MnSCU Audit Reports Presentation to the MnSCU Audit Committee Office of the Legislative Auditor September 21, 2004.



Today’s Agenda
Information technology audits
  – Presented by Eric Wion, IT Audit Director
Internal control and compliance audits of selected colleges
  – Presented by Jim Riebe, Audit Manager

Why Audit Technology?
Computer systems process and house data that is vital to MnSCU’s operations
  – Integrity – inaccurate or incomplete data can lead to improper decisions
  – Confidentiality – unauthorized disclosures can have significant legal implications and undermine public trust
  – Availability – administrators and students now rely on 24/7 access
Commercial products have many well-publicized vulnerabilities and are a prime target for hackers
Audits provide management and the board an independent assessment of controls

Most Recent Audits
Data Warehouse Controls
Degree Audit Reporting and Course Applicability Systems (DARS and CAS)
Information Technology Security Follow-up
4th audit that has focused on ISRS security controls

The Big Picture
Progress has been made to resolve audit findings
  – 2 Resolved
  – 2 Significantly Resolved
  – 4 Partially Resolved
Shortcomings still exist

Insufficient Security Planning
No comprehensive security program
  – IT risks not assessed organization-wide
  – Insufficient security staff
  – Reactive, rather than proactive
  – Excessive reliance on key IT professionals
Underlying cause of security findings

Documentation Shortcomings
Lack of documentation causes a security infrastructure to erode over time
Knowledgeable staff may leave
Remaining people are afraid to touch anything security-related

Inappropriate Access
People have security clearances that they do not need to fulfill their job duties
  – Information technology professionals given excessive security clearances
  – Software products have powerful security clearances that are not needed
*Our follow-up audit found significant improvement

Server Configuration Weaknesses
Unnecessary “services”, often susceptible to exploit, have not been removed
Security-related software patches have not been applied

Weak Authentication Processes
Strong password controls not enforced
Unencrypted passwords sent over networks or stored in files

Inadequate Monitoring
Security-related events not defined, logged, or reviewed
Compliance monitoring responsibilities not properly defined
  – Information technology professionals
  – Security staff
  – Consultants
  – Internal and external auditors
Vulnerability assessment tools not deployed

Staffing Issues
Often unclear who is responsible for making critical security decisions or performing critical security duties
Insufficient number of staff dedicated to security

What Can A Trustee Do?
Make security a priority
Help management obtain more trained security professionals
Encourage management to
  – Adopt a formal security framework or model
  – Assess risks and document detailed security policies, procedures, and standards for all major systems
  – Utilize tools to monitor security and perform vulnerability assessments
Ascertain that management has put processes, technology and assurance in place for information security

IT Audits - Q & A

Audits of Selected Colleges
Audit Objectives
  – Internal control
      – Safeguarding assets
      – Accuracy of accounting information
  – Compliance with significant legal provisions
      – State statutes
      – Bargaining unit provisions
      – Board policies
      – Contract provisions

Audits of Selected Colleges
Audit Scope
  – Two or three year period ended June 30, 2003
  – Limited program areas including
      – Computer system access
      – Tuition and fees
      – Payroll
      – Administrative expenditures

Audits of Selected Colleges
Colleges Audited
  – Central Lakes (2 year audit)
  – Hibbing (3 year audit)
  – Inver Hills (3 year audit)
  – Itasca (2 year audit)
  – Normandale (2 year audit)
  – Riverland (3 year audit)
  – St. Cloud Technical College (3 year audit)

Overall Conclusion
Colleges included in our scope generally:
  – Safeguarded assets
  – Correctly recorded financial activity
  – Complied with significant legal provisions

Key Finding
Certain colleges need to ensure that access to computerized business systems is adequately restricted (3 colleges)

Other Findings
Lack of adequate documentation supporting backdated registrations (2 colleges)
Incompatible duties over payroll/personnel data entry
Noncompliance with contracting and bidding requirements
Noncompliance with board policy requiring written tuition waiver guidelines (3 colleges)

Questions