MnSCU Audit Reports Presentation to the MnSCU Audit Committee Office of the Legislative Auditor September 21, 2004.


1 MnSCU Audit Reports Presentation to the MnSCU Audit Committee Office of the Legislative Auditor September 21, 2004

2 Today’s Agenda
Information technology audits
  –Presented by Eric Wion, IT Audit Director
Internal control and compliance audits of selected colleges
  –Presented by Jim Riebe, Audit Manager

3 Why Audit Technology?
Computer systems process and house data that is vital to MnSCU’s operations
  –Integrity – inaccurate or incomplete data can lead to improper decisions
  –Confidentiality – unauthorized disclosures can have significant legal implications and undermine public trust
  –Availability – administrators and students now rely on 24/7 access
Commercial products have many well-publicized vulnerabilities and are a prime target for hackers
Audits provide management and the board an independent assessment of controls

4 Most Recent Audits
Data Warehouse Controls
Degree Audit Reporting and Course Applicability Systems (DARS and CAS)
Information Technology Security Follow-up
4th audit that has focused on ISRS security controls

5 The Big Picture
Progress has been made to resolve audit findings
  –2 Resolved
  –2 Significantly Resolved
  –4 Partially Resolved
Shortcomings still exist

6 Insufficient Security Planning
No comprehensive security program
  –IT risks not assessed organization-wide
  –Insufficient security staff
  –Reactive, rather than proactive
  –Excessive reliance on key IT professionals
Underlying cause of security findings

7 Documentation Shortcomings
Lack of documentation causes a security infrastructure to erode over time
Knowledgeable staff may leave
Remaining people are afraid to touch anything security-related

8 Inappropriate Access
People have security clearances that they do not need to fulfill their job duties
  –Information technology professionals given excessive security clearances
  –Software products have powerful security clearances that are not needed
*Our follow-up audit found significant improvement

9 Server Configuration Weaknesses
Unnecessary “services”, often susceptible to exploit, have not been removed
Security-related software patches have not been applied

10 Weak Authentication Processes
Strong password controls not enforced
Unencrypted passwords sent over networks or stored in files

11 Inadequate Monitoring
Security-related events not defined, logged, or reviewed
Compliance monitoring responsibilities not properly defined
  –Information technology professionals
  –Security staff
  –Consultants
  –Internal and external auditors
Vulnerability assessment tools not deployed

12 Staffing Issues
Often unclear who is responsible for making critical security decisions or performing critical security duties
Insufficient number of staff dedicated to security

13 What Can A Trustee Do?
Make security a priority
Help management obtain more trained security professionals
Encourage management to
  –Adopt a formal security framework or model
  –Assess risks and document detailed security policies, procedures, and standards for all major systems
  –Utilize tools to monitor security and perform vulnerability assessments
Ascertain that management has put processes, technology and assurance in place for information security

14 IT Audits - Q & A

15 Audits of Selected Colleges
Audit Objectives
  –Internal control
      Safeguarding assets
      Accuracy of accounting information
  –Compliance with significant legal provisions
      State statutes
      Bargaining unit provisions
      Board policies
      Contract provisions

16 Audits of Selected Colleges
Audit Scope
  –Two or three year period ended June 30, 2003
  –Limited program areas including
      Computer system access
      Tuition and fees
      Payroll
      Administrative expenditures

17 Audits of Selected Colleges
Colleges Audited
  –Central Lakes (2 year audit)
  –Hibbing (3 year audit)
  –Inver Hills (3 year audit)
  –Itasca (2 year audit)
  –Normandale (2 year audit)
  –Riverland (3 year audit)
  –St. Cloud Technical College (3 year audit)

18 Overall Conclusion
Colleges included in our scope generally:
  –Safeguarded assets
  –Correctly recorded financial activity
  –Complied with significant legal provisions

19 Key Finding
Certain colleges need to ensure that access to computerized business systems is adequately restricted (3 colleges)

20 Other Findings
Lack of adequate documentation supporting backdated registrations (2 colleges)
Incompatible duties over payroll/personnel data entry
Noncompliance with contracting and bidding requirements
Noncompliance with board policy requiring written tuition waiver guidelines (3 colleges)

21 Questions

