FY 2003 MnSCU AuditsFY 2003 MnSCU AuditsFY 2003 MnSCU AuditsFY 2003 MnSCU Audits

MnSCU Audit Committee

September 17, 2003

FY 2003 Audit ContractFY 2003 Audit ContractFY 2003 Audit ContractFY 2003 Audit Contract

• 10 College Audits– Internal Control

– Legal Compliance

• Statewide Assurances– SCUPPS IT Review

– SEMA4 IT Review

– Certifications

Typical College Audit ScopeTypical College Audit ScopeTypical College Audit ScopeTypical College Audit Scope

• Financial Management

• Tuition and Fees

• Payroll

• Administrative Expenditures

• Auxiliary Enterprises

• Excludes Federal Financial Aid

College Audits/FindingsCollege Audits/FindingsCollege Audits/FindingsCollege Audits/Findings

• Alexandria (9)

• Anoka (7)

• Anoka Ramsey (6)

• Dakota (5)

• Lake Superior (7)

• North Hennepin (4)

• Pine (14)

• Ridgewater (3)

• South Central (0)

• Saint Paul (12)

College Audit FindingsCollege Audit FindingsCollege Audit FindingsCollege Audit Findings

• 67 Audit Findings– 25 % decrease from prior audit

• Internal Audit Classification– 9 Critical

– 35 Important

– 23 Management Discretion

Critical FindingsCritical FindingsCritical FindingsCritical Findings

• Access to Computerized Business Systems (4 colleges)– Cashiering and accounts receivable

– Purchasing and accounts payable

– Sharing user Ids and passwords

– Access unrelated to job duties

• Reconciliations (1 college)– Resolution of old outstanding items

Critical Findings (continued)Critical Findings (continued)Critical Findings (continued)Critical Findings (continued)

• Collateral (1 college)– Compliance with statutory requirements

• Revenue and Receivables (2 colleges)– Monitoring outstanding receivables

– Control over backdated registrations and tuition deferments

• Study Abroad Program (1 college)– Collection of travel fees

– Potential conflict of interest

Personnel/PayrollPersonnel/PayrollPersonnel/PayrollPersonnel/Payroll

• SCUPPS– Salary and work assignments

– Biweekly transactions

– Feed transactions to SEMA4

• SEMA4– Fringe benefits

– Employee deductions

– Checks or bank transfer

– Feed transactions to SCUPPS/Accounting

SCUPPS IT AuditSCUPPS IT AuditSCUPPS IT AuditSCUPPS IT Audit

• General Controls– Relate to all MnSCU business systems

– Focused on “Security”• Operating system• Application• Database

• Application Controls– SCUPPS processing logic

– Focused on data integrity controls

General Controls – ConclusionsGeneral Controls – ConclusionsGeneral Controls – ConclusionsGeneral Controls – Conclusions

• Application security adequate

• Ongoing concerns with operating system and database security

• Substantial improvement needed

• Seven findings categorized as critical

FindingsFindingsFindingsFindings

• No standards or procedures for access

• Unnecessary and excessive privileges

• Some programs not properly secured

• Several users can alter critical data from uncontrolled environments

• Ineffective password management

• Ineffective monitoring of security-related events

• Interface files not secured during transmission

Application Controls - ConclusionsApplication Controls - ConclusionsApplication Controls - ConclusionsApplication Controls - Conclusions

• SCUPPS accurately processed data

• Few preventive controls, emphasis on detective controls

• Three findings, one critical– Improved monitoring of human resource

transactions entered directly into SEMA4

– Computerized edits could improve data integrity

– Improved automation for faculty leave