MONTHLY AUDIT REPORT September 22, 2016
September 2016

TABLE OF CONTENTS
- Texas A&M University - Central Texas: Financial Management Services' Operations and Student Information Systems General and Application Controls
- Texas A&M University: Information Technology for the Office of the Provost

System Internal Audit
TEXAS A&M UNIVERSITY - CENTRAL TEXAS
Financial Management Services Operations and Student Information Systems General and Application Controls
September 22, 2016
Charlie Hrncir, C.P.A., Chief Auditor
Project #20162401
Texas A&M University - Central Texas: Financial Management Services Operations and Student Information Systems General and Application Controls

Overall Conclusion

Overall, the application controls established over the financial management services operations and the student information system at Texas A&M University - Central Texas are efficient and effective in providing reasonable assurance that the information is accurate and complete and that the university is operating in compliance with applicable laws, policies, rules, and regulations. Opportunities for improvement were noted in the areas of student refund account reconciliations and training for users with access to confidential student data.

Areas Reviewed
- FAMIS & Banner user account management
- User access to sensitive functions/data
- Application controls
- Reconciliations of Banner and FAMIS transactions

Detailed Results

1. Student Refund Account Reconciliations

The account reconciliation process for student refunds requires improvement to ensure outstanding items are cleared in a timely manner. The clearing account used for student refunds had unexplained outstanding items totaling $41,000 at the time of the review. This total includes $36,000 of outstanding items carried over from fiscal year 2015. The university identified problems with clearing account processes related to the data feed from the student information system (Banner) to the Financial Accounting Management Information System (FAMIS) during the initial implementation of Banner in fiscal year 2015. Since then, the campus has been working to examine the transactions that impact the data feed, correct the issues noted, and research the outstanding items.

Accurate and timely reconciliations are an important control for timely detection of errors, discrepancies, and systematic problems. The Committee of Sponsoring Organizations (COSO) requires control activities to help ensure management directives are carried out, which include a range of activities including reconciliations. COSO also requires monitoring to ensure that internal controls continue to operate effectively.

September 2016 Page 1 Project #20162401
Recommendation

Reconcile accounts and identify and clear outstanding items in a timely manner.

Management's Response

Management agrees with the findings and recommendations and will implement changes in the reconciliation process for the student refunds account. Target completion date is March 31, 2017.

2. FERPA Training

Banner users with access to confidential student data are not receiving training on the Family Educational Rights and Privacy Act (FERPA) requirements on a consistent basis. The campus has relied on the FERPA areas covered within the Information Security Awareness training required for all system employees. Without more detailed training, there is a risk that employees may inadvertently mishandle confidential student data, resulting in a violation of federal law.

FERPA requires that student education records be protected at all schools that receive funds under an applicable program of the U.S. Department of Education. The United States Sentencing Commission Guidelines also require an effective compliance and ethics program, which must include conducting training programs appropriate for respective roles and responsibilities.

Recommendation

Require FERPA-specific training, such as the electronic course offered within TrainTraq, for all employees with access to student data or records.

Management's Response

Management agrees with the findings and recommendation. The FERPA Training Course on TrainTraq became mandatory for all employees at A&M-Central Texas on June 29, 2016. This training will be repeated every two years.
Basis of Review

Objective and Scope

The audit of financial management services operations and the student information system at Texas A&M University - Central Texas focused on evaluating the controls in place to determine if resources were used efficiently and effectively in compliance with applicable laws, policies, regulations and rules and that the information was accurate and complete. The audit period focused primarily on activities from June 1, 2015 to May 31, 2016. Areas reviewed included logical security, access to sensitive functions, and application controls within the Business Office. Fieldwork was conducted from June 2016 to July 2016.

Methodology

Our audit methodology included interviews, observation of processes, review of documentation, and testing of data using sampling. To determine if new user processes were followed, the auditors selected a nonstatistical sample of ten new Banner users and eight new FAMIS users through auditor judgment to determine if there were any unexpected results. To determine if users with access to student holds within Banner were appropriate, the auditors selected a nonstatistical sample of eight Banner users through auditor judgment to determine if there were any unexpected results.

