Summary

The Florida Accounting Information Resource Subsystem (FLAIR) is the State of Florida’s accounting system.  Pursuant to Sections 215.93(1)(b) and 215.94(2), Florida Statutes, FLAIR is a subsystem of the Florida Financial Management Information System and the Department of Financial Services (Department) is the functional owner of FLAIR.  FLAIR’s functions, as provided in Florida law, include accounting and reporting so as to provide timely data for producing financial statements for the State in accordance with generally accepted accounting principles and for auditing and settling claims against the State.

Our audit of FLAIR focused on evaluating selected information technology (IT) controls, applicable to the system during the period July 1, 2006, through June 30, 2007, and determining the status of prior audit deficiencies.  

The results of our audit are summarized below:

Finding No. 1:        We noted inconsistencies among the Department’s various access control policies and procedures for FLAIR.  In addition, we noted instances where the Department’s access control policies and procedures for FLAIR were lacking or not being followed.

Finding No. 2:       We continued to note that Department staff could not provide a comprehensive and accurate listing of all terminated employees.  In addition, we continued to note instances where the Department did not remove the access privileges of terminated individuals and transferred employees in a timely manner. 

Finding No. 3:       The Department’s antivirus software did not have the current patch version installed.  Additionally, the Department’s documentation of certain software patches, including the installation and testing thereof, was lacking.

Finding No. 4:       Contrary to the Department’s Enterprise Security Policy, guidelines and procedures had not been developed for administering network firewalls.  In addition, the Department had not established an approved baseline firewall configuration.

Finding No. 5:       We noted certain deficiencies in the Department’s security control features, in addition to the matters described in Finding Nos. 1 through 4 above.

Finding No. 6:       Department staff did not follow established job scheduling procedures during a nightly production run, resulting in voucher processing errors. 

Finding No. 7:       Department staff did not follow established procedures for change control, specifically documentation, testing, and approval procedures, when implementing a special data correction, resulting in discrepancies between data files. 

Finding No. 8:       A system edit implemented to prevent prohibited contractual service expense disbursements from being paid from an expense category was not working properly in all scenarios throughout the application.  

Finding No. 9:       We noted a programming error in the salary refund calculation of net pay that resulted in inaccurate salary refunds for four employees.

Finding No. 10:     Department staff did not have procedures in place to verify that the total State Active Duty (SAD) W-4 records sent from the Department of Military Affairs matched the records received on the Department’s SAD W-4 control totals report produced during the processing of the SAD W-4 file.  

The Chief Financial Officer's response is included at the end of this report as Appendix A.