University System of Maryland University of Baltimore

Transcription

1 Audit Report University System of Maryland University of Baltimore May 2005 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND GENERAL ASSEMBLY

2 This report and any related follow-up correspondence are available to the public. Alternate formats may also be requested by contacting the Office of Legislative Audits as indicated at the bottom of the next page or through the Maryland Relay Service at Please address specific inquiries regarding this report to the Office of Legislative Audits at (410) Electronic copies of our audit reports can be viewed or downloaded from the Internet via The Department of Legislative Services Office of the Executive Director, 90 State Circle, Annapolis, Maryland can also assist you in obtaining copies of our reports and related correspondence. The Department may be contacted by telephone at (410) or (301)

3 May 3, 2005 Delegate Charles E. Barkley, Co-Chair, Joint Audit Committee Senator Nathaniel J. McFadden, Co-Chair, Joint Audit Committee Members of Joint Audit Committee Annapolis, Maryland Ladies and Gentlemen: We have audited the University System of Maryland University of Baltimore (UB) for the period beginning February 9, 2001 and ending June 17, Our audit disclosed that UB had not properly reconciled its accounting records with the related records of the State Comptroller s Office since the implementation of a new computer system in June For example, the student accounts receivable balance exceeded the related balance on the Comptroller s records by approximately $25 million. Additionally, UB had not identified and controlled critical online transactions on their newly implemented automated systems, resulting in numerous individuals having the ability to process critical transactions without independent approvals. We also noted deficiencies with respect to the processing of student accounts and related collections, and certain goods and services were procured in a manner that limited competition and violated USM procurement policies. Additionally, numerous computer security weaknesses were noted which, for example, could allow critical financial information to be inappropriately compromised, and UB did not have adequate procedures addressing resource security and disaster recovery. Finally, various internal control weaknesses and other procedural deficiencies were noted in the areas of student financial aid, equipment, and student grades. Respectfully submitted, Bruce A. Myers, CPA Legislative Auditor

4 2

5 Table of Contents Executive Summary 5 Background Information 7 Agency Responsibilities 7 Current Status of Findings From Preceding Audit Report 7 Findings and Recommendations 9 Automated Systems * Finding 1 UB Did Not Properly Reconcile Its Accounting Records and 9 Failed to Identify and Resolve Significant Reconciling Items Finding 2 UB Had Not Properly Identified Critical Transactions and 10 Controlled Related Access Student Accounts Finding 3 Procedures and Controls Over the Processing and Collection 11 of Student Accounts Were Inadequate Purchases and Disbursements Finding 4 The Propriety of Certain Sole Source Awards for Executive 12 Search Services and Related Payments Was Questionable Finding 5 UB Did Not Execute a Formal Contract or Obtain Competitive 13 Bids for Purchases of Library Reference Materials Cash Receipts Finding 6 Proper Internal Control Was Not Established for Certain 14 Collections Information Systems Security and Control Finding 7 UB Did Not Have Adequate Programs, Policies, and 15 Procedures Addressing Information Systems Resource Security and Disaster Recovery Finding 8 Certain Critical Operating Aspects of Financial, Student 16 Administration and Human Resources Applications Were Not Sufficiently Controlled Finding 9 System Accounts and Vendor Updates to Critical Software 17 Were Not Adequately Controlled Finding 10 UB s Internal Computer Network Was Not Adequately 18 Secured Finding 11 Account, Password, and Monitoring Controls Over Critical 19 Applications Were Inadequate * Denotes item repeated in full or part from preceding audit report. 3

6 Financial Aid * Finding 12 UB Lacked Adequate Procedures and Controls Over Certain 20 Student Loans Equipment Finding 13 UB Did Not Adequately Maintain Property Records and Did 21 Not Investigate Missing Equipment Items Student Grades Finding 14 Independent Verifications of Certain Grades Recorded in 22 UB s Computer Systems Were Not Performed Audit Scope, Objectives, and Methodology 23 Agency Response Appendix * Denotes item repeated in full or part from preceding audit report. 4

