AUTOMATED INFORMATION SYSTEMS

Michigan Office of the
Auditor General
Thomas H. McTavish, C.P.A.
Auditor General

EXECUTIVE DIGEST #5959099
AUTOMATED INFORMATION SYSTEMS

INTRODUCTION
This report, issued in July 2000, contains the results of our performance and financial related audit of the Automated Information Systems, Michigan Department of Transportation (MDOT). The financial related portion of our audit covered the period October 1, 1998 through September 30, 1999.

AUDIT PURPOSE
This performance and financial related audit was conducted as part of the constitutional responsibility of the Office of the Auditor General. Performance audits are conducted on a priority basis related to the potential for improving effectiveness and efficiency. Financial related audits are conducted at various intervals to permit the Auditor General to express an opinion on the State's financial statements. Also, this audit complements the departmentwide financial audit of MDOT.

BACKGROUND
The Office of Information Management (OIM), headed by the chief information officer (CIO), provides data processing services to MDOT. The mission of OIM is to provide the highest quality information and communication capabilities needed to implement MDOT's business objectives and strategies. Some of the primary responsibilities of OIM include developing and implementing new applications; purchasing, installing, and maintaining hardware and software; and managing MDOT's Statewide data communications network.

During our audit period, MDOT developed several new systems, including the Transportation Management System (TMS), MDOT Architecture Project (MAP) Financial Obligation System (MFOS), and the MAP Database. MDOT redeveloped many of its mainframe systems into client-server systems, including Trns*port and FieldManager. Each of these systems is used for managing the various phases of road and bridge construction projects. During our audit fieldwork, MDOT was in the process of developing Safestat.

AUDIT OBJECTIVES, CONCLUSIONS, AND NOTEWORTHY ACCOMPLISHMENTS
Audit Objective: To assess the effectiveness of MDOT's project and contract management controls over system development projects.

Conclusion: MDOT did not implement effective project and contract management controls over system development projects. Our assessment disclosed three material conditions:

MDOT did not implement an effective information technology (IT) control environment (Finding 1).

MDOT did not comply with the Department of Management and Budget and MDOT policies and procedures for contracting for system development (Finding 2).

MDOT had not established controls to ensure the effective and efficient use of all IT funds (Finding 3).
In addition, we identified reportable conditions regarding system development payments, project management controls, project deliverables, project cost reporting,project history, and a quality assurance process (Findings 4 through 9).

Between June 1995 and February 1999, law enforcement agencies conducted an investigation of alleged improprieties in MDOT's system development contracting process. The investigation concluded that administrative policies had been violated.

Audit Objective: To assess the effectiveness of MDOT's internal control over its automated information systems.

Conclusion: MDOT's internal control over its automated information systems was generally effective. However, we identified reportable conditions regarding postimplementation review, completeness of TMS, and the TMS database (Findings 10 through 12). We also identified reportable conditions regarding TMS, MFOS, and Trns*port access controls; usercode and password security; audit trails; and processing controls (Findings 13 through 16).

Audit Objective: To assess the effectiveness of MDOT's general controls over management, development, and security of its automated information systems.

Conclusion: MDOT did not have effective general controls over management, development, and security of its automated information systems. Our assessment disclosed one material condition:

MDOT did not implement and document a system development life cycle methodology to identify the procedures to be followed when information systemsare being designed, developed, and maintained. Also, MDOT did not develop comprehensive TMS and MFOS system documentation (Finding 17).
In addition, we identified reportable conditions regarding system documentation standards, program change controls, security risk assessments, a security program, local area network (LAN) access controls, backup and recovery controls, a disaster recovery plan, and retention of electronic records (Findings 18 through 25).

Noteworthy Accomplishments: MDOT has taken steps to improve controls over its Automated Information Systems. MDOT created a help desk and an IT customer service function; it increased the performance rate of the network; and it replaced most of MDOT's computer hardware and established a schedule for future hardware replacement. MDOT informed us that these steps have resulted in improved employee satisfaction with IT services. Also, MDOT used good project management techniques and a quality assurance process during its year 2000 remediation efforts. As a result, the cost of year 2000 remediation was $3.2 million, compared to the original estimate of $14 million. Also as a result, MDOT received the American Association of State Highway and Transportation Officials' (AASHTO's) Trail Blazer's Award for its year 2000 efforts. Further, MDOT informed us that employee morale within OIM has improved since it hired the current CIO and the implementation of some of his initiatives.

AUDIT SCOPE AND METHODOLOGY
Our audit scope was to examine the information processing and other records of the Automated Information Systems. Also, our audit scope was to examine the financial related records for the period October 1, 1998 through September 30, 1999. Our audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States and, accordingly, included such tests of the records and such other auditing procedures as we considered necessary in the circumstances.

Our methodology included an examination of MDOT's information processing and other records for the period October 1, 1991 through November 30, 1999. Our methodology also included developing a preliminary assessment of OIM and the automated information systems. We then analyzed the information and determined where to concentrate our detailed analysis and testing. We performed an assessment of internal control over TMS, MFOS, Trns*port, FieldManager, and the MAP Database. We evaluated the results of our testing and reported our findings.

AGENCY RESPONSES
Our audit report contains 25 findings and 28 corresponding recommendations. MDOT's preliminary response indicated that it agreed with all the recommendations.

