Office of the Washington State Auditor

Pat McCarthy

Performance Audit
IT Interface Controls
September 17, 2018

Washington’s state agencies need complete and accurate data to deliver

services effectively and efficiently. In some cases, the critical data comes from
another agency or system through an interface. An interface is a combination
of hardware, software and human processes that allows information to move
from one system to another. Interface controls are the processes designed to
ensure the accurate, complete, and secure transmission and processing of
the data between systems. Without reliable data, the state may fail to deliver
services, eligible clients may not receive benefits, or billing could be incorrect.
The Office of the Washington State Auditor reviewed 13 interfaces at five state
agencies and examined whether interface controls were sufficient.
Auditors found most of the interfaces had adequate controls; however, there
were a few opportunities for improvement. One agency did not have controls
in place to ensure access to data was restricted to only those agency and
contracted staff authorized to view or change the data, while another did not
have reconciliation procedures to ensure data was complete.

R ep o r t N u m b e r: 1 0 2 2 1 7 4
Table of Contents

Introduction.............................................................................................................. 3
Scope and Methodology...................................................................................... 5
Audit Results............................................................................................................. 6
Recommendations.................................................................................................. 8
Agency Response.................................................................................................... 9
Appendix A: Initiative 900..................................................................................11
Appendix B: Methodology.................................................................................12

The mission of the Washington State Auditor’s Office State Auditor’s Office contacts
Provide citizens with independent and transparent State Auditor Pat McCarthy
examinations of how state and local governments use public 360-902-0360, Pat.McCarthy@sao.wa.gov
funds, and develop strategies that make government more
efficient and effective. Scott Frank – Director of Performance Audit
360-902-0376, Scott.Frank@sao.wa.gov
The results of our work are widely distributed through a variety
of reports, which are available on our website and through our Shauna Good, CPA – Principal Performance Auditor
free, electronic subscription service. 360-725-5615, Shauna.Good@sao.wa.gov
We take our role as partners in accountability seriously. We Diana Evans, CPA – Assistant Audit Manager
provide training and technical assistance to governments and 360-725-5426, Diana.Evans@sao.wa.gov
have an extensive quality assurance program. Jon Howard, CISA – Assistant State Auditor
For more information about the State Auditor’s Office, visit 360-725-5420, Jonathan.Howard@sao.wa.gov
www.sao.wa.gov.
Kathleen Cooper – Director of Communications
Americans with Disabilities 360-902-0470, Kathleen.Cooper@sao.wa.gov
In accordance with the Americans with Disabilities Act, this
document will be made available in alternative formats. Please To request public records
email Communications@sao.wa.gov for more information. Public Records Officer
360-725-5617, PublicRecords@sao.wa.gov

IT Interface Controls | 2
Introduction

Computer systems in state government frequently share data with other systems that
support various state and federal services. Agencies need complete and accurate data
to deliver services effectively and efficiently. Without reliable systems and reliable
data, the state may fail to deliver services, eligible clients may not receive benefits, and
under- or over-billing could occur.
The state also must protect the millions of sensitive and confidential records
exchanged daily between its systems from intentional or unintentional disclosure,
loss, and unauthorized use. Data breaches can have significant consequences, such
as legal and regulatory violations, decreased customer satisfaction, and eroded
public trust. A 2017 study by the Ponemon Institute, a research center that focuses
on privacy, data protection and information security policy, found that a data breach
costs government an average of $110 per record lost. These costs can include:
• Engaging forensic experts to determine the cause and breadth
of the incident
• Hotline support for affected people
• Notifying affected people
• Providing people with free credit monitoring subscriptions
• Paying fines. For example, the U.S. Department of Health and Human
Services’ Office for Civil Rights may impose fines when protected health
information is breached.

Strong system interface controls can help protect data

An interface is a combination of hardware, software and human processes that allows
information to move from one system to another. Interface controls are automatic or
manual processes designed to ensure transmission and processing of information between
systems is complete and accurate. Consider a customer who places an order for medication
online. The order is not complete if the pharmacy does not fill all the prescriptions in the
order. The order is not accurate if the pharmacy gives the wrong dosage.
Interface controls also ensure that data is secure. Using the pharmacy example, the
order is not secure if a hacker or others can see a customer’s prescriptions. Strong
interface controls protect the security of data both in transit and at rest. Data in
transit is data moving from one location to another. Data at rest is data stored on a
server, within a specific location, waiting to be processed.
State agencies are required to follow Washington State Office of Financial Management
(OFM) and Washington State Office of the Chief Information Officer (OCIO) policies.
OFM requires state agencies to develop controls to “provide for accountability of the
state’s assets and compliance to its laws and regulations” (State Administrative &
Accounting Manual). OCIO policies require agencies to protect the state’s data. The
Federal Information System Controls Audit Manual (FISCAM) offers leading practices
that apply to system interfaces. Following these requirements and practices can help
agencies ensure data exchanged between systems are complete, accurate and secure.
Based on assessed risk, this audit was designed to determine if there are opportunities
to strengthen interface controls at five state agencies by answering this question:
• Do the selected state agencies’ information systems have interface controls
that effectively ensure the completeness, accuracy, and security of the state’s
data during transfer and at rest?

