Office of the Legislative Auditor - Financial Audit Division

Report Summary

Department of Employee Relations
Department of Finance

SEMA4 Information Technology Audit

Overall Audit Conclusions

The Departments of Employee Relations and Finance have adequate controls to ensure that employees are paid the appropriate rates. Furthermore, the departments have adequate controls to ensure that the payroll is accurately processed and recorded in the state's general ledger. Finally, the departments have implemented controls to protect the integrity of SEMA4 payroll and personnel data. However, there are some opportunities to further enhance the security infrastructure.

Key Findings and Recommendations

• Some information technology professionals had excessive security clearances. Though some of these employees sometimes needed powerful clearances, we question the need to grant such clearances on a permanent basis. We recommend that the departments grant employees security clearances that are commensurate with their typical job duties and handle extraordinary security needs on a case-by-case basis.
• During transmission, some interface files were not appropriately secured. We recommend that the departments encrypt transmissions to and from SEMA4.

This information technology audit assessed the adequacy of key "application" and "general" controls of the State Employee Management System (SEMA4). Application controls filter out invalid data before it can be processed and ensure that remaining transactions are completely and accurately processed. General controls, such as security policies, procedures, and standards, are not unique to specific computerized business systems. Instead, they apply to all business systems that operate in a particular computing environment.