PowerPoint Slides - University System of Georgia

Fiscal Affairs Accounting and Reporting Update
September 16, 2015
Claire Arnold, CPA
Creating A More Educated Georgia
External Auditor Results for Fiscal Year 2014 (July 1, 2013 thru June 30, 2014)

Fiscal Year 2014 Finding Summary
• Total number of findings up 123% from 13 in FY13 to 29 in FY14
• Financial Statement findings up 20% from 5 in FY13 to 6 in FY14
• Federal/Financial Aid findings up 188% from 8 in FY13 to 23 in FY14
Ineffective Logical Access Controls (7)
Segregation of Duties

Auditing Controls
Limit privileged functions to appropriate personnel:
• Review your security administrators on campus.
• Look at users with full access.
• Do users have access to system utilities/resources such as database tools, SQL tools and Crystal Reports?
Auditing Controls
Local Security Administration - Maintain Segregation of Duties by separating the following roles:
• Requesting Access
• Approving Access
• Setting up Access
• Monitoring Access and Violations
• Performing Rights as a privileged user, and
• Monitoring a privileged user
Ensure Appropriate User Access and Authorization
• Is there an authorization form on file with the appropriate approvals in place?
• Are these periodically reviewed for changes or updates?
• Are terminated employee accounts locked or removed? (BOR_SEC_TERMINATED_USERS)
• Are user accounts reviewed for segregation of duties issues?
BANNER MODULES
Ineffective Logical Access Controls
Modify access (BAN_DEFAULT_M) to screens:

Module              | Objects/Screens                     | What they do                      | Reviewed
Student             | S Objects/Screens: SPAIDEN          | Create students                   | Admissions; Registrar
Financial Aid       | R Objects/Screens: RPAAPMT, RPAAWRD | Award financial aid               | Financial Aid
Accounts Receivable | T Objects/Screens: TSASPAY          | Release funds to student accounts | Bursar; Business office
Ineffective Logical Access Controls
Modify Access to:

Screens             | Means                                                                                | Implication
S, R and T screens  | Someone can add students, award financial aid, and release funds to student accounts. | SOD issue likely
S and R screens     | Someone can add students and award financial aid.                                    | SOD issue likely
R and T screens     | Someone can award financial aid and release to student accounts.                     | SOD issue likely
S and T screens     | Someone can add students and release funds to their accounts.                        | SOD not likely
Logical Access Controls
How to review your institution's access in Banner:
• Utilize the Auditing Tool Kit - Script - Class Security Report by Object
  Script must be executed by Banner DBA or Security Admin and run for all objects
• User access for all object class roles in Banner
Logical Access Controls
How to review your institution's access in Banner:
• Listing of Active Employees (Compare to Class Security Report by Object)
• Isolate Critical Objects: SPAIDEN, RPAAPMT, RPAAWRD, and TSASPAY with BAN_DEFAULT_M Role
  • TSASPAY – Student Payment Form that allows users to enter payments or charges for student accounts per term
  • RPAAPMT – Package Maintenance Form; allows updates to period award status
  • RPAAWRD – allows updates to the period award status column in the RPRATRM table
  • SPAIDEN – mainly used for updating student information such as name, address, telephone, bio, email, etc.
Logical Access Controls
How to review your institution's access in Banner:
• Other Banner Areas to consider:
  • Registration Fee Assessment Process
    • SFRRGFE Fee Assessment Rules
    • TBRACCD Student Accounting Detail
    • TBBDETC Detail Code Definition
    • SFRSTCR Student Course Registration
    • SFRRFCR Course Refund Percentage Table
    • SSADETL Section Fees
    • SFREFEE Student Registration Additional Fees Repeating Table
    • SFRAFEE Registration Additional Fees Repeating Table
    • SFRFMAX Min/Max Charge for Detail Code/Term
    • SFRBTCH Fee Assessment Collector Table
    • SFRFAUD Fee Assessment Audit History Table
  • SAADMS – Admissions application
  • SAADCRV – Admissions decision forms
Logical Access Controls
How to review your institution's access in Banner:
• Identify conflicting roles
• Review employees' job descriptions
• Discuss mitigating controls
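The review steps on the preceding slides (pull the Class Security Report by Object, compare it to the active employee listing, isolate the four critical objects held with BAN_DEFAULT_M, then identify conflicting roles using the S/R/T matrix) can be scripted. The example below is added here and is not part of the USG deck or the Banner Auditing Tool Kit; the CSV layout, column names, user names and the SOME_QUERY_ROLE value are constructed assumptions.

```python
# Added example (not from the USG deck): apply the slide's SOD matrix to a
# Class Security Report by Object export. The CSV layout, column names and
# user names are constructed assumptions; adapt to your report's real layout.
import csv
from io import StringIO

# Critical objects named in the deck, mapped to their Banner module letter.
CRITICAL_OBJECTS = {"SPAIDEN": "S", "RPAAPMT": "R", "RPAAWRD": "R", "TSASPAY": "T"}
MODIFY_ROLE = "BAN_DEFAULT_M"

# Conflict matrix from the "Modify Access to" slide; S+T alone is "SOD not likely".
SOD_LIKELY = {frozenset("SRT"), frozenset("SR"), frozenset("RT")}

# Constructed sample export: one row per (user, object, role) grant.
# SOME_QUERY_ROLE is a constructed placeholder for any non-modify role.
CLASS_SECURITY_REPORT = """user,object,role
jdoe,SPAIDEN,BAN_DEFAULT_M
jdoe,RPAAWRD,BAN_DEFAULT_M
asmith,SPAIDEN,BAN_DEFAULT_M
asmith,TSASPAY,BAN_DEFAULT_M
bjones,RPAAPMT,BAN_DEFAULT_M
bjones,TSASPAY,SOME_QUERY_ROLE
ghost,TSASPAY,BAN_DEFAULT_M
"""
# Constructed active-employee listing (the deck: compare the report to active employees).
ACTIVE_EMPLOYEES = {"jdoe", "asmith", "bjones"}


def modify_modules(report_csv):
    """Map each user to the module letters (S/R/T) they hold BAN_DEFAULT_M on."""
    modules = {}
    for row in csv.DictReader(StringIO(report_csv)):
        obj = row["object"].upper()
        if row["role"] == MODIFY_ROLE and obj in CRITICAL_OBJECTS:
            modules.setdefault(row["user"], set()).add(CRITICAL_OBJECTS[obj])
    return modules


def sod_findings(report_csv, active_employees):
    """Return {user: finding}: conflicting modify access, or access held by a non-active user."""
    findings = {}
    for user, mods in modify_modules(report_csv).items():
        if user not in active_employees:
            findings[user] = "not an active employee (lock or remove account)"
        elif frozenset(mods) in SOD_LIKELY:
            findings[user] = "SOD issue likely: " + "+".join(sorted(mods))
    return findings
```

Each flagged user is then taken to the job-description review and the mitigating-controls discussion the slides call for; a non-active user with any critical modify access is reported regardless of module combination.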
Logical Access Controls
How to review your institution's access in Banner:
• Determine policies or procedures for authorizing users for Banner
  • Are adequate measures in place to ensure that when a user is terminated or transferred their access is changed accordingly?
  • How long do you retain authorization forms? Does it seem adequate?
• Verify that access to resources and utilities within the Banner application is limited
  • Resources – FAFSA – Financial Aid Data Downloads
  • Utilities – Crystal Reports, SQL
Change Management
• Determine policies or procedures for authorizing changes to Banner (major changes versus system updates/patches)
• Is your process well documented to provide audit evidence? (Planned changes versus emergency updates)
• Are changes or modifications tested prior to being put into production? Can you document that test and user approval?
Additional Things to Consider
• Document Analysis/Review of Segregation of Duties
• Updated/clear Policies and Procedures for SFA
• Documented - SFA Risk Assessment
• Available documentation – audit evidence
• All audits and Full Disclosure Management Reports Engagements will receive SFA Compliance for FY 2015. Additionally, those with a federal finding in FY 2014 or previously unresolved SFA findings will be reviewed:
  Fort Valley, Clayton, GRU, Ga Southern, GPC, GSU, KSU, VSU, Albany, Columbus, UNG, SSU, ABAC, Darton, GGC, East Ga, Gordon, Middle Ga and South Ga
FY 2015 Financial Engagement Cycle
• DOAA is currently conducting fieldwork on the audits and FDMR engagements
• Exit Conference – Include USO Accounting and Reporting
• Agreed Upon Procedures (AUP) engagements postponed until January 2016
• Modifications to the AUP engagements
  • Reduce testing to areas of importance – Balance Sheet Support; Bank Reconciliations, Subsidiary Module reconciliations, SEFA, AFR reflects accounting records activity, etc.
Standardized Chart of Accounts
• Standardized Chart of Accounts versus SHARE Accounts
• Revisions to Chart of Accounts:
  Goals:
  Consistency
  Information
  Institutional Functionality
• Chart of Accounts Committee
  Committee Members: Bruce Spratt, Nick Henry, Julie Peterson, Ruth Berger, Kim Brown, Jeff Hall, Michelle Hamm, budget representatives, and ITS representatives
• Submit Suggestions to Claire.Arnold@usg.edu by October 16
• Timeframe – December 2 and 3
December Workshop
Preliminary Topics:
• New Federal Expenditure Requirements/State Purchasing
• New Retiree Health Insurance Accounting Process
• Standardized Chart of Accounts
• Reviewing Audit Results
• oneUSG Update
• Joint Staffing/TRS Eligible Salaries
• GSFIC/MRR/PPV/Capital Improvements – Allowable/Unallowable and Accounting
• AFR/BCR Improvement Discussion
Dates: December 1 and 2
Location: Middle Georgia Math Auditorium
Time: Day 1 - 9:30 am to 5:00 pm
      Day 2 - 8:30 am to 4:00 pm