Criteria

Our audit was based upon standards as set forth in Texas A&M University System Policies and Regulations; Texas A&M University - Central Texas rules and administrative procedures; Texas Administrative Code; the Committee of Sponsoring Organizations Internal Control - Integrated Framework (COSO); the United States Sentencing Commission Guidelines; the Family Educational Rights and Privacy Act; and other sound administrative practices. The audit was conducted in conformance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing.

Additionally, we conducted the audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
Audit Team
- Amanda Dotson, CPA, CIA, Director
- David Maggard, CPA, CISA, Audit Manager
- Chesney Cote, CPA, CISA
- Whitney Glenz, CISA

Distribution List
- Dr. Marc Nigliazzo, President
- Dr. Peg Gray-Vickrey, Provost and Vice President for Academic & Student Affairs
- Ms. Gaylene Nunn, Vice President for Finance and Administration
- Mr. Todd Lutz, Assistant Vice President for Information Technology/CIO
- Ms. Deserie Rivera, University Compliance Officer
System Internal Audit
TEXAS A&M UNIVERSITY
Information Technology for the Office of the Provost
September 22, 2016
Charlie Hrncir, C.P.A., Chief Auditor
Project #20160211

Texas A&M University: Information Technology for the Office of the Provost

Overall Conclusion

The information technology governance processes and general controls at the Texas A&M University Office of the Provost are effective in providing reasonable assurance that the confidentiality, integrity, and availability of the information resources and data are maintained in accordance with laws, policies, regulations and rules.

Information Technology Departments Reviewed
- Provost IT Office
- Open Access Labs
- Instructional Media Services

General control areas reviewed for the Provost IT Office (PITO) included logical security of workstations; change management; backup and recovery; identity and account management; and incident management. General control areas reviewed for Open Access Labs (OAL) included logical security of staff workstations, backup and recovery, and identity and account management. General control areas reviewed for Instructional Media Services (IMS) included logical security of classroom workstations and network devices. OAL manages the classroom workstations for IMS. Logical security testing in all three areas included system patch management, password management, and program version management.

The centralized management of logical security processes in both PITO's technology services group and OAL contributed to the strong controls noted during testing. These groups each manage a large number of machines efficiently and effectively. Change management processes and controls within PITO's information services group help them meet the software application needs of non-academic departments across campus.

September 2016 Page 1 Project #20160211
Basis of Review

Objective and Scope

The audit of information technology processes and general controls at the Texas A&M Office of the Provost focused on ensuring that the confidentiality, integrity, and availability of information resources and data were maintained in accordance with laws, policies, regulations and rules. The audit period focused primarily on activities from July 1, 2015 to June 30, 2016. Areas reviewed included change management, backup and recovery, logical security, identity and account management, and incident management. Fieldwork was conducted from July to August 2016.

Methodology

Our audit methodology included interviews, observation of processes, review of documentation, and testing of data using sampling. To test the logical security controls in place over workstations and the change controls in place over development of applications, auditors utilized nonstatistical samples selected through auditor judgment.

Criteria

Our audit was based upon standards as set forth in Texas A&M University System Policies and Regulations; Texas A&M University Rules and Standard Administrative Procedures; Texas Administrative Code; and other sound administrative practices. The audit was conducted in conformance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing. Additionally, we conducted the audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
Audit Team
- Robin Woods, CPA, Director
- David Maggard, CPA, CISA, Senior Manager
- Chesney Cote, CPA, CISA
- Whitney Glenz, CISA

Distribution List
- Mr. Michael K. Young, President
- Dr. Karan L. Watson, Provost and Executive Vice President for Academic Affairs
- Dr. Jerry R. Strawser, Vice President for Finance and Administration
- Mr. Joseph P. Pettibon II, Associate Vice President for Academic Services
- Mr. Juan E. Garza, Assistant Vice President for Academic Services
- Ms. Margaret Zapalac, Associate Vice President, Risk and Compliance