Audit Report

Maryland State Department of Education

February 2013

OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND GENERAL ASSEMBLY

This report and any related follow-up correspondence are available to the public through the Office of Legislative Audits at 301 West Preston Street, Room 1202, Baltimore, Maryland 21201. The Office may be contacted by telephone at 410-946-5900, 301-970-5900, or 1-877486-9964. Electronic copies of our audit reports can be viewed or downloaded from our website at http://www.ola.state.md.us. Alternate formats may be requested through the Maryland Relay Service at 1-800-735-2258. The Department of Legislative Services Office of the Executive Director, 90 State Circle, Annapolis, Maryland 21401 can also assist you in obtaining copies of our reports and related correspondence. The Department may be contacted by telephone at 410-946-5400 or 301970-5400.

Table of Contents Executive Summary Background Information

Agency Responsibilities Organizational Change Unsubstantiated Accrued Revenues Status of Findings From Preceding Audit Report 5 7 7 7 7 8 9

Findings and Recommendations

* Child Care Programs Finding 1 MSDE Did Not Conduct Inspections of Child Care Facilities as Required Finding 2 MSDE Did Not Adequately Follow Up On Criminal Background Check Alerts Finding 3 MSDE Did Not Perform Timely Monitoring to Ensure the Propriety of Eligibility Determinations and Related Payments for the Child Care Subsidy Program Information Systems and Controls Finding 4 Controls Over Securing Critical Firewalls and Monitoring Network Traffic Were Not Adequate Finding 5 Security Events for Critical Databases Were Not Properly Monitored Finding 6 MSDE Lacked Assurance That the Outsourced Child Care Administration Tracking System Infrastructure Was Properly Secured and Operational Risks Were Addressed Finding 7 Information Technology Disaster Recovery Plans Were Not Comprehensive Cash Receipts Finding 8 Collections Received at MSDE Headquarters Were Not Adequately Controlled

9 10 12

13 14 15

17

17

Audit Scope, Objectives, and Methodology Agency Response

19 Appendix

Denotes item repeated in full or part from preceding audit report 3

Executive Summary
Legislative Audit Report on Maryland State Department of Education (MSDE) February 2013 MSDE did not conduct inspections of child care facilities as required. State regulations require MSDE to conduct at least one unannounced inspection of each facility during each 12-month period. Our test of 60 child care facilities disclosed that 23 facilities were missing at least one required inspection during the period from July 2008 to June 2011 and/or were not inspected timely; there were a total of 31 missing inspections. MSDE should conduct inspections of child care facilities as required and use available Child Care Administration Tracking System (CCATS) inspection reports to help ensure all inspections are performed in a timely manner. MSDE did not adequately follow up on criminal background check alerts. MSDE did not ensure, as part of its annual inspections of child care facilities, that all associated individuals were properly recorded in CCATS for criminal background check alert monitoring purposes. Our review of the follow-up performed for 25 alerts received during June 2011 at five regional child care offices disclosed that follow up was inadequate or not properly documented for 12 alerts. MSDE should ensure that all individuals associated with child care facilities are properly recorded in CCATS, and should establish procedures to ensure regional child care offices are performing adequate documented follow-up of criminal background check alerts. A number of security and control deficiencies were noted with regard to MSDEs information systems. For example, controls over securing critical firewalls and monitoring computer network traffic were inadequate, security event monitoring for critical child care and educator information system databases was inadequate, and disaster recovery plans were not comprehensive. MSDE should take the recommended actions to improve information systems controls and security. Deficiencies were noted with respect to monitoring child care subsidies and controlling cash receipts. MSDE should take the recommended actions to improve controls in these areas. 5

Background Information
Agency Responsibilities
The Maryland State Department of Education (MSDE), as the staff agency of the State Board of Education, supports the development and operation of educational and library programs throughout the State. MSDE is responsible for setting statewide goals for school performance, monitoring school achievement, distributing financial aid, and providing technical assistance to local school and library systems. MSDE also operates educational programs in the States juvenile facilities and provides services to people with disabilities. Finally, MSDE oversees child care programs and family support centers in the State. According to the States records, during fiscal year 2012, MSDEs operating expenditures totaled approximately $6.9 billion, of which $4.6 billion related to formula-based grants awarded to local education agencies.

Organizational Change
Chapter 134, Laws of Maryland 2008, effective July 1, 2008, transferred the responsibility for Adult Education and Literacy Services, and Education Programs for Correctional Facilities from MSDE to the Department of Labor, Licensing and Regulation (DLLR). This law also transferred the special fund used for the operation of educational programs in correctional institutions, as well as related federal appropriations, from MSDE to DLLR. The activities of these programs subsequent to July 1, 2008 were included in the scope of our audit of DLLR Office of the Secretary.

