Why the Controller’s Office Conducted the Examination
Pursuant to the Philadelphia Home Rule Charter, the Controller’s Office engaged BDO USA, LLP to conduct an assessment of the Information Technology (IT) general controls implemented by the Office of Innovation and Technology (OIT). The objective of this assessment was to evaluate the IT general controls over key financial-related applications managed by OIT, in connection with the Controller’s Office audit of the City of Philadelphia, Pennsylvania’s Comprehensive Annual Financial Report for the year ended June 30, 2016.
What the Controller’s Office Found
Key findings in the report are listed below. We believe these findings, and others described in the report, warrant the attention of management.
- Procedures requiring approval and documentation of changes to IT systems prior to migration to production were not consistently followed. Documentation for changes to the city’s IT systems did not consistently evidence end-user testing or management approval. Non-compliance with approval and documentation requirements increases the likelihood of unauthorized changes to the city’s IT systems.
- OIT did not properly segregate the duties of (1) two programmers who had the ability to add, delete, and modify payroll transaction data; (2) two employees with development and systems administrator access rights to three applications; and (3) a database administrator who also had systems administrator access to one application. Consequently, there was an increased risk of unauthorized and improper changes to applications and data.
- For all twenty newly hired employees in our sample, there was no evidence available to document the request authorizing the granting of user access rights to the network or city IT systems. With no evidence that user access was authorized, there was increased potential for unauthorized and inappropriate activity.
What the Controller’s Office Recommends
The city’s OIT should (1) strengthen change management procedures and ensure that required documentation and approvals are obtained; (2) implement segregation of duties in the IT environment or develop monitoring controls to track users with known segregation of duties concerns; and (3) review the new hire setup process and develop a procedure to document new user access requests. These and other proposed actions are more fully described in the body of the report.
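The monitoring controls recommended above can be expressed as simple checks run over exported records. The following Python script is an added illustration, not part of the report or of any OIT system: it flags production changes lacking test evidence or approval (or approved by their own developer), users holding the toxic entitlement combinations named in the findings (developer plus system administrator, database administrator plus system administrator, programmer plus payroll transaction write access), and new hires who received accounts with no recorded access request. All record formats, field names, user names and ticket identifiers are constructed assumptions.

```python
"""Monitoring controls for the three findings above: change approval evidence,
segregation-of-duties conflicts, and authorized new-hire provisioning.
All records below are constructed sample data, not data from the audit."""

from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed change records (assumed schema). A compliant record names who
# tested the change and which manager approved it before migration.
CHANGES = [
    {"id": "CHG-1001", "developer": "prog1", "tested_by": "user.a", "approved_by": "mgr.b", "in_production": True},
    {"id": "CHG-1002", "developer": "prog1", "tested_by": None,     "approved_by": "mgr.b", "in_production": True},
    {"id": "CHG-1003", "developer": "prog2", "tested_by": "user.c", "approved_by": None,    "in_production": True},
    {"id": "CHG-1004", "developer": "prog2", "tested_by": "user.c", "approved_by": "prog2", "in_production": True},
    {"id": "CHG-1005", "developer": "prog1", "tested_by": None,     "approved_by": None,    "in_production": False},
]


def change_control_exceptions(changes) -> List[Tuple[str, str]]:
    """Return (change id, reason) for production changes that lack end-user test
    evidence, lack management approval, or were approved by their own developer."""
    out = []
    for c in changes:
        if not c["in_production"]:
            continue  # still in development; the control applies at migration
        if not c["tested_by"]:
            out.append((c["id"], "no end-user test evidence"))
        if not c["approved_by"]:
            out.append((c["id"], "no management approval"))
        elif c["approved_by"] == c["developer"]:
            out.append((c["id"], "self-approved by developer"))
    return out


# Toxic entitlement combinations taken from the findings. Each is a set of
# rights that one person should not hold at the same time.
TOXIC_COMBINATIONS: Dict[str, FrozenSet[str]] = {
    "developer+sysadmin": frozenset({"developer", "sysadmin"}),
    "dba+sysadmin": frozenset({"dba", "sysadmin"}),
    "developer+payroll_write": frozenset({"developer", "payroll_write"}),
}

# Constructed entitlement export: user -> set of rights across applications.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "prog1": {"developer", "payroll_write"},
    "prog2": {"developer", "payroll_write"},
    "dev3": {"developer", "sysadmin"},
    "dba4": {"dba", "sysadmin"},
    "clerk5": {"payroll_write"},
    "ops6": {"sysadmin"},
}


def sod_conflicts(entitlements, toxic=TOXIC_COMBINATIONS) -> List[Tuple[str, str]]:
    """Return (user, combination name) for every user whose rights include a
    full toxic combination. Holding only part of a combination is not flagged."""
    hits = []
    for user, rights in sorted(entitlements.items()):
        for name, combo in toxic.items():
            if combo <= rights:
                hits.append((user, name))
    return hits


# Constructed new-hire records (assumed schema): accounts granted and the
# access request that authorized them, if any.
NEW_HIRES = [
    {"user": "hire1", "accounts": ["network", "payroll"], "access_request": "REQ-0551"},
    {"user": "hire2", "accounts": ["network"], "access_request": None},
    {"user": "hire3", "accounts": [], "access_request": None},  # nothing granted yet
]


def unauthorized_provisioning(hires) -> List[str]:
    """Return users who hold at least one account with no recorded access request."""
    return [h["user"] for h in hires if h["accounts"] and not h["access_request"]]


if __name__ == "__main__":
    for row in change_control_exceptions(CHANGES):
        print("change control:", *row)
    for row in sod_conflicts(ENTITLEMENTS):
        print("segregation of duties:", *row)
    for user in unauthorized_provisioning(NEW_HIRES):
        print("provisioning without request:", user)
```

The checks are deliberately small so that the exception list, not the script, carries the evidence: each flagged item is either a missing artifact to be obtained or a known exception to be recorded and reviewed, which is the monitoring control the recommendation asks for where full segregation of duties is not practical.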