The Commission had adequate controls over the network supporting its Workforce Accounting System (WAS), the timekeeping system that the Commission uses to track employees’ time worked and benefits.
However, the Commission did not have sufficient controls within WAS to ensure that data was accurate and complete. Specifically:
WAS did not have (1) application controls in the form of field edit checks, such as limiting data entry to minimum or maximum values, to prevent negative leave balances from accruing, or (2) audit trail capabilities to track changes made to data.
While all users who had access to WAS were current employees and had valid reasons for their level of access, users with “timekeepers” and “administrator” roles had the ability to edit their own timesheets after their timesheets had been submitted and approved.