STEPHEN F. AUSTIN STATE UNIVERSITY FISCAL YEAR 2013 ANNUAL AUDIT REPORT TABLE OF CONTENTS

Transcription

1

2 I. Executive Summary STEPHEN F. AUSTIN STATE UNIVERSITY FISCAL YEAR 2013 ANNUAL AUDIT REPORT TABLE OF CONTENTS II. Compliance with House Bill 16 III. IV. Internal Audit Plan for FY 2013, Explanation of Changes, and List of Audits Non-Audit Services V. External Quality Assurance Review VI. VII. VIII. IX. Internal Audit Plan for FY 2014 and Risk Assessment External Audit Services ing Fraud Audit Charter

3 I. Executive Summary

4 EXECUTIVE SUMMARY The purpose of this annual audit report is to provide information on the benefits and effectiveness of the internal audit function. In addition, the annual report assists central oversight agencies in their work planning and coordination of efforts. The annual report is submitted in compliance with the Internal Auditing Act of the State of Texas (Government Code Chapter 2102) and the Rules and Regulations of the Board of Regents of Stephen F. Austin State University. The format is recommended by the State Auditor s Office. The mission of the Department of Audit Services is to provide the Board of Regents and President with an independent appraisal of the adequacy and effectiveness of the university s system of internal administrative and accounting controls and the quality of performance when compared with established standards. The primary objective is to assist the Board of Regents, the President, and university management in the effective discharge of their responsibilities. Fiscal Year 2013 was a productive year for Audit Services. We completed audits for Camps/Campus Programs for Minors; Public Funds Investment Act; Equine Center; Poultry Grant; TAC 202; Social Media; and Departmental Audits of five Dean s Offices. We followed up on outstanding management action plans and assisted with external reviews. Internal Audit staff continued to participate as an advisory member on university committees. In addition, our department performed numerous special projects in addition to investigating reports made through the university s fraud and ethics reporting system and the State Auditor s Office hotline. During September 2012, Audit Services continued the conversion to upgrade the department s Teammate electronic audit workpaper software. The software update has helped to increase audit efficiency and reporting capabilities. In June 2013, Audit Services was pleased to have the chief audit executives of the University of Texas at Arlington and the University of Texas at Tyler perform the independent validation of the Quality Assurance Review (QAR). The QAR process was beneficial to identify goals and opportunities to enhance the Department of Audit Services. Audit Services appreciates the support received during the year from the Board of Regents, President, Administration, Faculty, and Staff of the university. Upon approval by the Board of Regents, this report will be distributed to the State Auditor s Office, the Office of the Governor, the Legislative Budget Board, and the Sunset Advisory Commission.

5 II. Compliance with House Bill 16

6 COMPLIANCE WITH HOUSE BILL 16 In order to comply with House Bill 16 regarding posting the Internal Audit Plan, Internal Audit Annual, and other audit information on the internet website, the Department of Audit Services will post the 2013 Internal Audit Annual, which includes the required items, on its internal audit website at within 30 days after approval of the report by the SFASU Board of Regents.

7 III. Internal Audit Plan for FY 2013, Explanation of Changes, and List of Audits

8 PROJECT DESCRIPTION HOURS Financial, Compliance, Efficiency & Effectiveness Audits Assistance to State Auditor's Office Provide internal audit assistance 80 Assistance to State Comptroller's Office Provide internal audit assistance for post payment review 80 National Collegiate Athletic Association Review STEPHEN F. AUSTIN STATE UNIVERSITY Total 2013 University Budget All Funds: $227,891,123 Total 2013 Budgeted Audit Positions: 3.5; Revised July 1, 2013: 4.5 FISCAL YEAR 2013 AUDIT PLAN Provide assistance to external firm performing review of SFASU athletic financial statement as required by NCAA SFASU Charter School Audit Provide assistance to external firm performing financial audit of SFASU Charter School 50 Public Funds Investment Act Verify compliance with PFIA for operating investments 300 Camps Review for compliance with regulations 300 Receivables Audit controls over accuracy, existence, and collectibility of university receivables 400 Departmental Audits Review for compliance with various regulations and efficiency & effectiveness 1119 Carry Forward Audits Complete Bank Reconciliation Review and Departmental Audits in process 60 Information Technology IT Meetings/Banner Conversion/Banner Audits Advise on issues affecting information technology and systems under development/enhancement especially 60 related to implementation of Banner Texas Administrative Code Section 202 Review compliance with Information Security Standards 350 Social Media Review the effectiveness of controls over social media policies and processes Follow-up Audit Obtain representations from management regarding status and perform verification as necessary 320 Special Projects Fraud & Ethics Program Facilitate university anonymous reporting system & committee 40 Hotline/Fraud Investigations Facilitate investigations 200 Other Special Projects Based on requests from Board of Regents, Administration or Departments 275 Meetings & Committee Service Investment Committee Serve as advisory member of committee 30 Financial Advisory Committee Serve as advisory member of committee 30 President's Administrative Meetings Attend administrative meetings as requested 100 Other University Meetings/Events Attend other meetings and events as deemed necessary 40 Regent Meetings Preparation and attendance of meetings 120 Professional Associations Serve on board of professional association 30 Department Activities Annual Audit Plan and Prepare annual audit plan and report 80 Audit Manual Revision Update audit manual and forms 80 Annual Risk Assessment Facilitate annual university risk assessment 120 Quality Assurance Perform internal assessment of compliance with standards 200 Records Management Maintain file system and records for department 200 Software Conversion, Maintenance, and Training Teammate audit software 200 Professional Development and Travel Professional development, maintain certifications, training, and travel 248

