CCC: DAVID Attestation-Admin - Dated July 12, 2022
Summary
The Pasco County Clerk & Comptroller's Office of Inspector General conducted an audit of the CCC Administration's use of the Driver and Vehicle Information Database (DAVID) system, covering the period February 2, 2021 through February 2, 2022. The audit was initiated on January 14, 2022, in response to a DHSMV request for an Attestation Statement under MOU contract #HSMV-0615-019. The scope encompassed 20 DAVID users across three departments — Criminal Courts, Information Technology, and the Inspector General — and tested internal controls for compliance with MOU requirements governing authorized access, use, and protection of confidential driver information.
The IG concluded that the Clerk's office was overall compliant with the MOU and authorized to sign the Attestation Statement; however, the audit identified 8 opportunities for improvement spanning compliance failures and internal control weaknesses. Most significantly, one employee was found to have conducted 7 personal DAVID searches between August 2019 and December 2021, which went undetected by the quarterly review process, ultimately resulting in the employee's resignation and required notifications to DHSMV. Additionally, 955 of 1,660 searches (58%) conducted during the audit period could not be verified as proper business-related queries.
All eight findings were acknowledged by management, with corrective action plans targeting a September 30, 2022 implementation date. Management proactively updated policies, required new user agreement signatures, and provided additional DAVID training prior to the report's issuance.
8 findings
- Observation 1mediumpolicy
DAVID Users Not Conducting Searches Per Policies and Procedures
Six of the 12 (50%) Criminal Courts DAVID users were consistently using incorrect purpose codes for their DAVID searches and/or were not including a case/citation number in their search during the audit period February 1, 2021 through February 1, 2022. Additionally, there were several instances where impound searches were conducted on names rather than plate numbers, contrary to the CR-CC066 procedure which required use of the '020 – Other' code, inclusion of the case/citation number, and plate-based impound searches.
Recommendation: No formal recommendation was provided as compliance with policies and procedures was expected; management was expected to adhere to existing directives.Management response: Acknowledged. Procedures are being updated to clarify the purpose code and data input requirements for DAVID searches. Teammates will be trained on the updated procedures. Target implementation date: September 30, 2022. - Observation 2highdata access
Employee DAVID System Misuse Undetected by Internal Controls
During fieldwork, the IG identified one Criminal Courts user who conducted personal DAVID searches. A total of seven personal searches were identified between August 9, 2019 and December 8, 2021. The misuse was overlooked by the IT Point of Contact during the 2021 Quarter 3 User Activity Review and not escalated to management. Upon notification by the IG, management contacted the Pasco County Sheriff's Office for investigation, and the employee subsequently resigned. Timely notification was sent to DHSMV and affected individuals as required by the MOU.
Recommendation: No formal recommendation was provided as compliance with agreements, policies, and procedures was expected; management was expected to adhere to existing directives.Management response: Acknowledged. Guidelines and procedures will be reviewed and updated to include a coordinated effort between Criminal Courts and the POC to review DAVID system user activity. Target implementation date: September 30, 2022. - Observation 3mediumdata access
One DAVID User Not Deactivated Within MOU Required Timeframe
Of nine DAVID users deactivated during the audit period, one employee's access was disabled 21 working days after reassignment to a position not requiring DAVID access, well beyond the MOU-required five working days. The IG verified the user did not conduct any DAVID searches after reassignment, limiting the actual risk exposure.
Recommendation: No formal recommendation was provided as compliance with MOU requirements was expected.Management response: Acknowledged. A meeting occurred on May 11, 2022 between the POC and Leadership to discuss deactivation procedures. Procedures are being updated to include automatic deactivation for internally transferred teammates, with a new access request required if DAVID is needed in the new role. Target implementation date: September 30, 2022. - Observation 4highpolicy
Majority of DAVID Searches for Audit Period Could Not Be Verified
Of the 1,660 DAVID searches conducted during the audit period, 955 (58%) could not be verified as proper, authorized, business-related searches. Reasons for unverifiability included incorrect purpose codes, missing case/citation numbers, incorrect case/citation numbers, inability to locate the searched person in Clericus, impound searches using names instead of tag numbers, verbally requested searches with no documentation, and deleted email documentation. Documented policies and procedures providing guidance for conducting verifiable searches were limited, and verbal search requests were not required to be documented.
