University System of Maryland Bowie State University

Transcription

1 Audit Report University System of Maryland Bowie State University December 2004 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND GENERAL ASSEMBLY

2 This report and any related follow-up correspondence are available to the public. Alternate formats may also be requested by contacting the Office of Legislative Audits as indicated at the bottom of the next page or through the Maryland Relay Service at Please address specific inquiries regarding this report to the Audit Manager listed on the inside back cover by telephone at (410) Electronic copies of our audit reports can be viewed or downloaded from the Internet via The Department of Legislative Services Office of the Executive Director, 90 State Circle, Annapolis, Maryland can also assist you in obtaining copies of our reports and related correspondence. The Department may be contacted by telephone at (410) or (301)

3 December 22, 2004 Senator Nathaniel J. McFadden, Co-Chair, Joint Audit Committee Delegate Charles Barkley, Vice-Chair, Joint Audit Committee Members of Joint Audit Committee Annapolis, Maryland Ladies and Gentlemen: We have audited Bowie State University (BSU) for the period beginning January 8, 2001 and ending January 12, Our audit disclosed that BSU had not established adequate procedures to ensure that collections initially received were adequately controlled, accounted for, and deposited. Additionally, BSU violated University System of Maryland (USM) policy applicable to students with past due account balances and did not always transfer delinquent student accounts to the Department of Budget and Management s Central Collection Unit timely. We also noted that BSU procured certain goods and services, including bus purchases totaling $750,000, in a manner that limited competition and violated USM policy. Additionally, numerous computer security weaknesses were noted. For example, these weaknesses could allow critical financial information to be inappropriately compromised, and BSU did not have a complete disaster recovery plan. Furthermore, corporate purchasing card activity was not always adequately documented and was not in compliance with established policies and procedures. Finally, various internal control weaknesses and other procedural deficiencies were noted in the areas of purchases and disbursements, student financial aid, residency status determinations, information systems security, payroll, equipment, and working funds. Respectfully submitted, Bruce A. Myers, CPA Legislative Auditor

4 2

5 Table of Contents Executive Summary 5 Background Information 7 Agency Responsibilities 7 Current Status of Findings from Preceding Audit Report 7 Findings and Recommendations 9 Cash Receipts * Finding 1 BSU Had Not Established Procedures to Ensure that Certain 9 Collections Were Properly Controlled and Deposited Timely Student Accounts * Finding 2 BSU Did Not Always Take Appropriate Action to Collect 10 Outstanding Balances and Reconciliations of Student Accounts Receivable Records Were Not Performed Finding 3 Independent Verifications of Financial Aid Awards and 11 Student Residency Status Were Not Performed Purchases and Disbursements * Finding 4 Proper Internal Control Was Not Established Over the 12 Processing of Certain Disbursement Transactions Finding 5 BSU Did Not Always Procure Goods and Services in 13 Accordance with Established Policies Information Systems Security and Control Finding 6 The Computer Network Was Not Adequately Secured 15 Finding 7 BSU Did Not Have Adequate Plans Addressing Information 16 Systems Security and Disaster Recovery Finding 8 Certain Critical Operating Aspects of BSU s Financial 17 System Were Not Sufficiently Controlled Finding 9 System Accounts, System Passwords, and Program Services 18 Were Not Adequately Controlled On Three Critical Servers * Finding 10 Account, Password, and Monitoring Controls Over Critical 18 Applications Were Inadequate * Denotes item repeated in full or part from preceding audit report. 3

6 Finding 11 The Internal Computer Network Was Not Adequately 19 Protected Because of Software Vulnerabilities Corporate Purchasing Cards Finding 12 Internal Control Over Corporate Purchasing Card Usage 20 Was Inadequate and Established Purchasing Card Policies and Procedures Were Not Always Complied With Payroll Finding 13 Proper Internal Control Was Not Established Over BSU s 21 Payroll Equipment * Finding 14 Equipment Was Not Adequately Controlled and Equipment 22 Balances Were Not Accurately Reported Working Fund Finding 15 Controls Over Internal Working Funds Were Inadequate 23 and BSU Did Not Adequately Prepare Bank Reconciliations and Fund Compositions Audit Scope, Objectives, and Methodology 25 Agency Response Appendix * Denotes item repeated in full or part from preceding audit report. 4

