Business Managers Meeting May 15, 2017 Presented by Management Advisory Services Sharon Doherty-Ritter, Director David Sohns, Management Analyst
Agenda USM OIA Legislative Audit Follow Up Other USM OIA Audits P-card News and Reminders Questions/Comments
USM Legislative Audit Follow-Up
USM Legislative Audit Follow-up USM OIA Legislative Audit Follow-up audit recently concluded. 7 compliance findings; 14 recommendations. Follow-up Audit found 12 recommendations were fully implemented (FI). 2 recommendations not fully implemented (NFI).
USM Legislative Audit Follow-Up Finding 1: Student Residency- FI Finding 2: Payroll (multiple agency)- NFI Finding 3: Payroll (PS Access)- FI Finding 4: Network Security- FI Finding 5: Financial Aid- FI Finding 6: Purchasing Cards- NFI Finding 7: Disbursements- FI 1)Auditors found that too many people on Campus had the capability to change residency status in PeopleSoft and there wasn’t a process in place to verify residency changes (at least on a test basis). We have restricted the number of people who have access to change residency status and have implemented a procedure to verify residency changes at least on a test basis. 2) During the course of the audit, USM issued much anticipated guidance regarding the process of investigating employees appearing on multiple State payrolls significantly reducing the number of employees to be investigated; using this guidance (which does not require us to follow-up on terminated employees) we will investigate (at least on a test basis) employees appearing on multiple State payrolls. We will document our investigative efforts. 3) The auditors found that users in the Human Resource and Payroll areas had access to critical functions in PeopleSoft that were not necessary for their job duties; we have since restricted user access. 4) Performed documented SSL inspections as recommended, and applied IDPS and/or HIPS as found appropriate, to address network security risk for all of our high risk systems; Discontinued the use of shared accounts and assigned individual accounts to all individuals who are authorized to make administrative changes on our firewalls; Enabled the vendor password complexity feature on our firewalls to ensure our passwords meet USM requirements, and Reviewed and updated our network access controls to limit access to only required servers over necessary ports. 5) The auditors found that we did not have an adequate process in place to verify awards posted to student accounts (at least on a test basis); we have now established an adequate procedure to have an independent employee verify awards to student accounts on a test basis. 6) The auditor found that we had frequently been using 1 vendor to purchase chemicals without having a competitively bid contract in place; we have subsequently issued a competitive bid and a contract is now in place. Additionally, in their test of P-Card envelopes, the auditors found 4 instances where although the P-Card envelopes were signed by the cardholder and supervisor, the bank statements were not. We will reemphasize the necessity of this required signature to all of our cardholders and supervisors. 7) Basically, the auditors found that the 3 people in accounts payable who released disbursement transmittals to GAD also had the ability to alter the file. We will ensure that the individual (s) who transmit the file to GAD, do not have the ability to alter the file.
USM/Legislative Audit When will they be back? USM will return to follow-up on Legislative Audit Follow-Up (6 -12 months from now). Interval for next legislative audit will range from 3-4 years. MAS anticipates our next Legislative audit in 2019-2020. Notes: The interval between Legislative audits by OLA can now range from 3 to 4 years (determined on a per case basis). Audit period will be March 19, 2015 forward.
USM Office of Internal Audit
Other USM OIA Audits Campus Traffic Safety Project Follow-Up (issued with recommendations fully implemented) Affiliated Foundations (issued with 2 areas for improvement identified and recommendations subsequently implemented) Campus Card Operations (issued with 4 areas for improvement identified and implementation of recommendations in process) Research & Technology Park - Follow-Up (TBD) 2 findings (ensure bonding increases are provided and ensure COI name required additional insureds and certificate holder) were fully implemented. 2 areas with opportunity for improvement (i.e. ensure the Annual Agreement with RPC contains the required language and appropriately quantifies UMBC resources and RPC should have an annual report of transfers to UMBC audited and submitted to USMO, in addition to all other required documentation, within the required time period. ) We have implemented the recommendations. 4 areas where there were opportunities for improvement (i.e. the monthly campus card reconciliation is accurate and complete; establish a regular schedule to monitor and deactivate cards and address remaining balances; DCARD procedures and compliance should be improved by ensuring adequate oversight and monitoring over the DCARD program; proper segregation of duties over requesting, activating, issuing, and inventory of guest and gift cards).
USM OIA Audits Security Policy Development (TBD) Division of Professional Studies Systems – Logical Access (In process) Contracts and Grants – Follow-Up (in process) Child Care Center (YMCA) (in process) PII-Personally Identifiable Information (TBD)
P-Card News and Reminders
P-card Online Training MAS and Instructional Technology, in conjunction with Procurement, developing online refresher training for all P-card holders and Supervisors. Training created in CourseArc- a web-based content authoring tool for creating online courses. Online course will be accessed via Blackboard. Online training will mitigate scheduling constraints of face-to-face training sessions. Notes: The plan is to launch this online training in July 2017 Goal is to make this available for all new-cardholders.
P-Card Transaction Log GAD granted UMBC permission to utilize PeopleSoft-based electronic P-Card logs. MAS and Procurement, in conjunction with DoIT, developed template. New transaction log opened to campus on April 12.
Any Questions/Comments?
UMBC Audit Update Meeting MAS Staff Sharon Doherty-Ritter (5-1620) Dave Sohns (5-6257)
Business Managers Meeting May 15, 2017 Presented by Management Advisory Services Sharon Doherty-Ritter, Director David Sohns, Management Analyst