2017-2 DAVID Report Signed Attest1
INNE64-HE C1R'
I Internal Audit Department
Audit Report 2017-2
Department of Highway Safety
and Motor Vehicles
Driver And Vehicle Information
Database Internal Control Attestation
Issued: January 30, 2017
Prepared by: Michael Harder, Senior Internal Auditor
Patrick Blaney, Senior Internal Auditor
Report Distribution: Marc Tougas, Information Services Director
Jill Lennon, Courts Director
Cc: Dwight E. Brock, Clerk of the Circuit Court
Crystal K. Kinzel, Chief Deputy Clerk
James D. Molenaar, Internal Audit Manager
TABLE OF CONTENTS
Summary.............................................................................................................. 2
Objectives............................................................................................................. 2
Scope..................................................................................................................2
Background...........................................................................................................2
Observation...........................................................................................................3
Conclusion............................................................................................................ 3
The files and draft versions of audit reports remain confidential and protected from public records requests
during an active audit under Nicolai v. Baldwin (Aug. 28. 1998 .DC;9 of IL. 5"' District) and Florida Statute
119.0713. Workpapers supporting the observations noted within this report are public record and can be made
available upon request once the final audit report has been issued.
1
This examination generated the following observations regarding internal controls over the Driver And Vehicle
Information Database (DAVID):
• Internal Controls Over DAVID Are Adequate to Protect Personal Data.
The objectives of this engagement were to evaluate internal controls surrounding DAVID personal data, and to
determine whether they are adequate to protect that data from unauthorized access, distribution, use, modification or
disclosure.
The audit engagement consisted of, but was not limited to, the following tasks:
• Reviewing the current Memorandum of Understanding (MOU) & audit worksheet;
• Reviewing the previous annual affirmation report and workpapers;
• Interviewing Clerk of Courts personnel;
• Observing physical security of computers enabled with DAVID access;
• Examining a sample of ten Clerk of Courts staff DAVID access for one week; and
• Performing analytical and reasonableness testing on a sample of DAVID usage data.
On April 18, 2016, the "Requesting Party," Collier County Clerk of the Circuit Court, entered into a Memorandum
of Understanding (MOU) with the "Providing Agency," Florida Department of Highway Safety & Motor Vehicles
(DHSMV), to access the Driver and Vehicle Information Database (DAVID). The Clerk's staff uses DAVID to
research and validate names and driver license numbers from traffic citations.
As stated in the MOU Section VI, Part A, "Upon request from the Providing Agency, the Requesting Party must
submit an attestation from a currently licensed Certified Public Accountant performed in accordance with American
Institute of Certified Public Accountants (AICPA) `Statements on Standards for Attestation Engagement'... In the
event the Requesting Party is a governmental entity, the attestation may be provided by the entity's internal auditor
or inspector general. The attestation must indicate that the internal controls over personal data have been evaluated
and are adequate to protect the personal data from unauthorized access, distribution, use, modification or disclosure.
The attestation must be received by the Providing Agency within 180 days of the written request."
In its October 31, 2016 email to the Clerk, the DHSMV formally requested that an internal control attestation
engagement be conducted for the Clerk to ensure personal data is being safeguarded and used in accordance with the
MOU.
2
1) Internal Controls Over DAVID Are Adequate to Protect Personal Data.
The internal controls over DAVID personal data have been evaluated and, in the opinion of Internal Audit, are
adequate to protect the personal data from unauthorized access, distribution, use, modification and/or disclosure to
third parties. The Clerk of Courts' users appear to be utilizing the DAVID information strictly for appropriate business
purposes.
CONCLUSION
Audits do not relieve management of its responsibilities. It is the responsibility of County management to understand
and implement the proper procedural controls in order to reduce and limit the risk of fraud, error, and misappropriation
of County assets or revenues. Internal Audit may recommend improvements, but ultimately it is the duty and decision
of County management to formulate processes and controls that ensure compliance with applicable rules and
regulations.
Internal Audit appreciated the cooperation of MIS and Court personnel during this review.
3
Terry L. Rhodes
A SAFER Executive Director
rLORID
HIGHWAY SAFETY AND MOTOR VEHICLES
ATTESTATION STATEMENT
Contract Number HSMV-0029-17
2900 Apalachee Parkway
Tallahassee, Florida 32399-0500
www.flhsmv.gov
In accordance with Section VI, Part B, of the Memorandum of Understanding between Department of Hi hway
Safety and Motor Vehicles and Collier County Clerk of Court (Requesting Agency), this MOU is contingent upon
the Requesting Party having appropriate internal controls over personal data sold or used by the Requesting Party
to protect the personal data from unauthorized access, distribution, use, modification, or disclosure. Upon request
from the Providing Agency, the Requesting Party must submit an attestation stating that a currently licensed
Certified Public Accountant performed an audit in accordance with the American Institute of Certified Public
Accountants (AICPA), "Statements on Standards for Attestation Engagement." In lieu of submitting the attestation
from a currently licensed Certified Public Accountant, the Requesting Party may submit an alternate certification
with pre -approval from the Department. In the event the Requesting Party is a governmental entity, the attestation
may be provided by the entity's internal auditor or inspector general. The attestation must indicate that the internal
controls over personal data have been evaluated and are adequate to protect the personal data from unauthorized
access, distribution, use, modification, or disclosure. The attestation must be received by the Providing Agency
within 180 days of the written request. The Providing Agency may extend the time to submit attestation upon written
request and for good cause shown by the Requesting Agency.
Collier County Clerk of Court (Requesting Agency) hereby attests that Requesting Agency has evaluated and has
adequate controls in place to protect the personal data from unauthorized access, distribution, use and modification
gar -disclosure and is in full compliance as required in the contractual agreement.
v
�Prnin ed ame
LIe-
Title
Date
Collier County Clerk of Court
NAME OF AGENCY
• Service • Integrity • Courtesy • Professionalism • Innovation • Excellence
An Equal Opportunity Employer