Unsubstantiated Accrued Revenues

During the fiscal year 2011 budgetary closeout, MSDE recorded unsubstantiated accrued revenues of approximately $12.9 million and reported this amount as an unfunded liability to the Comptroller of Maryland General Accounting Division. These unsubstantiated revenues related to federal fund expenditures incurred during fiscal years 2002 and 2003 for the Temporary Assistance to Needy Families (TANF) grant which MSDE failed to recover. This issue has been commented upon in our two preceding MSDE audit reports and our five preceding annual budget closeout reports. The Department of Human Resources, which processes the federal fund recoveries, advised that the TANF federal fund grants for those years have been fully expended and are no longer available to reimburse the MSDE expenditures. As a result, general fund appropriations in subsequent years (or deficiency 7

appropriations) are needed to eliminate the resulting deficit. MSDE submitted a request during the 2012 legislative session, and in several preceding years, for a deficiency appropriation to eliminate this deficit, but without success. MSDE has again requested funds to cover this deficit for consideration during the current (2013) legislative session.

Status of Findings From Preceding Audit Report

Our audit included a review to determine the status of the 16 findings contained in our preceding audit report dated August 27, 2009. We determined that the Department satisfactorily resolved 13 findings; the remaining 3 findings are repeated in this report.

Findings and Recommendations

Child Care Programs
Background The Maryland State Department of Education (MSDE) is responsible for child care programs in the State, including licensing facilities, monitoring facility compliance with regulations (for example, ensuring that health and safety standards are met), and taking enforcement actions related to child care facilities. MSDE oversees child care facilities through its 13 regional child care offices across the state. According to MSDE records, as of June 2012, there were 7,656 family child care homes and 2,720 child care centers licensed by MSDE. These child care homes and centers are licensed to serve approximately 219,000 children. MSDE also oversees the States Child Care Subsidy Program, which provides financial assistance to eligible families to meet their child care needs. This program is administered by the 24 local departments of social services (LDSS). According to MSDEs records, during fiscal year 2012, Child Care Subsidy expenditures totaled approximately $86.4 million ($43.9 million in general funds and $42.5 million in federal funds). Finding 1 Inspections of child care facilities were not conducted as required. Analysis MSDE did not conduct inspections of child care facilities as required. The primary purpose of the inspections is to ensure that child care facilities protect the general health and safety of children under their care. State regulations require MSDE to conduct at least one unannounced inspection of each child care facility during each 12-month period. Items inspected include capacity, supervision, cleanliness, and safety. However, our test of inspections performed of 60 child care facilities during the period from July 2008 to June 2011 disclosed that 23 facilities were missing at least one required inspection (31 missing inspections in total) and/or were not inspected timely as detailed in the following table. According to State regulations, these 60 facilities were required to have 180 unannounced inspections during this three-year period.

Test Results Inspections of Child Care Facilities

Regional Office Baltimore City Baltimore Howard/Carroll Montgomery Prince Georges Wicomico Total Facilities Tested 10 10 10 10 10 10 60 Facilities with Missing or Late Inspections 9 4 2 0 8 0 23 Missing or Late Inspections Missing 12 3 2 0 14 0 31 Late 5 1 0 0 0 0 6 Total 17 4 2 0 14 0 37

Furthermore, monthly monitoring reports of inspection activity on MSDEs Child Care Administration Tracking System (CCATS) were not always used by licensing supervisors at regional child care offices to help ensure inspections were performed in a timely manner. A similar condition was noted in our preceding audit report. Recommendation 1 We recommend that MSDE a. conduct inspections of child care facilities as required (repeat), and b. use the available CCATS inspection reports to help ensure all inspections are performed in a timely manner (repeat).

Finding 2 MSDE did not adequately follow up on criminal background check alerts that identified criminal activity by individuals associated with a child care facility. Analysis MSDE did not adequately follow up on criminal background check alerts relating to individuals associated with child care facilities. According to State law, all individuals must obtain a criminal background check prior to working or having contact with children at a child care facility. MSDEs headquarters and its regional child care offices are notified of the initial results of the background checks and receive ongoing alerts from the Department of Public Safety and Correctional Services if these individuals have any subsequent criminal activity in Maryland so that appropriate action can be taken (such as removal from the facility). Based on the initial background checks, these individuals are monitored through the Criminal Justice Information System. According to MSDEs records, 10

approximately 5,000 alerts were received during fiscal year 2011. Our review of MSDEs procedures for following up on these alerts disclosed the following conditions: MSDE did not perform procedures as part of its annual inspections to ensure that all individuals associated with child care facilities had obtained the required criminal background checks and were properly recorded in CCATS to allow for adequate follow-up of subsequent criminal activity. MSDE did not always follow up on criminal background check alerts to ensure that individuals were no longer associated with the facilities. Our review of MSDEs efforts to follow up on 25 alerts received during June 2011 at five regional child care offices disclosed that follow-up actions were inadequate or were not properly documented for 12 alerts. Specifically, we were advised that no action was taken on 5 alerts from June 2011 related to one office until we brought these alerts to MSDEs attention in February 2012. For 4 other alerts the documentation did not indicate the timeliness of the follow-up action. Finally, for 3 of the alerts tested, the local offices were unable to follow up on the alerts because there were no records of the individuals in CCATS, and MSDE was unable to determine if the individuals were currently working or had contact with children at a child care facility. MSDE had not established procedures to independently confirm (such as through on-site verifications) that appropriate action was taken by child care facilities in response to criminal background check alerts. Rather, the regional child care offices relied on verbal confirmations with the child care facilities that the individuals on the alerts were no longer employed or associated with the facilities.

