Auditing Banner

Karen Helderman

Kyle Webb

October 3, 2013

What is Banner

• Commercially available administrative application suite for higher education institutions.

• Similar to PeopleSoft and Oracle e-Business Suite, but specifically designed for higher education. It includes higher education specific modules such as financial aid.

Banner Features

• Dozens of modules

• Hundreds of screens (forms) per module

• Obtaining a user manual is difficult

• Training for auditors is non-existent

• Like PeopleSoft or Oracle, identifying key application controls requires extensive reading and walk-throughs.

Key Internal Controls

• Auditing Standards require the auditor to identify the key internal controls used by the university to ensure that:

1. Assets and liabilities exist and transactions actually occurred.

2. Transactions that should have been recorded are actually recorded.

3. Transactions are recorded at the proper amount.

4. Transactions are in the correct accounting period.

5. Transactions are recorded in the proper account.

• Banner is delivered with many internal controls and the auditor may request Internet Native Banner (INB) access to review screens (called “forms”) and understand how the university is using Banner features.

Examples

• Management defines the accounting period within Banner and the system automatically assigns transactions to the proper accounting period (Key Internal Control 4).

• Management loads the Board of Visitor approved rates into Banner and the system automatically charges the student each semester based on student criteria and registration info (Key Internal Controls 3 & 5).

Disclaimer

• The non-use of Banner functionality does not mean the University does not have internal controls, but rather that the controls may exist outside of Banner (i.e. manual or in another system).

• When the auditor finds Banner functionality not being used, the auditor will ensure he/she understands internal controls over the alternative process.

Banner Finance

• FTMCOAS (Chart of Accounts Code Maintenance Form) – auditor may examine to understand what accounts may have been added or changed since prior period. The auditor may review COA mapping for new and altered accounts.

• FTMRUCL (Rules Maintenance Form) – auditor may examine to understand if any new rules have been added to Banner and inquire as to why.

• FTMFSYR (Fiscal Year Maintenance Form) – examined to determine that the proper fiscal year period is defined.

• FOASYSC (System Control Maintenance Form) – examined to determine how approval processing (bypass, explicit, or implicit) is set for various document types, whether Non-Sufficient Funds (NSF) checking is used, and whether procurement document matching occurs in Banner.

• FGAENCB (Encumbrance/Reservation Maintenance Form) – this form allows the university to encumber funds outside of the purchasing process. This form also allows the university to turn off NSF checking for these items. Auditor will check to see if this is occurring because this would override the previous control (FOASYSC) if management chose to require NSF checking.

• FTMCARD (Purchase Card Maintenance Form) – auditor will look to verify that purchase card numbers are not stored in this form.

• FAICARD (Purchase Card Query Form) – this query displays purchase card numbers if they are stored in FTMCARD. If so, access should be limited.

• FOMPROF (User Profile Maintenance Form) – auditor is concerned with who has access to this form because they can change user profiles. In this form the administrator can also set up flags to ensure compliance with university policy. For example, they can allow NSF override authority, invoice overage tolerances, receiving overrides and tolerances, etc.

• FAARUIV (Recurring Payables Form) – auditor will establish whether the university uses the feature which can create efficiencies in areas such as lease or rent payments.

• FGIJVCD (List of Suspended Journal Voucher Form) – auditor may use this online query to search for pending journal vouchers that did not post properly before year end and propose adjusting journal entries if material.

• FGRTBEX (Trial Balance Exception Report) – auditor may ask if management is running this report to identify out-of-balance conditions.

• FGRTRNR (Transaction Error Report) – auditor may discuss this report with management and how frequently it is run, the types of errors typically discovered, and how the errors are resolved.

• FAIIREC (Receiving/Matching Status Query Form) – the auditor may run this query to consider the quantity and age of invoices awaiting receipt of goods. This could assist in identifying payables (AP) that need accrual because the goods were actually received by the financial statement date but were not recorded in the system in a timely manner.

• FTMVEND (Vendor Maintenance Form) – auditor will examine who has modify access to this form since these individuals can add vendors and change vendor information such as mailing address.

• FTMSHIP (Ship to Address Maintenance Form) – the concern is access, since a user can add an inappropriate shipping address. The auditor can review addresses to ensure they appear reasonable for the campus locations, or set up a data match to employee addresses in the payroll system.

• FPARCVD (Receiving Goods Form) – using receiving within Banner ensures the three-way match will work properly. Access to this form should be limited to appropriate users.

• FAAPAYC (Payment Control Form) – users with access to this form can remove AP holds on invoices, thereby overriding system controls.

Banner Student

• SOATERM (Term Control Form) – auditor will use this form to understand the term days and also when fee assessment occurred.

• SFARGFE (Registration Fee Assessment Rules Form) – auditor will review that tuition and fee rates per term agree to approved rates. Auditor will also look for limited update access to this form.

• SLALMFE (Room/Meal/Phone Rate Code Rules Form) – auditor may determine if rates agree to approved rates. Auditor may also ask about third party systems that handle housing and meal plans.

• SOAHOLD (Hold Information Form) – auditor will be interested in access to this form since users can manually release holds.

• SFARFND (Registration Fee Assessment Refund by Total Rules Form) – auditor may examine access to this form since users can modify rules regarding how student refunds are handled.

Efficiency Recommendations

• After the auditor understands how the university is using Banner, the auditor may make recommendations to use Banner functionality in lieu of other processes to improve efficiency. Examples include:

– Use Fixed Asset Module rather than a separate system
– Use recurring AP feature for leases
– Consider using Banner workflow/approvals
– Use encumbrance feature rather than manual budget checking
– Use three-way match feature rather than matching paper invoices, receiving reports and purchase orders

Review of User Access

• After understanding modules and processes used by the University, we will typically perform a user access review

• We prefer that the University perform this review and we verify their control is working properly; however, a typical annual user access review is inadequate.

• Managers usually receive a listing of staff having access to their system and perhaps their role

• To be thorough, Managers need comprehensive information about their staff including roles granted in other departments and the forms they can access by virtue of their role. Also indirect access may compromise “roles”

• Our review slices and dices users, roles, and forms in many ways.

User Access Reviews

• Gain an understanding of the modules in use

• How does the University use Banner?

• How does University review user access?

• Is the review adequate and reasonable?

• Development of Audit Tool

Gain an Understanding of Modules in Use

• What modules has the University purchased?

• Many schools don’t use all modules
– Payroll
– Fixed Assets
– Human Resources

• For purpose of reviews, all access to unused modules is likely irrelevant

• Access granted to unused modules
– Evidence of control environment
– Makes management’s review more difficult

How does the University use Banner?

• What actions in Banner are critical?
– Journal Entries
– Approvals
– Purchases
– Holds

• Does the university rely on Banner approval controls?
– Supported or replaced by hardcopy?
– What are the controls external to Banner?

• Once critical processes are determined, then you can review access to those processes

How does the University Review Access?

1. Is there a regular review of access?

2. Is it performed by competent data owners?

3. Is it sufficient?

Is the review sufficient?

• Do you speak Banner?

• Here’s a quick overview….

Naming Convention

FGAJVCQ

• Position 1 – Identifies the Banner system owning the form, report, process or table

• Position 2 – Identifies the module owning the form, report, process or table

• Position 3 – Identifies the type of form, report, process or table

• Position 4 – Identifies a unique four-character code for the form, report, process or table

Roles

• BAN_DEFAULT_M
– Maintenance or “Update” access
– This is the focus of the review

• BAN_DEFAULT_Q
– Read-only access
– Be aware of sensitive information

Understanding the Hierarchy of Access

User → Group → Class → Object (Screen) → Role (Q vs M)

Great News! The Hierarchy doesn’t matter!

Is the University’s review adequate?

• All that matters is User, Role, and Object (Screen)

• User = Who? (JDSMITH)

• Role = Maintenance vs. Query (BAN_DEFAULT_M)

• Object = What process or action (SFARGFE)

• Everything else is for efficiency in granting access, not reviewing

Common Problems

• There is no formalized review

• Review is infrequent (once every year or 2 years)

• Review is limited to Users by Class
– JSMITH has the AR_SUPERVISOR Class. JSMITH is a supervisor in Accounts Receivable. Review done.
– Fails to consider conflicting screens within class, or across classes, or reasonableness of access within class
– Also doesn’t consider “Direct” Access

This is why class/group style reviews are ineffective

The “Class” has no meaning

User → Group → Class → Object (Screen) → Role (M vs Q)

So What do we do?

Obtain the GUVUACC table view from Banner

(This is a view of the GURUACC Table)

It should contain the following fields:

1. TYPE

2. USER

3. OBJECT

4. ROLE

5. CLASS

6. GROUP

7. RANK

It can be a big table: 200k to 1 million records.

1. Develop a Banner Form “Information Table” for Critical Roles.

2. Create Conflict Matrix for known segregation of duties problems.

3. Then Import all 3 tables into Access

Develop Table of Critical Roles (Example)

• Banner Form (FTMVEND)

• Form Name (Vendor Maintenance Form)

• Description (Use this form to add, change, or terminate vendor information)

• Audit Consideration (Access to this form should be limited to the accounts payable staff)

Create Conflict Matrix

Form 1     Form 2
FTMVEND    FAAINVE
FAAINVE    FOAUAPP
FAAINVE    FOAAINP
FGAJVCD    FOAUAPP
FGAJVCQ    FOAUAPP
FGAJVCM    FOAUAPP
FGAJVCD    FOAAINP

Banner Tool

• Allows Vertical “Silo” Review
– Is this access reasonable for the employee?
– Is the number of people with access to this Object reasonable?

FGAJVCD: JDOE, JSMITH

SFARGFE: JSMITH, FJOHNSON, TPAYNE, LWILLIAMS

SOAHOLD: TWILLIAMS, JDOE, 275 others

• Allows for Horizontal (Cross-object) review for conflicts

FGAJVCD: JDOE, JSMITH, BFAVRE

FOAUAPP: TWILLIAMS, JDOE, ESMITH
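
An added example, not part of the original slides or the presenters' tool: one way to run the vertical and horizontal reviews over a GUVUACC export in Python rather than Access. The CSV header names follow the slide's field list; the sample rows, the TYPE values, and the class and group names are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a GUVUACC export (illustrative, not real data).
# Header names follow the field list on the slide; the TYPE, CLASS and
# GROUP values are made-up placeholders.
GUVUACC_CSV = """\
TYPE,USER,OBJECT,ROLE,CLASS,GROUP,RANK
CLASS,JDOE,FGAJVCD,BAN_DEFAULT_M,GL_ENTRY,FIN_GRP,1
CLASS,JDOE,FGAJVCD,BAN_DEFAULT_M,GL_SUPER,FIN_GRP,2
CLASS,JDOE,FOAUAPP,BAN_DEFAULT_M,APPROVER,FIN_GRP,1
CLASS,JSMITH,FGAJVCD,BAN_DEFAULT_M,GL_ENTRY,FIN_GRP,1
CLASS,JSMITH,FOAUAPP,BAN_DEFAULT_Q,FIN_QUERY,FIN_GRP,1
CLASS,BFAVRE,FGAJVCD,BAN_DEFAULT_M,GL_ENTRY,FIN_GRP,1
CLASS,TWILLIAMS,FOAUAPP,BAN_DEFAULT_M,APPROVER,FIN_GRP,1
CLASS,ESMITH,FOAUAPP,BAN_DEFAULT_M,APPROVER,FIN_GRP,1
DIRECT,ESMITH,FAAINVE,BAN_DEFAULT_M,,,1
"""

# Conflict matrix exactly as listed on the slide (Form 1, Form 2).
CONFLICTS = [
    ("FTMVEND", "FAAINVE"), ("FAAINVE", "FOAUAPP"), ("FAAINVE", "FOAAINP"),
    ("FGAJVCD", "FOAUAPP"), ("FGAJVCQ", "FOAUAPP"), ("FGAJVCM", "FOAUAPP"),
    ("FGAJVCD", "FOAAINP"),
]

def load_rows(text):
    """Parse the export into one dict per row, keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))

def effective_access(rows, role="BAN_DEFAULT_M"):
    """Flatten the hierarchy: object -> set of users holding `role` on it,
    regardless of which class, group or direct grant supplied it."""
    access = defaultdict(set)
    for row in rows:
        if row["ROLE"] == role:
            access[row["OBJECT"]].add(row["USER"])
    return access

def vertical_review(access):
    """Silo view: for each object, the sorted list of users who hold it."""
    return {obj: sorted(users) for obj, users in sorted(access.items())}

def horizontal_review(access, conflicts):
    """Cross-object view: users holding both forms of a conflicting pair."""
    findings = []
    for form1, form2 in conflicts:
        both = access.get(form1, set()) & access.get(form2, set())
        findings.extend((user, form1, form2) for user in sorted(both))
    return findings

if __name__ == "__main__":
    access = effective_access(load_rows(GUVUACC_CSV))
    for obj, users in vertical_review(access).items():
        print(f"{obj}: {len(users)} user(s) with maintenance access: {users}")
    for user, form1, form2 in horizontal_review(access, CONFLICTS):
        print(f"CONFLICT {user}: {form1} + {form2}")
```

In the constructed data, ESMITH's conflict arises from a direct grant combined with a class grant, which a review by class alone would not surface.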

The Results

What’s Next?

• We have used our tool so far for 2 universities

• Met with Management, and IT

• Agreed that their process was inadequate

• Agreed to implement changes to make their reviews more efficient and effective
– Eliminating unused module access
– Reviewing by object, not class
– Training business owners on proper reviewing
– Increasing accountability, formalizing process

Banner Audit Tool Demonstration

• Here is what it looks like:

Q & A

Karen Helderman

Kyle Webb
