A Performance Audit
An Audit Report on The Information Management Protecting Adults and Children in Texas (IMPACT) System at the Department of Family and Protective Services
December 2021
Summary Analysis
The Department of Family and Protective Services (Department) has processes and controls related to its Information Management Protecting Adults and Children in Texas (IMPACT) system to help ensure that (1) access to the system is appropriately assigned and (2) data in the system is secure.
However, the Department should strengthen its user access controls and some of its data security practices, and it should ensure that it complies with its policies.
The Department uses IMPACT to document all stages of a case, beginning with intake of a report of alleged abuse, neglect, or exploitation, through investigation and services, to disposition and closure.
The Department also uses IMPACT’s financial module to process payments to service providers and for program-related payments, such as foster care maintenance payments.
In addition to the Department’s direct input into IMPACT and output from IMPACT related to its program activities, the Department works with 13 other agencies and organizations to update and share information in IMPACT through automated data exchanges.
Each user accesses IMPACT through their network account. The Department assigns each user a basic profile in IMPACT that enables the user to perform functions related to the user’s position, job duties, regional location, and program.
As of April 8, 2021, the Department had assigned 33,369 security profiles in IMPACT to 12,145 internal users and 1,838 external users.
The Department provided appropriate high-level access to its network domain, servers, and IMPACT database, based on the positions, job duties, and responsibilities of the users tested. However, the Department’s process for managing requests for high-level access did not always operate in accordance with Department policies.
The Department’s policies and controls for managing access to IMPACT include approving access, assigning users basic access and security profiles based on their duties, performing background checks, and conducting annual user access reviews. However, the Department did not consistently disable user access, conduct annual user access reviews, or perform renewal background checks for external users in accordance with its policies. Specifically:
- The Department removed access to IMPACT for 40 (89 percent) of 45 employees and 1 (50 percent) of 2 external users who were no longer working with the Department as of April 8, 2021. However, that access was not removed as quickly as required by the Department’s policies.
- The Department policy stated the Department is to disable IMPACT access for users who have not logged into IMPACT for 30 days. The Department did not comply with this policy for 65 (54 percent) of 120 current employees and 19 (27 percent) of 71 current external users.
- The Department’s annual user access review did not identify the applicable employees who stopped working with the Department and who no longer needed access to IMPACT.
- The Department did not ensure that 13 (33 percent) of 39 external users received renewal background checks in accordance with its policies.
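The three access findings above (untimely removal after separation, the 30-day inactivity rule, and an annual review that misses separated users) are all checks that can be run mechanically against an access listing. The following is an added example, not code from the report or from the Department; the user records are constructed, and the removal deadline of 3 days is an assumption, since the report does not state the number of days its policy allows.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

AUDIT_DATE = date(2021, 4, 8)        # "as of April 8, 2021" in the report
INACTIVITY_LIMIT_DAYS = 30           # stated Department policy
REMOVAL_DEADLINE_DAYS = 3            # ASSUMPTION: the report gives no number


@dataclass(frozen=True)
class UserRecord:
    user_id: str
    user_type: str                   # "internal" or "external", as the report categorises users
    last_login: Optional[date]       # None = never logged in
    separation_date: Optional[date]  # date the person stopped working with the Department
    access_disabled: Optional[date]  # date IMPACT access was removed, None = still enabled


# Constructed sample; dates and ids are invented for illustration.
SAMPLE_USERS = [
    UserRecord("u1", "internal", date(2021, 4, 1), None, None),   # active, compliant
    UserRecord("u2", "internal", date(2021, 2, 15), None, None),  # current but idle > 30 days
    UserRecord("u3", "external", date(2021, 3, 20), None, None),  # active, compliant
    UserRecord("u4", "internal", date(2021, 1, 10), date(2021, 1, 15), date(2021, 1, 16)),  # removed in 1 day
    UserRecord("u5", "external", date(2021, 2, 1), date(2021, 2, 5), date(2021, 2, 25)),    # removed, but late
    UserRecord("u6", "internal", date(2021, 3, 1), date(2021, 3, 10), None),                # separated, still enabled
    UserRecord("u7", "external", None, None, None),                                          # never logged in
]


def current_users(users, as_of=AUDIT_DATE):
    """Users who had not separated on the audit date."""
    return [u for u in users if u.separation_date is None or u.separation_date > as_of]


def inactive_but_enabled(users, as_of=AUDIT_DATE, limit=INACTIVITY_LIMIT_DAYS):
    """Current users whose access is enabled although their last login is older than `limit` days."""
    cutoff = as_of - timedelta(days=limit)
    return sorted(u.user_id for u in current_users(users, as_of)
                  if u.access_disabled is None and (u.last_login is None or u.last_login < cutoff))


def separated_with_access(users, as_of=AUDIT_DATE):
    """Separated users whose access was still enabled on the audit date (what the annual review should catch)."""
    return sorted(u.user_id for u in users
                  if u.separation_date is not None and u.separation_date <= as_of
                  and (u.access_disabled is None or u.access_disabled > as_of))


def late_removals(users, deadline=REMOVAL_DEADLINE_DAYS):
    """Separated users whose access was removed more than `deadline` days after separation; value is the lag."""
    return {u.user_id: (u.access_disabled - u.separation_date).days
            for u in users
            if u.separation_date is not None and u.access_disabled is not None
            and (u.access_disabled - u.separation_date).days > deadline}


def noncompliance_rate(flagged, population):
    """Whole-percent rate in the report's 'N (P percent) of M' form; 0 for an empty population."""
    return round(100 * len(flagged) / len(population)) if population else 0


def access_review_summary(users, as_of=AUDIT_DATE):
    """Run all three checks; the per-type inactivity rate mirrors how the report presents its figures."""
    current = current_users(users, as_of)
    idle = inactive_but_enabled(users, as_of)
    by_type = {}
    for kind in ("internal", "external"):
        pop = [u for u in current if u.user_type == kind]
        hits = [u for u in pop if u.user_id in idle]
        by_type[kind] = (len(hits), len(pop), noncompliance_rate(hits, pop))
    return {"inactive": idle, "inactive_by_type": by_type,
            "separated_with_access": separated_with_access(users, as_of),
            "late_removals": late_removals(users)}


if __name__ == "__main__":
    for key, value in access_review_summary(SAMPLE_USERS).items():
        print(f"{key}: {value}")
```

Each check keys off a different field, which is the point: a login-based inactivity rule will not catch a separated user who logged in the week before leaving (u6 here), so the separation feed and the access listing have to be reconciled separately from the inactivity sweep.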
The Department did not consistently implement controls to ensure that the same individual did not close and approve case stages in IMPACT, or perform consistent monitoring and analysis to determine if it was appropriate for the same individual to close and approve case stages in IMPACT. The IMPACT system does not have comprehensive edit controls programmed into the system to prevent persons from closing case stages and submitting the closures to themselves for approval. Specifically, the Department implemented a change in IMPACT that would restrict self-approval for case stages to supervisors; however, this restriction only relates to Adult Protective Services case stages. Based on analysis of IMPACT data for case stage closures that occurred between September 1, 2019, and April 8, 2021, 8 percent (51,431 of 636,714 case stages) of the total case stage closures across all Department program areas were closed and approved by the same individual.
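The self-approval finding is a separation-of-duties check: compare the identity that closed a case stage with the identity that approved the closure, per program area, and block the match before it is recorded. This is an added example, not the Department's code or IMPACT's own edit control; the closure records and the program labels are constructed.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class StageClosure:
    stage_id: str
    program: str      # program area, e.g. "APS" (Adult Protective Services); labels are constructed
    closed_by: str    # user id that closed the stage
    approved_by: str  # user id that approved the closure


# Constructed sample of closure records; ids are invented.
SAMPLE_CLOSURES = [
    StageClosure("s1", "APS", "w1", "w1"),    # closed and approved by the same person
    StageClosure("s2", "APS", "w1", "sup1"),
    StageClosure("s3", "APS", "w2", "sup1"),
    StageClosure("s4", "CPS", "w3", "w3"),    # self-approved
    StageClosure("s5", "CPS", "w3", "sup2"),
    StageClosure("s6", "CPS", "w4", "sup2"),
    StageClosure("s7", "CPS", "w4", "w4"),    # self-approved
    StageClosure("s8", "CPS", "w5", "sup2"),
]


def self_approved(closures):
    """Detective control: closures where the closer and approver are the same identity."""
    return [c for c in closures if c.closed_by == c.approved_by]


def self_approval_rate_by_program(closures):
    """Per program: (self-approved count, total closures, percent to one decimal)."""
    totals = Counter(c.program for c in closures)
    hits = Counter(c.program for c in self_approved(closures))
    return {p: (hits[p], totals[p], round(100 * hits[p] / totals[p], 1)) for p in totals}


def overall_self_approval_rate(closures):
    """Whole-percent rate across all programs, the form used in the report ('8 percent')."""
    if not closures:
        return 0
    return round(100 * len(self_approved(closures)) / len(closures))


def approval_permitted(closed_by, approver):
    """Preventive edit control applied to every program area: an approver may not be the closer.

    The report describes a narrower change that restricts self-approval to supervisors and only
    for APS stages; this example applies the stricter rule uniformly."""
    return closed_by != approver


if __name__ == "__main__":
    print("self-approved stages:", [c.stage_id for c in self_approved(SAMPLE_CLOSURES)])
    print("by program:", self_approval_rate_by_program(SAMPLE_CLOSURES))
    print("overall:", overall_self_approval_rate(SAMPLE_CLOSURES), "percent")
```

The detective query is what produced the report's 8 percent figure; the preventive check is what would stop the next case from adding to it. Running the detective query on a schedule, even after the edit control is in place, is what confirms the control is actually enforced in every program area rather than only where it was first deployed.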
The Department established a Change Approval Board (Board) that meets weekly and as needed to approve development and testing of changes and moving the changes into production. For 7 (9 percent) of the 76 changes auditors tested, the Board’s meeting minutes and records did not show approval prior to the changes being moved into production. If the changes are not documented in the Board’s meeting minutes, there is no evidence that the Board approved the change to be implemented into IMPACT.
Between September 1, 2019, and April 8, 2021, the Department was a party to 17 agreements that (1) established and managed data exchanges between IMPACT and systems outside of the Department and/or (2) granted IMPACT access to external users. Those agreements helped ensure that IMPACT data was protected and that appropriate access was granted to external users; however, the Department did not consistently comply with its policies for forming and approving these agreements.
The Department deleted cases from IMPACT in accordance with its procedures; however, it did not have supporting documentation to show supervisor approval for 5 (13 percent) of the 38 cases deleted between September 1, 2019, and April 8, 2021.
The Department implemented automated controls in IMPACT to help protect data in the system. Auditors tested automated controls related to accessibility and ability to modify case stage and case status types. The controls ensure that:
- Information contained in closed stages of nonsensitive cases cannot be changed by caseworkers or supervisors. IMPACT users can view the stage information, but cannot change it.
- Caseworkers and supervisors with the appropriate IMPACT security profile can view information contained in closed stages of sensitive cases (see text box) but cannot change the information.
- Only caseworkers and supervisors who are assigned to open stages of sensitive cases and who have the appropriate IMPACT security profile can view and change information in sensitive cases.
- Only caseworkers and supervisors assigned to open stages of nonsensitive cases can change information in those stages. Other IMPACT users not assigned to the stages can view the information but are not able to change it.
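The four bullets above describe an authorization matrix over three attributes of a stage (open or closed, sensitive or nonsensitive, whether the user is assigned to it) and one attribute of the user (whether their security profile covers sensitive cases). Encoding that matrix as a single decision function makes it testable, which is the form an auditor's control test takes. This is an added example written from the report's description, not IMPACT's own code; the stage and user records are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import product


class Action(Enum):
    VIEW = "view"
    CHANGE = "change"


@dataclass(frozen=True)
class Stage:
    stage_id: str
    is_open: bool
    sensitive: bool
    assigned_users: frozenset  # ids of caseworkers/supervisors assigned to the stage


@dataclass(frozen=True)
class User:
    user_id: str
    has_sensitive_profile: bool  # holds the IMPACT security profile for sensitive cases


def is_permitted(user: User, stage: Stage, action: Action) -> bool:
    """Decide view/change access exactly as the four automated controls describe."""
    assigned = user.user_id in stage.assigned_users
    if stage.sensitive:
        # Sensitive cases are invisible without the appropriate security profile.
        if not user.has_sensitive_profile:
            return False
        if not stage.is_open:
            return action is Action.VIEW          # closed: view only, never change
        return assigned                           # open: assigned users may view and change
    # Nonsensitive cases are viewable by any IMPACT user.
    if not stage.is_open:
        return action is Action.VIEW              # closed: nobody changes
    return action is Action.VIEW or assigned      # open: only assigned users change


def permission_matrix():
    """Enumerate every combination of the four attributes; useful as a control test fixture.

    Keys are (is_open, sensitive, assigned, has_profile); values are the set of permitted actions."""
    matrix = {}
    for is_open, sensitive, assigned, has_profile in product((True, False), repeat=4):
        stage = Stage("x", is_open, sensitive, frozenset({"u"} if assigned else ()))
        user = User("u", has_profile)
        matrix[(is_open, sensitive, assigned, has_profile)] = {
            a.value for a in Action if is_permitted(user, stage, a)}
    return matrix


# Constructed sample records.
OPEN_SENSITIVE = Stage("st1", True, True, frozenset({"cw1"}))
CLOSED_PLAIN = Stage("st2", False, False, frozenset({"cw1"}))
CW_WITH_PROFILE = User("cw1", True)
CW_NO_PROFILE = User("cw2", False)

if __name__ == "__main__":
    for key, allowed in sorted(permission_matrix().items()):
        print(f"open={key[0]!s:5} sensitive={key[1]!s:5} assigned={key[2]!s:5} "
              f"profile={key[3]!s:5} -> {sorted(allowed)}")
```

Reading the enumerated matrix row by row against the report's bullets is the quickest way to spot a gap in the rules as written: for instance, the bullets say nothing about whether an assigned caseworker who lacks the sensitive-case profile can see an open sensitive stage, and the function above resolves that by denying it, which is the safer reading but is an assumption rather than a statement from the report.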