Finding Text
Criteria
SMAs must establish and maintain a program for conducting periodic risk analyses to ensure appropriate and cost effective safeguards are incorporated into new and existing systems. State agencies must perform risk analyses whenever significant system changes occur. SMAs shall review ADP system security installations involved in the administration of HHS programs on a biennial basis. At a minimum, the reviews shall include an evaluation of physical and data security operating procedures, and personnel practices. The SMA shall maintain reports on its biennial ADP system security reviews, together with pertinent supporting documentation, for HHS on-site reviews (45 CFR section 95.621).
Condition
The security plan for the ADP (Automatic Data Processing) system, including policies and procedures to address contingency plans in the event of unforeseen interruptions, has not been implemented and tested.
Cause
This situation was primarily caused by the lack of effective internal control over ADP Risk Analysis and System Security Review.
Effect
Critical business functions may not be resumed on time if an emergency or disaster leaves the ADP system resources unable to meet critical processing needs during a short- or long-term interruption of service.
Questioned Costs
None
Perspective information
N/A
Prior Year Audit Finding
2021-001
Recommendation
The Data Collection Form and Single Audit package shall be submitted within the required due dates.
Management’s Response:
Refer to Grantee’s Corrective Action Plan