OLA Audit Report board cover pages

MnSCU Audit Reports
Presentation to the MnSCU Audit Committee
Office of the Legislative Auditor
September 21, 2004
Today’s Agenda
• Information technology audits
– Presented by Eric Wion, IT Audit Director
• Internal control and compliance audits of
selected colleges
– Presented by Jim Riebe, Audit Manager
Why Audit Technology?
• Computer systems process and house data that is vital to MnSCU’s operations
– Integrity – inaccurate or incomplete data can lead to improper decisions
– Confidentiality – unauthorized disclosures can have significant legal implications and undermine public trust
– Availability – administrators and students now rely on 24/7 access
• Commercial products have many well-publicized vulnerabilities and are a prime target for hackers
• Audits provide management and the board an independent assessment of controls
Most Recent Audits
• Data Warehouse Controls
• Degree Audit Reporting and Course
Applicability Systems (DARS and CAS)
• Information Technology Security Follow-up
• 4th audit that has focused on ISRS security
controls
The Big Picture
• Progress has been made to resolve audit
findings
– 2 Resolved
– 2 Significantly Resolved
– 4 Partially Resolved
• Shortcomings still exist
Insufficient Security Planning
• No comprehensive security program
– IT risks not assessed organization-wide
– Insufficient security staff
– Reactive, rather than proactive
– Excessive reliance on key IT professionals
• Underlying cause of security findings
[Diagram: security program cycle with four elements: Assess Business Risks; Define Policies & Procedures; Monitor Compliance With Policies; Deploy Tools]
Documentation Shortcomings
• Lack of documentation causes a security infrastructure to erode over time
• Knowledgeable staff may leave
• Remaining people are afraid to touch anything security-related
Inappropriate Access
• People have security clearances that they do
not need to fulfill their job duties
– Information technology professionals given
excessive security clearances
– Software products have powerful security
clearances that are not needed
* Our follow-up audit found significant
improvement
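The access finding above comes down to one comparison: the clearances each account actually holds against what its job duties require, for people and for software accounts alike. The following is an added example (not code from the OLA presentation or from MnSCU): a least-privilege review in Python over a constructed role baseline and access listing. The role names, permission strings, account names and the "high risk" list are illustrative assumptions, chosen so the output shows both an over-cleared IT professional and an over-privileged software product.

```python
"""Least-privilege review of security clearances against job roles.

Added example, not part of the OLA presentation. Roles, permissions,
account names and the system prefixes below are constructed
illustrations of the audit finding, not MnSCU data.
"""
from collections import defaultdict

# Assumed role-to-permission baseline: what each job duty actually needs.
ROLE_BASELINE = {
    "registrar":      {"isrs.student.read", "isrs.student.write", "isrs.registration.write"},
    "cashier":        {"isrs.student.read", "isrs.tuition.write"},
    "dba":            {"db.backup", "db.restore", "db.schema.alter"},
    "app_developer":  {"app.deploy.test", "app.source.read"},
    "report_service": {"isrs.student.read", "isrs.tuition.read"},  # a software account
}

# Any grant outside a role's baseline is excess; these are reported
# separately because of their impact if misused.
HIGH_RISK = {"db.schema.alter", "db.restore", "isrs.security.admin", "os.root"}

# Constructed access listing: (account, assigned role, clearances held).
GRANTS = [
    ("jdoe",    "registrar",      {"isrs.student.read", "isrs.student.write", "isrs.registration.write"}),
    ("msmith",  "cashier",        {"isrs.student.read", "isrs.tuition.write", "isrs.security.admin"}),
    ("dev01",   "app_developer",  {"app.deploy.test", "app.source.read", "db.schema.alter", "db.restore"}),
    ("rpt_svc", "report_service", {"isrs.student.read", "isrs.tuition.read", "isrs.student.write", "os.root"}),
    ("dba_kim", "dba",            {"db.backup", "db.restore", "db.schema.alter"}),
]


def review_access(grants=GRANTS, baseline=ROLE_BASELINE, high_risk=HIGH_RISK):
    """Return {account: {"role", "excess", "high_risk_excess"}} for every
    account holding clearances its role does not require. Accounts whose
    clearances are within their baseline are omitted."""
    findings = {}
    for user, role, held in grants:
        needed = baseline.get(role)
        if needed is None:
            # Unknown role: nothing has been justified, so every grant is excess.
            needed = set()
        excess = held - needed
        if excess:
            findings[user] = {
                "role": role,
                "excess": excess,
                "high_risk_excess": excess & high_risk,
            }
    return findings


def summarize(findings):
    """Count excess grants per clearance, showing which clearances are most
    often over-assigned (the view a board-level report usually wants)."""
    counts = defaultdict(int)
    for f in findings.values():
        for perm in f["excess"]:
            counts[perm] += 1
    return dict(counts)


if __name__ == "__main__":
    found = review_access()
    for user, f in sorted(found.items()):
        print(f"{user} ({f['role']}): excess={sorted(f['excess'])} "
              f"high_risk={sorted(f['high_risk_excess'])}")
    print("over-assigned:", summarize(found))
```

Run stand-alone, it reports msmith (a cashier holding a security-admin clearance), dev01 (a developer holding production database clearances) and rpt_svc (a reporting product holding write access and root), and leaves the two correctly-scoped accounts out. The same comparison works against a real export of role assignments once the baseline has been documented, which is the step the audit found missing.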
Server Configuration Weaknesses
• Unnecessary “services”, often susceptible to
exploit, have not been removed
• Security-related software patches have not
been applied
Weak Authentication Processes
• Strong password controls not enforced
• Unencrypted passwords sent over networks
or stored in files
Inadequate Monitoring
• Security-related events not defined, logged,
or reviewed
• Compliance monitoring responsibilities not properly defined
– Information technology professionals
– Security staff
– Consultants
– Internal and external auditors
• Vulnerability assessment tools not deployed
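The monitoring finding has three parts: define which events are security-related, log them, and review them. The following added example (not code from the OLA presentation or from MnSCU) shows the define-and-review half in Python over constructed syslog-style authentication lines. The event patterns, the failed-login threshold and window, the host and account names, and the year assumed for the year-less syslog timestamps are all illustrative assumptions.

```python
"""Define security-related events and review an auth log for them.

Added example, not part of the OLA presentation. The log lines are
constructed; event definitions, thresholds and names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Step 1: define the events worth logging and reviewing.
EVENT_DEFS = {
    "auth_failure":    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
    "auth_success":    re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+)"),
    "priv_escalation": re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$"),
    "account_created": re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)"),
}

# Classic syslog line: "Mon DD HH:MM:SS host message" (no year).
LINE_RE = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
ASSUMED_YEAR = 2004  # syslog omits the year; assumed for the sample

# Constructed sample: a password-guessing run that succeeds, followed by
# privilege escalation and account creation, then an unrelated login.
SAMPLE_LOG = """\
Sep 21 08:00:01 isrs-app1 sshd[4012]: Failed password for admin from 10.1.5.77 port 51002 ssh2
Sep 21 08:00:04 isrs-app1 sshd[4012]: Failed password for admin from 10.1.5.77 port 51003 ssh2
Sep 21 08:00:07 isrs-app1 sshd[4012]: Failed password for admin from 10.1.5.77 port 51004 ssh2
Sep 21 08:00:09 isrs-app1 sshd[4012]: Failed password for invalid user oracle from 10.1.5.77 port 51005 ssh2
Sep 21 08:00:12 isrs-app1 sshd[4012]: Failed password for admin from 10.1.5.77 port 51006 ssh2
Sep 21 08:00:15 isrs-app1 sshd[4012]: Accepted password for admin from 10.1.5.77 port 51007 ssh2
Sep 21 08:01:02 isrs-app1 sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/bash
Sep 21 08:02:30 isrs-app1 useradd[4100]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup, shell=/bin/sh
Sep 21 09:15:00 isrs-app1 sshd[4200]: Accepted password for jdoe from 10.1.8.12 port 40011 ssh2
"""

FAILURE_THRESHOLD = 4          # failures from one source within WINDOW
WINDOW = timedelta(minutes=5)  # sliding window for counting failures


def parse_events(text):
    """Turn raw lines into a list of defined events; unmatched lines are
    dropped, which is itself a signal that the definitions need review."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        for name, rx in EVENT_DEFS.items():
            em = rx.search(m["msg"])
            if em:
                events.append({"ts": ts, "host": m["host"], "event": name, **em.groupdict()})
                break
    return events


def review(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return a list of (alert_type, subject, detail) tuples. Repeated
    failures from one source are counted over a sliding window, and a
    later success from a flagged source is escalated separately."""
    alerts = []
    failures = defaultdict(list)   # source address -> recent failure timestamps
    flagged_src = set()
    for e in events:
        if e["event"] == "auth_failure":
            recent = failures[e["src"]]
            recent.append(e["ts"])
            while recent and e["ts"] - recent[0] > window:
                recent.pop(0)   # expire failures older than the window
            if len(recent) >= threshold and e["src"] not in flagged_src:
                flagged_src.add(e["src"])
                alerts.append(("brute_force", e["src"], f"{len(recent)} failed logins within {window}"))
        elif e["event"] == "auth_success":
            if e["src"] in flagged_src:
                alerts.append(("success_after_failures", e["user"], f"login from {e['src']} after repeated failures"))
        elif e["event"] == "priv_escalation":
            alerts.append(("priv_escalation", e["user"], e["cmd"].strip()))
        elif e["event"] == "account_created":
            alerts.append(("account_created", e["user"], e["host"]))
    return alerts


if __name__ == "__main__":
    for alert in review(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample this yields four alerts in order: the guessing run from 10.1.5.77 (flagged at the fourth failure), the admin login from that same source, the sudo to a root shell, and the new svc_backup account; jdoe's routine login produces nothing. Raising the threshold above the number of failures removes the first two alerts, which is the kind of tuning the "events not defined" finding implies nobody was doing.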
Staffing Issues
• Often unclear who is responsible for making
critical security decisions or performing
critical security duties
• Insufficient number of staff dedicated to
security
What Can A Trustee Do?
• Make security a priority
• Help management obtain more trained security professionals
• Encourage management to
– Adopt a formal security framework or model
– Assess risks and document detailed security policies, procedures, and standards for all major systems
– Utilize tools to monitor security and perform vulnerability assessments
• Ascertain that management has put processes, technology and assurance in place for information security
IT Audits - Q & A
Audits of Selected Colleges
• Audit Objectives
– Internal control
• Safeguarding assets
• Accuracy of accounting information
– Compliance with significant legal provisions
• State statutes
• Bargaining unit provisions
• Board policies
• Contract provisions
Audits of Selected Colleges
• Audit Scope
– Two or three year period ended June 30, 2003
– Limited program areas including
• Computer system access
• Tuition and fees
• Payroll
• Administrative expenditures
Audits of Selected Colleges
• Colleges Audited
– Central Lakes (2 year audit)
– Hibbing (3 year audit)
– Inver Hills (3 year audit)
– Itasca (2 year audit)
– Normandale (2 year audit)
– Riverland (3 year audit)
– St. Cloud Technical College (3 year audit)
Overall Conclusion
• Colleges included in our scope generally:
– Safeguarded assets
– Correctly recorded financial activity
– Complied with significant legal provisions
Key Finding
• Certain colleges need to ensure that access
to computerized business systems is
adequately restricted (3 colleges)
Other Findings
• Lack of adequate documentation supporting
backdated registrations (2 colleges)
• Incompatible duties over payroll/personnel
data entry
• Noncompliance with contracting and bidding
requirements
• Noncompliance with board policy requiring
written tuition waiver guidelines (3 colleges)
Questions