A Performance Audit
An Audit Report on Financial Processes at the Commission on Environmental Quality
May 2022
Summary Analysis
The Commission on Environmental Quality (Commission) had financial processes to ensure that its Office of Air, Office of Waste, and Office of Water (Offices) accurately billed, collected, and recorded fees for permits, registrations, and regulatory assessments in accordance with applicable agency and statutory requirements. The Commission also performed reconciliations between its accounts receivable system and the Uniform Statewide Accounting System to verify that it accurately recorded fee transactions.
In addition, the Commission had processes that helped ensure that (1) access to selected financial systems was limited to current employees and (2) programming changes to certain systems were appropriate. However, the Commission should strengthen security controls over certain information systems. To minimize security risks, auditors communicated details and recommendations about those audit findings separately to the Commission in writing.
The Commission’s financial processes ensured that its Office of Air, Office of Waste, and Office of Water accurately billed, collected, and recorded fees for permits, registrations, and regulatory assessments in accordance with applicable agency and statutory requirements. From September 1, 2019, through August 31, 2021, the Offices collected $605.8 million in fees.
The Commission had adequate controls over programming changes and over user access to certain systems. Specifically:
- Programming changes tested complied with the Department of Information Resources’ requirements. All 10 programming changes to the Commission’s billing systems tested and all 8 programming changes to the accounts receivable system tested were authorized, approved, documented, and implemented by employees different from the employees who developed the program change. The programming changes were implemented from September 1, 2019, to August 31, 2021.
- User accounts and their access rights were appropriate. The Commission’s user accounts to its accounts receivable system and USAS were assigned to current employees. Additionally, the access rights assigned to those user accounts were reasonable based on their job duties.
The Commission should strengthen certain controls to help protect its data from unauthorized changes. To minimize security risks, auditors communicated details about the audit findings separately to the Commission in writing.
Graphics, Media, Supporting documents