MINUTES - 09262006 - C.73
Contra Costa County
TO: BOARD OF SUPERVISORS
FROM: INTERNAL OPERATIONS COMMITTEE
DATE: SEPTEMBER 18, 2006
SUBJECT: STATUS REPORT ON EMPLOYMENT AND HUMAN SERVICES DEPARTMENT
INTERNAL SECURITY PLAN
SPECIFIC REQUEST(S) OR RECOMMENDATION(S) & BACKGROUND AND JUSTIFICATION
RECOMMENDATIONS:
1. ACCEPT report prepared by the Employment and Human Services Director on the administration of a
department security plan to prevent welfare and other types of internal theft or fraud.
2. DIRECT the Employment and Human Services Director to report back to the Internal Operations
Committee in April 2007 on the establishment of controls and monitoring tools to track changes in
income eligibility for various welfare benefits.
BACKGROUND:
On April 6, 1999, the Board of Supervisors referred to the 2000 Internal Operations Committee (IOC) the
monitoring of actions taken by the Employment and Human Services Department (EHSD) following the
filing of fraud charges against two County employees, and on County check issuance procedures and
administration of petty cash funds, particularly the Immediate Need Imprest Fund. The 1999 IOC
dispensed with issues and concerns regarding County check issuance procedures and administration of
petty cash funds, and had these items removed as referrals.
CONTINUED ON ATTACHMENT: YES
SIGNATURE:
RECOMMENDATION OF COUNTY ADMINISTRATOR / RECOMMENDATION OF BOARD COMMITTEE
✓ APPROVE / OTHER
SIGNATURE(S): GAY B. UILKEMA, CHAIR; MARK DeSAULNIER
ACTION OF BOARD ON / APPROVE AS RECOMMENDED / OTHER
VOTE OF SUPERVISORS: ✓ UNANIMOUS (ABSENT )
AYES: NOES: ABSENT: ABSTAIN:
I HEREBY CERTIFY THAT THIS IS A TRUE AND CORRECT COPY OF AN ACTION TAKEN
AND ENTERED ON THE MINUTES OF THE BOARD OF SUPERVISORS ON THE DATE SHOWN.
ATTESTED: SEPTEMBER 26, 2006
JOHN CULLEN, CLERK OF THE BOARD OF SUPERVISORS AND COUNTY ADMINISTRATOR
BY DEPUTY
CONTACT: JULIE ENEA (925) 335-1077
CC: INTERNAL OPERATIONS COMMITTEE STAFF
COUNTY ADMINISTRATOR
EMPLOYMENT AND HUMAN SERVICES DIRECTOR
EHSD Internal Security Program September 18, 2006
Internal Operations Committee Page 2
On April 6, 1999, the Board of Supervisors referred to the 2000 Internal Operations Committee the monitoring of
actions taken by the EHSD following the filing of fraud charges against two County employees, and on County
check issuance procedures and administration of petty cash funds, particularly the Immediate Need Imprest Fund.
The 1999 Committee received and reviewed reports dated September 27, 1999 and October 11, 1999 from staff.
The Committee reported back to the Board on County check issuance procedures and administration of petty cash
funds and had these items removed as referrals.
On July 18, 2000, the Committee made a status report to the Board and recommended that EHSD staff, in addition
to establishing a Fraud Hotline, return to the IO Committee on November 13, 2000 with a follow-up report
addressing:
a. Identification of the individual who monitors system security access in the EHS, and the process and criteria
used to determine security access levels.
b. Review and verification of appropriate system security access for existing staff, in addition to new staff.
c. Clarification of the levels of managers who will review program compliance and security reports for the 2nd
Party Review Process, and how accountability will be established.
d. Progress on the implementation of the Comprehensive 2nd Party Review Process for welfare cases and
transactions.
e. Use of random sampling of benefit issuances to enhance fraud detection efforts.
f. Clarification of the mandated Electronic Benefit Transfer (EBT) Process for food stamp issuances, and an
evaluation of the option for using EBT for cash issuances and related effects on security.
g. Verification that new check stock is being used for Imprest Fund disbursements.
On November 13, 2000, the Committee received a status report from the Employment and Human Services
Department addressing the above questions/concerns. The IOC subsequently recommended to the Board that the
EHSD provide an annual status report to the IOC.
In September 2001 and 2002, October 2003, December 2004, and December 2005, the IOC met with EHSD
and reported out to the Board of Supervisors on the progress of the internal security plan. In 2003, the IOC and the
Board of Supervisors commended EHSD on the development of multiple strategies to lower risk and exposure to
internal fraud, and asked the Finance Committee to identify ways to preserve these efforts despite budget reductions.