9 Total 2013 University Budget All Funds: $227,891,123 Total 2013 Budgeted Audit Positions: 3.5; Revised July 1, 2013: 4.5 FISCAL YEAR 2013 AUDIT PLAN PROJECT DESCRIPTION HOURS General & Administrative Administration (planning, purchasing, payroll, scheduling, reporting, etc) 900 Total Allocated Hours 6,412 Total Hours Per Year All staff 7,400 Less: Sick Leave (256) Vacation (360) Holidays (372) Total Available Hours 6,412

10 LIST OF AUDITS COMPLETED # NAME OF REPORT 12-X Dean of Sciences and Mathematics 13-I Dean of Business 13-II Camps / Campus Programs for Minors 13-III Public Funds Investment Act 13-IV Receivables carried forward 13-V Poultry Grant 13-VI Dean of Liberal and Applied Arts 13-VII Equine Center 13-VIII Social Media 13-IX Texas Administrative Code Section X Dean of Fine Arts 13-XI Dean of Education 13-XII Follow-Up Review Current status of findings/recommendations is based on the following definitions: Fully Implemented: Successful development and use of a process, system, or policy to implement a prior recommendation. Substantially Implemented: Successful development but inconsistent use of a process, system or policy to implement a prior recommendation. Incomplete/Ongoing: Ongoing development of a process, system, or policy to address a prior recommendation. Not Implemented: Lack of a formal process, system, or policy to address a prior recommendation. Detailed information is included in the schedule that follows.

11 CHANGES TO FISCAL YEAR 2013 AUDIT PLAN Almost all audits on the 2013 audit plan were completed during the audit year except for the following: Receivables Audit Carried forward to fiscal year 2014 audit plan.

12 LIST OF AUDITS FOR FISCAL YEAR Number Audit Date Name of High-Level Audit Objective(s) Observations/Findings and Recommendations Current Status 12-X June 30, 2012 Dean of the College of Sciences and Mathematics The objective of our audit was to determine that the Office of the Dean of the College of Sciences and Mathematics is in compliance with various laws, policies, and regulations and to test for fraudulent activities. While performing our procedures, we noted the following: The office did not have written department specific policies and procedures. The procurement card procedures lacked a segregation of duties in recording, reconciling, and approving. 1 out of 24 expenditures had an invoice that did not match the purchase order for quantity ordered or amount. The office should develop written department policies and procedures. While performing our audit of expenditures, we noted that the university did not have a specific policy to guide the expenditure of discretionary funds. The university should adopt a policy to guide the expenditure of discretionary funds. Fully Implemented Fully Implemented 13-I August 31, 2012 Dean of the College of Business The objective of our audit was to determine that the Office of the Dean of the College of Business is in compliance with various laws, policies, and regulations and to test for fraudulent activities. While performing our procedures, we noted the following: The employee time approval process lacked a segregation of duties in the process to approve time for non-exempt employees. Procurement card use forms have not been updated to reflect changes in employees of the office. The non-exempt employee time approval process should be strengthened, and procurement card use forms should be updated. We noted that receipt handling duties are not included in the job description for the Assistant to the Dean, and the office does not display the required receipt signage. The job description for the Assistant to the Dean needs to be updated to include receipt handling functions, and the office needs to display receipt signage. Fully Implemented Fully Implemented With the conversion to the Banner system, the university started using the Banner fixed assets module and opted out of using the State Property Accounting (SPA) system effective fiscal year Policy C-42 needs to be updated to reflect the change. The university should update Policy C-42, Property Inventory and Management. Fully Implemented 1

