Report Summary
Department of Management and Budget
Select Application Security Controls for
Statewide Integrated Financial Tools (SWIFT)
Information Technology Audit
Financial Audit Division Report 11-24 |
Released November 3, 2011 |
Conclusion
In overseeing the development of the state’s new accounting system, Statewide Integrated Financial Tools (SWIFT), the Department of Management and Budget did not design adequate internal controls to safeguard state resources and data by identifying incompatible security access roles and limiting access based on employees’ duties.
The department developed a generally adequate approach and identified milestones for updating the department’s policies and procedures and its business contingency plan prior to the implementation of SWIFT. However, as of October 10, 2011, the department had not published the SWIFT policy and procedures to supersede the MAPS policy related to security access.
The department did comply with specific legal and financial accounting requirements related to project management and financial reporting for intangible assets.
Findings
- The Department of Management and Budget did not formally assess the level of security controls needed to ensure the integrity and confidentiality of SWIFT data, nor did it subsequently determine the adequacy of the security controls that were designed.
- The Department of Management and Budget did not provide agency security liaisons with sufficient information to make appropriate SWIFT access decisions; the department also allowed a weak method to authorize access.
- The Department of Management and Budget did not sufficiently identify and communicate risks created by incompatible roles.
- The Department of Management and Budget did not plan to assess the effectiveness of agencies’ mitigating controls for incompatible security access, or they did not plan to implement a process to monitor that agencies’ independently assessed the effectiveness of their mitigating controls for incompatible duties.