MnSCU Audit Reports

Presentation to the MnSCU Audit Committee, Office of the Legislative Auditor, September 21, 2004


Page 1: MnSCU Audit Reports

MnSCU Audit Reports

Presentation to the MnSCU Audit Committee

Office of the Legislative Auditor

September 21, 2004

Page 2: MnSCU Audit Reports

Today’s Agenda

• Information technology audits – Presented by Eric Wion, IT Audit Director

• Internal control and compliance audits of selected colleges – Presented by Jim Riebe, Audit Manager

Page 3: MnSCU Audit Reports

Why Audit Technology?

• Computer systems process and house data that is vital to MnSCU’s operations
  – Integrity – inaccurate or incomplete data can lead to improper decisions
  – Confidentiality – unauthorized disclosures can have significant legal implications and undermine public trust
  – Availability – administrators and students now rely on 24/7 access

• Commercial products have many well-publicized vulnerabilities and are a prime target for hackers

• Audits provide management and the board an independent assessment of controls

Page 4: MnSCU Audit Reports

Most Recent Audits

• Data Warehouse Controls

• Degree Audit Reporting and Course Applicability Systems (DARS and CAS)

• Information Technology Security Follow-up
  • 4th audit that has focused on ISRS security controls

Page 5: MnSCU Audit Reports

The Big Picture

• Progress has been made to resolve audit findings
  – 2 Resolved
  – 2 Significantly Resolved
  – 4 Partially Resolved

• Shortcomings still exist

Page 6: MnSCU Audit Reports

Insufficient Security Planning

• No comprehensive security program
  – IT risks not assessed organization-wide
  – Insufficient security staff
  – Reactive, rather than proactive
  – Excessive reliance on key IT professionals

• Underlying cause of security findings

[Diagram labels: Assess Business Risks; Define Policies & Procedures; Deploy Tools; Monitor Compliance With Policies]

Page 7: MnSCU Audit Reports

Documentation Shortcomings

• Lack of documentation causes a security infrastructure to erode over time

• Knowledgeable staff may leave

• Remaining people are afraid to touch anything security-related

Page 8: MnSCU Audit Reports

Inappropriate Access

• People have security clearances that they do not need to fulfill their job duties
  – Information technology professionals given excessive security clearances
  – Software products have powerful security clearances that are not needed

* Our follow-up audit found significant improvement

Page 9: MnSCU Audit Reports

Server Configuration Weaknesses

• Unnecessary “services”, often susceptible to exploit, have not been removed

• Security-related software patches have not been applied

Page 10: MnSCU Audit Reports

Weak Authentication Processes

• Strong password controls not enforced

• Unencrypted passwords sent over networks or stored in files

Page 11: MnSCU Audit Reports

Inadequate Monitoring

• Security-related events not defined, logged, or reviewed

• Compliance monitoring responsibilities not properly defined
  – Information technology professionals
  – Security staff
  – Consultants
  – Internal and external auditors

• Vulnerability assessment tools not deployed

Page 12: MnSCU Audit Reports

Staffing Issues

• Often unclear who is responsible for making critical security decisions or performing critical security duties

• Insufficient number of staff dedicated to security

Page 13: MnSCU Audit Reports

What Can A Trustee Do?

• Make security a priority

• Help management obtain more trained security professionals

• Encourage management to
  – Adopt a formal security framework or model
  – Assess risks and document detailed security policies, procedures, and standards for all major systems
  – Utilize tools to monitor security and perform vulnerability assessments

• Ascertain that management has put processes, technology and assurance in place for information security

Page 14: MnSCU Audit Reports

IT Audits - Q & A

Page 15: MnSCU Audit Reports

Audits of Selected Colleges

• Audit Objectives
  – Internal control
    • Safeguarding assets
    • Accuracy of accounting information
  – Compliance with significant legal provisions
    • State statutes
    • Bargaining unit provisions
    • Board policies
    • Contract provisions

Page 16: MnSCU Audit Reports

Audits of Selected Colleges

• Audit Scope
  – Two or three year period ended June 30, 2003
  – Limited program areas including
    • Computer system access
    • Tuition and fees
    • Payroll
    • Administrative expenditures

Page 17: MnSCU Audit Reports

Audits of Selected Colleges

• Colleges Audited
  – Central Lakes (2 year audit)
  – Hibbing (3 year audit)
  – Inver Hills (3 year audit)
  – Itasca (2 year audit)
  – Normandale (2 year audit)
  – Riverland (3 year audit)
  – St. Cloud Technical College (3 year audit)

Page 18: MnSCU Audit Reports

Overall Conclusion

• Colleges included in our scope generally:
  – Safeguarded assets
  – Correctly recorded financial activity
  – Complied with significant legal provisions

Page 19: MnSCU Audit Reports

Key Finding

• Certain colleges need to ensure that access to computerized business systems is adequately restricted (3 colleges)

Page 20: MnSCU Audit Reports

Other Findings

• Lack of adequate documentation supporting backdated registrations (2 colleges)

• Incompatible duties over payroll/personnel data entry

• Noncompliance with contracting and bidding requirements

• Noncompliance with board policy requiring written tuition waiver guidelines (3 colleges)

Page 21: MnSCU Audit Reports

Questions