What remains as a referral to the IOC is the ongoing monitoring of the implementation and expansion of the
Employment and Human Services Department's internal security plan. Attached is an update from the Employment
and Human Services Director on the Department's continuing progress and efforts to expand the security program.
The Director reports that the implementation of the state's CalWIN system has, by necessity, been the department's
primary focus for the last year. Since the December 2005 report, the department has been able to deploy more staff
resources to internal control issues. The attached report reviews in detail some of the new CalWIN tools that will be
utilized to improve internal security. The department also reports that more staff vacancies are being filled to
strengthen the internal control function.
As a follow-up, our Committee requested the department to report back in nine months on any tools and procedures
that have been developed and implemented to detect changes in income eligibility for welfare benefits.
EMPLOYMENT AND HUMAN SERVICES
CONTRA COSTA COUNTY
DATE June 30, 2006
TO Supervisor M. DeSaulnier
Supervisor G.B. Uilkema
Internal Operations Committee
FROM Danna Fabella, Interim Director
SUBJECT Status Report on Internal Security Plan
Recommendations
ACCEPT the report presented by the Employment and Human Services Department's
(EHSD) Interim Director on the status of efforts to implement the Department's Internal
Security Plan.
REPORT OUT to the Board of Supervisors the actions and strategies taken to positively
impact the security environment.
BACKGROUND
From 1998 through 2005, EHSD made considerable progress in implementing its
Security Plan to improve the internal control environment for payment and collection
activities, and increasing accountability throughout the organization. In managing this
process, we were operating within the framework of a long established, case data system
known as "CDS/GIS". In August 2005, under a statewide implementation plan for 18
counties, we discontinued this legacy mainframe system and began implementing the
significantly more complex CalWIN (CalWORKS Information Network) system.
CalWIN automates many eligibility determination and case management tasks necessary
to deliver public assistance benefits and supportive services under our major programs:
CalWORKS, Food Stamps, Medi-Cal, General Assistance, and Foster Care.
The system's original design and subsequent modifications by the vendor have required
that we extensively change our operational practices. CalWIN has touched virtually all
major programs and administrative and fiscal processes. As expected, this conversion
has not been easy, and it has also necessitated a redesign of our internal security
monitoring processes. The scope of this effort is large and it will be ongoing in the
coming 6 to 12 months as we redesign and enhance our security program.
Internal Operations Committee
Internal Security Plan
June 30, 2006
Page 2 of 5
STRATEGIES AND ACTIONS TAKEN THAT IMPACT OUR SECURITY
ENVIRONMENT
In the short term, we expect to continue experiencing both the challenges and benefits of
converting from a largely manual operation to a more automated environment. However,
with the first "implementation year" nearly behind us, and some key management data
reporting issues having been addressed, we are increasingly able to deploy more
resources to internal control issues. As outlined in our original 1998 Security Plan, the
Department is committed to effectively managing risk and exposure to internal fraud and
non-compliance. Our Plan remains centered on these major areas:
• Adequately controlling computer security access
• Maintaining adequate segregation of duties
• Adding other accountability and fraud prevention controls over disbursement
and collection activities
• Monitoring for potential internal fraud and non-compliance by using reporting
tools and by conducting compliance reviews
• Promoting greater use of second party reviews of casework
Since our last report to the IOC in November 2005, we have been working on the below
strategies and actions to help secure the environment:
1. Utilizing CalWIN Audit Trail Logs for Internal Fraud and Compliance
Monitoring — Since the CalWIN audit logs became available for use, our
Fiscal Compliance Accountant has been testing the specialized features and
format. The accountant developed prototype fraud monitoring reports to track
users' transactions entered on CalWIN and enable more detailed analysis of
monetary actions taken on cases. In the coming year, we will build on these
prototype reports and expand our tracing of computer activity.
2. Developing Other New Fraud Monitoring Alerts — With the availability of
data downloads from CalWIN, our Fiscal Compliance Accountant has worked
on redesigning prior fraud monitoring reports to incorporate the new data
elements and programming configurations. By using data mining techniques,
with a Business Objects software tool, the accountant has created six new fraud
alert reports to test and monitor for potential fraud and non-compliance risk
areas. In the next year, we will continue this effort to create and utilize a
higher number of similar reports.
3. Controlling, Assigning, and Timely Removing Users' Computer Access —
Despite significant technical changes since "go-live", we have managed to
retain a comprehensive process for assigning CalWIN access to staff, based on
each user's job function and assigned duties. Requests are submitted
electronically to our IT Security Administrator, and are linked directly to
personnel actions such as transfers, new hires, separations, and retirements.