Recommendation 2 We recommend that MSDE a. ensure, as part of its annual inspections, that all individuals associated with child care facilities have obtained the required criminal background checks and are properly recorded in CCATS; b. ensure regional child care offices are performing adequate documented follow-up of criminal background check alerts, including those noted above; and c. establish confirmation procedures to verify actions of the regional child care offices.

11

Finding 3 MSDE did not perform timely monitoring of local departments of social services to ensure the propriety of eligibility determinations and the related payments for the Child Care Subsidy Program. Analysis MSDE did not conduct timely monitoring of local departments of social services (LDSSs) to ensure the propriety of child care subsidy eligibility determinations and related payments. These periodic reviews are performed by MSDE to verify, on a test basis, the propriety of the determination of recipients eligibility and subsidy payment amounts. Identified error rates that exceed MSDE standards require the LDSSs to submit corrective action plans. Specifically, our test of the most recent MSDE reviews for the 24 LDSSs disclosed that, for 6 LDSSs, MSDE did not conduct the reviews within the 18month period required by MSDE policy. For these 6 LDSSs the reviews were delayed by 3 to 18 months. For example, the review for one LDSS, which according to MSDE records accounted for $16.2 million (or 15.5 percent) of the fiscal year 2011 child care subsidy expenditures, was initiated in August 2010, which was three years after the preceding review was completed. The preceding review disclosed that one-third of the case records tested did not contain sufficient documentation of the family income, which was the basis for the subsidy and copayment level. The failure to conduct timely reviews is significant because the preceding reviews of all 6 of these LDSSs identified error rates that exceeded MSDE standards and required the LDSSs to submit corrective action plans. A similar condition was noted in our preceding MSDE audit report as well as in our March 7, 2005 audit report of the Department of Human Resources Child Care Administration. Recommendation 3 We recommend that MSDE conduct timely monitoring of LDSSs in accordance with its policy to help ensure the propriety of child care subsidy eligibility determinations and the related payments (repeat).

Information Systems and Controls

Background MSDE information technology (IT) operations are decentralized over several sites including the MSDE headquarters. Each sites IT operations function as a separate entity, with its own applications, network components, and detailed disaster recovery plan. However, most of the network administration is performed by the Office of Information Technology (OIT), which is located at 12

MSDE headquarters. OIT operates and maintains a wide area network spread throughout the various MSDE offices, which provides connectivity and Internet access to connected sites. OIT also maintains the email system, the MSDE website, and key applications. In conducting our audit, we selected the MSDE headquarters for our general controls, security, and network reviews, and focused our review on certain systems including the Child Care Administration Tracking System (CCATS) and the Educator Information System (EIS) that maintains educator accreditation and certification information. Finding 4 Controls over securing critical firewalls and monitoring network traffic were not adequate. Analysis Controls over securing critical firewalls and monitoring network traffic were not adequate. Specifically, we noted the following conditions: Several critical firewalls were not configured to send email alerts to administrators concerning firewall problems and possible attacks on the firewalls. In addition, MSDE did not review successful and failed firewall logon attempts. The Department of Information Technologys (DoIT) Information Security Policy specifies that agencies shall receive and review information system security alerts on a regular basis. Virtually all computers on the MSDE internal network had unnecessary network level access to the CCATS firewall. In addition, the vendor that provided hosting services for CCATS also had unnecessary network level access to the CCATS firewall. As a result of these conditions, these parties could attempt to obtain administrative access to the firewall and compromise its integrity. DoITs Information Security Policy states that agencies must restrict information system input to authorized personnel. A copy of the Internet firewalls configuration was not stored at an offsite location. According to the State of Maryland Information Technology (IT) Disaster Recovery Guidelines, backup media should be stored off site in a secure, environmentally controlled location. In the event of a disaster affecting MSDE, the configuration of this network device could be lost, thus resulting in significant delays (of an undetermined period) in restoring the devices beyond the expected delays that would exist if secure backups were readily available.

13

Network traffic from an untrusted source to certain critical network segments was not subject to Intrusion Detection Prevention System (IDPS) monitoring. In addition, the IDPS device was not configured to notify (via email) administrators of occurrences of high severity level events detected by the device. The DoIT Information Security Policy requires that IDPS be employed to monitor system events, detect attacks, and identify unauthorized use of information systems.