IT Interface Controls :: Introduction | 3

The audit examined 13 interfaces at five agencies. Because of the sensitivity
of information contained in government systems, and under the authority of
RCW 42.56.420(4), the agencies are not identified in this report.

Information system interfaces allow data Exhibit 1 – The ‘I’ in each row indicates where an
to be exchanged between two systems interface facilitates the interaction
As shown in Exhibit 1, interfaces can share information
State agency  I  Person
between a variety of organizations. For example, an
interface can be present between systems maintained by a State agency  I  State agency
single agency, or between systems maintained by different State agency  I  Federal agency
agencies or private companies. The data exchanged might be State agency  I  Local government entity
a file consisting of one or more records which is processed
at a later time, or it can be a real-time update. Interfaces are
State agency  I  Private company
present between a variety of different types of state agency
systems, including those housed on legacy mainframe Exhibit 2 – An effective
systems, client server systems and third-party vendor systems. Risk associated interface ensures the source
with interfaces increases as the number of transactions or the number of other data is received completely,
services and systems supported by the interfaced data increases. accurately and securely
Interfaces, both external and internal, should be effectively managed and
controlled to deliver the required criteria for completeness, accuracy and ORIGINAL DATA
security. When interfaces are not managed well, errors can arise between the
sent and received data files, as illustrated in Exhibit 2. According to FISCAM
Section 4.3, an effective interface has the following characteristics. 1) ABC D

Complete – All transactions and events that should be recorded 2) EFGH

are recorded. 3) JKLM
When data is transferred from one system to another, the risks associated
with incomplete data are that records and dollar amounts are not completely
transferred to the receiving system. In other words, if 10 records are expected to COMPLETE INCOMPLETE
be transferred from system A to system B, all 10 records should be transferred
to system B. 1) ABCD 1) ABCD
Accurate – Amounts and other data relating to recorded transactions 2) EFGH 2) EFGH
and events are recorded correctly. 3) JKLM 3)
Data transfers to the receiving system should be accurate, meaning data should
arrive exactly as it left the sending system. While completeness and accuracy
are closely related, accuracy is more concerned with the details of the individual ACCURATE INACCURATE
records that transfer. For example, an account number should have all the same
digits, in the same order, in both systems.
1) ABCD 1) ABCR
Secure – Access to data is adequately restricted to reduce risk of intentional
2) EFGH 2) EO GH
and unintentional disclosure, loss and unauthorized use.
3) JKLM 3) JKLV
Data transferring between two systems should be protected from external
threats, such as hacking or theft. Data should also be protected from
inappropriate use. Only staff who need to view or change interface data to SECURE NOT SECURE
perform their jobs should be granted access.

1) Q0!X 1) ABCD
2) +Y1* 2) EFGH
3) Z=T? 3) JKLM

IT Interface Controls :: Introduction | 4

Scope and Methodology

Based on knowledge from auditing state agencies and previous system-related

audit work, we selected five agencies for this assessment. With the involvement
of key agency staff, we identified significant systems at each agency and selected
13 interfaces. We reviewed relevant standards and best practices, specifically
OCIO 141.10, FISCAM, and OFM’s State Administrative & Accounting Manual,
to develop criteria for assessing the effectiveness of certain interface controls. We
identified and tested relevant controls by interviewing key personnel, reviewing
security access screens and reports, and observing agency input and output
comparison processes.

Audit performed to standards

We conducted this performance audit under the authority of state law (RCW
43.09.470), approved as Initiative 900 by Washington voters in 2005, and in
accordance with generally accepted government auditing standards as published
in Government Auditing Standards (December 2011 revision) issued by the
U.S. Government Accountability Office. Those standards require that we plan
and perform the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objectives. See Appendix A, which addresses
the I-900 areas covered in the audit. See Appendix B for a detailed description of
the audit’s methodology
Next steps
Our performance audits of state programs and services are reviewed by the Joint
Legislative Audit and Review Committee (JLARC) and/or by other legislative
committees whose members wish to consider findings and recommendations on
specific topics. Representatives of the State Auditor’s Office will review this audit
with JLARC’s Initiative 900 Subcommittee in Olympia. The public will have the
opportunity to comment at this hearing. Please check the JLARC website for the
exact date, time, and location (www.leg.wa.gov/JLARC). The State Auditor’s Office
conducts periodic follow-up evaluations to assess the status of recommendations
and may conduct follow-up audits at its discretion.