7 Executive Summary Legislative Audit Report on University of Baltimore (UB) May 2005 UB had not reconciled its automated accounting records with the related records of the State Comptroller and, as a result, failed to identify and resolve reconciling items of at least $25 million. UB should take immediate action to resolve the aforementioned differences, and in the future, should periodically reconcile its accounting records with the State Comptroller s records and investigate any reconciling differences. UB failed to identify critical transactions (such as payment processing and student grade updates) and control related accesses resulting in numerous individuals having the ability to process critical transactions without independent approvals. UB should identify all critical capabilities on its automated system and ensure that adequate controls exist for all critical transactions including independent verifications. Procedures and controls over the processing and collection of student accounts were inadequate. Specifically, employees processing non-cash credits had access to related collections and supervisory reviews of noncash credits were not always performed or documented. In addition, UB failed to maintain adequate receivable records and pursue collection for certain accounts totaling $1.3 million, and failed to take administrative action against certain students with delinquent accounts as required. UB should ensure that employees who process accounts receivable transactions do not have access to the related collections and ensure that supervisory personnel verify recorded adjustments to source documentation, at least on a test basis, and document their reviews. UB should also maintain adequate receivable records, pursue collection of outstanding accounts, and take appropriate administrative action as required. UB procured certain goods and services in a manner that limited competition and violated USM s Procurement Policies and Procedures. UB should comply with USM Procurement Policies and Procedures and ensure quotations are solicited from a reasonable number of vendors to foster competition. 5

8 UB lacked adequate procedures to ensure that all recorded collections were subsequently deposited and had not established an independent process to investigate and resolve bank adjustments. In addition, UB did not verify that credit card payments were properly credited to the State. Independent verifications should be performed to ensure that recorded collections are subsequently deposited and an employee independent of the cash receipts function should investigate adjustments to bank deposits. In addition, UB should ensure that all credit card payments are subsequently credited to the State s account. Numerous security and control deficiencies were noted with regard to UB s information systems. For example, UB did not have adequate programs, policies and procedures addressing information systems resource security and disaster recovery. UB should take the recommended actions to improve controls and security. UB failed to reconcile financial aid posted to students accounts with the related funds received from the lenders. In addition, student loan refund checks were not properly controlled and accounted for and independent accounting records of activity related to the financial aid bank account were not maintained. Procedures should be established to ensure that all financial aid is received. In addition, proper controls should be established for student refunds. Finally, independent accounting records of activity related to the financial aid bank account should be maintained and reconciled with the related bank records. Internal control and recordkeeping deficiencies were noted with respect to equipment and student grades. UB should take the recommended actions to improve controls in these areas. 6

9 Agency Responsibilities Background Information The University of Baltimore (UB) is an urban public institution of the University System of Maryland. UB admits undergraduates for their sophomore, junior, and senior years. UB also offers graduate and professional programs in such fields as law, business, and public administration and for related applications of the liberal arts. Student enrollment for the fall 2004 semester totaled 4,655. Current Status of Findings From Preceding Audit Report Our audit included a review to determine the current status of the four findings contained in our preceding audit report dated October 18, We determined that UB satisfactorily addressed two of the findings. The two remaining findings are repeated in this report. 7

10 8

11 Automated Systems Findings and Recommendations Background The University of Baltimore (UB) converted to a new automated system in June UB uses this system to record all transactions related to cash receipts, student accounts receivable, payroll, purchasing, and disbursements. In addition, the system is used for student registration, to maintain student grades, and for various academic initiatives. The system interfaces activity between the various functions. For example, student registration for a class will automatically update the student s accounts receivable record for the cost of the class on a real-time basis. The financial information on the system is interfaced into the State s Financial Management Information System on a daily basis using a batch process. Finding 1 UB did not properly reconcile its accounting records with the related records of the State Comptroller and, as a result, failed to identify and resolve reconciling items totaling at least $25 million. Analysis UB did not properly reconcile its accounting records with the related records of the State Comptroller. For example, our comparison of UB s student accounts receivable balance, as of June 30, 2004, with the related records of the State Comptroller disclosed that UB s balance exceeded the Comptroller s balance by approximately $25 million. This difference went undetected because UB had not reconciled its records with the related records of the State Comptroller since the new system was implemented in June We were advised by UB management that they have subsequently identified the cause (recording errors) of a significant portion of the aforementioned discrepancy and they are working to reconcile all activity on its system with the related records of the State Comptroller. A similar condition regarding UB s failure to properly reconcile its accounting records with the related records of the State Comptroller was noted in our preceding audit report. Recommendation 1 We again recommend that UB take immediate action to resolve the aforementioned difference and, in the future, periodically reconcile its financial records with the State Comptroller s records and investigate any reconciling differences in a timely manner. 9

12 Finding 2 UB failed to identify and control access to critical transactions (such as payment processing and student grade updates) and, as a result, numerous individuals had the ability to process critical transactions without independent approvals. Analysis UB had not properly identified critical transactions on its automated system nor controlled related accesses, resulting in numerous individuals having the ability to process critical transactions without independent approvals. Specifically, we noted the following conditions: Our test of 15 employees disclosed that 6 employees could process disbursement transactions and 1 could issue purchase orders without independent approvals. As a result, unauthorized transactions could be processed which may not be readily detected. According to the State s accounting records, UB processed disbursements totaling approximately $12 million during fiscal year Access to online student accounts receivable records was not properly controlled. Specifically, 2 of 12 employees tested could process non-cash credits on the system without independent approvals even though their job duties did not require such access. Our test of online capabilities for posting and changing student grades for 10 employees disclosed that 3 of these employees had the ability to change student grades on the system without independent approvals even though their job duties did not require such access. Recommendation 2 We recommend that UB identify all critical transactions and ensure that adequate controls exist including appropriate assignment of system capabilities to employees and independent approvals. 10

