FY 2003 MnSCU Audits
MnSCU Audit Committee
September 17, 2003
FY 2003 Audit Contract
• 10 College Audits
– Internal Control
– Legal Compliance
• Statewide Assurances
– SCUPPS IT Review
– SEMA4 IT Review
– Certifications
Typical College Audit Scope
• Financial Management
• Tuition and Fees
• Payroll
• Administrative Expenditures
• Auxiliary Enterprises
• Excludes Federal Financial Aid
College Audits/Findings
• Alexandria (9)
• Anoka (7)
• Anoka Ramsey (6)
• Dakota (5)
• Lake Superior (7)
• North Hennepin (4)
• Pine (14)
• Ridgewater (3)
• South Central (0)
• Saint Paul (12)
College Audit Findings
• 67 Audit Findings
– 25% decrease from prior audit
• Internal Audit Classification
– 9 Critical
– 35 Important
– 23 Management Discretion
Critical Findings
• Access to Computerized Business Systems (4 colleges)
– Cashiering and accounts receivable
– Purchasing and accounts payable
– Sharing user IDs and passwords
– Access unrelated to job duties
• Reconciliations (1 college)
– Resolution of old outstanding items
Critical Findings (continued)
• Collateral (1 college)
– Compliance with statutory requirements
• Revenue and Receivables (2 colleges)
– Monitoring outstanding receivables
– Control over backdated registrations and tuition deferments
• Study Abroad Program (1 college)
– Collection of travel fees
– Potential conflict of interest
Personnel/Payroll
• SCUPPS
– Salary and work assignments
– Biweekly transactions
– Feed transactions to SEMA4
• SEMA4
– Fringe benefits
– Employee deductions
– Checks or bank transfer
– Feed transactions to SCUPPS/Accounting
SCUPPS IT Audit
• General Controls
– Relate to all MnSCU business systems
– Focused on “Security”: operating system, application, database
• Application Controls
– SCUPPS processing logic
– Focused on data integrity controls
General Controls – Conclusions
• Application security adequate
• Ongoing concerns with operating system and database security
• Substantial improvement needed
• Seven findings categorized as critical
Findings
• No standards or procedures for access
• Unnecessary and excessive privileges
• Some programs not properly secured
• Several users can alter critical data from uncontrolled environments
• Ineffective password management
• Ineffective monitoring of security-related events
• Interface files not secured during transmission
Application Controls – Conclusions
• SCUPPS accurately processed data
• Few preventive controls, emphasis on detective controls
• Three findings, one critical
– Improved monitoring of human resource transactions entered directly into SEMA4
– Computerized edits could improve data integrity
– Improved automation for faculty leave