Why the Controller’s Office Conducted the Examination
In accordance with the Philadelphia Home Rule Charter, the Office of the City Controller engaged the Mercadien Group, who retained BDO USA, LLP, to conduct an assessment of the Information Technology (IT) general controls administered by the Office of Innovation & Technology (OIT). The purpose of this assessment was to evaluate the IT general controls over key financial-related applications at OIT as part of the Office of the City Controller’s audit of the City of Philadelphia’s Comprehensive Annual Financial Report (CAFR) for the fiscal year ended June 30, 2019.
Based on the potential impact to the city’s CAFR, the report identified four significant deficiencies, as well as several other deficiencies that require management’s attention. Key findings include:
• As noted in previous reports, OIT management has not provided sufficient oversight of the change management function, the process that ensures changes to IT systems are properly approved and tested before they are implemented. Specifically, the change management policy provided by OIT did not establish clear procedures for reviewing, testing and documenting changes to the city’s IT systems. A lack of oversight in the change management function increases the likelihood of unauthorized or inadequately reviewed changes. Additionally, inconsistencies in the processes for application changes can lead to delays in necessary changes and breakdowns in the system’s functionality.
• Our review identified several instances in which OIT management did not properly segregate the duties of employees or adequately monitor system access rights. Failure to provide oversight of system access rights can lead to unauthorized and undetected changes to applications and data, increasing the risk for potential fraud and abuse within the city’s financial systems. While OIT’s policy states that IT administrators will ensure proper segregation of duties, the report found three programmers who had the ability to add, delete, and modify water revenue transaction data in the Basis2 application; four database administrators who also had systems administrator access to the FAMIS and ADPICS applications; and two database administrators who also had systems administrator access to Basis2.
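The segregation-of-duties conflicts described in this finding are the kind of condition an automated access review can flag before an auditor has to. The following is an added illustration, not code from the Controller’s Office or OIT: it checks a constructed entitlement export (hypothetical user IDs and field names) against the two toxic combinations the finding names, programmers who can modify Basis2 transaction data and database administrators who also hold systems administrator access.

```python
from collections import defaultdict

# Segregation-of-duties rules modelled on the report's findings. The tuple form is
# (job_function, application or ANY, entitlement); a match is a conflict.
ANY = "*"
SOD_RULES = [
    ("programmer", "Basis2", "modify_transaction_data"),
    ("database_admin", ANY, "system_admin"),
]


def find_sod_conflicts(entitlements):
    """Return sorted (user, job_function, application, entitlement) tuples for
    every granted right that violates one of SOD_RULES.

    entitlements: iterable of dicts with keys user, job_function, application,
    entitlement (one row per granted right, as an access export would list them).
    """
    conflicts = set()
    for row in entitlements:
        for job, app, right in SOD_RULES:
            if (row["job_function"] == job and row["entitlement"] == right
                    and app in (ANY, row["application"])):
                conflicts.add((row["user"], row["job_function"],
                               row["application"], row["entitlement"]))
    return sorted(conflicts)


def summarize_by_application(conflicts):
    """Count distinct conflicting users per application, as the findings are stated."""
    users_by_app = defaultdict(set)
    for user, _job, app, _right in conflicts:
        users_by_app[app].add(user)
    return {app: len(users) for app, users in users_by_app.items()}


# Constructed sample export (hypothetical user IDs), not the city's actual access lists.
SAMPLE_ENTITLEMENTS = [
    {"user": "u101", "job_function": "programmer", "application": "Basis2", "entitlement": "modify_transaction_data"},
    {"user": "u102", "job_function": "programmer", "application": "Basis2", "entitlement": "read_only"},
    {"user": "u201", "job_function": "database_admin", "application": "FAMIS", "entitlement": "system_admin"},
    {"user": "u201", "job_function": "database_admin", "application": "ADPICS", "entitlement": "system_admin"},
    {"user": "u202", "job_function": "database_admin", "application": "Basis2", "entitlement": "system_admin"},
    {"user": "u203", "job_function": "database_admin", "application": "Basis2", "entitlement": "database_admin"},
]

if __name__ == "__main__":
    found = find_sod_conflicts(SAMPLE_ENTITLEMENTS)
    for conflict in found:
        print("SoD conflict:", conflict)
    print(summarize_by_application(found))
```

Running the check against a periodic access export, rather than once at audit time, is what turns the policy statement that administrators "will ensure proper segregation of duties" into an enforced control.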
What the Controller’s Office Recommends
The Controller’s Office has presented a number of recommendations to address the findings in this report. Some of the more significant recommendations are noted below.
We recommend OIT management strengthen its change management procedures and ensure that changes are properly reviewed, approved and tested before implementation. OIT management should implement proper segregation of duties and increase oversight of assigned system access rights.