ARIZONA BOARD OF REGENTS AUDIT COMMITTEE Wednesday, April 8, 2015 UNIVERSITY OF ARIZONA INTERNAL AUDIT REPORTS (FULL)


4.A Decentralized IT General Controls Review: Financial Services Office, Number
4.B Department of Intercollegiate Athletics Business Practices, Number
4.C Operational Advances, Number
4.D Follow-up: UAccess Student Post-Implementation Review, Number 15-01


Decentralized IT General Controls Review: Financial Services Office
August 2014
FY14 - #09

Submitted to: Financial Services Office
- Mark A. McGurk, Associate Vice President and Comptroller
- Duc D. Ma, Assistant Vice President
- Tyson D. Korhonen, Assistant Director, Information Technology
- Ryan G. Claw, Assistant Comptroller

Copies to:
- Audit Committee, Arizona Board of Regents
- Ann Weaver Hart, President
- Andrew C. Comrie, Senior Vice President for Academic Affairs and Provost & Interim CFO
- Laura Todd Johnson, Vice President, Legal Affairs and General Counsel
- Jon Dudas, Senior Associate to the President and Secretary of the University
- Michele L. Norin, Chief Information Officer

Issued by: Sara J. Click, CPA, Chief Auditor, Internal Audit Department


Decentralized IT General Controls

Summary

Our audit of the Information Technology (IT) General Controls for the decentralized IT unit within the University of Arizona (UA) Financial Services Office (FSO) was included in the approved Fiscal Year (FY) 2014 Audit Plan. This audit supports the UA's Never Settle strategic priority of implementing business practices that are effective, efficient and entrepreneurial. This is our first audit of IT general controls within a decentralized unit.

Background:

The University supports both centralized and decentralized Information Technology (IT) services. The office of the Chief Information Officer (CIO) has direct responsibility for centralized IT services. Within the CIO's office are the Information Security Office (ISO), University Information Technology Services (UITS), Cloud Strategy, Communications, and a newly established position focused on campus IT operations. The services provided by central IT are considered enterprise services and therefore affect all University departments and colleges.

Decentralized IT services are provided to one department or college and are managed by that department or college. The level and type of decentralized services differ from unit to unit. In some cases, there are multiple decentralized IT units within a department or college. Departments and colleges can make decisions regarding the centralized products and services they wish to use or opt out of. As a result, some services are duplicated. For example, application development, data center, server operations, help desk, authentication, network, , and remote access are provided by both UITS and some decentralized IT units. For some units, decentralized IT service is a requirement to ensure that customized support is available when needed, for example, application development or desktop/device support. In other cases, it is a preference or perceived cost issue.

Currently, the University does not require a cost or risk assessment for IT decisions made at the decentralized level. Organizations in which there are many decentralized IT decision makers may increase institutional risk related to information security if IT controls are ineffective or IT governance is not in place.

The University of Arizona Page 1 of 8 August 2014

ISACA's [1] Governance of Enterprise IT (GEIT) Institute defines IT Governance as: "IT governance is the responsibility of the Board of Directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategy and objectives."

The Chief Information Officer's (CIO) role as described on the UA website is: "encouraging collaboration among central and departmental information-technology units, as well as effective integration of technology into University teaching, research, and administration" and is also "responsible for the overall vision for the university's information technology environment in the future."

There is one clearly defined IT governance process included on the CIO website. This process is the Arizona Board of Regents (ABOR) 2002 policy which requires each of the Arizona universities to implement a process for approving projects with a total cost of over $100K.

The CIO website includes a list of Campus IT Representatives which contains the Administration Technology Advisory Council (ATAC) and the Deans Information Technology Council (DITC). The councils are essential for effective communication and relationship management for the CIO. Consensus from the councils is considered important by University executive management for some enterprise-wide decisions such as authentication and cloud storage services. A description of the two councils is provided below:

ATAC - Administration Technology Advisory Council: "The Administration Technology Advisory Council (ATAC) acts on behalf of the administrative interests of the institution and represents units, departments, and divisions by effectively participating in campus-wide Information Technology (IT) governance and strategic decision-making."

DITC - Deans Information Technology Council: "The Deans' Information Technology Council is a body of appointed senior information technology (IT) professionals whose mission is to assist their deans in understanding and advancing the institutional IT agenda as it relates to academic, administrative, and research needs."

[1] Formerly the Information Systems Audit and Control Association

IT governance is mentioned in the ATAC description; however, the CIO website does not define a governance process that includes the role of the councils. A draft of an IT Governance matrix is in progress within the CIO's office. Although the councils may agree on a technology direction or project, they can decide to make a different decision for the department or college for which they are responsible. The decisions of the ATAC and DITC members do not require formal review or risk assessment.

In addition to ATAC and DITC, the ISO manages an Information Security Steering Committee. This committee was also created as a result of ABOR policy and has the following charter: "The Information Security Steering Committee establishes priorities and policies for campus information security program and investigates and determines University response for breach notifications."

Currently, none of the groups mentioned above are charged with making recommendations to executive management for new or modified IT products and services based on a formal risk and impact assessment.

We selected the decentralized IT unit within FSO for this first review of IT controls. FSO is a unit within Business Affairs; the staff provides financial management services such as accounts payable, payroll, tax services and capital finance. They also provide the following services to the University:
- Bursar's Office - UA student account and billing information; banking and merchant services for UA departments.
- CatCard Office - Steward for the official University of Arizona identification card.
- Investment Office - Investment management of the UA Endowment, Operating Funds and Debt Proceeds.
- Procurement & Contracting Services - Product/services procurement and contracting services for the University of Arizona.
- Records Management & Archives - Comprehensive records management program for the University and its departments.

In addition to the above list, the FSO IT unit also supports two other Business Affairs departments, Internal Audit and Systems Control.

The table below indicates the services provided by FSO IT (a member of ATAC). There is some overlap in service provided by FSO IT and UITS (central IT), indicated in the original by blue shading. The table has two columns, "Service provided by FSO IT" and "Enterprise Service offered by UITS", for each of the following IT services (the column entries and shading are not reproduced here):
- Application Development
- Authentication
- Business Continuity/Disaster Recovery
- Data Backup
- Data Center
- Help Desk/Desktop Support
- Network
- Remote Access
- Server Administration
- Cloud Service Procurement

As stated earlier, departments and colleges can make decisions regarding IT services; an assessment regarding cost or risk is not required even if the same service is offered by UITS. There is financial risk that the University is funding duplicate services.

Financial impact of duplicated products and services is one risk in a decentralized environment; another risk relates to information security. Although the cost of a product or service may be low or even free in some cases, the information security risk could be high. The services and systems that the departments and colleges have autonomy over that are considered to be of high risk for information security and financial impact are:
- Authentication/Local Data Security
- Data Center Services
- Application Development
- Disaster Recovery
- Cloud Services
- Remote Access

Due to increasing risk related to the items above, it is critical for the University as well as the decentralized IT units to have effective controls in place to manage cost and risk.

Review Objective:

Our objective was to perform a review of IT general controls based on the ISACA Control Objectives for Information and Related Technology (COBIT) framework. The COBIT framework will be used to assess reviews of other decentralized and centralized IT units in the future to provide a level of consistency to the reader and objectivity for the reviews.

Scope:

The scope of the review included current processes and controls for FSO IT that were in place from May to August 2014 for four of the five COBIT framework domains:
- Align, Plan and Organize - Addresses the overall management of IT.
- Build, Acquire and Implement - Addresses application development and project management.
- Deliver, Service and Support - Addresses problem resolution, security management and change management.
- Monitor, Evaluate and Assess - Addresses the strategic management review of IT.

The fifth COBIT domain, Evaluate, Direct and Monitor, is related to enterprise-level governance and does not address decentralized IT. Therefore, IT governance is mentioned in this report but was not within the scope of this audit.

Methodology:

Our review objective was accomplished by:
- Touring the FSO IT facility.
- Interviewing management and staff of FSO, FSO IT and enterprise-level IT:
  FSO Staff and Management:
  o Associate Vice President/Comptroller
  o Bursar/Director CatCard
  o Director, Initiatives & Outreach
  o Assistant Director, Operations
  o Assistant Director, Information Technology
  o Information Technology Manager of Application Development
  o Information Technology Manager of Help Desk Support
  UITS:
  o Assistant Director, Infrastructure Development & Operations Center
  ISO:
  o Manager of Information Assurance
- Reviewing existing University policies and standards related to information technology operations and information security.

- Reviewing existing processes and standards in place within FSO (both automated and paper-based).
- Reviewing industry standards related to logical and physical security from ISACA COBIT and the National Institute of Standards (NIST) Rev 4 Moderate Baseline.
- Preparing standard questionnaires and audit procedures to serve as repeatable standard processes for decentralized IT general controls review.

Conclusion:

The FSO IT unit is an effectively managed organization with sufficiently mature processes for its size and scope. The ISACA COBIT framework provides a rating scheme to assess the processes. See Exhibit A for detailed information regarding the rating levels for process maturity. A review of the IT general controls in place within FSO IT resulted in our opinion that the processes are in the Defined to Managed range. This range indicates that the staff and management have defined processes and that IT cost, benefit and risk is managed. Exhibit B describes the results of the review of FSO IT for each COBIT domain.

The level of process maturity within FSO enables them to provide consistently high levels of IT service to their University and department customers and to make informed, risk-based IT decisions regarding new products and services. While risk is managed within FSO, there is risk related to the lack of University IT governance that could increase if FSO management or processes were to change and not be as effective. Currently, IT units can make decisions in high IT risk areas without further review by those responsible for University-wide IT risk.

For example, FSO has implemented decentralized IT products and services in the following areas that could present risk to the University if effective controls were not in place:
- International Cloud Tax Software Service
- Windows Based Remote Access Service
- Two Remote Offsite Networks
- An Authentication System for Departmental Access to Data
- Custom Developed Internal and External Facing Web Applications

These products and services are considered risk areas for information security, yet they require no additional review or risk assessment beyond FSO management prior to purchasing or implementation. Since FSO manages IT at a high level, the risk to the University was considered low at the time of this review.

Discussions with UITS and the ISO indicated that there was no process in place to review products and services from a risk perspective. Additionally, UITS and the ISO have no authority or role regarding the decisions made within the decentralized IT units. The ISO stated that they did not have sufficient staff to be involved in decision making at the decentralized IT level.

Services such as data center, data storage and backup are areas of potential cost savings and increased efficiency as the services could be provided centrally. However, many decentralized IT units, including FSO IT, provide these services. FSO initially used the UITS backup service but determined that purchasing a dedicated system would result in long-term cost savings. Discussion with UITS indicated that they did not have the staff to work on keeping the rates up to date. Strengthening enterprise IT governance could help the University to determine if services could be centralized. Effective governance would also assist the University with ensuring that appropriate review of products and services selected for use within the departments and colleges was completed.

The results of this review indicate that IT units with effective controls in place, such as FSO IT, help to decrease risk. However, without effective governance processes, there is no guarantee that the controls will remain effective if FSO management were to change.

According to the Institute of Internal Auditors (IIA) International Professional Practices Framework, an organization is expected to establish and maintain effective risk management and control processes. These control processes are expected to ensure, among other things, that:
- The organization's strategic objectives are achieved;
- Financial and operational information is reliable and possesses integrity;
- Operations are performed efficiently and achieve established objectives;
- Assets are safeguarded; and
- Actions and decisions of the organization are in compliance with laws, regulations, and contracts.

Our assessment of these control objectives as they relate to the decentralized FSO IT unit is presented on the following page.

General Control Objectives / Control Environment / Audit Result (No. and Page columns were empty)

Organizational Strategic Objectives are Achieved
- A plan exists for decentralized IT that supports departmental goals and objectives. Audit Result: Reasonable to Strong Controls in Place
- The department's IT framework is managed (staff, budget, service levels, relationships). Audit Result: Reasonable to Strong Controls in Place

Reliability and Integrity of Financial and Operational Information
- Controls over financial data are in place and effective. Audit Result: Reasonable to Strong Controls in Place

Effectiveness and Efficiency of Operations
- Problem and Request management processes are in place and effective. Audit Result: Reasonable to Strong Controls in Place
- Application development processes and controls are in place and effective. Audit Result: Reasonable to Strong Controls in Place
- IT operational processes to manage change, performance and availability are in place and effective. Audit Result: Reasonable to Strong Controls in Place
- Project Management processes are in place and effective. Audit Result: Reasonable to Strong Controls in Place
- Business Continuity and Disaster Recovery processes are in place and effective. Audit Result: Reasonable to Strong Controls in Place

Safeguarding of Assets
- Decentralized IT information security controls exist and are effective. Audit Result: Reasonable to Strong Controls in Place
- Processes for asset management are in place and effective. Audit Result: Reasonable to Strong Controls in Place

Compliance with Laws and Regulations
- Controls over regulated data are in place and effective. Audit Result: Reasonable to Strong Controls in Place

We appreciate the assistance of UA Staff during the audit.

Rosemary R. Casteel, CISA, Auditor-In-Charge (520) casteelr@ .arizona.edu
Sara J. Click, CPA, Chief Auditor (520) clicks@ .arizona.edu

Exhibit A - COBIT Maturity Model Rating Scheme

The scale runs from an Enterprise View / Department Knowledge at the top (level 5) to an Instance View / Individual knowledge at the bottom (level 0).

5 - Optimized: An enterprise-wide risk and control program provides continuous and effective control and risk issue resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.

4 - Managed and Measurable: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.

3 - Defined: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.

2 - Repeatable but Intuitive: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.

1 - Initial/Ad hoc: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.

0 - Non-existent: There is no recognition of the need for internal control. Control is not part of the organization's culture or mission. There is a high risk of control deficiencies and incidents.

Exhibit B - Results by COBIT Domain

Align, Plan and Organize (APO): The majority of the processes in this domain are considered to be in the level 3-4 range of the COBIT maturity rating scale. FSO IT demonstrated the following:
- Documented processes and results were produced.
- Interviews indicated that they had an overall departmental view of the impact of their work rather than an individual or task-level view.
- The overall work environment is managed from the highest level of non-IT management to the IT unit level.
- The group works in a proactive and preventative mode as opposed to a reactionary environment, which tends to operate in a crisis mode.

Build, Acquire and Implement (BAI): The majority of the processes associated with this domain are considered to be in the level 3-4 range of the COBIT maturity rating scale. FSO IT demonstrated the following:
- Project management and asset management processes are in the level 4 range. The processes are documented, automated and are at the FSO department level rather than just at the IT unit level.
- Processes for availability and change management are in the level 3 to 4 range as they are automated and therefore repeatable but not documented and measured.
- The process for project initiation and approval is at a level 4 and could be a best practice for other IT units and at the enterprise level.

Deliver, Service and Support (DSS): The majority of the processes associated with this domain are considered to be in the level 3-4 range of the COBIT maturity rating scale. FSO IT demonstrated the following:
- Problem management processes and practices are in the level 4 range as they are managed, measurable and at the department level.
- Security management at the department level is at a level 3-4 as it is defined and managed. However, department-level authentication is separate from CatNet and requires s to be sent to the staff for notification for user access changes to be made.
- Continuity management is in the level 3 range as the plans exist but are not tested and are out of date. The current IT plans in continuity planning documents may not fully support the business plan.
- Risk management is a factor in IT operations and planning; sufficient risk mitigation is in place for the unit's size and scope.

Monitor, Evaluate and Assess (MEA): The majority of the processes associated with this domain are considered to be in the level 4-5 range of the COBIT maturity rating scale. FSO IT demonstrated the following:
- The project rating system is a valuable tool that permits FSO to make informed decisions. Management can focus on services and products that are required and meet business goals.
- The FSO department management team meets consistently to review departmental goals as well as University strategic goals to ensure that they are working on tasks that support the goals. Risks are discussed during meetings as needed and appropriate.
- Budgets and staffing are managed consistently.
- Initiatives and accomplishments are documented, monitored and presented on a yearly basis.
- FSO management and IT staff participate in CIO-sponsored collaboration councils and committees.

Department of Intercollegiate Athletics Business Practices
October 2014
FY14 - #10

Submitted to:
- Gregory K. Byrne, Vice President and Director of Athletics
- Ross Cobb, Senior Associate Athletic Director, Business Affairs

Copies to:
- Audit Committee, Arizona Board of Regents
- Ann Weaver Hart, President
- Andrew C. Comrie, Senior Vice President for Academic Affairs and Provost
- Gregg Goldman, Senior Vice President for Business Affairs and Chief Financial Officer
- Laura Todd Johnson, Vice President for Legal Affairs and General Counsel
- Jon Dudas, Senior Associate to the President and Secretary of the University
- Michele L. Norin, Chief Information Officer
- Duc D. Ma, Assistant Vice President for Financial Services

Issued by: Sara J. Click, CPA, Chief Auditor, Internal Audit Department


Department of Intercollegiate Athletics Business Practices

Summary

Our audit of the Department of Intercollegiate Athletics (ICA) business practices was included in our approved Fiscal Year (FY) 2014 Audit Plan. The University of Arizona's (UA) Never Settle plan calls for a business model that rewards productivity, effectiveness, and entrepreneurship. As an auxiliary enterprise of UA, ICA's business practices are critical to its ability to meet its goals and support UA's overall mission. While previous audits have covered portions of ICA's business processes, this is our first comprehensive audit of ICA business practices.

Background:

ICA is led by the Vice President and Director of Athletics, who reports directly to the UA President. The department oversees 20 National Collegiate Athletic Association (NCAA) sports and employs approximately 150 service professionals, 75 classified staff, and 180 student workers. Additional part-time employees work at games and events. According to the Independent Accountants' Report on the Application of Agreed-upon Procedures for the Year Ended June 30, 2014, ICA had revenues and expenses of approximately $100 million.

ICA has developed a set of five Goals and Principles to guide the department. These are:
1. Graduate student-athletes;
2. Follow the rules;
3. Represent the University and Athletics Department in a first-class manner;
4. Practice sound fiscal management and maximize revenue opportunities; and
5. Compete for championships.

Within UA's decentralized model, ICA, like other UA departments, is responsible for developing and implementing business practices in compliance with UA policy. To do this, ICA has established a business office, overseen by a Senior Associate Athletic Director, Business Affairs, and managed by an Associate Director of Athletics, Business Affairs. Certain business processes, including handling rental revenues and monitoring capital assets, fall under the Senior Associate Director of Athletics, Operations. All ticket sales and cash deposits are handled by the ticket office, led by the Associate Athletic Director, Tickets and Donor Technology.

ICA is classified as an auxiliary unit of UA. The Financial Services Office (FSO) provides the following expectations for auxiliary units:
- Develop and follow a budget;
- Be self-supporting;
- Have expenditures directly related to the revenue-producing process; and
- Charge fees that are directly related to the cost of the goods or services that are provided.

The University of Arizona Page 1 of 24 October 2014

Audit Objective:

Our primary audit objective was to ensure that ICA business processes were in compliance with University policies and procedures.

Scope:

The scope of this review included FY 2014 transactions and processes. Based on our risk assessment, the following 11 higher-risk business processes were selected for audit:
- Ticket revenue,
- Information technology,
- Capital asset management,
- Non-capital asset monitoring,
- Gifts and donations,
- Part-time and temporary employee pay,
- Account monitoring and reconciliation,
- Team and group travel,
- Rental revenue,
- Building security, and
- Purchasing card exceptions.

Methodology:

Our audit objective was accomplished by performing the following:
- Performing a preliminary risk assessment of ICA business practices and selecting the 11 higher-risk areas for audit.
- Using UAccess Analytics to identify all transactions during FY 2014 and sorting by object code and account to identify transactions related to the 11 selected business processes.
- Meeting with the following ICA staff to discuss their roles and observe their procedures:
  o Senior Associate Athletic Director, Business Affairs;
  o Senior Associate Athletic Director, Development;
  o Senior Associate Director of Athletics, Operations;
  o Assistant Athletic Director, Video and Information Technology;
  o Associate Athletic Director, Tickets and Donor Technology;
  o Associate Director of Athletics, Business Affairs;
  o Director, Athletic Facilities;
  o Director, Special Events and Community Service;
  o Director, Ticket Operations and Customer Relations;
  o Associate Director, Information Technology;
  o Accounting Manager;
  o Accountant;
  o Office Specialist, Senior; and
  o Program Coordinator.
- Communicating with other UA representatives:
  o Financial Services Office (FSO) Bursar's Office: Associate Bursar; two Program Coordinator, Seniors;
  o FSO Procurement and Contracting Services: Program Coordinator, Senior; Business Analyst, Principal;
  o FSO Financial Management: Assistant Comptroller; Assistant Director, Capital Finance; Assistant Director, Operations; Accountant, Senior; Financial Services Specialist;
  o Risk Management and Safety: Assistant Vice President;
  o Facilities Management: Assistant Vice President; Locksmith Supervisor;
  o Human Resources: Consultant, Organizational; Human Resources Specialist, Senior;
  o Office of General Counsel: University Attorney;
  o University Analytics and Institutional Research: Executive Director;
  o Budget Office: Manager, Local Funds and Budget Operations; Associate Fiscal Analyst;
  o Planning, Design and Construction: Assistant Director, Construction;
  o University Information Technology Services: Enterprise Applications Security Team; and
  o Real Estate Administration: Director.
- Evaluating procedures for compliance with UA policy and best practices, reviewing documentation supporting transactions, and sampling as needed for each area selected for detailed audit.

Conclusion:

ICA has had a business structure in place for many years to carry out the daily and fiscal needs of the department. However, ICA business processes have not been updated to take full advantage of technology, data, and resources currently available within UA. The growth of ICA revenues and expenses and the implementation of new UA enterprise systems have increased the need for updated procedures; however, existing processes have not been optimized for efficiency and effectiveness. In addition, a number of processes, including rental revenue, capital asset management, and building key monitoring, were delegated to areas within ICA without any training or oversight from the ICA Business Office. In the case of capital asset management, issues with affixing capital asset tags began 20 or more years ago and grew over the years to become a much larger and more time-consuming issue to resolve.

By improving business practices, ICA may be able to increase building and asset security, make better use of limited employee time, increase revenues in certain areas, and streamline processes to better serve the department's needs. Due to the retirement of a long-term employee, ICA hired a new Senior Associate Athletic Director, Business Affairs, who took over as of July 1. ICA staff is working to implement the action plan that resulted from this audit, as well as to review other business practices and improve processes.

According to the Institute of Internal Auditors International Professional Practices Framework, an organization is expected to establish and maintain effective risk management and control processes. These control processes are expected to ensure, among other things, that:
- The organization's strategic objectives are achieved;
- Financial and operational information is reliable and possesses integrity;
- Operations are performed efficiently and achieve established objectives;
- Assets are safeguarded; and
- Actions and decisions of the organization are in compliance with laws, regulations, and contracts.

Our assessment of these control objectives as they relate to ICA business practices is presented on the following page.

General Control Objectives, Control Environment, and Audit Result (finding number and page given where the objective maps to a finding in this report)

Achievement of the Organization's Strategic Objectives
o ICA complies with the expectations of auxiliary units in order to support its own and UA's strategic objectives. Audit Result: Reasonable to Strong Controls in Place.

Reliability and Integrity of Financial and Operational Information
o Procedures for recording, reporting, and paying part-time and temporary employees ensure accurate pay. Audit Result: Reasonable to Strong Controls in Place.

Effectiveness and Efficiency of Operations
o PCard exceptions are authorized by Procurement and Contracting Services and are necessary to efficiently make ICA purchases. Audit Result: Reasonable to Strong Controls in Place.
o Procedures exist to ensure information systems are used efficiently and effectively to monitor business processes and financial activity. Audit Result: Opportunity for Improvement (Finding No. 4, page 15).
o Facility rental charges were billed, monitored, collected, and recorded in order to ensure all revenue was received. Audit Result: Opportunity for Improvement.

Safeguarding of Assets
o Gifts and donations are received, recorded, and deposited accurately and timely. Audit Result: Reasonable to Strong Controls in Place.
o Ticket Office procedures ensure tickets are protected, sales are accurately recorded, and deposits are made timely. Audit Result: Reasonable to Strong Controls in Place.
o Building security is adequate. Audit Result: Opportunity for Improvement (Finding No. 2, page 10).
o Capital assets were recorded, monitored, and disposed of accurately and timely. Audit Result: Opportunity for Significant Improvement (Finding No. 1, page 6).
o Away game ticket purchases and sales were reconciled. Audit Result: Opportunity for Improvement (Finding No. 3, page 13).

Compliance with Laws and Regulations
o Travel Authorization Forms are completed prior to travel in compliance with UA policy. Audit Result: Opportunity for Improvement.

We appreciate the assistance of UA employees during this audit.

Amanda L. Perkins, CPA
Auditor-In-Charge
(520) alperkin@ .arizona.edu

Sara J. Click, CPA
Chief Auditor
(520) clicks@ .arizona.edu

Audit Results, Recommendations and Responses

1. Capital Assets are Not Adequately Monitored.

Condition: ICA does not have adequate procedures in place to monitor the capital asset inventory. According to the UAccess Financials capital asset listing, ICA has approximately 300 capital assets with an initial purchase price over $5,000. The following issues were identified with capital asset management within Athletics:
o Asset tags were not always affixed to equipment.
o Cannibalized assets were not properly recorded.
o Items no longer in use, but with remaining book value, were not removed and/or written down.
o Item descriptions were not updated when assets were first purchased, so staff could not tell which asset tags had been assigned to which items.
o Building and room numbers were not updated when assets were moved.
o Two asset custodians have been assigned within ICA, but these two may not have firsthand knowledge of asset locations and may not be able to fully monitor all the assets within the department.
o Recently, many items were sent to Surplus Property to prepare for a renovation of McKale. However, many of these assets did not have an asset tag affixed, so the asset tag numbers were not included in the surplus request, and the assets were therefore not removed from the capital asset listing.

Based on a sample of 19 capital assets included in the capital asset listing in UAccess Financials, we determined the following:
o Only three items could be traced to the listed building and room number and had an asset tag affixed.
o Eight additional items were located based on their descriptions, but either did not have an asset tag or did not have an accurate building and room number.
o The remaining eight items were thought by Athletics staff to have been sent to Surplus Property, but no asset tag information was available.

Criteria: Per the Financial Services Office ("FSO") Property Management Manual:
o 3.10 "The department head is charged with the responsibility of monitoring the cannibalization of University equipment."
o 7.10 "University departments are to keep their offices...and storage areas free of excess, broken, dilapidated and surplus equipment."
o 9.20 "All purchased capital equipment for use by the University shall be assigned a University property A-tag number...the custodial department is responsible for affixing tags, painting and/or engraving tag numbers on items within one week of receipt of the tags from Property Management."
o "The temporary or permanent relocation of University...equipment must be reported to Property Management."

Causes:
o Over the course of many years, employee turnover and a lack of good processes caused asset tags to be filed rather than affixed to newly purchased items.
o Technology items, such as VCRs and video recording equipment, became outdated quickly, and staff may not have known that specific surplus procedures should be followed to dispose of outdated equipment.
o Annual inventories prepared by ICA did not always include all required details and, as a result, FSO was unable to update the asset listing accurately.
o Procedures were not in place to monitor all items that were moved, or to update the asset listing accordingly.
o Based on interviews with ICA staff, we determined that there was confusion over whether equipment purchased as part of a building project received asset tags. Athletics staff thought that tags were not assigned to these items. FSO Property Management did assign asset tags, but Athletics staff did not follow up when no tags were put on the equipment.

Effect:
o Assets may be at increased risk of loss, theft, or misuse if they are not tagged and monitored in compliance with UA policy.
o Assets with remaining book value that have been surplused but not removed from the capital asset listing result in inaccurate financial statement reporting.
o Large numbers of assets that are no longer in use create inefficient use of space when they are stored rather than surplused.
o Large numbers of assets that have been surplused but not removed from the capital asset listing create excessive work when completing the annual physical inventory and result in inaccurate inventory reporting.

Recommendations:
1. Contact FSO Property Management to obtain guidance in updating the capital asset listing. In addition, discuss with them the duties of asset custodians and identify whether additional custodians should be added to ensure that location and other asset information is updated as needed.
2. Update purchasing and receiving procedures to improve the capital asset information available in UAccess Financials. Adding details in the Notes and Attachments section of both the purchasing document and the capital asset item record in UAccess Financials will allow staff to better identify and monitor capital assets, and will ensure the information is stored in a central system that others can access in the case of employee turnover. This additional information may include:
   a. Specific descriptions of the equipment,
   b. Vendor and manufacturer names,
   c. Model numbers,
   d. Serial numbers,
   e. Detailed location descriptions, and
   f. Photographs.
3. Update procedures for cannibalizing assets to ensure compliance with policy.
4. When items with remaining book value are determined to have no future use, prepare a request in the Surplus Property Management System to ensure that the items are removed from the asset listing in a timely manner.

Management Response:
Target Implementation Date: July 31.

ICA will contact FSO-Property Management to obtain guidance in updating the capital asset listing. We will also discuss with them the duties of asset custodians and identify whether or not additional custodians are needed to ensure location and other asset information is updated as needed. ICA will update purchasing and receiving procedures in order to improve capital asset information available in UAccess Financials. We will add additional data such as specific descriptions, vendor and manufacturer name, model number, serial number, detailed location descriptions, and possibly photographs.

ICA will also update procedures in conjunction with FSO-Property Management to ensure compliance with UA policy. ICA will ensure that the proper forms are filled out to remove items from the ICA asset listing that have been deemed to have no future use. Our target implementation date will be after completion of the 2016 UA inventory count, though we will begin taking action steps as soon as possible.

2. Metal Key Issuance and Monitoring Procedures are Not Adequate.

Condition: ICA procedures for monitoring outstanding keys, collecting keys upon employee termination or transfer, and reporting lost keys were not adequate. According to the Facilities Management Key Desk ("FMKD"), as of April 2014 ICA staff, associates, and volunteers were assigned 1,750 individual keys. Of these, 110 (6%) were not returned to the FMKD in compliance with UA guidelines. The keys were as follows:
o 69 keys were assigned to former ICA employees who did not turn the keys in to the FMKD upon termination or transfer, and for which Lost Key Replacement Request Forms were not prepared;
o 32 keys were assigned to former employees who ICA believes turned their keys in to someone within ICA, and whose keys are now being used by other ICA employees or associates; and
o 9 keys were assigned to former Designated Campus Colleagues (1) ("DCC") whose DCC status had expired but who, according to ICA, still needed access to the buildings.

Criteria: Per the University of Arizona Facilities Management Key Issuance & Return Guidelines:
1. It is the responsibility of each department to instruct outgoing departmental personnel in possession of University building keys to return all keys to the FM Key Desk prior to their departure. Authorized departmental key signers are welcome to contact the Key Desk for assistance with key returns for outgoing personnel; and
2. If a department is unable to contact an individual key holder to request that a key be turned in, the Lost Key Replacement Request Form is to be completed and turned in to the FM Key Desk.

(1) UA uses the DCC designation to register affiliates, associates, and volunteers in the UA human resources system. This allows DCCs to obtain keys, gain access to UA systems, and access other UA services as may be required for their position.

Causes: ICA's Events Management staff stated that they periodically remind ICA divisions that terminating employees are to return keys to the FMKD. However, there is no process in place to monitor UAccess Employee for terminated or transferring employees and to confirm that their keys have been returned or reported as lost. In 2011, ICA worked to identify old lost keys and have them removed from FM's Current Key Holder Report; however, former ICA employees who were still employed by other UA departments could not be removed by the FMKD without a Lost Key Replacement Request Form.

Effect: Personal, building, and asset security may be at risk. Unlike an electronic credential, a metal key cannot be revoked after it leaves the department's control; a key held by a former employee continues to open the door until the lock is rekeyed or replaced with electronic access. The inclusion of many old, lost keys on the Current Key Holder Report also creates additional work for those responsible for monitoring outstanding keys.

Recommendations:
1. Reconcile the FMKD Current Key Holder Report to the actual keys held by current employees and affiliates. Contact the FMKD for assistance in preparing Lost Key Replacement Request Forms to report outstanding keys as lost.
2. Assess the risk of outstanding keys. Consider increasing the use of electronic building access for perimeter doors or rekeying perimeter doors.
3. Improve existing procedures for monitoring issued keys. Consider the following:
   a. Evaluate whether additional staff in various ICA divisions should be trained in key processes to assist in monitoring for lost keys and employee terminations within their areas.
   b. Remind all ICA employees that if they receive keys from a terminated employee, the keys are to be returned to the FMKD and are not to be shared with others.
   c. During the annual Room Privilege Card update, identify lost keys, terminated or transferred employees, and employees with keys that are no longer required.
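The reconciliation in recommendation 1 is, in data terms, a join of the key-holder report against the HR roster followed by an exception report. The script below is an added example written for this page, not an ICA or Facilities Management procedure. Both CSV extracts are constructed, and every column name (and the DCC expiry field used to catch the third category) is an assumption, because the page does not describe the layout of the FMKD Current Key Holder Report or of UAccess Employee. It sorts each outstanding key into the categories the audit found: former employees with no Lost Key Replacement Request Form, keys already reported lost but not yet dropped from the report, and expired DCC holders.

```python
"""Reconcile a key-holder report against an HR roster (added example).

The two CSV extracts are constructed sample data; column names, the
status vocabulary and the dcc_expires field are assumptions, not the
real FMKD / UAccess Employee layouts.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed extract of the Current Key Holder Report (assumed columns).
KEY_HOLDER_REPORT = """\
key_id,holder_id,department,lost_key_form_filed
K-0001,u100,ICA,N
K-0002,u101,ICA,N
K-0003,u102,ICA,N
K-0004,u103,ICA,Y
K-0005,u104,ICA,N
K-0006,u105,ICA,N
"""

# Constructed HR/DCC extract (assumed columns).
# status: active | terminated | transferred; affiliate_type: employee | dcc;
# dcc_expires: ISO date for DCCs, empty for regular employees.
HR_ROSTER = """\
person_id,status,department,affiliate_type,dcc_expires
u100,active,ICA,employee,
u101,terminated,,employee,
u102,transferred,Facilities Management,employee,
u103,terminated,,employee,
u104,active,ICA,dcc,2013-12-31
u105,active,ICA,dcc,2015-06-30
"""


def parse_csv(text):
    """Parse a CSV extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def classify_keys(key_rows, hr_rows, as_of, department="ICA"):
    """Group keys the department should not still have outstanding.

    Returns {category: [key_id, ...]}. A key correctly held by an active
    employee or an unexpired DCC of the department is not reported.
    """
    people = {row["person_id"]: row for row in hr_rows}
    findings = defaultdict(list)
    for key in key_rows:
        if key["department"] != department:
            continue
        person = people.get(key["holder_id"])
        if person is None:
            # Holder is absent from HR entirely, so cannot be verified at all.
            findings["holder_not_in_hr"].append(key["key_id"])
        elif person["status"] != "active" or person["department"] != department:
            # Terminated or transferred out. The FMKD only drops the key from
            # its report once a Lost Key Replacement Request Form is filed.
            if key["lost_key_form_filed"] == "Y":
                findings["reported_lost_pending_removal"].append(key["key_id"])
            else:
                findings["former_employee_no_lost_key_form"].append(key["key_id"])
        elif person["affiliate_type"] == "dcc" and person["dcc_expires"]:
            if date.fromisoformat(person["dcc_expires"]) < as_of:
                findings["expired_dcc_holder"].append(key["key_id"])
    return dict(findings)


def exception_rate(findings, key_rows, department="ICA"):
    """Return (flagged, total, percent), the form in which the audit reports it."""
    total = sum(1 for key in key_rows if key["department"] == department)
    flagged = sum(len(ids) for ids in findings.values())
    percent = round(100.0 * flagged / total, 1) if total else 0.0
    return flagged, total, percent


def run_sample(as_of_iso="2014-04-30"):
    """Run the reconciliation over the constructed extracts."""
    keys = parse_csv(KEY_HOLDER_REPORT)
    findings = classify_keys(keys, parse_csv(HR_ROSTER), date.fromisoformat(as_of_iso))
    return findings, keys


if __name__ == "__main__":
    findings, keys = run_sample()
    for category, ids in sorted(findings.items()):
        print(f"{category}: {', '.join(ids)}")
    print("exceptions: %d of %d keys (%.1f%%)" % exception_rate(findings, keys))
```

Two caveats follow from the audit's own categories. The 32 keys that were handed to someone inside ICA and reissued informally never surface from this join, because the holder of record in the FMKD report is unchanged; only a physical count against the report, such as the annual Room Privilege Card update in recommendation 3(c), catches those. And every key in the former_employee_no_lost_key_form category is a live access path, not just a record-keeping gap, until the Lost Key form is filed and the door is rekeyed or moved to electronic access.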

Management Response:
Target Implementation Date: August 30.

ICA will reconcile the FMKD Current Key Holder Report to the actual keys held by current employees and affiliates. We will contact FMKD for assistance in reporting outstanding keys as lost. ICA will assess the risk of outstanding keys and consider increasing the use of electronic building access for perimeter doors or rekeying perimeter doors. Financial considerations will have significant impact on this assessment. ICA will evaluate whether or not additional staff in various divisions should be trained in the key process. Reminders will continue to be sent to all ICA employees that if they receive keys from a terminated employee, the keys are to be returned to FMKD and not to be reissued to others. ICA will identify keys that are no longer required during the annual Room Privilege Card update.

3. Away Game Ticket Invoices, Sales, and Remaining Tickets are Not Reconciled.

Condition: The ICA Business Office does not ensure all away game tickets are accounted for by performing a reconciliation following each game. The ICA Ticket Office purchases tickets to away games for sale to fans and for use by coaches' and players' guests. For football and men's basketball games, a large number of tickets (1,000+) may be purchased. For the remaining sports, ICA purchases tickets for its guests; the other team bills only for the actual number of guests attending. For all scheduled games, the invoice for the tickets is sent after the game. Certain special game events, however, may send a ticket invoice prior to the game. During FY 2014, ICA spent approximately $850,000 on away game tickets. After an away football or men's basketball game, documentation indicating how the tickets were used is maintained in the Ticket Office vault. However, the documentation is not reconciled to the record of ticket usage in the Paciolan system or to the invoice from the away team's ticket office.

Criteria: The Financial Services Manual describes controls over value-added inventory, such as tickets, and requires that reports be prepared following events that include the following information:
i. Total items available.
ii. Number of items sold by individual price.
iii. Number of complimentary tickets issued and signed for.
iv. Number of unsold items.

Cause: The Business Office does not request information on the use of the tickets, or the physical tickets that went unused, prior to approving the ticket invoice for payment.

Effect: There is a risk that tickets could be sold without the cash being deposited, or could be given to unauthorized users. Invoices from the away team's ticket office may not be accurate and could result in under- or over-payment.

Recommendations:
1. The Business Office should develop an away game ticket form to be filled out by the Ticket Office following each away game. The form should include how many physical tickets are stored in the vault and how many were used.
2. When the invoice from the away team's ticket office arrives, the Business Office should reconcile the number of tickets purchased to the ticket form showing how the tickets were used and to the list of tickets in Paciolan. On a periodic basis, the information on the ticket form could be verified against the physical tickets and other documentation stored in the Ticket Office vault. Any variances should be resolved before payment of the invoice.

Management Response:
Target Implementation Date: September 30.

ICA Business Office (in conjunction with ICA Ticket Office) will develop an away game ticket form that can be filled out by the Ticket Office following each away game in which tickets were purchased by UA ICA. The form will include information on the number of physical tickets stored in the vault and how many were sold. Upon receipt of the invoice from the away team's ticket office, the Business Office will reconcile the number of tickets purchased to the ticket form that shows how the tickets were used and to the list of tickets in Paciolan. Periodically this information will be verified against the physical tickets and other documentation, and any variances will be resolved.

4. New System Implementation Procedures are Not in Place.

Condition: ICA purchased a new financial budgeting and forecasting system, Elevation, in March. However, procedures were not in place to ensure the system was implemented accurately, efficiently, and effectively. As of December 15, 2014, ICA considers the system implementation complete but has not regularly used it for reporting or monitoring. Approximately $50,000 had been paid to the company. The following issues were noted:
o Existing options for budgeting and forecasting data within UAccess Analytics were not evaluated prior to purchasing the new system.
o The contract with the vendor did not specify how UA data would be protected. The contract allowed the vendor to use UA data as part of compilations of information shared with other users of the system.
o No implementation plan was in place.
o Training paid for by UA and provided by the vendor was only available during the first year.
o Specific data storage and security terms were not included in the contract, and no service level expectations were defined.

Criteria: Industry best practices suggest that new system implementation be systematically managed to ensure the process is successful. ISACA's COBIT IT governance framework suggests the following areas be considered when planning, selecting, implementing, and monitoring new systems:
o Ensure relevant stakeholders are engaged;
o Allocate sufficient resources;
o Develop requirements for the system and ensure they meet the business needs;
o Evaluate possible solutions and identify the best option;
o Follow an implementation plan;
o Measure performance against key criteria such as schedule, quality, cost, and risk;
o Plan for changes in the system and business needs; and
o Monitor and evaluate the implemented solution and adjust as needed.