13 Student Accounts Finding 3 Procedures and controls over the processing and collection of student accounts were inadequate. Analysis Procedures and controls over the processing and collection of student accounts were inadequate. As of June 30, 2004, UB s student accounts receivable balance totaled approximately $7.7 million and an additional $2.7 million in accounts were pending collection at the State s Central Collection Unit (CCU). Our review disclosed the following conditions: Internal control over the processing of students accounts receivable transactions was inadequate. Specifically, three employees who processed student accounts receivable non-cash credits also had access to the related collections. In addition, non-cash credit adjustments to student accounts, which totaled approximately $2.5 million during fiscal year 2004, were not independently verified to source documentation, such as course withdrawal slips. As a result, unauthorized adjustments could be processed and collections could be misappropriated without detection. Delinquent student accounts were not sent to CCU or were not sent timely as required. Our test of 20 delinquent accounts disclosed that 10 accounts, with balances totaling $82,793, were not referred to CCU within 150 days of the end of the semester as required by UB s collection policy as approved by CCU. For example, one $10,018 account, outstanding since the fall 2002 semester, had not been referred to CCU as of June 28, UB failed to maintain adequate records or pursue collection of approximately $1.3 million in outstanding balances (dating back to spring 2001) related to third party contracts that are not reflected in the aforementioned student accounts receivable balance. UB enters into third party contracts with private companies and government agencies (including foreign countries) that commit to pay tuition and fees on behalf of students. However, our review disclosed that UB failed to maintain adequate receivable records for these accounts. For example, one account valued at $310,907, actually comprised numerous small accounts that UB could not readily identify. In addition, UB had not maintained an aging of these accounts, had not billed the students after the initial billings, and had not referred any delinquent accounts to CCU. 11

14 UB did not withhold diplomas and transcripts and/or block registrations in subsequent semesters for students with delinquent accounts as required by University System of Maryland (USM) and UB policy. For example, our test of 18 December 2003 graduates with delinquent balances disclosed that UB improperly issued diplomas to 8 graduates with delinquent balances totaling $33,883. By not taking stricter administrative action, UB is missing an opportunity to use an effective collection tool. Recommendation 3 We recommend that employees who process accounts receivable transactions be denied access to the related collections. In addition, we recommend that independent supervisory personnel verify recorded adjustments to source documentation, at least on a test basis, and that such reviews be documented. We further recommend that all delinquent accounts be referred to CCU in a timely manner and that UB maintain adequate receivable records and pursue for collection amounts due from third parties. Finally, we recommend that UB take appropriate administrative action for all students with delinquent accounts. Purchases and Disbursements Finding 4 The propriety of certain sole source awards for executive search services and certain related payments was questionable. Analysis The propriety of sole source awards and certain related vendor payments were questionable. Payments related to these awards totaled $175,000. UB entered into two contracts with a vendor in fiscal year 2004 to provide executive search services for a new provost and a dean for the Yale Gordon College of Liberal Arts. However, in our opinion, documentation supporting the basis for the sole source selection of the vendor was not sufficient to preclude a competitive procurement process. The documentation for both procurements did not substantiate that other vendors were unable to provide these services. For example, the written justification for the sole source procurement for the new provost indicated that the determination was made because (1) UB was to receive the personal attention of a senior executive at the vendor, (2) the firm was familiar with UB because of previous work, and (3) the vendor had done a good job selecting the current President. 12

