Kristina Turner CPA, CISA, MMIS University System of Georgia RACAR – Macon State College April 13, 2011 • • • • Audit Request List Frozen Tables BOR Auditing Tool Kit Information Technology Controls • Definitions • Differences • General Controls • Categories • Examples 2 3 • Updated List Added to the DOAA Website each fiscal year • http://www.audits.ga.gov/EAD/CollegeResources.html • Navigation from Home Page: • Information/Resources • State Government Resources • College/University Resources • 2009_Updated_Auditors_Request_List.xls 4 5 Historically the following tables have been frozen at the end of each fiscal year: •TBBDETC •TBBCTRL •TBBEACT •TBBTBDS •TBRACCD • TBRACCT • TBRAPPL • TBRDEPO •TBRMISD • TBBETBD 6 • The ZURGFTT table alone will meet the needs of the auditor IF the institution maintains detail for the entire fiscal year. • SPRIDEN does not need to be frozen at the end of the fiscal year. However, the auditors will request the following fields: • PIDM, LAST_NAME, FIRST_NAME, MI 7 • BANNER is the system of record for receivables • The selected tables include the transaction level detail for all items recorded on the Financial Statements • The auditor will use this data to select samples, review transactions, perform analytical procedures, and various other audit tasks. 8 • Requests for Frozen Tables are initiated by the Atlanta office. • Typically the requests are made to those institutions receiving an audit. • The tables are submitted to DOAA through our Secure File Transfer System. • DOAA removes the tables from the File Transfer System upon receipt. 9 • Tables are imported into DOAA Data Warehouse; All data is stored securely and is encrypted • Queries are run against the data by EAD IT Personnel • Output files are used by auditors for testing 10 • Questions related to the output files can be sent to Atlanta – turnerka@audits.ga.gov or shepard@audits.ga.gov 11 12 • Useful Scripts for EAD • • • • • • • • • Listing of Detail Codes Listing of Term Codes Fee Assessment Rules Listing of Cashiers and Supervisors Listing of Supervisors and Restricted Users Listing of All Users with Access to AR Objects, Including Class & Roles List of Users with Access to TAISMGR Objects at the Database Level List of Users with Permission to Access Specific Objects in the Database TGRRCON 13 14 • Controls in place to ensure data’s: •confidentiality •integrity •availability 15 Midlands Technical College warned employees last month that a flash drive containing some of their personal information was taken from a human resources office at the college. The flash drive, since returned — without the personal data it previously held — could compromise the personal information of some of the college’s 500 employees. But Midlands Tech spokesman Todd Gavin said no problems have been reported by employees so far…. The security breach at Midlands Tech is the second acknowledged by an area college or university in the last week. The University of South Carolina warned employees earlier this month that a breach of computers at its Sumter campus exposed the personal information of 31,000 faculty, staff, retirees and students system-wide. http://www.thestate.com/2011/03/09/1728561/midlands-tech-warns-employees.html 16 Missouri State University officials are notifying 6,030 College of Education students that their social security numbers may have been compromised as a result of an internal security breach. In October and November 2010, in preparation for an accreditation, the College of Education prepared lists of students by semester. The lists, which included social security numbers, were for nine semesters between 2005 and 2009 (fall, spring, summer). A list was created for each semester, so there were nine lists. The lists were prepared in electronic format in October and November 2010 to be available on secure servers to the College of Education personnel working on the accreditation, as well as the accreditation team. Unfortunately, these lists of names were posted in October/November 2010 on an unsecured server. As a result, all nine lists ended up on Google. In all, 6,030 names with social security numbers were compromised and posted on the web. http://news.missouristate.edu/2011/03/03/coe-security-breach 17 Those still lining up for free cheese fries and mozzarella sticks after dinner are in for a bitter surprise. Last week Dining Services discovered the glitch in their system that for the past few months had granted students snack bar points even if they had already swiped for dinner, a mishap that students were quick to take advantage of as word swiftly spread across campus. The problem was fixed on Sunday, and 45 students were turned away from snack bar that evening when trying to swipe after dinner. In August and again in December, Dining Services updated its food accounting system, a program that controls at what time students can swipe for meal points, and believes that the error occurred during this process. A mishap during the upgrade altered the equivalency time, essentially allowing students to use their dinner points from the following day’s meals. As the next day’s meals were always accessible on any given day, students were granted dinner equivalency at snack bar regardless of their meal consumption that day. Abayasinghe did not yet calculate the total loss in revenue from the additional snack bar points, but acknowledged that it may be significant. http://record.williams.edu/wp/?p=12034 18 “Payroll has failed to take out medical and dental deductions from 6 paychecks so far upon starting employment. they claimed it was computer error, and states the money is retroactive. Why should the employee be liable for a company/ computer error? I feel the company should eat the fees and make sure the deductions are taken out going forward. Am I wrong? Do I have a fight? This is well over 600.00” ~Question from Employee on Business Forum 19 20 Generally, IT provides potential benefits of effectiveness and efficiency for an entity's internal control because it enables an entity to: 1. Consistently apply predefined business rules and perform complex calculations in processing large volumes of transactions or data. 2. Enhance the timeliness, availability, and accuracy of information. 