Summary
| Report Number: | 2009-053 |
| Report Title: | Department of Financial Services - Florida Accounting Information Resource (FLAIR) Subsystem - Information Technology Audit |
| Report Period: | 07/01/07 - 06/30/08 and Selected Actions through 09/17/2008 |
| Release Date: | 12/02/2008 |
The Florida Accounting Information Resource (FLAIR) Subsystem is the State of Florida’s accounting system. Pursuant to Sections 215.93(1)(b) and 215.94(2), Florida Statutes, FLAIR is a subsystem of the Florida Financial Management Information System and the Department of Financial Services (Department) is the functional owner of FLAIR. FLAIR’s functions, as provided in State law, include accounting and reporting so as to provide timely data for producing financial statements for the State in accordance with generally accepted accounting principles and for auditing and settling claims against the State.
Our audit of FLAIR focused on evaluating selected information technology (IT) controls relevant to financial reporting and applicable to the system during the period July 1, 2007, through June 30, 2008, and selected actions through September 17, 2008. We also determined the status of corrective actions regarding prior audit findings disclosed in audit report No. 2008-026.
The results of our audit are summarized below:
Finding No. 1: We noted instances where, as similarly noted in audit report No. 2008-026, the Department did not remove the access privileges of former and transferred employees in a timely manner.
Finding No. 2: The primary Departmental Accounting Component (DAC) access control custodian shared a user identification (ID) with a backup access control custodian.
Finding No. 3: The Department lacked procedures for the Statewide Financial Statements (SWFS) Subsystem security administration process and for the reconciliation of data loaded from the Purchasing Card Module and DAC into the Information Warehouse.
Finding No. 4: In addition to the matters discussed in Finding Nos. 1, 2, 3, and 7, certain Department security and application controls needed improvement. Some of the issues were also included in audit report No. 2008-026.
Finding No. 5: As similarly noted in audit report No. 2008-026, we noted a programming error in the salary refund calculation of net pay.
Finding No. 6: Department staff did not follow established job scheduling procedures during a nightly production run, resulting in discrepancies in the balances on the general ledger master file. A similar finding was included in audit report No. 2008-026.
Finding No. 7: As also noted in audit report No. 2008-026, contrary to the Department’s Enterprise Security Policy, the Department had not established an approved baseline firewall configuration.
Finding No. 8: The Department did not consistently document the release of output data tapes to other entities.
Finding No. 9: On July 16, 2008, a fraud occurred that resulted in $5,700,352 in vendor electronic funds transfer (EFT) payments being inappropriately diverted to the bank account of a third party. The Department, subsequent to the fraud, revised and expanded its EFT procedures; however, the procedures needed further improvement.
The Chief Financial Officer’s response is included as Exhibit A.