcomputer support. For fiscal year 1998-99, ITSD had appropriations of $11,550,000 and was authorized 167 full-time equated positions. The Joint Electronic Filing (JELF) System and the RECON-Plus System are information processing systems. The Department uses the JELF System to process, store, and retrieve electronic tax returns. For tax year 1998, the Department processed approximately 621,000 electronic returns, a 46% increase over 1997. The Department uses the RECON-Plus System to reconcile bank accounts with the State's accounting records. For the month of June 1999, RECON-Plus processed approximately 850,000 transactions to reconcile a cash balance of approximately $3 billion.

AUDIT OBJECTIVES AND CONCLUSIONS Audit Objective: To assess the effectiveness of the Department's general controls over the management, security, and program changes of its LAN-based automated information systems. Conclusion: The Department's general controls over management, security, and program changes of its LAN-based automated information systems were limited in their effectiveness and should be improved. Our assessment did not disclose any material conditions; however, we noted reportable conditions related to a comprehensive information systems security program, LAN user access controls, LAN physical security controls, LAN backup and recovery controls, software licensing agreements controls, and program change controls (Findings 1 through 6). Audit Objective: To assess the effectiveness of the Department's internal control over the information system that supports electronic filing of tax returns. Conclusion: The Department's internal control over information systems that support electronic filing was reasonably effective. Our assessment did not disclose any material conditions; however, we noted reportable conditions related to JELF access controls and software approval procedures (Findings 7 and 8). Audit Objective: To assess the effectiveness and efficiency of the Department's internal control over the information system used to reconcile bank accounts with the State's accounting records. Conclusion: The internal control over the Department's system used to reconcile bank accounts with the State's accounting records was reasonably effective. Our assessment did not disclose any material conditions; however, we noted reportable conditions related to RECON-Plus user access controls and RECON-Plus system documentation (Findings 9 and 10).

AUDIT SCOPE AND METHODOLOGY Our audit scope was to examine the information processing and other records of the Automated Information Systems. Our audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States and, accordingly, included such tests of the records and such other auditing procedures as we considered necessary in the circumstances. Our methodology included examination of the Department's information processing and other records primarily for the period October 1998 through August 1999. Also, we identified the Department's automated information systems and performed a risk assessment of each system. We used this assessment to determine the systems to audit and the extent of our detailed analysis and testing. We performed an assessment of internal control pertaining to (a) general controls over the management, security, and program changes of LAN-based systems, and (b) application controls over the JELF System and the RECON-Plus System. We evaluated and reported on the results of our testing.

AGENCY RESPONSES Our audit report contains 10 findings and 10 corresponding recommendations. The Department's preliminary response indicated that it agreed with all of the recommendations.