7 Executive Summary Legislative Audit Report on Bowie State University (BSU) December 2004 BSU had not established procedures to ensure that collections initially received and recorded at various campus locations were adequately controlled prior to deposit and deposited timely. Also, BSU did not verify that the State Treasurer s Office (STO), on behalf of BSU, received credit from credit card companies for student credit card payments. Independent verifications should be performed to ensure that collections received by various campus locations are subsequently forwarded to the student accounts office for deposit, and that collections are deposited timely. Additionally, BSU should agree credit card payments to credits subsequently received by STO. BSU violated University System of Maryland (USM) policy by permitting students with prior or current semester past due balances to attend classes and did not transfer delinquent student accounts to CCU in accordance with specific regulations established by CCU for BSU BSU should pursue the collection of delinquent accounts in accordance with established USM policy and forward accounts to CCU timely. Independent verifications were not performed to ensure that financial aid awards were properly posted to student accounts and that student residency status determinations were proper. BSU should establish procedures to independently verify the propriety of financial aid awards and student residency status determinations recorded in student accounts. Proper internal control was not established over certain purchasing and disbursement transactions. BSU should fully use the security features available on FMIS and limit access to its automated accounting system to only current employees whose job responsibilities require such access. BSU procured certain goods and services, included bus purchases totaling $750,000, in a manner that limited competition and violated USM s Procurement Policies and Procedures. 5

8 BSU should comply with USM Procurement Policies and Procedures and ensure quotations are solicited from a reasonable number of vendors to foster competition. Numerous security and control deficiencies were noted with regard to BSU s information systems. For example, key applications, such as financial information, could be inappropriately compromised and account password and monitoring controls were inadequate. In addition, BSU did not have a formal information systems security policy and a current, complete disaster recovery plan. BSU should take the recommended actions to improve controls and security. BSU should also prepare a formal information systems security policy and disaster recovery plan. BSU had not established adequate internal control over corporate purchasing card usage and did not always comply with established policies and procedures. For example, certain charges were not adequately supported by vendor invoices and approved by supervisory personnel. BSU should establish adequate controls over corporate purchasing cards and related usage by complying with the Comptroller of the Treasury s and BSU s established policies. A $500 change fund plus an estimated $850 in proceeds from ticket sales to sporting events had been stolen, but the theft had not been reported to the proper authorities as required by an October 1996 Governor s memorandum. Also, periodic independent counts of petty cash funds were not performed, bank reconciliations and working fund compositions were not prepared timely, and outstanding advances were not adequately pursued for repayment. BSU should report the theft to the proper authorities in accordance with the Governor s memorandum, periodically perform independent counts of petty cash funds advanced to departments, prepare bank reconciliations and compositions of the working fund timely, and initiate collection efforts to obtain reimbursement for the outstanding advances. Internal control and recordkeeping deficiencies were noted in the areas of payroll and equipment. BSU should take the recommended actions to improve controls in these areas. 6

9 Agency Responsibilities Background Information Bowie State University (BSU) is a comprehensive public institution of the University System of Maryland and operates under the jurisdiction of the System s Board of Regents. BSU is a regional university that provides a broad range of baccalaureate programs in such fields as natural and behavioral sciences, information technology, and mathematics, as well as selected professionallyoriented graduate programs, including a doctoral level program in educational leadership. Student enrollment for the Fall 2003 semester totaled 5,454, including 3,988 undergraduate students and 1,466 graduate students. Current Status of Findings From Preceding Audit Report Our audit included a review to determine the current status of the findings contained in our preceding audit report dated September 28, We determined that BSU satisfactorily addressed one of the seven findings. The remaining six findings are repeated in this report, two of which have been combined into one finding. 7

10 8

11 Findings and Recommendations Cash Receipts Finding 1 BSU had not established procedures to ensure that certain collections were properly controlled and deposited timely. Analysis Certain collections initially received by BSU were not adequately controlled and deposited in a timely manner. Checks initially received by one campus location subsequent to July 2003 were not restrictively endorsed immediately upon receipt. Additionally, this location and two other campus locations had not implemented procedures to independently verify that recorded collections were subsequently transferred to the student accounts office for further processing and deposit. According to BSU s records, collections initially received by these three locations totaled approximately $4.9 million during fiscal year A similar condition was commented upon in our two preceding audit reports. Our test of 15 days receipts, totaling $191,845, collected at three campus locations during fiscal years 2003 and 2004, disclosed that 4 days receipts, totaling $60,373, were not forwarded to BSU s student accounts office timely. Specifically, these funds were not forwarded for deposit for periods ranging from three to eight business days after they were received. A similar condition was commented upon in our preceding audit report. BSU had not verified that the State Treasurer s Office, on BSU s behalf, received credit for credit card payments (such as for tuition) made since August The Comptroller of the Treasury s Accounting Procedures Manual requires that an employee independent of the cash receipts function trace collections from initial point of recordation to the related validated deposit slips, and that receipts be deposited no later than the first business day after receipt. 9

