Audit of Access Request Application (ARA) Using Computer-Assisted Audit Techniques (CAATs): Auditor-Controller


Orange County Internal Audit Department
RISK BASED AUDITING (Cited as a Best Practice by the Institute of Internal Auditors)
GAO & IIA Peer Review Compliant – 2001, 2004, 2007, 2010, 2013
Orange County: 6th Largest County in the USA

OC Board of Supervisors: 1st District – Janet Nguyen; 2nd District – John M.W. Moorlach; 3rd District – Todd Spitzer; 4th District – Shawn Nelson, Chairman; 5th District – Patricia C. Bates, Vice Chair

AUDIT OF ACCESS REQUEST APPLICATION (ARA) USING COMPUTER-ASSISTED AUDIT TECHNIQUES (CAATS): AUDITOR-CONTROLLER
As of May 31, 2014

AUDIT NO: 1357
REPORT DATE: AUGUST 20, 2014
Director: Dr. Peter Hughes, MBA, CPA, CIA
Senior Audit Manager: Michael Goodwin, CPA, CIA
IT Audit Manager: Wilson Crider, CPA, CISA* (*Certified Information System Auditor)

The Auditor-Controller is implementing an automated workflow process to replace the existing paper-based process for authorizing access to the CAPS system resources and assigning user security roles. We reviewed design documentation for the automated Access Request Application (ARA) to identify controls that, if implemented properly, would facilitate appropriate segregation of duties, reviews and approvals, audit trails, and reconciliations. We also analyzed 2,571 CAPS user accounts as of November 1, 2013, to identify potential segregation of duties conflicts, inappropriate user access, and CAPS security table issues.

Our CAAT routines identified several exceptions that require further research by the Auditor-Controller to determine whether an exception existed. We identified three (3) Control Findings for the Auditor-Controller to perform further research on the reported findings to determine if they are valid exceptions.

American Institute of Certified Public Accountants Award to Dr. Peter Hughes as 2010 Outstanding CPA of the Year for Local Government
GRC (Government, Risk & Compliance) Group 2010 Award to IAD as MVP in Risk Management
2009 Association of Certified Fraud Examiners’ Hubbard Award to Dr. Peter Hughes for the Most Outstanding Article of the Year – Ethics Pays
2008 Association of Local Government Auditors’ Bronze Website Award
2005 Institute of Internal Auditors’ Award to IAD for Recognition of Commitment to Professional Excellence, Quality, and Outreach

Independence, Objectivity, Integrity
GAO & IIA Peer Review Compliant - 2001, 2004, 2007, 2010, 2013
Providing Facts and Perspectives Countywide
RISK BASED AUDITING

Dr. Peter Hughes, Director
Ph.D., MBA, CPA, CCEP, CITP, CIA, CFE, CFF, CGMA
Certified Compliance & Ethics Professional (CCEP)
Certified Information Technology Professional (CITP)
Certified Internal Auditor (CIA)
Certified Fraud Examiner (CFE)
Certified in Financial Forensics (CFF)
Chartered Global Management Accountant (CGMA)
E-mail: peter.hughes@iad.ocgov.com

Michael J. Goodwin, Senior Audit Manager, CPA, CIA
Alan Marcum, Senior Audit Manager, MBA, CPA, CIA, CFE

Hall of Finance & Records
12 Civic Center Plaza, Room 232
Santa Ana, CA 92701
Phone: (714) 834-5475
Fax: (714) 834-2880

To access and view audit reports or obtain additional information about the OC Internal Audit Department, visit our website: www.ocgov.com/audit
OC Fraud Hotline (714) 834-3608

Transmittal Letter
Letter from Dr. Peter Hughes, CPA
Audit No. 1357
August 20, 2014

TO: Jan E. Grimes, CPA, Auditor-Controller
FROM: Dr. Peter Hughes, CPA, Director, Internal Audit Department
SUBJECT: Audit of Access Request Application (ARA) Using Computer-Assisted Audit Techniques (CAATs): Auditor-Controller

We have completed an Audit of Access Request Application (ARA) Using Computer-Assisted Audit Techniques (CAATs) as of May 31, 2014. We performed this audit in accordance with our FY 2013-14 Audit Plan and Risk Assessment approved by the Audit Oversight Committee and the Board of Supervisors. The final report is attached for your information.

Please note we have a structured and rigorous Follow-Up Audit process in response to recommendations and suggestions made by the Audit Oversight Committee (AOC) and the Board of Supervisors (BOS). Our First Follow-Up Audit will begin at six months from the official release of the report. A copy of all our Follow-Up Audit reports is provided to the BOS as well as to all those individuals indicated on our standard routing distribution list.

The AOC and BOS expect that audit recommendations will typically be implemented within six months and often sooner for significant and higher risk issues. Our Second Follow-Up Audit will begin at six months from the release of the first Follow-Up Audit report, by which time all audit recommendations are expected to be addressed and implemented. At the request of the AOC, we are to bring to their attention any audit recommendations we find still not implemented or mitigated after the second Follow-Up Audit. The AOC requests that such open issues appear on the agenda at their next scheduled meeting for discussion.

Each month I submit an Audit Status Report to the BOS where I detail any material and significant audit issues released in reports during the prior month and the implementation status of audit recommendations as disclosed by our Follow-Up Audits. Accordingly, the results of this audit will be included in a future status report to the BOS.

As always, the Internal Audit Department is available to partner with your staff so that they can successfully implement or mitigate difficult audit recommendations. Please feel free to call me should you wish to discuss any aspect of our audit report or recommendations. Additionally, we will request your department complete a Customer Survey of Audit Services. You will receive the survey shortly after the distribution of our final report.

ATTACHMENTS

Other recipients of this report are listed on the OC Internal Auditor’s Report on page 4.

Page i
The Internal Audit Department is an independent audit function reporting directly to the Orange County Board of Supervisors.

Table of Contents
Audit of Access Request Application (ARA) Using Computer-Assisted Audit Techniques (CAATs): Auditor-Controller
Audit No. 1357
As of May 31, 2014

Transmittal Letter ........ i
OC Internal Auditor's Report
  OBJECTIVES ........ 1
  RESULTS ........ 2
  BACKGROUND ........ 3
  SCOPE ........ 3
Detailed Results, Findings, Recommendations and Management Responses
  Finding 1 – Security and Workflow Policy Conflicts (Control Finding) ........ 6
  Finding 2 – CAPS User Account Exceptions to HR Employee Records (Control Finding) ........ 6
  Finding 3 – CAPS Security Table Configuration (Control Finding) ........ 7
ATTACHMENT A: Report Item Classifications ........ 8
ATTACHMENT B: Auditor-Controller Management Responses ........ 9

OC Internal Auditor’s Report
Audit No. 1357
August 20, 2014

TO: Jan E. Grimes, CPA, Auditor-Controller
FROM: Dr. Peter Hughes, CPA, Director, Internal Audit Department
SUBJECT: Audit of Access Request Application (ARA) Using Computer-Assisted Audit Techniques (CAATs): Auditor-Controller

Audit Highlight
We reviewed ARA design documentation to identify application controls that, if implemented properly, would facilitate appropriate segregation of duties, reviews and approvals, audit trails, and reconciliations. We also analyzed 2,571 CAPS user accounts as of November 1, 2013, to identify potential segregation of duties conflicts, inappropriate CAPS user access, and CAPS security table issues. We identified three (3) Control Findings that require action by the A-C to resolve CAPS policy conflicts, unnecessary CAPS access, and unnecessary security table entries.

OBJECTIVES
In accordance with our FY 2013-2014 Audit Plan and Risk Assessment approved by the Audit Oversight Committee and Board of Supervisors, the Internal Audit Department conducted an audit of Access Request Application (ARA). We reviewed design documentation for ARA as well as performed a variety of audit tests of CAPS user access records utilizing Computer-Assisted Audit Techniques (known by the acronym CAATs). This audit was conducted in conformance with the Professional Practice of Internal Auditing prescribed by the Institute of Internal Auditors.

Our objective was to review design documentation to identify controls that, if implemented properly, would facilitate appropriate segregation of duties, reviews and approvals, audit trails, and reconciliations. In addition, we analyzed CAPS user access tables to determine whether the CAPS user accounts as established provided an adequate segregation of duties. To accomplish this, we performed the following objectives:

1. Reviewed ARA design documents to identify application controls: Reviewed documentation to identify application controls that, if implemented properly, would facilitate:
   - Appropriate segregation of duties,
   - Reviews and approvals,
   - Audit trails, and
   - Reconciliations.
2. Analyzed CAPS User Access to identify policy conflicts: Reviewed CAPS user accounts for potential security and workflow role conflicts as defined by the Auditor-Controller.
3. Compared CAPS User Accounts with HR employee files to identify inappropriate access: Compared CAPS user accounts with the HR employee file to identify:
   - Inactive employees,
   - Non-County employees, and
   - Account names not conforming to standard.
4. Analyzed CAPS Security Tables to identify inefficiencies: Reviewed CAPS security tables to identify issues in the following areas:
   - Security roles,
   - Workflow roles, and
   - CAPS resources.

Audit of Access Request Application (ARA) Using Computer-Assisted Audit Techniques (CAATs): Auditor-Controller
Audit No. 1357
Page 1

OC Internal Auditor’s Report

RESULTS

Objective #1 – ARA Application Controls:
We reviewed ARA design documentation to identify application controls in the areas of segregation of duties, reviews and approvals, audit trails, and reconciliations, and found adequate controls in the written documents. Based on our review of design documentation, we determined that the application controls identified, if implemented properly, would facilitate appropriate segregation of duties, reviews and approvals, audit trails, and reconciliations. We have no findings or recommendations under this objective.

Objective #2 – Security and Workflow Policy Conflicts:
We used a CAAT routine to identify potential segregation of duties issues based on the Auditor-Controller’s defined security role conflicts for both the Financial/Purchasing and HR/Payroll systems. The Auditor-Controller had identified 270 Financial/Purchasing role conflicts and 12 HR/Payroll role conflicts.

Our CAAT analysis performed on 2,571 CAPS user accounts identified the following:
- 106 Financial/Purchasing conflicts relating to 61 user accounts, and
- 870 HR/Payroll conflicts relating to 122 user accounts.

We identified one (1) Control Finding to implement ARA and resolve the CAPS user conflicts. (See the Detailed Results, Findings, Recommendations and Management Responses section of this report.)

Objective #3 – Comparison to HR Employee Records:
We compared the CAPS user accounts with the HR employee data file as of November 1, 2013, to identify non-County user access and separated employees. Our CAAT analysis performed on 2,571 CAPS user accounts identified the following:
- 185 CAPS user accounts (47 belong to special districts, courts) not matched to an active employee;
- 109 CAPS user accounts matched to an employee record with a status other than active; and
- 15 CAPS user accounts (12 related to system processes) that did not conform to the standard naming convention.

We identified one (1) Control Finding to resolve the CAPS user access issues.

Objective #4 – CAPS Security Tables:
We analyzed the CAPS security tables, including security role tables, workflow role tables, and resource definition tables, to identify potential issues and identified the following:
- 31 CAPS resources not associated with a security role,
- 172 Security roles that do not grant access to CAPS resources,
- 76 Security roles not associated with a user,
- 73 Workflow roles not associated with a user,
- 58 Workflow roles that do not grant access to CAPS documents, and
- 6 Workflow roles granting access to CAPS documents not defined in the workflow table.

We identified one (1) Control Finding to perform further research and resolve these issues.

Audit of Access Request Application (ARA) Using Computer-Assisted Audit Techniques (CAATs): Auditor-Controller
Audit No. 1357
Page 2
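The two account-level routines described under Objectives #2 and #3 (matching each account's roles against a table of conflicting role pairs, and reconciling accounts with the HR employee file) can be reproduced with a short script. The following is an added example; it is not the audit department's ACL routine and does not use the Auditor-Controller's actual conflicting-roles tables. The role names, account names, employment statuses and the account naming standard it applies are all constructed assumptions.

```python
"""Added example (not the audit's ACL routines): CAAT-style checks for
(1) segregation-of-duties conflicts against a table of conflicting role pairs
and (2) reconciliation of user accounts with an HR employee file.
All names, roles, statuses and the naming rule below are constructed."""
import re

# Constructed conflicting-role table (hypothetical role names). Each pair is a
# combination one person must not hold, like the A-C's conflicting roles tables.
CONFLICTING_ROLES = {
    frozenset({"AP_VENDOR_MAINT", "AP_PAYMENT_APPROVE"}),
    frozenset({"PO_CREATE", "PO_APPROVE"}),
    frozenset({"HR_EMP_MAINT", "PAY_RUN_APPROVE"}),
}

# Constructed user-account extract: account -> set of security roles held.
USER_ROLES = {
    "jsmith": {"AP_VENDOR_MAINT", "AP_PAYMENT_APPROVE", "GL_INQUIRY"},
    "mlee": {"PO_CREATE", "PO_APPROVE", "AP_VENDOR_MAINT", "AP_PAYMENT_APPROVE"},
    "rgarcia": {"GL_INQUIRY"},
    "tnguyen": {"HR_EMP_MAINT", "PAY_RUN_APPROVE"},
    "batch_nightly": {"PAY_RUN_APPROVE"},     # system-process account
    "ext_auditor1": {"GL_INQUIRY"},           # non-employee account
}

# Constructed HR employee file: account -> employment status.
HR_FILE = {
    "jsmith": "ACTIVE",
    "mlee": "ACTIVE",
    "rgarcia": "SEPARATED",
    "tnguyen": "LEAVE",
}

# Assumed naming standard for this example (lowercase letters only); the
# report does not state the County's actual convention.
ACCOUNT_NAME_PATTERN = re.compile(r"^[a-z]{3,}$")


def find_sod_conflicts(user_roles, conflicting_roles):
    """Return {account: [sorted conflicting pairs]} for every account that
    holds both roles of at least one defined conflicting pair."""
    conflicts = {}
    for user, roles in user_roles.items():
        hits = [tuple(sorted(pair)) for pair in conflicting_roles if pair <= roles]
        if hits:
            conflicts[user] = sorted(hits)
    return conflicts


def summarize(conflicts):
    """Tally conflicts and affected accounts separately, as the report does
    (one account can carry several conflicting pairs)."""
    return {"conflicts": sum(len(v) for v in conflicts.values()),
            "accounts": len(conflicts)}


def reconcile_with_hr(user_roles, hr_file, name_pattern=ACCOUNT_NAME_PATTERN):
    """Classify accounts the way Objective #3 does: not matched to an employee,
    matched to a non-active employee, or not conforming to the naming standard."""
    result = {"unmatched": [], "not_active": [], "nonconforming": []}
    for user in sorted(user_roles):
        status = hr_file.get(user)
        if status is None:
            result["unmatched"].append(user)
        elif status != "ACTIVE":
            result["not_active"].append((user, status))
        if not name_pattern.match(user):
            result["nonconforming"].append(user)
    return result


if __name__ == "__main__":
    found = find_sod_conflicts(USER_ROLES, CONFLICTING_ROLES)
    for account, pairs in found.items():
        print(f"{account}: {pairs}")
    print("totals:", summarize(found))
    for category, items in reconcile_with_hr(USER_ROLES, HR_FILE).items():
        print(f"{category}: {items}")
```

The separate tallies matter: an account holding several conflicting pairs is counted once as an account but once per pair as a conflict, which is how the report can cite 106 conflicts over 61 accounts. As the report stresses, each hit is an exception for departmental validation, not yet a finding; a system-process account flagged as unmatched or non-conforming may be legitimate, but it still needs an owner and a documented reason to exist.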

OC Internal Auditor’s Report

BACKGROUND
The current process for requesting access to CAPS Financial/Purchasing, HR/Payroll and related systems (e.g., ERMI, VTI, and Personnel Data Warehouse) is a paper-based process. All of these systems contain sensitive and/or critical data related to the County’s financial, human resources and payroll information. Currently, a paper Access Request Form (ARF) is used that must be signed and routed to various approvers for a wet signature. The ARF is designed to ensure the creation and approval of transactions (financial, budget, purchasing, payroll, human resources) is performed only by authorized users. An important internal control component is the proper assignment and segregation of employee duties. Segregation of duties reduces the risk of both erroneous and improper actions. Roles and responsibilities are set up to require at least two different people to view each transaction.

The ARA (Access Request Application) automates the paper-based process and will streamline the current ARF process. Benefits of ARA include an automated “workflow” to help users find their ARA in the approval process, up-front segregation of duties (role conflict) validation, and the ability to copy existing user profiles. Security and workflow will be established that will require user IDs and passwords, security roles, workflow rules, and various levels of approval. The ARA system was intended to go live in June 2014, but was postponed to September 2014.

Our audit reviewed selected aspects of the pre-implementation of ARA. We utilized CAATs to identify existing security and workflow conflicts (indicating that duties are not segregated). CAATs differ from our traditional audits in that CAATs can query 100% of a data universe, whereas traditional audits typically test only a sample of transactions from the population. CAATs are automated queries applied to large amounts of electronic data searching for specified characteristics. We use a proprietary, best-practice and industry-recognized software product (ACL) to help us in this process.

Often additional research is needed to validate exceptions, and the information required is known only at the department level. Internal Audit attempts to validate and resolve exceptions; however, most of the resulting exceptions are forwarded to the appropriate department for validation and/or resolution. Depending on the department’s review, the exceptions may or may not be a finding. For the exceptions and findings noted in this report, we forwarded the preliminary exceptions to the Auditor-Controller (A-C) on December 18, 2013, for further research and/or clarification of existing CAPS access policies and procedures. In this report, we keep the details of our exceptions to a general discussion and do not identify specific user access. The A-C has been provided with the specific details of user access so they can conduct their research on the exceptions.

SCOPE
Our scope was conducting a CAAT analysis on 2,571 CAPS user accounts as of November 1, 2013, and included the following documents: ARA Scope of Work; ARA Testing Instructions, Instructional Aide, & Test Scripts/Cases; ARF Automation Design; Security & Workflow Design; and CAPS Security Tables. Our analysis included a review in the following areas:
1. ARA Design Documentation: We reviewed the ARA design documentation for controls in the following areas: segregation of duties, reviews and approvals, audit trails, and reconciliations.
2. Security and Workflow Policy Conflicts: We analyzed 2,571 CAPS user accounts for segregation of duties conflicts as defined by the A-C CAPS Conflicting Roles Tables.
3. Comparison to HR Employee Records: We compared all 2,571 CAPS user accounts with the Human Resources employee data file to identify user account issues.
4. CAPS Security Tables: We analyzed the CAPS security tables, including security roles, workflow roles, and resources tables, to identify potential issues.

Audit of Access Request Application (ARA) Using Computer-Assisted Audit Techniques (CAATs): Auditor-Controller
Audit No. 1357
Page 3
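The six security-table checks reported under Objective #4 (and covered by scope item 4 above) are set-difference questions over the security role, resource and workflow tables: which resources no role grants, which roles grant nothing or are assigned to nobody, and which workflow roles reference no document or a document the workflow table does not define. The following is an added example, not the audit's ACL routine; the table layouts and every role, resource, document and account name are constructed assumptions.

```python
"""Added example (not the audit's ACL routine): the six security-table
consistency checks described under Objective #4, run over constructed tables.
Table layouts and every role, resource and document name are assumptions."""

# Constructed CAPS-style tables.
RESOURCES = {"AP_VENDOR_TBL", "AP_PAYMENT_SCREEN", "PO_ENTRY_SCREEN",
             "GL_INQUIRY_RPT", "PAY_RUN_SCREEN"}

SECURITY_ROLE_RESOURCES = {          # security role -> resources it grants
    "AP_VENDOR_MAINT": {"AP_VENDOR_TBL"},
    "AP_PAYMENT_APPROVE": {"AP_PAYMENT_SCREEN"},
    "GL_INQUIRY": {"GL_INQUIRY_RPT"},
    "PO_CREATE": {"PO_ENTRY_SCREEN"},
    "LEGACY_ROLE_2009": set(),        # grants nothing
}

USER_SECURITY_ROLES = {              # account -> security roles
    "jsmith": {"AP_VENDOR_MAINT", "AP_PAYMENT_APPROVE"},
    "rgarcia": {"GL_INQUIRY"},
}

WORKFLOW_DOCUMENTS = {"PO", "PV", "PAYROLL_ADJ"}   # documents defined in the workflow table

WORKFLOW_ROLE_DOCUMENTS = {          # workflow role -> documents it may approve
    "PO_APPROVER": {"PO"},
    "PV_APPROVER": {"PV"},
    "OLD_REQ_APPROVER": {"REQ"},      # REQ is not a defined workflow document
    "STANDBY_APPROVER": set(),
}

USER_WORKFLOW_ROLES = {              # account -> workflow roles
    "mlee": {"PO_APPROVER"},
}


def security_table_exceptions(resources, role_resources, user_roles,
                              wf_documents, wf_role_documents, user_wf_roles):
    """Return the six exception lists the audit reports, each sorted."""
    granted = set().union(*role_resources.values())
    assigned_roles = set().union(*user_roles.values())
    assigned_wf_roles = set().union(*user_wf_roles.values())
    return {
        # resources no security role grants
        "resources_without_role": sorted(resources - granted),
        # security roles that grant no resource
        "roles_without_resources": sorted(r for r, res in role_resources.items() if not res),
        # security roles held by no account
        "roles_without_user": sorted(set(role_resources) - assigned_roles),
        # workflow roles held by no account
        "wf_roles_without_user": sorted(set(wf_role_documents) - assigned_wf_roles),
        # workflow roles that grant no document
        "wf_roles_without_documents": sorted(r for r, d in wf_role_documents.items() if not d),
        # workflow roles granting a document the workflow table does not define
        "wf_roles_with_undefined_documents": sorted(
            r for r, d in wf_role_documents.items() if d - wf_documents),
    }


def run_checks():
    """Run the six checks over the constructed tables."""
    return security_table_exceptions(RESOURCES, SECURITY_ROLE_RESOURCES, USER_SECURITY_ROLES,
                                     WORKFLOW_DOCUMENTS, WORKFLOW_ROLE_DOCUMENTS, USER_WORKFLOW_ROLES)


if __name__ == "__main__":
    for check, hits in run_checks().items():
        print(f"{check}: {len(hits)} -> {hits}")
```

Orphaned roles and ungranted resources are not access exposures by themselves, but they enlarge the tables an approver has to reason about when validating a request, which is why the report treats them as candidates for cleanup before ARA's up-front conflict validation goes live. As with the account-level checks, each list is an exception for the department to validate, not a confirmed finding.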

OC Internal Auditor’s Report

To accomplish the above, we worked with Auditor-Controller/Information Technology and Auditor-Controller/Internal Audit. The Auditor-Controller/Information Technology managers over CAPS Financial/Purchasing and HR/Payroll assisted us in researching our exceptions and helping refine our CAAT routines used in the audit.

Acknowledgment
We appreciate the courtesy extended to us by the Auditor-Controller personnel during our audit. If we can be of further assistance, please contact me directly at 834-5475 or Michael Goodwin, Senior Audit Manager, at 834-6066.

Attachments

Distribution Pursuant to Audit Oversight Committee Procedure No. 1:
Members, Board of Supervisors
Members, Audit Oversight Committee
Michael Giancola, County Executive Officer
Frank Kim, Chief Financial Officer
Mark Denny, Chief Operating Officer
Denise Steckler, Chief Deputy Auditor-Controller
Victoria Ross, Director, Central Accounting Operations, Auditor-Controller
Phil Daigneau, Director, Information Technology, Auditor-Controller
Bill Malohn, Manager, CAPS Financial/Purchasing, Auditor-Controller
Teresa White, Manager, CAPS HR/Payroll, Auditor-Controller
Foreperson, Grand Jury
Susan Novak, Clerk of the Board of Supervisors
Macias Gini & O’Connell LLP, County External Auditor

Audit of Access Request Application (ARA) Using Computer-Assisted Audit Techniques (CAATs): Auditor-Controller
Audit No. 1357
Page 4

Detailed Results, Findings, Recommendations and Management Responses

1. ARA Design Documentation (Objective #1)
We reviewed design documentation for the ARA application, including: ARA Scope of Work, ARF Automation Design, Security and Workflow Design, and ARA Testing Instructions, Instructional Aide & Test Scripts/Cases, and identified the following application controls:

- Segregation of Duties
  o ARA will automate the processing of CAPS access requests, including a workflow feature (email notifications and documented approvals) that will allow users to monitor the progress of their access request from initial request through final approval.
  o ARA will prevent segregation of duties conflicts as defined in the policy.
  o ARA security roles will limit users’ capabilities, similar to ERMI, where access to confidential documents (such as the access request form) is restricted.
  o An ARA administrator account will be established to configure/edit ARA, including: procedures for assignment/use/deactivation of the ARA administrator account; audit logs of account activity; and email notifications to a pre-determined distribution list.
- Review and Approval
  o ARA will automate the processing of CAPS access requests, including a workflow feature (email notifications and documented approvals) that will allow users to monitor the progress of their access request from initial request through final approval.
- Audit Trails
  o ARA will have an audit trail of all activity within the system.
- Reconciliation
  o ARA will provide reconciliation reports between ARA and CAPS.
- Other Security Features
  o ARA password criteria are configurable. For the ARA testing phase, password settings were simplified: 4 characters including numeric, upper case, and lower case, with the last 3 passwords kept in history. For production, the password settings will be strengthened: 8 characters including numeric, upper case, and lower case, with the last 3 passwords kept in history.
  o ARA will enable control of user email accounts, which is a key field in the administration of user accounts.
  o ARA automatically locks the accounts of users who have been separated or transferred when processed by CAPS HR.

Conclusion:
Based on our limited review of design documentation, we determined that the application controls identified, if implemented properly, would facilitate appropriate segregation of duties, reviews and approvals, audit trails, and reconciliations. No findings were noted under this objective.

2. Security and Workflow Po
