September 4, 2001

Upload: gauravkudesiya

Post on 30-May-2018


  • 8/14/2019 September 4, 2001

    1/22

    September 4, 2001

    Members of the Legislative Budget and Audit Committee:

    In accordance with the provisions of Title 24 of the Alaska Statutes, the attached report is submitted for your review.

    DEPARTMENT OF ADMINISTRATION

    APPLICATION CONTROLS OVER THE ALASKA STATEWIDE ACCOUNTING SYSTEM

    August 10, 2001

    Audit Control Number

    02-10002-01

    We conducted this audit to gain an understanding of application controls over the Alaska Statewide Accounting System (AKSAS) as well as selected general controls within the Alaska Data Center related to AKSAS. We used this understanding to determine the degree of reliance we placed on these controls in our financial and performance audits of the State of Alaska. We summarized our conclusions on AKSAS controls in the Report Conclusions.

    We conducted our audit in accordance with generally accepted governmental auditing standards. Fieldwork procedures utilized in the course of developing the findings and recommendations and report conclusions are discussed in the Objectives, Scope, and Methodology section of this report.

    Pat Davidson, CPA
    Legislative Auditor


    TABLE OF CONTENTS

    Page

    Objectives, Scope, and Methodology ..................................................................................... 1

    Organization and Function...................................................................................................... 3

    Report Conclusions ................................................................................................................. 5

    Findings and Recommendations............................................................................................. 7

    Appendix: Glossary of Technical Terms................................................................................ 13

    Agency Response .................................................................................................................... 19


    - 1 -

    OBJECTIVES, SCOPE, AND METHODOLOGY

    In accordance with the provisions of Title 24 of the Alaska Statutes, we conducted this audit to gain an understanding of application controls over the Alaska Statewide Accounting System (AKSAS) as well as selected general controls within the Alaska Data Center related to AKSAS.

    Objective

    The objective of our review was to gain an understanding of application controls over AKSAS to determine the degree of reliance to place on these controls in our performance audits and in our financial audit of the State of Alaska Comprehensive Annual Financial Report.

    Scope

    The scope of our review encompassed:

    1. Organizational structure pertinent to AKSAS. This area considers factors such as the control environment and individuals' roles and responsibilities.

    2. Managing data, which includes input, processing, output and database controls. Input controls ensure source data is authorized, complete, and accurately input. Processing controls ensure input is accurately and consistently processed. Output controls provide assurance that the output is accurate and distributed only to authorized persons. Data base controls ensure the integrity and security of the data base. Controls over data management encompass both batch and on-line processing.

    3. General control areas at the Alaska Data Center which impact AKSAS. These controls include identification of data center and user responsibilities, file access, change control, contingency planning, backup and archiving.

    During our audit we used the Information Systems Audit and Control Foundation's (ISACF) document Control Objectives for Information and Related Technology (CobiT) to identify generally accepted and applicable internal control objectives and practices. ISACF is a worldwide organization dedicated to research, development, and publication of generally accepted information technology control objectives and audit guidelines. As a further resource we used the guidelines in The Auditor's Study and Evaluation of Internal Control in EDP Systems.


    - 2 -

    Methodology

    To meet the objectives of our audit, we performed the following:

    1. Reviewed various manuals, guides and publications, as follows:

    Accounting Procedures Manual, Financial Transaction Section, produced by the Department of Administration, Division of Finance.

    Handy Guide to AKSAS Transactions produced by the Department of Administration, Division of Finance.

    AKSAS system documentation, including the AKSAS table files.

    Guide to the Data Center and Telecommunications Services produced by the Department of Administration, Information Technology Group.

    Natural Security Version 3.1.2 for Mainframes, December 1999, Software AG.

    CA-ACF2 Auditor's Guide, Computer Associates, 1989, 1986, IBM Corporation.

    Introduction to NATURAL 2 Programming ADABAS Concepts and Facilities.

    2. Analyzed ACF2 and Natural security privileges.

    3. Conducted interviews with various Division of Finance employees involved with system administration and security, programming, accounting control, and accounting services.

    4. Conducted interviews and shadowed various Information Technology Group employees involved with system security, physical controls, tape backup, database management, and contingency planning.

    5. Documented and analyzed controls over electronic processing, warrant redemption, the programming change process, database management, input, processing, output, and interfacing systems.

    Due to the technical nature of this report, we have included an appendix of nomenclature to assist the reader in understanding our findings and recommendations. It is important to note that the findings and recommendations in this report highlight areas of control weakness and do not emphasize data processing controls which are functioning properly.


    - 3 -

    ORGANIZATION AND FUNCTION

    AKSAS was developed by a contractor for the State of Alaska and became operational on July 1, 1985. It is a major application system which processes on an IBM 9672 mainframe computer at the Alaska Data Center. State agencies enter transactions into the system from across the state via the telecommunications network. Processing is accomplished in overnight batches. Reports, both hard copy and on-line, may be routed to various locations throughout the State.

    Department of Administration (DOA), Information Technology Group (ITG)

    Alaska Statute 44.21.150-.170 designates DOA as the entity responsible for the operation and management of automatic data processing resources and activities of the State. ITG operates the Alaska Data Center. Some individuals within the following Computer Services sections are responsible for general controls related to AKSAS. Those sections include:

    1. Operations, which maintains the physical operation environment; schedules software and hardware maintenance; maintains on-line system schedules; runs batch and test applications; and runs the printers, bursters, and other off-line equipment.

    2. Data Base Services, which is responsible for the operation of statewide data bases, which include the State's accounting system.

    3. Technical Services, which installs and maintains operating and system software used to operate the mainframe.

    DOA, Division of Finance (DOF)

    Alaska Statute 37.05 requires DOA to maintain accounting records and report annually the financial activity and condition of the State of Alaska. DOF has been charged with fulfilling these statutory requirements.

    To meet these responsibilities, the division operates and maintains statewide general accounting and payroll systems (AKSAS and AKPAY) which service all state agencies. All vendors who conduct business with the state and all state employees are dependent upon the successful continued operation of these central systems for mandatory record keeping, payroll services, and payment for goods and services provided to the state. These central systems are also necessary to enforce appropriation compliance, perform fund accounting, and provide a sound foundation for reporting financial information in accordance with generally accepted accounting principles (GAAP).

    - 4 -

    DOF is led by a director who supervises the operations of the state accountant, the system administration and security supervisor, and the administrative services manager. The latter two individuals supervise a staff of professionals which includes accountants and analyst programmers. Many DOF personnel are involved in the administration and operation of AKSAS.

    The state accountant provides oversight for all statewide accounting policies and procedures and is responsible for agencies' compliance with state and federal laws and professional accounting and financial reporting standards.

    The system security and administration section ensures financial integrity and system security for AKSAS, AKPAY, and GENEVA (the AKSAS reporting system); coordinates, writes, and edits user manuals and Alaska Administrative Manual sections; and coordinates system changes.

    The administrative services manager oversees the accounting control, accounting services, programming support, and payroll sections. The accounting control section monitors vendor assignments, security agreements, tax levies, and garnishments; controls vault access; designs, approves and monitors state warrant standards for all agencies; maintains payroll files; distributes computer reports for AKSAS and GENEVA; and oversees the warrant redemption process for most state departments.

    The accounting services staff maintains AKSAS structures; advises, consults with and trains agency personnel; prepares the State Comprehensive Annual Financial Report, the statewide cost allocation plan and various federal reports; accounts for bond and debt service payments; and prepares materials for the State Administrative Code, the State Administrative Manual, and the AKSAS and AKPAY user manuals.

    The programming support section analyzes, develops, and documents solutions to AKSAS and AKPAY system problems, provides training and technical assistance to staff members, and ensures successful completion of the computer production schedule.


    - 5 -

    Exhibit 1

    Internal Control Framework

    Control Environment: Sets the tone of an organization, influencing the control consciousness of its people.

    Risk Assessment: Identification and analysis of those risks related to achievement of objectives, forming a basis for how risks should be managed.

    Control Activities: Integrated with the risk assessment process, and must be carried out properly and on a timely basis.

    Information and Communication: Relevant information must be developed and communicated on a timely basis in a form that allows people to understand and carry out their responsibilities.

    Monitoring: Internal controls must be monitored on an ongoing basis to ensure that the process is functioning as intended.

    REPORT CONCLUSIONS

    Generally accepted auditing standards require auditors to obtain an understanding of the internal control structure of their auditees. The internal control framework is comprised of five elements: control environment, risk assessment, control activities, information and communication, and monitoring (see Exhibit 1). Our review of the controls over the AKSAS application was conducted to obtain an understanding of the internal controls pertinent to financial accounting for the State of Alaska.

    Data processing controls are categorized as general controls and application controls. General controls comprise the processing environment and therefore apply to all applications processed. We reviewed general control areas that impact AKSAS including identification of data center and user responsibilities, file access, change control, contingency planning, backup and archiving. Application controls are specific to a computer application. They include controls over input, processing, output, on-line, and data base activity. They ensure that only authorized data is processed, that processing is complete and accurate, and that output is reliable and properly distributed. It is possible for strong application controls to compensate for some weaknesses in general controls.

    Our review encompassed all aspects of application controls, as well as an evaluation of general controls as they relate to AKSAS. Overall, we conclude that controls over AKSAS are sufficient to permit reliance.

    The weaknesses identified during this review primarily pertain to managing data. Controls over managing data help to ensure that data remains complete, accurate, and valid during its input, update, and storage. Below we identify the specific weaknesses identified during the review:

    No audit trail exists for changes made to the system management file tables that control AKSAS processing. See Recommendation No. 1.

    Inadequate segregation of duties between input and certification with respect to authorization of accounting transactions. See Recommendation No. 2.

    Minor exceptions were noted in the security provided by ACF2 and NATURAL security. See Recommendation No. 3.


    - 6 -

    Social security numbers, which are confidential information, are available to all users of AKSAS. See Recommendation No. 4.

    User documentation with respect to structural transactions is incomplete. See Recommendation No. 5.

    Our review identified control weaknesses and other problems which are significant; however, these findings do not pose a material risk to the financial information produced by AKSAS. AKSAS application controls are sufficient to permit reliance on them. As a result, the integrity of the financial information is adequately safeguarded during system processing.


    - 7 -

    FINDINGS AND RECOMMENDATIONS

    Recommendation No. 1

    The director of DOF should strengthen internal controls over changes to the System Management File (SMF) tables.

    DOF does not currently produce an automated audit trail of changes made to the SMF tables. Additionally, it is impossible to affix responsibility for changes, since multiple DOF system administration staff have the ability to make changes to the tables. The SMF tables control many aspects of AKSAS operations. Examples of SMF tables with significant potential financial impact include, but are not limited to, the authorization responsibility distribution (RD) table¹ and the offset table².

    Six individuals in DOF's systems administration section have access to the SMF tables. The only record of changes made to the tables is a hand-written log, so it is impossible to affix responsibility for changes that are not logged. A report of the contents of every record in the SMF tables is generated as part of each daily run. This report contains over a quarter of a million lines and is not physically printed. Daily reports are kept for each processing day; however, a listing of only the changes occurring between processing days is not created.

    Without an audit trail, DOF is unable to ensure changes to SMF tables are legitimate, supported, and approved. We recommend that DOF's director continue to pursue production of an audit trail and affix responsibility for the changes. The audit trail should be reconciled to the hand-written log on a periodic basis to ensure completeness and validity of changes. Someone not authorized to make changes to the SMF tables should perform the reconciliation.
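    The change listing this recommendation asks for can be approximated from artifacts the report says already exist: the daily dump of every SMF record and the hand-written log. The following is an added example, not code from the report, from DOF or from AKSAS. It assumes a simple "TABLE KEY PAYLOAD" line layout for the daily dump and uses constructed sample records and log entries. It diffs two consecutive daily dumps into a change listing and reconciles that listing against the manual log, reporting changes that were never logged and log entries with no matching change in the data.

```python
"""Added example (not from the audit report): derive a change listing from two
daily SMF table dumps and reconcile it against the hand-written change log.
The "TABLE KEY PAYLOAD" line layout, the table names and the sample records
are assumptions constructed for illustration only."""

# Constructed sample of two consecutive daily table dumps, one record per line.
DAY1_REPORT = """\
SAU 10001 CERT=20001 TXN=WR
SAU 10002 CERT=20001 TXN=WR
SOA A100 OFFSET=B200
"""
DAY2_REPORT = """\
SAU 10001 CERT=20001 TXN=WR
SAU 10002 CERT=10002 TXN=WR
SOA A100 OFFSET=B200
SOA A300 OFFSET=B400
"""
# Constructed hand-written log: the one change the administrators wrote down.
MANUAL_LOG = [("SOA", "A300", "add")]


def parse_report(text):
    """Map (table, key) -> payload for every record line in a daily dump."""
    records = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        table, key, payload = line.split(maxsplit=2)
        records[(table, key)] = payload
    return records


def diff_snapshots(before, after):
    """List (table, key, change) for every record that differs between two days."""
    changes = []
    for table, key in sorted(set(before) | set(after)):
        if (table, key) not in before:
            changes.append((table, key, "add"))
        elif (table, key) not in after:
            changes.append((table, key, "delete"))
        elif before[(table, key)] != after[(table, key)]:
            changes.append((table, key, "modify"))
    return changes


def reconcile(changes, manual_log):
    """Return (unlogged, unsupported): actual changes with no log entry, and
    log entries with no matching change in the data."""
    actual, logged = set(changes), set(manual_log)
    return sorted(actual - logged), sorted(logged - actual)


def daily_review(before_text, after_text, manual_log):
    """One processing day's review: diff the two dumps, then reconcile to the log."""
    changes = diff_snapshots(parse_report(before_text), parse_report(after_text))
    return reconcile(changes, manual_log)


if __name__ == "__main__":
    unlogged, unsupported = daily_review(DAY1_REPORT, DAY2_REPORT, MANUAL_LOG)
    for table, key, change in unlogged:
        print(f"UNLOGGED   {table} {key} {change}")
    for table, key, change in unsupported:
        print(f"NO CHANGE  {table} {key} {change}")
```

    In the constructed sample the modification to SAU record 10002 (its certification RD code now equals its own source RD code) was never written into the log and is the one item the review surfaces. The diff identifies what changed, not who changed it; attributing the change still requires the logging of individual write access that Recommendation No. 3 calls for.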

    Recommendation No. 2

    The director of DOF should require a segregation of duties between input and certification of transactions.

    Input control procedures should provide reasonable assurance that every transaction to be processed has been properly authorized, converted to machine-sensible format, and recorded accurately and completely. Input controls include those processes related to rejection, correction, and resubmission of data that was initially incorrect.

    ¹ The statewide accounting system authorized RD code transaction table is the SAU. An RD code is a five-digit number typically assigned to an individual. It is used to sign on to AKSAS and to identify authorized functions such as initiating or certifying transactions.

    ² The statewide accounting system offset account table is the SOA. The SOA provides offset accounting entries (explosions) to allow proper financial statement reporting.


    - 8 -

    A certifying officer is a responsible representative designated by a department head who has responsibility for the formal approval of a document or online transaction. One facet of good internal controls in any system is segregation of duties. Proper segregation of duties requires that authorization of a transaction be done by an individual other than the one initiating the transaction. Without that separation, the potential for fraudulent transactions increases.

    Currently, any certifying officer can initiate (input) and certify a transaction without an intermediate review for propriety. In addition, a certifying officer can make changes to a transaction that was originally entered by another person without having that change reviewed. No system edit exists to preclude input and certification by the same RD code. Reliance has been placed on agencies' management to recognize if unauthorized money has been spent.

    Certifying officers are identified by RD codes. To be appointed as a certifying officer in AKSAS, an individual's RD code must be designated as a certification RD code on the SMF authorized RD code transaction table (SAU). The SAU specifies the certification RD code(s) for a specific combination of source RD code and transaction code. A certifier inputting a transaction can enter an RD code for his/her subordinate in the source field, resulting in the transaction being certified upon input of the transaction.

    We recommend DOF establish an edit that precludes a single individual from processing a transaction from initiation through authorization. The edit could be limited to certain kinds of sensitive transactions such as warrant requests, and would not have to apply to automated interfaces such as the payroll system. DOF should also consider disallowing a certifier to change data input, or require review of changes by another individual.

    Until a system modification is implemented, we recommend the state accountant review all non-interfacing transactions that have the same RD code for both input and certification. Transactions that have the same RD code for last change and certification should also be reviewed.
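    The preventive edit and the interim review described above, as an added example that is not part of the report or of AKSAS. It assumes each transaction record carries the source (initiating) RD code, the last-change RD code and the certifying RD code, uses WR as a stand-in transaction code for warrant requests, and constructs its own sample transactions. It also goes one step beyond the report: an assumed entered_by field (the RD code of the logon that actually keyed the transaction, which AKSAS may not record) is compared with the source field, because the case the report describes, a certifier entering a subordinate's RD code in the source field, passes a same-RD check and only shows up when the keyed source is compared with the session identity.

```python
"""Added example (not from the audit report): a preventive segregation-of-duties
edit and a detective review over transaction records.  Field names, the WR
transaction code and the entered_by (logon RD) field are assumptions."""
from dataclasses import dataclass

SENSITIVE_TXN_CODES = {"WR"}   # assumed code for warrant requests


@dataclass
class Txn:
    txn_id: str
    txn_code: str
    source_rd: str           # RD code keyed in the source field (initiator)
    last_change_rd: str      # RD code of the last person to change the record
    cert_rd: str             # RD code that certified the transaction
    entered_by: str = ""     # assumed: RD code of the logon session that keyed it
    interface: bool = False  # automated interface such as payroll


def sod_edit(txn):
    """Preventive edit at certification time.  Returns None when certification
    may proceed, otherwise the reason for rejecting it.  Limited to sensitive,
    non-interface transactions as the recommendation allows."""
    if txn.interface or txn.txn_code not in SENSITIVE_TXN_CODES:
        return None
    if txn.cert_rd == txn.source_rd:
        return "initiator may not certify own transaction"
    if txn.cert_rd == txn.last_change_rd:
        return "certifier changed the transaction; second review required"
    return None


def review_exceptions(txns):
    """Detective review for the interim period: non-interface transactions where
    one RD code both input (or last changed) and certified, plus, where the
    logon RD is recorded, transactions whose keyed source RD is not the logon
    that entered them (the subordinate-in-source-field case)."""
    findings = []
    for t in txns:
        if t.interface:
            continue
        if t.cert_rd == t.source_rd:
            findings.append((t.txn_id, "same RD input and certified"))
        # Avoid a duplicate finding when input, last change and certification
        # are all the same RD code; that case is already reported above.
        if t.cert_rd == t.last_change_rd and t.last_change_rd != t.source_rd:
            findings.append((t.txn_id, "same RD last-changed and certified"))
        if t.entered_by and t.entered_by != t.source_rd:
            findings.append((t.txn_id, "source RD differs from logon RD"))
    return findings


# Constructed sample transactions (RD codes are illustrative five-digit values).
SAMPLE = [
    Txn("T1", "WR", "10001", "10001", "20001"),                      # two people: clean
    Txn("T2", "WR", "20001", "20001", "20001"),                      # certifier keyed and certified own
    Txn("T3", "WR", "10001", "20001", "20001"),                      # certifier changed, then certified
    Txn("T4", "WR", "10002", "10002", "20001", entered_by="20001"),  # subordinate's RD keyed in source
    Txn("T5", "JV", "30001", "30001", "30001", interface=True),      # payroll interface: exempt
]

if __name__ == "__main__":
    for t in SAMPLE:
        print(t.txn_id, "edit:", sod_edit(t) or "accepted")
    for txn_id, reason in review_exceptions(SAMPLE):
        print("REVIEW", txn_id, reason)
```

    Transaction T4 is the instructive one: the edit accepts it because the source and certifying RD codes differ, and only the comparison against the logon identity exposes that the certifier keyed the transaction under a subordinate's RD code. An edit that looks only at the RD codes stored in the record therefore closes the same-RD gap but not that one.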

    Recommendation No. 3

    DOF should improve security over AKSAS' program and data files.

    ACF2 and NATURAL security are two products used to protect the AKSAS program and data files. ACF2 provides security at the data set level and NATURAL provides security at the program level. ACF2 and NATURAL security should be strengthened as follows:

    A. ACF2 rules over AKSAS' data sets need further restricting.

    - 9 -

    ACF2 is a general security software package that provides the ability to control access for specific users to a variety of computer resources. ACF2 protection is comprised of several factors including global system options, the field definition record, logonid characteristics, data set rules, and rules governing interfacing software. The result is a complex system which, if properly implemented, can greatly enhance the protection of a computer installation from unauthorized access. AKSAS relies on ACF2 rules to prevent unauthorized access to application data sets.

    Present ACF2 rules over AKSAS' data sets are too broad, allowing access by personnel other than those with a legitimate need for such access. The seriousness of the situation is increased because many unnecessarily lenient rules permit unlogged access. The following weaknesses were noted:

    1. AKSAS programmers can write to the production database without the access being logged. They also have read (copy)/execute access to ADABAS utilities. ADABAS will retain a record of the utility used and when it was used to change the database, but it does not retain the user's identity. Either the write accesses should be logged, or the jobs revised so that programmers do not need access to the utilities.

    2. Rules over various data sets, including the production source code, allow write access by all Division of Finance personnel rather than only those requiring such access in their jobs.

    3. A generic user id (********JOBS****PROD) allows write access to part of the production data base by 20 non-DOA logonids without logging.

    4. All mainframe application users have read access to the production source code without logging.

    5. Confidential information, including vendor social security numbers submitted to the IRS via 1099 reports and employee purchasing card numbers, is accessible to all users without logging.

    AKSAS' lead programmer has conducted reviews of these rules with the goal of excluding other agencies' personnel from writing to the AKSAS database. Consequently, all DOF employees retain complete access to AKSAS data sets regardless of whether they need it to maintain the system. Such an approach increases the potential for unauthorized changes, including fraudulent manipulation of data and misappropriation of assets.

    As with all systems, the thoroughness of ongoing security evaluation is paramount to the continued integrity of ACF2. DOF should schedule periodic reviews of their data sets to evaluate user groups and ensure ACF2 rules are appropriately limiting access to those individuals for whom access is required to perform their job duties.

    B. NATURAL security over AKSAS' test and production data bases should be updated and strengthened.


    - 10 -

    AKSAS utilizes NATURAL security software to manage system development (test) and production facilities. NATURAL manages the use of AKSAS by both programmers and users. Different security structures have been set up for test and production, each of which is administered by a different individual. The security over both facilities is out of date and represents a potential risk to programs. Security for the test facility puts the source code in jeopardy.

    NATURAL security allows the security administrator to restrict access to files as well as the use of whole application systems, individual programs, and functions. This is accomplished by defining objects and the relationships between these objects. There are four types of objects that can be used and protected: users (of which there are several types), files, applications, and mailboxes. Access to AKSAS is generally controlled by "linking" or "unlinking" users to applications. Some specific weaknesses in those relationships are:

    1. Several user ids are out of date. Currently two systems security groups exist, one of which is defunct and should be removed. The defunct AK98GRP group is structured so that it gives access to security settings to individuals whose job duties have changed. Furthermore, user ids for departmental security administrators have never been used, but have not been deleted.

    2. Programmers have update access to numerous production files that is not necessary for day-to-day activities.

    The Guide to Data Center and Telecommunications Services states that "agencies are responsible for protecting their data from invalid modifications by users or programs" and that NATURAL security ". . . is the primary security tool for data base applications built with NATURAL."

    We recommend DOF evaluate existing security and eliminate weaknesses. A comprehensive security reevaluation plan that includes the periodic review of security should be implemented to ensure continued integrity. Additionally, only those individuals with a legitimate need should have access to the system and program files.

    Recommendation No. 4

    The director of DOF should ensure the confidentiality of social security numbers on AKSAS.

    Social Security numbers of employees and some vendors are available to all users of AKSAS through vendor information and in the reference areas of warrant transactions. Since most on-line AKSAS transactions, including vendor maintenance transactions and warrant maintenance transactions, are processed by agency staff in a decentralized data entry environment, employees at many different levels and in many different locations have opportunities to view social security numbers and/or tax identification numbers stored in AKSAS.


    - 11 -

    The social security number of an individual is the key to numerous data bases maintained by government and private agencies. The ability to extract and correlate information threatens the individual's right to privacy. Having access to names and social security numbers can also make it easier to commit fraud. Congress recognized this in the Privacy Act of 1974, by stating that the privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information. The Act states that the increasing use of computers and sophisticated information technology has greatly magnified the harm to individual privacy that can occur.

    The right to privacy is guaranteed by the Alaska State Constitution. Balancing this right to privacy against the right of the public to access public information is often a difficult task for state officials. This balance is complicated by state officials' requirement to properly report federal tax earning information when data entry of earning information is performed decentrally.

    However, Legislative Council has stated that, under the balancing analysis, social security numbers should not be disclosed. This opinion is derived from the conclusion that the individual's right to privacy outweighs a perceived minimal public interest in the disclosure of social security numbers. We recommend that DOF further their efforts to ensure the confidentiality of social security numbers on AKSAS by limiting access to persons whose duties or responsibilities require such access.

    Recommendation No. 5

    The director of DOF should ensure that AKSAS user documentation for structural processing is up to date and complete.

    Although structural transactions are identified in the AKSAS Handy Guide, the structural transaction portion of the accounting procedures manual has yet to be completed. Accounting structures in the statewide accounting system provide the framework for proper financial and budgetary reporting. Structure transactions may be initiated and certified at the decentralized agency level and are integral to the processing of financial accounting transactions.

    User manuals provide the foundation for understanding how agencies are to utilize the application. User departments submitting data to the accounting system should be supplied with both procedures for required input and descriptions of output.

    Improper setup of structures may result in inaccurate financial, federal, or budgetary reporting. Inaccurate reporting may result in improper collection of revenues or misstatement of the agency's financial position. We recommend that DOF continue to pursue providing users with up-to-date structural processing guidance. Once completed, all applicable documentation should be updated as the system is modified in order to keep it current.


    - 12 -

    APPENDIX: Glossary of Technical Terms

    Access The ability to gain entry to a computer resource. Access may be limited to read-only, which allows the user only to view a file or copy it to create their own version. Write or update access allows the user to make changes to a file.

    ACF2 Access Control Facility. A general security software package that controls user accountability by universal access rules which define access to all system resources.

    ADABAS The State's primary data base management system for mainframe applications, used for retrieving and storing information.

    Application Task-oriented computer program or group of programs designed to meet the needs of an individual user.

    application controls Controls that are specific to a particular application. They include controls to ensure that source data is authorized, complete, and accurately input; controls to ensure that processing of data is appropriate; and controls to ensure that output is accurate and distributed only to authorized persons. Application controls include both programmed procedures and manual procedures performed by users.

    audit trail A chronological record of system activities that is sufficient to enable the reconstruction, review, and examination of each event in a transaction from inception to output of final results.

    Authorization The granting of right of access to a user, program, or process.

    Backup Any duplicate of a primary resource, such as a copy of a computer program or data file, to be used in case of loss or failure of the primary resource. Also, the process of creating a backup copy.

    Batch A mode of processing in which substantial queues of unprocessed transactions (jobs) are held in the computer and released for execution based upon the size of the job and the types of resources required.

    change control The procedures used to ensure that all changes made to programs are authorized, tested, and approved prior to implementation.

    computer program A series of operations that will perform a task when executed in logical sequence.


    - 13 -

    APPENDIX: Glossary of Technical Terms (continued)

    Controls The methods, policies, and procedures adopted within an organization to ensure the safeguarding of assets, the accuracy and reliability of data, and the adherence to management's standards and intentions. Any protective action, device, procedure, technique, or other measure that reduces exposure.

    Data Facts and information that can be communicated and manipulated. In relation to a computer program, the input on which the program and its instructions operate and which determines the results of processing.

    data base An integrated aggregation of data usually organized to reflect logical or functional relationships among data elements.

    data base controls Techniques and methods for coordinating and controlling the development, testing, use, and maintenance of data base systems and the integrity and security of the data.

    data set A group of related computerized records.

    environment Everything comprising the surroundings in which a computer resource resides. Defined by all aspects of hardware and software in a given system.

    file An aggregation of data records organized on a storage medium for convenient location,access, and updating.

    general controls Controls designed to ensure the proper operation of computer-related functions; often subdivided into administrative controls and integrity controls.

    Hardware The physical equipment or devices included in computer systems.

    Implementation The specific activities within the system's development life cycle through which the software portion of the system is developed, coded, debugged, tested, and integrated with existing or newly acquired hardware.

    Information Meaningful data; the result of processing data by computer or other means.

    Input The process of entering information into the computer. Also, the information thatis entered.

    input controls Techniques and methods for verifying, validating, and editing data toensure that only correct data enters the system.


    Integrity With respect to data, its accuracy, quality, validity, and safety from unauthorized use.

    integrity controls Manual and computerized procedures which ensure the proper and consistent operation of computerized applications.

    internal control The method of safeguarding business assets, including verifying the accuracy and reliability of accounting data, promoting operational efficiency, and encouraging adherence to prescribed organizational policies and procedures.

    Job A complete set of programs to be executed in sequence on a computer.

    LAN Local Area Network. A data communications system spanning a limited geographical area that connects computers and peripheral equipment (microcomputers in the case of DOF). Typically a working group or section of an organization.

    Library In computer terms, a library is a collection of similar files, such as source programs, stored together in a common area on tape and/or disks. Also, a collection of functions (subroutines) that are linked into the main program when it is compiled.

    Link In NATURAL Security, a link is the relationship between a user and a protected library which allows the user to use the library. In programming, a link is a call to another program or subroutine.

    Linkedit The act of combining an object program with needed read/write or other specialized functions to create a computer-executable program (or load module). This procedure is performed by a computer program called a linkage editor.

    load module The results of the link edit process. The load module is a program in machine language form ready to run in the computer.

    log With respect to computer systems, a computerized journal which records events or transactions, usually including time and duration.

    logon To begin a session on a computer by identifying an authorized user (logonid) and a password that permits access to the computer's resources.

    logonid A string of characters that identifies a user and permits access to specific computer resources when presented to the system.


    mainframe A large, general purpose computer which is able to store and quickly process quantities of data.

    maintenance The process of altering program code or instructions to meet new or changing requirements.

    module A separate independent subset of instructions within a computer program. A module can be written, compiled, and tested before being linked with the remaining parts of the program.

    NATURAL A high-level programming language that is primarily used with ADABAS data base files. Many of AKSAS' on-line programs are written in this language.

    object code (also object program or object module) The result of compiling a source program. Not a fully executable program, an object program is used by the linkedit program to create a load module.

    on-line A processing term that categorizes operations under direct, immediate control of the computer. Real-time systems are among those classified as on-line systems.

    output Data/information produced by computer processing, such as graphic display on a terminal or hard copy reports.

    output controls Techniques and methods to verify that the results of processing conform to expectations and are communicated only to authorized users.

    procedures Procedures are statements of definition for both manual and automated processes currently used to support the application and usage of data processing resources. Procedures interpret policies.

    processing controls Techniques and methods used to make sure that processing produces correct results.

    production (system) A computer system used to process an organization's daily work. Contrast with a system used only for development and testing or for ad hoc inquiries and analysis.

    production programs Programs that are used in processing data that result in products for users. Differentiates these from test programs which have not yet been introduced to production.


    software Computer programs, procedures, rules, and possibly documentation and data pertaining to the operation of the computer system.

    source code (Also source program) A version of a computer program that is closest to human language. Programmers generally develop and maintain the source code of a program. This version is compiled into object code and link-edited to create the load module which is executed by the computer.

    table An area of computer memory containing multiple storage locations that can be referenced by the same name.

    testing The examination of a program through its execution on sample data sets.

    update The file processing activity in which master records are altered to reflect the current activity contained in transactional files.


    October 1, 2001

    Ms. Pat Davidson
    Legislative Auditor
    Division of Legislative Audit
    P. O. Box 113300
    Juneau, AK 99811-3300

    Dear Ms. Davidson:

    Re: Department of Administration, Application Controls over the Alaska Statewide Accounting System Audit Report

    We have reviewed the preliminary report dated August 10, 2001. It is reassuring for the report to conclude that controls over AKSAS are sufficient to permit reliance for audit purposes. Our response to each recommendation is as follows.

    Recommendation No. 1

    The director of DOF should strengthen internal controls over changes to the System Management File (SMF) tables.

    We concur with this recommendation. This enhancement is included in the AKSAS change request log. The complexity and size of this project has prevented it from being implemented to date.

    The audit cites two tables of particular risk: the authorization responsibility distribution table and the offset table. Our plan differs for each. For the authorization responsibility distribution table, the sheer volume of updates precludes manual reconciliation of an automated audit trail to the hand-written log. Therefore, we intend to build the capability for agencies to initiate these updates themselves and process them based upon dual approval by DOF staff. Changes to the offset table are less frequent and would better lend themselves to creation and independent reconciliation of an automated audit trail to the hand-written log.


    Both of these enhancements compete for our limited programming resources with the dozens of others listed on the AKSAS change request log, as well as daily production issues that routinely arise. AKSAS is an aging mainframe system that requires constant maintenance to remain operational.

    Recommendation No. 2

    The director of DOF should require a segregation of duties between input and certification of transactions.

    We concur that duty segregation is a crucial control affecting the integrity of financial systems. As outlined in DOF's previous responses to this finding, making the suggested fixes to prevent override of the control is complex. Our current plan is to improve detective controls so agencies are informed of each instance where a certifying officer has potentially overridden the segregation control.

    We plan to develop reports listing transactions that were either input and certified by the same person online, or last changed by the certifying officer. DOF will work with the State Finance Officer Association to develop useful report content and procedures for agency review to ensure that all transactions listed are evaluated for fraudulent activity. Once implemented, these procedures will be documented in the Accounting Procedures Manual maintained by DOF.

    Recommendation No. 3

    DOF should improve security over AKSAS program and data files.

    We concur with this recommendation, with the exception of B.2 as outlined below.

    A. ACF2 rules over AKSAS data sets need further restricting.

    1. We will request the Data Security Administrator to revise the ACF2 rules so that write access using ADABAS utilities is logged.

    2. We will request the ACF2 rule changes necessary to limit write access to members of the AKSAS programming team for production source code stored in Librarian. Write access to other AKSAS data sets will be logged so that ACF2 rules can be developed to effectively prevent unauthorized access while allowing that necessary for system operation.

    3. As of July 9, 2001, all write access to the AKSAS production database by these generic user ids is being logged by ACF2.

    4. We will request the ACF2 rule changes necessary to log all user read access to AKSAS production source code.


    5. Access to confidential information such as social security numbers and sensitive information such as purchasing card account numbers will be addressed outside of ACF2 rules. We are currently working on limiting access to social security numbers to users with a business need. The purchasing card transaction interface is being recreated to eliminate third-party software, and the new replacement functionality within AKSAS will limit card account access to those with a business need. We are working with the State Finance Officer Association to develop a privacy affidavit that will be signed by users with access to confidential and sensitive information acknowledging their responsibilities.

    We intend to have the proposed ACF2 rule changes implemented before November 1, 2001. All logging reports will be routed to our system administration unit for review.

    B. NATURAL security over AKSAS test and production data bases should be updated and strengthened.

    1. The auditor is correct that several user ids are out of date and some need to be removed. Our system administration section will address this finding.

    2. It is true that some access granted our lead AKSAS programmers may not be necessary for day to day activities. However, system problems that require their intervention generally occur in the middle of the night. Preventing access to resolve unanticipated problems during overnight processing would be poor business practice. Our 16 years of experience with AKSAS leads us to the conclusion that such access is a necessary risk of keeping the system operational.

    Recommendation No. 4

    The director of DOF should ensure the confidentiality of social security numbers on AKSAS.

    Maintaining the confidentiality of social security numbers is a premise with which we strongly agree. As identity theft becomes more common, our commitment to privacy with regard to this sensitive information continues to grow. We intend to take two steps to demonstrate this commitment.

    1. Develop a new AKSAS functionality that limits the ability to view social security numbers to those with a business need. We are defining business need as the ability to source, authorize, or certify vendor and warrant transactions, or responsibility for 1099 maintenance.

    2. Create a new privacy affidavit to be signed by these individuals that reminds them of their responsibility to use social security numbers only for legitimate federal tax information and vendor identification purposes.


    The timeframe for implementing the new AKSAS functionality is somewhat dependent on competing priorities, but we are currently defining the project. We will work with the State Finance Officer Association to create and administer the new privacy affidavit. Timeframe for that is before the end of the fiscal year.

    Recommendation No. 5

    The director of DOF should ensure that AKSAS user documentation for structural processing is up-to-date and complete.

    DOF has made great strides over the past few years in the area of user documentation. It is a priority for us, as shown by the quantity and quality of materials available on our website. We are justifiably proud of the current state of our user documentation, and feedback from the agencies we serve is universally positive. It took a concentrated, prolonged effort to get major publications such as the Administrative Manual and Accounting Procedures Manual up-to-date and published, and we intend to keep them such.

    We acknowledge the fact that structural processing is yet to be addressed in the Accounting Procedures Manual. We are working on higher priority items as identified by our users. The two large items at this time are the Payroll Procedures Manual and a reporting component for the Accounting Procedures Manual. Once these are complete, we will look to our users for their next area of concern.

    We want to point out that we are currently providing up-to-date structural processing guidance to the relatively few users of AKSAS responsible for this function. Our professional accountants in Accounting Services work daily with their agency contacts on structural processing concepts and questions.

    Thank you for the professional work done by the audit team. If you have questions or concerns about this letter, please contact Kim Garnero, Director of Finance.

    Sincerely,

    Jim Duncan
    Commissioner

    cc: Kim Garnero, Director, Division of Finance
    Department of Administration

    Dan Spencer, Director, Division of Administrative Services
    Department of Administration
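As an added example (not DOF's or AKSAS's own code) of the detective control described in the response to Recommendation No. 2 above: a script that reads a constructed transaction extract and lists every transaction that the certifying officer also entered or last changed, so agency reviewers can evaluate each listed item. The column names and CSV layout are assumptions, not the AKSAS record format.

```python
"""Detective control for segregation of duties between transaction input and
certification, as DOF's response to Recommendation No. 2 describes it.
Added example, not DOF or AKSAS code; the extract layout is assumed."""
import csv
from io import StringIO

# Constructed sample transaction extract (not real AKSAS data). Columns are
# assumptions: transaction id, user who entered the transaction, certifying
# officer, and the user who last changed it before certification.
SAMPLE_EXTRACT = """\
txn_id,input_user,certifying_officer,last_changed_by
T001,jsmith,mjones,jsmith
T002,jsmith,jsmith,jsmith
T003,aroe,mjones,mjones
T004,aroe,mjones,aroe
"""


def flag_sod_overrides(extract_text):
    """Return [(txn_id, reason)] for each transaction where the certifying
    officer also entered it or was the last person to change it, i.e. the
    two cases the letter says agencies should be informed of."""
    findings = []
    for row in csv.DictReader(StringIO(extract_text)):
        certifier = row["certifying_officer"]
        reasons = []
        if row["input_user"] == certifier:
            reasons.append("input and certified by same user")
        if row["last_changed_by"] == certifier:
            reasons.append("last changed by certifying officer")
        if reasons:
            findings.append((row["txn_id"], "; ".join(reasons)))
    return findings


def agency_review_report(extract_text):
    """Render the findings as lines an agency reviewer works through; every
    listed transaction is expected to be evaluated, not merely read."""
    findings = flag_sod_overrides(extract_text)
    header = f"{len(findings)} transaction(s) require review"
    return [header] + [f"{txn}: {reason}" for txn, reason in findings]


if __name__ == "__main__":
    print("\n".join(agency_review_report(SAMPLE_EXTRACT)))
```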