Skip to content
Pasco County Civic Records
Clerk & Comptroller auditsBCCMon, Nov 13, 2023

BCC: Stormwater DAVID Contract Attestation - Dated November 13, 2023

Read the source PDF ↗

Summary

The Pasco County Clerk & Comptroller's Department of Inspector General audited the BCC Stormwater Management Division's use of the Driver and Vehicle Information Database (DAVID) system. The audit period covered February 1, 2022 through January 31, 2023, with the scope limited to compliance with MOU contract #HSMV-0319-17 and adequacy of internal controls over sensitive driver and vehicle personal information.

The IG identified eight opportunities for improvement — five classified as compliance deficiencies and three as control weaknesses — spanning user access management, agency change notifications, quarterly quality control reviews, authorization form maintenance, monthly monitoring documentation, restricted folder access, query documentation, and SOP currency. All findings were corrected by the Division prior to report issuance, and the IG signed the required Attestation Statement. The audit required two extension requests from FLHSMV, with the final deadline extended to December 27, 2023, due to delays in corrective action completion.

8 findings

  1. Finding 1mediumdata access

    Terminated DAVID user not deactivated within required timeframe

    The MOU required user access to be immediately deactivated upon termination and updated within five business days upon reassignment. One DAVID user was not deactivated within five business days of their termination date. The IG verified there was no user activity after the termination date.

    Recommendation: Since compliance with agreements, contracts, laws, rules, regulations, policies, and procedures are required, a recommendation was not provided.
    Management response: Agreed. The former PWAD was deactivated on 02-21-23 which was a violation of the MOU. DAVID access users that are terminated will be deactivated in accordance with the MOU within 5 business days going forward.
  2. Finding 2mediumpolicy

    FLHSMV not properly notified of agency head and POC changes

    The MOU required changes in the agency head, POC, address, telephone number, and/or email address to be updated in DAVID within 10 calendar days of occurrence. FLHSMV was not properly notified when there was a change in the agency head and POC.

    Recommendation: Since compliance with agreements, contracts, laws, rules, regulations, policies, and procedures are required, a recommendation was not provided.
    Management response: Agreed. FLHSMV was notified on 4-18-23 of the change in POC and agency head. FLHSMV will be notified of any such changes in accordance with the MOU going forward.
  3. Finding 3mediumpolicy

    Quarterly quality control review reports incomplete and improperly documented

    The MOU required Quarterly Quality Control Review Reports (QQCRRs) to be completed within 10 days after the end of each quarter and maintained for two years. Two QQCRRs reflected zero users reviewed despite actual activity; one QQCRR was completed before the quarter ended; two QQCRRs reflected incorrect active user counts; required Quarterly User Reports and Quarterly Monitoring Review Reports were not completed; the POC did not notify the Public Works Assistant Director upon completion; and QQCRRs were not digitally signed by the Public Works Assistant Director.

    Recommendation: Since compliance with agreements, contracts, laws, rules, regulations, policies, and procedures are required, a recommendation was not provided.
    Management response: Agreed. Quarterly reports will be done in compliance with the MOU and SOP, generated within 10 days after close of the quarter, filled out completely, and the APWD will be notified for review and approval. Completion date: 9/26/2023.
  4. Finding 4mediumdata access

    DAVID access authorization and acknowledgement forms not maintained

    The DAVID SOP required users to sign three forms before receiving access — the DAVID Access Authorization Request, Acknowledgement of Penalties for Misuse, and Florida Computer Crimes Act — and these forms were required to be retained for five years. Access and authorization forms for DAVID users were not maintained.

    Recommendation: Since compliance with agreements, contracts, laws, rules, regulations, policies, and procedures are required, a recommendation was not provided.
    Management response: Agreed. Access authorization and acknowledgement forms dated 2/16/2023 for all personnel were provided during the audit. Going forward, employees must sign the forms before receiving access, and the POC has a restricted folder to house the documents.
  5. Finding 5mediumpolicy

    Monthly monitoring reports incomplete and lacking required approval signatures

    The DAVID SOP required the POC to conduct monthly monitoring of all authorized users, complete Monthly Monitoring Reports, and submit them to the Public Works Assistant Director for review, approval, and digital signature. The Monthly Monitoring Reports provided for the audit period were incomplete, inaccurate, and lacked the required digital signature of the Public Works Assistant Director.

    Recommendation: Since compliance with agreements, contracts, laws, rules, regulations, policies, and procedures are required, a recommendation was not provided.
    Management response: Agreed. The SOP has been updated; monthly monitoring reports have been removed from the SOP. Quarterly reports will be done in compliance with the MOU and SOP, with the APWD notified to sign off. Completion date: 9/26/2023.
  6. Finding 6mediumdata access

    Four unauthorized employees had access to restricted DAVID file folder

    Citations, DAVID policies and procedures, and DAVID monitoring reports were stored in a restricted file folder accessible only to authorized personnel. The IG verified four unauthorized employees had access to the restricted file folder. After the IG brought this to the POC's attention, access was immediately requested to be removed for these individuals.

    Recommendation: Update the DAVID SOP to include a procedure that ensures access to the restricted file folder is reviewed and monitored on a regular basis, and require the review to be documented.
    Management response: Agreed. SOP updated for random monitoring of the folder to be performed no later than once per quarter, documented on the quarterly enforcement folder audit spreadsheet. IT will be contacted to send a current list of employees with access when monitoring is performed. Completion date: 9/26/2023.
  7. Finding 7lowevidence

    DAVID search queries not documented in associated case files

    For 3 of 11 DAVID queries reviewed, the associated case file did not reflect the specific DAVID information that was queried, making it difficult to trace all queries to a legitimate business purpose.

    Recommendation: Update the DAVID SOP to provide guidance for referencing all DAVID queries in the associated case file created in City Works to ensure all DAVID queries can be traced to a legitimate business purpose.
    Management response: Agreed. The SOP was updated to require referencing all queries searched in DAVID and associated case files in CityWorks/NPDES. The identity and reason for each DAVID search will be documented in the NPDES/CityWorks system. Completion date: 9/26/2023.
  8. Finding 8lowpolicy

    DAVID standard operating procedures outdated and missing required guidance

    The DAVID SOP contained outdated and inconsistent information and lacked detailed guidance for certain MOU requirements, including: incorrect agency head, backup POC, and internal case system references; an attachment with outdated Florida Statute language; inconsistent five-year retention requirements for access forms; no requirement to generate a User by Agency Report from DAVID for comparison to the Division's user list; no designation of who is responsible for notifying the IG upon receipt of an FLHSMV attestation request; and no designation of who is responsible for notifying FLHSMV of changes in agency head, POC, or contact information.

    Recommendation: Update the DAVID SOP to align with current processes, criteria, and missing procedural elements. Periodically review internal policies and procedures to ensure they remain up to date.
    Management response: Agreed. All recommendations have been implemented in the updated SOP, including POC notification responsibilities, acknowledgement and access form retention, updated Florida Statute language, requirement to generate the User by Agency Report, and an authorized access log for all DAVID searches. The SOP will be reviewed annually. Completion date: 9/26/2023.

Findings extracted by Claude from the source PDF. Every claim on this page traces back to the linked report — click through for the original wording, exhibits, and management response in full.

Top ↑