The Texas A&M University System Internal Audit Department MONTHLY AUDIT REPORT


MONTHLY AUDIT REPORT September 22, 2016

TABLE OF CONTENTS

Texas A&M University - Central Texas: Financial Management Services' Operations and Student Information Systems General and Application Controls

Texas A&M University: Information Technology for the Office of the Provost

System Internal Audit

TEXAS A&M UNIVERSITY CENTRAL TEXAS
Financial Management Services Operations and Student Information Systems General and Application Controls

September 22, 2016
Charlie Hrncir, C.P.A., Chief Auditor
Project #20162401

Texas A&M University Central Texas: Financial Management Services Operations and Student Information Systems General and Application Controls

Overall Conclusion

Overall, the application controls established over the financial management services operations and the student information system at Texas A&M University - Central Texas are efficient and effective in providing reasonable assurance that the information is accurate, complete and that the university is operating in compliance with applicable laws, policies, rules, and regulations. Opportunities for improvement were noted in the areas of student refund account reconciliations and training for users with access to confidential student data.

Areas Reviewed: FAMIS & Banner user account management; user access to sensitive functions/data; application controls; reconciliations of Banner and FAMIS transactions.

Detailed Results

1. Student Refund Account Reconciliations

The account reconciliation process for student refunds requires improvement to ensure outstanding items are cleared in a timely manner.

The clearing account used for student refunds had unexplained outstanding items totaling $41,000 at the time of the review. This total includes $36,000 of outstanding items carried over from fiscal year 2015. The university identified problems with clearing account processes related to the data feed from the student information system (Banner) to the Financial Accounting Management Information System (FAMIS) during the initial implementation of Banner in fiscal year 2015. Since then, the campus has been working to examine the transactions that impact the data feed, correct the issues noted, and research the outstanding items.

Accurate and timely reconciliations are an important control for timely detection of errors, discrepancies, and systematic problems. The Committee of Sponsoring Organizations (COSO) requires control activities to help ensure management directives are carried out, which include a range of activities including reconciliations. Also, COSO requires monitoring to ensure that internal controls continue to operate effectively.

Recommendation

Reconcile accounts and identify and clear outstanding items in a timely manner.

Management's Response

Management agrees with the findings and recommendations and will implement changes in the reconciliation process for the student refunds account. Target completion date is March 31, 2017.

2. FERPA Training

Banner users with access to confidential student data are not receiving training on the Family Education Rights and Privacy Act (FERPA) requirements on a consistent basis.

The campus has relied on the FERPA areas covered within the Information Security Awareness training required for all system employees. Without a more detailed training, there is a risk that employees may inadvertently mishandle confidential student data resulting in a violation of federal law.

FERPA requires that student education records are protected for all schools that receive funds under an applicable program of the U.S. Department of Education. Also, the United States Sentencing Commission Guidelines require an effective compliance and ethics program, which must include conducting training programs appropriate for respective roles and responsibilities.

Recommendation

Require FERPA specific training, such as the electronic course offered within TrainTraq, for all employees with access to student data or records.

Management's Response

Management agrees with the findings and recommendation. The FERPA Training Course on TrainTraq became mandatory for all employees at A&M-Central Texas on June 29, 2016. This training will be repeated every two years.

Basis of Review

Objective and Scope

The audit of financial management services operations and the student information system at Texas A&M University - Central Texas focused on evaluating the controls in place to determine if resources were used efficiently and effectively in compliance with applicable laws, policies, regulations and rules and that the information was accurate and complete. The audit period focused primarily on activities from June 1, 2015 to May 31, 2016. Areas reviewed included logical security, access to sensitive functions, and application controls within the Business Office. Fieldwork was conducted from June 2016 to July 2016.

Methodology

Our audit methodology included interviews, observation of processes, and review of documentation and testing of data using sampling. To determine if new user processes were followed, the auditors selected a nonstatistical sample of ten new Banner users and eight new FAMIS users through auditor judgment to determine if there were any unexpected results. To determine if users with access to student holds within Banner were appropriate, the auditors selected a nonstatistical sample of eight Banner users through auditor judgment to determine if there were any unexpected results.

