Performance Audit of Human Resources Management Network (HRMN) Self-Service
Receives AOPTA Award for Six-Month Period Ended - September 30, 2004
Scott Strong, Deputy Auditor General, is pleased to announce that the performance audit of Human Resources Management Network (HRMN) Self-Service, Department of Civil Service, is the winner of the Audit Operations Project Team Award (AOPTA) for the six-month period ended September 30, 2004. The audit team consisted of Shelly Fanson, supervisor; team members Paul Jacokes and Lori Mullins; Steve Baker, Audit Division Administrator; and Melissa Schuiling, Audit Manager.
The performance audit of HRMN Self-Service was a complex and technical audit. The audit team demonstrated excellence in several aspects of the audit, including coordinating with multiple departments, researching technical security issues, focusing audit effort on high-risk areas, and communicating effectively with the agency throughout the audit and at the audit conference. Throughout the audit, the team exhibited creativity, enthusiasm, and objectivity that enabled it to effectively test the system.
The audit was conducted because of the upcoming (at that time) mandatory use of HRMN Self-Service by all State employees. The audit report contained 7 findings, including 3 material conditions. The findings disclosed serious weaknesses related to the risk of providing confidential State employee and dependent data over the Internet, ineffective access and password controls over HRMN Self-Service, and insufficient Web application security controls.
The significance of the findings was exemplified in a letter sent from the Auditor General to the Departments of Civil Service (DCS) and Information Technology immediately upon the auditors’ identification of the weaknesses. The letter communicated the material weaknesses and the risks associated with the weaknesses, including unauthorized access to personnel data; unauthorized changes to personnel data; disclosure of confidential data; and, ultimately, identity theft. The letter was sent in time for changes to be made to the system before the open enrollment period.
The first-time supervisor handled the audit remarkably well and exhibited excellent time management skills. Most notably, the audit was completed within budget and the letter to the department directors and the audit report were issued timely.
In response to the audit report, DCS enhanced the employee/manager password security system, changed its method of resetting passwords, and required all employees to complete their security profile. The audit received attention in the GONGWER and MIRS.
In recognition of their selection, the audit team members will be Mr. McTavish’s guests for lunch, will have a letter of commendation placed in their personnel and evaluation files, and will have their names engraved on the AOPTA plaque that is prominently displayed in the OAG office.
← Back to Awards, Honors, and Recognition