13 LIST OF AUDITS FOR FISCAL YEAR Number Audit Date Name of High-Level Audit Objective(s) Observations/Findings and Recommendations Current Status 13-II August 31, 2012 Camps/ Campus Programs for Minors The objective of our audit was to determine that controls exist to ensure compliance with the state law and university requirements for camps and campus programs for minors. The university mitigated risk by adopting guidelines for its summer camps and programs for minors prior to the finalizing of the official state regulations in the Texas Administrative Code. While many camps and campus programs for minors registered with the SFA Camps and Conferences Office, all programs involving minors such as those held at the Piney Woods Conservation Center in Broaddus and others, did not register with a central university office. The SFA Camps and Conferences Office utilized a registration form for the programs that did register. The format of the registration form made it hard to delineate whether a camp/program was sponsored by the university or a third party; how many event workers required mandatory training; and the actual number of camp or contact days for the program. While guidelines are available for campus programs for minors, the guidelines could be clarified by addressing the following: Fully Implemented Definitions for the university s use of key terms; such as camp, programs for minors, third party programs for minors, operator, sponsor, participant, number of days, contact, program workers, etc. Approval process and registration for programs for minors; Assignment of oversight and responsibilities; Record retention plan; Required training; Proof of training; Monitoring requirements, etc. The university should consider updating policy B-4, Camp and Conference Reservations, or creating a separate policy for campus programs for minors to clarify definitions, approvals, oversight, record retention, training, monitoring, etc. With a new or updated policy, the registration form could be improved to delineate whether a camp/program is sponsored by the university or a third party and include other details necessary to ensure compliance. 2

14 LIST OF AUDITS FOR FISCAL YEAR Number Audit Date Name of High-Level Audit Objective(s) Observations/Findings and Recommendations Current Status 13-II Continued August 31, 2012 Camps/ Campus Programs for Minors The objective of our audit was to determine that controls exist to ensure compliance with the state law and university requirements for camps and campus programs for minors. We reviewed certificates of insurance for eleven camps sponsored by third parties and noted the following: 2/11 did not specifically identify sexual abuse or molestation coverage on the certificate of insurance. 3/11 did not specifically identify medical expense coverage on the certificate of insurance. 6/11 did not specifically identify automobile coverage on the certificate of insurance. Insurance contract requirements should be reviewed for applicability, especially relating to automobile liability for programs that do not utilize transportation. Monitoring of the insurance requirements could be increased by involving the University s Environmental Health, Safety, and Risk Management Department in the process. Fully Implemented We found that duties for campus programs for minors were not specifically included in job descriptions for the employees currently involved in the process. In addition, the Director of Student Services/Student Center job description has not been updated for change of title and duties. Job descriptions should be updated to include duties related to campus programs for minors. Fully Implemented 13-III August 31, 2012 Public Funds Investment Act The objective of our audit was to ensure the university is in compliance with the Public Funds Investment Act as of August 31, While performing our audit procedures, we noted that cash in a bank account managed by the investment advisor was $370,368 at August 31, Federal Deposit Insurance Corporation (FDIC) insurance related to this balance was $250,000 leaving $120,368 uncollateralized. To strengthen internal controls, the university should increase monitoring procedures for cash under management by the investment advisor. Fully Implemented 3

15 LIST OF AUDITS FOR FISCAL YEAR Number Audit Date Name of High-Level Audit Objective(s) Observations/Findings and Recommendations Current Status 13-V August 31, 2012 Poultry Grant The objective of our audit was to determine that grant expenditures are appropriate and in compliance with grant guidelines and university policies and procedures. We noted that the grant expenditure report was submitted on August 27, 2012 which was after the deadline. In addition, based on our examination of the expenditures submitted by the Poultry Science Program in the report, we found the following: $176 or 6% appeared to be expenditures related to recruiting; $289 or 10% did not appear to be expenditures related to recruiting; and $2,535 or 84% did not appear to be expenditures related to recruiting but could possibly be considered expenditures in the broader category of recruiting and retention. These reported expenditures were made from various poultry program non-grant accounts. The Poultry Science Director should review the expenditures and provide documentation of the recruiting purpose of the funds or determine other expenditures that were used for recruiting. A revised expenditure report should be submitted to the grantor following university procedures. In addition, on the grant request form for future years, the Poultry Science Director should investigate changing the purpose of the use of funds to include the broader category of recruiting and retention. Incomplete/Ongoing Target implementation date is October 18, The Poultry Science Program did not follow university procedures for the following: Incomplete/Ongoing The internal Proposal Clearance Form was not submitted prior to funding. The Banner Fund Account Request was not completed prior to funding. The grant expenditure report was submitted by the program director/project director instead of the Controller s Office. The funds were deposited into a sales and services account instead of a grant account. The Controller s Office and ORSP were not involved in the process until after the grant period was over. The internal paperwork has been completed after the fact. The Poultry Science Program employees involved in grants should undergo additional grant training and take advantage of available grant resources to ensure that university policies and procedures are followed. The Poultry Science Director should establish and document internal grant procedures to help ensure compliance. Target implementation date is October 18,

