College of Medicine - Phoenix: Controls over Business Operations and Building/Data Security


Internal Audit of College of Medicine - Phoenix: Controls over Business Operations and Building/Data Security

October 2010
FY10 - #13

Submitted to:
College of Medicine Phoenix
Stuart D. Flynn, Dean
Gail P. Barker, Special Assistant to the Dean
Howard D. Silverman, Associate Dean, Information Resources and Educational Technology
Nancy H. Tierney, Associate Dean, Planning and Facilities
Judith M. Apostolik, Director, Financial Affairs
Patricia L. Knox, Manager, Campus Operations
Marshall J. MacFarlane, Coordinator, Facilities Management

Copies to:
Audit Committee, Arizona Board of Regents
Robert N. Shelton, President
Meredith Hay, Executive Vice President and Provost
Robert R. Smith, Interim Senior Vice President for Business Affairs
William M. Crist, Vice President, Health Affairs Administration
B. Glenn George, Vice President, Legal Affairs and General Counsel
Jacqueline L. Mok, Vice President and Chief of Staff, President's Office
Charles E. Ingram, Associate Vice President, Financial Services Office
Michele L. Norin, Chief Information Officer

Issued by:
Sara J. Click, CPA, Chief Auditor
Internal Audit Department

Summary

This is our first audit of building/data security and internal controls over business operations at the College of Medicine Phoenix, and it was included in the approved Fiscal Year ("FY") 2009 and 2010 Audit Plans. As part of its Strategic Plan, The University of Arizona is leading the development of the Phoenix Biomedical Campus, which includes the College of Medicine Phoenix, to expand clinical services and increase the number of health professionals to meet the needs of the population of the state of Arizona.

Absent good controls, there is the risk of inappropriate access to University buildings/rooms by unauthorized individuals resulting in the theft of assets, physical harm to persons or property, or disruption of University operations. Additionally, with its remote location from the main campus, there is the risk that university policies and procedures may not be properly or consistently applied.

Background: According to the website, The University of Arizona ("UA") College of Medicine Phoenix is a full, four-year program that was dedicated in October It is an expansion to downtown Phoenix of the UA College of Medicine program begun in 1992, which offered third and fourth year medical students the opportunity to complete their training at Phoenix-area hospitals. Initially, the College of Medicine ("COM") Phoenix was a partnership between UA and Arizona State University ("ASU"); however, ASU withdrew from the partnership in April The Phoenix program is located in three renovated historic buildings on the Phoenix Biomedical Campus ("PBC") in downtown Phoenix. A fourth building, Arizona Biomedical Collaborative ("ABC"), houses the Department of Basic Medical Sciences and the Arizona State University Department of Biomedical Informatics. Additional PBC buildings are planned including the Health Sciences Education Building, Vivarium Phase I, and Arizona Cancer Center Phoenix.

There are approximately 450 regular campus users, e.g., students, employees, and faculty, at the COM Phoenix. The inaugural class of 24 students will be graduating in May Currently, COM Phoenix business operations, building access, and information technology functions housed at the Phoenix campus ultimately report to the COM Phoenix Dean. The Associate Dean for Information Resources and Educational Technology has other responsibilities in addition to information technology.

The University of Arizona Page 1 of 17 October 2010

Amer-X Security Inc., the UA's authorized sole source provider of electronic access management services and equipment, provides building electronic access management services and equipment for PBC.

Audit Objectives: Our audit objectives were to determine whether:
- access to University buildings/rooms is controlled,
- data is secured in accordance with applicable policies and procedures, and
- the internal control structure in place is adequate to ensure that financial transactions are supported, authorized, and safeguard University assets.

Scope: The scope of the audit was FY Our work on building/room access focused on the PBC access card ("PBC card"), because the electronic key is required to access building perimeter doors. Existing internal controls over selected types of financial transactions (e.g., cash handling and receiving, petty cash, payroll processing, purchasing card transactions) were evaluated, as well as management reports, effort reporting, and conflict of interest.