Recommendation: Create documented policies and procedures requiring use of the '020 – Other' code, inclusion of a brief reason for the search, and inclusion of the case/citation number. Require verbal DAVID search requests to be documented via email and maintained, and require email documentation for DAVID work to be retained in a designated folder.Management response: Acknowledged. Guidelines and procedures will be updated to include the above recommendations. Target implementation date: September 30, 2022. - Observation 5mediumpolicy
Internal Policies Did Not Fully Address All MOU Requirements
The documented policies and procedures for the DAVID system did not fully address all requirements from Sections IV(B), V, and VI of the MOU (HSMV-0615-19). Criminal Courts procedures failed to address 14 of the 24 applicable MOU requirements, and IT procedures failed to address 13 of the 24 requirements, leaving significant gaps in the internal control framework relative to the MOU's obligations.
Recommendation: Revise existing policies and procedures, or create new internal criteria, to fully address all applicable MOU requirements for Sections IV (Part B), V, and VI. Where requirements do not apply, explicitly state that in the new or revised policies and procedures.Management response: Acknowledged. Guidelines and procedures will be created/updated and reviewed to ensure compliance with the DAVID system MOU, to include indications of not applicable where appropriate. Target implementation date: September 30, 2022. - Observation 6mediumpolicy
Quarterly Reviews Did Not Flag Improper Purpose Codes or Missing Citation Numbers
The procedures for conducting quarterly Quality Control Reviews did not specify what steps the POC should take upon identifying incorrect purpose codes or missing case/citation numbers. As a result, 72 of 95 (76%) DAVID searches reviewed in the 2021 Quarterly Quality Control Reviews did not use the '020 – Other' purpose code and/or lacked a case/citation number, yet management was never notified and no corrective action was taken.
Recommendation: Revise internal criteria for conducting quarterly user activity reviews to specify the steps required of the POC when they encounter user searches with incorrect purpose codes and/or missing case/citation numbers.Management response: Acknowledged. Guidelines and procedures will be created/updated to outline clear criteria including action steps for the POC to report DAVID system searches with incorrect, incomplete, or missing reason codes. Target implementation date: September 30, 2022. - Observation 7mediumdata access
Inadequate Segregation of Duties for Monitoring POC Activity in DAVID
The IT Point of Contact responsible for conducting and signing off on the DAVID Quarterly Quality Control Reviews was also included in the randomly sampled users for the 2021 Q3 and Q4 reviews, meaning the POC reviewed their own activity. Additionally, the alternate POC was included in the Q4 random sample. This lack of segregation of duties created a risk that POC activity would not receive independent review.
Recommendation: Revise policies and procedures for conducting quarterly quality control reviews to include language addressing situations where one or both POCs are selected as part of the user sample, and prohibit the POC from approving their own authorization or activity.Management response: Acknowledged. Guidelines and procedures will be reviewed and updated to include the recommendation of segregation of duties. Target implementation date: September 30, 2022. - Observation 8lowpolicy
2021 Quarter 1 Review Selected Users With No DAVID Activity
For the 2021 Quarter 1 Review, the 10 randomly selected users had no DAVID activity or searches for the selected week. Reviewing user reports with no activity did not test for compliance and merely documented a lack of activity, rendering the quarterly review ineffective for that period.
Recommendation: Update policies and procedures to require that the random sample for quarterly reviews includes users who performed searches in DAVID during the quarter under review, identifiable by running a User Activity Audit Report in DAVID for the quarter.Management response: Acknowledged. Guidelines and procedures will be created/updated to include identifying DAVID system users who have conducted searches during the quarter in the random sampling for the quarterly review. Target implementation date: September 30, 2022.