16 LIST OF AUDITS FOR FISCAL YEAR Number Audit Date Name of High-Level Audit Objective(s) Observations/Findings and Recommendations Current Status 13-V Continued August 31, 2012 Poultry Grant The objective of our audit was to determine that grant expenditures are appropriate and in compliance with grant guidelines and university policies and procedures. $2,072 or 69% of the reported grant expenditures were made using university procurement cards. We noted the following in our testing: Procurement card expenditures were not appropriately documented as to how they related to recruiting. Food purchases were not appropriately documented. The monthly transaction detail reports were not signed to show review and approval by the cardholder and department head/reviewer. Employees are purchasing, entering information into Banner, and preparing the monthly transaction detail summary which does not provide an adequate segregation of duties. Supervisory review or cardholder approval of procurement card purchases made by an approved user was not documented. Incomplete/Ongoing The employees who use the procurement cards should have additional procurement card training to ensure that procurement card rules and regulations are understood. The university s procurement card coordinator should review the poultry program s procurement card purchases to determine ramifications of procurement card non-compliance. The Poultry Science Director should establish and document internal procurement card procedures, and the department chair should establish oversight. Target implementation date is October 18, Private gift donors and private grant fund providers often interchangeably use the terms gift and grant which can be confusing to the recipient. The university has a grant vs. gift brochure to help delineate the differences, but further clarification would be helpful. The university guidelines should be updated to more clearly delineate the university definitions of gift and grant. An internal document could be created to help with the process. Fully Implemented 5

17 LIST OF AUDITS FOR FISCAL YEAR Number Audit Date Name of High-Level Audit Objective(s) Observations/Findings and Recommendations Current Status 13-VI December 31, 2012 Dean of the College of Liberal and Applied Arts The objective of our audit was to determine that the Office of the Dean of the College of Liberal and Applied Arts is in compliance with various laws, policies, and regulations and to test for fraudulent activities. While performing our procedures, we noted the office did not have written specific policies and procedures. The office should develop written policies and procedures. Audit Services selected a random sample of 20 property inventory items for verification with the following results: 14 (70%) items were verified without exception. 4 (20%) items were verified but in a different location. 1 (5%) item was verified but listed twice on the university property records. 1 (5%) item could not be verified. The office needs to add procedures to ensure that property records are updated on a timely basis and university regulations are followed. Fully Implemented Fully Implemented We found instances where internal controls are weak because of a lack of segregation of duties or oversight including: Fully Implemented The Assistant to the Dean performs all functions in the receipt process for receipts collected that are not through Marketplace. For 3 out of 4 procurement cards holders, there is no second signature evidencing review on the transaction detail summary report. The Assistant to the Dean can requisition, approve, and receive items in Banner. The office should mitigate risk by adding procedures to ensure that an appropriate segregation of duties exists in the processes for procurement card use, expenditures, and receipts. The use of Marketplace for receipts should be considered. 6

18 LIST OF AUDITS FOR FISCAL YEAR Number Audit Date Name of High-Level Audit Objective(s) Observations/Findings and Recommendations Current Status 13-VI Continued December 31, 2012 Dean of the College of Liberal and Applied Arts The objective of our audit was to determine that the Office of the Dean of the College of Liberal and Applied Arts is in compliance with various laws, policies, and regulations and to test for fraudulent activities. We noted that receipt handling duties are not included in the job descriptions for the Assistant to the Dean, Administrative Assistant, and Director of the SFA Press. All receipt documentation for the University Interscholastic League competition hosted by the office was not maintained. In addition, the office does not display the required receipt signage in locations where receipts are collected. Procedures should be strengthened to ensure compliance with university policy for receipts including job descriptions, receipt record retention, and signage. While performing our audit procedures, we noted the following: 13/73 (18%) of procurement card purchases and 1/31 (3%) of expenditures tested did not follow university procedures related to food purchases. 5/73 (7%) of purchases tested were not appropriate for the fund used. 5/31 (16%) of expenditures tested were not requisitioned on a timely basis. The office is not documenting leave time using the university approved form. Procurement card use forms have not been updated to reflect changes in employees of the office. Fully Implemented Fully Implemented Procedures should be strengthened to ensure compliance with university policies and procedures. The SFA Press is operated on a cash basis. As a result, inventory is expensed when received, cost of goods sold is not established, and a break even analysis is not performed. Inventory records are maintained manually. The SFA Press lacks a segregation of duties within the department for receipts, procurement card procedures, and inventory. The SFA Press also hosts fundraisers and events from the same account as the press operations. Additional accounting procedures to ensure a segregation of duties are needed along with procedures to assess the financial viability of the SFA Press. Substantially Implemented Target implementation date is December 15, The Director of the SFA Press is lacking receipts, PCIDSS, and property training. The Administrative Assistant has not attended receipts training. The employees need to attend the required trainings. Substantially Implemented Target implementation date is November 1,