12 Recommendation 1 We recommend that checks be restrictively endorsed immediately upon receipt. We also again recommend that employees independent of the cash receipts function verify that collections recorded by campus locations were subsequently forwarded to the student accounts office for deposit, and that these verifications be documented. Additionally, we again recommend that BSU ensure that all collections received are deposited in a timely manner. Finally, we recommend that BSU verify credit card payments to subsequent credits received by the State Treasurer s Office. We advised BSU on accomplishing the necessary separation of duties using existing personnel. Student Accounts Finding 2 BSU did not always take appropriate action to collect outstanding student account balances, and periodic reconciliations of student accounts receivable records were not performed. Analysis BSU did not adequately pursue the collection of certain outstanding student accounts receivable prior to submitting these accounts to the Department of Budget and Management s Central Collection Unit (CCU), and periodic reconciliations of these records were not performed. We tested 20 student accounts with delinquent outstanding account balances totaling $112,738, as of December Our test disclosed that BSU permitted 7 students with outstanding balances to attend classes even though the outstanding balances were not covered by a University System of Maryland (USM) policy exemption (such as pending financial aid). Specifically, 3 of these students had prior semester outstanding balances totaling $7,549, and the other 4 students had current semester unpaid balances totaling $11,717 after completing registration. Our test also disclosed that BSU did not always transfer delinquent student accounts to CCU in accordance with BSU s approved deviation from CCU policy. Although the 20 delinquent student accounts tested were transferred to CCU on December 24, 2003, 5 of these accounts, totaling $33,638, were transferred 12 to 17 months after the required transfer dates. A similar 10

13 condition concerning the transfer of delinquent accounts to CCU was commented upon in our preceding audit report. BSU had not reconciled the aggregate balance of its detail student accounts receivable records with the corresponding control account balance during our audit period. As of January 8, 2004, the aggregate balance of the detail records (approximately $14.1 million) exceeded the control account balance (approximately $12.8 million) by approximately $1.3 million. A similar condition concerning the reconciliation of student accounts receivable records was commented upon in our preceding audit report. USM Board of Regents policy states that tuition and fees are due and payable in full by the stipulated due date unless the student is covered by a specified exemption, and requires that appropriate administrative action (such as barring class attendance) be initiated if timely payment is not received. CCU regulations, as amended for BSU, require that each semester s delinquent accounts be transferred to CCU at the end of the late registration period for the subsequent semester. According to BSU s records, student accounts receivable totaled approximately $14.1 million as of January 8, 2004, of which approximately $2.4 million was at least 90 days old. Recommendation 2 We recommend that BSU pursue the collection of outstanding accounts in accordance with established USM policies. Additionally, we again recommend that BSU forward accounts to CCU in accordance with CCU s regulations, as amended for BSU. Furthermore, we again recommend that BSU periodically reconcile the aggregate balance of its detail student accounts receivable records with the corresponding balance recorded in the control account, that any differences identified be promptly investigated and resolved, and that this reconciliation process be documented. Finding 3 Independent verifications of the propriety of financial aid awards and student residency status determinations recorded in the student records were not performed. Analysis Independent verifications were not performed to ensure the propriety of financial aid awards and student residency status determinations recorded in the student 11

14 records. As a result of these deficiencies, errors or irregularities in the posting of student records could occur without detection. Six financial aid employees could individually record the amount of financial aid to be awarded to each student in BSU s automated financial aid records. Financial aid awards were subsequently posted to the student accounts receivable records via an automated interface. However, an employee independent of the financial aid award process did not compare financial aid posted to student accounts with supporting source documents (such as the students acknowledgement letters accepting the awards). Additionally, admissions office supervisors verified the propriety of each student s residency status recorded by an admissions clerk in the automated student records by reviewing the information reflected on the student s admission application. However, these supervisors were not independent as they also had the ability to record and modify a student s residency status. According to BSU s records, during fiscal year 2003, financial aid awarded to students totaled approximately $27.5 million. Full-time undergraduate tuition charges for the academic year totaled $2,609 for Maryland residents and $6,792 for non-residents a difference of $4,183. Recommendation 3 We recommend that supervisory employees, independent of the student financial aid award and student residency status determination processes, verify, at least on a test basis, the propriety of the award amounts and residency status determinations posted to the student records. We advised BSU on accomplishing the necessary separation of duties using existing personnel. Purchases and Disbursements Finding 4 BSU had not established proper internal controls over the processing of certain disbursement transactions. Analysis Internal control over the processing of certain disbursement transactions was not adequate. While BSU primarily processes transactions through their internal automated accounting system (PeopleSoft), which interfaces with the State s 12

