To prevent unauthorized leave buyback transactions, the department should limit access for keying transactions to the payroll system only to authorized personnel staff.
As outlined in our October 2016 Response, the process involves responsibilities by the unit managers and Security Monitor (SM).
- The unit manager process is to notify the SM and Authorizing Official (AO), via email, when staff who have SCO access need to be removed. Attached are substantiating copies of email notifications (Attachments A through E) which were emailed to the SM and/or AO by the unit managers. Since our last response, we have provided additional information to the unit managers regarding their process (Attachment F) and implemented a 'reminder' email (Attachment G) which is automatically sent to them on the first of each month. These additions to the process will ensure that the unit managers fully understand when their staff with SCO access need to be removed and notify the SM and AO in a timely manner.
- The SM process is, immediately upon notification by the unit manager or on a monthly basis, to review, update and submit the PSD 125A to SCO to request removal of staff from SCO access. Attached are substantiating copies of PSD 125As (Attachments H through L) that were submitted to SCO by the SM after receiving the above unit managers' email notifications. Also attached are substantiating copies of PSD 125As (Attachments M and N) with the AO's signature on the top right showing the date the monthly review was done by the AO and SM.
Since our last response, we have implemented a 'read receipt' email (Attachment O) so the AO will know that the unit managers have read the above 'reminder' email, and a monthly recurring meeting reminder (Attachment P) between the SM and AO.
Our current process for removing State Controller's Office access for staff who are leaving or have left the SCO access eligible position and unit, and/or the Department, is outlined below.

Unit Manager Responsibility: It is the responsibility of the unit supervisor or manager who is notified that one of their employees, who is an authorized SCO user, is leaving the unit due to a transfer, promotion, demotion, separation or leave of absence of 30 or more days to notify the SCO Security Monitor and the Authorizing Official, via email, with a confirmed read receipt, and include the following information:
1. Employee name
2. Employee classification
3. Effective date of separation, transfer or leave of absence, etc.
4. Reason for leaving, i.e., promotion, transfer, etc.

Security Monitor Responsibility: It is the responsibility of the department's SCO Security Monitor, upon receipt of notification from a unit supervisor or manager that his/her employee is transferring, promoting, demoting, separating, or going on a leave of absence of 30 or more days, to update the PSD 125A and submit it to SCO to request removal or modification of the SCO access immediately. A copy of the email request from the supervisor or manager and the revised PSD 125A will be maintained for audit purposes. Once the updated PSD 125A is received from the SCO, it is immediately reviewed and verified by both the SCO Security Monitor and the Authorizing Official to ensure its accuracy. Any discrepancies are researched and corrected immediately. The SCO Security Monitor will then update any changes to the Matrix of Parks Defined SCO Access Roles. Once a month the SCO Security Monitor and the Authorizing Official will review the PSD 125A to verify the status of approved access to the SCO system. The Department has implemented this additional review to ensure the SCO Security Monitor and the SCO are kept abreast of any and all changes within the office.
In late October 2016, the department communicated to its payroll managers and its security monitor the process described in its response, which is an important component to fully implementing our recommendation. However, the department stated that it was not yet able to provide documentation to substantiate that staff have begun following this process.
In order to maintain and monitor the confidentiality and integrity of the State Controller's Office (SCO) sensitive and confidential data, as well as protect SCO's systems against misuse, abuse, and unauthorized use, the security monitor and assistant security monitor for Parks have a working knowledge of the SCO Personnel/Payroll Services Division's systems and applications, as well as the different levels of system access. They also understand they must ensure compliance with the standards, procedures, and controls indicated in SCO's Decentralized Security Program manual, including the California Information Practices Act of 1977 and the California State Administrative Manual developed by the Department of General Services.
In addition, Parks created and follows the Matrix of Parks Defined SCO Access Roles (attached) which serves as a "safety net" or "second check" to ensure all requests for user access conform to the rules and regulations, as well as their classification and access levels. The Personnel Office will continue to serve as the final internal review, and provide final signature approval prior to sending the request for access to SCO. This procedure has also been added to our Security Monitor Binder, readily available to our security monitors and our Personnel Officer.
State Controller's Office Access Matrix Plan
The department's Access Matrix Plan outlines various levels of access for specific roles within units of the personnel services sections. Although the matrix provides a process for its security monitors to request access to the state controller's systems, the department's matrix does not outline the process used by the security monitors to remove access to these systems. As we describe on page 34 of our report, the state controller's payroll review report stated that managers who keyed the buyback transactions should not have had access to the payroll system. According to the state controller's report, the employees who keyed in the transactions had access to the system before becoming managers. However, the security monitor did not revoke this access when the employees became managers. We would expect the department's process to include steps for the security monitor to periodically verify whether those with access to the state controller's systems should continue to have access, and if not, the steps the security monitor should perform to remove inappropriate access. During our discussions with the department regarding the implementation of this recommendation, the department asserted that the security monitor would maintain a separate log and do a periodic check, every two weeks, to verify the status of approved access to the state controller's system. However, the department did not provide documentation to demonstrate how it uses the security monitor's log to verify that those with access to the state controller's system should continue to have access.
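The periodic verification the auditor expects above (and the notification triggers the department lists: transfer, promotion, demotion, separation, or leave of 30 or more days) can be expressed as a reconciliation between the current access roster and HR events. The following is an added illustration, not the department's or SCO's own process or tooling. The role label "KEYER", the unit name "Personnel Transactions", the employee records and the HR events are all constructed for the example; the only value taken from the page is the 30-day leave threshold.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

LEAVE_THRESHOLD_DAYS = 30                     # "leave of absence of 30 or more days" (from the process above)
KEYING_ROLES = {"KEYER"}                      # hypothetical label for roles that can key payroll transactions
ELIGIBLE_UNITS = {"Personnel Transactions"}   # hypothetical SCO-access-eligible unit


@dataclass(frozen=True)
class AccessRecord:
    """One line of the access roster as the security monitor would maintain it."""
    employee_id: str
    name: str
    classification: str
    unit: str
    access_role: str


@dataclass(frozen=True)
class HREvent:
    """A personnel action that may require access removal or modification."""
    employee_id: str
    event: str                         # transfer | promotion | demotion | separation | leave
    effective: date
    new_unit: Optional[str] = None
    new_classification: Optional[str] = None
    leave_days: int = 0


def review_access(roster, events, as_of):
    """Compare the access roster against HR events effective on or before `as_of`.

    Returns (employee_id, reason) pairs whose access should be removed or
    modified. Records with no triggering event and no standing conflict are
    retained. The standing check catches the case described in the audit
    finding: an employee who kept a keying role after becoming a manager.
    """
    effective_events = {}
    for ev in events:
        if ev.effective <= as_of:
            effective_events.setdefault(ev.employee_id, []).append(ev)

    findings = []
    for rec in roster:
        reasons = []
        classification, unit = rec.classification, rec.unit
        for ev in sorted(effective_events.get(rec.employee_id, []), key=lambda e: e.effective):
            if ev.event == "separation":
                reasons.append(f"separated {ev.effective}")
            elif ev.event == "leave" and ev.leave_days >= LEAVE_THRESHOLD_DAYS:
                reasons.append(f"leave of {ev.leave_days} days from {ev.effective}")
            elif ev.event == "transfer":
                unit = ev.new_unit or unit
                if unit not in ELIGIBLE_UNITS:
                    reasons.append(f"transferred to {unit} on {ev.effective}")
            elif ev.event in ("promotion", "demotion"):
                # Track the classification change; the standing check below decides.
                classification = ev.new_classification or classification
        if rec.access_role in KEYING_ROLES and "Manager" in classification:
            reasons.append(f"classification '{classification}' should not hold keying access")
        if reasons:
            findings.append((rec.employee_id, "; ".join(reasons)))
    return findings


# Constructed sample data (not from the department's records).
SAMPLE_ROSTER = [
    AccessRecord("E001", "A. Alvarez", "Personnel Specialist", "Personnel Transactions", "KEYER"),
    AccessRecord("E002", "B. Brown", "Personnel Specialist", "Personnel Transactions", "KEYER"),
    AccessRecord("E003", "C. Chen", "Personnel Specialist", "Personnel Transactions", "INQUIRY"),
    AccessRecord("E004", "D. Diaz", "Personnel Specialist", "Personnel Transactions", "KEYER"),
    AccessRecord("E005", "E. Evans", "Personnel Specialist", "Personnel Transactions", "KEYER"),
    AccessRecord("E006", "F. Ford", "Personnel Specialist", "Personnel Transactions", "KEYER"),
]
SAMPLE_EVENTS = [
    HREvent("E002", "promotion", date(2017, 1, 15), new_classification="Staff Services Manager I"),
    HREvent("E003", "separation", date(2017, 1, 31)),
    HREvent("E004", "leave", date(2017, 2, 1), leave_days=45),
    HREvent("E005", "leave", date(2017, 2, 1), leave_days=10),      # below threshold: retained
    HREvent("E006", "transfer", date(2017, 2, 10), new_unit="Fiscal Services"),
    HREvent("E001", "separation", date(2017, 3, 15)),               # not yet effective on 2017-03-01
]


def run_monthly_review(as_of=date(2017, 3, 1)):
    """Monthly review as of a given date; returns the removal/modification list."""
    return review_access(SAMPLE_ROSTER, SAMPLE_EVENTS, as_of)


if __name__ == "__main__":
    for employee_id, reason in run_monthly_review():
        print(f"{employee_id}: request removal/modification of SCO access ({reason})")
```

Each finding would become one entry on the removal request the security monitor submits, and the unchanged roster lines are the retained set the authorizing official signs off on; keeping both lists with the review date is the documentation the auditor asks for. Running the review again at a later date picks up events that were not yet effective at the previous review.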
The State Controller's Office (SCO) requires departments to follow its security procedures as outlined in Office of the State Controller Personnel/Payroll Services Division: Decentralized Security Program Manual. The SCO Decentralized Security Administrator (DSA) manages SCO's Decentralized Security Program. The DSA makes the final determination as to who can key transactions based on job duties. The Authorizing Official/Manager and the Security Monitor are responsible for requesting SCO to either add or delete authorized users.
The department's response does not address our recommendation but rather reiterates points we made in our report on pages 34 and 35. We would expect the department to develop a plan for how its security monitor will limit access to the payroll system.
The Department of Parks and Recreation has taken measured steps to prohibit unauthorized leave buybacks and further restricted employee access (for keying transactions into the payroll system) to a select group of qualified personnel. All safeguards are fully implemented and have redundant security protections in place by both internal and external protocols.
All Transaction Staff have been trained on CalHR's policy on Cash-Out/Buy Back of Leave Benefits. These rules and guidelines are attached. Moreover, the Department's supervisor for hourly operations maintains a systematized authorization list with the State Controller's Office's (SCO) Personnel/Payroll Services Division.
The department has not provided documentation to substantiate its claim that it has restricted employee access to a select group of qualified personnel. Although it has issued a formal memo, it has not provided documentation demonstrating that it is following the memo for limiting access. For example, we expect to see documentation that the department has a robust process for its security monitor to ensure on an ongoing basis that access for keying transactions is limited only to authorized personnel staff.
Access to the State Controller's Office (SCO) payroll system is limited only to authorized personnel staff. Requests to add or change access must be approved in writing, to SCO, by the Personnel Officer.
The department has not provided documentation to support its claim that access to the payroll system is limited only to authorized personnel staff.
Agency responses received are posted verbatim.