Finding Text
Criteria
SMAs must establish and maintain a program for conducting periodic risk analyses to ensure appropriate and
cost-effective safeguards are incorporated into new and existing systems. State agencies must perform risk analyses
whenever significant system changes occur. SMAs shall review ADP system security installations involved in the
administration of HHS programs on a biennial basis. At a minimum, the reviews shall include an evaluation of
physical and data security operating procedures, and personnel practices. The SMA shall maintain reports on its
biennial ADP system security reviews, together with pertinent supporting documentation, for HHS on-site reviews
(45 CFR section 95.621).
Condition
The security plan for the ADP (Automatic Data Processing) system, including policies and procedures to address
contingency plans in the event of unforeseen interruptions, has not been implemented and tested.
Cause
This situation was primarily caused by the lack of effective internal control over ADP Risk Analysis and System
Security Review.
Effect
Critical business functions may not be resumed on time if an emergency or disaster leaves the ADP system
resources unable to meet critical processing needs during a short- or long-term interruption of
service.
Questioned Costs
None
Perspective Information
N/A
Prior Year Audit Finding
2022-001
Recommendation
The Administration should establish and maintain a program for conducting periodic risk analysis to ensure
appropriate, cost-effective safeguards are incorporated into new and existing systems.
Management’s Response
Refer to Grantee’s Corrective Action Plan