MnSCU Audit Reports

Presentation to the MnSCU Audit Committee

Office of the Legislative Auditor

September 21, 2004

Today’s Agenda

• Information technology audits – Presented by Eric Wion, IT Audit Director

• Internal control and compliance audits of selected colleges – Presented by Jim Riebe, Audit Manager

Why Audit Technology?

• Computer systems process and house data that is vital to MnSCU’s operations

– Integrity – inaccurate or incomplete data can lead to improper decisions

– Confidentiality – unauthorized disclosures can have significant legal implications and undermine public trust

– Availability – administrators and students now rely on 24/7 access

• Commercial products have many well-publicized vulnerabilities and are a prime target for hackers

• Audits provide management and the board an independent assessment of controls

Most Recent Audits

• Data Warehouse Controls

• Degree Audit Reporting and Course Applicability Systems (DARS and CAS)

• Information Technology Security Follow-up

• 4th audit that has focused on ISRS security controls

The Big Picture

• Progress has been made to resolve audit findings

– 2 Resolved

– 2 Significantly Resolved

– 4 Partially Resolved

• Shortcomings still exist

Insufficient Security Planning

• No comprehensive security program

– IT risks not assessed organization-wide

– Insufficient security staff

– Reactive, rather than proactive

– Excessive reliance on key IT professionals

• Underlying cause of security findings

(Diagram: security management cycle) Assess Business Risks → Define Policies & Procedures → Deploy Tools → Monitor Compliance With Policies

Documentation Shortcomings

• Lack of documentation causes a security infrastructure to erode over time

• Knowledgeable staff may leave

• Remaining people are afraid to touch anything security-related

Inappropriate Access

• People have security clearances that they do not need to fulfill their job duties

– Information technology professionals given excessive security clearances

– Software products have powerful security clearances that are not needed

* Our follow-up audit found significant improvement

Server Configuration Weaknesses

• Unnecessary “services”, often susceptible to exploit, have not been removed

• Security-related software patches have not been applied

Weak Authentication Processes

• Strong password controls not enforced

• Unencrypted passwords sent over networks or stored in files

Inadequate Monitoring

• Security-related events not defined, logged, or reviewed

• Compliance monitoring responsibilities not properly defined

– Information technology professionals

– Security staff

– Consultants

– Internal and external auditors

• Vulnerability assessment tools not deployed

Staffing Issues

• Often unclear who is responsible for making critical security decisions or performing critical security duties

• Insufficient number of staff dedicated to security

What Can A Trustee Do?

• Make security a priority

• Help management obtain more trained security professionals

• Encourage management to

– Adopt a formal security framework or model

– Assess risks and document detailed security policies, procedures, and standards for all major systems

– Utilize tools to monitor security and perform vulnerability assessments

• Ascertain that management has put processes, technology and assurance in place for information security

IT Audits - Q & A

Audits of Selected Colleges

• Audit Objectives

– Internal control

• Safeguarding assets

• Accuracy of accounting information

– Compliance with significant legal provisions

• State statutes

• Bargaining unit provisions

• Board policies

• Contract provisions

Audits of Selected Colleges

• Audit Scope

– Two or three year period ended June 30, 2003

– Limited program areas including

• Computer system access

• Tuition and fees

• Payroll

• Administrative expenditures

Audits of Selected Colleges

• Colleges Audited

– Central Lakes (2 year audit)

– Hibbing (3 year audit)

– Inver Hills (3 year audit)

– Itasca (2 year audit)

– Normandale (2 year audit)

– Riverland (3 year audit)

– St. Cloud Technical College (3 year audit)

Overall Conclusion

• Colleges included in our scope generally:

– Safeguarded assets

– Correctly recorded financial activity

– Complied with significant legal provisions

Key Finding

• Certain colleges need to ensure that access to computerized business systems is adequately restricted (3 colleges)

Other Findings

• Lack of adequate documentation supporting backdated registrations (2 colleges)

• Incompatible duties over payroll/personnel data entry

• Noncompliance with contracting and bidding requirements

• Noncompliance with board policy requiring written tuition waiver guidelines (3 colleges)

Questions