15 Financial Management Information System (FMIS), BSU also has the ability to process transactions directly in FMIS. During our review, we noted the following conditions: BSU did not fully use the security features available on FMIS to restrict user access and prevent unauthorized purchase and disbursement transactions. Specifically, one employee could both initiate and process certain disbursement transactions without being subject to independent approval and could release disbursement transactions to the Comptroller of the Treasury General Accounting Division for payment. During fiscal year 2004, this employee initiated and approved disbursement transactions totaling approximately $400,000. A similar situation was commented upon in our two preceding audit reports. BSU did not sufficiently control access to its automated accounting system. Specifically, two employees had the ability to modify critical purchasing and disbursement transactions even though their job duties did not require such access. Additionally, as of June 2004, five individuals who had terminated employment with BSU between August 2003 and April 2004 still had active userids on the automated accounting system. Recommendation 4 We again recommend that BSU fully use the available FMIS security features by establishing independent on-line approval requirements for all critical disbursement transactions. We also recommend that BSU limit access to its automated accounting system to only those employees whose job responsibilities require such access and that userids be deleted immediately upon employee termination. We advised BSU on accomplishing the necessary separation of duties using existing personnel. Finding 5 BSU did not always procure goods and services in accordance with established policies. Analysis BSU did not procure certain goods and services in accordance with established USM policies and procedures: BSU awarded a contract, totaling approximately $750,000, in a manner that limited competition. Specifically, in April 2003, BSU issued a request for 13

16 proposal (RFP) for the purchase of three previously-owned buses. On May 13, 2003, BSU amended the RFP and requested bidders to also submit prices for new buses. However, bids were still required to be submitted by the original May 20, 2003 due date. Consequently, prospective bidders may not have had sufficient time to submit new or modified bids in response to the addendum. Ultimately, only one vendor submitted a bid that BSU deemed acceptable, and BSU purchased two new buses and one previously owned bus from this vendor. In August 2003, BSU purchased dormitory furniture from a vendor, for approximately $92,000, without soliciting bids or determining if such furniture was available from State Use Industries. In April 2003, BSU awarded a contract, of approximately $27,000, to a vendor to initiate the search for a new athletic director without soliciting bids. BSU management personnel were unable to explain why other vendors were not afforded the opportunity to submit bids for this service and could not provide documentation to support this sole source procurement. As a result of these deficiencies, assurance was lacking that the best possible prices were obtained for the goods and services purchased. USM s Procurement Policies and Procedures require that bid due dates be adjusted to ensure bidders are afforded sufficient time to consider information contained in solicitation addenda. Furthermore, USM s Procurement Policies and Procedures require that, for purchases between $5,000 and $100,000, quotations be solicited from a reasonable number of vendors to foster competition. State law also requires BSU to purchase supplies and services from State Use Industries to the maximum extent practicable. Recommendation 5 We recommend that BSU comply with the aforementioned USM s Procurement Policies and Procedures. Information Systems Security and Control BSU s Office of Information Technology provides information technology support to BSU by the implementation and maintenance of campus-wide administrative applications, including the Financial and Student Administration systems. The Office also operates an integrated administrative and academic computer network, which provides connections to multiple servers used for 14

17 administrative and academic purposes. The campus network also includes separate and file servers and connectivity to the Internet, as well as multiple campus websites that function as entry points into many of BSU s services. Finding 6 The computer network was not adequately secured. Analysis Key administrative systems (for example, the Student Administration system) were not adequately protected from both internal and external exposures: Numerous publicly accessible server systems were located on the internal network rather than being placed into a separate network zone to minimize security risks. These systems included web servers supporting critical financial and student administration applications. These publicly accessible servers, which could potentially be compromised, exposed the internal network to attack from external sources. Untrusted portions of BSU s network (such as student dormitories and computer labs) could access administrative computers running critical applications. Protecting critical administrative portions of BSU s network from untrusted portions of the network by use of proven security measures (for example, a properly configured firewall) is essential in ensuring the integrity of the administrative applications. BSU s Internet firewall allowed various types of insecure connections to the internal network, thereby exposing the network to security risks. Accordingly, critical network data, programs, and administrative systems were susceptible to attacks, which could result in a loss of data integrity, the destruction of critical files, and the interruption of critical network services. Recommendation 6 We recommend that BSU take the necessary actions to protect its key administrative systems. We made detailed recommendations to BSU which, if implemented, should provide for adequate security over the described network components. 15