This process ensures that we timely remove or change access levels, as users'
job functions change or become obsolete. The IT Security Administrator
updates and maintains users' access accordingly. The process works as
follows:
✓ Access is granted by assigning a pre-approved "security profile" that
enables an authorized user to open a series of CalWIN windows
containing further "tab" and "button" controls. Depending on the
profile, access can be "read only", or a combination of "read only" with
varying levels of "update" capability.
✓ A formal request, requiring supervisory authorization, is needed before
a user may be granted "read only" or "update" access to CalWIN.
✓ The IT Security Administrator enforces standards for assigning access
to users, based on their job functions and duties.
✓ All users' passwords automatically expire in 90 days, on a staggered
basis.
✓ Users confidentially select and change their personal passwords.
✓ Users are automatically logged off the system after a short, timed
session.
✓ In the past six months, a committee (Change Control Board) of mid to
senior level managers (with security staff also represented), evaluates
periodic requests to alter security profiles. While office protocol exists
to document changes and updates to profile designs, we are reviewing
this area for possible modifications.
4. Conducting a Comprehensive Risk Assessment of Computer Access
Controls — For the August 2005 conversion, EHSD's CalWIN Project Team
had set up employees' security profiles, in some cases, granting temporary
higher access levels to accommodate the conversion activities. Our IT
Division, through its Security Administrator, maintains the profiles and
assignments. Now that CalWIN is more fully operational, we have moved to
reduce access levels, where necessary, in keeping with permanent job
functions. Our Fiscal Compliance Accountant is independently conducting a
full inventory of each employee's security access levels to detect areas where
potential risk and exposure to fraud can be further minimized. The goal is to
ensure the "least privilege principle" is in place, meaning that users are only
granted access that they absolutely require. Fiscal Compliance will be
recommending profile changes, if necessary, to improve segregation of duties.
To facilitate this process, Fiscal Compliance developed inventory reports
showing the approximately 1,700 users and their access profiles. These query
reports are updated regularly and assist our IT Security Administrator, as well,
in analyzing access controls.
5. Staffing the Fiscal Compliance Unit — For the past three years, we have
operated with a quite lean organization, staffing this unit with one Fiscal
Compliance Accountant. However, to assist us in oversight activities under the
more complex CalWIN environment, we recently obtained approval to restore
and fill two Accounting Technician positions and one additional Fiscal
Compliance Accountant position. In prior years, these positions were
eliminated due to budget constraints. The restoration actions will expand the
Fiscal Compliance Unit to four employees. At this time, we have already hired
one of the technicians, and have begun recruiting to fill the second accountant
position to help us perform desk and onsite control reviews.
6. Conducting Fraud Training — Our Fiscal Compliance Accountant has
continued to provide Fraud training to new eligibility worker staff. This has
been useful in reinforcing proper computer usage standards and password
controls, outlining protocols for making a referral of suspected fraud, and
providing staff with additional notice that all actions by computer users are
subject to monitoring.
7. Sharing Information and Techniques with Other Counties — In April 2006,
our Fiscal Compliance Accountant met with internal security representatives
from 13 other counties to review and share information regarding security
techniques under CalWIN. Future meetings and exchanging of information
should continue in the next year, as more counties fully implement CalWIN.
8. Developing Future Strategies and Actions
✓ Re-evaluating Supervisory Approval Practices/Requirements — Our
next major task is to re-assess the effectiveness of the on-line
supervisory approval/review technology under CalWIN and identify
possible future improvements since our "go live" implementation of
transaction sampling tools.
✓ Revising Business Processes and Formalizing Operating Procedures
and Controls — We will be continuing to identify operational functions
that require new or revised written procedures to better support the new
system and ensure that proper controls are documented and employee
accountability is clearly established. As an example, currently our
Fiscal analysts are working closely with IT to implement and document
adequate stock, custody and issuance controls over the new CalWIN in-
house check disbursement process that will be used, on a very limited
basis, for a small group of clients needing temporary housing assistance.
Fiscal staff will be continuing to document other new process controls
arising from CalWIN system changes.
SUMMARY
In future months, our Program, Fiscal, Security, and IT staff will continue working
together to ensure that the new CalWIN system is adequately secure, and that any
necessary compensating controls and monitoring tools are in place. Our aim is to
minimize the County's potential risk and exposure to internal fraud, while we also
continue to provide a high level of service to our clients and recipients.