Summary
Report Number:
Report Title: Department of Children and Family Services - Florida On-Line Recipient Integrated Data Access (FLORIDA) System - IT Audit
Report Period: 11/2003-03/2004 and Selected Actions From 07/2002-09/2004
Release Date: 01/20/2005
The Florida On-line Recipient Integrated Data Access (FLORIDA) System is a Statewide system operated and maintained by the Department of Children and Family Services (Department) to facilitate and economize the provision of program benefit services through a single, centralized system. Our audit of the FLORIDA System focused on evaluating selected internal controls related to information technology (IT) functions applicable to the Public Assistance component of the system; determining the effectiveness of general and application controls; evaluating the Department’s planning for the acquisition of IT assets used in the operation of the system; determining the extent of outsourcing of user and programming functions for the system and evaluating related Department controls; and evaluating management’s actions taken regarding the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for the period November 2003 through March 2004, and selected Department actions taken from July 2002 through September 2004.
The results of our audit are summarized as follows:
Finding No. 1: The FLORIDA System application controls did not, in certain instances, prevent the entry and processing of invalid or improper data.
Finding No. 2: Users have been granted multiple security access levels, thereby circumventing proper segregation of duties.
Finding No. 3: The Department’s change control process for FLORIDA System mainframe programs did not always sufficiently document modifications to programs and job control language. Additionally, certain Information Systems standard operating procedures were either not in place, lacking final approval, or outdated.
Finding No. 4: The Department had not established a written policy for designating positions of special trust or written procedures describing the measures necessary for overseeing those positions.
Finding No. 5: The organizational placement of the Information Security Manager and the security function within the Department may not maximize the effectiveness of the security function nor reflect an appropriate level of importance and priority of security within the Department.
Finding No. 6: Improvements were needed in the Department’s IT risk management practices and in certain security controls protecting the FLORIDA System.
Finding No. 7: For the expenditures we examined relating to FLORIDA System computer hardware, software, and maintenance, our tests indicated that the Department followed its information resource planning policies and procedures for justification, approval, and documentation of the purchases. Additionally, Department records indicated that the hardware, software, and maintenance services were used for FLORIDA System support purposes.
The Secretary's written response to the audit findings and recommendations in the audit report is included in the report on the Auditor General Web site.