Summary
Summary
| Report Number: | 2008-197 |
| Report Title: | Department of Children and Family Services - Florida On-Line Integrated Data Access (FLORIDA) System - Information Technology Audit |
| Report Period: | 10/2007 - 03/2008 with Selected Actions taken from 07/01/2006 |
| Release Date: | 06/30/2008 |
The Florida On-line Recipient Integrated Data Access (FLORIDA) System is a Statewide system operated and maintained by the Economic Self‑Sufficiency Services (ESS) Program Office and Office of Information Systems within the Department of Children and Family Services (Department) to assist in public assistance program eligibility determination and benefit issuance. Our audit of the FLORIDA System focused on evaluating selected information technology (IT) controls applicable to the Public Assistance component of the FLORIDA System for the period October 2007 through March 2008, with selected actions taken from July 1, 2006, and determining the status of corrective actions regarding prior audit findings disclosed in audit report No. 2005-106. We also evaluated selected systems modification and application controls over the Automated Community Connection to Economic Self-Sufficiency Web Application and the Integrated Benefit Recovery System for the period.
The results of our audit are summarized below:
Finding No. 1: Contrary to Section 119.071(5)(a), Florida Statutes, the Department used certain employee social security numbers (SSNs) without specific authorization in law or without having established the imperative need to use the SSN for the performance of its duties and responsibilities as prescribed by law. Specific details of how the SSN was used are not disclosed in this report to avoid the possibility of compromising Department information. However, appropriate Department personnel have been notified of this issue.
Finding No. 2: In certain instances, a separation of duties within the FLORIDA System was either not in place or was ineffective. Specific details of this control deficiency are not disclosed in this report to avoid the possibility of compromising Department information. However, appropriate Department personnel have been notified of the specific instances noted.
Finding No. 3: The Department lacked FLORIDA System exception reports and related procedures to detect potential employee fraud. Additionally, the Department had numerous unprocessed overdue data exchange responses.
Finding No. 4: The Department did not maintain an adequate log of user activity within the FLORIDA System.
Finding No. 5: Certain Department security controls protecting the FLORIDA System and related IT resources were deficient.
Finding No. 6: The organizational placement of the Information Security Manager (ISM) and the security function within the Department did not maximize the effectiveness of the security function or reflect an appropriate level of importance and priority of security within the Department.
Finding No. 7: The Department’s IT risk management procedures needed improvement.
Finding No. 8: The Department’s systems development and modification controls needed improvement.
The Secretary's response is included at the end of this report as Appendix A.