Summary

Report Number: 2009-078
Report Title: Department of Management Services and Related Entities - NonPublic Information Safeguards and Revenue and Cash Receipts - Operational Audit
Report Period: 07/2006 - 02/2008 and Selected Actions through 07/22/2008
Release Date: 12/23/2008

This operational audit of the Department of Management Services (Department) and related entities for the period July 2006 through February 2008, and selected actions through July 22, 2008, focused on safeguards over nonpublic information and selected revenue and cash receipt functions.  Related entities included:  the Division of Administrative Hearings (DOAH), the Florida Commission on Human Relations (FCHR), and the Public Employees Relations Commission (PERC).  These entities, by law, are not subject to Department control, supervision, or direction but are assigned to the Department for administrative support and services, as requested.

As summarized below, our audit disclosed that internal controls over the safeguarding of nonpublic information and over revenue and cash receipt processes could be improved.

Nonpublic Information Safeguards

SSN Reporting Requirements

Finding No. 1: The Department and related entities did not timely issue each provider of social security numbers (SSNs) with a written statement stating the purpose for the SSN collection. Additionally, contrary to governing laws, certifications and reports regarding the collection and provision of SSNs were not timely provided to designated government officials.

Communication of Department Policies

Finding No. 2: Key management personnel were not always cognizant of the Department’s established policies regarding the protection of nonpublic information. Additionally, the Department did not maintain and make available to management and staff a listing of applicable State and Federal laws and rules relevant to the nonpublic information held by the Department.

Procedures and Standard Documents

Finding No. 3: Department and related entity operating procedures and standard documents could be enhanced to better safeguard nonpublic information.

Physical Security

Finding No. 4: Physical security over documents containing nonpublic information was not always sufficient.

Access Controls

Finding No. 5: The Department, DOAH, and FCHR had not established written procedures for requesting, approving, monitoring, and removing user access privileges for selected information technology systems. Also, user access privileges were not routinely reviewed for continued applicability, and access authorizations were not retained. Additionally, certain logical access controls relating to the management of access privileges needed improvement.

Positions of Special Trust

Finding No. 6: None of the related entities had developed written policies for designating positions that, because of special trust, responsibility, or sensitive location, require persons occupying the positions to be subject to a level 2 screening as a condition of employment; nor had the related entities so designated all such positions.

Revenue and Cash Receipts

Cash Collection Controls

Finding No. 7: Cash collection and processing procedures needed improvement.

User Access

Finding No. 8: Incompatible duties had been assigned to some employees at DOAH.

Change Management

Finding No. 9: DOAH had not employed appropriate change management procedures.


Response letters from the Secretary of the Department of Management Services and the related entity heads are included in Exhibit B.