IT Interface Controls :: Methodology | 5

Audit Results

Did selected state agencies have interface controls that

effectively ensure the state’s data transfers are complete,
accurate and secure?
Answer in brief: For most interfaces included in the audit, agencies had adequate
controls to ensure the completeness, accuracy and security of state data. However, Reporting detailed
there were a few opportunities to improve controls. results
IT security information
We gave the five state agencies comprehensive results of their individual agency’s tests is exempt from
during the audit and at the conclusion of work. We also shared the detailed results public disclosure in
with the Washington Technology Solutions, Office of Cyber Security. However, accordance with RCW
to protect the state’s IT systems and the confidential and sensitive information 42.56.420 (4).
contained in those systems, this report does not include the agencies’ names or a To protect the IT
complete description of the audit results. security of Washington
state, this report does
Auditors reviewed 13 interfaces at five state agencies and examined the controls not include the names
designed to ensure the data exchanged between systems was complete, accurate and of the five selected
secure. The table in Exhibit 3 summarizes the results. agencies, nor any
detailed descriptions of
Exhibit 3 – Summary of results from review of system interfaces the findings. Disclosure
Check mark given if the interface had adequate controls to meet criteria of such detail could
potentially be used by
Agency Complete? Accurate? Secure in transit? Secure at rest? a malicious attacker
Agency 1 against the state.
Interface 1    
Interface 2    
Interface 3    
Agency 2
Interface 1    No
Interface 2    No
Interface 3 * *  No
Agency 3
Interface 1    
Agency 4
Interface 1    
Interface 2    
Interface 3    
Interface 4    
Agency 5
Interface 1 No   
Interface 2 * *  
* Not relevant for the tested interface.

IT Interface Controls :: Audit Results | 6

Controls at all five agencies were adequate to ensure accurate data,
but one agency lacked adequate controls to ensure data was complete
Of the 13 interfaces reviewed, one at Agency 5 lacked adequate controls over
completeness of data. At the time of the audit, the agency did not have a process to
identify and correct records not transferred to the receiving system. Staff said the
agency did not incorporate reconciliation controls when designing the system and
that after it was placed into operation, addressing other issues were a higher priority.
At the conclusion of this audit, agency staff said they had implemented a process to
compare records in the sending system to those in the receiving system, however,
auditors did not have the opportunity to test the effectiveness of this process.
Most interfaces had controls to ensure data was secure, but three
interfaces at one agency did not
Data in transit
WaTech provides a service called the State Government Network (SGN) that allows
agencies to share systems and data within the statewide private network. Washington’s Data in transit is data
OCIO requires data be encrypted if it travels outside of the SGN; if it travels only inside moving from one
location to another.
the SGN, encryption is not required. Only one of 13 interfaces reviewed transmitted
data outside the SGN and would require additional encryption. For this interface, Data at rest is data
stored on a server,
the agency used another software solution called Secure File Transfer Protocol within a specific
encryption to ensure data was secure during transit and met OCIO requirements. location, waiting to be
Data at rest processed.
Of the 13 interfaces reviewed, ten adequately secured data stored in interface files,
but three, all at Agency 2, did not have controls to ensure data was secure. Auditors
identified two issues with security for these interfaces.
First, all individuals with a network login ID had permissions that allowed them to
modify data for all three interfaces, instead of just those who needed that access to
perform their job duties. With this level of access, users could make unauthorized
changes to data. In addition, excessive access to confidential data also increases the
risk of unintentional disclosure, loss and unauthorized use. When auditors requested
documentation showing who had access, agency staff recognized and reported the
broad access, and further stated that it resulted from an incorrect file configuration.
In addition, auditors found the agency lacked an effective process to periodically
evaluate who had access to interface files and remove unnecessary access. A
remediation plan was later submitted to the auditors during the audit.
Second, some IT developers have the ability to modify data files for two of the
interfaces without review and approval, which is prohibited by state requirements.
Developers were given this level of access to resolve issues that might arise during
data transfers. Granting developers this type of access presents increased risk because
their ability to manipulate the system’s software code enables them to modify files
without leaving an audit trail. If the agency grants developers this type of access,
leading practices suggest that it establish a process to clearly document, track and
approve any changes developers make, but Agency 2 management did not have such
a process.