19 LIST OF AUDITS FOR FISCAL YEAR Number Audit Date Name of High-Level Audit Objective(s) Observations/Findings and Recommendations Current Status 13-VII December 31, 2012 Equine Center Our audit objectives are to determine that the Equine Center has internal controls to ensure compliance with various laws, policies, and regulations and to minimize the risk of fraud, waste, and abuse. We reviewed the Equine Center s February 2012 certified inventory listing, a listing prepared by the Equine Director in December 2012, and a current university property inventory listing as of February We noted differences due to the following: Horses are sold or disposed of without following university procedures; thus, Procurement and Property Services has not been involved. The Equine Center has not maintained an updated listing of horses. Receipt documentation for horse sales deposited with the university does not identify the horses sold. Horses under the $5,000 capitalization threshold are not recorded on the university s official inventory. The university should establish additional procedures for inventorying horses, such as defining them as a controlled property and/or requiring a more frequent inventory. Procedures for selling horses should be established for the Equine Center to follow. All sales receipts should include documentation as to horse sold, date, amount and purchaser and any other relevant terms. Fully Implemented While performing our procedures, we noted that the Equine Center does not have a records management system, and horses are not tagged or identified for property inventory purposes. In addition, information for registered horses was not up to date with the registration agencies. The Equine Center should develop a records management system, including a record retention plan, for information related to university owned and boarded horses at the Center including details such as name; birth date; breed; registration; brands; deworming; farrier visits; vaccinations; medications; injuries; veterinary visits; dentistry; temperature, pulse, and respiratory rate readings; distinguishing marks; and pictures. In addition, horse registration records with the registration agencies need to be updated. The Equine Center and Procurement and Property Services should identify an appropriate method for identifying horses. Incomplete/Ongoing Target implementation date is December 31,

20 LIST OF AUDITS FOR FISCAL YEAR Number Audit Date Name of High-Level Audit Objective(s) Observations/Findings and Recommendations Current Status 13-VII Continued December 31, 2012 Equine Center Our audit objectives are to determine that the Equine Center has internal controls to ensure compliance with various laws, policies, and regulations and to minimize the risk of fraud, waste, and abuse. Boarder contract and receipt procedures are lacking. We noted the following: Equine Center employees are accepting payments, which is not an appropriate segregation of duties. Horses have been boarded without contracts. Some contracts are not complete, i.e. missing signatures or other information. Boarder payments and deposits are inconsistent and not monitored to ensure payment. Employee horses are boarded for free with no contract. Boarder contracts need to be updated to include required language and additional contract terms. After meeting with the Controller, it was determined that the boarding fees should be charged to the student s university account in Banner or paid through Marketplace for nonstudents to provide a proper receivable and payment mechanism. Payments should be made to the Bursar s Office instead of the Equine Center employees. In addition, we recommend: Incomplete/Ongoing The Equine Center should document department policies and procedures for boarder contracts and receipts. Contracts should be executed prior to accepting a boarder horse. The propriety of boarding employee horses for free should be reviewed including pertinent IRS guidelines; and employees should have a boarding contract with any change in terms documented. The standard Boarder contract should be updated for payment due date; cancellation notice clause; and include the required State of Texas language - Under Texas law (Chapter 87, Civil Practice and Remedies Code), an equine professional is not liable for an injury or the death of a participant in equine activities resulting from the inherent risks of equine activities. The Equine Center should determine if balances are due from any boarders. Target implementation date is November 1,

21 LIST OF AUDITS FOR FISCAL YEAR Number Audit Date Name of High-Level Audit Objective(s) Observations/Findings and Recommendations Current Status 13-VII Continued December 31, 2012 Equine Center Our audit objectives are to determine that the Equine Center has internal controls to ensure compliance with various laws, policies, and regulations and to minimize the risk of fraud, waste, and abuse. While performing our audit, we noted the following: Veterinary services, pest control, food purchases, and vehicle repairs purchased with a procurement card did not follow university policies. Purchases for veterinary services did not always include details of the horses treated or services provided in order to ensure that services to horses were separated and billed to the appropriate party. The Equine Center should document its internal policies and procedures for expenditures. Additional training on expenditure polices would be beneficial for the new employees. Target implementation date is November 1, Incomplete/Ongoing We noted only one job description for the Equine Center exists. The description is for a Research Assistant who is currently referred to as the Farm Manager. The Equine Center Director does not have a job description. The Equine Center should review the job title and description for the Research Assistant position and establish a job description for the Equine Director. Incomplete/Ongoing Target implementation date is January 31, The Equine Center Director is selling horses and signing the boarder contracts. Contracting authority should be reviewed and specifically designated for the Equine Center. Fully Implemented While performing our audit we noted that the Equine Director had not attended property training, and the Research Assistant/Farm Manager had not attended receipts training and would benefit from procurement card training. The employees should take the appropriate trainings. Substantially Implemented Target implementation date is November 1,

