Audit # 2016-03 Annual Audit of DHSMV DAVID Access Controls

Department of Inspector General
Stacy M. Butterfield, CPA
Clerk of the Circuit Court and County Comptroller
Lita J. McHugh, CPA, CIG
Inspector General
Auditor(s) Assigned:
Kassandra Cook, MAcc
Polk County, Florida
July 26, 2016
INSPECTOR GENERAL AUDIT REPORT
AUDIT #2016-03 DHSMV DAVID Access Controls
The Honorable Stacy M. Butterfield, CPA
Clerk of the Circuit Court and County Comptroller
We have conducted an audit of the Clerk's internal controls over access to the Driver and
Vehicle Information Database (DAVID) of the Department of Highway Safety and Motor
Vehicles (DHSMV).
The objective of our limited-scope audit was to determine if the Clerk's internal controls were
adequate to protect personal data accessed through DAVID from unauthorized access,
distribution, use, modification or disclosure, in accordance with the Memorandum of
Understanding with DHSMV.
Our testing found that the use of DAVID information was for legitimate Clerk business during the
period tested. In our opinion, the Clerk's internal controls are adequate to protect personal data
accessed through the DAVID database from unauthorized access, distribution, use, modification
or disclosure. Recommendations are included in our report.
We appreciate the cooperation and assistance provided by the Civil and Criminal Divisions
during the course of our audit.
We hope you find this report useful in ensuring Polk County government provides the best
possible services to our residents.
Respectfully submitted,
Lita McHugh, CPA, CIG
Inspector General
Audit 2016-03 DHSMV DAVID Access Controls
BACKGROUND
SUMMARY
The Department of Inspector General has completed a limited-scope audit of the Clerk’s
controls designed to protect personal data accessed through the Driver and Vehicle Information
Database (DAVID). Procedures to be performed are delineated in an audit guide provided by
the Department of Highway Safety and Motor Vehicles (DHSMV). In our opinion, the Clerk’s
internal controls are adequate to protect personal data accessed through DAVID from
unauthorized access, distribution, use, modification or disclosure. Recommendations are
included in this report.
BACKGROUND
DAVID is a database that contains driver’s license and motor vehicle information used by
Clerk’s employees for a variety of tasks related to their job duties. The DAVID system contains
confidential personal information protected by Chapter 119, Florida Statutes, and the Driver
Privacy Protection Act.
To access this information, the Clerk entered into a Memorandum of Understanding (MOU) with
the DHSMV. Per the MOU, unauthorized uses of the database include queries not related to a
legitimate business purpose, personal use, and the dissemination of this information to
unauthorized persons. The MOU is renewed every three years.
In addition to performing annual audits, the Department of Inspector General also conducted
quarterly quality control reviews as specified by the MOU during the audit period.
SCOPE AND METHODOLOGY
The scope of our limited audit was to analyze DHSMV reports of employee queries with the
objective to determine if DAVID information was obtained for legitimate business purposes. The
scope was set by the MOU Sections IV B and V. On a sample basis we tested user access
during the audit period to verify the following:
• All users accessing the database are authorized and acknowledged confidentiality
  requirements.
• User access permissions were updated timely, as needed.
• Inquiry dates and times were within normal Clerk business hours.
• Inquiries were related to proper business functions.
• Inquiries were not performed on relatives, celebrities or political figures.
• Repeated searches, if any, were appropriate.
• There were no instances of accessing Emergency Contact Information.
The audit period was the year ending March 31, 2016; however, transactions and processes
reviewed were not limited by the audit period. Our limited-scope audit was conducted in
accordance with Principles and Standards for Offices of Inspector General.
Our testing found that the use of DAVID information was for legitimate Clerk business purposes
during the audit period. We have recommendations to improve controls over access to the
DAVID database.
FINDINGS AND RECOMMENDATIONS
FINDING #1
There are no written internal policies and procedures for the DAVID system.
All users must complete the DAVID System Informational Training and Exam annually in order
to access the database. In addition, all new users are required to sign the Clerk's Confidentiality
and Criminal Sanctions Acknowledgements prior to accessing the database. However, the
Clerk's office has no internal written policies and procedures governing administration over
DAVID to promote consistency in training and usage, and to facilitate audit of user activity.
Lack of formalized procedures introduces risk into administration of the DAVID system and
compliance with the MOU. Potential effects are inconsistent policies and practices between
departments and locations, inconsistent training and reporting of incidents, and control failures.
For example, during our audit we noted variations in the use of the Purpose Code field that the
user must enter to specify the reason for their query. The standard purpose codes alone may
not provide enough information to determine the reason for the query. While some users simply
select one of the standard purpose codes, other users customize their selection to include a
case or citation number related to the query. During our testing, we were unable to determine
the case related to one query because specific case information was not provided. In other
instances, particularly when there was no case activity on or around the date of the query, we
were unable to determine the exact purpose for the query.
RECOMMENDATION
We recommend management prepare an SOP to formalize internal policies and procedures
addressing DAVID administration, including reporting security breaches to the DHSMV. Internal
policies related to purpose codes could be developed to facilitate audit of user activity.
MANAGEMENT RESPONSE
Please see the complete management response at the end of this report.
