Why the Controller’s Office Conducted the Examination
In accordance with the Philadelphia Home Rule Charter, the Office of the City Controller engaged Eisner Advisory Group, LLC (EisnerAmper) to perform an assessment of the Information Technology (IT) general controls and applications related to the Philadelphia School District’s (District) new Oracle system. The Oracle system is a multi-year modernization initiative by the School District to replace its legacy Finance system. It will also replace the District’s legacy Human Resources Information System, which is currently in the process of being implemented. The assessment was to evaluate whether the IT general controls and application controls were efficiently designed, implemented, and operating as part of the Office of the City Controller’s audit of the School District’s Annual Comprehensive Financial Report (ACFR) for the fiscal year ended June 30, 2021.
Based on its potential impact to the District’s ACFR, the assessment identified one significant deficiency and three control deficiencies that require management’s attention. The findings are as follows:
A formally documented Segregation of Duties (SoD) policy, including identification of incompatible roles, responsibilities, and permissions was not established. Periodic reviews of user access have not been performed since the Oracle system went live on July 1, 2020. Additionally, a documented security program or policy, which should include the District’s responsibilities over the Oracle system, was not provided. As a result, there may be users with access not commensurate with their job responsibilities and users may have access across incompatible roles, responsibilities, and permissions within the system, potentially allowing users to bypass system controls.
Of 25 terminated employees tested, one user’s system access was not disabled in a timely manner. If unauthorized system access is maintained, a user could potentially perform unauthorized transactions.
There was no formal, documented review of the Oracle Fusion Service Organization Control (SOC) 1 report. SOC reports are AICPA defined reports which are performed by Public Accounting firms to evaluate and report on the controls at a third-party service provider. SOC reports allow management and auditors to gain comfort over controls at a third-party service provider without the need to perform their own audit procedures.
A formal policy for configuration changes, including the procedures for requesting changes from Oracle and the supporting vendor, nor a formal list of change requests, including Oracle requested changes, configuration changes, and emergency changes, was maintained. Without documented configuration change management process, there is a risk of unauthorized changes, and changes that have not been tested before implementation, which could affect the system’s operation.
What the Controller’s Office Recommends
The Controller’s Office has presented a number of recommendations to address the findings in this report. The recommendations include formally documenting a SoD policy and configuration change policy, as well as removing terminated employee access in a timely manner and formally reviewing SOC 1 reports.