Professional Documents
Culture Documents
Performance Audit
December 2009
Dennis J. Gallagher
Auditor
The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is
responsible for examining and evaluating the operations of City agencies for the purpose of ensuring the
proper and efficient use of City resources and providing other audit services and information to City
Council, the Mayor and the public to improve all aspects of Denver’s government. He also chairs the
City’s Audit Committee and oversees the City’s Comprehensive Annual Financial Report (CAFR).
The Audit Committee is chaired by the Auditor and consists of seven members. The Audit Committee
assists the Auditor in his oversight responsibilities of the integrity of the City’s finances and operations,
including the integrity of the City’s financial statements. The Audit Committee is structured in a manner
that ensures the independent oversight of City operations, thereby enhancing citizen confidence and
avoiding any appearance of a conflict of interest.
Audit Committee
Dennis Gallagher Maurice Goodgaine
Robert Haddock Jeffrey Hart
Charles Husted Bonney Lopez
Timothy O’Brien
Audit Staff
John Carlson, Deputy Audit Director, JD, CIA, CICA
Stephen E. Coury, IT Audit Supervisor, CISA
Robert Pierce, Lead IT Auditor, CISA
Aaron Pratt, Senior IT Auditor, CISA
Brandon Blomquist, Staff IT Auditor
Molly Rauzi, Chief Information Officer Claude Pumilia, Chief Financial Officer
Technology Services Department of Finance
City and County of Denver City and County of Denver
Attached is the Auditor’s Office Audit Services Division’s report of their audit of PeopleSoft IT
General Controls for the period of October 1, 2008 through September 30, 2009. The purpose of
the audit was to examine and assess the IT general controls related to the PeopleSoft Human
Resources and Financial Management applications to ensure they provide sound foundations to
support the proper operating and security of these information systems. Audit work focused on
change control, security settings, access management, and operations as they pertain to the
PeopleSoft Human Resources and Financial Management applications.
The audit revealed deficiencies in the process for disabling systems access of terminated
employees as well as the need for process improvements to help ensure system password
settings are effective. The audit also identified a need to perform a disaster recovery test for the
PeopleSoft Human Resources and Financial Management applications.
If you have any questions, please call Kip Memmott, Director of Audit Services, at 720-913-5029.
Sincerely,
Dennis Gallagher
Auditor
DJG/ect
To promote open, accountable, efficient and effective government by performing impartial reviews and other audit
services that provide objective and useful information to improve decision making by management and the people.
We will monitor and report on recommendations and progress towards their implementation.
City and County of Denver
201 West Colfax Ave., Dept. 705 Denver, Colorado 80202 720-913-5000 FAX 720-913-5247
www.denvergov.org/auditor
Dennis J. Gallagher
Auditor
AUDITOR’S REPORT
We have completed an audit of PeopleSoft IT General Controls for the period of October 1, 2008
through September 30, 2009. The purpose of the audit was to examine and assess the IT general
controls related to the PeopleSoft Human Resources and Financial Management applications to
ensure they provide sound foundations to support the proper operating and security of these
information systems. Audit work focused on change control, security settings, access
management, and operations as they pertain to the PeopleSoft Human Resources and Financial
Management applications.
This audit was included in the Auditor’s Office Audit Services Division’s 2009 Annual Audit Plan
and is authorized pursuant to the City and County of Denver Charter, Article V, Part 2, Section 1,
General Powers and Duties of Auditor, and was conducted in accordance with generally
accepted government auditing standards. Those standards require that we plan and perform
the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that the evidence obtained
provides a reasonable basis for our findings and conclusions based on our audit objectives.
The audit revealed deficiencies in the process for disabling systems access of terminated
employees as well as the need for process improvements to help ensure system password
settings are effective. The audit also identified a need to perform a disaster recovery test for the
PeopleSoft Human Resources and Financial Management applications.
We extend our appreciation to the personnel who assisted and cooperated with us during the
audit.
To promote open, accountable, efficient and effective government by performing impartial reviews and other audit
services that provide objective and useful information to improve decision making by management and the people.
We will monitor and report on recommendations and progress towards their implementation.
TABLE OF CONTENTS
EXECUTIVE SUMMARY 1
SCOPE 6
OBJECTIVES 7
METHODOLOGY 8
FINDING 1 9
Procedures for Removing System Access Are Not Fully Effective 9
FINDING 2 10
Password and Physical Access Controls Are Not Consistently Aligned with
City Policies and Procedures 10
FINDING 3 12
Disaster Recovery Procedures Are Not Tested on a Periodic Basis 12
AGENCY RESPONSE 13
EXECUTIVE SUMMARY
Audit work revealed deficiencies in the process for disabling systems access of
terminated employees as well as the need for process improvements to help ensure
system password settings are effective. The audit also identified a need to perform a
disaster recovery test for the PeopleSoft Human Resources and Financial Management
applications.
