Department of Administration
Financial Audit Division

The Office of the Legislative Auditor (OLA) is a professional, nonpartisan office in the legislative branch of Minnesota State government. Its principal responsibility is to audit and evaluate the agencies and programs of state government (the State Auditor audits local governments). OLA's Financial Audit Division annually audits the state's financial statements and, on a rotating schedule, audits agencies in the executive and judicial branches of state government, three metropolitan agencies, and several "semi-state" organizations. The division also investigates allegations that state resources have been used inappropriately. The division has a staff of approximately fifty auditors, most of whom are CPAs. The division conducts audits in accordance with standards established by the American Institute of Certified Public Accountants and the Comptroller General of the United States.

Consistent with OLA's mission, the Financial Audit Division works to:
Promote Accountability, Strengthen Legislative Oversight, and Support Good Financial Management.
Through its Program Evaluation Division, OLA conducts several evaluations each year and one best practices review.

OLA is under the direction of the Legislative Auditor, who is appointed for a six-year term by the Legislative Audit Commission (LAC). The LAC is a bipartisan commission of Representatives and Senators. It annually selects topics for the Program Evaluation Division, but is generally not involved in scheduling financial audits.

All findings, conclusions, and recommendations in reports issued by the Office of the Legislative Auditor are solely the responsibility of the office and may not reflect the views of the LAC, its individual members, or other members of the Minnesota Legislature.

This document can be made available in alternative formats, such as large print, Braille, or audio tape, by calling 651-296-1727 (voice), or the Minnesota Relay Service at 651-297-5353 or 1-800-627-3529. All OLA reports are available at our Web Site: http://www.auditor.leg.state.mn.us

If you have comments about our work, or you want to suggest an audit, investigation, evaluation, or best practices review, please contact us at 651-296-4708 or by e-mail legislative.auditor@state.mn.us


Table of Contents
Report Summary
Management Letter
Department of Administration’s Response

Audit Participation

The following members of the Office of the Legislative Auditor prepared this report:

Claudia Gudvangen, CPA, Deputy Legislative Auditor
David Poliseno, CPA, CISA, Audit Manager
Chris Buse, CPA, CISA, CISSP, Information Technology Audit Manager
Mark Mathison, CPA, CISA, Information Technology Auditor
Doreen Bragstad, CPA, Auditor

Exit Conference

We discussed the findings and recommendations in this report with the following staff of the Department of Administration on March 8, 2004:

Brian Lamb, Commissioner
Keith Payden, Deputy Commissioner/State Chief Information Officer
Jack Yarbrough, Assistant Commissioner, InterTechnologies Group
Greg Dzieweczynski, Director, InterTechnologies Group
Jim Steinwand, Manager, InterTechnologies Group
Larry Freund, Director, Financial Management and Reporting
Judy Hunt, Director, Internal Audit

Report Summary

Current Finding and Recommendation:

The Department of Administration did not adequately secure some libraries that house critical state agency computer programs. We recommend that the department limit access to computer program libraries to only those people who need such clearance to fulfill their job duties. (Finding 1, page 3)

Management letters address internal control weaknesses and noncompliance issues found during our annual audit of the state’s financial statements and federally funded programs. The scope of work in individual agencies is limited. During the fiscal year 2003 audit, our work at the Department of Administration focused on activities that were material to the State of Minnesota’s basic financial statements. We also performed certain audit procedures on selected computer security controls in the Department of Administration’s InterTechnologies Group.
The department’s response is included in the report.


Representative Tim Wilkin, Chair
Legislative Audit Commission

Members of the Legislative Audit Commission

Mr. Brian Lamb, Commissioner
Department of Administration


We have performed certain audit procedures at the Department of Administration as part of our audit of the financial statements of the State of Minnesota as of and for the year ended June 30, 2003. We have also audited selected internal service fund balances to determine the state’s compliance with the requirements described in the U.S. Office of Management and Budget (OMB) Circulars A-133 and A-87, commonly referred to as the Compliance Supplement and Cost Principles for State, Local, and Indian Tribal Governments. We emphasize that this has not been a comprehensive audit of the Department of Administration.

The scope of our audit work at the Department of Administration included activities that were material to the state’s basic financial statements. We also performed certain audit procedures on selected computer security controls in the Department of Administration’s InterTechnologies Group.

We conducted our audit in accordance with auditing standards generally accepted in the United States of America and the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States.

Conclusions

Our December 5, 2003, report included an unqualified opinion on the State of Minnesota’s basic financial statements. In accordance with Government Auditing Standards, we have also issued our report, dated December 5, 2003, on our consideration of the State of Minnesota’s internal control over financial reporting and our tests of its compliance with certain provisions of laws, regulations, contracts, and grants. In March 2004, we will issue our report on compliance with requirements applicable to each major federal program and internal control over compliance in accordance with OMB Circular A-133.

As a result of our audit work, we identified the following weakness in internal control at the Department of Administration:

1. The department did not adequately secure some libraries that house critical state agency computer programs.

Some electronic libraries that house computer programs for certain of the state’s largest computer systems were not properly secured. During our audit work on the state’s business systems, we identified computer programs that could be viewed by virtually all people with access to the central mainframe computers. We also identified many computer programs in “pre-production” test libraries that could be changed by unauthorized individuals. Typically, only specific information technology professionals need clearance to computer program libraries to fulfill their job duties.

Granting widespread access to sensitive computer programs exposes state business systems to unnecessary risks. With this access, unscrupulous individuals could gather information about powerful accounts that were created by state agencies to run their business processes. In fact, we found one case where both an account and password could be obtained for a major government computer system. To improve controls, the department should secure computer program libraries so that they are only accessible to people who need such clearance.

Recommendation

The department should limit access to computer program libraries to only those people who need such clearance to fulfill their job duties.
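The two conditions described in this finding, program libraries readable by virtually every mainframe user (and test libraries writable by them) and accounts with passwords embedded in library members, can both be checked mechanically. The Python script below is an added example written for this page; it is not code from the Office of the Legislative Auditor or the Department of Administration. The library names, JCL and SQL members, and access levels in it are constructed sample data, and the NONE/READ/UPDATE/ALTER universal-access model is an assumption borrowed from RACF-style dataset profiles, since the report does not name the security product in use.

```python
"""Added example: two audit checks for mainframe program libraries.

  1. Flag libraries whose universal access (the access every user gets without an
     explicit permit) lets everyone read, or change, the programs in them.
  2. Scan member text for embedded account/password pairs, reporting where they
     are and which account is exposed, without copying the password itself.

All data below is constructed for illustration. The access levels follow a
RACF-style ordering NONE < READ < UPDATE < ALTER, which is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "ALTER": 3}

# Each pattern names a "secret" group and, where the syntax carries one, an
# "account" group. Order matters: the specific forms come before the generic
# keyword match, and only the first pattern that matches a line is reported.
CREDENTIAL_PATTERNS = [
    ("jcl-job-statement",
     re.compile(r"USER=(?P<account>[A-Z0-9$#@]{1,8}).*?PASSWORD=(?P<secret>[^,\s]+)", re.I)),
    ("db2-connect",
     re.compile(r"\bUSER\s+(?P<account>[A-Z0-9$#@]{1,8})\s+USING\s+(?P<secret>\S+)", re.I)),
    ("password-keyword",
     re.compile(r"\b(?:PASSWORD|PWD|PASS)\s*=\s*'?(?P<secret>[^'\s,]+)", re.I)),
]


@dataclass(frozen=True)
class CredentialHit:
    """Location of an embedded credential. The secret is deliberately not stored:
    the audit output itself must not become another place the password lives."""
    library: str
    member: str
    line: int
    kind: str
    account: Optional[str]


@dataclass
class Library:
    name: str
    kind: str                # "production" or "test"
    uacc: str                # universal access: what every mainframe user gets
    members: Dict[str, str]  # member name -> member text


def scan_member(library: str, member: str, text: str) -> List[CredentialHit]:
    """Return one hit per line that carries an embedded credential."""
    hits: List[CredentialHit] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if match:
                hits.append(CredentialHit(library, member, lineno, kind,
                                          match.groupdict().get("account")))
                break  # patterns overlap on purpose; report each line once
    return hits


def find_embedded_credentials(lib: Library) -> List[CredentialHit]:
    hits: List[CredentialHit] = []
    for member, text in lib.members.items():
        hits.extend(scan_member(lib.name, member, text))
    return hits


def excessive_universal_access(lib: Library) -> List[str]:
    """Universal READ exposes program logic (and any embedded accounts) to every
    user; universal UPDATE or higher lets every user alter the code, which on a
    pre-production library means altering what will be promoted to production."""
    uacc = lib.uacc.upper()
    rank = ACCESS_RANK[uacc]
    if rank >= ACCESS_RANK["UPDATE"]:
        return [f"{lib.name} ({lib.kind}): universal access {uacc} lets every user change program members"]
    if rank >= ACCESS_RANK["READ"]:
        return [f"{lib.name} ({lib.kind}): universal access {uacc} lets every user read program members"]
    return []


def audit(libraries: Iterable[Library]) -> Dict[str, list]:
    report: Dict[str, list] = {"access": [], "credentials": []}
    for lib in libraries:
        report["access"].extend(excessive_universal_access(lib))
        report["credentials"].extend(find_embedded_credentials(lib))
    return report


# Constructed sample libraries (names, members and passwords are made up).
SAMPLE_LIBRARIES = [
    Library("FIN.PROD.JCLLIB", "production", "READ", {
        "PAYNIGHT": ("//PAYNIGHT JOB (ACCT),'NIGHTLY PAYROLL',CLASS=A,USER=PAYBATCH,PASSWORD=S3CRET1\n"
                     "//STEP1    EXEC PGM=IKJEFT01\n"
                     "//SYSTSIN  DD *\n"
                     "  DSN SYSTEM(DB2P)\n"
                     "  RUN PROGRAM(PAYCALC) PLAN(PAYPLAN)\n"
                     "/*\n"),
        "GLPOST": ("//GLPOST   JOB (ACCT),'GL POSTING',CLASS=A\n"
                   "//STEP1    EXEC PGM=GLPOST01\n"
                   "//INPUT    DD DSN=FIN.PROD.GLTRANS,DISP=SHR\n"),
    }),
    Library("FIN.TEST.JCLLIB", "test", "UPDATE", {
        "DBCONN": ("-- SQL input for the load test, constructed sample\n"
                   "CONNECT TO FINDB USER FINLOAD USING Summer04;\n"
                   "SELECT COUNT(*) FROM FIN.GLTRANS;\n"),
    }),
    Library("FIN.PROD.LOADLIB", "production", "NONE", {
        "README": "Executable load modules; access only by explicit permit.\n",
    }),
]

if __name__ == "__main__":
    result = audit(SAMPLE_LIBRARIES)
    for problem in result["access"]:
        print("ACCESS:", problem)
    for hit in result["credentials"]:
        print(f"CREDENTIAL: {hit.library}({hit.member}) line {hit.line}: "
              f"{hit.kind}, account {hit.account or 'unknown'}")
```

Run stand-alone, the script lists the libraries whose universal access is too broad and each credential hit by library, member, line and account, which is the form a security team can hand to the owning agency for removal without circulating the password again. The same two checks correspond to the corrective actions in the department's response: scanning the pertinent libraries for inappropriate information and limiting read and write access to the staff who need it.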


This report is intended for the information of the Legislative Audit Commission and the management of the Department of Administration. This restriction is not intended to limit the distribution of this report, which was released as a public document on March 18, 2004.

/s/ James R. Nobles
James R. Nobles, Legislative Auditor

/s/ Claudia J. Gudvangen
Claudia J. Gudvangen, CPA, Deputy Legislative Auditor

End of Fieldwork: February 27, 2004

Report Signed On: March 12, 2004

March 12, 2004

James R. Nobles, Legislative Auditor
Office of the Legislative Auditor
Room 140 Centennial Building
658 Cedar Street
St. Paul, MN 55155-1603

Dear Mr. Nobles:

The Department of Administration (Admin) extends its appreciation to you and your staff for the opportunities to discuss the results of your review of selected mainframe security controls during the State of Minnesota’s financial statement audit, and to respond accordingly.

As mentioned in our most recent meeting, we concur with the audit issue addressed in your management letter. The audit finding indicates that Admin “did not adequately secure some libraries that house critical state agency computer programs.” Specifically, the report comment reveals our exposure to a risk that individuals having access to both account and password information (inappropriate information) housed in a pre-production test library belonging to another audited state agency (the agency) could alter one of the state’s largest computer systems. Clearly, Admin’s InterTechnologies Group (ITG) needs to strengthen controls to secure certain program libraries, as you recommend, so that they are accessible only to those individuals who need such clearance to fulfill their job duties.

We have already initiated actions to implement your recommendation. The joint goal of the agency and Admin is to correct the problem immediately and to ensure appropriate measures are taken to prevent similar occurrences in the future. This will be accomplished by:

The audited state agency removing, via procedural changes, all instances of inappropriate information and implementing procedures to ensure that entry of similar inappropriate information does not occur in the future.
The ITG security team limiting the read and/or write access to agencies’ information in the libraries to only those individuals that work for these agencies and are in need of such access to perform their normal job duties.

Since your staff brought this matter to our attention, ITG has completed the following activities to achieve these goals:
Enabled logging of those agencies accessing named libraries to track activity,
Established additional procedures to monitor migration from test to production libraries to detect future violations,
Performed scans of all pertinent libraries and found no violations other than those reported for the audited state agency,
Met with the audited state agency’s staff to design mitigation and corrective action steps to remove inappropriate information and to prevent future occurrences,
Met with staff of the OLA to discuss proper action steps for the audited state agency and ITG, and
Met with the State Chief Information Office and internal auditor to outline the steps necessary for proper closure of this finding.

Activities ITG personnel plan to complete soon to further remedy this audit issue include:
Contact all state agencies that ITG finds have similar inappropriate information stored in various libraries and arrange meetings to discuss mitigation strategy and procedures,
Notify all security administrators in state agencies to be alert to possible violations and how to prevent and to mitigate them,
Implement counter measures that will limit access to procedural information within system libraries, and
Monitor the audited state agency to ensure it completes its corrective actions and takes appropriate actions to mitigate future occurrences.

In our view, these mitigation steps will remove inappropriate information, prevent and protect the possibility of inadvertent access by unauthorized personnel to the subject libraries’ content, and ensure adoption of new processes and procedures to eliminate the continuation of this activity going forward.

ITG management responsible for taking the necessary corrective actions, which are targeted for completion by March 31, 2004, include:
Greg Dzieweczynski, Interagency Services Manager (phone: 651-296-6360) and
Jim Steinwand, Security Services Manager (phone: 651-297-3894).

Again, we appreciate your bringing this matter to our attention.

Sincerely,

/s/ Brian J. Lamb

Brian J. Lamb
Commissioner

cc: Keith Payden, State Chief Information Officer
Jack Yarbrough, Assistant Commissioner, ITG
Larry Freund, Financial Management Director
Greg Dzieweczynski, Interagency Services Manager, ITG
Jim Steinwand, Security Services Manager, ITG
Judy Hunt, Internal Audit Director