18 Finding 7 BSU did not have adequate procedures addressing information systems security and disaster recovery. Analysis BSU s plans and policies did not adequately address critical issues involving information systems security and recovering computer operations from a disaster: BSU did not have a formal information systems security policy to ensure that proper computer security existed. BSU did not have a current and complete disaster recovery plan for recovering from disaster scenarios, such as a fire. For example, the general portion of BSU s recovery plan was last updated in May 1995 and related to an outdated system. Also, the plan s network recovery procedures only addressed creating and restoring backup files for certain network devices (firewall and servers), without addressing connectivity issues that could arise if computer operations were relocated. Without a current and complete plan, a disaster could cause significant delays (for an undetermined period of time) in restoring connectivity above and beyond the expected delays that would exist in a planned recovery scenario. BSU did not store backup copies of certain critical servers configurations and related data at an offsite facility. Accordingly, if the facilities which currently house both the servers and the related backup copies were destroyed, uncertainty exists as to whether certain information could be recreated. Recommendation 7 We recommend that BSU prepare an official information systems security policy to address all critical security issues involved with its information systems. We also recommend that a complete disaster recovery plan be developed to support the current information systems environment, including procedures for fully restoring network operations in the event of a disaster. Finally, we recommend that BSU store backup copies of its critical servers configurations and related data at an offsite, secure, and environmentally-controlled location. 16

19 Finding 8 Certain critical operating aspects of BSU s Financial system were not sufficiently controlled. Analysis BSU did not adequately control certain critical operating aspects of its Financial system. Our review of the financial application security disclosed inadequacies that could allow improper changes to critical applications, including financial information: Two employees were assigned unnecessary access to application maintenance tools that could be used to make unauthorized changes to menus, screens, and individual records. Although not needed for their job duties, these same two individuals could also modify application security, including user profiles and screen permissions. Accordingly, these individuals could give themselves unnecessary system privileges. Three employees (including two programmers) and BSU s Financial system consultants had unnecessary, unrestricted, and unlogged modification access to critical production programs. Accordingly, these individuals could make improper changes to application programs without detection. Program change control procedures for documenting, reviewing, and updating modified programs were inadequate. For example, for four of five program changes tested, we determined that the modified programs were moved into production by the programmer who made the changes. Recommendation 8 We recommend that access to application maintenance tools be limited to personnel whose job duties require use of the tools. We also recommend that the maintenance of application security be restricted to only those employees responsible for maintaining security information. Furthermore, we recommend that BSU limit direct modification accesses to critical production programs to personnel responsible for maintenance of the programs. Finally, we recommend that BSU establish adequate control over production program changes to ensure that all direct changes to these programs are properly documented, reviewed, and updated. 17

20 Finding 9 System accounts, system passwords, and services were not adequately controlled. Analysis Our tests of three servers used to process certain critical financial applications revealed control weaknesses over certain system accounts, system passwords, and services. For example, two database accounts on one server were using vendor default passwords, which are known to the public. Also, numerous unnecessary services were enabled on two of these servers. Unnecessary installed services can be used to take advantage of known vulnerabilities, which can be exploited to maliciously compromise a computer system. Recommendation 9 We recommend that adequate controls be established over system accounts, system passwords, and services on critical servers. We made detailed recommendations to BSU which, if implemented, should provide for adequate security over critical servers. Finding 10 Account, password, and monitoring controls over critical applications were inadequate. Analysis Account, password, and monitoring controls over critical financial applications were inadequate: User account and password controls defined for the operating system, database and application software on certain critical Financial system servers had numerous security deficiencies. For example, minimum password lengths, in some cases, were not adequate for effective security and control, and we noted instances where password aging, password history, and account lockout were not used. Accordingly, defined control settings for accounts and passwords did not comply with the University System of Maryland s Guidelines in Response to the State s IT Security Policy, dated June In addition, identical account and password information existed on both production and test (nonproduction) versions of the critical financial applications and databases, which increased security exposures. Deficiencies in password lengths were commented upon in our preceding audit report. 18

21 The logging feature of certain significant security-related events for the Financial system was not enabled. Specifically, selected activities, such as failed accesses to critical screens, changes to user account security settings, and changes to permissions over certain critical files, were not logged for subsequent review. Furthermore, there was no documentation that the security reports generated were reviewed. These conditions could result in unauthorized or inappropriate changes to program and data files, which could go undetected. Deficiencies concerning the review of security logs were commented upon in our four preceding audit reports. Recommendation 10 We recommend that adequate security be established over user accounts and passwords for financial applications. We made detailed recommendations to BSU which, if implemented, should provide this security. Furthermore, we recommend that logging capabilities be enabled for all significant security events on critical servers, to permit monitoring of those events. Finally, we again recommend that reviews of the related security reports be documented for audit verification. Finding 11 The internal computer network was not adequately protected because of numerous software vulnerabilities. Analysis Adequate security measures had not been established to protect BSU s internal computer network against software vulnerabilities. Specifically, our tests disclosed that several key network servers had numerous software vulnerabilities. These software vulnerabilities, which are recognized by a national cooperative research and education organization, exposed the servers to internal and external attacks which could disrupt operations or destroy data. Recommendation 11 We recommend that BSU establish adequate security measures to protect its internal computer network against software vulnerabilities. We made detailed recommendations to BSU which, if implemented, should provide the needed security. 19

