A Performance Audit
An Audit Report on The Department of Banking: A Self-directed, Semi-independent Agency
November 2016
Summary Analysis
The Department of Banking (Department) had effective controls that helped ensure that the financial data tested in its self-directed, semi-independent agency reports for fiscal year 2015 and fiscal year 2016 through May 2016 was accurate.
In addition, the Department complied with requirements for the calculation and collection of bank and trust assessment fees. To impose penalties on money services businesses when those businesses did not comply with requirements, the Department followed a process guided by factors in the Texas Finance Code.
The Department had controls to help ensure that data from its automated systems was reliable. However, auditors identified weaknesses related to user access and change management that the Department should address. To minimize security risks, auditors communicated details about other issues directly to the Department in writing.
The Department of Banking (Department) had effective financial control processes and procedures to help ensure the accuracy of the financial data that auditors tested from the Department’s self-directed, semi-independent agency reports for fiscal year 2015 and fiscal year 2016 through May 2016.
The Department accurately processed the receipt and deposit of penalties and accurately accounted for bank and trust assessment fees due. It also properly recorded and approved expenditures while maintaining appropriate segregation of duties.
In addition, the Department effectively reconciled its financial records on a monthly basis, which helped to ensure that the Department reported its financial data accurately.
Auditors also determined that:
• The Department accurately collected the 64 bank and trust and money services business revenue transactions tested, recorded the associated transactions in its financial accounting system, and deposited the associated revenue in the Texas Treasury Safekeeping Trust Company.
• The Department appropriately approved, supported with invoices and travel documents, and correctly coded in its accounting system and USAS all 68 expenditures tested.
The Department had an adequate process for setting bank and trust assessment fees, and that process was based on its budgetary needs. It followed a reasonable methodology to ensure that its revenue, which consisted primarily of bank and trust assessment fees, adequately covered its operational costs. The Department used its budget projections to determine the amount of revenue it would need to cover its operating expenditures. The Department also adjusted its bank and trust assessment fees, as necessary, to collect the desired amount of revenue.
In addition, the Department complied with requirements for the calculation of bank and trust assessment fees, and it followed a process guided by factors in the Texas Finance Code for imposing penalties when money services businesses did not comply with requirements.
From fiscal year 2015 through May 2016, the Department complied with Texas Finance Code requirements to impose penalties on money services businesses.
Specifically, for 10 consent orders tested, the Department appropriately imposed penalties on money services businesses by considering (1) the seriousness of the violation, (2) the money services business’s compliance history, and (3) the money services business’s good faith in attempting to comply with Texas Finance Code, Chapter 151. The Department’s process for assessing penalties is guided by its consideration of those factors as they are specified in a consent order issued against a money services business.
In its reports to the Finance Commission of Texas for fiscal year 2015 and fiscal year 2016 through May 2016, the Department reported accurate results for the following two performance measures tested:
• Number of Bank and Foreign Bank Examinations Performed.
• Percentage of Money Services Business (MSB) Licensees Examined by Special Audits When Due.
User Access. Auditors identified four travel information system user accounts for which the access privileges were not reasonable based on the users’ job responsibilities. One additional user account had access privileges that also represented a weakness in separation of duties because it gave the user the ability to access multiple elements of a transaction. In addition, auditors identified 13 EDISON user accounts for which the access privileges were not reasonable based on the Department divisions to which the users were assigned.
Change Management. Auditors determined that the Department’s change management policy was sufficient. That policy specified that:
• All requests for changes to information resources must be managed using specific software.
• Approvals of change requests must be obtained from the information technology director/information resources manager.
• The Department must maintain separation of duties among employees who develop, review, and approve information system changes prior to implementation.
However, that policy did not address emergency changes to information resources.
The Department also did not consistently comply with its change management policy.
Physical Security and Environmental Controls. Auditors identified weaknesses in the environmental controls and physical security over the Department’s information technology assets.
As discussed above, auditors identified certain weaknesses related to user access; however, through review of user activity reports, auditors verified that inadvertent or unauthorized alteration or deletion of data had not occurred during the audit period as a result of those weaknesses.