The Examination Of Information Technology-Related Controls At The Department Of Revenue's Child Support Enforcement Division
JANUARY 31, 2011 · Department Of Revenue · Read the full official report (PDF) ↗
source
“Our review of the Division of Child Support Enforcement (CSE) found that internal controls were in place to provide reasonable assurance that IT-related control objectives would be met with respect to program changes to application systems and logical access security.”
Read the plain-English breakdown
This is a state audit of technology controls at the Department of Revenue’s Child Support Enforcement Division.
“In accordance with Chapter 11, Section 12, of the Massachusetts General Laws, we performed an information technology (IT) general controls evaluation regarding program change control.”
Auditors wanted to see whether changes to CSE’s business software were approved, documented, tested, and protected from unauthorized access.
“Our primary audit objective was to determine whether the Division of Child Support Enforcement (CSE) IT-related internal control environment, including policies, procedures, practices, and organizational structure, provided reasonable assurance that application program changes to CSE’s business systems are authorized and documented, and that changes are developed, tested, and implemented in a secure environment.”
CSE handles child support records and payments for many families, so weak IT controls could affect sensitive data and payment systems.
“CSE currently issues, on average, monthly financial assistance to approximately 50,000 custodial parents representing approximately 200,000 payments per month.”
If you rely on child support services, the audit says the systems used to manage cases and payments had controls to protect data and system changes.
“Included in our audit was an assessment of the adequacy and effectiveness of controls in place to protect the integrity and confidentiality of data within COMETS.”
The auditor did not report major problems; the agency agreed with the audit’s results and conclusions.
“The agency agrees with the audit results and conclusions.”
The auditor suggested that other parts of the Department of Revenue compare their own change-control practices with CSE’s approach.
“We suggest that other Divisions within DOR benchmark their change control practices against those employed by the Division of Child Support Enforcement to ensure that generally accepted practices are in place on an enterprise-wide basis.”
The report is significant because it found strong controls over who can access and change CSE’s important child support systems.
“Regarding logical access security for program changes, we found there were strong controls in place to restrict access to only authorized users including programmers and developers that make modifications to CSE’s application systems.”
“IV-D” means the federal child support enforcement program, and an IV-D case generally involves welfare benefits or someone applying for child support services under that law.
“The term "IV-D" comes from Title IV, Part D, of the federal Social Security Act, which established the Child Support Enforcement Program in 1975.”
What the Auditor checked
- Complied Did the Division of Child Support Enforcement’s IT-related internal control environment provide reasonable assurance that application program changes were authorized, documented, developed, tested, and implemented in a secure environment?