Amtrak 2015 Annual Report Download - page 57

Appendix A – Material Weakness in Internal Control Over Financial Reporting

Information Systems

Information management security and change management controls are fundamental to the
integrity of all information systems. Such controls, including appropriately designed and
implemented preventative controls and monitoring controls for proper assessment and timely
remediation, can help manage risks such as unauthorized access and changes to critical data and
programs. These controls include logical access restrictions and an appropriate level of segregation
of incompatible duties throughout the information system processes to validate that the integrity
of Amtrak’s information resources is not compromised.

As part of our fiscal year 2015 audit, we have identified two significant deficiencies that when
aggregated result in a material weakness in the design and operation of information systems
controls. The significant deficiencies relate to information technology general controls,
specifically user access and change management controls.

User access – lacked timely removal of user access, frequency, precision, and
documentation of user access reviews, and timely resolution of discrepancies, segregation
of privileged user access, conformity of and periodic and ongoing monitoring of
infrastructure security configurations to the Company’s standards for significant
applications, operating systems and databases. In addition, there was a lack of controls to
validate the completeness and accuracy of data and reports used in executing review
controls.

Appropriate consideration of the design of controls over user access is essential to provide
a suitable framework for subsequent implementation and operation of the controls.

Change management – experienced difficulties in implementing its policy of least
privilege access and segregation of duties, preventing and monitoring for inconsistencies
in access rights appropriateness to the production environments. Further for environments
without segregation of duties within the change management process, appropriate
monitoring procedures were not in place to serve as a compensating control. The Company
also lacked sufficient documentation to evidence the population of program changes in the
production environment for certain information systems.

The material weakness impacted application controls and IT-dependent manual controls including
management review controls relying on electronic data across all classes of transactions that were
significant to financial reporting process.