Executive Summary
Why the Controller’s Office Conducted the Assessment
Pursuant to the Philadelphia Home Rule Charter, the Office of the City Controller engaged Eisner Advisory Group, LLC (EisnerAmper) to conduct an assessment of the Information Technology (IT) general controls for selected financial systems. The objective of this assessment was to evaluate the IT controls over key financial-related applications in connection with the Controller’s Office audit of the City of Philadelphia, Pennsylvania’s Annual Comprehensive Financial Report for the fiscal year ended June 30, 2025.
What the Controller’s Office Found
Key findings in the report are listed below. We believe these findings and others described in the report warrant the attention of management.
- With regard to periodic user access reviews (UARs), exceptions were identified in the documentation and execution of UARs in ACIS, and a UAR was not performed at all for PHLContracts and the Office of Innovation and Technology (OIT).
- Concerning ACIS, exceptions were identified related to documentation and segregation of duties between development, test, and production environments. Specifically, five out of five change management requests were not fully documented, individuals with system administrator access had the ability to both develop changes in the development environment and migrate those changes into the production environment, and there was no post change monitoring control in place.
- Regarding PHLContracts, there was a lack of documentation and operation of logical access controls. Testing revealed privileged access provisioning was not adequately documented, and termination controls were not operating effectively.
What the Controller’s Office Recommends
The Controller’s Office has developed a number of recommendations to address the findings noted above. These recommendations can be found in the body of the report.
Click “Download Full Report” above to review the report and it’s findings.