Council Auditor's Office


Council Auditor's Office

DAVID Compliance Audit
Clerk of Courts

March 7, 2017
Report #791
Released on: April 3, 2017

117 West Duval Street
Jacksonville, Florida 32202-3701
Telephone (904) 630-1625
Fax (904) 630-2908
www.coj.net

AUDIT REPORT #791

INTRODUCTION
STATEMENT OF OBJECTIVE
STATEMENT OF SCOPE AND METHODOLOGY
REPORT FORMAT
STATEMENT OF AUDITING STANDARDS
AUDITEE RESPONSES
AUDIT CONCLUSIONS
AUDIT OBJECTIVE

OFFICE OF THE COUNCIL AUDITOR
Suite 200, St. James Building

March 7, 2017
Report #791

Honorable Members of the City Council
City of Jacksonville

INTRODUCTION

The Duval County Clerk of Courts and the Florida Department of Highway Safety and Motor Vehicles (DHSMV) entered into a memorandum of understanding (MOU) related to the Clerk's access to the Driver and Vehicle Information Database (DAVID) system which is maintained by the DHSMV. Pursuant to the MOU, upon request from the DHSMV the Clerk of Courts is required to provide an attestation from a currently licensed CPA, its internal auditor or inspector general. As such, we were requested to conduct a compliance attestation on the Clerk's internal controls surrounding its access and use of the DAVID system. When finalizing the work we elevated the standards followed to that of a performance audit.

The DAVID system contains a variety of confidential personal information regarding Florida drivers such as driver license number, home address, license plates, social security number, driver's history, emergency contact information, driver's picture, etc. The Clerk of Courts uses DAVID information in court or traffic related cases for research or confirmation purposes only.

As of January 31, 2017, there were fifteen employees with access to DAVID. Two users were IT employees or system administrators and the other thirteen employees using the database worked in the Misdemeanor, Felony, or Traffic areas at the Clerk of Courts. Clerk employees performed a total of 9,556 searches in DAVID from January 1, 2016 through January 31, 2017.

STATEMENT OF OBJECTIVE

To evaluate and determine that proper internal controls are in place to protect personal data in the DAVID System from unauthorized access, distribution, use, modification, or disclosure.

STATEMENT OF SCOPE AND METHODOLOGY

The scope of the audit was January 1, 2016 through January 31, 2017.
We identified major internal controls in place to protect personal data contained in the DAVID System. We also identified any internal control in place that ensures compliance with Sections 4(B) and 5 of the MOU. We then tested these controls to determine whether or not we could rely on them to meet the audit objective. Lastly, we randomly selected a week within the audit scope period and ten DAVID users to review usage. We obtained and reviewed their respective user activity report as follows:

We searched each name listed on the user activity report in the Duval County Court Records Inquiry database, to verify if these individuals had any court or traffic related case that could justify the search performed by Clerk employees.

We performed internet searches to find out if the individual searched was a celebrity or a politician.

We also compared the last name of the Clerk employee doing the search with the last name of the individual being searched to see if they were potentially related.

We also determined whether or not the DAVID search was done during regular working hours (from 8:00 am to 6:00 pm).

REPORT FORMAT

Our report is structured to identify Internal Control Weaknesses, Audit Findings, and Opportunities for Improvement as they relate to our audit objectives. Internal control is a process implemented by management to provide reasonable assurance that they achieve their objectives in relation to the effectiveness and efficiency of operations and compliance with applicable laws and regulations. An Internal Control Weakness is therefore defined as either a defect in the design or operation of the internal controls or is an area in which there are currently no internal controls in place to ensure that objectives are met. An Audit Finding is an instance where management has established internal controls and procedures, but responsible parties are not operating in compliance with the established controls and procedures. An Opportunity for Improvement is a suggestion that we believe could enhance operations.

STATEMENT OF AUDITING STANDARDS

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

AUDITEE RESPONSES

Responses from the Clerk of Court's Office have been inserted after the respective finding and recommendation. We received these responses from Ronnie Fussell, Duval County Clerk of the Court, in a memorandum dated March 29, 2017.

AUDIT CONCLUSIONS

Overall, the Clerk of Courts has adequate controls in place to protect the personal data from unauthorized access, distribution, use and modification or disclosure; however, we did find that the agency is not in full compliance with all requirements in the contractual agreement between the Clerk of Courts and the DHSMV and that there were misuses of the DAVID database by an employee.

AUDIT OBJECTIVE

To evaluate and determine that proper internal controls are in place to protect personal data in the DAVID System from unauthorized access, distribution, use, modification, or disclosure.

Finding 1 *Misuse of DAVID Information by Employee*

We found evidence that an employee at Clerk of Courts appears to have misused the DAVID system on multiple occasions. This employee performed 25 searches on eight different individuals including themselves that appear to be unauthorized. These searches were of their spouse, siblings, a parent and others. We were unable to find any public records in the Duval County Clerk of Courts website (such as a traffic ticket, a misdemeanor or felony case connected to these individuals) that would justify these searches done by the employee as business related.

Section 5(A) of the MOU states that information exchanged will not be used for any purposes not specifically authorized by this agreement. Unauthorized use includes, but is not limited to, queries not related to a legitimate business purpose, personal use, and the dissemination, sharing, copying or passing of this information to unauthorized persons.

Additionally, personal information contained in a motor vehicle record is considered confidential pursuant to the Driver's Privacy Protection Act, 18 U.S.C. § 2721. Unauthorized uses of driver's information from DAVID could result in civil proceedings against the agency and/or criminal proceedings against any user or other person involved.
Violations or misuse may also subject the user and the agency to administrative sanctions and could result in DAVID access termination.

Recommendation to Finding 1

We recommend that the Clerk of Courts further investigate these DAVID misuses and then take adequate corrective and administrative actions. If it is determined that personal information has been compromised, then the Clerk of Courts must notify the DHSMV and the affected individuals as required by the MOU. Finally, the Clerk of Courts should monitor employees' activity in DAVID on an on-going basis to deter and detect any future misuse of the database consistent with Finding 2.

Auditee Response to Finding 1

We agree with this recommendation. Upon being notified of this finding, the Clerk's Office reported the suspected misuse to the Jacksonville Sheriff's Office Integrity/Special Investigations Unit for further investigation. The JSO concluded that a crime was not committed, but rather violations of the DAVID User Agreement and Office Policy and Procedure. In addition, as required by the MOU, the Clerk's Office has notified the Department of Highway Safety and Motor Vehicles (DHSMV) of this incident. This employee's access to DAVID was immediately terminated and a disciplinary action initiated. The Clerk's Office takes this breach very seriously and it will not be tolerated.

Finding 2 *Users' Activity Not Monitored Regularly*

Based on our review, it appears that management is not regularly monitoring employees' activity in the DAVID database. In order for a supervisor to monitor other employees' activity, he/she has to run a User Activity Report which shows all user activity including searches and pages visited by the employee in the DAVID system. We found that a User Activity Report was only run twice on April 7, 2016 by the former system administrator and run 5 times in January 2017 by the current system administrator. When reviewing the User Activity Report for the supervisor in charge of monitoring other employees' activity, we did not find any evidence that indicates the employee was periodically reviewing and monitoring users' activity in the DAVID database during our audit scope period.

Section 5(F) of the MOU states that all access to the information must be monitored on an ongoing basis by the requesting party. Additionally, not monitoring users' activity regularly increases the chances that unauthorized access or misuse of the database goes undetected.

Recommendation to Finding 2

We recommend that the Clerk of Courts monitor employees' activity in DAVID on an on-going basis as required by the MOU. Also, the monitoring should be documented in some form.

Auditee Response to Finding 2

We agree with this recommendation.
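
The usage checks listed under Scope and Methodology, which are also the kind of ongoing review Finding 2 calls for, can be run over an exported activity log. The following is an added example, not part of the audit report or any DHSMV tooling: the CSV layout, the case index and every name in it are constructed, and the real User Activity Report format is not shown in the report. The internet search for public figures is left out because it is a manual step.

```python
"""Flag activity-log searches using the checks described in the audit report."""
import csv
import io
from collections import defaultdict
from datetime import datetime, time

WORK_START, WORK_END = time(8, 0), time(18, 0)  # 8:00 am to 6:00 pm, per the report

# Constructed sample export; the column names are an assumption.
ACTIVITY_CSV = """emp_last,emp_first,timestamp,subject_last,subject_first
Stone,Avery,2016-06-13 09:15,Marsh,Dana
Stone,Avery,2016-06-13 19:40,Stone,Riley
Stone,Avery,2016-06-14 10:05,Stone,Avery
Pike,Jordan,2016-06-14 11:30,Quill,Sam
Pike,Jordan,2016-06-15 07:20,Marsh,Dana
"""

# Constructed stand-in for a court-records lookup: people with a traffic,
# misdemeanor or felony case that could justify a search.
CASE_INDEX = {("marsh", "dana")}


def review(activity_csv, case_index):
    """Return one finding per search that trips at least one check."""
    findings = []
    for row in csv.DictReader(io.StringIO(activity_csv)):
        employee = (row["emp_last"].strip().lower(), row["emp_first"].strip().lower())
        subject = (row["subject_last"].strip().lower(),
                   row["subject_first"].strip().lower())
        when = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M")
        flags = []
        if subject not in case_index:
            flags.append("no_related_case")      # nothing on file to justify it
        if subject == employee:
            flags.append("self_search")
        elif subject[0] == employee[0]:
            flags.append("same_last_name")       # potentially related
        if not WORK_START <= when.time() <= WORK_END:
            flags.append("outside_hours")
        if flags:
            findings.append({
                "employee": f'{row["emp_first"]} {row["emp_last"]}',
                "when": when,
                "subject": subject,
                "flags": flags,
            })
    return findings


def summarize(findings):
    """Count flags per employee so the reviewer can decide whom to look at first."""
    totals = defaultdict(lambda: defaultdict(int))
    for finding in findings:
        for flag in finding["flags"]:
            totals[finding["employee"]][flag] += 1
    return {emp: dict(counts) for emp, counts in totals.items()}


if __name__ == "__main__":
    results = review(ACTIVITY_CSV, CASE_INDEX)
    for f in results:
        print(f["when"], f["employee"], "->", f["subject"], f["flags"])
    print(summarize(results))
```

Each flag is a lead for the supervisor to follow up, not proof of misuse: a shared last name or an after-hours search can have a legitimate business reason. Saving the output of each run gives the documented record of monitoring that the recommendation asks for.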

Finding 3 *Lack of Evidence That Quality Control Reviews Are Being Done Quarterly*

The Clerk of Courts was unable to provide adequate documentation that shows the quarterly quality control reviews were done for the period covering April through December of 2016. The DHSMV created a comprehensive Quarterly Quality Control Review form that explains in detail the audit steps that agencies should follow when performing their quarterly quality control review. The Clerk of Courts did not use the Quarterly Quality Control Review form provided by the DHSMV during our audit scope period.

Section 4(B)(9) of the MOU states that the requesting agency agrees to conduct quarterly quality control reviews to ensure all current users are appropriately authorized. Section 5(F) of the MOU states that all access to the information must be monitored on an on-going basis by the requesting party. Additionally, good business practices suggest using a uniform form or program when conducting a quality control review.

Recommendation to Finding 3

We recommend that the Clerk of Courts perform a quality control review every quarter as required by the MOU and properly document the work done. The Clerk should use the Quarterly Quality Control Review form provided by the DHSMV when performing their quarterly review. Finally, the agency should perform every step mentioned in this form.

Auditee Response to Finding 3

We agree with this recommendation.

Finding 4 *Access Permissions Not Removed Timely*

We found one employee who resigned on May 30, 2014 but whose access to the DAVID system was not removed until November 8, 2016. This employee had access to the database for 893 days after the employment was terminated at the Clerk of Courts. However, per the employee's User Activity Report, it appears that the former employee never accessed the database after being terminated.

Section 4(B)(9) of the MOU states that the requesting agency agrees to update user access permissions upon termination or reassignment of users within five working days.

Recommendation to Finding 4

We recommend that access rights be removed upon termination or reassignment within five working days as required by the signed MOU.

Auditee Response to Finding 4

We agree with this recommendation. User lists are being reviewed on an ongoing basis. In addition, notification is sent from Human Resources to Information Technology staff as to any changes in employment status so IT administrators can make the appropriate changes to system access.

Internal Control Weakness 1 *Issues with Access Rights in DAVID*

There are two users who are IT employees with improper access rights to the DAVID system. They have the ability to do searches in the database even though they do not need these capabilities to perform their job functions. These two employees are the system administrators and their primary function as it relates to the DAVID system is to grant or remove other users' access rights as requested by management.

Best business practices suggest that employees should only be granted the access rights needed to perform their job functions.

We reviewed the user activity report for these two employees and it appears that they have never performed any searches in DAVID which would be considered outside their job functions. Additionally, it appears that their activity in the database has only been IT related.

Recommendation to Internal Control Weakness 1

We recommend that the Clerk of Courts review the access rights granted to the system administrators to ensure they only have the appropriate access rights needed to perform their job functions.

Auditee Response to Internal Control Weakness 1

We agree with this recommendation and the rights for the two IT administrators have been modified to reflect this recommendation.

We appreciate the assistance and cooperation we received from the Clerk of Courts through the course of this audit.

Respectfully submitted,

Kirk A. Sherman, CPA
Council Auditor

Audit Performed By:
Brian Parks, CPA, CIA, CGAP
Chedly Broche, CPA