
Dennis J. Gallagher

Auditor

Office of the Auditor

Audit Services Division

City and County of Denver

PeopleSoft IT General Controls Performance Audit

December 2009

The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is responsible for examining and evaluating the operations of City agencies for the purpose of ensuring the proper and efficient use of City resources and providing other audit services and information to City Council, the Mayor and the public to improve all aspects of Denver’s government. He also chairs the City’s Audit Committee and oversees the City’s Comprehensive Annual Financial Report (CAFR).

The Audit Committee is chaired by the Auditor and consists of seven members. The Audit Committee assists the Auditor in his oversight responsibilities of the integrity of the City’s finances and operations, including the integrity of the City’s financial statements. The Audit Committee is structured in a manner that ensures the independent oversight of City operations, thereby enhancing citizen confidence and avoiding any appearance of a conflict of interest.

Audit Committee

Dennis Gallagher
Maurice Goodgaine
Robert Haddock
Jeffrey Hart
Charles Husted
Bonney Lopez
Timothy O’Brien

Audit Staff

John Carlson, Deputy Audit Director, JD, CIA, CICA

Stephen E. Coury, IT Audit Supervisor, CISA

Robert Pierce, Lead IT Auditor, CISA

Aaron Pratt, Senior IT Auditor, CISA

Brandon Blomquist, Staff IT Auditor

You can obtain free copies of this report by contacting us at:

Office of the Auditor

201 W. Colfax Avenue, Dept. 705 Denver CO, 80202

(720) 913-5000 Fax (720) 913-5026

Or view an electronic copy by visiting our website at:

www.denvergov.org/auditor

To promote open, accountable, efficient and effective government by performing impartial reviews and other audit services that provide objective and useful information to improve decision making by management and the people. We will monitor and report on recommendations and progress towards their implementation.

City and County of Denver, 201 West Colfax Ave., Dept. 705, Denver, Colorado 80202, 720-913-5000, FAX 720-913-5247, www.denvergov.org/auditor

Dennis J. Gallagher

Auditor

December 17, 2009

Molly Rauzi, Chief Information Officer, Technology Services, City and County of Denver

Claude Pumilia, Chief Financial Officer, Department of Finance, City and County of Denver

Dear Ms. Rauzi and Mr. Pumilia:

Attached is the Auditor’s Office Audit Services Division’s report of their audit of PeopleSoft IT General Controls for the period of October 1, 2008 through September 30, 2009. The purpose of the audit was to examine and assess the IT general controls related to the PeopleSoft Human Resources and Financial Management applications to ensure they provide sound foundations to support the proper operating and security of these information systems. Audit work focused on change control, security settings, access management, and operations as they pertain to the PeopleSoft Human Resources and Financial Management applications.

The audit revealed deficiencies in the process for disabling systems access of terminated employees as well as the need for process improvements to help ensure system password settings are effective. The audit also identified a need to perform a disaster recovery test for the PeopleSoft Human Resources and Financial Management applications.

If you have any questions, please call Kip Memmott, Director of Audit Services, at 720-913-5029.

Sincerely,

Dennis Gallagher

Auditor

DJG/ect

cc: Honorable John Hickenlooper, Mayor

Honorable Members of City Council

Members of Audit Committee

Ms. Roxane White, Chief of Staff

Mr. David T. Roberts, Chief Services Officer

Mr. David Fine, City Attorney

Mr. L. Michael Henry, Staff Director, Board of Ethics

Ms. Lauri Dannemiller, City Council Executive Staff Director

Ms. Beth Machann, Controller

Mr. Al Rosabal, Deputy Chief Information Officer


AUDITOR’S REPORT

We have completed an audit of PeopleSoft IT General Controls for the period of October 1, 2008 through September 30, 2009. The purpose of the audit was to examine and assess the IT general controls related to the PeopleSoft Human Resources and Financial Management applications to ensure they provide sound foundations to support the proper operating and security of these information systems. Audit work focused on change control, security settings, access management, and operations as they pertain to the PeopleSoft Human Resources and Financial Management applications.

This audit was included in the Auditor’s Office Audit Services Division’s 2009 Annual Audit Plan and is authorized pursuant to the City and County of Denver Charter, Article V, Part 2, Section 1, General Powers and Duties of Auditor, and was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

The audit revealed deficiencies in the process for disabling systems access of terminated employees as well as the need for process improvements to help ensure system password settings are effective. The audit also identified a need to perform a disaster recovery test for the PeopleSoft Human Resources and Financial Management applications.

We extend our appreciation to the personnel who assisted and cooperated with us during the audit.

Audit Services Division

Kip Memmott, MA, CGAP, CICA

Director of Audit Services

TABLE OF CONTENTS

EXECUTIVE SUMMARY
INTRODUCTION & BACKGROUND
    What is PeopleSoft?
    What are IT General Controls (ITGCs)?
SCOPE
OBJECTIVES
METHODOLOGY
FINDING 1: Procedures for Removing System Access Are Not Fully Effective
FINDING 2: Password and Physical Access Controls Are Not Consistently Aligned with City Policies and Procedures
FINDING 3: Disaster Recovery Procedures Are Not Tested on a Periodic Basis
AGENCY RESPONSE

EXECUTIVE SUMMARY

Audit work revealed deficiencies in the process for disabling systems access of terminated employees as well as the need for process improvements to help ensure system password settings are effective. The audit also identified a need to perform a disaster recovery test for the PeopleSoft Human Resources and Financial Management applications.

These deficiencies were found in three of the four areas of Information Technology General Controls (ITGCs) reviewed for the PeopleSoft application and supporting infrastructure. The three areas with deficiencies were access management, security settings, and operations. No deficiencies were found based on the testing we performed in the change control area.

Access Management

Through the use of Computer Assisted Auditing Techniques (CAATs) we independently matched terminated employees to the full database of 11,159 active network accounts and found that 76 former employees (over 6% of the 1,235 terminated) from 16 agencies still had active network accounts. Further analysis of the 76 terminated employee accounts showed that 14 had accessed City systems after termination. These users had much of the same access as if they were still a current employee. We also found that eight had the capability to connect remotely to the City network from outside City facilities. Of those eight with remote access, three had logged in subsequent to termination. The failure to disable the login accounts of terminated employees exposes City information systems and data to unauthorized modification, disclosure or destruction.

Security Settings

Some users with access to PeopleSoft, Oracle, or the AIX operating system do not have adequate controls over their passwords. It is important that users follow good password practices as set by management. Passwords provide the primary control over user access to computer resources and their effectiveness tends to diminish over time. A lack of security parameters weakens security controls, which could lead to unauthorized access to the system and the subsequent disclosure, misuse and/or destruction of City data. Specifically, these security weaknesses could result in unauthorized individuals gaining access to the system and possibly changing, modifying, or deleting sensitive system files, or viewing confidential documents stored within the information systems environment.

Audit work also identified data center access cards that were not assigned to specific authorized persons. Without full accountability for who has access to the data centers, unknown persons could cause system disruption, physical damage or steal valuable assets.

Operations

Business owners and Technology Services have not performed a test of the existing disaster recovery plan supporting PeopleSoft and its supporting infrastructure within the last year. Hardware, software, and personnel changes occurring over time could cause parts of the plan to become obsolete. Without periodic testing there is a risk that the disaster recovery plan will not work properly when needed.

INTRODUCTION & BACKGROUND

What is PeopleSoft?

The City and County of Denver uses the PeopleSoft Enterprise system for a variety of key business functions, such as Human Resources (Payroll, Employee Benefits, Time and Labor) and Financials (General Ledger, Purchasing, Payables, Projects and Grants, Asset Management). PeopleSoft is an Enterprise Resource Planning (ERP) system that allows for integration of business functions and a single access control model.

Although many city agencies use the various PeopleSoft modules, we identified the Office of the Controller as a key business owner and user of PeopleSoft. The Technology Services organization provides the technical support and IT general controls environment for PeopleSoft through its Enterprise Applications Services and Operations groups.

What are IT General Controls (ITGCs)?

Information Technology General Controls (ITGCs) are those “behind the scenes” controls that serve as the foundation for the proper operating and security of information systems. They help to ensure the operational and data integrity upon which City systems rely. ITGCs interact with each other like pieces in a puzzle. Each control process supports the others, and without one, the control structure is incomplete. Following are descriptions of the ITGC areas of Change Control, Security Settings, Access Management, and Operations.

Change Control

Strong procedures over change control ensure that changes introduced into production are authorized and tested to maintain the integrity and availability of both software applications and data.

To ensure the PeopleSoft systems operate as intended and continue to operate without disruption, the City tests and implements changes through three separate processing environments known as Test, Quality Assurance, and Production. Effective change controls provide for separation of duties between software developers, system testers, and production users.

The software developer makes system changes in the Test environment but cannot implement the changes into production. Persons other than the software developer perform software testing functions in the Quality Assurance environment. After approval by the requesting party or business owner, the change is then implemented into the Production environment.

Controls that provide a separation of duties ensure that no single person can implement a change into production. The processing and testing of changes through the three environments of Test, Quality Assurance and Production helps to ensure that changes are authorized, tested, and approved. The overall result of these controls helps to preserve the integrity of the production environment’s system and data, and prevents unnecessary disruption of production systems.
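The separation-of-duties rules just described can be made mechanical. The following is an added illustration written for this page; it is not the City's Stat workflow or any PeopleSoft tooling. The stage names follow the report, while the change record, the people and the rule wording are constructed for the example. It enforces the three constraints the text states: the developer cannot test their own change, a business-owner approval must exist, and the developer cannot implement the change into Production.

```python
"""Separation-of-duties gate for moving a change from Test through Quality Assurance
to Production. Added example, not the City's own change-management tooling."""
from typing import List, Optional

STAGES = ("Test", "Quality Assurance", "Production")


class ChangeRecord:
    """One change moving through the three environments (constructed structure)."""

    def __init__(self, change_id: str, developer: str):
        self.change_id = change_id
        self.developer = developer            # built the change in Test
        self.tester: Optional[str] = None     # tested it in Quality Assurance
        self.test_passed = False
        self.approver: Optional[str] = None   # requesting party or business owner
        self.stage = STAGES[0]

    def record_test(self, tester: str, passed: bool) -> bool:
        """Record a QA test; refused when the developer tries to test their own work."""
        if tester == self.developer:
            return False
        self.tester, self.test_passed = tester, passed
        self.stage = STAGES[1]
        return True

    def approve(self, approver: str) -> bool:
        """Record business-owner approval; the developer may not self-approve."""
        if approver == self.developer:
            return False
        self.approver = approver
        return True


def production_blockers(change: ChangeRecord, implementer: str) -> List[str]:
    """Reasons this person may not implement the change into Production right now."""
    problems = []
    if change.tester is None:
        problems.append("not tested in Quality Assurance")
    elif not change.test_passed:
        problems.append("Quality Assurance test did not pass")
    if change.approver is None:
        problems.append("no business-owner approval")
    if implementer == change.developer:
        problems.append("developer may not implement their own change")
    return problems


def implement_in_production(change: ChangeRecord, implementer: str) -> bool:
    """Move the change to Production only when every separation-of-duties check passes."""
    if production_blockers(change, implementer):
        return False
    change.stage = STAGES[2]
    return True


if __name__ == "__main__":
    chg = ChangeRecord("CHG-EXAMPLE-1", developer="dev")   # constructed identifiers
    print(production_blockers(chg, "ops"))
    chg.record_test("qa", passed=True)
    chg.approve("owner")
    print(implement_in_production(chg, "dev"), implement_in_production(chg, "ops"), chg.stage)
```

In practice the same checks would be run against the change-tool's audit trail (who migrated what, and who approved it) rather than an in-memory object, but the rule set is the same.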

Security Settings

There are four levels of security controls for the PeopleSoft application: the Application Level, the Database Level, the Operating System Level, and the Physical Security Level.

Application Level – Users can login to PeopleSoft in one of two ways. Most access the system via a Web interface that uses their general network ID and password. Some sign directly onto PeopleSoft using an ID and password separate from their network credentials, which are stored and maintained within PeopleSoft itself.

Application Level security settings affect the design and functioning of login IDs and passwords for direct logins, such as their minimum length and how often they must be changed. Changing passwords periodically helps prevent unauthorized system access through compromised passwords.

Database Level – The PeopleSoft application stores data in an Oracle database. Database Administrators perform configuration and maintenance of the database. These individuals have highly privileged access, including the capability to modify data if necessary outside of the application controls. The IDs and passwords at this level are controlled by settings within the Oracle database. Again, changing passwords periodically helps prevent unauthorized system access through compromised passwords.

Operating System Level – Both the PeopleSoft application and the Oracle database run on servers controlled by the AIX operating system. System Administrators configure servers to support the integrity and protection of the data. System Administrators can have local accounts on the server that are separate from their general network logins. Password controls over these local accounts are configured in the AIX operating system. Changing passwords periodically helps protect against unauthorized system access in the event passwords are unknowingly compromised.

Sometimes System Administrators need to access the server through a special built-in account called “root” which has the proverbial “keys to the kingdom.” As root does not require identification of the user, there is no accountability for who uses it. The root password should be changed periodically and changed immediately when anyone knowing the password transfers out of the department or terminates employment with the City.

Physical Security Level – The physical servers that support all the aforementioned levels reside in a protected data center. Proximity badge readers control access to the data center. The City issues access security cards to authorized individuals. These individuals scan the cards by a specialized reader mounted near the door, which verifies the card and unlocks the door accordingly. As the card is the sole control for physical access, a person should have only one card and every card should be registered to a known and authorized individual.

Access Management

Employees are granted access rights to the City’s information systems upon being hired. Job requirements determine specific access rights and such rights are modified when job responsibilities change. Access is disabled or removed when individuals terminate their employment with the City. These controls are designed to ensure that only authorized individuals have access to City systems and data and that such access is limited according to their specific job requirements.

Operations

Controls over operations of systems help to ensure the confidentiality, integrity, and availability of information systems. These controls include regularly backing up system data, storing backup media offsite, and regularly testing system recovery capability in the event of a disaster.

SCOPE

The audit examined and evaluated IT general controls related to the City’s PeopleSoft Human Resources and Financial Management applications. The audit tested IT general controls in the areas of change control, security settings, access management, and operations. The audit focused on agencies that directly use PeopleSoft and are supported by Technology Services, which excludes the Denver International Airport. The audit period extended from October 1, 2008 through September 30, 2009.

OBJECTIVES

Audit objectives included evaluating the Information Technology General Controls for the following areas:

- Change controls providing separation of processing environments for test, quality assurance, and production, and separation of duties for the roles of software developers, system testers, and end users, including system changes being authorized, tested, and approved before being implemented into production.

- Security settings limiting access to authorized individuals for PeopleSoft at the application, database, operating system, and physical security levels.

- Access management controls ensuring employee access is limited to specific job functions and access to City systems and data is removed when individuals terminate their employment with the City.

- Operational controls providing for system backup and recovery capability for the PeopleSoft applications.

METHODOLOGY

We utilized multiple methodologies to achieve audit objectives. These evidence gathering and analysis techniques included, but were not limited to:

- Interviewing personnel in the Controller’s Office and Technology Services and reviewing selected policies and procedures related to PeopleSoft and its infrastructure.

- Independently executing queries to obtain complete populations of new and changed users within PeopleSoft and testing for supervisor approval.

- Utilizing Computer Assisted Auditing Techniques (CAATs) to compare the population of 1,235 employees terminated during the audit period to the entire population of 11,159 Active Directory accounts, and the population of 13,068 employees with access to PeopleSoft.

- Directly observing physical access controls in place at the data centers and ensuring that none of the 1,235 terminated employees had access to the data centers supporting the PeopleSoft application.

- Observing the execution of queries to obtain a complete population of changed database objects for the Human Resources and Financial Management applications. Changed objects included software patches, HR tax updates, salary grade changes, benefit selections, stimulus grant reporting, and changes to access privileges.

- Independently testing a sample of changes from the Human Resources and Financial Management applications using Stat, the change and access management tool used by Technology Services.

- Directly observing environmental controls in place at the data centers supporting the PeopleSoft application through onsite inspection and examination of maintenance records.

- Examining evidence of backup and off-site storage of media.

- Obtaining access to Active Directory Users and Computers (ADUC) for examining login account access and information.

- Executing scripts to extract system and password configuration settings for the infrastructure supporting PeopleSoft (Oracle database and AIX servers).

- Verifying that default passwords have been changed on highly privileged accounts for the Oracle database and AIX operating system.

FINDING 1

Procedures for Removing System Access Are Not Fully Effective

76 Terminated Employees Still Had Active Network Login Accounts

Through the use of Computer Assisted Auditing Techniques (CAATs) we independently matched terminated employees to the full database of 11,159 active network accounts and found that 76 former employees (over 6% of the 1,235 terminated) from 16 agencies still had active network accounts. One of the 76 still had access to PeopleSoft. Further analysis of the 76 terminated employee accounts showed that 14 had accessed City systems after termination. These users had much of the same access as if they were still a current employee. We also found that eight had the capability to connect remotely to the City network from outside City facilities. Of those eight with remote access, three had logged in subsequent to termination. The failure to disable the login accounts of terminated employees exposes City information systems and data to unauthorized modification, disclosure or destruction.

The number of terminations used above (1,235) occurred during the audit scope period of October 1, 2008 through September 30, 2009. The actual number of terminated employees with active network accounts may increase if the time period were expanded to include prior years.

Recommendations

Working with the Controller’s Office, we recommend that Technology Services:

1. Investigate and immediately deactivate all terminated employee login accounts, including those from prior years.

2. Determine the root cause for the breakdown within the termination process.

3. Revise procedures to improve the effectiveness of the termination process.

4. Add compensating controls to support the revised termination procedures. For example, scanning inactive accounts or adopting a periodic comparison of active accounts against terminated employees.

5. Consider the implementation of more sophisticated or automated access management tools.

Terminated Employees with Active Logins

Type                                                   Number of Employees
Terminated Employees                                   1,235
Active Login Accounts                                  76
Accessed Since Termination                             14
Remote Access Capability                               8
Accessed since termination and have Remote Access      3
Have Access to PeopleSoft                              1
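The comparison the auditors ran with CAATs, and the periodic reconciliation suggested in recommendation 4, come down to a join between the HR termination list and an export of network accounts. The script below is an added example written for this page, not the auditors' own tooling: it takes a constructed HR extract and a constructed Active Directory export (account names, dates and the "VPN-Users" group name are all invented) and produces the same categories the table above reports, namely still-enabled accounts, logons after the termination date, and remote-access capability. Any real run would replace the two embedded CSV strings with the actual extracts.

```python
"""Reconcile a termination list against a network-account export (added example)."""
import csv
import io
from datetime import date

# Constructed HR extract: employees terminated during the audit period.
TERMINATIONS_CSV = """employee_id,sam_account_name,agency,termination_date
1001,jdoe,Finance,2009-03-15
1002,asmith,Parks,2009-06-01
1003,bjones,Finance,2009-08-20
1004,cwong,Public Works,2009-02-10
"""

# Constructed Active Directory export: one row per account, with last logon and groups.
AD_EXPORT_CSV = """sam_account_name,enabled,last_logon,member_of
jdoe,true,2009-04-02,Domain Users;VPN-Users
asmith,false,2009-05-30,Domain Users
bjones,true,2009-08-01,Domain Users;PeopleSoft-Users
cwong,true,2009-09-12,Domain Users;VPN-Users
mgreen,true,2009-09-28,Domain Users
"""

REMOTE_ACCESS_GROUP = "VPN-Users"   # assumed name of the group that grants remote access


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def parse_date(value):
    return date.fromisoformat(value) if value else None


def reconcile(terminations_csv=TERMINATIONS_CSV, ad_csv=AD_EXPORT_CSV):
    """Return one record per terminated employee whose account is still enabled,
    flagged for logon after termination and for remote-access capability."""
    accounts = {row["sam_account_name"]: row for row in parse_csv(ad_csv)}
    findings = []
    for emp in parse_csv(terminations_csv):
        acct = accounts.get(emp["sam_account_name"])
        if acct is None or acct["enabled"].lower() != "true":
            continue                      # disabled or already deleted: the control worked
        terminated = parse_date(emp["termination_date"])
        last_logon = parse_date(acct["last_logon"])
        groups = set(acct["member_of"].split(";"))
        findings.append({
            "account": emp["sam_account_name"],
            "agency": emp["agency"],
            "accessed_after_termination": last_logon is not None and last_logon > terminated,
            "remote_access": REMOTE_ACCESS_GROUP in groups,
        })
    return findings


def summarize(findings):
    """Counts in the shape of the report's 'Terminated Employees with Active Logins' table."""
    return {
        "active_login_accounts": len(findings),
        "accessed_since_termination": sum(f["accessed_after_termination"] for f in findings),
        "remote_access_capability": sum(f["remote_access"] for f in findings),
        "accessed_and_remote": sum(
            f["accessed_after_termination"] and f["remote_access"] for f in findings),
        "agencies": len({f["agency"] for f in findings}),
    }


if __name__ == "__main__":
    results = reconcile()
    for record in results:
        print(record)
    print(summarize(results))
```

The join is on the account name; where HR and the directory do not share an identifier, an employee-ID attribute stored on the account is the more reliable key. A logon timestamp later than the termination date is the signal that turns a stale account into an incident rather than a hygiene item.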

FINDING 2

Password and Physical Access Controls Are Not Consistently Aligned with City Policies and Procedures

Some users with access to PeopleSoft, Oracle, or the AIX operating system do not have adequate controls over their passwords. It is important that users follow good password practices as set by management. Passwords provide the primary control over user access to computer resources and their effectiveness tends to diminish over time. By requiring periodic password changes, the City will reduce the risk of unauthorized access to applications and the information stored within them. A password character setting requiring too few characters can result in more easily guessed passwords, and an undefined threshold of bad password attempts could allow users to continue attempting to access unauthorized systems without having their ID suspended.

A lack of security parameters weakens security controls, which could lead to unauthorized access to the system and the subsequent disclosure, misuse and/or destruction of City data. Specifically, these security weaknesses could result in unauthorized individuals gaining access to the system and possibly changing, modifying, or deleting sensitive system files, or viewing confidential documents stored within the information systems environment.

PeopleSoft Password Controls are not configured for users authenticating outside of Active Directory

The majority of PeopleSoft users authenticate (gain access) to PeopleSoft using their Active Directory user ID and password. However, there are 43 users that access PeopleSoft outside of the Active Directory authentication. As a result, these users do not follow the Active Directory required password settings. Permitting access to PeopleSoft without using Active Directory password controls allows users to circumvent the Active Directory password requirements. There are no password requirements configured in PeopleSoft for users that do not authenticate through Active Directory.

Inadequate Password Controls for Oracle Accounts

Audit work reviewed password controls related to Oracle databases supporting PeopleSoft HR and Financials and determined that no password controls are enabled for Oracle user accounts. Inadequate password controls could lead to unauthorized individuals gaining access to the system and possibly changing, modifying, or deleting sensitive system files, key financial data/programs or viewing confidential documents stored within the Oracle environment.

Password Controls Not Enforced for AIX Administrative and User Accounts

During our review of the AIX servers hosting Oracle databases for PeopleSoft HR and Financials, audit work found that highly privileged administrative accounts as well as 18 user accounts for HR and 20 user accounts for Financials do not meet City and County of Denver Acceptable Use Agreement or password standards. We reviewed AIX files indicating the last password change date for accounts and noted highly privileged administrative and user accounts without any forced password change date. Some highly privileged accounts have not had their password changed since 2005.
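The review of AIX files described here is a check that can be repeated on a schedule. The script below is an added example for this page, not the auditors' extraction scripts. It reads two excerpts written in the stanza layout of AIX's /etc/security/user (where the maxage attribute is the password lifetime in weeks, and 0 means the password never expires) and /etc/security/passwd (where lastupdate is the epoch time of the last password change), applies the "default" stanza where a user stanza omits an attribute, and flags accounts with no forced change, a lifetime longer than the City's 90-day rule, or a password older than 90 days at the audit date. The stanza contents, account names and dates are constructed; password hashes are replaced with placeholders.

```python
"""Audit AIX password-aging stanzas against a 90-day rule (added example)."""
from datetime import datetime, timezone

MAX_PASSWORD_AGE_DAYS = 90          # Acceptable Use Policy: passwords expire after 90 days
AUDIT_DATE = datetime(2009, 9, 30, tzinfo=timezone.utc)   # end of the audit period

# Constructed excerpt in /etc/security/user layout. maxage is in weeks; 0 = never expires.
SECURITY_USER = """
default:
        maxage = 0
        minlen = 0

root:
        maxage = 12
        minlen = 8

oracle:
        maxage = 0

psadm:
        maxage = 13

dbadm:
        minlen = 8
"""

# Constructed excerpt in /etc/security/passwd layout; lastupdate is epoch seconds.
SECURITY_PASSWD = """
root:
        password = {hash-placeholder}
        lastupdate = 1249084800
        flags = ADMIN

oracle:
        password = {hash-placeholder}
        lastupdate = 1117584000

psadm:
        password = {hash-placeholder}

dbadm:
        password = {hash-placeholder}
        lastupdate = 1251763200
"""


def parse_stanzas(text):
    """Parse 'name:' stanzas with indented 'key = value' lines into {name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):            # blank line or AIX comment
            continue
        if line.endswith(":") and not raw[0].isspace():
            current = line[:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current][key] = value
    return stanzas


def effective(attrs, defaults, key, fallback="0"):
    """AIX applies the 'default' stanza when a user stanza omits an attribute."""
    return attrs.get(key, defaults.get(key, fallback))


def audit_password_aging(user_text=SECURITY_USER, passwd_text=SECURITY_PASSWD, now=AUDIT_DATE):
    """Return {account: [issues]} for accounts whose aging settings or password age breach policy."""
    users = parse_stanzas(user_text)
    passwds = parse_stanzas(passwd_text)
    defaults = users.get("default", {})
    report = {}
    for name, attrs in users.items():
        if name == "default":
            continue
        issues = []
        maxage_weeks = int(effective(attrs, defaults, "maxage"))
        if maxage_weeks == 0:
            issues.append("maxage=0: no forced password change")
        elif maxage_weeks * 7 > MAX_PASSWORD_AGE_DAYS:
            issues.append(f"maxage={maxage_weeks} weeks exceeds {MAX_PASSWORD_AGE_DAYS} days")
        last = passwds.get(name, {}).get("lastupdate")
        if last is None:
            issues.append("no lastupdate recorded: password change date unknown")
        else:
            changed = datetime.fromtimestamp(int(last), tz=timezone.utc)
            age_days = (now - changed).days
            if age_days > MAX_PASSWORD_AGE_DAYS:
                issues.append(f"password last changed {changed.date()} ({age_days} days ago)")
        if issues:
            report[name] = issues
    return report


if __name__ == "__main__":
    for account, issues in audit_password_aging().items():
        print(account, "->", "; ".join(issues))
```

Two details matter when running this against real files: because maxage counts weeks, 13 weeks is 91 days and already misses a 90-day policy, and an account that inherits maxage from a "default" stanza set to 0 is just as exposed as one that sets 0 explicitly, so the default must be checked alongside the per-user stanzas.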

Unaccountable Physical Access to Data Center

In addition to issues involving password control weaknesses, audit work also identified data center access cards that were not assigned to specific authorized persons. Without full accountability for who has access to the data centers, unknown persons could cause system disruption, physical damage or steal valuable assets.

The majority of ID cards which grant access to the City’s data centers are logged in the C*Cure system with a unique card number. Audit reviewed C*Cure access listings for two data centers and noted the following:

- Four active cards on the data center access lists that had no identifiable card number.

- Five cards within the C*Cure system had no employee or contractor listed as the card owner.

- Six test cards were still active.

- Four individuals were assigned multiple cards with access to one or both of the data centers.

Recommendations

We recommend that Technology Services:

1. Enforce Established Password Controls

Technology Services should configure password requirements within PeopleSoft software, Oracle databases, and AIX operating systems to ensure that all users follow City and County of Denver password requirements outlined in the Acceptable Use Policy. An excerpt of the Acceptable Use Policy relating to password requirements is listed below:

Users shall construct passwords with at least eight (8) characters, including three of the following four character types: upper case alphabetic, lower case alphabetic, numeric, special characters (symbols, punctuation marks). For additional security, Users are recommended to create “pass phrases” that contain at least fifteen (15) characters. Passwords are case sensitive. Passwords will expire after 90 days and Users will not be permitted to reuse any of the last fifteen (15) passwords used. After five (5) failed login attempts, the User’s account will be disabled. The User must then personally contact Technology Services to manually reset their account.
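The policy excerpt reads as five checkable rules: minimum length, character-class mix, expiry, reuse history and lockout. The following is an added example written for this page, not the City's or any vendor's implementation, showing one way to encode those rules so that the application-level, database-level and operating-system-level settings described earlier can all be held to the same reference. The Account class, the user and the passwords are constructed; the history is kept as salted PBKDF2 hashes so that reuse can be detected without retaining plaintext.

```python
"""Encode the Acceptable Use Policy password rules (added example)."""
import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_LENGTH = 8                    # at least eight (8) characters
MIN_CLASSES = 3                   # three of the four character types
MAX_AGE = timedelta(days=90)      # passwords expire after 90 days
HISTORY_SIZE = 15                 # no reuse of the last fifteen (15) passwords
LOCKOUT_THRESHOLD = 5             # disabled after five (5) failed login attempts


def character_classes(password):
    """Count how many of the four AUP character types the password contains."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),   # symbols and punctuation marks
    ])


def complexity_problems(password):
    """Rules a candidate password breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} of 4 character types")
    return problems


def hash_password(password, salt):
    """Salted PBKDF2 so the history can be kept without storing plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Constructed account record carrying the state the policy needs."""

    def __init__(self, user_id):
        self.user_id = user_id
        self.salt = os.urandom(16)
        self.history = []             # most recent hash first, capped at HISTORY_SIZE
        self.changed_on = None
        self.failed_attempts = 0
        self.disabled = False

    def set_password(self, password, today):
        """Apply the AUP rules; return the violations (empty list means accepted)."""
        problems = complexity_problems(password)
        candidate = hash_password(password, self.salt)
        if any(hmac.compare_digest(candidate, old) for old in self.history):
            problems.append(f"reuses one of the last {HISTORY_SIZE} passwords")
        if problems:
            return problems
        self.history.insert(0, candidate)
        del self.history[HISTORY_SIZE:]
        self.changed_on = today
        return []

    def is_expired(self, today):
        return self.changed_on is None or today - self.changed_on > MAX_AGE

    def record_login(self, password, today):
        """Return 'ok', 'expired', 'bad_password' or 'disabled', enforcing the lockout."""
        if self.disabled:
            return "disabled"
        current = self.history[0] if self.history else None
        if current is None or not hmac.compare_digest(hash_password(password, self.salt), current):
            self.failed_attempts += 1
            if self.failed_attempts >= LOCKOUT_THRESHOLD:
                self.disabled = True      # stays disabled until Technology Services resets it
                return "disabled"
            return "bad_password"
        self.failed_attempts = 0
        return "expired" if self.is_expired(today) else "ok"

    def manual_reset(self):
        """The personal contact with Technology Services the policy requires."""
        self.disabled = False
        self.failed_attempts = 0
```

The useful property of holding the rules in one place is that each platform's native settings (PeopleSoft password controls, Oracle profile limits, AIX user stanzas) can be compared to the same constants, which is the gap the finding describes.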

2. Overhaul Data Center Access Lists

We recommend Technology Services remove data center access from all cards which are not identifiable by card number or assigned to an individual. Technology Services should complete a review of all cards with access to the City’s data centers for appropriateness and consider establishing formal, regular review procedures for physical access listings. Review procedures should identify and remedy: inactive badges, badges belonging to transferred or terminated personnel, duplicate IDs, and any inappropriate access not commensurate with a user’s job function.
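The regular review procedure recommended here can be scripted over an export of the badge system. The script below is an added example for this page and is not C*Cure's own reporting; it assumes an export with card number, holder, holder type, status and door columns (the column names, card numbers, people and door names are constructed) and raises exactly the four exception types the finding lists: active cards with no identifiable number, cards with no owner, test cards still active, and individuals holding more than one card.

```python
"""Periodic review of a data-center badge access listing (added example)."""
import csv
import io
from collections import defaultdict

# Constructed export; names, card numbers and door identifiers are invented.
ACCESS_LIST_CSV = """card_number,holder,holder_type,status,doors
10001,Alice Example,employee,active,DC-North
10002,Bob Example,contractor,active,DC-North;DC-South
10003,Bob Example,contractor,active,DC-South
,Unknown,,active,DC-North
10005,,,active,DC-South
10006,TEST CARD 1,test,active,DC-North;DC-South
10007,TEST CARD 2,test,inactive,DC-North
10008,Carol Example,employee,active,DC-North
"""


def load_access_list(text=ACCESS_LIST_CSV):
    return list(csv.DictReader(io.StringIO(text)))


def review_access_list(rows):
    """Return the exceptions a physical-access review should raise, by category."""
    active = [r for r in rows if r["status"] == "active"]
    cards_by_holder = defaultdict(list)
    for r in active:
        if r["holder"].strip() and r["holder_type"] in ("employee", "contractor"):
            cards_by_holder[r["holder"]].append(r["card_number"])
    return {
        # active cards that cannot be tied to a card number at all
        "no_card_number": [r["holder"] for r in active if not r["card_number"].strip()],
        # numbered cards with nobody listed as owner
        "no_owner": [r["card_number"] for r in active if not r["holder"].strip()],
        # test cards that were never deactivated
        "active_test_cards": [r["card_number"] for r in active if r["holder_type"] == "test"],
        # one person, several cards: the policy is one card per person
        "multiple_cards": {h: c for h, c in cards_by_holder.items() if len(c) > 1},
    }


def cards_to_remove(exceptions):
    """Recommendation 2: cards not identifiable by number or not assigned to an individual."""
    return sorted(set(exceptions["no_owner"]) | set(exceptions["active_test_cards"]))


if __name__ == "__main__":
    found = review_access_list(load_access_list())
    for category, items in found.items():
        print(f"{category}: {items}")
    print("remove access from cards:", cards_to_remove(found))
```

Cards with no number cannot be removed by number; they are listed by holder so that the record itself can be located and closed in the badge system.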

FINDING 3

Disaster Recovery Procedures Are Not Tested on a Periodic Basis

Business owners and Technology Services have not performed a test of the existing disaster recovery plan supporting PeopleSoft and its supporting infrastructure within the last year. Testing is an essential part of disaster recovery planning. An effective disaster recovery plan requires testing on a periodic basis, or there is a risk that the plan will not work when needed.

Recommendation

1. Coordinating with business owners, Technology Services should perform regular tests of the City’s disaster recovery capability for the PeopleSoft applications and supporting infrastructure. The frequency of such tests should be dictated by system criticality, and should occur at least every 12 to 18 months.


AGENCY RESPONSE
