
Page 1: UT Health · Bursar's Office staff are adequate to support the enforcement of appropriate segregation of duties within both the PeopleSoft Student and PeopleSoft Finance systems

UT Health San Antonio

Internal Audit & Consulting Services

Date: August 29, 2018

Internal Audit & Consulting Services 7703 Floyd Curl Dr. MC#7974 San Antonio, Texas 78229-3900 210-567-2370 Fax: 210-567-2373 www.uthscsa.edu

To: Gerard Long, Assistant Vice President for Business Affairs

From: John Lazarine, Chief Audit Executive Internal Audit & Consulting

Subject: Review of Bursar's Office Segregation of Duties and User Access

As part of our FY 2018 Audit Plan, we recently completed a Review of Bursar's Office Segregation of Duties and User Access. Attached is the report detailing the results of this review.

We appreciate the cooperation and assistance we received throughout the review.

Respectfully,

John Lazarine, CIA, CISA, CRISC
Chief Audit Executive

Internal Audit & Consulting Services

Page 2

Distribution:

cc: Dr. William Henrich, President
Michael Black, Sr. EVP & COO
Andrea Marks, VP & CFO
Yeman Collier, VP & CIO
Kathy James, Interim Chief Compliance Officer
Jack Park, Chief Legal Officer

External Audit Committee Members: Pat Frost, Regina Conklin, Ed Garza, Brian Kelly

Page 3

UT Health San Antonio

Internal Audit & Consulting Services

Audit Report

Review of Bursar's Office Segregation of Duties and User Access (Project #18-04)

August 29, 2018

Internal Audit Staff:

John Lazarine, CIA, CISA, CRISC, Chief Audit Executive

Robert Morgan, IT Audit Director, CISA, CISSP, GSNA, OCP

Page 4

Review of Bursar's Office Segregation of Duties

Audit Results

As part of our approved annual Audit Plan, we conducted an audit of the Bursar's Office staff access and segregation of duties within both the PeopleSoft Student Administration and Information - Campus Solutions (Student) and PeopleSoft Financial Supply Chain Management (Finance) systems. The audit objectives, conclusions, and background information follow.

Audit Objectives

The primary objectives of this audit were to review the access roles assigned to Bursar's Office staff and to evaluate whether an appropriate level of segregation of duties is in place and enforced.

Conclusion and Management Actions

Based on our review, we concluded that the roles and permission lists assigned to Bursar's Office staff are adequate to support the enforcement of appropriate segregation of duties within both the PeopleSoft Student and PeopleSoft Finance systems.

In June 2016, the Texas Higher Education Coordinating Board (THECB) conducted a compliance audit on formula funding data of UT Health San Antonio. Following the issuance, the Director of Internal Audit and Compliance for the Texas Higher Education Coordinating Board noted in his closing Management Letter to President Henrich that his team observed employees at lower levels within the Bursar's Office having "Super" admin level profiles within PeopleSoft Student.

During the audit, we confirmed that this privileged access had been removed from the lower-level employees, and that the current "Super" administrative PeopleSoft role assignments within the Bursar's Office staff are appropriate and limited to a small number of senior managers and functional leads. In addition, this access is reviewed annually by the Director of Student Financials and Treasury Services to ensure that it is still appropriate. IMS Business Support Services Application Security staff currently facilitate the completion of annual PeopleSoft role access reviews by role owners that include the PeopleSoft Student and PeopleSoft Finance roles assigned to Bursar's Office staff.
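The two checks an annual role access review of this kind rests on, limiting a privileged role to an approved set of holders and confirming that no one user holds incompatible roles, can be run mechanically over an export of role assignments. The following is an added example and is not code from the report, from UT Health San Antonio, or from PeopleSoft; the CSV export layout, the approved-holder list, the conflict rule, and every user and role name other than "Super Administrator" are constructed for illustration.

```python
"""Periodic role-access review over an exported list of role assignments.

Added example (not from the audit report). It assumes a two-column CSV
export of user-to-role assignments (column names constructed) and checks:
  1. the privileged role is held only by people on the approved list;
  2. no single user holds two roles the role owner declared incompatible.
"""
import csv
import io
from itertools import combinations

# Constructed sample export. Only "Super Administrator" is a role the
# report mentions; every other role name and every user id is made up.
ASSIGNMENT_EXPORT = """\
user,role
dir_sfts,Super Administrator
lead_cashiering,Super Administrator
clerk01,Super Administrator
clerk01,Cashier Receipt Entry
clerk02,Cashier Receipt Entry
clerk02,Deposit Reconciliation
clerk03,Deposit Reconciliation
"""

# Approved holders of the privileged role (constructed; in practice this
# is the list the role owner signed off on in the last review).
APPROVED_SUPER_ADMINS = {"dir_sfts", "lead_cashiering"}

# Role pairs one user must not hold together (constructed example of a
# segregation-of-duties rule: recording cash receipts vs. reconciling
# the deposit of those receipts).
CONFLICTING_PAIRS = {frozenset({"Cashier Receipt Entry", "Deposit Reconciliation"})}


def load_assignments(export_text):
    """Parse the export into {user: set(roles)}."""
    roles_by_user = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        roles_by_user.setdefault(row["user"], set()).add(row["role"])
    return roles_by_user


def unapproved_privileged(roles_by_user, privileged_role, approved):
    """Users holding the privileged role who are not on the approved list."""
    return sorted(
        user for user, roles in roles_by_user.items()
        if privileged_role in roles and user not in approved
    )


def sod_conflicts(roles_by_user, conflicting_pairs):
    """(user, role_a, role_b) for every incompatible pair one user holds."""
    found = []
    for user, roles in sorted(roles_by_user.items()):
        for role_a, role_b in combinations(sorted(roles), 2):
            if frozenset({role_a, role_b}) in conflicting_pairs:
                found.append((user, role_a, role_b))
    return found


def run_review(export_text=ASSIGNMENT_EXPORT):
    """Run both checks and return the findings for the role owner to act on."""
    roles_by_user = load_assignments(export_text)
    return {
        "unapproved_super_admins": unapproved_privileged(
            roles_by_user, "Super Administrator", APPROVED_SUPER_ADMINS),
        "sod_conflicts": sod_conflicts(roles_by_user, CONFLICTING_PAIRS),
    }


if __name__ == "__main__":
    for finding, items in run_review().items():
        print(finding, items or "none")
```

On the constructed data the review flags `clerk01` as an unapproved holder of the privileged role and `clerk02` as holding both halves of the conflicting pair; an empty result for both checks is what a review of the kind described above would expect to record.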

There are no issues within this report requiring management action.

Acknowledgement

We appreciate the courtesy and cooperation we received from the Office of the VP for Business Affairs & Chief Financial Officer and the Office of Student Financials and Treasury Services.

Page 5

Review of Bursar's Office Segregation of Duties

Background

The UT Health San Antonio Office of the Bursar is organized under Business Affairs Operations within the Office of the VP for Business Affairs & Chief Financial Officer, and is managed by the Director of Student Financials and Treasury Services.

The mission of the Office of the Bursar is to manage:

• Student accounting, which includes collection of student tuition and fees; the student tuition and fee installment program; and management, billing and collection of student long- and short-term accounts receivable.

• Cashier functions include serving as the depository for institutional funds and administering the institution's petty cash fund.

• Cash management functions include maintenance of adequate liquidity to fund short-term cash needs and management and coordination of Health Science Center banking services.

• Investment functions include managing investable cash assets to optimize return and liquidity in compliance with pertinent federal, state and University of Texas System investment policies.

The Office of the Bursar utilizes both PeopleSoft Financial Supply Chain Management (FCSM) and PeopleSoft Student Administration and Information - Campus Solutions (Student) to support this mission.

The Texas Higher Education Coordinating Board (THECB) conducted a compliance audit on formula funding data of UT Health San Antonio and issued its report June 8, 2016. Following the issuance, the Director of Internal Audit and Compliance - Texas Higher Education Coordinating Board noted in his closing Management Letter to UT Health San Antonio President Henrich that his team observed employees of various levels within the Bursar's Office having "super" admin level profiles within PeopleSoft Student. The Director further noted that he had discussed this with university representatives on May 25, 2016.

UT Health San Antonio's Assistant Vice President for Business Affairs, in email correspondence to Internal Audit and the CFO on June 21, 2016, stated that Business Affairs had taken action on the THECB auditor's recommendation. Business Affairs removed the Super Administrator role in PeopleSoft Student from the security profiles of three employees within the Bursar's Office.

Following the THECB's report, the CFO agreed with Internal Audit that a follow-up review of segregation of duties within the Bursar's Office would be completed.

Page 2

Page 6

Review of Bursar's Office Segregation of Duties

Audit Scope and Methodology

Our review included, but was not limited to, discussions with UT Health San Antonio Office of the VP for Business Affairs & Chief Financial Officer staff, as well as personnel within the Office of Student Financials and Treasury Services.

Additionally, we examined the roles and permission lists assigned to Bursar's Office staff within both PeopleSoft FCSM and PeopleSoft Student, as well as the PeopleSoft role access reviews performed by the role owners and facilitated by IMS Business Support Services Application Security staff.

We conducted this audit in accordance with the standards set forth by the Institute of Internal Auditors' International Professional Practices Framework. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

This audit was conducted by Robert Morgan, IT Audit Director, CISA, CISSP, GSNA, OCP of the UT Health San Antonio Internal Audit Department.

Page 7

Review of Bursar's Office Segregation of Duties

Appendix A - Audit Issue Ranking Definitions

Audit issues are ranked according to the following University of Texas System Administration issue ranking guidelines:

• Priority - A Priority Finding is defined as an issue identified by internal audit that, if not addressed immediately, has a high probability to directly impact achievement of a strategic or important operational objective of the Health Science Center or the UT System as a whole.

• High - A finding identified by internal audit that is considered to have a medium to high probability of adverse effects to the Health Science Center either as a whole or to a significant college/school/unit level.

• Medium - A finding identified by internal audit that is considered to have a low to medium probability of adverse effects to the Health Science Center either as a whole or to a college/school/unit level.

• Low - A finding identified by internal audit that is considered to have minimal probability of adverse effects to the Health Science Center either as a whole or to a college/school/unit level.

Page 4