FY 2003 MnSCU Audits MnSCU Audit Committee September 17, 2003
FY 2003 Audit Contract 10 College Audits –Internal Control –Legal Compliance Statewide Assurances –SCUPPS IT Review –SEMA4 IT Review –Certifications
Typical College Audit Scope Financial Management Tuition and Fees Payroll Administrative Expenditures Auxiliary Enterprises Excludes Federal Financial Aid
College Audits/Findings Alexandria (9) Anoka (7) Anoka Ramsey (6) Dakota (5) Lake Superior (7) North Hennepin (4) Pine (14) Ridgewater (3) South Central (0) Saint Paul (12)
College Audit Findings 67 Audit Findings –25 % decrease from prior audit Internal Audit Classification – 9 Critical –35 Important –23 Management Discretion
Critical Findings Access to Computerized Business Systems (4 colleges) –Cashiering and accounts receivable –Purchasing and accounts payable –Sharing user Ids and passwords –Access unrelated to job duties Reconciliations (1 college) –Resolution of old outstanding items
Critical Findings (continued) Collateral (1 college) –Compliance with statutory requirements Revenue and Receivables (2 colleges) –Monitoring outstanding receivables –Control over backdated registrations and tuition deferments Study Abroad Program (1 college) –Collection of travel fees –Potential conflict of interest
Personnel/PayrollPersonnel/Payroll SCUPPS –Salary and work assignments –Biweekly transactions –Feed transactions to SEMA4 SEMA4 –Fringe benefits –Employee deductions –Checks or bank transfer –Feed transactions to SCUPPS/Accounting
SCUPPS IT Audit General Controls –Relate to all MnSCU business systems –Focused on “Security” Operating system Application Database Application Controls –SCUPPS processing logic –Focused on data integrity controls
General Controls – Conclusions Application security adequate Ongoing concerns with operating system and database security Substantial improvement needed Seven findings categorized as critical
FindingsFindings No standards or procedures for access Unnecessary and excessive privileges Some programs not properly secured Several users can alter critical data from uncontrolled environments Ineffective password management Ineffective monitoring of security-related events Interface files not secured during transmission
Application Controls - Conclusions SCUPPS accurately processed data Few preventive controls, emphasis on detective controls Three findings, one critical –Improved monitoring of human resource transactions entered directly into SEMA4 –Computerized edits could improve data integrity –Improved automation for faculty leave