IT Interface Controls :: Audit Results | 7

Recommendations

While most interfaces reviewed had controls in place, for those that did not, we make
the following recommendations. These recommendations have been communicated
directly to the agencies in detail.
To address issues with completeness, Agency 5 should:
• Design and implement effective controls over the completeness of data
transfers, such as reconciliations between sending and receiving systems
To address issues with security, Agency 2 should:
• Limit access to the interface data to only those whose job duties specifically
require access to the data
• Develop and employ a process to periodically evaluate who has access to
the interface files and remove access when it is no longer needed
• Develop procedures for review, testing and approval of changes made
by developers

IT Interface Controls :: Recommendations | 8

Agency Response

JAY INSLEE
Governor

STATE OF WASHINGTON

WA S H I NG T O N T E C HN O L OG Y S O L UT I ON S
1500 Jefferson Street SE Olympia, Washington 98504-1501 (360) 407-8700

September 12, 2018

The Honorable Pat McCarthy

Washington State Auditor
P.O. Box 40021
Olympia, WA 98504-0021

Dear Auditor McCarthy:

On behalf of the audited agencies, thank you for the opportunity to review and respond to the State
Auditor’s Office (SAO) performance audit report, “IT Interface Controls.”

We agree that effective interface controls are essential to ensure systems pass accurate and secure
information and continually strive to improve our IT infrastructure.

We appreciate the report acknowledging that overall most interfaces reviewed have adequate controls. We
also appreciate the suggestions provided by your staff for continued improvement.

Sincerely,

Vikki Smith
Acting Director and State CIO

cc: David Postman, Chief of Staff, Office of the Governor

Kelly Wicker, Deputy Chief of Staff, Office of the Governor
Keith Phillips, Director of Policy, Office of the Governor
Scott Frank, Director of Performance Audit, Washington State Auditors’ Office
Inger Brinck, Director, Results Washington, Office of the Governor
Tammy Firkins, Performance Audit Liaison, Results Washington, Office of the Governor
Scott Bream, Chief Information Security Officer, Washington Technology Solutions

IT Interface Controls :: Agency Response | 9

OFFICIAL STATE CABINET AGENCY RESPONSE TO PERFORMANCE AUDIT ON IT INTERFACE
CONTROLS – SEPTEMBER 12, 2018

This management response to the State Auditor’s Office (SAO) performance audit report received August
22, 2018, is provided by the Office of the Chief Information Officer on behalf of the audited agencies.

SAO PERFORMANCE AUDIT OBJECTIVES:

The SAO sought to answer this question:
1. Do the selected state agencies’ information systems have interface controls that effectively ensure the
completeness, accuracy, and security of the state’s data during transfer and at rest?

The report states that most interfaces reviewed had controls in place, for those that did not, we make the
following recommendations.

SAO Recommendation 1: To address issues with completeness, Agency 5 should:

 Design and implement effective controls over the completeness of data transfers, such as
reconciliations between sending and receiving systems.

STATE RESPONSE:

We have designed and implemented a delta difference comparison which compares data differences for the
system identified in the audit. We will continue to analyze our systems and identify and implement
additional controls as necessary to ensure completeness of data transfers.

Action Steps and Time Frame

 Design and implement controls for completeness of data transfers. Completed.

SAO Recommendation 2: To address issues with security, Agency 2 should:

 Limit access to the interface data to only those whose job duties specifically require access to the
data.
 Develop and employ a process to periodically evaluate who has access to the interface files and
remove access when it is no longer needed.
 Develop procedures for review, testing and approval of changes made by developers.

STATE RESPONSE: We value the review of our interface controls and have already implemented
corrective actions to ensure our data at rest is only accessed by those whose job duties specifically require
access to the data. We will continue to monitor this access on an ongoing basis.

Action Steps and Time Frame

 Developed and implemented a process to limit access to interface files. Completed April 20, 2018
 Develop procedures to document, track and approve changes made by developers. By March 31, 2019

IT Interface Controls :: Agency Response | 10

Appendix A: Initiative 900

Initiative 900, approved by Washington voters in 2005 and enacted into state law in 2006, authorized the State
Auditor’s Office to conduct independent, comprehensive performance audits of state and local governments.
Specifically, the law directs the Auditor’s Office to “review and analyze the economy, efficiency, and effectiveness
of the policies, management, fiscal affairs, and operations of state and local governments, agencies, programs,
and accounts.” Performance audits are to be conducted according to U.S. Government Accountability Office
government auditing standards.
In addition, the law identifies nine elements that are to be considered within the scope of each performance audit.
The State Auditor’s Office evaluates the relevance of all nine elements to each audit. The table below indicates which
elements are addressed in the audit. Specific issues are discussed in the Results and Recommendations section of
this report.