15 USM s Procurement Policies and Procedures provide for the use of sole source awards for contracts over $5,000 if the procurement officer determines that there is only one source that will satisfy the requirements and/or circumstances present. We further noted that certain payments to the vendors were not adequately supported. The contract for the provost provided that, in addition to the established fees (which totaled $73,300), the vendor would be reimbursed for expenses, which would be billed at cost, and general and administrative expenses of 15 percent of the professional fees. All individual expenses exceeding $25 were to be supported with receipts. However, our review disclosed that the vendor was paid for expenses totaling $27,072, of which at least $16,000 should have been supported with receipts, but no supporting documentation was provided. As a result, there is a lack of assurance that all amounts paid were proper. Recommendation 4 We recommend that UB properly comply with USM procurement policies. Specifically, we recommend that UB use competitive bidding, as provided for in USM policy, unless adequate justification exists to support a noncompetitive award. We further recommend that UB ensure that related payments are made and supported in accordance with contract terms. Finding 5 UB did not execute formal contracts or obtain competitive bids for goods purchased from one vendor totaling approximately $319,000. Analysis UB did not use appropriate procurement practices when procuring reading materials for its law library. Specifically, during fiscal years 2002 through 2004, UB paid one vendor approximately $319,000 for library reference materials (such as legal books and periodicals) without a formal contract and did not obtain competitive bids for these purchases, even though the goods were available from another vendor. As a result, there was a lack of assurance that UB received the best prices. UB s Procurement Policies and Procedures Manual requires that all procurements over $100,000 be competitively bid. Recommendation 5 We recommend that UB ensure that formal written contracts are executed for goods purchased. We also recommend that UB ensure that it uses competitive procurement practices as required. 13

16 Cash Receipts Finding 6 UB lacked adequate control procedures for certain collections. Analysis UB lacked adequate procedures for collections applicable to student registration transactions processed at UB s Business Office and for credit card collections. According to the State s accounting records, during fiscal year 2004, deposits totaled approximately $22.4 million, which primarily related to student registration transactions, and credit card collections totaled $12.1 million. Our review of procedures and controls over collections disclosed the following conditions: Independent verifications of recorded collections with the related bank records were not performed to ensure that all recorded collections were deposited intact. In addition, follow-up and review of adjustments to bank deposits (such as checks returned for insufficient funds), which totaled approximately $300,000 during fiscal years 2003 and 2004, were not performed by an individual independent of the cash receipt function. Specifically, the employee who was responsible for preparing the bank deposits was also responsible for receiving returned checks from the bank, investigating the reasons for the adjustments, and initiating corrective actions. Consequently, this employee could misappropriate checks without detection. UB did not ensure that credit card payments credited to student accounts were subsequently deposited to the State s account and credited to UB. In addition, UB was unable to generate automated reports of credit card activity posted to student accounts to enable such reconciliations. Credit card payments are processed at UB s Business Office and are also processed online (for example via the online registration process). Recommendation 6 We recommend that UB establish procedures to immediately reconcile recorded collections to deposit including the period covered in our audit, continue such reconciliations in the future, and investigate any differences. In addition, we recommend that an employee independent of the cash receipts function investigate and resolve adjustments to bank deposits. We advised UB on accomplishing the necessary separation of duties using 14

17 existing personnel. We also recommend that UB establish procedures to identify all credit card payments posted to student accounts and ensure that such payments were properly credited to the State and posted to UB s accounts. Information Systems Security and Control UB s Office of Technology Services provides information systems support to UB through the implementation and maintenance of campus-wide administrative applications, including financial, student administration and human resources. The Office also operates an integrated administrative and academic computer network, which provides connections to multiple servers used for administrative and academic purposes. The campus network also includes separate and file servers, a firewall, and connectivity to the Internet, as well as multiple campus websites that function as entry points into many of UB s services. Finding 7 UB did not have adequate programs, policies, and procedures addressing information systems resource security and disaster recovery. Analysis UB s information security programs, policies, and procedures did not adequately address several critical security issues: UB did not have a formal program to ensure that proper information system security controls existed. The USM s Guidelines in Response to the State s IT Security Policy, dated June 2004, prescribe that an institution must have a written information systems security program that clearly describes the entity s security standards and procedures and management structure required to support the program. Also, a specific policy did not exist for firewall operations. A current disaster recovery plan did not exist for recovering from disaster scenarios, such as a fire. UB s most recent disaster recovery plan was prepared in December 1999; however, UB s information systems environment has changed significantly since In addition, the plan lacked several critical elements addressed by the Department of Budget and Management s November 2002, IT Disaster Recovery Guidelines. Without a current and 15

18 comprehensive plan, a disaster could cause significant delays (for an undetermined period of time) in restoring computer operations above and beyond the expected delays that would exist in a planned recovery scenario. Backup copies of system, network, firewall, and application files were not stored at an appropriate offsite location. Accordingly, if the facilities which currently house both the original data and the related backup copies were destroyed, uncertainty exists as to whether certain information could be recreated. Recommendation 7 We recommend that UB develop a formal information systems security program. Such a program should include a specific policy for firewall operations. We also recommend that UB update its disaster recovery plan to reflect current conditions and follow Department of Budget and Management s disaster recovery guidelines. Finally, we recommend that UB store backup copies of system, network, firewall, and application files at an appropriate offsite location. Finding 8 Certain critical operating aspects of UB s financial, student administration and human resources applications were not sufficiently controlled. Analysis UB did not adequately control certain critical operating aspects of its financial, student administration and human resources applications: Numerous employees were assigned unnecessary access to application maintenance tools that could be used to make unauthorized changes to system menus, screens, and individual records. Several users had unnecessary, direct modification access to certain files used in the operation of the financial, student administration and human resources databases. Certain privileged network users had unnecessary, unrestricted, and unlogged modification access to critical production program files. Accordingly, these individuals could make improper changes to application programs without detection. 16

