The Regulatory-Agency’s Regulatory-Agency-Audit
Written by Editor   
Friday, April 17, 2015 12:00 AM
It seems that everyone answers to someone.  The Texas Board of Chiropractic Examiners (TBCE) recently underwent an audit of its procedures and reporting by one of its own “regulatory agencies,” and the State Auditor’s Office published its report on the TBCE in March of 2015.  The report, titled Performance Measures at the Board of Chiropractic Examiners, sought to evaluate five performance measures: the number of new licenses issued, licenses renewed, complaints received, and the number of complaints resolved.
The TBCE tested eighty-percent reliable in reporting its data to the state: four of the five measures were considered “certified with qualification,” a rating given when the report “appears accurate, but controls over data collection and reporting are not adequate to ensure continued accuracy,” when “the source of documentation is unavailable for testing,” or when there is a “less than five-percent difference between the number reported … and the correct performance measure result.”  One performance measure was considered “inaccurate.”
The “inaccurate” measure occurred when “the Board inaccurately excluded 191 chiropractic licenses that were renewed at the same time that the license status was changed from active to inactive.”  This resulted in an underreporting error of three-percent, well within the five-percent required for certification, but because of a “date stamping procedure” and data entry mismatch, two out of thirty complaints had mismatching dates – a seven-percent error rate resulting in a rating of “inaccurate” from the auditors.
The main weaknesses identified by the state auditors were “the Board did not have written policies and procedures for collecting, calculating, reviewing, and reporting performance measures during fiscal year 2014”, and “the Board should strengthen controls over user access, password controls, edit checks, audit trails, segregation of duties, and disaster recovery planning."
The TBCE “agreed with the recommendations in this report” and has already moved to improve or correct the weaknesses identified.  In general, the TBCE encountered what it has long tried to teach its licensees – if it is not written down, it did not occur.
A VERY short synopsis of the report’s main points and TBCE’s responses follows:
Improve Controls
"For all five performance measures tested the … (Board) did not have written policies and procedures for the collection, calculation, review, and reporting of performance measures…. The Board should … strengthen certain information technology controls …."
The TBCE states “as of the beginning of Fiscal Year 2015, the agency has written procedures for the collection, calculation, review, and reporting of performance measures. … Policies are being drafted and will be finalized by the Executive Director at the end of Fiscal Year 2015. … [and] would like to note that Licensing staff did have written procedures for the collection of performance measure data, but during revision of the procedures in the beginning of Fiscal Year 2015, the previous version of the procedures was written over.  Therefore, no previous version was available to provide to the audit team…."
Another “control” issue the auditors had was “the Board should improve certain information technology controls over … its licensing and enforcement database, to help ensure the continued accuracy of performance measure results…. the Board should ensure that employees’ access is limited to only the information they need to fulfill their job duties."
Review the Data
“The Board did not have an independent individual review and document the review of performance measure data before that data was released” to the state.  Auditors noted that agency information should be reviewed for accuracy by an individual other than the one who entered the data and that that review should be documented.  Auditors recommended that “the Board should have an independent individual conduct and document a review of performance measure data prior to releasing that data” to the state.
TBCE responds that “management has already implemented this recommendation” and that “first quarter fiscal year 2015 performance measures were reported using the new procedures.”  TBCE further notes that a review process has been implemented where the Executive Assistant reviews and “documents review by using screen shots and a form designed to document dates of reviews.  The form is signed by both the Executive Director and Executive Assistant to memorialize the review.”
Improve Date Stamping Procedures
“Board’s procedures require each complaint to be date-stamped upon receipt.  However, the Board did not consistently enforce that procedure.  Specifically, twenty-five (forty-one percent) of the sixty-one complaint forms did not have a date stamp indicating the date on which the Board received the complaint …. In addition, for the Number of Complaints Resolved, the Board did not accurately enter the closed date in … the licensing and enforcement database the Board uses to calculate performance results.”   The auditors recommend that “the Board should: date-stamp all complaints upon receipt; and implement a review process to help ensure information entered in [the database] is accurate."
TBCE responded that it has already implemented this recommendation and explained that previously, when TBCE initiated its own complaint against a licensee, “the Director of Enforcement signed and dated the complaint” and that date was used as the receipt date.  “Now,” the TBCE notes, “procedures dictate that no matter the method of receipt and no matter if the agency is the complainant, all complaints must be date stamped upon receipt,” and the Director of Enforcement and the Enforcement Administrative Assistant meet weekly to review and document all database entries to ensure accuracy.
Restrict Access
Auditors also complained that “the Board grants administrative access to its licensing and enforcement information to all Board employees.  Administrative access allows employees to add, delete, and modify information, including modifications to the application. [Law] states that an employee’s access to agency data should be limited based on the employee’s assigned job duties.  Administrative access should be granted only to individuals responsible for managing an application, such as a system administrator. … The Board should improve password controls … [and] prevent employees from sharing their … passwords and accounts and enforce periodic changes of passwords."
Auditors also complained that “the Board does not have written policies and procedures to govern access to [its database] and its network …. [to] protect … against the risk of unauthorized access”, and that certain technical “weaknesses” needed to be addressed, such as limiting the kinds of characters that may be entered into a computer field and keeping a detailed audit trail rather than a “last viewed by” record.
They also complained that “while the Board’s servers are properly secured in a server rack and locked in a storage room, several Board employees who do not need access to the servers have access to the storage room because it also contains the Board’s filing cabinets.  In addition, the storage room contains a large amount of paper supplies, and it lacks a fire alarm; a fire extinguisher; and alarms to monitor environmental conditions, such as room temperature, water leaks, and humidity levels.  [Law] requires state agencies to appropriately manage physical access to mission-critical information resources and protect information resources from environmental hazards,” and “the Board reports that it does not have a written disaster recovery plan in place that outlines the steps the Board would implement to minimize or quickly resume mission-critical functions as required by [law]."
TBCE reports “the agency is ensuring that its new database will have adequate application controls …. and has already begun conversations with the Health Professions Council (HPC) regarding moving the agency’s servers to the HPC Data Center.  This data center is restricted access and has the necessary fire alarms, extinguishers, and room temperature alarms.  Because cost will be a factor and it is necessary to run fiber optic cable to the agency office, this move may not take place until … 2016 …. Also, the agency is in the process of removing some of the file cabinets, as the paper files are being digitally imaged.  These file cabinets should be removed by the end of March 2015.  The rest of the paper supplies cannot be moved at this time, as there is no room in the agency’s very small office for the storage of these supplies.  A fire extinguisher is located outside of the server room, and the temperature is monitored manually by staff members. … The agency also does a Continuity of Operations Plan (COOP) that was updated in October 2014 that includes disaster recovery …. the agency will … work with HPC to test this COOP and included disaster recovery plan.  We plan to have this completed by the end of Fiscal Year 2015."
Even the regulators have regulators.