These deficiencies were found in three of the four areas of Information Technology
General Controls (ITGCs) reviewed for the PeopleSoft application and supporting
infrastructure. The three areas with deficiencies were access management, security
settings, and operations. No deficiencies were found based on the testing we performed
in the change control area.
Access Management
Security Settings
Some users with access to PeopleSoft, Oracle, or the AIX operating system do not have
adequate controls over their passwords. It is important that users follow good password
practices as set by management. Passwords provide the primary control over user
access to computer resources and their effectiveness tends to diminish over time. A lack
of security parameters weakens security controls, which could lead to unauthorized
access to the system and the subsequent disclosure, misuse and/or destruction of City
data. Specifically, these security weaknesses could result in unauthorized individuals
gaining access to the system and possibly changing, modifying, or deleting sensitive
system files, or viewing confidential documents stored within the information systems
environment.
Audit work also identified data center access cards that were not assigned to specific
authorized persons. Without full accountability for who has access to the data centers,
unknown persons could cause system disruption, physical damage or steal valuable
assets.
O f f ice of t he A udit or
Page 1
Operations
Business owners and Technology Services have not performed a test of the existing
disaster recovery plan supporting PeopleSoft and its supporting infrastructure within the
last year. Hardware, software, and personnel changes occurring over time could cause
parts of the plan to become obsolete. Without periodic testing there is a risk that the
disaster recovery plan will not work properly when needed.
Although many city agencies use the various PeopleSoft modules, we identified the
Office of the Controller as a key business owner and user of PeopleSoft. The Technology
Services organization provides the technical support and IT general controls environment
for PeopleSoft through its Enterprise Applications Services and Operations groups.
O f f ice of t he A udit or
Page 3
Change Control
Strong procedures over change control ensure
that changes introduced into production are
authorized and tested to maintain the integrity
and availability of both software applications
and data.
The software developer makes system changes in the Test environment but cannot
implement the changes into production. Persons other than the software developer
perform software testing functions in the Quality Assurance environment. After approval
by the requesting party or business owner, the change is then implemented into the
Production environment.
Controls that provide a separation of duties ensure that no single person can implement
a change into production. The processing and testing of changes through the three
environments of Test, Quality Assurance and Production helps to ensure that changes are
authorized, tested, and approved. The overall result of these controls helps to preserve
the integrity of the production environment’s system and data, and prevents
unnecessary disruption of production systems.
Operating System Level – Both the PeopleSoft application and the Oracle
database run on servers controlled by the AIX operating system. System
Administrators configure servers to support the integrity and protection of the
data. System Administrators can have local accounts on the server that are
separate from their general network logins. Password controls over these local
accounts are configured in the AIX operating system. Changing passwords
periodically helps protect unauthorized system access in the event passwords are
unknowingly compromised.
O f f ice of t he A udit or
Page 5
uses it. The root password should be changed periodically and changed
immediately when anyone knowing the password transfers out of the department
or terminates employment with the City.
Physical Security Level – The physical servers that support all the aforementioned
levels reside in a protected data center. Proximity badge readers control access
to the data center. The City issues access security cards to authorized individuals.
These individuals scan the cards by a specialized reader mounted near the door,
which verifies the card and unlocks the door accordingly. As the card is the sole
control for physical access, a person should have only one card and every card
should be registered to a known and authorized individual.
Access Management
Employees are granted access rights to
the City’s information systems upon being
hired. Job requirements determine
specific access rights and such rights are
modified when job responsibilities change.
Access is disabled or removed when
individuals terminate their employment
with the City. These controls are designed
to ensure that only authorized individuals
have access to City systems and data
and that such access is limited according
to their specific job requirements.
Operations
Controls over operations of systems help to ensure the confidentiality, integrity, and
availability of information systems. These controls include regularly backing up system
data, storing backup media offsite, and regularly testing system recovery capability in
the event of a disaster.
SCOPE
The audit examined and evaluated IT general controls related to the City’s PeopleSoft
Human Resources and Financial Management applications. The audit tested IT general
controls in the areas of change control, security settings, access management, and
operations. The audit focused on agencies that directly use PeopleSoft and are
supported by Technology Services, which excludes the Denver International Airport. The
audit period extended from October 1, 2008 through September 30, 2009.
Operational controls providing for system backup and recovery capability for the
PeopleSoft applications.
O f f ice of t he A udit or
Page 7
METHODOLOGY
We utilized multiple methodologies to achieve audit objectives. These evidence gathering and
analysis techniques included, but were not limited to:
Directly observing physical access controls in place at the data centers and ensuring
that none of the 1,235 terminated employees had access to the data centers
supporting the PeopleSoft application.