22 Corporate Purchasing Cards Finding 12 BSU had not established adequate control over corporate purchasing card usage and had not always complied with purchasing card policies and procedures. Analysis BSU had not established adequate control over corporate purchasing card usage, and administration over purchasing cards was not always in compliance with policies and procedures established by the Comptroller of the Treasury and BSU. As of November 2003, corporate purchasing cards had been issued to 67 employees, and related expenditures totaled approximately $800,000 during fiscal year Our review disclosed the following conditions: Cardholder transaction logs were not reviewed timely. As of February 2004, logs had not been submitted for supervisory review by nine employees for periods ranging from two to six months past the required due dates and BSU lacked documentation to substantiate that any effort was made to obtain the logs. All nine cardholders were allowed to continue to use their cards. As of November 2003, five active purchasing cards were issued to employees who had no purchasing activity for periods ranging from 8 to 21 months. For two of these cardholders, BSU failed to promptly cancel the cards when these employees terminated employment with BSU. In these cases, the employees cards remained active for periods ranging from 6 to 16 months after employment was terminated. Our test of 20 cardholder transaction logs from fiscal years 2003 and 2004 disclosed six transaction logs, with charges totaling $23,375, that were not supported by vendor invoices and two logs, with charges of $22,810, that were not approved by supervisory personnel. For example, one of the six logs contained hotel costs totaling approximately $8,300 that were not supported by vendor invoices and that related to an August training activity for BSU student resident assistants in Ocean City, Maryland. Additionally, for four logs reviewed, the charges reflected on the monthly bank statements exceeded charges recorded in the logs by $19,430, thus indicating the lack of a proper reconciliation between the logs and the corresponding bank statements. 20

23 Our test also disclosed one purchase of portfolio bags totaling $3,600 that was intentionally split into three smaller purchases in order to circumvent the imposed single transaction limit of $1,200. Purchases totaling $5,678 were also made for items not permitted by established policy (such as laptop computers). The Comptroller of the Treasury s Corporate Purchasing Card Program Policy and Procedures Manual states that transaction logs and supporting documentation are to be reviewed by the cardholders supervisors and reconciled with the corresponding charges on the bank statement. The Manual further requires that cards be cancelled when no purchasing activity has been recorded for an extended period and that established credit limits be enforced. Additionally, the BSU Corporate Purchasing Card Policy and Procedure User s Guide requires that cardholder transaction logs and related supporting documentation be submitted within 12 days of the end of the month, and that purchasing cards only be used for items appropriate to the legitimate needs of BSU, but specifically excludes certain items, such as laptop computers. Recommendation 12 We recommend that BSU comply with the requirements of the Comptroller s Corporate Purchasing Card Program Policy and Procedures Manual, and the BSU Corporate Purchasing Card Policy and Procedure User s Guide. Payroll Finding 13 Proper internal control was not established over BSU s payroll. Analysis Three employees had the ability to both prepare the online electronic payroll reports, and approve and transmit the reports to the Central Payroll Bureau for processing, without independent review and approval. As a result, these employees could record unauthorized adjustments to BSU s payroll reports without detection. According to BSU s records, payroll adjustments initiated and approved by the same employee during calendar year 2003 totaled approximately $1 million. Recommendation 13 We recommend that the employees who prepare BSU s electronic payroll reports not have the ability to approve and transmit the reports to the Central Payroll Bureau. We advised BSU on accomplishing the necessary separation of duties using existing personnel. 21