We agree to develop written procedures for this application, which will include but is not limited
to defining who is responsible for training, how users are established and removed, disciplinary
action when violations occur and how to select the proper purpose codes while providing
additional information for future reference as to the reason the search occurred.
FINDING #2
One employee transferred to a different department that does not require use of the
DAVID system. DAVID access was not removed timely for the user.
We noted one user had no DAVID activity for the three months ending March 31, 2016. This
employee transferred departments on December 28, 2015, but retained access to DAVID. She
served as a back-up to the single other active DAVID user in the department while the manager
was on a temporary leave. When the manager returned, the transferred employee no longer
required access to DAVID but access was not inactivated. On April 14, 2016, the Business
Analyst noted the user still had access to DAVID and inquired of the employee's new manager,
who indicated the employee would not need DAVID for her job duties. Access was only then
inactivated. There was no inappropriate or non-business use of DAVID by the employee;
however, this is an exception to the requirement that DAVID access be removed within 5
business days from employee reassignment.
It is the responsibility of the manager of the department an employee is leaving to initiate
inactivation of access to DAVID. Unusual circumstances led to the untimely removal of access
for the above user. Lack of written policies and procedures may have contributed to the error.
RECOMMENDATION
We recommend management implement procedures to ensure user access is updated upon a
user's change in job duties or transfer of departments. User access should be limited to only
employees that require use of the database for their job duties.
MANAGEMENT RESPONSE
Please see the complete management response at the end of this report.
We agree this occurred during an extended leave as shared in the report. While the Clerk's
Office does already have a fairly new system in place with the Clerk Help Desk to request and
remove access for users to all applications our employees use, known as the UAF process, we
will include a reference of this process in the SOP being created for Finding #1 to insure DAVID
procedures are fully defined.
OTHER OBSERVATIONS
Listed below are items we observed during the audit that were outside the scope of our audit,
but that we consider worthy of being brought to the attention of management.
USERS WITH LITTLE OR NO QUERY ACTIVITY
During our audit, we noted two of the eleven users selected for testing had no DAVID activity for
a period of at least six months. Upon discussion with the employees and management, it was
determined they no longer required use of the system and access was inactivated. We also
noted one user with no DAVID query activity for the three months ending March 31, 2016.
Management determined that the employee should retain access to the system, but access was
inactivated for two other users in the department. We recommend that the Business Analysts
continue to advise managers to periodically review their department’s need for access to DAVID
and to immediately notify the BAs if changes should be made.
MANAGEMENT RESPONSE
Please see the complete management response at the end of this report.
We agree several users do not use DAVID frequently. Due to the nature of our customer service
offices and the unknown demands based on day to day operations, we will caution department
managers against reducing their users to the point it causes a hardship to their coverage needs
during busy times or office staff shortages due to illness or planned vacations.
Stacy M. Butterfield
Drawer CC-1
Post Office Box 9000
Bartow, FL 33831-9000
Clerk of the Circuit Court & County Comptroller
Polk County, Florida
(863) 534-4544 Phone
(863) 534-4584 Fax
www.polkcountyclerk.net
July 20, 2016
RE: INSPECTOR GENERAL AUDIT REPORT
AUDIT# 2016-03 DHSMV Database Access Controls
Lita McHugh, CPA, CIG
Inspector General
Stacy M. Butterfield, CPA, Clerk of Courts and Comptroller
Dear Ms. McHugh:
Thank you for taking the time to complete the Annual Audit of DHSMV DAVID Access Controls, known as
Audit #2016-03 for our organization. We are in receipt of the results of the audit, which focuses on
internal controls over access to the Driver and Vehicle Information Database (DAVID) of the Department
of Highway Safety and Motor Vehicles (DHSMV).
We finalized our review of the results, findings, and observations, along with a brief analysis of the
recommendations. Please find our responses listed below:
Finding #1 - There are no written internal policies and procedures for the DAVID System.
We agree to develop written procedures for this application, which will include but is not limited to
defining who is responsible for training, how users are established and removed, disciplinary action
when violations occur and how to select the proper purpose codes while providing additional
information for future reference as to the reason the search occurred.
Finding #2 - One employee transferred to a different department that does not require use of the DAVID
system. DAVID access was not removed timely for the user.
We agree this occurred during an extended leave as shared in the report. While the Clerk's Office does
already have a fairly new system in place with the Clerk Help Desk to request and remove access for
users to all applications our employees use, known as the UAF process, we will include a reference of
this process in the SOP being created for Finding #1 to insure DAVID procedures are fully defined.
The Mission of the Office of Clerk of the Circuit Court is to function as a team dedicated to our customers by
preparing and maintaining accurate records, furnishing assistance in an understanding and compassionate manner, and
providing services with competence, professionalism, and courtesy in compliance with laws, rules and regulations.
Other Observations - Users with little or no query activity.
We agree several users do not use DAVID frequently. Due to the nature of our customer service offices
and the unknown demands based on day to day operations, we will caution department managers
against reducing their users to the point it causes a hardship to their coverage needs during busy times
or office staff shortages due to illness or planned vacations.
Thank you for your services and recommendations.
Kimberly R. Stenger, Director
Civil Division
Stacy M. Butterfield, CPA, Clerk of Courts and Comptroller
cc:
Stacy M. Butterfield, CPA, Polk County Clerk of Courts and Comptroller
H. Lyle Bulman, Director, Criminal Division