Summary

This operational audit focused on selected general and application controls related to the Financial Analysis and Monitoring Electronic Document Management System (FAME) of the Office of Insurance Regulation (OIR).  Our audit, covering the period March 2006 through February 2008, also included a follow-up on prior audit findings contained in audit report No. 2007-088, Viatical Settlement Regulation and Market Conduct Examinations.  Our audit disclosed the following:

Change Management

Finding No. 1:   OIR change management controls should be enhanced.  OIR staff could not always provide documentation to evidence program change requests and approvals, or subsequent user acceptance testing and approval.

User Access

Finding No. 2:   OIR had not established written policies and procedures related to FAME user access.  Additionally, OIR logical access controls over FAME needed improvement.

Scanning and Indexing

Finding No. 3:   OIR scanning and indexing procedures should be enhanced to better ensure that information is accurately and completely entered into FAME.

The Commissioner's response is included at the end of this report as APPENDIX A.