Audit of the Government, Government-guaranteed and Municipal Debt Management Information Systems in the Ministry of Finance of the Republic of Bulgaria
The main audit question was: Are the government, government-guaranteed (SDMS) and municipal debt management information systems (CMDR) at the Ministry of Finance effective? The audit covered the period from 01.01.2013 to 31.12.2013 and investigated four major areas: IT system strategy and general management; IT security and controls against disasters; Operational controls and Documentation; Application Controls.
- The segregation of duties among the personnel in charge of the SDMS application is unclear.
- Three employees have been appointed by the MF as system administrators for SDMS. They are also authorized to perform functions related to business processes and user profile management.
- Password complexity enforcement depended on the CHECK_POLICY flag set for a login at the moment of its creation. The problem was identified during the check of logical controls: a password that does not meet the complexity requirements was found because the relevant login had CHECK_POLICY = OFF at the moment of its creation.
- The Municipal Debt register system allows more than one user to be registered in the system simultaneously with the same user name from two different computers.
- The systems allowed application access passwords to be changed to very easy ones, which does not comply with the MF’s policy.
- The software does not provide a function for terminating the user’s session after the internet browser is closed and then re-opened, and it allows more than one user to be registered in the system with the same user name and password.
- For the technical assistance and out-of-warranty maintenance provided for the operation of the government, government-guaranteed and municipal debt information systems, no information is maintained on the criticality levels, the reaction time, or the exact date and time a problem was eliminated.
- In 2013 the conditions for a complete audit trail of the changes and/or corrections made in the SDMS and CMDR information systems were not in place.
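
The CHECK_POLICY finding above can be re-tested directly on the database server. The following T-SQL is an added example, not part of the audit report; it assumes the logins are held in Microsoft SQL Server (the summary does not name the database product), where CHECK_POLICY is an option of CREATE LOGIN and ALTER LOGIN.

```sql
-- Added example. Assumption: the application logins are SQL-authenticated
-- logins on Microsoft SQL Server. Run with a role that can read
-- sys.sql_logins.password_hash (for example sysadmin).

-- 1. List enabled logins for which the password policy is not enforced.
SELECT
    sl.name                                   AS login_name,
    sl.create_date,
    sl.modify_date,
    sl.is_policy_checked,                     -- 0 = CHECK_POLICY = OFF
    sl.is_expiration_checked,                 -- 0 = CHECK_EXPIRATION = OFF
    LOGINPROPERTY(sl.name, 'PasswordLastSetTime') AS password_last_set,
    -- Two trivial-password checks a reviewer can run without knowing
    -- any password: blank, or identical to the login name.
    CASE WHEN PWDCOMPARE(N'', sl.password_hash) = 1
         THEN 1 ELSE 0 END                    AS password_is_blank,
    CASE WHEN PWDCOMPARE(sl.name, sl.password_hash) = 1
         THEN 1 ELSE 0 END                    AS password_equals_login
FROM sys.sql_logins AS sl
WHERE sl.is_disabled = 0
  AND sl.is_policy_checked = 0
ORDER BY sl.name;

-- 2. Generate (not execute) the statements that switch the policy on,
--    so they can be reviewed and applied under change control.
SELECT N'ALTER LOGIN ' + QUOTENAME(sl.name)
     + N' WITH CHECK_POLICY = ON;'            AS remediation_statement
FROM sys.sql_logins AS sl
WHERE sl.is_disabled = 0
  AND sl.is_policy_checked = 0;

-- 3. Switching CHECK_POLICY to ON does not re-evaluate the password that
--    is already stored; complexity is checked only when a password is set.
--    Each affected login therefore also needs a password reset, e.g.
--    (login name and temporary password are placeholders):
--
--    ALTER LOGIN [placeholder_login]
--        WITH PASSWORD = N'<temporary password>' MUST_CHANGE,
--             CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
```

An empty result from the first query means every enabled SQL login is currently subject to the policy; it does not show that passwords set while the flag was OFF have since been changed, which is what `password_last_set` compared with `modify_date` helps establish.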