Recommendation 4 We recommend that MSDE comply with the aforementioned provisions of the DoIT Information Security Policy and the State of Maryland Information Technology (IT) Disaster Recovery Guidelines. Specifically, we recommend that MSDE a. configure its firewalls to send email alerts to the firewall administrators concerning firewall problems and possible attacks, and review all significant firewall events; b. restrict network level access to the CCATS firewall to only those parties requiring such access; c. store backup copies of the configurations for the Internet firewall at an off-site, secure, environmentally controlled location; and d. properly configure its network to provide IDPS coverage for all critical network segments relative to network traffic, and configure its IDS device to send email alerts to network administrators for significant IDS messages.

Finding 5 Security events for critical databases were not properly monitored. Analysis Security events for the CCATS and the EIS databases were not properly monitored. Specifically, we noted the following conditions: The audit capability for the CCATS database was not enabled. Accordingly, reports of critical security events such as changes to audit settings, changes to security configuration parameters, granting and revoking database access, and creating deleting or modifying critical database objects (such as tables) were not generated for subsequent review by management. For the EIS database, MSDE did not log certain security events (such as changes to security configuration parameters, granting and revoking database access) and audit events (add audit, modify audit, stop audit). In addition,

14

although the EIS database was set to log failed login attempts, MSDE personnel advised that no review was performed of the failed login attempts. Accordingly, significant database security violations could go undetected, permitting unauthorized or inappropriate activities to adversely affect the integrity of the related production data files. The DoIT Information Security Policy requires that information systems must generate audit records for all security-relevant events, including all security and system administrator accesses and that procedures must be developed to routinely (for example daily or weekly) review audit records for indications of unusual activities, suspicious activities or suspected violations, and report findings to appropriate officials for prompt resolution. Recommendation 5 We recommend that MSDE comply with the aforementioned DoIT Information Security Policy. Specifically, we recommend that MSDE a. log critical database security and audit events; b. generate reports of logged activity; and c. review these reports on a timely basis, document these reviews, and retain the documentation for subsequent verification.

Finding 6 MSDE lacked assurance that the outsourced CCATS infrastructure was properly secured and operational risks were addressed. Analysis MSDE lacked assurance that the CCATS infrastructure was properly secured and operational risks were addressed. MSDE has a contract with a vendor to host CCATS. The contract, effective January 2011, has a base two-year period with a renewal option through May 2014. The vendor (service organization) is responsible for maintaining all CCATS hardware and related operating systems and performing data backups. However, the contract did not require the vendor to periodically obtain an independent examination that addresses controls at the service organization that relate to operations and compliance. In May 2011, the American Institute of Certified Public Accountants issued guidance concerning examinations of service organization controls. Based on this guidance, customers, such as MSDE, may obtain from service organizations an independent auditors report referred to as a Service Organization Controls (SOC) 2 type 2 report. Such a report contains the service organizations description of its system and the results of the auditors examination of the suitability of the 15

system design and operating effectiveness of the controls for a specified period. SOC 2 reports specifically address one or more critical system attributes relating to security, availability of data, processing integrity, confidentiality of data, and privacy of data over the hosted environment. While not required under the contract, the vendor obtained a different examination of the hosted environment, known as a SOC 1 type 2 examination, for the period from January 1, 2011 to December 31, 2011 and the related report was dated February 16, 2012. However, as of the date of our testwork, March 20, 2012, MSDE had not obtained and reviewed a copy of this report because the vendor would not release the report to MSDE, citing confidentiality concerns with respect to its other customers. As a result, MSDE was not aware of any deficiencies in the vendors system design and the operating effectiveness of controls with respect to CCATS infrastructure. Furthermore, there are fundamental differences between a SOC 1 type 2 examination and a SOC 2 type 2 examination. Reports for both examinations include an opinion on the fairness of presentation of the service organizations system, suitability of design, and the operating effectiveness of the controls, and a description of the tests of the controls and results. However, a SOC 1 examination is relevant to internal controls over financial reporting of a user entity, whereas a SOC 2 report is relevant to entities who outsource tasks or functions to service organizations that operate, collect, process, transmit, store, organize, maintain, and dispose of information for user entities. Accordingly, a SOC 2 report is relevant to MSDE. The vendor allowed us to perform an on-site review of the aforementioned SOC 1 type 2 report and we noted that the report did not adequately address several significant security concerns. For example, the report did not address whether the vendors network was adequately protected by a firewall and if proper malware protections existed for critical network devices. Recommendation 6 We recommend that MSDE a. attempt to amend the aforementioned contract as soon as possible to require that the vendor annually obtain a SOC 2 type 2 examination for the hosted environment, and that the vendor provide a copy of the related reports to MSDE; b. ensure that future contracts contain these provisions; and c. review the SOC 2 type 2 reports to ensure that all critical security-related provisions were adequately addressed by the examinations.

