Minnesota Office of the Legislative Auditor
Financial Audit Division

Report Summary


Financial-Related Audit

Department of Employee Relations
Department of Finance

SEMA4 Information Technology Audit


Overall Audit Conclusions

The departments of Employee Relations and Finance have adequate controls to ensure that employees are paid the appropriate rates. Furthermore, the departments have adequate controls to ensure that the payroll is accurately processed and recorded in the state's general ledger. Finally, the departments have implemented controls to protect the integrity of SEMA4 payroll and personnel data. However, our audit identified some opportunities to further enhance the SEMA4 security infrastructure.

Key Findings and Recommendations

  • The departments did not revoke the SEMA4 security clearances of some individuals who left state service or transferred jobs. We recommend that the departments remove the unnecessary clearances, develop reports to help detect similar situations in the future, and search for automated ways to deactivate security clearances that are no longer needed.
  • The departments did not actively monitor some SEMA4 system components for potential security breaches. We recommend that the departments deploy intrusion detection controls for all critical components of the system.
  • The departments also were not properly monitoring some high-risk transactions. We recommend that they log and monitor changes to key human resource and benefit control tables and actively monitor correction transactions.

Background

This information technology audit assessed the adequacy of key "application" and "general" controls of the State Employee Management System (SEMA4), which underwent a major upgrade in April 2003. Application controls filter out invalid data before it can be processed and ensure that remaining transactions are completely and accurately processed. General controls, such as security policies, procedures, and standards, are not unique to specific computerized business systems. Instead, they apply to all business systems that operate in a particular computing environment.

Office of the Legislative Auditor ♦ Room 140, 658 Cedar St., St. Paul, MN 55155