Audit (Special) Report 2012-S3 DHSMV (Driver and Vehicle Information Database Internal Control Attestation) Internal Audit Department
Report 2012 - S3
Department of Highway Safety
and Motor Vehicles
Driver and Vehicle Information
Database Internal Control Attestation
December 2011
Dwight E. Brock
Clerk of the Circuit Court
3299 Tamiami Trail East
Suite #402
Naples, FL 34112-5746
www.collierclerk.com
Prepared by: Allison Kearns, Internal Auditor
Patrick Blaney, Senior Internal Auditor
Report Distribution: Marc Tougas, Information Services Director
Jill Lennon, Courts Director
Cc: Dwight E. Brock, Clerk of the Circuit Court
Crystal K. Kinzel, Director of Finance & Accounting
TABLE OF CONTENTS
Background
Summary
Scope
Observations, Recommendations and Responses
Conclusion
Additional Management Comments
The files and draft versions of audit reports remain confidential and protected from public records requests
during an active audit under Nicolai v. Baldwin (Aug. 28, 1998 DCA of FL, 5th District) and Florida Statute
119.0713. Workpapers supporting the observations noted within this report are public record and can be
made available upon request once the final audit report has been issued.
BACKGROUND
On June 17, 2010, the Collier County Clerk of the Circuit Court ("Requesting Party") entered into a Memorandum
of Understanding (MOU), with the Florida Department of Highway Safety & Motor Vehicles (DHSMV, a.k.a.
"Providing Agency") to access the Driver and Vehicle Information Database (DAVID) systems. In a letter dated
July 28, 2011, the DHSMV formally requested an internal control review be conducted for the Clerk to ensure
personal data is being used in accordance with the MOU.
As stated in the MOU Section VI, Part A, "Upon request from the Providing Agency, the Requesting Party must
submit an attestation from a currently licensed Certified Public Accountant (CPA) performed in accordance with the
American Institute of Certified Public Accountants (AICPA), 'Statements on Standards for Attestation
Engagements'... In the event the Requesting Party is a governmental entity, the attestation may be provided by the
entity's internal auditor or inspector general. The attestation must indicate that the internal controls over personal
data have been evaluated and are adequate to protect the personal data from unauthorized access, distribution, use,
modification or disclosure. The attestation must be received by the Providing Agency within 180 days of the
written request."
SUMMARY
The following observation was generated during the review:
• Quarterly quality control reviews of users with access to DAVID should be conducted by MIS in accordance
with MOU Section IV, Part B, Item 10.
The internal controls over DAVID personal data have been evaluated and, in the opinion of Internal Audit, are
adequate to protect the personal data from unauthorized access, distribution, use, modification and/or disclosure to
third parties. The Clerk of Courts' users appear to be using the DAVID information for appropriate business
purposes. The observation noted by Internal Audit is considered an opportunity for improvement and not a
significant control weakness.
SCOPE
The review consisted of, but was not limited to, the following tasks:
• Reviewing the previous annual affirmation report and current MOU;
• Meetings with Court and MIS staff;
• Observing physical security of computers enabled with DAVID access;
• Obtaining a sample from DHSMV that consisted of all DAVID access by Clerk of Courts staff for one week;
• Performing analytical and reasonableness testing on a sample of DAVID usage data.
The objective of the engagement was to determine whether the internal controls surrounding DAVID personal data
are adequate to protect the data from unauthorized access, distribution, use, modification and/or disclosure.
OBSERVATION
1) Quarterly quality control reviews for authorized users are not being conducted.
Reviews of active users are not currently being performed on a quarterly basis, as required by Section IV, Part B,
Item 10 of the MOU. By periodically performing this review, the proper control will be in place to ensure access
rights of authorized DAVID users remain current. From the inception of the Clerk's use of DAVID to the end of
our field work there have been no changes in Clerk's personnel who are authorized to access DAVID.
Recommendation:
• The DAVID liaison from MIS should confirm current users with the Courts Director on a quarterly basis. This
would ensure that all users of DAVID remain up-to-date, with an active business need for the database and will
comply with Section IV, Part B, Item 10 of the MOU.
Management Response:
MIS has a spreadsheet of the DAVID users in the Clerk's Agency. To meet the quarterly review requirement, MIS
can send this spreadsheet to the Courts Director every quarter. The Director can confirm if the people listed are the
ones that should or should not be accessing DAVID and make any additions if appropriate.
CONCLUSION
After reviewing a sample of DAVID transactions, meeting with authorized users and interviewing management, it
appears as though adequate physical and logical controls exist to protect confidential DAVID information from
unauthorized access, distribution, use, modification and disclosure.
The cooperation of Court and MIS staff during this review was greatly appreciated.