22 LIST OF AUDITS FOR FISCAL YEAR Number Audit Date Name of High-Level Audit Objective(s) Observations/Findings and Recommendations Current Status 13-VII Continued December 31, 2012 Equine Center Our audit objectives are to determine that the Equine Center has internal controls to ensure compliance with various laws, policies, and regulations and to minimize the risk of fraud, waste, and abuse. In some of our recent audits, we noted that new directors/department heads/managers were not aware of some university policies and procedures, and required trainings were not up to date. The university should increase controls over orienting new directors/department heads/managers by expanding or enhancing methods to convey important university policies and procedures that are necessary to oversee a university department or organization. In addition, a university-wide tracking mechanism is needed to ensure that employee trainings are tracked and monitored for timeliness. Target implementation date is August 31, Incomplete/Ongoing 13-VIII May 31, 2013 Social Media The objective of our audit was to determine whether the university has appropriate controls to mitigate social media risks. Currently 54 out of 95 university departments surveyed are utilizing some type of social media. Through our procedures, we noted that the university does not have social media guidelines for the university community to follow. We judgmentally selected five departments responding affirmatively to the survey to determine if the departments have procedures related to social media. One department, Athletics, has social media guidelines applicable to student athletes. The university should consider establishing social media guidelines for the university community. Incomplete/Ongoing Target implementation date is October 31, IX May 31, 2013 TAC 202 Our overall objective was to determine whether the university s information security program is in compliance with the TAC 202 security standards. The university has policies and procedures along with an information security plan document to evidence compliance with TAC 202. However, the information security plan could be more formally documented related to information technology governance to provide for centralized oversight of information security practices required by TAC 202. Target implementation date is May 31, Incomplete/Ongoing 11

23 LIST OF AUDITS FOR FISCAL YEAR Number Audit Date Name of High-Level Audit Objective(s) Observations/Findings and Recommendations Current Status 13-IX Continued May 31, 2013 TAC 202 Our overall objective was to determine whether the university s information security program is in compliance with the TAC 202 security standards. We performed procedures to verify that security awareness training is completed on a timely basis. We found the following: 74/1079 (7%) of employees in security sensitive positions or with access to Banner have either not taken or not passed the training. 59/146 (40%) of student employees with access to Banner have not taken the training. The university should consider consequences for not taking or passing training to ensure that training is taken in a timely manner. In addition, the student employees should be reviewed to determine if the students are currently employed and need training, or if they should be removed as employees in the system. Incomplete/Ongoing Target implementation date is January 31, As of the May 31, 2013 review date, the overall university security risk analysis had not been completed. The risk assessment process included seventeen university departments/areas. As of the audit date, eleven departments had completed and formalized their assessment; while six departments had not finished the risk assessment. The university should add procedures to ensure the security risk analysis is completed and certified on a timely basis. Incomplete/Ongoing Target implementation date is September 30, As of the audit date, three departments had a disaster recovery plan that appears to be in compliance with TAC 202, while four department s plans need improvement and two department s plans need to be developed. Departments not using centralized Information Technology Services should ensure that disaster recovery plans meet the requirements of TAC 202. Disaster recovery planning should be strengthened by improving IT Governance to require all departments not using centralized Information Technology Services to submit their plans and documentation of annual testing for review and approval by the Information Security Officer. Incomplete/Ongoing Target implementation date is April 30,

24 LIST OF AUDITS FOR FISCAL YEAR Number Audit Date Name of High-Level Audit Objective(s) Observations/Findings and Recommendations Current Status 13-X June 30, 2013 Dean of the College of Fine Arts The objective of our audit was to determine that the Office of the Dean of the College of Fine Arts is in compliance with various laws, policies, and regulations and to test for fraudulent activities. While performing our procedures, we noted the Office did have written specific policies and procedures, but they need to be updated. The Office should update its written policies and procedures. Target implementation date is January 31, Audit Services selected a sample of 10% of 56 property inventory items for verification with the following results: 4 (67%) items were verified without exception. 2 (33%) items were verified with exception. Incomplete/Ongoing Incomplete/Ongoing In addition, one of the items selected was a work of art. We noted this item was not catalogued for identification purposes. The Office needs to ensure that property records are updated in a timely manner. In addition, Procurement and Property Services should strengthen procedures for identifying university property including works of art. Target implementation date is May 30, While performing our audit, we noted that three accounts operated by the Office have had a deficit fund balance for the past four years. Factors contributing to the continuation of the deficit fund balances appear to be overestimation of revenues, expenditures and revenues not matched to the same account and/or the appropriate period, and lack of monitoring. The Office should work with the Budget Office to formalize a plan to eliminate the deficit fund balances and more accurately estimate and match revenues. Incomplete/Ongoing Target implementation date is December 15, We found that the Assistant to the Dean and the Administrative Assistant approved their own time in Time Clock Plus. The Office should add procedures for appropriate review and approval of time for employees using Time Clock Plus. Incomplete/Ongoing Target implementation date is September 30,

