Office of the Legislative Auditor - Financial Audit Division
Department of Finance
MAPS Interface Controls
Overall Audit Conclusions
The Department of Finance implemented controls to ensure that Interface Warrant Print (IWP) and Common Inbound Transaction Architecture (CITA) interface data is both accurate and complete. However, our audit identified two security weaknesses that should be addressed to further enhance IWP and CITA data integrity controls. The department also implemented controls to protect the integrity and confidentiality of Electronic Fund Transfer (EFT) data. However, we found several weaknesses that diminished the effectiveness of those controls.
Key Findings and Recommendations
An inordinate number of state agency information technology professionals had unnecessary clearance to modify or delete another agency's CITA interface data. We recommended that the department restrict employees to their own agency's CITA interface data and log actions performed by information technology professionals with extremely powerful security clearances.
The department did not adequately secure a powerful Minnesota Accounting and Procurement System (MAPS) account. We recommended that the department secure powerful MAPS accounts so that unauthorized people cannot use them. Furthermore, we recommended limiting agencies to the minimum clearance that is needed to process their IWP and CITA interface batches.
The department did not have effective authentication controls for some accounts that have clearance to perform EFT functions. We recommended that the department enforce its policy that prohibits employees from sharing passwords and store its bank smart card in a secure location. Also, if passwords must be stored in a computer file, we recommended that the department limit access to that file and encrypt the file's contents.
The department transferred unencrypted EFT data over public networks, making it susceptible to eavesdropping. We recommended encrypting all EFT data that is transferred over public networks.
The department did not adequately separate EFT processing duties. We recommended that the department develop controls to detect EFT batch errors or irregularities before they are submitted to the state's financial institution for Automated Clearing House (ACH) processing.
This information technology audit assessed the adequacy of MAPS data interface controls. Most data that is processed by MAPS is captured through interfaces with other state agency computer systems. Totaling over $18.9 billion, IWP and CITA interface transactions accounted for approximately 73 percent of the state's expenditures during fiscal year 2002. EFT data files are one of the most significant outbound MAPS interfaces. During fiscal year 2002, the department disbursed over $12.2 billion through EFT.