19 Program change control procedures for documenting, reviewing, and updating modified programs were inadequate. For example, for six of seven program changes tested, we determined that the modified programs were moved into production by the programmer who made the changes. Recommendation 8 We recommend that access to application maintenance tools be limited to personnel whose job duties require use of the tools. We also recommend that direct modification access to files used in the operation of critical databases and critical production program files be limited to personnel whose job duties require such access. Finally, we recommend that adequate controls be established over changes to production programs to ensure that all direct changes to these programs are properly documented, reviewed, and updated. Finding 9 System accounts and vendor updates to critical software were not adequately controlled. Analysis System accounts and vendor updates to critical system and application software were not adequately controlled for four key servers including the servers used to process the financial, student administration and human resources applications. For example, three servers were running outdated versions of the operating system software, which had known security weaknesses that could be exploited by attackers. Also, a vendor-installed system account (which is known to the public as a powerful account) had not been renamed on all four of the servers. Recommendation 9 We recommend that UB use current versions of vendor software for critical systems. We also recommend that the powerful vendor installed system accounts be renamed so that they cannot be readily identified. 17

20 Finding 10 UB s internal computer network was not adequately secured. Analysis Adequate security measures had not been established to protect UB s internal network: UB s firewall rules were not configured to adequately secure connections between UB s internal network and the Internet. Additionally, the firewall logs were not complete, and we were advised that the firewall log files were not regularly reviewed to identify significant security events. Finally, the firewall log files were not stored in a secure manner. UB did not use intrusion detection system software for critical portions of its network as required by the USM s Guidelines in Response to the State s IT Security Policy dated June Intrusion detection system software gathers and analyzes network traffic to identify network security breaches and attacks, and alerts network administrators of these situations. Strong network security relies upon formal policies that guide the process of protecting information system resources as well as a layered approach to security to detect and respond to network security breaches and attacks. Security measures did not exist to adequately protect a critical network device which provided internal connectivity within UB s network. Specifically, weaknesses existed on a critical network device which distributed traffic to all of UB s internal network components. For example, a service used to maintain and monitor this device was not limited to internal computers that required access to this device, and, certain unnecessary and potentially dangerous services were enabled on this device, thereby increasing the risk that the device could be compromised and network services disrupted. Recommendation 10 We recommend that adequate security measures be established to protect the internal network. We made detailed recommendations to UB, which if implemented, should enhance the security over its internal network. 18

21 Finding 11 Account, password, and monitoring controls over critical applications were inadequate. Analysis Account, password, and monitoring controls over the critical financial, student administration and human resources applications were inadequate: User account and password controls for these critical applications and the operating systems for critical network and support servers were inadequate. For example, we noted instances where controls over password aging, history, and composition, and account lockout were not utilized. Accordingly, defined control settings for accounts and passwords did not comply with the USM s Guidelines in Response to the State s IT Security Policy dated June In addition, identical account and password information existed on production, development, and test versions of the same critical applications and databases, increasing the risk that production accounts could be compromised. Logging of certain significant security-related events for these critical applications, the related database and support servers, and the UB network was either not performed or, if performed, was not regularly reviewed. These conditions could result in unauthorized or inappropriate changes to critical data, which could go undetected. Recommendation 11 We recommend that UB establish adequate user account and password controls over its critical applications and network in accordance with the aforementioned guidelines. We further recommend that all significant security-related events be logged and that these logs be regularly reviewed by appropriate personnel and that unusual items be investigated. Finally, we recommend that these reviews and investigations be documented and retained for subsequent audit verification. 19