25 LIST OF AUDITS FOR FISCAL YEAR Number Audit Date Name of High-Level Audit Objective(s) Observations/Findings and Recommendations Current Status 13-X Continued June 30, 2013 Dean of the College of Fine Arts The objective of our audit was to determine that the Office of the Dean of the College of Fine Arts is in compliance with various laws, policies, and regulations and to test for fraudulent activities. While performing our audit procedures, we noted the following: 2/25 (8%) of expenditures tested were not processed on a timely basis to ensure prompt payment. 1/25 (4%) of expenditures tested had an invoice date prior to the purchase approval date. 1/24 (4.1%) of procurement card purchases inadvertently included sales tax. The Assistant to the Dean/Designee signed the annual inventory report certification instead of the Dean/Equipment Manager. The Office is not documenting leave time using the university approved form. Procurement card use forms need to be updated to reflect changes in employees of the Office. Incomplete/Ongoing The Office should add or strengthen procedures to ensure compliance with university policies and procedures. Target implementation date is September 30, The Assistant to the Dean and the Administrative Assistant handle receipts in the Office and should take receipts training. Incomplete/Ongoing Target implementation date is November 15, XI July 31, 2013 Dean of the College of Education The objective of our audit was to determine that the Office of the Dean of the College of Education is in compliance with various laws, policies, and regulations and to test for fraudulent activities. While performing our procedures, we noted the Office did not have written specific policies and procedures. The Office should develop written policies and procedures. Target implementation date is November 15, Audit Services selected a sample of 10% of 45 property inventory items for verification with the following results: 3 (60%) items were verified without exception. 2 (40%) items were verified with exception. The Office needs to add procedures to ensure that property records are updated in a timely manner. Incomplete/Ongoing Incomplete/Ongoing Target implementation date is September 30,

26 LIST OF AUDITS FOR FISCAL YEAR Number Audit Date Name of High-Level Audit Objective(s) Observations/Findings and Recommendations Current Status 13-XI Continued July 31, 2013 Dean of the College of Education The objective of our audit was to determine that the Office of the Dean of the College of Education is in compliance with various laws, policies, and regulations and to test for fraudulent activities. While performing our audit, we noted that six accounts had not been used by the Office. The Office should work with the Controller s Office and Budget Office to determine the appropriate account manager or use for the six accounts. Target implementation date is September 30, We found that one employee approved her own time in Time Clock Plus and that grant time and effort reports were not completed in a timely manner. The Office should add or strengthen procedures to ensure compliance with university policies and procedures for time reporting. Target implementation date is September 30, Incomplete/Ongoing Incomplete/Ongoing While performing our audit procedures, we noted the following: Incomplete/Ongoing 1/28 (3.5%) of expenditures tested did not have a travel requisition approved prior to the travel date. 1/28 (3.5%) of expenditures tested had an incorrect amount paid. 4/37 (11%) of procurement card purchases were coded to the wrong account. 1/37 (3%) of procurement card purchases did not have a supporting invoice. 1/3 (33%) of procurement card detail transaction reports tested did not have the approving signature. The Office should add or strengthen procedures to ensure compliance with university policies and procedures. Target implementation date is November 15, XII August 31, 2013 Follow-Up Review Our objective is to determine whether progress has been made toward implementing management action plans in a timely and appropriate manner. Though progress has been made toward implementing the management action plans as evidenced by the 28 plans or 64% implemented, additional action is needed to ensure that plans are implemented on a timely basis. Incomplete/Ongoing 15

27 IV. Non-Audit Services

28 NON AUDIT SERVICE ACTIVITIES Audit Services did not perform any consulting engagements as defined in the Internal Audit Charter, but we did perform other internal audit services as listed below. ACTIVITY Facilitate anonymous internet and hotline reporting system Co-facilitate university wide risk assessment Serve as advisory member of Investment Committee Serve as advisor to departments for various issues Serve on committees for information technology issues Provide assistance on NCAA Review Provide assistance on Charter School financial audit Provide assistance to SAO for audits and other projects Provide assistance to other agencies such as State Comptroller s Office, federal agencies, etc. for audits or reviews Review policies Investigate Fraud and Ethics s Other Special Projects IMPACT Promote awareness of fraud and ethics issues across the university Identify university risks Provide guidance on issues relating to university investments Provide guidance and strengthen department controls Increase awareness of controls and security Coordinate and assist with external review to ensure compliance Coordinate and assist with external audit Coordinate and assist to aid in efficiency and provide expertise Coordinate and assist to aid in efficiency and provide expertise Review new or updated policies for internal control purposes Investigate alleged claims relating to fraud and ethics issues Provide information and analysis

29 V. External Quality Assurance Review

30 Stephen F. Austin State University Department of Audit Services Quality Assurance Review June 28, 2013 Gina Oglesbee, CPA, CFE, Director David McFarland, CPA, CISA, Assistant Director Norma Doan, Auditor Sarah Wood, Graduate Assistant Box 6121, SFA Station Nacogdoches, Texas Phone Fax

31 Stephen F. Austin State University Department of Audit Services 2013 Quality Assurance Review Table of Contents I. Quality Assurance Review Letter, Dated June 28, 2013 II. III. Independent Assessors Opinion Quality Assurance Review Self-Assessment Revised, Dated April 19, 2013 Page 2 of 11

32

33

34

35

36 Attachment to the Quality Assurance Review June 28, 2013 Stephen F. Austin State University Department of Audit Services 2013 Quality Assurance Review Self-Assessment - Revised April 19, 2013 Gina Oglesbee, CPA, CFE Director of Audit Services Page 7 of 11

