KPMG states there were significant deficiencies in the “change control procedure,” which miraculously were addressed literally 12 hours before the report was to be issued by the LIPA Board, and only after LIPA Oversight Committee Co-Chairman Matt Cordaro brought them to light.
But what is most troubling is that KPMG failed to note that the change control procedure is not just National Grid's concern: it is also the responsibility of LIPA to ensure that any financial system changes to be made by National Grid are indeed authorized by LIPA.
It is deeply concerning, on many levels, that LIPA apparently has no idea what a change control procedure is, let alone that they should be the ones authorizing such changes.
by Claude Solnik Long Island Business News Published: March 30, 2012
The Long Island Power Authority posted on its website a statement from an auditor indicating it found “a significant deficiency” in procedures, only to remove the statement on the morning of its board of directors meeting and downplay the concerns.
As part of a draft version of its annual report, LIPA posted on its website Wednesday evening statements indicating auditing firm KPMG found problems related to information technology controls at National Grid regarding LIPA data.
National Grid obtains and tracks financial data as part of its agreement with the authority. LIBN copied the statements regarding the concern before they were removed.
“During the course of our audit, we identified a significant deficiency in the segregation of duties over information technology program change controls at National Grid,” the auditors indicated in the draft version.
KPMG in the statement said “individuals with powerful and privileged access to development, staging and production environment” have the ability to develop, test and migrate changes, which could allow them to alter financial information.
“Due to the existence of these powerful access rights, there is a risk that unapproved or inappropriate changes to system configurations, including financially significant data used for financial reporting could potentially occur,” KPMG wrote.
By the time the board meeting took place on Thursday, there were no signs of KPMG’s concerns in the final version. Those statements had been removed, indicating LIPA had a clean bill of health at least regarding the scope of KPMG’s audit.
The board initially described the auditor’s opinion as indicating there had been no issues, without referring to the statements that had been posted regarding a “significant deficiency.”
A significant deficiency is defined as a deficiency or combination of deficiencies that are less severe than a material weakness, yet important enough to merit attention by those charged with governance.
In response to a question from Matthew Cordaro, co-chair of the Suffolk County Legislature’s LIPA Oversight Committee, LIPA Board Member Laurence S. Belinsky said KPMG had raised concerns.
But he said they had been resolved by the time the board met, resulting in the removal of that section of the audit.
“It is not a LIPA issue. It is a National Grid IT issue related to turn over that has gone on at Grid and the number of people who had access to making changes to their computer system, which relates to our operations,” he explained.
Belinsky said KPMG requested and eventually received additional information from National Grid regarding other controls in place. KPMG declined to comment on the audit because of client confidentiality.
“National Grid within the last 48 or 96 hours provided KPMG with the requested information, which showed that they do have compensating controls and mitigating controls and proper controls in place so a handful of individuals with access to the main frame couldn’t do it without proper controls,” Belinsky said.
He added “there was a change recently at the end, because of the additional information,” as the auditors obtained data that gave them a more complete picture.
“Subsequently they did get it and their level of comfort increased,” Belinsky said. “We’ve received an unqualified opinion, which is good. There were no findings.”