24 Equipment Finding 14 Equipment was not adequately controlled and equipment balances were not accurately reported to the USM Office. Analysis BSU s equipment was not adequately controlled and the fiscal year-end balance of equipment was not accurately reported to the USM Office (USMO). As of April 2004, the book value of equipment, as recorded in BSU s records, totaled approximately $12.5 million. Specifically, we noted the following conditions: BSU did not maintain an equipment control account, as required by the USM Policy for Capitalization and Inventory Control. BSU s detail equipment records were not always adequately maintained, as required by the aforementioned Policy. Specifically, our test of 20 equipment purchases made during fiscal years 2003 and 2004, totaling $32,055, disclosed that 9 purchases, totaling $9,864, were not recorded in the detail records. Additionally, 6 of the 15 equipment items on hand that we sighted were not included in the detail records. Finally, the detail records for firearms, maintained by the BSU police department, did not contain the acquisition dates, acquisition costs, physical locations, and custodial employees. An independent physical inventory of firearms, in the possession of the BSU police department, had not been conducted during our audit period. BSU s Materials Management Policy and Procedures Manual requires that a physical inventory of sensitive equipment, including firearms, be conducted at least annually. BSU reported to USMO a capital equipment balance of approximately $10.4 million as of June 30, 2003; however, the aggregate balance of the related detail equipment records as of that date totaled approximately $9.8 million. Our review determined that this $600,000 overstatement was attributable to equipment additions, disposals, and transfers to other State agencies that were not collectively considered in the amount reported. Similar conditions concerning BSU s failure to maintain an equipment control account and accurately report its equipment balance to the USMO were commented upon in our preceding audit report. Additionally, the failure to 22

25 properly maintain detail equipment records has been commented upon in our four preceding audit reports. Recommendation 14 We again recommend that BSU maintain an equipment control account independent of the detail records and that the control account balance be periodically reconciled with the aggregate balance of the detail records. In addition, we again recommend that BSU ensure that equipment is properly recorded in its detail records. We also recommend that BSU conduct a physical inventory of all sensitive equipment items annually, in accordance with its established policy. Finally, we again recommend that BSU accurately report its year-end capital equipment balance to the USMO. Working Fund Finding 15 Internal controls over BSU working funds were inadequate and a cash shortage was not reported to appropriate authorities as required. Analysis BSU had not established adequate control over its working funds, and a cash shortage was not reported to the proper authorities: BSU did not perform periodic independent counts of petty cash funds advanced to departments from the working funds to ensure that the advances could be accounted for. BSU advised us that, during January 2003, a petty cash fund of $500 and an estimated $850 in proceeds from ticket sales to sporting events had been reported stolen. Although the shortage was reported to and investigated by BSU police, it was not reported to the Office of the Attorney General Criminal Investigations Division as required by a Governor s memorandum dated October 27, From the September 2003 working fund composition, we selected for testing 20 unreimbursed working fund expenditures, totaling $18,489, made during the period from January 1998 to September Our test disclosed that 11 expenditures, totaling $5,516, had not been reimbursed as of April 2004 and BSU could not substantiate that any effort had been made to obtain reimbursement. These unreimbursed expenditures included 2 travel advances 23

26 totaling $736 made between October 2001 and February 2003 to individuals still employed by BSU as of April As of January 2004, our review disclosed that working fund reconciliations and fund compositions had only been prepared for fund activity through September As a result of these deficiencies, assurance was lacking that proper accountability and control had been established over working fund activity. During fiscal year 2004, disbursements from the working fund totaled approximately $218,000. Recommendation 15 We recommend that BSU periodically (for example, quarterly) perform independent counts of petty cash funds advanced to departments. Additionally, we recommend that BSU report the aforementioned theft to the Office of the Attorney General Criminal Investigations Division in accordance with the aforementioned Governor s memorandum. We also recommend that BSU obtain reimbursement of working fund expenditures and prepare bank reconciliations and fund compositions timely. 24

27 Audit Scope, Objectives, and Methodology We have audited the University System of Maryland - Bowie State University (BSU) for the period beginning January 8, 2001 and ending January 12, The audit was conducted in accordance with generally accepted government auditing standards. As prescribed by State Government Article, Section of the Annotated Code of Maryland, the objectives of this audit were to examine BSU s financial transactions, records, and internal control, and to evaluate its compliance with applicable State laws, rules, and regulations. We also determined the current status of the findings included in our preceding audit report. In planning and conducting our audit, we focused on the major financial-related areas of operations based on assessments of materiality and risk. Our audit procedures included inquiries of appropriate personnel, inspection of documents and records, and observation of BSU s operations. We also tested transactions and performed other auditing procedures that we considered necessary to achieve our objectives. Data provided in this report for background or informational purposes were deemed reasonable, but were not independently verified. Our audit did not include certain support services (such as endowment accounting and bond financing) provided to BSU by the University System of Maryland Office. These support services are included within the scope of our audits of the Office. In addition, we did not audit BSU s federal financial assistance programs for compliance with Federal laws and regulations because the Office engages an independent accounting firm to annually audit such programs administered by components of the System. Our audit scope was limited with respect to BSU s cash transactions because the Office of the State Treasurer was unable to reconcile the State s main bank accounts during the audit period. Due to this condition, we were unable to determine, with reasonable assurance, that all BSU cash transactions were accounted for and properly recorded on the related State accounting records as well as the banks records. BSU s management is responsible for establishing and maintaining effective internal control. Internal control is a process designed to provide reasonable assurance that objectives pertaining to the reliability of financial records, effectiveness and efficiency of operations including safeguarding of assets, and compliance with applicable laws, rules, and regulations are achieved. 25

