User Access. Auditors identified four travel information system user accounts for which the access privileges were not reasonable based on the users’ job responsibilities.
One additional user account had access privileges that also represented a weakness in separation of duties because it gave the user the ability to access multiple elements of a transaction.
In addition, auditors identified 13 EDISON user accounts for which the access privileges were not reasonable based on the Department divisions to which the users were assigned.
Change Management. Auditors determined that the Department’s change management policy was sufficient. That policy specified that:
All requests for changes to information resources must be managed using specific software.
Approvals of change requests must be obtained from the information technology director/information resources manager.
The Department must maintain separation of duties among employees who develop, review, and approve information system changes prior to implementation.
However, that policy did not address emergency changes to information resources.
The Department also did not consistently comply with its change management policy.
Physical Security and Environmental Controls. Auditors identified weaknesses in the environmental controls and physical security over the Department’s information technology assets.
As discussed above, auditors identified certain weaknesses related to user access; however, through review of user activity reports, auditors verified that inadvertent or unauthorized alteration or deletion of data had not occurred during the audit period as a result of those weaknesses.