37 Attachment to the Quality Assurance Review June 28, 2013 OVERALL CONCLUSION After completing the self-assessment for our 2013 peer review, we conclude that the Stephen F. Austin State University Department of Audit Services is in compliance with the Institute of Internal Auditors (IIA) Standards for the Professional Practice of Internal Auditing, the U.S. Government Accountability Office s Government Auditing Standards, the IIA Code of Ethics, and the Texas Internal Auditing Act. Our conclusion is based on completion of a self-assessment using the State Agency Internal Audit Forum (SAIAF) Master Peer Review Program, which included the review of a complete set of working papers using the SAIAF Working Paper Review Tool. As part of our commitment to continuous improvement, we identified opportunities to enhance our processes and have included them in the final section of this report entitled Goals for the Department of Audit Services. More detail regarding our self-assessment is found below. It includes an assessment of compliance with The IIA Code of Ethics, followed by eleven sections presented in the order of The IIA Standards. DETAILED CONCLUSIONS IIA Code of Ethics Our self-assessment indicates that the Internal Audit Charter documents the expectation that auditors will conform to the IIA Code of Ethics. Also, the Audit Manual specifies that all Department of Audit Services personnel must abide by the Code of Ethics. In addition, personnel complete an Independence Statement that references the IIA Code of Ethics. I Purpose, Authority, and Responsibility The purpose, authority and responsibility of Internal Audit are specified in the Internal Audit Charter. The Internal Audit Charter defines the nature of assurance and consulting services. It was approved by the Board of Regents (BOR). Additional guidance is provided in the BOR Rules and Regulations. II Independence and Objectivity Based on the self-assessment, our conclusion is that the Department of Audit Services is independent and free from impairments, and the auditors are objective in performing their work. The Director of Audit Services reports to the BOR, and they approve the Internal Audit Charter. The BOR reviews and approves the Annual Audit Plan and significant deviations to it. The BOR reviews and accepts all audit reports before they are issued. The Department of Audit Services has not experienced any scope limitations and has been able to report all findings and conclusions objectively. No instances of conflict of interest have occurred, but the Department of Audit Services has a process for addressing such situations if they arise. III Proficiency and Due Professional Care Our conclusion is that Department of Audit Services work is performed with proficiency and due care; professional judgment is used in planning, performing, and reporting; and the staff collectively possesses adequate professional competence. The Director of Audit Services is licensed as a Certified Public Accountant (CPA) and Certified Fraud Examiner (CFE) and has over 26 years of experience in auditing and accounting, including eight years as the Director of Page 8 of 11

38 Attachment to the Quality Assurance Review June 28, 2013 Audit Services at SFA. The Assistant Director has three certifications including CPA, Certified Information Systems Auditor (CISA), and Certified in Risk and Information Systems Control (CRISC). The audit staff has sufficient knowledge to identify indicators of fraud and information technology risks. The budget provides funding for auditors to earn continuing education credits and maintain professional certifications. IV Quality Assurance and Improvement Program We found that the Department of Audit Services has an effective quality assurance program that includes external peer review and internal review processes. The Director of Audit Services approves all audit plans and audit programs and reviews audit work papers. The SAIAF checklist is completed for each audit to review compliance with Standards. The Director reviews all audit reports. The audit staff has regular meetings to discuss issues. Audit reports state that they are performed in accordance with Standards. The Audit Director has open communication with all audit clients. V Managing the Internal Audit Activity Our self-assessment review indicated that the Department of Audit Services is managed in accordance with relevant Standards. The Department s Audit Manual and TeamMate Protocol Document are available on a network drive that is accessible to all audit staff but restricted to access by others. The Director prepares a risk-based Annual Audit Plan that is approved by the BOR; monitors and communicates the progress of projects; coordinates with other audit entities to prevent duplication; and prepares an Annual Audit. Audit reports provide value-added recommendations to address the risks and issues that are identified. Follow-up reviews add value by informing the BOR and management of the status of audit issues identified in previous reports. VI Nature of Work Our conclusion based on the self-assessment is that the Department of Audit Services contributes to the improvement of risk management, control, and governance processes through its audits and management assistance services. The Director of Audit Services and the Vice President of Finance and Administration co-facilitate a university wide annual risk assessment that forms the basis for the Annual Audit Plan. The risk assessment survey considers areas of risk such as the reliability of information, safeguarding of assets, compliance, efficiency and effectiveness of operations, and the accomplishment of goals and objectives. Audit Programs ensure that fraud risks are considered. The Director has provided significant input on ethics and fraud prevention policies and facilitates the fraud awareness program through administration of the EthicsPoint hotline and distribution of fraud posters and brochures. VII Engagement Planning Based on our review of the working papers for the Campus Program for Minors/Camps Audit, we conclude that the Department of Audit Services is in compliance with the Standards. The auditors develop an Audit Plan for each audit, which specifies the audit scope and objectives. An Audit Program is prepared for each audit that identifies the activities to be performed in order to accomplish the audit objectives. The Audit Director assigns audits in the Audit Plan according to the knowledge, skills, and experience of the auditors. Page 9 of 11