16

Finding 7 Information technology disaster recovery plans were not comprehensive. Analysis MSDE did not have adequate information technology disaster recovery plans for recovering from disaster scenarios (for example, a fire). Our review of the disaster recovery plans found deficiencies for multiple locations, including the Division of Rehabilitation Services, which operates a case management application that is used to make disbursements associated with the rehabilitation of people with disabilities. For example, MSDEs plan for the Division of Rehabilitation Services did not adequately address certain requirements of the Department of Budget and Managements IT Disaster Recovery Guidelines. Specifically, this plan did not adequately address restoration of network connectivity, specific alternate site processing, and provisions for testing. Without complete disaster recovery plans, a disaster could cause significant delays, for an undetermined period, in restoring operations beyond the expected delays that would exist in a planned recovery scenario. A similar condition was commented upon in our prior audit report. Recommendation 7 We recommend that MSDE develop and implement comprehensive information systems disaster recovery plans in accordance with the aforementioned IT Disaster Recovery Guidelines (repeat).

Cash Receipts
Finding 8 MSDE did not adequately control collections received at MSDEs headquarters. Analysis MSDE did not adequately control collections received at its headquarters. Collections during fiscal year 2012 totaled approximately $81 million of which $19.1 million were grant-related collections (such as grant funds returned from Local Education Agencies) received by various units at MSDE headquarters and processed by the business office. Specifically, our review of procedures and controls disclosed the following conditions: Certain collections received at the MSDE business office for processing were not recorded immediately upon receipt. Specifically, grant reimbursements were handled by at least two employees prior to being recorded. 17

MSDE did not account for prenumbered receipt forms as to issued, voided, or on hand. The various MSDE units used these prenumbered forms to record collections received and submitted the forms and the related collections to MSDEs business office for processing and deposit. Although MSDEs business office maintained a record of the forms purchased and the forms distributed to the units, there was no process to periodically account for the forms. Three employees had access to collections at the business office and could also update the related accounts receivable records. As a result there is a lack of assurance that all payments posted to the receivable records were properly deposited. MSDEs accounts receivable balance as of June 30, 2012 totaled approximately $2.4 million.

Recommendation 8 We recommend that MSDE ensure that a. collections are recorded immediately upon receipt; b. prenumbered receipt forms are periodically accounted for as to issued, voided, or on hand; and c. employees who maintain the accounts receivable records do not have access to the related collections. We advised MSDE on accomplishing the related separation of duties using existing personnel.

18

Audit Scope, Objectives, and Methodology

We have audited the Maryland State Department of Education (MSDE) for the period beginning July 1, 2008 and ending June 30, 2011. The audit was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. As prescribed by State Government Article, Section 2-1221 of the Annotated Code of Maryland, the objectives of this audit were to examine the MSDEs financial transactions, records and internal control, and to evaluate compliance with applicable State laws, rules, and regulations. We also determined the status of the findings contained in our preceding audit report. In planning and conducting our audit, we focused on the major financial-related areas of operations based on assessments of materiality and risk. The areas addressed by the audit included the child care program, student transportation services, payroll, cash receipts, procurements and disbursements, grants, students with disabilities program, and budgetary closeout transactions. Our audit procedures included inquiries of appropriate personnel, inspections of documents and records, and observations of MSDEs operations. We also tested transactions and performed other auditing procedures that we considered necessary to achieve our objectives. Data provided in this report for background or informational purposes were deemed reasonable, but were not independently verified. Our audit did not include an evaluation of internal controls for federal financial assistance programs and an assessment of MSDEs compliance with federal laws and regulations pertaining to those programs because the State of Maryland engages an independent accounting firm to annually audit such programs administered by State agencies, including MSDE. MSDEs managements are responsible for establishing and maintaining effective internal control. Internal control is a process designed to provide reasonable assurance that objectives pertaining to the reliability of financial records, effectiveness and efficiency of operations including safeguarding of assets, and compliance with applicable laws, rules, and regulations are achieved.

19

Because of inherent limitations in internal control, errors or fraud may nevertheless occur and not be detected. Also, projections of any evaluation of internal control to future periods are subject to the risk that conditions may change or compliance with policies and procedures may deteriorate. Our reports are designed to assist the Maryland General Assembly in exercising its legislative oversight function and to provide constructive recommendations for improving State operations. As a result, our reports generally do not address activities we reviewed that are functioning properly. This report includes conditions that we consider to be significant deficiencies in the design or operation of internal control that could adversely affect MSDEs ability to maintain reliable financial records, operate effectively and efficiently, and/or comply with applicable laws, rules, and regulations. This report also includes findings regarding significant instances of noncompliance with applicable laws, rules, or regulations. Other less significant findings were communicated to MSDE that did not warrant inclusion in this report. MSDEs response to our findings and recommendations is included as an appendix to this report. As prescribed in the State Government Article, Section 21224 of the Annotated Code of Maryland, we will advise the MSDE regarding the results of our review of its response.

