Report 2013-302/2013-303 Data Reliability Assessments
Description of Data | Agency Purpose of Data |
---|---|
Oracle Financial System (Oracle) |
The Administrative Office of the Courts (AOC) and the eight other judicial entities we reviewed use Oracle to issue purchase orders and record certain procurement activity. Further, the AOC uses procurement data from Oracle to generate the semiannual reports it provides to the Joint Legislative Budget Committee and the California State Auditor on behalf of the Judicial Council of California (semiannual reports). Magnitude of DataFor the period January 1, 2013, through June 30, 2013, the Oracle Financial System contained information pertaining to payments to 1,333 vendors of approximately $188 million. |
Purpose of Testing | Data Reliability Determination |
To determine the accuracy and completeness of data related to the AOC and the eight judicial entities from the Semiannual Report on Contracts for the Judicial Branch for the Reporting Period July 1, 2012, through December 31, 2012, submitted by the AOC to the Legislature and the state auditor. |
Not Sufficiently Reliable—To assess the reliability of Oracle Financial System, we reviewed selected information system general controls the AOC implemented over the Oracle Financial System. We identified issues in several key general control categories such as security management, which provides a framework for assessing and managing risk and developing security policies, and access controls, which are logical and physical controls that limit or detect access to computer resources such as data, programs, equipment, and facilities. Business process application controls are directly related to a specific computerized application—the Oracle Financial System, in this case—and help to ensure that transactions are complete, accurate, and available. The strength of general controls is a significant factor in determining the effectiveness of business process application controls. Therefore, because we identified such pervasive weaknesses in the general controls the AOC implemented over its information systems, we did not perform any testing of the Oracle Financial System's business process application controls. The results of our review indicate that there is an unacceptably high risk that data from the applications the AOC currently use to perform its day-to-day operations could lead to an incorrect or improper conclusion. Therefore, we determined the data were not sufficiently reliable, regardless of the purpose for which the data are used. |
Agency Response Date | November 2016 |
Corrective Action Recommended | Status of Corrective Action |
The AOC should implement all of the best practices related to general and business process application controls as outlined in the U.S. Government Accountability Office's Federal Information System Controls Audit Manual no later than December 31, 2014, thereby strengthening and continuously monitoring the effectiveness of the controls over its information systems. In addition, the AOC should immediately begin implementing improvements to its controls over access to its information systems and place these improvements into effect by February 2014. Finally, the AOC should provide guidance and routinely follow up with the superior courts—requiring updates every six months until all identified issues are corrected—to ensure that they make the necessary improvements to their general and business process application controls. |
Not Fully Implemented—The Judicial Council of California (Judicial Council) was able to secure the Governor's approval for $3.1 million in additional funding during fiscal year 2016-17 to strengthen information technology security and disaster recovery programs, with additional ongoing funding of $1.9 million in subsequent years. This funding will result in the implementation of user access auditing tools at the courts, the establishment of annual information system risk assessments, and the implementation of a formalized information technology security plan. The BCP also provides funding for three full time employees to support the IT security and disaster recovery programs within the Judicial Council. The Judicial Council anticipates having additional information on an anticipated timeline in our next annual update. |
Description of Data | Agency Purpose of Data |
Phoenix Financial System (Phoenix) |
The superior courts generally use Phoenix to issue purchase orders and record certain procurement activity. Further, the Administrative Office of the Courts (AOC) uses data from Phoenix to compile the semiannual reports it submits to the Joint Legislative Budget Committee and the California State Auditor on behalf of the Judicial Council of California (semiannual reports). Magnitude of DataFor the period January 1, 2013, through June 30, 2013, the Phoenix Financial System contained information pertaining to 12,445 contracts for the superior courts that were originally valued at nearly $107.5 million. |
Purpose of Testing | Data Reliability Determination |
To determine the accuracy and completeness of data related to the AOC and the eight judicial entities from the Semiannual Report on Contracts for the Judicial Branch for the Reporting Period July 1, 2012, through December 31, 2012, submitted by the AOC to the Legislature and the state auditor. We included the Phoenix Financial System in our review because we will be auditing the procurement practices of selected superior courts in subsequent audits. |
Not Sufficiently Reliable—To assess reliability of the Phoenix Financial System, reviewed the general and business process application controls over the AOC's Phoenix Financial System. The AOC contracts with a third-party service provider to support its Phoenix Financial System. Therefore, following U.S. Government Accountability Office guidelines, we evaluated the general and business process application controls that the service provider, the AOC, and the superior courts collectively implemented over the Phoenix Financial System and identified pervasive weaknesses. For example, we found that some of the AOC's plans were either nonexistent, or in one case, the plan had not been updated since 1997. Further, in its reviews of the superior courts, the AOC repeatedly identified the same concerns with the superior courts' plans, policies, and procedures, some dating back to 2003. The results of our review indicate that there is an unacceptably high risk that data from the applications the AOC and superior courts currently use to perform their day-to-day operations could lead to an incorrect or improper conclusion. Therefore, we determined the data were not sufficiently reliable, regardless of the purpose for which the data are used. |
Agency Response Date | November 2016 |
Corrective Action Recommended | Status of Corrective Action |
The AOC should implement all of the best practices related to general and business process application controls as outlined in the U.S. Government Accountability Office's Federal Information System Controls Audit Manual no later than December 31, 2014, thereby strengthening and continuously monitoring the effectiveness of the controls over its information systems. In addition, the AOC should immediately begin implementing improvements to its controls over access to its information systems and place these improvements into effect by February 2014. Finally, the AOC should provide guidance and routinely follow up with the superior courts—requiring updates every six months until all identified issues are corrected—to ensure that they make the necessary improvements to their general and business process application controls. |
Not Fully Implemented—The Judicial Council of California (Judicial Council) was able to secure the Governor's approval for $3.1 million in additional funding during fiscal year 2016-17 to strengthen information technology security and disaster recovery programs, with additional ongoing funding of $1.9 million in subsequent years. This funding will result in the implementation of user access auditing tools at the courts, the establishment of annual information system risk assessments, and the implementation of a formalized information technology security plan. The BCP also provides funding for three full time employees to support the IT security and disaster recovery programs within the Judicial Council. The Judicial Council anticipates having additional information on an anticipated timeline in our next annual update. |