I-900 element Addressed in the audit

1. Identify cost savings No. The audit focused on the accuracy, completeness and security of
system interface data and not on cost savings.
2. Identify services that can be reduced or No. The scope of the audit included only system interfaces, which are
eliminated necessary to share information between systems.
3. Identify programs or services that can be No. The audit focused on the accuracy, completeness and security of
transferred to the private sector data in state agency system interfaces and not on whether programs or
services could be transferred to the private sector.
4. Analyze gaps or overlaps in programs or Yes. The audit identified gaps in system interface controls.
services and provide recommendations
to correct them
5. Assess feasibility of pooling information No. The audit focused on the accuracy, completeness and security of data
technology systems within the and did not include an analysis of the feasibility of pooling information
department technology systems.
6. Analyze departmental roles Yes. The audit analyzed system interface control functions and made
and functions, and provide recommendations to improve them.
recommendations to change or
eliminate them
7. Provide recommendations for statutory No. The audit did not identify any necessary statutory or regulatory
or regulatory changes that may be changes.
necessary for the department to
properly carry out its functions
8. Analyze departmental performance No. While the audit did review system interface processes, it did
data, performance measures and not include a review of departmental performance measures or
self-assessment systems self-assessment systems.
9. Identify relevant best practices Yes. The audit identified best practices for system interface controls.

IT Interface Controls :: Appendix A | 11

Appendix B: Methodology

Auditors evaluated controls over the completeness, accuracy, and security of data within interface files
and in transit between interface files. The audit scope was limited to only the interface files and did not
include reviews of the entire sending and receiving systems.

Selecting state agencies for audit

Based on knowledge from auditing state agencies and previous system-related audit work, we selected
five agencies for this assessment. We reviewed agencies using both legacy systems and newer replacement
systems. We also included agencies that interface confidential data and financial data with other entities.

Selecting systems and interfaces for testing

With the involvement of key agency internal audit and IT staff, we identified significant systems for
each agency, which we defined as systems with a high volume of transactions or high dollar amounts in
transactions and/or systems that processed confidential information.
We interviewed agency staff to gain an understanding of the incoming and outgoing interfaces and using
that information, along with knowledge gained during other audits, we selected 13 system interfaces for
testing at the five state agencies.

Control testing and assessment

We reviewed relevant standards and best practices, specifically Washington State Office of the Chief
Information Officer (OCIO) policy 141.10 and the Federal Information System Controls Audit Manual
(FISCAM), to develop criteria for assessing the effectiveness of certain interface controls. Leading
practices drawn from these sources addressed the key areas of concern: completeness, accuracy and
security.
Completeness and Accuracy
Auditors reviewed completeness and accuracy using leading practices from FISCAM that include:
• Procedures are in place to reasonably assure that the interfaces are processed completely and
accurately.
• The interfaced data is reconciled between the sending and receiving application to ensure that
the data transfer is complete and accurate.
• Errors during interface processing are identified and promptly investigated, corrected and
resubmitted for processing.
• Data files are not processed more than once.
Security
Auditors reviewed security using leading practices from FISCAM and requirements from the OCIO
that include:
FISCAM Section 4.3:
• Controls should be in place to ensure access is limited.
• All changes to configuration, including emergency changes, should be appropriately
documented and approved.

IT Interface Controls :: Appendix B | 12

OCIO Standard No. 141.10 4.4 Secure Data Transfer:
• Agencies must appropriately protect information transmitted electronically. Confidential
information that is specifically protected from disclosure by law that is transmitted outside of
the State Governmental Network requires encryption such that:
(1) All manipulations or transmissions of data during the exchange are secure.
(2) If intercepted during transmission the data cannot be deciphered.
OCIO Standard No. 141.10 7.2.(2) Application Development
• Agencies must implement separation of duties or other security controls between development,
test and production environments. The controls must reduce the risk of unauthorized activity or
changes to production systems or data including but not limited to the data accessible by a single
individual.
Auditors then determined which audit objectives were relevant to the identified interface. For
example, a receiving system might collect confidential data which could be used for initial research.
In this instance, the completeness of the data is not critical, but the confidential data that is collected
must be protected. Once we identified the relevant controls, we tested them by interviewing key
personnel, reviewing security access screens and reports, and observing agency input and output
comparison processes.

IT Interface Controls :: Appendix B | 13