Recurring Findings

Public Health: Recurring Significant Internal Control Deficiencies
Federal Program: WIC (Supplemental Nutrition Program)

Issue: During our audit for fiscal year 2011-12, we reported that the information technology (IT) controls over logical access and change management for the Integrated Statewide Information System (ISIS) were not properly designed. In fiscal year 2012-13, we also found that certain information technology controls over logical access were not properly designed and implemented. Public Health utilizes ISIS to determine eligibility for WIC participants and to monitor issuance and redemption of food vouchers. IT general controls should be properly designed and operating effectively to help ensure application controls function properly.

Public Health did not properly terminate access to ISIS. We found that 16 of the 292 individuals with access to ISIS had been terminated and, therefore, should no longer have access to the system. In addition, Public Health did not properly restrict access for one of 25 users tested. Public Health granted the user access to the policy/eligibility functions within ISIS; however, the user’s job function did not require this level of access. We also noted that it does not have a control in place to annually review the level of access granted to users.

Additionally, we found that the cost neutrality report generated from ISIS appears to be double counting certain food instruments. The cost neutrality report is used to perform the quarterly cost neutrality assessment, to ensure that the average price per food instrument type that above-50-percent vendors charge participants does not exceed the price charged by regular vendors, either within their peer groups or statewide. The cost neutrality report for each quarter was between 50 and 83 food instruments higher than the query used to identify the number of food instruments for regular vendors.

First Year Reported: 2011-12

Department's Assertion: CDPH agrees with this recommendation and has partially implemented it. CDPH relies on local agencies (LAs) to comply with CDPH policy to ensure the security and integrity of the ISIS system. This policy requires LA supervisors to “review the agency’s ISIS logon ID Maintenance Report” and delete any logon IDs of former employees and any other unnecessary logon IDs in accordance with the California WIC Program Manual. CDPH’s Information Technology Services Division (ITSD) generates the ISIS logon ID Maintenance Report, which the WIC Program distributes monthly to LAs.

By August 31, 2014, the WIC Program will clarify instructions and expectations for use of the “ISIS logon ID Maintenance Report” and include reference to WIC 140-20 when distributing the report to the LAs. By August 31, 2014, the WIC Program and ITSD will develop a role-based ISIS ID request/change form that defines the minimum ISIS access requirements to align with the application needs of employees. The WIC Program will continue to require three levels of signatures before any ISIS ID changes are made.

Regarding the appearance that the cost neutrality report generated from ISIS may have been double counting certain food instruments, ITSD and WIC worked together to analyze the detailed SQL parameters to confirm that the SQL used to produce the cost neutrality report from ISIS is not double counting any records. As of March 10, 2014, the WIC Program and ITSD confirmed that the SQL parameters contain no errors and ISIS is no longer double counting any food instruments.

Page Number: 37