22 Financial Aid Finding 12 UB lacked adequate procedures and controls over certain student loans which totaled approximately $25 million during fiscal year Analysis UB lacked adequate procedures and controls over certain student loans which totaled approximately $25 million during fiscal year Our review disclosed the following conditions: Financial aid was posted to student accounts based on data provided by the lenders, but no procedures were in place to ensure that all financial aid posted was subsequently received from the lenders. As a result, if a lender failed to forward the funds to UB it would not be detected even though the student s account was credited for the payment. We attempted to verify that funds were received for selected amounts posted to student accounts but UB lacked adequate documentation to perform the test. Student loan refund checks were not properly controlled and accounted for. Specifically, although supervisors were to review all refund checks prior to issuance, automated reports of all student refund checks were not used to conduct the reviews. Rather, supervisory personnel only reviewed student refund checks submitted to them for review by the employees who generated the checks. As a result, fictitious checks could be issued and may not be subject to detection. In this regard, our test of 15 refunds totaling $82,722 disclosed that there was no documentation of an independent supervisory review for 6 of these refunds totaling $40,009. We further noted that refund checks could be misappropriated without detection because UB did not maintain a log of all refund checks awaiting student pick up and refund checks were not properly secured during the day. Students receive refund checks when the amount of their loans exceeds the amounts due to UB. UB failed to maintain independent accounting records of activity related to the financial aid bank account used to process student loans and, therefore, was unable to properly reconcile activity to the related bank records. As a result, any adjustments or improper disbursements from the account would not be detected. Similar conditions regarding the control over student refunds were noted in our preceding audit report. According to bank records, during fiscal year 2004, 20

23 disbursements from this financial aid account totaled approximately $26 million. As of September 2004 there were 44 checks totaling $36,095 that were awaiting pickup by students for up to nine months. Recommendation 12 We recommend that UB verify that all financial aid previously credited to student accounts was subsequently received, and that all financial aid credited to student accounts in the future be similarly verified. In addition, we again recommend that refunds be subject to independent supervisory review and approval. We also recommend that financial aid refund checks be properly accounted for and safeguarded. Finally, we recommend that adequate records of financial aid activity be maintained and used to reconcile with the related bank records. Equipment Finding 13 UB did not maintain an equipment control account and did not investigate missing equipment items valued at $874,000. Analysis UB did not maintain adequate equipment records and did not investigate missing equipment items valued at $874,000. According to UB s detail records, as of November 18, 2004, UB s capital and non-capital sensitive equipment totaled approximately $9.7 million. Specifically, our review disclosed the following conditions: An equipment control account was not maintained to provide a continuing summary of transactions and a total dollar value control over amounts recorded in the related detail records. UB did not investigate missing items noted during its physical inventory of equipment. In April 2003, UB completed a physical inventory of its equipment and noted that 438 items (including sensitive items such as computer equipment), with a value of approximately $874,000, were missing. However, as of November 5, 2004, UB had not investigated these missing items. USM and UB policies require that detailed records be maintained for all capital equipment (equipment valued over $5,000) and non-capital sensitive equipment, 21

24 that the detailed records be reconciled to a control account, and that physical inventories be conducted on a biennial basis and any discrepancies investigated. Recommendation 13 We recommend that UB establish and maintain an independent control account, periodically reconcile the account to the related detail records, and investigate any discrepancies. We further recommend that UB immediately investigate the aforementioned missing items to determine their proper disposition and adjust the property records accordingly. Student Grades Finding 14 Independent verifications of certain grades recorded in UB s computer systems were not performed to ensure that only authorized and accurate grades were recorded. Analysis Independent verifications of certain grades recorded in UB s computer systems were not always performed to ensure that only authorized and accurate grade changes were recorded by the Records Office and initial grades were recorded by the School of Law. As a result, there was a lack of assurance that all grades were properly recorded on the system. Specifically, one Records Office employee responsible for reviewing grade changes on the system also had the ability to process the related grade changes. Student grades are generally posted by faculty directly onto UB s computer systems (except for the School of Law as noted below). Any changes to student grades are processed centrally by staff in the Records Office based on written requests approved by appropriate faculty and the Dean of the respective schools. In addition, School of Law faculty forwarded student grades to clerical staff that input the grades into UB s computer systems. However, output reports were not verified to related input documents, such as authorized grade rosters to ensure the propriety of the recorded grades. Recommendation 14 We recommend that employees independent of UB s student grade processing functions verify that recorded grades were authorized and accurately processed. Specifically, we recommend that recorded grades as reflected on output reports be verified to related authorized input documents and that these verifications be documented. 22

