The Health and Human Services Commission (Commission) has established policies for managing its vehicle fleet according to applicable requirements. However, the Commission lacked sufficient controls to ensure that those processes are managed and implemented appropriately.
To minimize security risks, auditors communicated in a separate report to the Commission details about other audit findings related to certain user access controls and the implementation status of three information technology-related recommendations made in a prior audit report. One finding was rated Priority because of issues that could critically affect the Commission’s ability to effectively administer its information security function. Immediate action should be taken to reduce the risk. One finding was rated Medium, indicating moderate risk. Action is needed to address the noted concerns and reduce risks to a more desirable level.