20

Maryland State Department of Education Response to Legislative Audit Report For the Period of: 07/01/08 06/30/11

Finding 1 Inspections of child care facilities were not conducted as required. Recommendation 1 We recommend that MSDE a. conduct inspections of child care facilities as required (repeat), and b. use the available CCATS inspection reports to help ensure all inspections are performed in a timely manner (repeat).

MSDE Response: MSDE agrees with the finding. Regarding Recommendation 1a: MSDE agrees that inspections of child care facilities need to be performed on a timely basis. In this regard, MSDE has strengthened its controls and procedures associated with performing these inspections. The strengthened controls and procedures, as described in the response to Recommendation 1b., will ensure that inspections of child care facilities are conducted as required. Regarding Recommendation 1b: MSDE has strengthened controls and procedures associated with performing inspections of child care facilities in accordance with COMAR requirements. Specifically, the Licensing Branch Chief to the Regional Child Care Offices issued guidance for Monitoring Staff Work Activity that became effective on April 27, 2011. This procedure requires Licensing Specialists to use CCATS Report #53 on a monthly basis in determining the timeliness of their inspections and projected inspections. This report is generated to determine, 30 days in advance of the anniversary date, the facilities in need of an inspection. The specialist uses the report to schedule inspection visits, thereby ensuring that all facilities are inspected within the specified timeframe required by regulation. This report is also used as a supervisory management tool by the Office of Child Care Licensing Supervisors and Regional Child Care Office Managers to monitor the timeliness of their Licensing Specialists inspections. In addition, the Licensing Branch Chief reviews the CCATS Report #53 at the beginning of each month to identify any facilities that have not been entered into CCATS as being inspected. Emails are issued to Regional Child Care Office Managers and Licensing Specialist Supervisors to followup with staff and obtain closure on any outstanding inspections. These procedures will provide assurance that inspections of child care facilities are conducted per regulatory requirement.

Finding 2 MSDE did not adequately follow up on criminal background check alerts that identified criminal activity by individuals associated with a child care facility. Recommendation 2 We recommend that MSDE a. ensure, as part of its annual inspections, that all individuals associated with child care facilities have obtained the required criminal background checks and are properly recorded in CCATS; b. ensure regional child care offices are performing adequate documented follow-up of criminal background check alerts, including those noted above; and c. establish confirmation procedures to verify actions of the regional child care offices.

MSDE Response: MSDE agrees with the Finding. Regarding Recommendation 2a: Revisions to the Division of Early Childhood Developments (ECD) Child Care Center Licensing Manual have been made which require that employment records be reviewed during annual inspections to determine that all child care center employees have received a criminal background check. Furthermore, the results of annual inspections, including the verification of employees working at child care centers, are required to be entered into the CCATS system within ten days of the inspection. Regarding Recommendation 2b: An electronic spreadsheet, The Regional Follow-up on CJIS Alerts Report, was created during 2005 to track the investigation of criminal background check alerts. As a result of this audit, modifications were made to the report during June 2012 requiring regional child care office personnel to enter additional documentation regarding alert follow-up. The report now records the date when follow-up was initiated, the results of the investigation and the date the investigation was concluded. Furthermore, the spreadsheet is required to be updated weekly by Licensing Staff for subsequent review by regional child care office and headquarters supervisors. The aforementioned requirements are documented in ECDs Guidance - Suitability for Employment Process. After analysis and research, MSDE has been able to satisfactorily close nine of the alerts where it was noted that follow-up actions were inadequate or were not 3

properly documented. Research efforts have been exhausted for the remaining three alerts and further investigation is not possible. Regarding Recommendation 2c: Prior to this audit, MSDEs unwritten policy required that a follow-up inspection be performed for an employee no longer employed at a child care facility, and staff was required to conduct a follow-up inspection (site visit) to determine whether the employee was terminated. As a result of this audit, MSDE developed a written policy and incorporated it into the Guidance - Suitability for Employment Process procedures. Effective October 24, 2012 the policy states, Upon receipt of an alert for an individual who is no longer employed at the respective child care facility and is not end dated in CCATS, the child care provider must submit to the Regional Office, the required Staff Member Change Form (OCC1203), a copy of the payroll register that indicates when the employee was last paid, and the payroll register for the following pay period to verify non employment. This corrective action requiring use of payroll records to verify non employment will provide objective assurance that these employees are no longer working at the child care facility.

Finding 3 MSDE did not perform timely monitoring of local departments of social services to ensure the propriety of eligibility determinations and the related payments for the Child Care Subsidy Program. Recommendation 3 We recommend that MSDE conduct timely monitoring of LDSSs in accordance with its policy to help ensure the propriety of child care subsidy eligibility determinations and the related payments (repeat).

MSDE Response: MSDE agrees with the finding. Regarding the Recommendation: MSDE agrees that the second level reviews of the Local Departments of Social Services (LDSSs) should be conducted in a timely manner. As of January 1, 2012, MSDEs policy is that all LDSSs, taken as a group, must be reviewed on a 24-month basis. We began a new review of the 24 counties in September of 2011 and are currently on time with the remaining counties allocated for the rest of the cycle.

