Clerk & Comptroller
Audit findings · data access
31 findings match the current filter. Sorted by severity, then dollar amount.
- highdata accessCCC · FY 2024
32 of 86 teammates held inappropriate CCIS driver license clearance permissions
The Pasco Users with DHSMV D6 Clearance County Permissions Report reflected 86 teammates had permission to reinstate suspended driver licenses in CCIS. Formal documented policies and procedures for reviewing and updating user permissions did not exist, and the CCIS Security User Agreement did not provide guidance for removing access for former or transferred teammates. As a result, 32 of the 86 teammates had permissions that were not appropriate, no longer required, or were not updated in a timely manner, spanning Administration (1), Civil (15), Criminal (9), Finance (2), IT (4), and Records (1), increasing the risk of unauthorized reinstatements.
in: CCC Driver License Reinstatements - Dated December 27, 2024 - highdata accessBCC · FY 2023
Accela permit report reflected unexplained gaps in sequential permit numbers
Of 43,742 permits on the Accela permit report for the audit period, the IG identified 1,113 gaps (approximately 3%) in sequential permit numbers. Explanations provided by management included 1,054 permits with file creation dates outside the audit period, 10 deleted permits (the delete function was inadvertently enabled and used in error with no supporting documentation), 48 permits attributed to a system glitch or child record creation, and one permit marked inactive without supporting documentation. No formalized procedure existed for monitoring gaps in sequential permit numbers, and documented management approvals were not required for deletions or inactivations, increasing the risk of unauthorized transactions going undetected.
in: BCC: Development Services Private Provider Refunds - Dated June 30, 2023 - highdata accessBCC · FY 2023
Accela permit report lacked complete and reliable private provider data fields
Of 41,951 permits eligible for outsourcing, approximately 77% (32,353 permits) had incomplete data fields for identifying whether inspections and/or plans reviews were outsourced to private providers. Specifically, 24,300 permits (approximately 58%) had at least two blank data fields and 8,053 permits (approximately 19%) had one blank data field. The outsourcing data fields were not mandatory in Accela, allowing permit technicians or customers to skip them, and no documented procedures required secondary review to verify accuracy and completeness of data entry.
in: BCC: Development Services Private Provider Refunds - Dated June 30, 2023 - highdata accessBCC · FY 2023
Accela outsource data fields contained frequent inaccurate permit information
Testing of 53 permits found that 27 (approximately 51%) reflected an incorrect outsourcing status or a status that could not be verified. Seventeen permits had data entry errors including 'No' recorded instead of 'Yes' or vice versa, or blank fields instead of 'No.' Three permits that had received private provider refunds were not included on the Schedule of Refunds List because inaccurate 'No' entries in Accela caused them to be missed; they were only caught because contractors self-identified. Ten permits had one blank outsource field for plans review and the IG could not independently verify whether those permits were owed a refund. No formalized policy required staff to update outsource fields when new or corrected information became available.
in: BCC: Development Services Private Provider Refunds - Dated June 30, 2023 - highdata accessCCC · FY 2023
20 of 88 Teammates Have Inappropriate Physical Access to Evidence Areas
The Reader Assignments to Cardholders Report showed 88 teammates had badge access to evidence rooms and vaults. Of these, 20 had access that was not applicable to their position, was not appropriate, or was no longer needed. Formal documented policies and procedures for periodically reviewing and updating physical access did not exist, increasing the risk of unauthorized access that could compromise evidence integrity.
in: CCC: Evidence Final Report - Dated December 8, 2023 - highdata accessCCC · FY 2023
33 of 61 TrakMan Users Have Inappropriate Evidence Deletion Permissions
There were 61 active TrakMan users with permission to delete evidence. After management review, 33 of 61 had deletion permissions that were not applicable to their position, not appropriate, or no longer needed. No formal documented policies existed for reviewing and updating TrakMan delete permissions. A system limitation in TrakMan required the delete permission profile for users who need to purge files, complicating remediation. This increased the risk of unauthorized and undetected evidence deletions.