Full Audit Report - #5959099 - AUTOMATED INFORMATION SYSTEMS

Documents prefaced by require the Adobe Acrobat Reader®, a free application available on the Adobe homepage.

This page was created on July 25, 2000.


INTRODUCTION This report, issued in July 2000, contains the results of our performance and financial related audit of the Automated Information Systems, Michigan Department of Transportation (MDOT). The financial related portion of our audit covered the period October 1, 1998 through September 30, 1999.

AUDIT PURPOSE This performance and financial related audit was conducted as part of the constitutional responsibility of the Office of the Auditor General. Performance audits are conducted on a priority basis related to the potential for improving effectiveness and efficiency. Financial related audits are conducted at various intervals to permit the Auditor General to express an opinion on the State's financial statements. Also, this audit complements the departmentwide financial audit of MDOT.

BACKGROUND The Office of Information Management (OIM), headed by the chief information officer (CIO), provides data processing services to MDOT. The mission of OIM is to provide the highest quality information and communication capabilities needed to implement MDOT's business objectives and strategies. Some of the primary responsibilities of OIM include developing and implementing new applications; purchasing, installing, and maintaining hardware and software; and managing MDOT's Statewide data communications network. During our audit period, MDOT developed several new systems, including the Transportation Management System (TMS), MDOT Architecture Project (MAP) Financial Obligation System (MFOS), and the MAP Database. MDOT redeveloped many of its mainframe systems into client-server systems, including Trns*port and FieldManager. Each of these systems is used for managing the various phases of road and bridge construction projects. During our audit fieldwork, MDOT was in the process of developing Safestat.

AUDIT OBJECTIVES, CONCLUSIONS, AND NOTEWORTHY ACCOMPLISHMENTS Audit Objective: To assess the effectiveness of MDOT's project and contract management controls over system development projects. Conclusion: MDOT did not implement effective project and contract management controls over system development projects. Our assessment disclosed three material conditions: MDOT did not implement an effective information technology (IT) control environment (Finding 1). MDOT did not comply with the Department of Management and Budget and MDOT policies and procedures for contracting for system development (Finding 2). MDOT had not established controls to ensure the effective and efficient use of all IT funds (Finding 3). In addition, we identified reportable conditions regarding system development payments, project management controls, project deliverables, project cost reporting,project history, and a quality assurance process (Findings 4 through 9). Between June 1995 and February 1999, law enforcement agencies conducted an investigation of alleged improprieties in MDOT's system development contracting process. The investigation concluded that administrative policies had been violated. Audit Objective: To assess the effectiveness of MDOT's internal control over its automated information systems. Conclusion: MDOT's internal control over its automated information systems was generally effective. However, we identified reportable conditions regarding postimplementation review, completeness of TMS, and the TMS database (Findings 10 through 12). We also identified reportable conditions regarding TMS, MFOS, and Trnsport access controls; usercode and password security; audit trails; and processing controls (Findings 13 through 16). Audit Objective:* To assess the effectiveness of MDOT's general controls over management, development, and security of its automated information systems. Conclusion: MDOT did not have effective general controls over management, development, and security of its automated information systems. Our assessment disclosed one material condition: MDOT did not implement and document a system development life cycle methodology to identify the procedures to be followed when information systemsare being designed, developed, and maintained. Also, MDOT did not develop comprehensive TMS and MFOS system documentation (Finding 17). In addition, we identified reportable conditions regarding system documentation standards, program change controls, security risk assessments, a security program, local area network (LAN) access controls, backup and recovery controls, a disaster recovery plan, and retention of electronic records (Findings 18 through 25). Noteworthy Accomplishments: MDOT has taken steps to improve controls over its Automated Information Systems. MDOT created a help desk and an IT customer service function; it increased the performance rate of the network; and it replaced most of MDOT's computer hardware and established a schedule for future hardware replacement. MDOT informed us that these steps have resulted in improved employee satisfaction with IT services. Also, MDOT used good project management techniques and a quality assurance process during its year 2000 remediation efforts. As a result, the cost of year 2000 remediation was $3.2 million, compared to the original estimate of $14 million. Also as a result, MDOT received the American Association of State Highway and Transportation Officials' (AASHTO's) Trail Blazer's Award for its year 2000 efforts. Further, MDOT informed us that employee morale within OIM has improved since it hired the current CIO and the implementation of some of his initiatives.

AUDIT SCOPE AND METHODOLOGY Our audit scope was to examine the information processing and other records of the Automated Information Systems. Also, our audit scope was to examine the financial related records for the period October 1, 1998 through September 30, 1999. Our audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States and, accordingly, included such tests of the records and such other auditing procedures as we considered necessary in the circumstances. Our methodology included an examination of MDOT's information processing and other records for the period October 1, 1991 through November 30, 1999. Our methodology also included developing a preliminary assessment of OIM and the automated information systems. We then analyzed the information and determined where to concentrate our detailed analysis and testing. We performed an assessment of internal control over TMS, MFOS, Trns*port, FieldManager, and the MAP Database. We evaluated the results of our testing and reported our findings.

AGENCY RESPONSES Our audit report contains 25 findings and 28 corresponding recommendations. MDOT's preliminary response indicated that it agreed with all the recommendations.