Methodology: We accomplished our audit objectives through:
- discussions and/or correspondence with COM Phoenix representatives, including the Dean's Office, Campus Operations, Facilities Management, Information Resources, Financial Affairs, and Basic Medical Sciences;
- discussions and correspondence with University of Arizona main campus representatives from COM - Administration and Information Technology Services; University Information Technology Services Chief Information Officer and Information Security Office; Facilities Management; Procurement and Contracting Services Contracting and PCard Administration; University of Arizona Police Department; Risk Management and Safety; Sponsored Projects Services; Parking and Transportation Services; University of Arizona Bookstores; and Financial Services Office Tax Compliance, Bursar: Banking Services/Bursar Representatives and UA CatCard Office, Financial Management: Cash & Clearing, Financial Compliance, Operating Funds, and Payroll Operations;
- meeting with third party vendor Amer-X Security Inc. senior management;
- onsite visit on February 18, 2009 to observe PBC on-site building access procedures, Information Technology ("IT") processes, and Amer-X controls;
- use of Audit Command Language ("ACL") data mining software for assistance in identifying a random sample of 25 issued PBC cards for detailed review;

- review of documentation in support of building access processes, information systems backup procedures and other IT-related documentation, and selected financial transactions;
- review of applicable University policies and procedures; and
- review of Departmental Responsibility Assignments Review matrices ("matrix") that selected COM-Phoenix departments were requested to complete. The matrix was developed by Internal Audit based on University policies to identify responsible employees for business processes.

Conclusion: Overall, we found that the existing internal control structure is adequate to ensure that financial transactions are supported, authorized, and safeguard University assets; however, controls related to University building access and data security are not adequate and require improvement. Some of the opportunities for improvement, e.g., building access card, resulted from the manner in which the College of Medicine Phoenix partnership was originally set up, that is, a less-secure PBC card was agreed upon as a compromise between UA and ASU.

Information technology is considered high risk. The current structure, wherein the person responsible for campus information technology has other non-IT responsibilities, may have been acceptable for the initial campus structure. However, as the Phoenix campus expands, a dedicated, full-time director of information technology will be required to effectively manage this high risk area.

We found that employees responsible for building access, information technology, and financial affairs were receptive to suggestions to improve processes/controls and took action to improve controls and obtain necessary training. Management is supportive of our recommendations and has actively begun the process of implementing their identified action plan items.

According to the Institute for Internal Auditors International Professional Practices Framework, an organization is expected to establish and maintain effective risk management and control processes. These control processes are expected to ensure, among other things, that:
- financial and operational information is reliable and possesses integrity,
- operations are performed efficiently and achieve established objectives,
- assets are safeguarded, and
- actions and decisions of the organization are in compliance with laws, regulations, and contracts.

General Control Objectives and Control Environment

Reliability and Integrity of Financial and Operational Information
- Controls over payroll processing, cash handling and receiving, purchasing card transactions, petty cash fund expenditures, and effort reporting were adequate to ensure accurate reporting. Control Environment: Reasonable to Strong Controls in Place

Effectiveness and Efficiency of Operations
- Monthly financial reports were provided to management. Control Environment: Reasonable to Strong Controls in Place
- PBC card issuance processes and controls were adequate. Control Environment: Opportunity for Improvement

Safeguarding of Assets
- Checks and cash were adequately safeguarded prior to deposit. Control Environment: Reasonable to Strong Controls in Place
- Petty cash funds were adequately safeguarded. Control Environment: Reasonable to Strong Controls in Place
- Physical access controls are adequate. Control Environment: Opportunity for Improvement
- Access to server room and backup data tapes are restricted to authorized persons. Control Environment: Opportunity for Improvement

Compliance with Laws and Regulations
- Compliance with UA policies and procedures regarding payroll processing, cash handling and receiving, effort reporting, conflict of interest, and petty cash. Control Environment: Reasonable to Strong Controls in Place
- Compliance with UA PCard Policies pertaining to service/tax exempt purchases and assessment of use tax. Control Environment: Opportunity for Improvement
- Compliance with UA Information Security standards, procedures, and industry best practices. Control Environment: Opportunity for Improvement

Recommendation No. / Page: 2,3,4 9,11, ,4 5,13

We appreciate the assistance of UA staff during the audit.