in: CCC: Evidence Final Report - Dated December 8, 2023 - highdata accessCCC · FY 2022
Employee DAVID System Misuse Undetected by Internal Controls
During fieldwork, the IG identified one Criminal Courts user who conducted personal DAVID searches. A total of seven personal searches were identified between August 9, 2019 and December 8, 2021. The misuse was overlooked by the IT Point of Contact during the 2021 Quarter 3 User Activity Review and not escalated to management. Upon notification by the IG, management contacted the Pasco County Sheriff's Office for investigation, and the employee subsequently resigned. Timely notification was sent to DHSMV and affected individuals as required by the MOU.
in: CCC: DAVID Attestation-Admin - Dated July 12, 2022 - mediumdata accessCCC · FY 2025
Printed and Electronic DAVID Personal Data Not Properly Safeguarded
Criminal teammates were directed to place printed DAVID information in OSA (Obsolete, Superseded, or Administrative Value Lost) boxes when no longer needed, but those boxes were not physically secured from unauthorized persons. Additionally, teammates who telework were not required to black out their computer screens while accessing DAVID remotely, contrary to MOU Section V requirements for protecting personal information from unauthorized viewing.
in: CCC: DAVID Attestation- Dated July 28, 2025 - mediumdata accessCCC · FY 2025
DAVID User Access Not Deactivated Within Required Five Business Days
MOU Section IV, Subsection B.8 requires user access and permissions to be updated within five business days of reassignment. One user was deactivated 55 working days after reassignment to a position that did not require DAVID access. The auditor verified the user did not access DAVID after reassignment.
in: CCC: DAVID Attestation- Dated July 28, 2025 - mediumdata accessCCC · FY 2025
Existing Password Security Procedures Inadequate
Some practices did not demonstrate effective password security. Teammates used the web browser's autofill feature to save DAVID login credentials and did not lock workstations when left unattended. Additionally, passwords were stored in an envelope kept in an unlocked desk drawer, creating risk of unauthorized access to DAVID.
in: CCC: DAVID Attestation- Dated July 28, 2025 - mediumdata accessCCC · FY 2025
DAVID User Permissions Inconsistent and Not Role-Appropriate
DAVID user permissions were not consistently configured to match user roles. Five of 13 Criminal users had permission to search by vehicle make and model, which was unnecessary for their job duties. Additionally, both Criminal and Inspector General users had varying days and hours of access to DAVID rather than a standardized schedule.
in: CCC: DAVID Attestation- Dated July 28, 2025 - mediumdata accessCCC · FY 2023
Image privacy levels for some Civil docket codes less restrictive than case privacy level
For six Civil docket codes, image privacy levels did not agree with or were less restrictive than the assigned case privacy level within Clericus. For example, codes 899 (Petition for Termination of Parental Rights) and 7163 (Notice on Petition for Adoption) had public image privacy levels that were required to be confidential. All six codes were corrected during the audit.
in: CCC Docket Image Privacy Follow-Up - Final Report dated February 14 2023 - mediumdata accessCCC · FY 2023
Privacy levels were incorrect for some Civil images tested
Privacy levels of existing images were not periodically reviewed for compliance or consistency. Issues identified included two sealed cases with images assigned OnDemand privacy levels, nineteen images with public privacy levels that were required to be confidential (docket codes 675, 678, 1397), and one image marked confidential rather than sealed. Corrections were made during the audit.
in: CCC Docket Image Privacy Follow-Up - Final Report dated February 14 2023 - mediumdata accessCCC · FY 2023
One Records OnDemand image not made available to public in timely manner
One OnDemand image of 32 tested was requested for viewing on October 22 and again October 30, 2020 but was not made available until management was notified on November 23, 2020. An IT control error caused a 'Courts 23 rule banner' to be incorrectly assigned in the Dr. Watson redaction system, resulting in over-restriction of the image.
in: CCC Docket Image Privacy Follow-Up - Final Report dated February 14 2023 - mediumdata accessBCC · FY 2023
Terminated DAVID user not deactivated within required timeframe
The MOU required user access to be immediately deactivated upon termination and updated within five business days upon reassignment. One DAVID user was not deactivated within five business days of their termination date. The IG verified there was no user activity after the termination date.
