Summary
| Report Number: | 2009-020 |
| Report Title: | Department of Legal Affairs - Lotus Notes Applications - Information Technology Audit |
| Report Period: | 04/2008 - 07/2008 |
| Release Date: | 10/10/2008 |
The Department of Legal Affairs (Department) uses Lotus Notes software to develop, maintain, and operate over 300 custom applications to perform its day-to-day functions. The custom applications include functionality to support legal case management, victims’ claims processing, complaint and correspondence tracking, administrative and financial systems, workflow and collaboration, Web content management, and Web-based consumer services.
Our audit focused on evaluating the Department’s use of Lotus Notes to implement selected systems development and modification, data security, and data integrity controls over the custom Lotus Notes applications during the period April 2008 through July 2008. In addition, we determined the status of corrective actions regarding selected prior audit findings disclosed in audit report No. 02-023.
The results of our audit are summarized below:
Finding No. 1: Aspects of the Department’s Lotus Notes systems development software, and the Department’s configuration thereof, limited the Department’s deployment of appropriate systems development controls.
Finding No. 2: The Department’s policies and procedures did not provide for certain systems development controls included in industry best practices.
Finding No. 3: Some instances existed where the Department lacked documentation of the authorization and testing of program changes, the approval of program changes for implementation, and the names of employees who moved program changes into production.
Finding No. 4: Some instances existed of excessive and inappropriate access privileges to Lotus Notes applications and data.
Finding No. 5: In addition to the matters discussed in Finding No. 4, certain Department security controls related to Lotus Notes and the supporting network environment needed improvement. We have not disclosed specific details of these issues in this report to avoid the possibility of compromising the Department’s data and IT resources.
Department management's response is included at the end of this report as APPENDIX A.