Independently testing a sample of changes from the Human Resources and Financial
Management applications using Stat, the change and access management tool
used by Technology Services.
Directly observing environmental controls in place at the data centers supporting the
PeopleSoft application through onsite inspection and examination of maintenance
records.
Obtaining access to Active Directory Users and Computers (ADUC) for examining
login account access and information.
Executing scripts to extract system and password configuration settings for the
infrastructure supporting PeopleSoft (Oracle database and AIX servers).
Verifying that default passwords have been changed on highly privileged accounts
for the Oracle database and AIX operating system.
2. Determine the root cause for the breakdown within the termination process.
O f f ice of t he A udit or
Page 9
FINDING 2
Password and Physical Access Controls Are Not Consistently
Aligned with City Policies and Procedures
Some users with access to PeopleSoft, Oracle, or the AIX operating system do not have
adequate controls over their passwords. It is important that users follow good password
practices as set by management. Passwords provide the primary control over user
access to computer resources and their effectiveness tends to diminish over time. By
requiring periodic passwords changes, the City will reduce risk of unauthorized access to
applications and the information stored within them. A password character setting
requiring too few characters can result in more easily guessed passwords, and an
undefined threshold of bad password attempts could result in users continued attempts
to access unauthorized systems without having their ID suspended.
PeopleSoft Password Controls are not configured for users authenticating outside of
Active Directory
The majority of PeopleSoft users authenticate (gain access) to PeopleSoft using their
Active Directory user ID and password. However, there are 43 users that access
PeopleSoft outside of the Active Directory authentication. As a result, these users do not
follow the Active Directory required password settings. Permitting access to PeopleSoft
without using Active Directory password controls allows users to circumvent the Active
Directory password requirements. There are no password requirements configured in
PeopleSoft for users that do not authenticate through Active Directory.
Password Controls Not Enforced for AIX Administrative and User Accounts
During our review of the AIX servers hosting Oracle databases for PeopleSoft HR and
Financials, audit work found that highly privileged administrative accounts as well as 18
user accounts for HR and 20 user accounts for Financials do not meet City and County of
In addition to issues involving password control weaknesses, audit work also identified
data center access cards that were not assigned to specific authorized persons. Without
full accountability for who has access to the data centers, unknown persons could cause
system disruption, physical damage or steal valuable assets.
The majority of ID cards which grant access to the City’s data centers are logged in the
C*Cure system with a unique card number. Audit reviewed C*Cure access listings for two
data centers and noted the following:
Four active cards on the data center access lists that had no identifiable card
number.
Five cards within the C*Cure system had no employee or contractor listed as the
card owner.
Four individuals were assigned multiple cards with access to one or both of the
data centers.
Recommendations
We recommend that Technology Services:
Users shall construct passwords with at least eight (8) characters, including three
of the following four character types: upper case alphabetic, lower case
alphabetic, numeric, special characters (symbols, punctuation marks). For
additional security, Users are recommended to create “pass phrases” that
contain at least fifteen (15) characters. Passwords are case sensitive. Passwords
will expire after 90 days and Users will not be permitted to reuse any of the last
fifteen (15) passwords used. After five (5) failed login attempts, the User’s account
will be disabled. The User must then personally contact Technology Services to
manually reset their account.
We recommend Technology Services remove data center access from all cards which
are not identifiable by card number or assigned to an individual. Technology Services
O f f ice of t he A udit or
P a g e 11
should complete a review of all cards with access to the City’s data centers for
appropriateness and consider establishing formal, regular review procedures for physical
access listings. Review procedures should identify and remedy: inactive badges, badges
belonging to transferred or terminated personnel, duplicate IDs, and any inappropriate
access not commensurate with a user’s job function.
FINDING 3
Disaster Recovery Procedures Are Not Tested on a Periodic Basis
Business owners and Technology Services have not performed a test of the existing
disaster recovery plan supporting PeopleSoft and its supporting infrastructure within the
last year. Testing is an essential part of disaster recovery planning. An effective disaster
recovery plan requires testing on a periodic basis, or there is a risk that the plan will not
work when needed.
Recommendation
1. Coordinating with business owners, Technology Services should perform regular tests
of the City’s disaster recovery capability for the PeopleSoft applications and supporting
infrastructure. The frequency of such tests should be dictated by system criticality, and
should occur at least every 12 to 18 months.
O f f ice of t he A udit or
P a g e 13
Cit y and Count y of Denver
P a g e 14
O f f ice of t he A udit or
P a g e 15
Cit y and Count y of Denver
P a g e 16
O f f ice of t he A udit or
P a g e 17