Information Systems and Controls Background MSDE information technology (IT) operations are decentralized over several sites including the MSDE headquarters. Each sites IT operations function as a separate entity, with its own applications, network components, and detailed disaster recovery plan. However, most of the network administration is performed by the Office of Information Technology (OIT), which is located at MSDE headquarters. OIT operates and maintains a wide area network spread throughout the various MSDE offices, which provides connectivity and Internet access to connected sites. OIT also maintains the email system, the MSDE website, and key applications. In conducting our audit, we selected the MSDE headquarters for our general controls, security, and network reviews, and focused our review on certain systems including the Child Care Administration Tracking System (CCATS) and the Educator Information System (EIS) that maintains educator accreditation and certification information.

Finding 4 Controls over securing critical firewalls and monitoring network traffic were not adequate. Recommendation 4 We recommend that MSDE comply with the aforementioned provisions of the DoIT Information Security Policy and the State of Maryland Information Technology (IT) Disaster Recovery Guidelines. Specifically, we recommend that MSDE a. configure its firewalls to send email alerts to the firewall administrators concerning firewall problems and possible attacks, and review all significant firewall events; b. restrict network level access to the CCATS firewall to only those parties requiring such access; c. store backup copies of the configurations for the Internet firewall at an off-site, secure, environmentally controlled location; and d. properly configure its network to provide IDPS coverage for all critical network segments relative to network traffic, and configure its IDS device to send email alerts to network administrators for significant IDS messages.

MSDE Response: MSDE agrees with the finding. Regarding Recommendation 4a: MSDE agrees with the Recommendation. The cited firewalls in ISA#4 have been configured so that email alerts are sent to firewall administrators concerning firewall problems and possible attacks. The firewall administrators will maintain documentation regarding their review of the emails. Regarding Recommendation 4b: MSDE agrees with the Recommendation. The cited IP addresses mentioned in ISA#5 have been removed from the CCATS network segment firewall. Regarding Recommendation 4c: MSDE agrees with the Recommendation. As of April 12, 2012, MSDEs backup routines have included the configurations for its Internet firewall. Consequently, the configurations for the Internet firewall are stored at an off-site, secure and environmentally controlled location. Regarding Recommendation 4d: MSDE agrees with the Recommendation. During May 2012 the IDS appliance was replaced at which time the replacement appliance started to again send email alerts to network administrators for significant IDS messages. By April 30, 2013, the untrusted source cited in ISA#2 will no longer have access to certain critical elements of the internal network.

Finding 5 Security events for critical databases were not properly monitored. Recommendation 5 We recommend that MSDE comply with the aforementioned DoIT Information Security Policy. Specifically, we recommend that MSDE a. log critical database security and audit events; b. generate reports of logged activity; and c. review these reports on a timely basis, document these reviews, and retain the documentation for subsequent verification.

MSDE Response: MSDE partially agrees with the finding. Regarding Recommendation 5a. Regarding the CCATS system: MSDE agrees with the Recommendation and critical security events as defined in the Analysis Section are logged by the CCATS vendor. 6

Regarding the EIS system: MSDE agrees with the Recommendation. In this regard, critical security events as defined in the Analysis Section are electronically logged by the SQL 2005 database. Regarding Recommendation 5b. Regarding the CCATS system: MSDE agrees with the recommendation but disagrees as to the method to accomplish it. MSDE agrees that the DB2 audit facility has not been enabled. Preliminary research indicates that turning on the DB2 audit facility could result in negative operational effects on the CCATS system. MSDE has issued a work order to the hosting vendor for an analysis of the performance impact of running the DB2 audit facility and also to identify any additional costs. This study is underway and the results are scheduled to be provided to MSDE by the end of April 2013. Currently, the critical security events are documented by the vendor in a hard copy log which it manually maintains. Regarding the EIS system: MSDE disagrees with this recommendation. The EIS system is scheduled to be removed from service during the first half of 2014. Due to current SQL 2005 limitations hard copy reports of the logged activity cannot be generated and the Agency believes any efforts which could be made to obtain hard copy reports would not be cost-effective. In addition, electronic logs of the critical events are not available since the logged events are not stored on a permanent basis. Regarding Recommendation 5c. Regarding the CCATS system: MSDE agrees with the Recommendation and has established a manual process to review and document critical security events. As explained in its response to Recommendation 5b, MSDE does not agree that this process should be replaced by utilizing the DB2 audit facility process. The CCATS database has less than fifty users, which makes regular manual reviews feasible and cost effective. MSDEs vendor reviews the critical events as defined in the Analysis section. In addition, an overall user accounts review is conducted weekly as part of normal maintenance. DB2 type critical security events will continue to be reviewed and questionable items investigated on a weekly basis. This activity is documented by the vendor in a log which is manually maintained. The log is provided to MSDEs CCATS Project Manager on a weekly basis for review, and the documentation is maintained at MSDE supporting these reviews. This review process will be in effect through the termination date of the current contract which is May 31, 2014.

