Quality Control Review of Controls Over the Enterprise Services Center
On October 5, we issued our final report on the general, application, and operational controls over the DOT's Enterprise Services Center (ESC). OIG hired a CPA firm to perform this review in accordance with the Statement of Auditing Standard No. 70. OMB requires Federal service providers either to (1) provide their user organizations with independent audit reports on the design and effectiveness of internal controls, or (2) allow user auditors to perform tests of controls at the service organizations. The audit covered Delphi Financial Management System operations, which are used by multiple Federal agencies, and the Consolidated Automation System for Time and Labor Entry (CASTLE), which is used to support DOT operations only. The audit concluded that management’s description of controls presents fairly, in all material respects, the controls that have been placed in operation as of June 30, 2010. In addition, controls are suitably designed and were operating effectively except in the areas of configuration management and access controls. Specifically, the Delphi system operated on a database for which the vendor stopped providing security updates in February 2009. Furthermore, ESC did not promptly apply critical security updates that the vendor had provided, and did not assess the system for vulnerabilities and their associated risks. The Deputy Chief Financial Officer has committed to implementing corrective actions.