in: BCC: Stormwater DAVID Contract Attestation - Dated November 13, 2023 - mediumdata accessBCC · FY 2023
DAVID access authorization and acknowledgement forms not maintained
The DAVID SOP required users to sign three forms before receiving access — the DAVID Access Authorization Request, Acknowledgement of Penalties for Misuse, and Florida Computer Crimes Act — and these forms were required to be retained for five years. Access and authorization forms for DAVID users were not maintained.
in: BCC: Stormwater DAVID Contract Attestation - Dated November 13, 2023 - mediumdata accessBCC · FY 2023
Four unauthorized employees had access to restricted DAVID file folder
Citations, DAVID policies and procedures, and DAVID monitoring reports were stored in a restricted file folder accessible only to authorized personnel. The IG verified four unauthorized employees had access to the restricted file folder. After the IG brought this to the POC's attention, access was immediately requested to be removed for these individuals.
in: BCC: Stormwater DAVID Contract Attestation - Dated November 13, 2023 - mediumdata accessCCC · FY 2023
Key and Combination Access to Evidence Vaults Not Properly Documented
The Key/Combination Request & Issuance Form used to document issuance of vault keys and combinations was not always maintained, complete, or updated. For 6 of 13 Records teammates with vault access, forms were missing required signatures, did not clearly identify the specific access location, were not on file, or were not updated. Form language was also too vague to clearly identify which specific location access was authorized for.
in: CCC: Evidence Final Report - Dated December 8, 2023 - mediumdata accessCCC · FY 2022
One DAVID User Not Deactivated Within MOU Required Timeframe
Of nine DAVID users deactivated during the audit period, one employee's access was disabled 21 working days after reassignment to a position not requiring DAVID access, well beyond the MOU-required five working days. The IG verified the user did not conduct any DAVID searches after reassignment, limiting the actual risk exposure.
in: CCC: DAVID Attestation-Admin - Dated July 12, 2022 - mediumdata accessCCC · FY 2022
Inadequate Segregation of Duties for Monitoring POC Activity in DAVID
The IT Point of Contact responsible for conducting and signing off on the DAVID Quarterly Quality Control Reviews was also included in the randomly sampled users for the 2021 Q3 and Q4 reviews, meaning the POC reviewed their own activity. Additionally, the alternate POC was included in the Q4 random sample. This lack of segregation of duties created a risk that POC activity would not receive independent review.
in: CCC: DAVID Attestation-Admin - Dated July 12, 2022 - mediumdata accessBCC · FY 2022
EAM system glitch added phantom inventory items to wrong warehouses
During the audit at Shady Hills Warehouse, one item (#2083Y) appeared on count sheets without a valid bin location and did not physically exist at that location. A system glitch caused the item, newly added to Embassy Warehouse, to be automatically propagated to Shady Hills (with '*' bin) and Wesley Center (with 'PR' bin), creating inaccurate inventory records and count sheets.
in: BCC: Utilities Warehouse Inventories Follow-up – Dated December 13, 2022 - mediumdata accessBCC · FY 2022
Inventory system reflected incorrect bin locations for multiple items
Of the 103 items tested at Embassy Warehouse, five items (5%) — #22003, #07007M, #82048, #500586, and #230112 — were located in a different area than reflected in the EAM system or could not be identified. Management stated the inventory had been reorganized due to spacing issues, but the system was not updated at the time of the audit, compromising the reliability of inventory records.
in: BCC: Utilities Warehouse Inventories Follow-up – Dated December 13, 2022 - mediumdata accessCCC · FY 2021
Civil image privacy levels inconsistent with assigned case privacy levels
For six Civil docket codes, image privacy levels did not agree with or were less restricted than the assigned case privacy levels in Clericus. Examples included image privacy changed from Public to Confidential for codes 899 and 7163, and changes from Confidential to OnDemand for codes 1517, 3401, 4623, and 8000. The IG verified all six were corrected during the audit.