Criteria

Our audit was based upon standards as set forth in Texas A&M University System Policies and Regulations; Texas A&M University Central Texas rules and administrative procedures; Texas Administrative Code; the Committee of Sponsoring Organizations Internal Control Integrated Framework (COSO); the United States Sentencing Commission Guidelines; Family Education Rights and Privacy Act; and other sound administrative practices.

The audit was conducted in conformance with the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing. Additionally, we conducted the audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Audit Team

Amanda Dotson, CPA, CIA, Director
David Maggard, CPA, CISA, Audit Manager
Chesney Cote, CPA, CISA
Whitney Glenz, CISA

Distribution List

Dr. Marc Nigliazzo, President
Dr. Peg Gray-Vickrey, Provost and Vice President for Academic & Student Affairs
Ms. Gaylene Nunn, Vice President for Finance and Administration
Mr. Todd Lutz, Assistant Vice President for Information Technology/CIO
Ms. Deserie Rivera, University Compliance Officer

System Internal Audit

TEXAS A&M UNIVERSITY
Information Technology for the Office of the Provost

September 22, 2016
Charlie Hrncir, C.P.A., Chief Auditor
Project #20160211

Texas A&M University: Information Technology for the Office of the Provost

Overall Conclusion

The information technology governance processes and general controls at the Texas A&M University Office of the Provost are effective in providing reasonable assurance that the confidentiality, integrity, and availability of the information resources and data are maintained in accordance with laws, policies, regulations and rules.

Information Technology Departments Reviewed: Provost IT Office; Open Access Labs; Instructional Media Services.

General control areas reviewed for the Provost IT Office (PITO) included logical security of workstations; change management; backup and recovery; identity and account management; and incident management. General control areas reviewed for Open Access Labs (OAL) included logical security of staff workstations, backup and recovery, and identity and account management. General control areas reviewed for Instructional Media Services (IMS) included logical security of classroom workstations and network devices. OAL manages the classroom workstations for IMS. Logical security testing in all three areas included system patch management, password management, and program version management.

The centralized management of logical security processes in both PITO's technology services group and OAL contributed to the strong controls noted during testing. These groups each manage a large number of machines efficiently and effectively. Change management processes and controls within PITO's information services group help them meet the software application needs for non-academic departments across campus.

Basis of Review

Objective and Scope

The audit of information technology processes and general controls at the Texas A&M Office of the Provost focused on ensuring that the confidentiality, integrity, and availability of information resources and data were maintained in accordance with laws, policies, regulations and rules. The audit period focused primarily on activities from July 1, 2015 to June 30, 2016. Areas reviewed included change management, backup and recovery, logical security, identity and account management, and incident management. Fieldwork was conducted from July to August, 2016.

Methodology

Our audit methodology included interviews, observation of processes, review of documentation and testing of data using sampling. To test the logical security controls in place over workstations and the change controls in place over development of applications, auditors utilized nonstatistical samples selected through auditor judgement.

Criteria

Our audit was based upon standards as set forth in Texas A&M University System Policies and Regulations; Texas A&M University Rules and Standard Administrative Procedures; Texas Administrative Code; and other sound administrative practices.

The audit was conducted in conformance with the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing. Additionally, we conducted the audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Audit Team

Robin Woods, CPA, Director
David Maggard, CPA, CISA, Senior Manager
Chesney Cote, CPA, CISA
Whitney Glenz, CISA

Distribution List

Mr. Michael K. Young, President
Dr. Karan L. Watson, Provost and Executive Vice President for Academic Affairs
Dr. Jerry R. Strawser, Vice President for Finance and Administration
Mr. Joseph P. Pettibon II, Associate Vice President for Academic Services
Mr. Juan E. Garza, Assistant Vice President for Academic Services
Ms. Margaret Zapalac, Associate Vice President Risk and Compliance