BANNER & The Financial Audit

Kristina Turner CPA, CISA, MMIS
University System of Georgia
RACAR – Macon State College
April 13, 2011



Overview

• Audit Request List
• Frozen Tables
• BOR Auditing Tool Kit
• Information Technology Controls
  • Definitions
  • Differences
• General Controls
  • Categories
  • Examples

Audit Request List

• Updated list added to the DOAA website each fiscal year
• http://www.audits.ga.gov/EAD/CollegeResources.html
• Navigation from the home page:
  • Information/Resources
  • State Government Resources
  • College/University Resources
• 2009_Updated_Auditors_Request_List.xls

Frozen Tables

Historically the following tables have been frozen at the end of each fiscal year:

• TBBDETC
• TBBCTRL
• TBBEACT
• TBBTBDS
• TBRACCD
• TBRACCT
• TBRAPPL
• TBRDEPO
• TBRMISD
• TBBETBD

Frozen Tables

• The ZURGFTT table alone will meet the needs of the auditor IF the institution maintains detail for the entire fiscal year.
• SPRIDEN does not need to be frozen at the end of the fiscal year. However, the auditors will request the following fields:
  • PIDM, LAST_NAME, FIRST_NAME, MI

Purpose of Frozen Tables

• BANNER is the system of record for receivables.
• The selected tables include the transaction level detail for all items recorded on the Financial Statements.
• The auditor will use this data to select samples, review transactions, perform analytical procedures, and various other audit tasks.

Requesting Frozen Tables

• Requests for Frozen Tables are initiated by the Atlanta office.
• Typically the requests are made to those institutions receiving an audit.
• The tables are submitted to DOAA through our Secure File Transfer System.
• DOAA removes the tables from the File Transfer System upon receipt.

Requesting Frozen Tables

• Tables are imported into the DOAA Data Warehouse; all data is stored securely and is encrypted.
• Queries are run against the data by EAD IT personnel.
• Output files are used by auditors for testing.

Questions & Concerns

• Questions related to the output files can be sent to Atlanta – [email protected] or [email protected]

BOR Auditing Tool Kit Issued by ITS

• Useful Scripts for EAD
• Listing of Detail Codes
• Listing of Term Codes
• Fee Assessment Rules
• Listing of Cashiers and Supervisors
• Listing of Supervisors and Restricted Users
• Listing of All Users with Access to AR Objects, Including Class & Roles
• List of Users with Access to TAISMGR Objects at the Database Level
• List of Users with Permission to Access Specific Objects in the Database
• TGRRCON

Information Technology Controls

• Controls in place to ensure data’s:
  • confidentiality
  • integrity
  • availability

Midlands Tech warns employees of security breach – March 9, 2011

Midlands Technical College warned employees last month that a flash drive containing some of their personal information was taken from a human resources office at the college.

The flash drive, since returned — without the personal data it previously held — could compromise the personal information of some of the college’s 500 employees. But Midlands Tech spokesman Todd Gavin said no problems have been reported by employees so far…

The security breach at Midlands Tech is the second acknowledged by an area college or university in the last week. The University of South Carolina warned employees earlier this month that a breach of computers at its Sumter campus exposed the personal information of 31,000 faculty, staff, retirees and students system-wide.

http://www.thestate.com/2011/03/09/1728561/midlands-tech-warns-employees.html

College of Education students notified of security breach – March 3, 2011

Missouri State University officials are notifying 6,030 College of Education students that their social security numbers may have been compromised as a result of an internal security breach.

In October and November 2010, in preparation for an accreditation, the College of Education prepared lists of students by semester. The lists, which included social security numbers, were for nine semesters between 2005 and 2009 (fall, spring, summer). A list was created for each semester, so there were nine lists.

The lists were prepared in electronic format in October and November 2010 to be available on secure servers to the College of Education personnel working on the accreditation, as well as the accreditation team.

Unfortunately, these lists of names were posted in October/November 2010 on an unsecured server. As a result, all nine lists ended up on Google. In all, 6,030 names with social security numbers were compromised and posted on the web.

http://news.missouristate.edu/2011/03/03/coe-security-breach

Dining Services catches meal equivalency glitch – 2008

Those still lining up for free cheese fries and mozzarella sticks after dinner are in for a bitter surprise. Last week Dining Services discovered the glitch in their system that for the past few months had granted students snack bar points even if they had already swiped for dinner, a mishap that students were quick to take advantage of as word swiftly spread across campus. The problem was fixed on Sunday, and 45 students were turned away from snack bar that evening when trying to swipe after dinner.

In August and again in December, Dining Services updated its food accounting system, a program that controls at what time students can swipe for meal points, and believes that the error occurred during this process. A mishap during the upgrade altered the equivalency time, essentially allowing students to use their dinner points from the following day’s meals. As the next day’s meals were always accessible on any given day, students were granted dinner equivalency at snack bar regardless of their meal consumption that day.

Abayasinghe did not yet calculate the total loss in revenue from the additional snack bar points, but acknowledged that it may be significant.

http://record.williams.edu/wp/?p=12034

“Why should I have to pay for payroll errors?”

“Payroll has failed to take out medical and dental deductions from 6 paychecks so far upon starting employment. They claimed it was computer error, and state the money is retroactive. Why should the employee be liable for a company/computer error? I feel the company should eat the fees and make sure the deductions are taken out going forward. Am I wrong? Do I have a fight? This is well over 600.00”

~ Question from an employee on a business forum

Why Do the Financial Auditors Look at Information Technology Controls?

SAS 109 – Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

§ 59 Generally, IT provides potential benefits of effectiveness and efficiency for an entity's internal control because it enables an entity to:

1. Consistently apply predefined business rules and perform complex calculations in processing large volumes of transactions or data.

2. Enhance the timeliness, availability, and accuracy of information.

3. Facilitate the additional analysis of information.

4. Enhance the ability to monitor the performance of the entity's activities and its policies and procedures.

5. Reduce the risk that controls will be circumvented.

6. Enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems.

SAS 109 – Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

§ 60 IT also poses specific risks to an entity's internal control, including:

1. Reliance on systems or programs that are processing data inaccurately, processing inaccurate data, or both.

2. Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions.

3. Unauthorized changes to data in master files.

4. Unauthorized changes to systems or programs.

5. Failure to make necessary changes to systems or programs.

6. Inappropriate manual intervention.

7. Potential loss of data or inability to access data as required.

Department of Audits & Accounts Approach

• Integrated Approach – Technology Risk & Assurance Division and Education Audit Division
• TRA addresses IT General Controls significant to the CAFR:
  • PeopleSoft FN
  • PeopleSoft HCM or ADP
  • P-Card Works (SAS 70 Review)
  • BANNER Model maintained by ITS
• EAD addresses entity level controls and application (business process) controls related to BANNER

Information Technology Controls

• Two Categories
  • General Controls
    • “Represent the foundation of the IT control structure. They ensure the reliability of data generated by IT systems and support the assertion that systems operate as intended and that output is reliable.” (Wikipedia)
  • Application Controls
    • “Fully-automated [controls] designed to ensure the complete and accurate processing of data from input through output.” (Wikipedia)

General vs. Application Controls

• General controls support the continued effectiveness of applications.
• Application controls support the continued effectiveness of business processes.

General Controls

• Categories of General Controls
  • Logical Access
  • Change Management
  • IT Operations

Logical Access

• Controls designed to manage access to applications based on business need.
• “An entity must then establish sound policies and procedures for granting authorized users access while simultaneously protecting itself from unauthorized access.”
  • Mitigating IT Risks for Logical Access, ISACA Journal, Tommie W. Singleton, Ph.D., CISA, CGEIT, CITP, CMA, CPA

Logical Access Primary Controls

• General System Security Settings
• Password Settings
• Access to privileged IT functions is limited to appropriate individuals
• Access to system resources and utilities is limited to appropriate individuals
• User access is authorized and appropriately established
• Physical access to computer hardware is limited to appropriate individuals
• Segregation of duties exists within the logical access environment

General Security Settings & Passwords

• General Security Settings
  • Firewall
  • Anti-Virus Software
  • Malware & Spyware
  • Auto Updates
  • Time Out of Session
  • Re-authentication
  • Encryption
  • Security Questions
• Password Settings
  • Minimum Length (6-8 char)
  • Initial Log-on One Time Password
  • Password composition (alphanumeric / special characters)
  • Frequency of forced changes
  • Locked Accounts
  • Idle Session Time Out
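As an added example (not part of the presentation), the Password Settings checklist above mapped onto a database profile, assuming Banner runs on an Oracle database and that Banner end-user accounts share a dedicated profile (BANNER_USERS and the user jdoe are constructed names). The weak profile is shown beside the corrected one, followed by the read-back query an auditor would use to confirm what is actually in force.

```sql
-- Added example, not from the presentation. Assumes Banner's database is Oracle,
-- that Banner end-user accounts are assigned a dedicated profile (BANNER_USERS is a
-- constructed name), and that the password verification function has been created
-- by running $ORACLE_HOME/rdbms/admin/utlpwdmg.sql (verify_function_11g on 11g;
-- 12c and later ship ora12c_verify_function).

-- Weak profile: no expiry, no lockout, no composition check, sessions never time out.
CREATE PROFILE banner_users_weak LIMIT
  FAILED_LOGIN_ATTEMPTS     UNLIMITED
  PASSWORD_LIFE_TIME        UNLIMITED
  PASSWORD_VERIFY_FUNCTION  NULL
  IDLE_TIME                 UNLIMITED;

-- Corrected profile: each line maps to one item on the Password Settings slide.
CREATE PROFILE banner_users LIMIT
  PASSWORD_VERIFY_FUNCTION  verify_function_11g  -- minimum length and composition
  PASSWORD_LIFE_TIME        90                   -- frequency of forced changes (days)
  PASSWORD_GRACE_TIME       7                    -- days allowed to change after expiry
  PASSWORD_REUSE_MAX        10                   -- prior passwords that cannot be reused
  PASSWORD_REUSE_TIME       365
  FAILED_LOGIN_ATTEMPTS     5                    -- locked accounts after repeated failures
  PASSWORD_LOCK_TIME        1/24                 -- stay locked one hour (fraction of a day)
  IDLE_TIME                 30;                  -- idle session time out (minutes)

-- Initial log-on one-time password: the first login must set a new password.
ALTER USER jdoe PROFILE banner_users PASSWORD EXPIRE;

-- IDLE_TIME is only enforced while the RESOURCE_LIMIT initialization parameter is TRUE.
ALTER SYSTEM SET resource_limit = TRUE;

-- Audit read-back: the limits actually in force for every open account.
SELECT u.username, u.profile, u.account_status, p.resource_name, p.limit
  FROM dba_users u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE u.account_status = 'OPEN'
   AND p.resource_name IN ('PASSWORD_VERIFY_FUNCTION', 'PASSWORD_LIFE_TIME',
                           'FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LOCK_TIME', 'IDLE_TIME')
 ORDER BY u.username, p.resource_name;
```

A profile only governs database logins; Banner's own application-level password and session settings are configured separately and should be checked against the same list.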

Privileged Access

• Security Administrators
  • Full Access
• Access to System Utilities / Resources
  • Database tools
  • SQL Tools
  • Crystal Reports

Authorized and Appropriate Access

• Initiation of Access Request
  • Standard access request forms
  • Standard requests by business role
• Approval of Access Requests
  • Supervisor
• Periodic Monitoring of Access & Access Logs
• Removal of Access
  • Termination
  • Transfers
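The BOR Auditing Tool Kit's "List of Users with Access to TAISMGR Objects at the Database Level" and the periodic monitoring of access above both come down to the same review. The query below is an added example of how such a listing can be built, not one of the Tool Kit scripts; it assumes Banner on Oracle, TAISMGR as the schema owning the accounts-receivable objects, and read access to Oracle's standard DBA_* data-dictionary views.

```sql
-- Added example, not one of the BOR Auditing Tool Kit scripts. Assumes Banner on
-- Oracle, with TAISMGR as the schema that owns the accounts-receivable objects;
-- dba_users, dba_role_privs, dba_tab_privs and dba_sys_privs are Oracle's
-- standard data-dictionary views.

-- Roles can be granted to roles, so walk every user's role grants recursively.
WITH role_tree (username, role_name) AS (
  SELECT rp.grantee, rp.granted_role
    FROM dba_role_privs rp
    JOIN dba_users u ON u.username = rp.grantee
  UNION ALL
  SELECT t.username, rp.granted_role
    FROM role_tree t
    JOIN dba_role_privs rp ON rp.grantee = t.role_name
)
SELECT DISTINCT u.username, u.account_status, tp.table_name, tp.privilege,
       CASE WHEN tp.grantee = u.username THEN 'DIRECT GRANT'
            WHEN tp.grantee = 'PUBLIC'   THEN 'GRANTED TO PUBLIC'
            ELSE 'VIA ROLE ' || tp.grantee END AS granted_how
  FROM dba_users u
  JOIN dba_tab_privs tp
    ON tp.owner = 'TAISMGR'
   AND (tp.grantee = u.username
        OR tp.grantee = 'PUBLIC'
        OR tp.grantee IN (SELECT role_name FROM role_tree
                           WHERE username = u.username))
 WHERE u.username <> 'TAISMGR'
   AND tp.privilege IN ('INSERT', 'UPDATE', 'DELETE')  -- write access to receivables
 ORDER BY u.username, tp.table_name, tp.privilege;

-- Accounts that can change TAISMGR data without holding any object grant at all.
SELECT grantee, granted_role AS privilege
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
UNION ALL
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('INSERT ANY TABLE', 'UPDATE ANY TABLE', 'DELETE ANY TABLE');
```

Each row in the first result should trace back to an approved access request; the second result is the list of accounts whose activity needs independent monitoring.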

Physical Access & Environmental Controls

• Access to Data Center
• Access to Hardware
• Fire Suppression
• Temperature Control
• UPS (uninterruptible power supply)

Segregation of Duties for Access

• Performance of the following roles should be separate:
  • Requesting Access
  • Approving Access
  • Setting Up Access
  • Monitoring Access & Violations
  • Performing the rights of a privileged user
  • Monitoring the privileged user

Change Management Primary Controls

• Changes to the application are:
  • Authorized
  • Tested
  • Approved
  • Monitored
• Segregation of Duties within Change Management Functions

Types of Changes and Procedures

• Types of Changes
  • Updates
  • Functionality Changes vs. Report Changes
  • Bugs
• Procedures
  • Required Approvals
  • Required Testing
  • Required Documentation
• Monitoring
  • Ensure these procedures are operating effectively

Separation of Duties for Change Management

• Performance of the following roles should be separate:
  • Request / approval of program development or program change
  • Development
  • Test the change
  • Move the programs in and out of production
  • Monitor program development and changes
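Both segregation-of-duties lists (logical access above under "Segregation of Duties for Access", and change management here) state the same rule: no one person holds two roles from the same list. As an added example that is not part of the presentation, the query below encodes the two lists and flags any user holding more than one role from the same list; the role names and the assignments are constructed sample data standing in for an export of Banner security classes or database roles, and the syntax is Oracle's (FROM dual, LISTAGG).

```sql
-- Added example, not from the presentation. The role names encode the two
-- "should be separate" lists; the assignments are constructed sample data.
WITH sod_roles (role_name, domain) AS (
  SELECT 'REQUEST_ACCESS',         'LOGICAL ACCESS'    FROM dual UNION ALL
  SELECT 'APPROVE_ACCESS',         'LOGICAL ACCESS'    FROM dual UNION ALL
  SELECT 'SETUP_ACCESS',           'LOGICAL ACCESS'    FROM dual UNION ALL
  SELECT 'MONITOR_ACCESS',         'LOGICAL ACCESS'    FROM dual UNION ALL
  SELECT 'PRIVILEGED_USER',        'LOGICAL ACCESS'    FROM dual UNION ALL
  SELECT 'MONITOR_PRIVILEGED',     'LOGICAL ACCESS'    FROM dual UNION ALL
  SELECT 'REQUEST_APPROVE_CHANGE', 'CHANGE MANAGEMENT' FROM dual UNION ALL
  SELECT 'DEVELOP',                'CHANGE MANAGEMENT' FROM dual UNION ALL
  SELECT 'TEST',                   'CHANGE MANAGEMENT' FROM dual UNION ALL
  SELECT 'MIGRATE_PRODUCTION',     'CHANGE MANAGEMENT' FROM dual UNION ALL
  SELECT 'MONITOR_CHANGES',        'CHANGE MANAGEMENT' FROM dual
),
assignments (user_id, role_name) AS (   -- constructed sample data
  SELECT 'ahill', 'REQUEST_ACCESS'     FROM dual UNION ALL
  SELECT 'ahill', 'APPROVE_ACCESS'     FROM dual UNION ALL  -- requests and approves access
  SELECT 'bcole', 'SETUP_ACCESS'       FROM dual UNION ALL
  SELECT 'bcole', 'TEST'               FROM dual UNION ALL  -- two different lists: allowed
  SELECT 'cdiaz', 'DEVELOP'            FROM dual UNION ALL
  SELECT 'cdiaz', 'MIGRATE_PRODUCTION' FROM dual UNION ALL  -- moves own code to production
  SELECT 'dkhan', 'PRIVILEGED_USER'    FROM dual UNION ALL
  SELECT 'dkhan', 'MONITOR_PRIVILEGED' FROM dual            -- reviews own privileged activity
)
-- Any user holding two or more roles from the same list violates the control.
SELECT a.user_id, r.domain,
       LISTAGG(a.role_name, ', ') WITHIN GROUP (ORDER BY a.role_name) AS conflicting_roles
  FROM assignments a
  JOIN sod_roles r ON r.role_name = a.role_name
 GROUP BY a.user_id, r.domain
HAVING COUNT(DISTINCT a.role_name) > 1
 ORDER BY a.user_id, r.domain;
```

Replacing the assignments block with a real user-to-role export turns this into a repeatable review; each reported row needs either a role change or a documented compensating control.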

IT Operations Primary Controls

• Financial data is backed up and recoverable
• Deviations from scheduled processing are identified and resolved in a timely manner
• IT operations problems or incidents are identified, resolved, reviewed, and analyzed in a timely manner

Back Up Procedures

• Procedures should include:
  • Format
  • Frequency and Retention Period
  • Location (on-site or off)
  • Testing
  • Monitoring

Back Up Procedures

• Disaster Recovery
  • Returning to “normal” operations
  • Vendors for Equipment
  • Restoration Procedures
  • Key Personnel and Alternate Processes

Job Scheduling

• Batch Processes
• Back-up Processes
• Procedures should include:
  • Responsible official
  • Monitoring Process
  • Identification & Resolution Procedures
  • Documentation Requirements

Issue Management

• Procedures for ensuring IT issues are resolved in a timely manner include:
  • Process for alerting key officials of a problem
  • Method for analysis
  • Resolution procedures
  • Review of the resolution

Questions?