Institutional Federal Compliance Report 2021
STATE OF NEW YORK
Schedule of Findings and Questioned Costs
March 31, 2019
The LATSnet application records and retains State employees' time, attendance, effort, and supervisor approval. Specifically, related to change management controls within the LATSnet application, the Provider did not maintain appropriate segregation of duties between code change development and migration, as programmers had the ability to both develop changes and migrate them into production within the LATSnet environment. Properly segregating these duties helps to guard against the risk that the third-party provider may migrate unauthorized changes and enhancements in LATS, which may impact the accuracy of effort reporting. Additionally, related to logical access controls within the LATSnet application, the Office did not perform an annual LATSnet user access review.

Cause

The condition was found because the Office was not aware that the Provider had not established proper segregation of duties for general information technology controls over change management, and the Office's logical access was not properly designed and implemented. Related to change management, while changes go through the appropriate change management process of approval, development, user access testing (UAT), and finally migration, there is not an appropriate level of segregation of duties between developers and migrators at the Provider. Additionally, regarding logical access, the Office did not perform a LATSnet user access review over all privileged users.

Possible Asserted Effect

Failure to have a reliable general information technology environment over change management and logical access may result in unauthorized changes being made to LATSnet, which may result in erroneous reliance on the operating effectiveness of automated information technology control over personnel costs allowability, specifically effort reporting.

Failure to have effective internal controls over personnel cost allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.

Questioned Costs

None

Statistical Sampling

The sample was not intended to be, and was not, a statistically valid sample.

Recommendation

We recommend the Office revise its procedures related to program access by implementing an annual user access review that also focuses on the completeness and accuracy of the listing of users being reviewed over privileged users of the LATSnet application. Additionally, we recommend that the Office work with its third-party software service provider to ensure they review their change management policies and procedures, including related internal controls encompassing segregation of duties between code change development and migration, as well as to ensure a complete population of all LATSnet changes migrated into production for agencies served by the Office is provided to the Office.