Regarding the EIS system: MSDE agrees with the Recommendation and weekly reviews of the electronically recorded critical security events will be made and documented until the system is removed from service.

Finding 6 MSDE lacked assurance that the outsourced CCATS infrastructure was properly secured and operational risks were addressed. Recommendation 6 We recommend that MSDE a. attempt to amend the aforementioned contract as soon as possible to require that the vendor annually obtain a SOC 2 type 2 examination for the hosted environment, and that the vendor provide a copy of the related reports to MSDE; b. ensure that future contracts contain these provisions; and c. review the SOC 2 type 2 reports to ensure that all critical security-related provisions were adequately addressed by the examinations.

MSDE Response: MSDE agrees with the finding. The SOC 2 Type 2 requirement will no longer be pertinent once the CCATS system is transitioned to in-house hosting at MSDE by May 2014. Regarding Recommendation 6a: MSDE contacted the vendor to determine whether CCATS system contract could be amended to require that a SOC 2 type 2 examination be performed. In October 2012, the vendor advised MSDE that the company had decided to no longer provide hosting services and was not amenable to a contract modification requirement for a SOC 2 type 2 examination under the current task order. Regarding Recommendation 6b: As stated in the Analysis section, a SOC 2 type 2 examination is relevant to entities who outsource tasks or functions to service organizations that operate, collect, process, transmit, store, organize, maintain, and dispose of information for user entities. The agency is reviewing the CCATS infrastructure as part of a long term planning process to provide for the future management of the system. In this regard, the agency has developed a plan to migrate the application to an agency hosted environment. The first phase, deployment of the development and testing environments, will be completed by June 30, 2013. Complete migration of the CCATs system is scheduled to be accomplished by May 31, 2014. 8

Regarding Recommendation 6c: See response to Recommendation 6b.

Finding 7 Information technology disaster recovery plans were not comprehensive. Recommendation 7 We recommend that MSDE develop and implement comprehensive information systems disaster recovery plans in accordance with the aforementioned IT Disaster Recovery Guidelines (repeat).

MSDE Response: MSDE agrees with the finding. Regarding the Headquarters Disaster Recovery Plan (DRP), MSDE has updated the hardware and software listings for critical systems. Also, procedures for documenting system outages have been incorporated into the DRP and computer room power outages that recently occurred have been documented. Revisions have been made to the Division of Rehabilitative Services (DORS) DRP. Specifically, on February 7, 2013 specific alternate site processing arrangements were incorporated; on March 30, 2012 procedures for restoring network connectivity in the event of a disaster were incorporated and on November 8, 2012 detailed lists of hardware and software components were incorporated. Provisions for testing regarding the alternate site will be incorporated when installation is completed. Regarding the cited application in ISA#15, the application is being transitioned to in-house hosting at MSDE. The first phase, deployment of the development and testing environments, will be completed by June 30, 2013. Complete migration of the application is scheduled to be accomplished by May 31, 2014 at which time the application will be included MSDEs DRP.

Cash Receipts Finding 8 MSDE did not adequately control collections received at MSDEs headquarters. Recommendation 8 We recommend that MSDE ensure that a. collections are recorded immediately upon receipt; b. prenumbered receipt forms are periodically accounted for as to issued, voided, or on hand; and c. employees who maintain the accounts receivable records do not have access to the related collections. We advised MSDE on accomplishing the related separation of duties using existing personnel.

MSDE Response: MSDE agrees with the finding. Regarding Recommendation 8a: MSDEs Procedures for Filling Out Receipt of Deposit (RD) Forms, require that collections must be recorded upon receipt by an authorized employee who opens the mail. The procedures will be reviewed periodically with staff in the future to ensure continued compliance. Regarding Recommendation 8b: MSDEs procedures regarding the control over the unused pre-numbered receipt forms will be further strengthened in the future through periodic inventories. Regarding Recommendation 8c: In the future, employees who maintain accounts receivable records will not have access to collections.

10

AUDIT TEAM
Brian S. Tanen, CPA, CFE Audit Manager Richard L. Carter, CISA Stephen P. Jersey, CPA, CISA Information Systems Audit Managers Nelson W. Hopkins, CPA Senior Auditor Edwin L. Paul, CPA, CISA Albert E. Schmidt, CPA Information Systems Senior Auditors Eoghan J. Doherty, CPA Carey L. Harper, CPA Julia M. King Sandra C. Medeiros Elaine D. Portnoy Edward A. Rubenstein Robert J. Smith Henry H. Startzman IV Jennifer L. Thompson Staff Auditors Eric Alexander, CPA Jeffrey T. Zankowitz Information Systems Staff Auditors