Summary
| Report Number: | 03-176 |
| Report Title: | Public Service Commission – Case Management System - Information Technology Audit |
| Report Period: | 08/2002-01/2003 |
| Release Date: | 04/09/2003 |
Pursuant to Florida
law (Sections 350.01(1) and 350.011, Florida
Statutes), the Public Service Commission (Commission) serves as a state
regulatory agency and consists of five commissioners. The Commission regulates or oversees various
operations of the telecommunications, electric, gas, and water and wastewater
industries. The Commission promulgates
rules governing utility operations, hears and settles complaints, issues
written orders similar to court orders, and enforces state laws affecting the
utility industries.
Matters to be brought before the Commission for regulatory or oversight decisions are organized and tracked by docket (case). Once a docket is established, the activities relating to the docket are tracked in the Case Management System (CMS). Our audit focused on evaluating selected Commission information technology (IT) functions and determining the effectiveness of general and CMS application controls.
Although we did not identify any significant control deficiencies within the CMS application, certain general control deficiencies were noted which, if uncorrected, could, over time, jeopardize the reliability of the system. Specifically:
We noted instances where the Commission had not established an appropriate segregation of duties among IT functions, increasing the risk of erroneous or unauthorized modification or destruction of data.
Deficiencies existed in the Commission’s IT security administration, increasing the risk that access to IT resources were not appropriately controlled.
The Commission had not established an adequate information system development methodology, increasing the risk of changes to programs and data outside of management’s authorization.
We noted instances where the Commission had not adequately utilized sufficient security control features to protect CMS information resources and also noted aspects of the Commission’s business continuity/disaster recovery plan that needed improvement.
The Executive Director’s complete written response to the audit findings and recommendations can be viewed as a part of the complete report filed on the Auditor General web site.