ACTION Agenda Item I ANNUAL AUDIT REPORT December 6, 2002


Recommendation

That the KCTCS Board of Regents receive the financial audit results for the fiscal year.

Rationale

The resolution approved by the Board of Regents in December 1998 accepting financial management of KCTCS as authorized by KRS 164A.570 requires that an annual financial audit be performed. The resolution states: The Kentucky Community and Technical College System Board of Regents elects to engage a qualified firm of certified public accountants for the purpose of submitting an independent opinion concerning the internal accounting controls and compliance with the provisions of KRS 164A.560, 164A.565, 164A.575, and 164A.620. The engagement of the qualified firm, scope of the audit, and report of findings shall be in accordance with the provisions of KRS 164A.570.

The independent opinion issued by Deloitte and Touche, LLP is an unqualified opinion. This opinion means that the KCTCS financial statements present fairly, in all material respects, the KCTCS financial position on June 30, The KCTCS financial statements and the audit firm's opinion letter are included in the document titled Annual Financial Report.

The audit firm also has reported that there are no weaknesses in the KCTCS internal controls considered to be material. The audit firm's management letter, the KCTCS response to the management letter, and other related correspondence from the audit firm are attached.

The audit firm also has audited the KCTCS major federal programs in compliance with the requirements of the U.S. Office of Management and Budget Circular A-133. That audit report is in the document titled Independent Auditors Reports for the Year Ended June 30, 2002, and Schedules Required by Government Auditing Standards and OMB Circular A-133 for the Year Ended June 30,

Background

Deloitte and Touche, LLP was selected through a competitive RFP process to perform the annual audit.

BANK RECONCILIATIONS

Observation

Bank account reconciliations were not performed on a timely basis during the year and were often prepared incorrectly without investigation of significant reconciling items. KCTCS's primary bank accounts (vendor and payroll) were not reconciled for the last several months before year end, due to a vacancy in the accounting department staff. We noted multiple reconciling items that were greater than one year old on the reconciliations that had been completed. The accounting staff were unable to identify the source or disposition of many of these old reconciling items, and they were written off as a charge or credit to operations at June 30, 2002 during the year end closing process. We also noted that there appeared to be no management review of any of the bank reconciliations.

Recommendation

KCTCS should create a template for all bank reconciliations to standardize the reconciliation process. The proper use of this template should be communicated to personnel and enforced. In addition, all reconciling items should be researched and resolved, and the general ledger should be adjusted on a timely basis. Bank reconciliations should be performed timely, including timely review by management. The accounting department staff should be adequately cross-trained so that the reconciliation process will continue in the event of employee absences. In addition, KCTCS management may want to review the nature of its numerous bank accounts and consider reducing the volume of the accounts to make the reconciliation process more manageable. We also suggest management investigate utilizing an automated reconciliation process for the primary vendor and payroll accounts to facilitate the reconciliation process.

KCTCS Response

KCTCS accounting issued a bank reconciliation template to colleges last year to resolve this issue as recommended during the FY 2001 audit. KCTCS will issue a revised business procedure (B.P. 3.7) applicable to colleges requiring submission of bank reconciliations by the 20th of each month for the previous month. This procedure will include a revised template and more detailed instructions to be followed to complete the bank reconciliation. Outstanding items that are two months old will be expensed to a college account by system accounting if the college has failed to resolve and clear the item. The procedure will require that the chief business officer of each college review and sign the reconciliation. In addition, the system accountant with bank reconciliation review responsibility will provide bank reconciliation status to the system comptroller during the monthly key indicator meetings to ensure that the reconciliations are being completed on a timely basis. The system comptroller and accounting management will review cash processes and accounts to determine how the reconciliation process can be more effective and efficient and to determine if the number of bank accounts can be reduced. Accounting department staff will be cross-trained to ensure that the bank reconciliation process continues in a timely manner.

ACCOUNT RECONCILIATIONS

Observation

The detail of various receivable accounts, accrued expense accounts, clearing accounts, and fixed asset accounts was not reconciled to the general ledger on a monthly/quarterly basis. This has resulted in delays in the year end closing process, as it became necessary for the accounting department to research a year of activity in these accounts in order to reconcile them to the general ledger balances and make necessary adjusting entries.

Recommendation

Formal procedures should be established for monthly account reconciliations, including the specific responsibilities of the various personnel involved.

KCTCS Response

KCTCS will revise the quarterly closing process to include a quarterly trial balance as a part of the closing. Additionally, system accounting staff will work with colleges so that the college will be able to reconcile balance sheet and clearing accounts on a regular basis. A quarterly ledger check process will be established and reported during the key indicator meetings with the system comptroller to ensure that account reconciliations are being completed on a timely basis.

SEGREGATION OF DUTIES

Observation

Account clerks at certain colleges have authority to both prepare and approve purchase requisitions. This lack of segregation of duties gives rise to the possibility of misuse of approval authority, which can result in inappropriate expenses charged to KCTCS.

Cashiers at certain colleges make daily deposits. Persons handling cash and in charge of endorsing all checks "For Deposit Only" at the time they are received should not make deposits, as this lack of segregation of duties provides the possibility of misappropriation of assets.

Recommendation

Management of the colleges' business office functions, in conjunction with the System's central office accounting and internal audit functions, should review the duties assigned to business office personnel to maximize segregation of duties given the number of personnel available and considering the risk of fraud or misappropriation.

KCTCS Response

A review of authority granted in the requisition process will be completed by the end of calendar 2002 by the system comptroller. The situation will be discussed with the chief business officers in the colleges where the audit observation was made. A communication with all business officers to reinforce the separation of duties procedure will be issued by the comptroller. The internal auditors will continue their review of these and any other areas for separation of duties conflicts and detail any findings in their internal audit reports.

FIXED ASSETS

Observation

Property, plant and equipment additions, deletions and transfers are not recorded in a timely manner in the general ledger, which has resulted in certain fixed assets being recorded in an incorrect period. In addition, KCTCS personnel do not maintain a detail of projects included in the general ledger account, construction in process.

Recommendation

The fixed assets department and the accounting department should work together closely to ensure all transactions are properly recorded on a timely basis in both the general ledger and the fixed assets system. Formal cut-off procedures should be established for fixed assets. Internal audit should be involved in testing these procedures at year end.

KCTCS Response

KCTCS anticipated that the interface of the asset management module in PeopleSoft to the general ledger would correct these problems during FY However, the interface has not worked as well as anticipated. While some problems have recently been resolved, the remaining problems will be resolved during FY A monthly purchase order receiving report from PeopleSoft financials will be run by facilities management staff for follow up with colleges to ensure that capital assets are added to the asset management module in a timely manner. In addition, the annual closing instructions will be changed to include instructions to ensure that fixed assets received during June will be posted to the asset management module and the general ledger during the correct fiscal year. A new business procedure (B.P. 2.2) will be issued to ensure that the fixed asset inventory is completed and reconciled on a timely basis prior to year end. Periodic meetings between facilities management staff and accounting staff will be held during the year to ensure proper implementation.

USE OF FUND ACCOUNTING

Observation

KCTCS operates as a Business Type Activity (BTA), as defined in Governmental Accounting Standards Board (GASB) Statement No. 35, Basic Financial Statements and Management's Discussion and Analysis for Public Colleges and Universities. As a BTA, KCTCS reports its financial activities as a single fund, and its external financial statements are similar to those of a commercial enterprise. The current financial accounting system is designed to account for the System's activities on a fund accounting basis. This requires the Accounting Department to convert the financial statement information from a fund accounting basis presentation to a BTA basis presentation for external financial reporting. Maintaining the fund accounting basis also adds to the complexity of the KCTCS account coding.

Recommendation

KCTCS should investigate the necessity of maintaining the accounts on the fund accounting basis. We understand the PeopleSoft financial accounting module is capable of providing information needed to account for restrictions on funding sources in a single fund. Use of a single fund would simplify the financial statement preparation process.

KCTCS Response

Currently, KCTCS is using PeopleSoft Financials (public sector version 7.5), which is based on fund accounting methodology. Plans to implement version 8.4 or 8.8 are tentatively scheduled for July Both of these versions are combined for both commercial and public sectors. A workgroup composed of system and college financial, business, and budget staffs will review the possibility of changing methodologies before upgrading to the new versions. Input will be obtained from other higher education institutions that have already changed to single fund accounting. During the interim period, a review of accounts, including cash and asset accounts, will be conducted to streamline the account structure.

ACCOUNTING RESOURCES

Observation

The Central Office accounting department appeared to be somewhat overwhelmed during the year end closing process, and the year end closing was delayed approximately thirty days. Also, as noted above, certain critical reconciliation processes were not done throughout the year.

Recommendation

Some of the delay in closing can be attributed to the implementation of the new reporting requirements of GASB No. 35. However, we suggest KCTCS management review the current central office accounting department staffing in light of work load requirements, giving due consideration to required skill sets, ability to meet deadlines in peak activity periods, and the need for accuracy in the monthly, quarterly and year end closing processes.

KCTCS Response

The vice president for finance and the system comptroller will review system accounting personnel and assignments following completion of the audit. This review will result in more effective and efficient processes throughout the accounting department. The year end closing schedule will be modified to include deadlines for the accounting staff for the closing process. Also, it is anticipated that the experience gained during this audit will assist in preparing future closings based on GASB 35.

PEOPLESOFT STUDENT FINANCIAL AID SYSTEM CONTROLS

Observation

Through examination of the security and job processing controls of the PeopleSoft Student Financial Aid system, the following concerns were identified:

- Analysis of the PeopleSoft security privileges that allow users to modify individual financial aid types and awards data found that seventy-four (74) of the two-hundred thirty-one (231) personnel that have been given this access do not need it to perform current job responsibilities.

- The PeopleSoft Mass Packaging job has been created for financial aid administrators to allow for the batch processing of financial aid information. Formal controls to ensure that any batch processing errors are identified and resolved have not been developed.

Recommendation

KCTCS should consider further restricting the ability to modify individual financial aid types and awards to only personnel who need it to complete current job responsibilities. Also, formal controls should be established that provide Student Financial Aid management the ability to identify and review all batch processing errors to ensure they have been resolved in a timely and effective manner.

KCTCS Response

KCTCS has reviewed the list of 231 personnel with this security privilege. There were 74 individuals identified as granted this level of access which was not necessary in order for them to perform their current job responsibilities. The 74 individuals will have this security access removed. PeopleSoft 8 will provide additional security features that will allow KCTCS to even further restrict this level of access to fewer staff members.

Beginning July 1, 2002, KCTCS instituted a formal control process to identify and review all batch processing errors to ensure they have been resolved in a timely and effective manner. The batch processes are generally run each Saturday evening. A PeopleSoft maintenance report is run to identify such errors, and a list of all batch processing errors is sent to the appropriate college for correction by the following Monday. A follow-up review is conducted to ensure all colleges have corrected these errors in a timely manner.

PEOPLESOFT STUDENT ADMINISTRATION SECURITY

Observation

Within the Student Administration module of PeopleSoft, the SASYSADM operator class grants full administrative privileges over system functions and data. Currently twenty (20) KCTCS personnel have been included in the SASYSADM class.

Recommendation

Management should evaluate the current access privileges to the PeopleSoft Student Administration module, and in particular the SASYSADM operator class, and ensure that all access is necessary and consistent with current job responsibilities.

KCTCS Response

KCTCS will evaluate the current holders of the SASYSADM operator class. Although some changes may result from that evaluation, the total number of persons holding that class will probably not be reduced. The 20 persons that hold the class are 8 system developers, 4 system level financial aid and student financial officers, 2 student affairs officers, 2 security officers, 2 system level trainers, and 2 persons charged with correcting duplicate student entries. All of these employees need this access to do their jobs. Critical fields are audited so that changed data and the person who changed the data can be tracked. This arrangement has worked well for KCTCS since the inception of the KCTCS Student System in Fall No data problems or administrative irregularities have occurred during that period.

As part of the implementation of PeopleSoft 8, the SASYSADM operator class will be separated into functional components. The components are enrollment services, student financials, and financial aid. The SASYSADM operator class will be removed after the enrollment services (ESSYSADM), student financials (SFSYSADM), and financial aid (FASYSADM) permission lists are created. These permission lists will be assigned to PeopleSoft "roles" as deemed necessary to perform their business function. For example, the director of financial aid would only need the FASYSADM permission list assigned to his role and less powerful "read-only" permissions assigned to see student financial and enrollment services information.
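The two access reviews above (the 231 holders of the financial aid award-modification privilege, of whom 74 did not need it, and the 20 holders of SASYSADM) are the same exercise: reconcile each grant against what the holder's job role actually requires. The script below is an added example, not from the audit report or from KCTCS; the user ids, role names, privilege names other than SASYSADM, and the role-to-privilege entitlement map are constructed sample data, and the output is the list of grants a reviewer would schedule for removal.

```python
"""Least-privilege review of privileged grants against job-role entitlements.

Added example, not from the audit report or KCTCS. Sample grants, role names
and the entitlement map are constructed; SASYSADM is the only name from the
report. A grant is 'excess' when the holder's role does not need the privilege,
and an unknown role (e.g. a departed employee) needs nothing by definition.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Privileges each job role legitimately needs (constructed assumption; the
# report lists the roles holding SASYSADM but not their entitlement rules).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "system_developer": {"SASYSADM"},
    "financial_aid_officer": {"SASYSADM", "FA_AWARD_MODIFY"},
    "student_affairs_officer": {"SASYSADM"},
    "security_officer": {"SASYSADM"},
    "trainer": {"SASYSADM"},
    "duplicate_record_cleanup": {"SASYSADM"},
    "college_registrar": {"FA_AWARD_VIEW"},
    "college_cashier": set(),
}


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    privilege: str


def excess_grants(grants: Iterable[Grant],
                  entitlements: Dict[str, Set[str]] = ROLE_ENTITLEMENTS) -> List[Grant]:
    """Return the grants whose privilege is not required by the holder's role."""
    excess = []
    for g in grants:
        needed = entitlements.get(g.role, set())  # unknown role -> needs nothing
        if g.privilege not in needed:
            excess.append(g)
    return excess


def review_summary(grants: Iterable[Grant], privilege: str) -> dict:
    """Count holders of one privilege and list those who should lose it."""
    holders = [g for g in grants if g.privilege == privilege]
    excess = excess_grants(holders)
    return {
        "privilege": privilege,
        "holders": len(holders),
        "excess": len(excess),
        "revoke": sorted((g.user, g.role) for g in excess),
    }


# Constructed extract of a security table: (user, role, privilege).
SAMPLE_GRANTS = [
    Grant("dev01", "system_developer", "SASYSADM"),
    Grant("fa01", "financial_aid_officer", "SASYSADM"),
    Grant("fa01", "financial_aid_officer", "FA_AWARD_MODIFY"),
    Grant("sec01", "security_officer", "SASYSADM"),
    Grant("reg07", "college_registrar", "FA_AWARD_MODIFY"),  # role only needs view
    Grant("cash03", "college_cashier", "FA_AWARD_MODIFY"),   # no need at all
    Grant("cash03", "college_cashier", "SASYSADM"),          # no need at all
    Grant("ghost", "former_employee", "FA_AWARD_MODIFY"),    # role no longer exists
]

if __name__ == "__main__":
    for priv in ("SASYSADM", "FA_AWARD_MODIFY"):
        print(review_summary(SAMPLE_GRANTS, priv))
```

Run periodically against the real security tables, the same comparison is what keeps the count of SASYSADM holders from drifting upward between audits.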

WINDOWS NT ACCESS SECURITY

Observation

The Windows NT KCTCS domain, which is used for general access to the KCTCS network, has sixty-two (62) active NT accounts with ACCOUNT OPERATOR privileges. These privileges grant users limited administrative privileges.

Recommendation

KCTCS has indicated that the future implementation of Microsoft Active Directory will allow these access privileges to be further restricted. Until the implementation of Active Directory, management should consider reviewing each of the accounts noted above to verify the appropriateness of their current system privileges. Once Active Directory is implemented, security administrators should take steps to ensure that the ACCOUNT OPERATOR privilege is only granted to individuals that need it to perform current job responsibilities.

KCTCS Response

KCTCS changed environments during FY 2002 to an application service provider (ASP), Crestone International, as a critical first step in implementing changes recommended in the FY 2001 audit. These issues will be fully resolved when KCTCS implements PeopleSoft 8 and Active Directory and has the ability to decentralize the appropriate portions of the security environment rather than having to give all system administration rights to local administrators or give none. The hardware is being installed for this implementation and a project plan is in place to bring up the first phase of Active Directory in December Since KCTCS has over 60 sites on the network, until Active Directory is in place, KCTCS must provide technical staff at colleges access to the system to respond to local needs. Active Directory is scheduled to be completed in January 2003 and PeopleSoft 8 is scheduled to be completed in June

USER ACCOUNT AND PASSWORD SECURITY

Observation

The following concerns regarding the user account and password security controls in the Windows NT and PeopleSoft environments were identified.

Windows NT KCTCS Domain (general access to the KCTCS network)

- Passwords are not set to expire.

PeopleSoft

- Passwords can be 1 character in length.

- Passwords are not set to expire.

- User accounts do not become locked after a certain pre-determined number of unsuccessful login attempts.

(The above concerns are limitations of PeopleSoft 7.5 that are addressed in PeopleSoft 8.0.)
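The following script is an added example, not from the audit report or from KCTCS, that encodes the PeopleSoft 7.5 settings observed above and the PeopleSoft 8 settings KCTCS commits to in its response, and checks each against the best-practice levels in the recommendation that follows. Because the recommendation's expiration figure is missing from the page, the baseline's 90-day expiry is an assumption taken from the KCTCS response; the class and function names are the example's own.

```python
"""Account and password settings checked against a baseline.

Added example, not from the audit report or KCTCS. PEOPLESOFT_75_OBSERVED
and PEOPLESOFT_8_PLANNED are the settings the report describes; BASELINE
uses the recommendation's minimums, with a 90-day expiry assumed from the
KCTCS response. None means the control is not enforced at all.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    expiry_days: Optional[int]        # None: passwords never expire
    history: int                      # previous passwords that cannot be reused
    lockout_threshold: Optional[int]  # None: accounts never lock


BASELINE = PasswordPolicy(min_length=6, expiry_days=90, history=6, lockout_threshold=3)
PEOPLESOFT_75_OBSERVED = PasswordPolicy(min_length=1, expiry_days=None, history=0,
                                        lockout_threshold=None)
PEOPLESOFT_8_PLANNED = PasswordPolicy(min_length=8, expiry_days=90, history=6,
                                      lockout_threshold=3)


def findings(policy: PasswordPolicy,
             baseline: PasswordPolicy = BASELINE) -> List[Tuple[str, object, object]]:
    """Settings weaker than the baseline, as (setting, observed, required)."""
    out: List[Tuple[str, object, object]] = []
    if policy.min_length < baseline.min_length:
        out.append(("min_length", policy.min_length, baseline.min_length))
    # A longer lifetime is weaker; never expiring is always a finding.
    if baseline.expiry_days is not None and (
            policy.expiry_days is None or policy.expiry_days > baseline.expiry_days):
        out.append(("expiry_days", policy.expiry_days, baseline.expiry_days))
    if policy.history < baseline.history:
        out.append(("history", policy.history, baseline.history))
    # A higher threshold allows more guesses; never locking is always a finding.
    if baseline.lockout_threshold is not None and (
            policy.lockout_threshold is None
            or policy.lockout_threshold > baseline.lockout_threshold):
        out.append(("lockout_threshold", policy.lockout_threshold,
                    baseline.lockout_threshold))
    return out


def meets_baseline(policy: PasswordPolicy, baseline: PasswordPolicy = BASELINE) -> bool:
    return not findings(policy, baseline)


def password_accepted(candidate: str, previous: List[str], policy: PasswordPolicy) -> bool:
    """Apply the policy's length and reuse rules to a proposed new password.

    `previous` is the user's password history, oldest first; only the last
    `policy.history` entries are blocked, and history 0 blocks nothing."""
    if len(candidate) < policy.min_length:
        return False
    recent = previous[-policy.history:] if policy.history > 0 else []
    return candidate not in recent


if __name__ == "__main__":
    for name, pol in (("PeopleSoft 7.5 observed", PEOPLESOFT_75_OBSERVED),
                      ("PeopleSoft 8 planned", PEOPLESOFT_8_PLANNED)):
        print(name, "meets baseline" if meets_baseline(pol) else findings(pol))
```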

Recommendation

Management should define and implement formal policies concerning user account and password security and ensure that they are consistent with overall Information Technology security policies. With regard to PeopleSoft, these security policies should be activated with the implementation of PeopleSoft v8.0. These security settings should include the following best practice security levels:

Minimum Password Length: 6 characters
Password Expiration: Every days
Password History: Users cannot re-use their last 6 passwords
Account Lockout: Accounts become indefinitely locked after 3 unsuccessful login attempts

KCTCS Response

KCTCS changed environments during FY 2002 to an application service provider (ASP), Crestone International, as a critical first step in implementing changes recommended in the FY 2001 audit. These issues will be fully resolved with the implementation of the Active Directory and PeopleSoft 8. These projects are scheduled to be completed in January 2003 and June 2003, respectively. In PeopleSoft 8, the password length will be eight characters or more, passwords will expire in 90 days, users will not be able to reuse their last six passwords, and accounts will be locked after 3 unsuccessful login attempts. The Active Directory will be used with similar security levels to authenticate student self-service use of PeopleSoft 8 features.

INFORMATION TECHNOLOGY HELP DESK

Observation

KCTCS IT support personnel currently utilize Microsoft Outlook mailboxes to collect and address user support requests for the PeopleSoft Student Administration module and the RDM Database system. Analysis of the controls associated with this process yielded the following concerns:

- The Microsoft accounts do not provide a satisfactory way of tracking all open or unresolved support requests that have been submitted. Currently, the only way to quickly identify an unresolved request is if an e-mail has not been opened.

- The current help desk tools do not provide methods for management to easily summarize and review all help desk support requests in order to identify common problems or trends.

- Various PeopleSoft support requests, for all modules, are made directly to PeopleSoft Tech Leads and are not formally documented by help desk personnel.

- Current KCTCS procedures call for all support request resolutions to be clearly documented within outgoing help desk e-mails to users. Upon review of the RDM help desk account, these resolutions are not being documented consistently.

Recommendation

The KCTCS IT department is considering the purchase of a new help desk software application that would provide all of the necessary functionality to address the above control concerns. Management should support the acquisition of this type of software or the implementation of more robust help desk controls.

KCTCS Response

KCTCS has identified and is purchasing software that will provide the required functionality. KCTCS has a combined help desk for PeopleSoft applications and reporting system. KCTCS believes that the help desk is adequately staffed to respond to user concerns. KCTCS does not believe that any support requests are being left unresolved; feedback from users has been excellent.

PCANYWHERE

Observation

pcAnywhere is a software product that can be loaded onto a personal computer or server and be used to dial into that machine from a remote computer. KCTCS IT administrators currently utilize pcAnywhere to gain remote access to Windows servers and a limited number of personal computers on the KCTCS network. Given the nature of the KCTCS network, these Windows servers are not protected by a firewall or other levels of network security. Additionally, the standard security configurations (including the use of encryption and passwords) for pcAnywhere have not been formally documented and consistently utilized when installing the software.

Recommendation

Despite the enhanced remote access granted by this tool, management should evaluate the use of pcAnywhere as a method to gain remote access to the KCTCS information systems. If the decision to use this product is made, the current procedures for requesting, approving, and installing this software should be formalized and documented to maximize the configuration of controls and control procedures. A formal awareness policy to inform users and support staff of the risks of using the software should also be implemented.

KCTCS Response

KCTCS will eliminate the use of pcAnywhere. A state-supplied Virtual Private Network (VPN) with two levels of security, individual and group, will allow all present users of pcAnywhere to gain remote access to the KCTCS information systems with improved security. All present pcAnywhere users will have VPN access by December