3. Facilitate the additional analysis of information. 21 Generally, IT provides potential benefits of effectiveness and efficiency for an entity's internal control because it enables an entity to: 4. Enhance the ability to monitor the performance of the entity's activities and its policies and procedures. 5. Reduce the risk that controls will be circumvented. 6. Enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems. 22 § 60 IT also poses specific risks to an entity's internal control, including: 1. Reliance on systems or programs that are processing data inaccurately, processing inaccurate data, or both. 2. Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions. 3. Unauthorized changes to data in master files. 23 § 60 IT also poses specific risks to an entity's internal control, including: 4. Unauthorized changes to systems or programs. 5. Failure to make necessary changes to systems or programs. 6. Inappropriate manual intervention. 7. Potential loss of data or inability to access data as required. 24 • Integrated Approach – • Technology Risk & Assurance Division and Education Audit Division • TRA addresses IT General Controls significant to the CAFR • PeopleSoft FN • PeopleSoft HCM or ADP • P-Card Works (SAS 70 Review) • BANNER Model maintained by ITS • EAD addresses entity level controls and application (business process) controls related to BANNER 25 • Two Categories • General Controls • “Represent the foundation of the IT control structure. They ensure the reliability of data generated by IT systems and support the assertion that systems operate as intended and that output is reliable.” Wikipedia • Application Controls • “Fully-automated [controls] designed to ensure the complete and accurate processing of data from input through output.” Wikipedia 26 • General controls support the continued effectiveness of applications. • Application controls support the continued effectiveness of business processes. 27 • Categories of General Controls •Logical Access •Change Management •IT Operations 28 • Controls designed to manage access to applications based on business need. • “An entity must then establish sound policies and procedures for granting authorized users access while simultaneously protecting itself from unauthorized access.” • Mitigating IT Risks for Logical Access, ISACA Journal, Tommie W. Singleton, Ph.D., CISA, CGEIT, CITP, CMA, CPA 29 • General System Security Settings • Password Settings • Access to privileged IT functions is limited to appropriate individuals • Access to system resources and utilities is limited to appropriate individuals • User Access is authorized and appropriately established • Physical access to computer hardware is limited to appropriate individuals • Segregation of duties exists within the logical access environment. 30 • • • • • • • • Firewall Anti-Virus Software Malware & Spyware Auto Updates Time Out of Session Re-authentication Encryption Security Questions • Password Settings • Minimum Length (6-8 char) • Initial Log-on One Time Password • Password composition (alphanumeric / special characters) • Frequency of forced changes • Locked Accounts • Idle Session Time Out 31 • Security Administrators • Full Access • Access to System Utilities / Resources • Database tools • SQL Tools •Crystal Reports 32 • Initiation of Access Request • Standard access request forms • Standard requests by business role • Approval of Access Requests • Supervisor • Periodic Monitoring of Access & Access Logs • Removal of Access • Termination • Transfers 33 • • • • • Access to Data Center Access to Hardware Fire Suppression Temperature Control UPS (uninterruptible power supply) 34 • Performance of the following roles should be separate: • Requesting Access • Approving Access • Setting Up Access • Monitoring Access & Violations • Performing the rights of a privileged user • Monitoring the privileged user 35 • Changes to the application are: • Authorized • Tested • Approved • Monitored • Segregation of Duties within Change Management Functions 36 • Types of Changes • Updates • Functionality Changes vs. Report Changes • Bugs • Procedures • Required Approvals • Required Testing • Required Documentation • Monitoring • Ensure these procedures are operating effectively 37 • Performance of the following roles should be separate: • Request / approval of program development or program change • Development • Test the change • Move the programs in and out of production • Monitor program development and changes 38 • Financial data is backed-up and recoverable • Deviations from scheduled processing are identified and resolved in a timely manner • IT operations problems or incidents are identified, resolved, reviewed, and analyzed in a timely manner 39 • Procedures should include: • Format • Frequency and Retention Period • Location (on-site or off) • Testing •Monitoring 40 • Disaster Recovery • Returning to “normal” operations • Vendors for Equipment • Restoration Procedures • Key Personnel and Alternate Processes 41 • Batch Processes • Back-up Processes • Procedures should include: • Responsible official • Monitoring Process • Identification & Resolution Procedures • Documentation Requirements 42 • Procedures for ensuring IT issues are resolved in a timely manner include: • Process for alerting key officials of a problem • Method for analysis • Resolution procedures • Review of the resolution 43 Questions? 44