25 Audit Scope, Objectives, and Methodology We have audited the University System of Maryland - University of Baltimore (UB) for the period beginning February 9, 2001 and ending June 17, The audit was conducted in accordance with generally accepted government auditing standards. As prescribed by State Government Article, Section of the Annotated Code of Maryland, the objectives of this audit were to examine UB s financial transactions, records, and internal control, and to evaluate its compliance with applicable State laws, rules, and regulations. We also determined the current status of the findings included in our preceding audit report. In planning and conducting our audit, we focused on the major financial-related areas of operations based on assessments of materiality and risk. Our audit procedures included inquiries of appropriate personnel, inspection of documents and records, and observation of UB s operations. We also tested transactions and performed other auditing procedures that we considered necessary to achieve our objectives. Data provided in this report for background or informational purposes were deemed reasonable, but were not independently verified. Our audit did not include certain support services (such as endowment accounting and bond financing) provided to UB by the University System of Maryland Office. These support services are included within the scope of our audits of the Office. In addition, we did not audit UB s federal financial assistance programs for compliance with Federal laws and regulations because the State of Maryland engages an independent accounting firm to annually audit such programs administered by State agencies, including the components of the University System of Maryland. Our audit scope was limited with respect to UB s cash transactions because the Office of the State Treasurer was unable to reconcile the State s main bank accounts during the audit period. Due to this condition, we were unable to determine, with reasonable assurance, that all UB cash transactions were accounted for and properly recorded on the related State accounting records as well as the banks records. UB s management is responsible for establishing and maintaining effective internal control. Internal control is a process designed to provide reasonable 23

26 assurance that objectives pertaining to the reliability of financial records, effectiveness and efficiency of operations including safeguarding of assets, and compliance with applicable laws, rules, and regulations are achieved. Because of inherent limitations in internal control, errors or fraud may nevertheless occur and not be detected. Also, projections of any evaluation of internal control to future periods are subject to the risk that conditions may change or compliance with policies and procedures may deteriorate. Our reports are designed to assist the Maryland General Assembly in exercising its legislative oversight function and to provide constructive recommendations for improving State operations. As a result, our reports generally do not address activities we reviewed that are functioning properly. This report includes findings relating to conditions that we consider to be significant deficiencies in the design or operation of internal control that could adversely affect UB s ability to maintain reliable financial records, operate effectively and efficiently, and/or comply with applicable laws, rules, and regulations. Our report also includes findings regarding significant instances of noncompliance with applicable laws, rules, or regulations. Other less significant findings were communicated to UB that did not warrant inclusion in this report. The response from the University System of Maryland Office, on behalf of UB, to our findings and recommendations is included as an appendix to this report. As prescribed in the State Government Article, Section of the Annotated Code of Maryland, we will advise the System regarding the results of our review of its response. 24

27

28 RESPONSE TO LEGISLATIVE AUDIT REPORT UNIVERSITY SYSTEM OF MARYLAND UNIVERSITY OF BALTIMORE FEBRUARY 9, 2001 TO JUNE 17, 2004 Automated Systems Finding 1 UB did not properly reconcile its accounting records with the related records of the State Comptroller and, as a result, failed to identify and resolve reconciling items totaling at least $25 million. University Response: The University agrees with the finding. Techniques are currently being developed to reconcile University financial records with the State Comptroller s Records. As noted by audit, a significant portion of the $25 million difference was due to the automated mapping of Stafford Loan activity in the amount of $25,452,596 into an incorrect fund in the State Comptroller s records. No monies were lost as a result of the misclassification. The University has developed a schedule to have complete reconciliation of all accounting records including the Stafford Loan misclassification by the close of fiscal year Finding 2 UB failed to identify and control access to critical transactions (such as payment processing and student grade updates) and, as a result, numerous individuals had the ability to process critical transactions without independent approvals. University Response: The University agrees with this finding. This task will involve a collaborative effort between the Office of Technology Services and functional users of the newly installed Peoplesoft automated computer system. Critical transactions with high risk status will be identified and access privileges will be assessed. Processes will be developed to include periodic reviews of access to ensure adequate control is present. These tasks are expected to be completed by the end of the first quarter of fiscal year In addition, where necessary, an independent approval process will be instituted and documentation will be retained for external audit review. This action is expected to be completed by May 31, 2005.

29 RESPONSE TO LEGISLATIVE AUDIT REPORT UNIVERSITY SYSTEM OF MARYLAND UNIVERSITY OF BALTIMORE FEBRUARY 9, 2001 TO JUNE 17, 2004 Student Accounts Finding 3 Procedures and controls over the processing and collections of student accounts were inadequate. University Response: The University agrees with the finding. However, two of the employees who process accounts receivable transactions also act as Chief Cashier and back-up Chief Cashier as part of their normal duties. As a compensating control, all non-cash credits processed will be independently verified by the Business Office Manager. The University is current with regard to submission of delinquent student accounts to the Central Collection Unit. In addition, all accounts that become delinquent will be submitted in a timely manner. With regard to third party (sponsored) accounts all have been identified and aged. Follow up is proceeding and delinquent accounts are being prepared for referral to the Central Collection unit. All delinquent accounts will be transferred by June 30, Lastly, administrative blocks are being placed on all delinquent accounts to hold transcripts and diplomas and block registrations for subsequent semesters. Purchases and Disbursements Finding 4 The propriety of certain sole source awards for executive search services and certain related payments was questionable. University Response: The University recognizes its responsibility for ensuring a competitive procurement process. Considering the circumstances identified in the audit note, the University continues to believe justification existed for the sole source selection. The missing supporting documentation was misfiled and could not be located at the time of the audit. All of the supporting documentation has been located except for support for two invoices. To complete University records, duplicate copies have been requested from the vendor.

