Kristina Turner CPA, CISA, MMIS University System of Georgia RACAR – Macon State College April 13, 2011.

Presentation transcript:

Audit Request List
Frozen Tables
BOR Auditing Tool Kit
Information Technology Controls
  Definitions
  Differences
  General Controls
    Categories
    Examples


Updated List
Added to the DOAA Website each fiscal year
Navigation from Home Page:
  Information/Resources
  State Government Resources
  College/University Resources
  2009_Updated_Auditors_Request_List.xls


Historically the following tables have been frozen at the end of each fiscal year:
TBBDETC
TBBCTRL
TBBEACT
TBBTBDS
TBRACCD
TBRACCT
TBRAPPL
TBRDEPO
TBRMISD
TBBETBD

The ZURGFTT table alone will meet the needs of the auditor IF the institution maintains detail for the entire fiscal year.
SPRIDEN does not need to be frozen at the end of the fiscal year. However, the auditors will request the following fields: PIDM, LAST_NAME, FIRST_NAME, MI

BANNER is the system of record for receivables.
The selected tables include the transaction level detail for all items recorded on the Financial Statements.
The auditor will use this data to select samples, review transactions, perform analytical procedures, and carry out various other audit tasks.

Requests for Frozen Tables are initiated by the Atlanta office. Typically the requests are made to those institutions receiving an audit.
The tables are submitted to DOAA through our Secure File Transfer System. DOAA removes the tables from the File Transfer System upon receipt.

Tables are imported into DOAA Data Warehouse; all data is stored securely and is encrypted.
Queries are run against the data by EAD IT Personnel.
Output files are used by auditors for testing.

Questions related to the output files can be sent to Atlanta – or


Useful Scripts for EAD
Listing of Detail Codes
Listing of Term Codes
Fee Assessment Rules
Listing of Cashiers and Supervisors
Listing of Supervisors and Restricted Users
Listing of All Users with Access to AR Objects, Including Class & Roles
List of Users with Access to TAISMGR Objects at the Database Level
List of Users with Permission to Access Specific Objects in the Database
TGRRCON


Controls in place to ensure data’s:
  confidentiality
  integrity
  availability

Midlands Technical College warned employees last month that a flash drive containing some of their personal information was taken from a human resources office at the college. The flash drive, since returned — without the personal data it previously held — could compromise the personal information of some of the college’s 500 employees. But Midlands Tech spokesman Todd Gavin said no problems have been reported by employees so far…. The security breach at Midlands Tech is the second acknowledged by an area college or university in the last week. The University of South Carolina warned employees earlier this month that a breach of computers at its Sumter campus exposed the personal information of 31,000 faculty, staff, retirees and students system-wide.

Missouri State University officials are notifying 6,030 College of Education students that their social security numbers may have been compromised as a result of an internal security breach. In October and November 2010, in preparation for an accreditation, the College of Education prepared lists of students by semester. The lists, which included social security numbers, were for nine semesters between 2005 and 2009 (fall, spring, summer). A list was created for each semester, so there were nine lists. The lists were prepared in electronic format in October and November 2010 to be available on secure servers to the College of Education personnel working on the accreditation, as well as the accreditation team. Unfortunately, these lists of names were posted in October/November 2010 on an unsecured server. As a result, all nine lists ended up on Google. In all, 6,030 names with social security numbers were compromised and posted on the web.

Those still lining up for free cheese fries and mozzarella sticks after dinner are in for a bitter surprise. Last week Dining Services discovered the glitch in their system that for the past few months had granted students snack bar points even if they had already swiped for dinner, a mishap that students were quick to take advantage of as word swiftly spread across campus. The problem was fixed on Sunday, and 45 students were turned away from snack bar that evening when trying to swipe after dinner. In August and again in December, Dining Services updated its food accounting system, a program that controls at what time students can swipe for meal points, and believes that the error occurred during this process. A mishap during the upgrade altered the equivalency time, essentially allowing students to use their dinner points from the following day’s meals. As the next day’s meals were always accessible on any given day, students were granted dinner equivalency at snack bar regardless of their meal consumption that day. Abayasinghe did not yet calculate the total loss in revenue from the additional snack bar points, but acknowledged that it may be significant.

“Payroll has failed to take out medical and dental deductions from 6 paychecks so far upon starting employment. They claimed it was computer error, and state the money is retroactive. Why should the employee be liable for a company/computer error? I feel the company should eat the fees and make sure the deductions are taken out going forward. Am I wrong? Do I have a fight? This is well over ” ~Question from Employee on Business Forum

§ 60 IT also poses specific risks to an entity's internal control, including:
1. Reliance on systems or programs that are processing data inaccurately, processing inaccurate data, or both.
2. Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions.
3. Unauthorized changes to data in master files.

§ 60 IT also poses specific risks to an entity's internal control, including:
4. Unauthorized changes to systems or programs.
5. Failure to make necessary changes to systems or programs.
6. Inappropriate manual intervention.
7. Potential loss of data or inability to access data as required.

Integrated Approach – Technology Risk & Assurance Division and Education Audit Division
TRA addresses IT General Controls significant to the CAFR:
  PeopleSoft FN
  PeopleSoft HCM or ADP
  P-Card Works (SAS 70 Review)
  BANNER Model maintained by ITS
EAD addresses entity level controls and application (business process) controls related to BANNER

Two Categories
General Controls: “Represent the foundation of the IT control structure. They ensure the reliability of data generated by IT systems and support the assertion that systems operate as intended and that output is reliable.” (Wikipedia)
Application Controls: “Fully-automated [controls] designed to ensure the complete and accurate processing of data from input through output.” (Wikipedia)

General controls support the continued effectiveness of applications.
Application controls support the continued effectiveness of business processes.

Categories of General Controls
  Logical Access
  Change Management
  IT Operations

Controls designed to manage access to applications based on business need.
“An entity must then establish sound policies and procedures for granting authorized users access while simultaneously protecting itself from unauthorized access.”
Mitigating IT Risks for Logical Access, ISACA Journal, Tommie W. Singleton, Ph.D., CISA, CGEIT, CITP, CMA, CPA

General System Security Settings
Password Settings
Access to privileged IT functions is limited to appropriate individuals
Access to system resources and utilities is limited to appropriate individuals
User Access is authorized and appropriately established
Physical access to computer hardware is limited to appropriate individuals
Segregation of duties exists within the logical access environment.

Firewall
Anti-Virus Software
Malware & Spyware
Auto Updates
Time Out of Session
Re-authentication
Encryption
Security Questions
Password Settings
  Minimum Length (6-8 char)
  Initial Log-on One Time Password
  Password composition (alphanumeric / special characters)
  Frequency of forced changes
  Locked Accounts
  Idle Session Time Out
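A review of a constructed settings profile against the criteria on this slide, written as an added example rather than code from the presentation: the weak profile is shown beside a profile that meets the baseline. The settings layout and every threshold except the 6-8 character minimum length are assumptions.

```python
"""Review of general system security / password settings (added example).
Settings layout and all thresholds except the 6-char minimum are assumed."""

# Constructed profile carrying the weak settings an auditor would flag.
WEAK_SETTINGS = {
    "min_password_length": 4,
    "initial_password_one_time": False,
    "alphanumeric_and_special_required": False,
    "max_password_age_days": 0,          # 0 = changes never forced
    "lockout_after_failed_attempts": 0,  # 0 = accounts never locked
    "idle_session_timeout_minutes": 0,   # 0 = sessions never time out
    "reauthenticate_after_timeout": False,
}

# Constructed profile that meets the baseline used below.
HARDENED_SETTINGS = {
    "min_password_length": 8,
    "initial_password_one_time": True,
    "alphanumeric_and_special_required": True,
    "max_password_age_days": 90,
    "lockout_after_failed_attempts": 5,
    "idle_session_timeout_minutes": 15,
    "reauthenticate_after_timeout": True,
}

def review_security_settings(s, *, min_length=6, max_age_days=90,
                             max_failed=5, max_idle_minutes=15):
    """Return a list of findings; an empty list means the profile meets the
    baseline. Thresholds other than min_length are assumed values."""
    findings = []
    if s["min_password_length"] < min_length:
        findings.append(f"minimum length {s['min_password_length']} < {min_length}")
    if not s["initial_password_one_time"]:
        findings.append("initial log-on password is not one-time")
    if not s["alphanumeric_and_special_required"]:
        findings.append("no composition rule (alphanumeric / special characters)")
    if not 0 < s["max_password_age_days"] <= max_age_days:
        findings.append(f"forced change interval not within {max_age_days} days")
    if not 0 < s["lockout_after_failed_attempts"] <= max_failed:
        findings.append(f"accounts not locked within {max_failed} failed attempts")
    if not 0 < s["idle_session_timeout_minutes"] <= max_idle_minutes:
        findings.append(f"idle sessions not timed out within {max_idle_minutes} minutes")
    elif not s["reauthenticate_after_timeout"]:
        findings.append("timed-out sessions resume without re-authentication")
    return findings

if __name__ == "__main__":
    for name, profile in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, review_security_settings(profile) or "meets baseline")
```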

Security Administrators
  Full Access
Access to System Utilities / Resources
  Database tools
  SQL Tools
  Crystal Reports

Initiation of Access Request
  Standard access request forms
  Standard requests by business role
Approval of Access Requests
  Supervisor
Periodic Monitoring of Access & Access Logs
Removal of Access
  Termination
  Transfers

Access to Data Center
Access to Hardware
Fire Suppression
Temperature Control
UPS (uninterruptible power supply)

Performance of the following roles should be separate:
  Requesting Access
  Approving Access
  Setting Up Access
  Monitoring Access & Violations
  Performing the rights of a privileged user
  Monitoring the privileged user

Changes to the application are:
  Authorized
  Tested
  Approved
  Monitored
Segregation of Duties within Change Management Functions

Types of Changes
  Updates
  Functionality Changes vs. Report Changes
  Bugs
Procedures
  Required Approvals
  Required Testing
  Required Documentation
Monitoring
  Ensure these procedures are operating effectively

Performance of the following roles should be separate:
  Request / approval of program development or program change
  Development
  Test the change
  Move the programs in and out of production
  Monitor program development and changes
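The segregation-of-duties test behind this slide and the logical access slide above, as an added example that is not code from the presentation: it parses a user/role extract of the kind the "users with access ... including class & roles" scripts produce and reports every pair of incompatible duties held by one person. The role names, user names and CSV layout are assumptions.

```python
"""Segregation-of-duties check over a constructed user-role extract (added
example). Role names, users and the CSV layout are assumptions."""
import csv
from io import StringIO
from itertools import combinations

# Each set holds duties the slides say must be performed by different people,
# so any two of them held by the same user is a finding.
SOD_AREAS = {
    "logical access": {
        "request_access", "approve_access", "setup_access",
        "monitor_access", "privileged_user", "monitor_privileged_user",
    },
    "change management": {
        "request_or_approve_change", "develop_change", "test_change",
        "migrate_to_production", "monitor_changes",
    },
}

# Constructed extract in the shape of a "users with roles" listing.
SAMPLE_EXTRACT = """\
user,role
asmith,request_access
asmith,setup_access
bjones,approve_access
cdoe,develop_change
cdoe,migrate_to_production
cdoe,monitor_changes
ewong,privileged_user
fkhan,monitor_privileged_user
"""

def load_roles(text):
    """Parse a user,role CSV into {user: set(roles)}."""
    roles = {}
    for row in csv.DictReader(StringIO(text)):
        roles.setdefault(row["user"].strip(), set()).add(row["role"].strip())
    return roles

def sod_findings(roles_by_user):
    """Return (user, area, role_a, role_b) for every pair of incompatible
    duties held by the same user, sorted for stable reporting."""
    findings = []
    for user, roles in roles_by_user.items():
        for area, duties in SOD_AREAS.items():
            for a, b in combinations(sorted(roles & duties), 2):
                findings.append((user, area, a, b))
    return sorted(findings)

if __name__ == "__main__":
    for user, area, a, b in sod_findings(load_roles(SAMPLE_EXTRACT)):
        print(f"{user}: {area} conflict ({a} + {b})")
```

Users holding only one duty in an area (bjones, ewong, fkhan) produce no finding; cdoe's three change-management duties produce three pairwise findings.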

Financial data is backed-up and recoverable
Deviations from scheduled processing are identified and resolved in a timely manner
IT operations problems or incidents are identified, resolved, reviewed, and analyzed in a timely manner

Procedures should include:
  Format
  Frequency and Retention Period
  Location (on-site or off)
  Testing
  Monitoring

Disaster Recovery
  Returning to “normal” operations
  Vendors for Equipment
  Restoration Procedures
  Key Personnel and Alternate Processes

Batch Processes
Back-up Processes
Procedures should include:
  Responsible official
  Monitoring Process
  Identification & Resolution Procedures
  Documentation Requirements

Procedures for ensuring IT issues are resolved in a timely manner include:
  Process for alerting key officials of a problem
  Method for analysis
  Resolution procedures
  Review of the resolution

Questions?