Transcript Legislative Audit Reports for Fiscal Year 2003

FY 2003 MnSCU Audits
MnSCU Audit Committee
September 17, 2003
FY 2003 Audit Contract
• 10 College Audits
– Internal Control
– Legal Compliance
• Statewide Assurances
– SCUPPS IT Review
– SEMA4 IT Review
– Certifications
Typical College Audit Scope
• Financial Management
• Tuition and Fees
• Payroll
• Administrative Expenditures
• Auxiliary Enterprises
• Excludes Federal Financial Aid
College Audits/Findings
•
Alexandria (9)
•
North Hennepin (4)
•
Anoka (7)
•
Pine (14)
•
Anoka Ramsey (6)
•
Ridgewater (3)
•
Dakota (5)
•
South Central (0)
•
Lake Superior (7)
•
Saint Paul (12)
College Audit Findings
• 67 Audit Findings
– 25 % decrease from prior audit
• Internal Audit Classification
– 9 Critical
– 35 Important
– 23 Management Discretion
Critical Findings
• Access to Computerized Business
Systems (4 colleges)
–
–
–
–
Cashiering and accounts receivable
Purchasing and accounts payable
Sharing user Ids and passwords
Access unrelated to job duties
• Reconciliations (1 college)
– Resolution of old outstanding items
Critical Findings (continued)
• Collateral (1 college)
– Compliance with statutory requirements
• Revenue and Receivables (2 colleges)
– Monitoring outstanding receivables
– Control over backdated registrations and
tuition deferments
• Study Abroad Program (1 college)
– Collection of travel fees
– Potential conflict of interest
Personnel/Payroll
• SCUPPS
– Salary and work assignments
– Biweekly transactions
– Feed transactions to SEMA4
• SEMA4
–
–
–
–
Fringe benefits
Employee deductions
Checks or bank transfer
Feed transactions to SCUPPS/Accounting
SCUPPS IT Audit
• General Controls
– Relate to all MnSCU business systems
– Focused on “Security”
• Operating system
• Application
• Database
• Application Controls
– SCUPPS processing logic
– Focused on data integrity controls
General Controls – Conclusions
• Application security adequate
• Ongoing concerns with operating
system and database security
• Substantial improvement needed
• Seven findings categorized as critical
Findings
•
No standards or procedures for access
•
Unnecessary and excessive privileges
•
Some programs not properly secured
•
Several users can alter critical data from
uncontrolled environments
•
Ineffective password management
•
Ineffective monitoring of security-related
events
•
Interface files not secured during transmission
Application Controls - Conclusions
• SCUPPS accurately processed data
• Few preventive controls, emphasis on
detective controls
• Three findings, one critical
– Improved monitoring of human resource
transactions entered directly into SEMA4
– Computerized edits could improve data
integrity
– Improved automation for faculty leave