A Performance Audit
An Audit Report on The Office of the Comptroller of Public Accounts’ Controls Over the Centralized Accounting Payroll/Personnel System
October 2017
Summary Analysis
The Office of the Comptroller of Public Accounts (Comptroller’s Office) has implemented controls and processes governing the operation of the Centralized Accounting Payroll/Personnel System (CAPPS). As of August 2017, CAPPS was processing payments and payrolls for certain state agencies. Specifically:
• CAPPS was processing payments for 21 state agencies and, according to the Comptroller’s Office, processed $1.2 billion in vouchered payments in fiscal year 2016.
• CAPPS was processing payroll for 43 state agencies and, according to the Comptroller’s Office, processed $170.1 million in payroll expenses for fiscal year 2016.
While auditors noted that both the Financials and HR/Payroll systems in CAPPS are processing payments, the Comptroller’s Office should improve certain controls to help ensure that CAPPS is secure and that system changes do not adversely affect the system’s operations. Specifically,
• The Comptroller’s Office should strengthen its change management controls to help ensure that changes are properly controlled and tested before implementation of those changes into the production environment.
• The Comptroller’s Office could improve the application controls to help provide additional assurance that CAPPS Financials system data is accurate and complete.
To minimize the risks associated with public disclosure, auditors provided the details about the control weaknesses related to logical access and recommendations separately to the Comptroller’s Office, which agreed to implement the recommendations.
Pursuant to Standard 7.41 of the U.S. Government Accountability Office’s Government Auditing Standards, the findings identified in the limited-use report discussed above were deemed to present potential risks to public safety and the security of critical network infrastructure and private or confidential data. As such, the detailed findings and recommendations are considered confidential and will be excluded from this publicly available report. Under the provisions of Texas Government Code, Section 552.139, the confidential findings in this report are exempt from the requirements of the Public Information Act.
The Comptroller’s Office should strengthen its change management controls to help ensure that code changes are properly controlled as required by the contract. The Comptroller’s Office was unable to provide a complete and accurate population of changes, implemented changes without proper testing that resulted in errors, and lacked documentation related to a sample of changes that auditors reviewed.
The Comptroller’s Office had controls in place to help ensure that CAPPS HR/Payroll generates and processes payrolls in a complete and accurate manner. Selected data elements reviewed, including state salary schedules and federal tax deduction information, were accurately recorded in the system. Additionally, CAPPS HR/Payroll will not process payrolls if required key information is not loaded in the system.
The Comptroller’s Office implemented controls within CAPPS Financials to help transactions process accurately through the system. However, CAPPS Financials lacked certain functionality to help ensure that expenditures were accurate and transactions recorded in the system were complete.
The payroll process as implemented in CAPPS did not ensure that payroll expenditure transactions were recorded using an employee’s actual time and effort information. CAPPS used estimated revenue source information to calculate payroll expenditures and did not have an automated process to ensure that payroll expenditures are properly adjusted and recorded in a state agency’s financial system based on the actual time and effort that each employee worked.
Graphics, Media, Supporting documents