30 RESPONSE TO LEGISLATIVE AUDIT REPORT UNIVERSITY SYSTEM OF MARYLAND UNIVERSITY OF BALTIMORE FEBRUARY 9, 2001 TO JUNE 17, 2004 Finding 5 UB did not execute formal contracts or obtain competitive bids for goods purchased from one vendor totaling approximately $319,000. University Response: The University agrees with this finding. Competitive procurement practices will be used. For instances of sole source awards, appropriate documentation will be retained. For the procurement referenced by audit, although the University did not document sole source justification for this vendor, there would be no economical advantage to procure the hundreds of pieces of Law Library reference material from a variety of sources. Any financial savings on the price of the periodicals would be more than offset by the administrative costs related to the procurement. Cash Receipts Finding 6 UB lacked adequate control procedures for certain collections. University Response: The University agrees with the finding. All collections, i.e., over the counter, web payments and ACH wire transfers will be traced from source documentation to bank credit to University ledgers. Procedures to perform this accountability are nearly complete. The reconciliations will be made for collections covered by the audit, since the audit, and for the future. All documentation will be retained for external audit review. In addition, an employee independent of the cash receipts function will investigate and resolve adjustments. Reassignment of this duty will be made before July 2005.

31 RESPONSE TO LEGISLATIVE AUDIT REPORT UNIVERSITY SYSTEM OF MARYLAND UNIVERSITY OF BALTIMORE FEBRUARY 9, 2001 TO JUNE 17, 2004 Information Systems Security and Control Finding 7 UB did not have adequate programs, policies, and procedures addressing information systems resource security and disaster recovery. University Response: The University agrees with this finding and plans to have a draft security program, a draft firewall policy and revised disaster recovery plan completed in the first quarter of FY The University has procured the services of an industry-leading vendor and is storing copies of system, network, firewall and application files at an appropriate offsite location. Finding 8 Certain critical operating aspects of UB s financial, student administration and human resources applications system were not sufficiently controlled. University Response: The University agrees that further restriction on access is required. Although restrictions are in place that prevents users from using the maintenance tools, the actual privileges should be revoked. The University also agrees that people should only have access as their job duties require and that adequate controls are established. Because of staffing at UB, several staff members have been forced to handle job responsibilities that would otherwise be separated. The University is in the process of hiring a Director of Application Development that will be responsible for managing program change control. This will allow UB to establish better checks and balances and greatly reduce the amount of access developers and database administrators need in development and production environments.

32 RESPONSE TO LEGISLATIVE AUDIT REPORT UNIVERSITY SYSTEM OF MARYLAND UNIVERSITY OF BALTIMORE FEBRUARY 9, 2001 TO JUNE 17, 2004 Finding 9 System accounts and vendor updates to critical software were not adequately controlled. University Response: The University accepts the recommendation to change the names of the system accounts. The University does not agree with the terminology System accounts were not adequately controlled as the Office of Legislative Audits is making a recommendation to change what is a standard configuration. While the University agrees that this change will improve security, UB doesn t agree that using the standard configuration represents inadequate control. The University will complete the renaming of the system accounts by the end of first quarter of FY The University does agree that critical software updates must be installed as quickly as is appropriate to mitigate the related risk. All security-related operating system updates are being installed as soon as possible. In the case of the Peoplesoft environment (financial, student administration and human resources applications), security-related updates are being installed only after they have been put through rigorous testing and quality assurance processes. Minor release updates to the Peoplesoft applications will be installed only after they have been put through rigorous testing and quality assurance processes. Major release updates for Peoplesoft will only be installed with user concurrence and after rigorous testing, quality assurance and change control processes have been met. Finding 10 UB s internal computer network was not adequately secured. University Response: The University agrees with all findings related to firewall configuration and will make all recommended changes as part of its upcoming firewall replacement project to be completed before the end of FY An enterprise log management appliance has been procured to support the regular review of significant security events. The University agrees with the audit finding relating to intrusion detection and has implemented this technology. The University will use the enterprise log management appliance to support regular review of significant security events and plans to expand its intrusion detection implementation in FY The Office of Legislative Audit made four recommendations to enhance internal network security and UB has implemented three of these. The fourth, which involves SNMP configuration, will be implemented in the first quarter of FY 2006.