28 Because of inherent limitations in internal control, errors or fraud may nevertheless occur and not be detected. Also, projections of any evaluation of internal control to future periods are subject to the risk that conditions may change or compliance with policies and procedures may deteriorate. Our reports are designed to assist the Maryland General Assembly in exercising its legislative oversight function and to provide constructive recommendations for improving State operations. As a result, our reports generally do not address activities we reviewed that are functioning properly. This report includes findings relating to conditions that we consider to be significant deficiencies in the design or operation of internal control that could adversely affect BSU s ability to maintain reliable financial records, operate effectively and efficiently, and/or comply with applicable laws, rules, and regulations. Our report also includes findings regarding significant instances of noncompliance with applicable laws, rules, or regulations. Other less significant findings were communicated to BSU that did not warrant inclusion in this report. The response from the University System of Maryland Office, on behalf of BSU, to our findings and recommendations is included as an appendix to this report. As prescribed in the State Government Article, Section of the Annotated Code of Maryland, we will advise the System regarding the results of our review of its response. 26

29

30 RESPONSE TO LEGISLATIVE AUDIT REPORT UNIVERSITY SYSTEM OF MARYLAND BOWIE STATE UNIVERSITY JANUARY 8, 2001 TO JANUARY 12, 2004 Cash Receipts Finding 1 BSU had not established procedures to ensure that certain collections were properly controlled and deposited timely. University Response: The University agrees with the finding. All offices authorized to receive checks have restrictive endorsement stamps and understand their responsibility to restrictively endorse checks upon receipt. Procedures have been established to ensure that there is independent verification that all receipts are forwarded to the Student Accounts Office for deposit. These verifications are being documented. Periodic review of the timeliness of deposit will be made by Controller s Office personnel to ensure that timely deposit practices are maintained. Credit card payments are verified to subsequent credits received by the State Treasurer s Office on a daily basis and the verification is current and documented. These procedures have been implemented. Student Accounts Finding 2 BSU did not always take appropriate action to collect outstanding student account balances, and periodic reconciliations of student accounts receivable records were not performed. University Response: The University agrees with the finding. The University will pursue the collection of outstanding accounts in accordance with the USM and University policies. Procedures have been modified to limit the authority to override existing policy to the Vice President for Finance and Administration. Student Accounts will transfer all delinquent accounts to the State Central Collection Unit in accordance with the University s approved deviation. During implementation of new software, Student Accounts found that the legacy system report was not identifying all accounts with account balances. This will not occur with the new software. The Controller s Office has developed and implemented procedures for completion of a monthly reconciliation of the aggregate balance of the detail student accounts receivable record to the general ledger account.

31 RESPONSE TO LEGISLATIVE AUDIT REPORT UNIVERSITY SYSTEM OF MARYLAND BOWIE STATE UNIVERSITY JANUARY 8, 2001 TO JANUARY 12, 2004 Finding 3 Independent verifications of the propriety of financial aid awards and student residency status determinations recorded in the student records were not performed. University Response: The University agrees with the finding. The Financial Aid Office and the Office of Admissions have established procedures to ensure independent verification of financial aid disbursements and residency status on a test basis. Financial Aid has designated a supervisor, who is independent of the financial aid award process, to review financial aid disbursements on a test basis and this process has been implemented. The supervisor s system access has been modified to eliminate access to record financial aid awards. The Admissions Office has designated an employee. who does not have access to enter or update student residency, to review a monthly report of residency entries and will verify to source documents any discrepancies noted on the report. Purchases and Disbursements Finding 4 BSU had not established proper internal controls over the processing of certain disbursement transactions. University Response: The University agrees with the finding. The FMIS security has been reviewed for the employee noted and the recommended changes have been implemented. The University financial system access of the two employees noted as having inappropriate access was modified immediately. Procedures have been established for the monthly review of the University s automated accounting system security by the application data steward to ensure that assigned access is appropriate; that persons are still employed and that the system has been accessed within 90 days. In addition, the data steward receives notification of employee resignation or termination from the Office of Human Resources and immediately notifies the system security officer to remove access for that employee. Further, to ensure that all terminations have been identified, a list of active users is reviewed by Human Resources on a quarterly basis. The reviews have been conducted monthly since July 2004.