Public Employees Retirement Association
Information Technology Audit
Financial Audit Division Report 08-18
Released August 14, 2008
The Public Employees Retirement Association (PERA) generally had adequate controls to protect the integrity, confidentiality, and availability of its computer systems and business data. However, the department had six weaknesses related to internal control over some significant aspects of its operations. We highlight the findings below.
- Prior Finding Partially Resolved: PERA did not design and implement an overall security management framework.
- PERA did not have adequate controls to ensure computer users’ access was appropriate on an ongoing basis, and it did not adequately restrict access to some computer systems and data.
- Prior Finding Partially Resolved: PERA did not develop comprehensive security monitoring procedures.
- PERA did not follow adequate change management procedures.
- PERA had not segmented its internal private network to improve security over its computer systems and data.
- PERA has not fully tested its continuity of operations plan, developed continuity training, or selected adequate facilities to recover computer operations.
Audit Objectives and Scope
Our audit objectives were to answer the following questions:
- Did PERA have adequate controls to protect the integrity, confidentiality, and availability of its computer systems and business data?
- Did the organization resolve prior audit findings from Financial Audit Division Report 02-62?
We assessed PERA security controls as of April 2008.
PERA administers four public employee retirement plans: the Public Employees Retirement Plan, Police and Fire Plan, Correctional Plan, and the Defined Contribution Plan. Employees and their employers contribute to these plans during their working years and obtain benefits upon retirement, disability, or termination of employment. At June 30, 2007, the retirement association reported that its pension funds had $19.5 billion in net assets. Fiscal year 2007 retirement contributions and payments to beneficiaries were $693.2 million and $1.1 billion, respectively.