in: CCC: 2020-09 Docket & Image Privacy – Dated August 4, 2021 - mediumdata accessCCC · FY 2021
Privacy levels incorrect for multiple Civil images tested
Privacy levels were incorrect for several Civil images tested, including two sealed cases with images at OnDemand and dockets at public levels, adoption case images with inconsistent confidential vs. sealed levels, 19 images for domestic violence and stalking petitions incorrectly assigned public privacy, and one image confidential instead of sealed due to a FACTS-to-Clericus conversion issue. No periodic review process existed for image privacy level compliance.
in: CCC: 2020-09 Docket & Image Privacy – Dated August 4, 2021 - mediumdata accessBCC · FY 2020
DAVID workstation not secure from unauthorized access or view
The cubicle used to access the DAVID system was not secure from unauthorized view and access. Other Stormwater Inspectors who were not authorized DAVID users shared the cubicle workspace, and the cubicle had no door. DAVID users stated they attempted to access the system only when unauthorized inspectors were absent, but this was not a reliable control. This arrangement violated MOU Section V, Subsection G, which required DAVID information to be protected from unauthorized persons viewing, retrieving, or printing it.
in: BCC: Stormwater DAVID Contract Attestation – Date March 24, 2020 - mediumdata accessBCC · FY 2020
Review of POC DAVID activity not independent or documented
The Assistant Director of Public Works stated he conducted monthly reviews of the Point of Contact's (POC) DAVID activity, but these reviews were not documented. Furthermore, the user activity reports reviewed were generated by the POC from the DAVID system, meaning the review was not independent. As a result, the IG could not verify that reviews were actually performed or that the information was complete and accurate.
in: BCC: Stormwater DAVID Contract Attestation – Date March 24, 2020 - lowdata accessBCC · FY 2025
Fourteen Inactive Billing Codes Remain Active in Billing System
During review of the FY2024 and FY2025 utility rate charts, 14 billing codes that were no longer in use were found to still be active in the utility billing system. Of 318 billing codes in FY2024, 304 agreed to BCC-approved rates and 14 were inactive but enabled; the same 14 codes persisted in the FY2025 chart of 329 codes. Active inactive codes pose a risk of accidental use that could result in inaccurate customer billings.
in: BCC Utilities Rates - Dated May 30, 2025 - lowdata accessCCC · FY 2023
Civil defendant incorrectly flagged as juvenile in Clericus
For one Civil image tested, the defendant/relevant party was not reflected on the Online Court Records Search because they were incorrectly marked as juvenile in Clericus. However, the party was born in 1965 and was not a juvenile. Management corrected the issue during the audit and the party's name was made available online.
in: CCC Docket Image Privacy Follow-Up - Final Report dated February 14 2023 - lowdata accessCCC · FY 2023
Unattended Workstations Allowed Incorrect Evidence Deletion Attribution
One evidence deletion in TrakMan was attributed to the wrong teammate because a shared computer was not locked before being left unattended. A second teammate performed the deletion while the computer remained logged in under the prior user's credentials. This resulted in inaccurate audit trail records in TrakMan.
in: CCC: Evidence Final Report - Dated December 8, 2023 - lowdata accessCCC · FY 2021
One OnDemand image not made available to public in timely manner
Of 32 OnDemand images tested, one was requested for viewing on October 22 and again on October 30, 2020, but was not made available until management was notified on November 23, 2020 — over a month later. The delay was caused by an IT control error that incorrectly assigned a 'Courts 23 rule banner' to the image in Dr. Watson, resulting in over-restriction.
in: CCC: 2020-09 Docket & Image Privacy – Dated August 4, 2021 - lowdata accessCCC · FY 2021
Civil defendant incorrectly flagged as juvenile in Clericus
For one Civil image included in testing, the defendant/relevant party born in 1965 was incorrectly marked as juvenile in Clericus, causing their name to not appear on the Online Court Records Search. Management corrected the issue during the audit and the party's name was made available online.
in: CCC: 2020-09 Docket & Image Privacy – Dated August 4, 2021