Summary
| Report Number: | 2007-076 |
| Report Title: | Department of Management Services - MyFloridaMarketPlace System - Information Technology Audit |
| Report Period: | 07/01/2005-06/30/2006 and Selected Actions through 09/14/2006 |
| Release Date: | 01/08/2007 |
MyFloridaMarketPlace (MFMP) is a Web-based electronic procurement system for State agencies. Maintained and operated by Accenture, LLP (Accenture) under contract with DMS, MFMP is designed to enable State agencies to procure commodities and contractual services on-line and electronically communicate information on purchasing activities to the State’s accounting system, the Florida Accounting Information Resource Subsystem (FLAIR).
Our audit of MFMP focused on selected general and application information technology (IT) controls related to the MFMP Buyer Component during the period July 1, 2005, through June 30, 2006, and selected DMS actions through August 31, 2006. We also evaluated DMS’s progress in addressing MFMP control deficiencies noted in audit report No. 2006-015. In addition, we conducted audit field work at 14 State agencies, including DMS, for the period July 1, 2005, through January 31, 2006, and selected actions through September 14, 2006, that focused on evaluating agency MFMP processes and related internal controls.
As a part of this audit, we conducted two surveys of State agencies regarding their use of, and satisfaction with, MFMP. The results of these surveys are disclosed in Appendices A and B, respectively.
Our audit of MFMP disclosed that DMS is making progress in addressing the issues noted in prior audit report No. 2006-015 and has initiated actions to address certain issues raised in our current audit. However, numerous MFMP IT controls and State agency user controls still need improvement. These matters are summarized below:
System Performance
Proper management of system performance is an important aspect of IT service delivery. We observed, and MFMP users reported, instances of MFMP system performance problems throughout the audit period. DMS had taken steps to address system performance, but we continued to note aspects of DMS’s management of system performance that needed improvement. (Finding No. 1)
Agency Utilization of MFMP Functions
Our audit field work at the 14 State agencies disclosed that few agencies were fully utilizing all the functional capabilities available in MFMP. Agencies gave various reasons for not using certain MFMP functions and some agencies relied on workarounds or alternate systems in lieu of MFMP functionality. (Finding No. 2)
Monitoring of Transaction Fees and Exemptions
Florida law and administrative rules provide that DMS may collect fees from vendors for the use of MFMP. While transactions may be exempt for a number of reasons, agency transactions involving commodities and contractual services are generally assessed a one-percent transaction fee, which the vendor shall pay to the State. We noted that improvements were needed in DMS’s review and follow-up process for the appropriateness of the application of transaction fees and exemptions. (Finding No. 3)
Risk Assessments
IT risk assessment is a process of identifying and evaluating information risks that are relevant to the achievement of entity business objectives. The MFMP project team had not been tracking project risks as described in the approved Risk Management Process for MFMP. (Finding No. 4)
Security of Data and IT Resources
IT security controls are intended to protect the confidentiality, integrity, and availability of data and IT resources. Our audit disclosed that the management of MFMP security continued to need improvement in the areas of conducting background checks of Accenture personnel; controlling access at the application system, operating system, and database levels; ensuring the appropriateness of project staff and user access privileges; providing comprehensive security policies and procedures; and other specific areas not disclosed in detail in this report to avoid jeopardizing MFMP security. (Finding Nos. 5 through 10)
Application Systems Change Management
Effective management of application system changes helps ensure that the ongoing integrity of a system is preserved over time as the system is changed. Our audit disclosed instances where neither DMS nor end-user approval of system changes and operational data updates (data changes made by Accenture on behalf of users) had been obtained prior to the changes becoming operational. We also noted instances where the MFMP design specifications had not been updated to reflect system changes or contained inaccuracies. (Finding Nos. 11 and 12)
Data Management
Effective data management controls help ensure the integrity of information stored within a system. We continued to note deficiencies in the management of electronic documents within MFMP that serve as attachments to procurement records. Additionally, DMS had not established maintenance procedures to ensure the ongoing retention and usability of electronic records pursuant to Department of State Rules. We also noted instances of duplicate payments initiated from MFMP and processed by FLAIR for payment. We noted other data integrity issues within MFMP and we continued to find data inconsistencies between MFMP and FLAIR. Further, DMS had not established a mechanism for reconciling MFMP and FLAIR transaction data. (Finding Nos. 13, 14, 16, 17, 18, and 19)
Agency Procedural Deficiencies
Effective procedures and guidelines are necessary to promote end-users’ complete understanding and proper use of MFMP. Our audit field work at the 14 State agencies disclosed instances where written procedures or guidelines for key MFMP processes were lacking and where procedural deficiencies existed regarding the issuance of direct orders (purchase orders), invoice reconciliations (the process whereby invoices are compared to direct orders), and processing of payments. (Finding No. 15)
Statistical Sampling of Payments for Preauditing
MFMP’s Statistical Sampling Module was used by DFS to perform a preaudit of payments. Improvements were needed in the operation of the sampling process to provide increased assurance of its validity. (Finding No. 20)
Continuity of Service
IT service continuity is protected through such measures as disaster recovery planning and appropriate provisions for making and safeguarding copies of software and data. Risk assessment elements within the MFMP disaster recovery plan needed enhancement. Additionally, improvements were needed in MFMP program and data back-up provisions and in environmental controls at the Tallahassee facility that housed the MFMP development environment and served as a back-up site to the primary hosting facility. (Finding Nos. 21 through 23)
The Agencies' responses are included in their entirety as Appendix C.