Fiscal Affairs Accounting and Reporting Update
September 16, 2015
Claire Arnold, CPA
Creating A More Educated Georgia

External Auditor Results for Fiscal Year 2014 (July 1, 2013 thru June 30, 2014)
Fiscal Year 2014 Finding Summary
• Total number of findings up 123% from 13 in FY13 to 29 in FY14
• Financial Statement findings up 20% from 5 in FY13 to 6 in FY14
• Federal/Financial Aid findings up 188% from 8 in FY13 to 23 in FY14
• Ineffective Logical Access Controls (7)

Segregation of Duties
Limit Privilege Functions to appropriate personnel
• Review your security administrators on campus.
• Look at users with full access.
• Do users have access to system utilities/resources such as database tools, SQL tools and Crystal Reports?

Auditing Controls
Local Security Administration - Maintain Segregation of Duties by separating the following roles:
• Requesting Access
• Approving Access
• Setting up Access
• Monitoring Access and Violations
• Performing Rights as a privileged user, and
• Monitoring a privileged user
Ensure Appropriate User Access and Authorization
• Is there an authorization form on file with the appropriate approvals in place?
• Are these periodically reviewed for changes or updates?
• Are terminated employee accounts locked or removed? (BOR_SEC_TERMINATED_USERS)
• Are user accounts reviewed for segregation of duties issues?
Auditing Controls
Ineffective Logical Access Controls - Modify access (BAN_DEFAULT_M) to screens

Objects/Screens                      | Banner Module       | What they do                      | Reviewed
S Objects/Screens: SPAIDEN           | Student             | Create students                   | Admissions; Registrar
R Objects/Screens: RPAAPMT, RPAAWRD  | Financial Aid       | Award financial aid               | Financial Aid
T Objects/Screens: TSASPAY           | Accounts Receivable | Release funds to student accounts | Bursar; Business office

Ineffective Logical Access Controls
Modify Access to:
• S screens + R screens + T screens - Means: someone can add students, award financial aid, and release funds to student accounts. Implication: SOD issue likely
• S screens + R screens - Means: someone can add students and award financial aid. Implication: SOD issue likely
• R screens + T screens - Means: someone can award financial aid and release funds to student accounts. Implication: SOD issue likely
• S screens + T screens - Means: someone can add students and release funds to their accounts. Implication: SOD not likely

Logical Access Controls
How to review your institution’s access in Banner:
• Utilize the Auditing Tool Kit - Script - Class Security Report by Object
  • Script must be executed by Banner DBA or Security Admin and run for all objects
  • User access for all object class roles in Banner

Logical Access Controls
• Listing of Active Employees (Compare to Class Security Report by Object)
• Isolate Critical Objects: SPAIDEN, RPAAPMT, RPAAWRD, and TSASPAY with BAN_DEFAULT_M Role
  • TSASPAY – Student Payment Form that allows users to enter payments or charges for student accounts per term
  • RPAAPMT – Package maintenance form that allows updates to the period award status
  • RPAAWRD – Allows updates to the period award status column in the RPRATRM table
  • SPAIDEN – Mainly used for updating student information such as name, address, telephone, bio, email, etc.
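An added example, not part of the presentation and not a USG or Ellucian tool, of the comparison the slides above describe: it reads constructed rows in the shape of a Class Security Report by Object export, keeps only BAN_DEFAULT_M access to the four critical objects, applies the S/R/T conflict matrix, and checks the result against a constructed Listing of Active Employees. The column names, sample users, and the query-only role name BAN_DEFAULT_Q are assumptions.

```python
import csv
from io import StringIO

# Critical objects named on the slides, grouped by Banner module letter.
CRITICAL = {"SPAIDEN": "S", "RPAAPMT": "R", "RPAAWRD": "R", "TSASPAY": "T"}
MODIFY_ROLE = "BAN_DEFAULT_M"  # only modify access to a critical object counts
# Conflict matrix from the slides: every combination involving R is a likely
# SOD issue; S + T alone is rated "SOD not likely".
LIKELY = {frozenset("SRT"), frozenset("SR"), frozenset("RT")}

# Constructed rows in the shape of a Class Security Report by Object export
# (column names assumed). The BAN_DEFAULT_Q row stands in for query-only access.
REPORT = """user,object,role
jdoe,SPAIDEN,BAN_DEFAULT_M
jdoe,RPAAWRD,BAN_DEFAULT_M
jdoe,TSASPAY,BAN_DEFAULT_M
asmith,SPAIDEN,BAN_DEFAULT_M
asmith,TSASPAY,BAN_DEFAULT_M
bjones,RPAAPMT,BAN_DEFAULT_M
bjones,TSASPAY,BAN_DEFAULT_Q
cwu,RPAAPMT,BAN_DEFAULT_M
cwu,TSASPAY,BAN_DEFAULT_M
"""
# Constructed Listing of Active Employees; cwu has left but still holds access.
ACTIVE = {"jdoe", "asmith", "bjones"}


def modify_groups(report_csv):
    """Map each user to the S/R/T groups they hold BAN_DEFAULT_M access to."""
    groups = {}
    for row in csv.DictReader(StringIO(report_csv)):
        letter = CRITICAL.get(row["object"])
        if letter and row["role"] == MODIFY_ROLE:
            groups.setdefault(row["user"], set()).add(letter)
    return groups


def sod_conflicts(groups):
    """Rate every user holding two or more groups with the slide's matrix."""
    verdicts = {}
    for user, letters in groups.items():
        if len(letters) >= 2:
            likely = frozenset(letters) in LIKELY
            verdicts[user] = "SOD issue likely" if likely else "SOD not likely"
    return verdicts


def orphaned_accounts(groups, active):
    """Users with modify access who are missing from the active-employee list."""
    return set(groups) - active
```

On the sample data jdoe (S+R+T) and cwu (R+T) are rated likely SOD issues, asmith (S+T) is not, bjones holds only query access to TSASPAY and so is not flagged, and cwu is also reported as an account with no matching active employee.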
Logical Access Controls
How to review your institution’s access in Banner:
• Other Banner Areas to consider:
  • Registration Fee Assessment Process
    • SFRRGFE – Fee Assessment Rules
    • TBRACCD – Student Accounting Detail
    • TBBDETC – Detail Code Definition
    • SFRSTCR – Student Course Registration
    • SFRRFCR – Course Refund Percentage Table
    • SSADETL – Section Fees
    • SFREFEE – Student Registration Additional Fees Repeating Table
    • SFRAFEE – Registration Additional Fees Repeating Table
    • SFRFMAX – Min/Max Charge for Detail Code/Term
    • SFRBTCH – Fee Assessment Collector Table
    • SFRFAUD – Fee Assessment Audit History Table
  • SAADMS – Admissions application
  • SAADCRV – Admissions decision forms

Logical Access Controls
• Identify conflicting roles
• Review employees’ job descriptions
• Discuss mitigating controls

Logical Access Controls
How to review your institution’s access in Banner:
• Determine policies or procedures for authorizing users for Banner
• Are adequate measures in place to ensure that when a user is terminated or transferred, their access is changed accordingly?
• How long do you retain authorization forms? Does it seem adequate?
• Verify that access to resources and utilities within the Banner application is limited
  • Resources – FAFSA – Financial Aid Data Downloads
  • Utilities – Crystal Reports, SQL

Change Management
How to review your institution’s access in Banner:
• Determine policies or procedures for authorizing changes to Banner (Major Changes versus System updates/patches)
• Is your process well documented to provide audit evidence? (Planned changes versus emergency updates)
• Are changes or modifications tested prior to being put into production? Can you document that test and user approval?

Additional Things to Consider
• Document Analysis/Review of Segregation of Duties
• Updated/clear Policies and Procedures for SFA
• Documented SFA Risk Assessment
• Available documentation – audit evidence
• All audits and Full Disclosure Management Reports (FDMR) Engagements will receive SFA Compliance for FY 2015. Additionally, those with a federal finding in FY 2014 or previously unresolved SFA findings will be reviewed: Fort Valley, Clayton, GRU, Ga Southern, GPC, GSU, KSU, VSU, Albany, Columbus, UNG, SSU, ABAC, Darton, GGC, East Ga, Gordon, Middle Ga and South Ga

FY 2015 Financial Engagement Cycle
• DOAA is currently conducting fieldwork on the audits and FDMR engagements
• Exit Conference – Include USO Accounting and Reporting
• Agreed Upon Procedures (AUP) engagements postponed until January 2016
• Modifications to the AUP engagements
  • Reduce testing to areas of importance – Balance Sheet Support; Bank Reconciliations, Subsidiary Module reconciliations, SEFA, AFR reflects accounting records activity, etc.

Standardized Chart of Accounts
• Standardized Chart of Accounts versus SHARE Accounts
• Revisions to Chart of Accounts
• Goals: Information, Institutional Functionality, Consistency
• Chart of Accounts Committee – Committee Members: Bruce Spratt, Nick Henry, Julie Peterson, Ruth Berger, Kim Brown, Jeff Hall, Michelle Hamm, budget representatives, and ITS representatives
• Submit Suggestions to Claire.Arnold@usg.edu by October 16
• Timeframe – December 2 and 3

December Workshop
Preliminary Topics:
• New Federal Expenditure Requirements/State Purchasing
• New Retiree Health Insurance Accounting Process
• Standardized Chart of Accounts
• Reviewing Audit Results
• oneUSG Update
• Joint Staffing/TRS Eligible Salaries
• GSFIC/MRR/PPV/Capital Improvements – Allowable/Unallowable and Accounting
• AFR/BCR Improvement Discussion

Dates: December 1 and 2
Location: Middle Georgia Math Auditorium
Time: Day 1 - 9:30 am to 5:00 pm; Day 2 - 8:30 am to 4:00 pm