/s/ Kurt M. Weirich, CIA, CISA
Auditor-In-Charge
(520) weirichk@arizona.edu

/s/ Sara J. Click, CPA
Chief Auditor
(520) clicks@arizona.edu

Audit Results, Recommendations and Responses

1. Information Technology Issues

Condition: The following logical and physical control weaknesses were identified.

Lack of Required Documentation
- Roles and responsibilities are not clearly defined or documented for PBC IT functions, e.g. server maintenance duties.
- PBC IT network and data flow diagrams have not been documented.
- PBC IT data backup written procedures have not been documented.
- Completed documentation for the PBC 2008 Personal Information Sweep, due December 31, 2008, was received by the University Information Security Office in the fall of

Unauthorized Access
- A total of 128 issued metal keys permit access to the server room located in Building 1. Some of the metal keys have been issued to Tucson Facilities Management personnel who would not routinely require access to the server room.
- A PBC card reader has not been installed on the inner server room door.
- A visitor log has not been created for server room visitors.
- PBC IT staff does not know how many individuals have access via metal key to the storage room containing the backup data tapes. The backup tape storage room is located in the ABC building, a different building than the server room. PBC IT staff does not have metal key access to this room.
- A total of 42 individuals have electronic access to the storage room that contains the backup data tapes. Of these, 28 (67%) have no business need for access.

Other Issues
- There is no inventory listing of the backup data tapes located in the storage room.
- Environmental monitoring remote notification software [1] is currently installed; however it is not utilized.

[1] Environmental monitoring software continuously monitors server room temperatures and humidity levels required for server hardware to operate effectively. The software provides automatic notification to IT personnel via telephone or when critical operating temperatures or humidity thresholds are exceeded in the server room.

Criteria:

University of Arizona Information Security Office Business Continuity and Disaster Recovery, IS-S900, states, University units must establish procedures and policies for backup and recovery of the units' data.

IT Governance Institute Information Security Audit and Control Association ("ISACA"), Control Objectives for Information and Related Technology (CobiT 4.1) states, Establish and maintain an enterprise information model to enable application development and decision-supporting activities consistent with IT plans. Establish and communicate roles and responsibilities for IT personnel.

University of Arizona Office of Information Security, Personal Information Sweep, IS-P301, states, UA personnel are responsible for the security of UA information stored, sent or displayed using computing resources and communications resources, whether or not those resources are owned by the University. If you work with personal information, you must be aware of and comply with applicable legal requirements and policies. Vice Presidents, Deans, Directors, Department Heads and Heads of Centers have ultimate responsibility for computing resources, including personal information, and for their units' compliance with legal requirements and policies.

Office of the President, Personal Information Sweep, Memorandum, states, I ask all personnel who use computerized UA information to complete the Personal Information Sweep between October 1 and December 31,

University of Arizona Office of Information Security, Data Facility Physical Security, IS-S501, states, Access control procedures must be in place to reasonably ensure that only authorized personnel have access to a data facility.

Cause: The Associate Dean for Information Resources and Educational Technology advised the auditor that the Chief Information Officer at the COM Tucson would be developing and documenting PBC IT network and data flow diagrams, and data backup written procedures, and that he has requested this information numerous times from the Chief Information Officer. However, the Chief Information Officer is not located in Phoenix and may not be aware of their processes. The Chief Information Officer advised the auditor that he does not have knowledge of PBC IT data flows and is therefore unable to complete the Phoenix IT diagrams. Additionally, there is no reporting relationship between the Associate Dean for Information Resources and Educational Technology and the Chief Information Officer. When the information was not provided, the Associate Dean for Information Resources and Educational Technology did not follow-up and/or take ownership of tasks for which he was responsible.

The Facilities Management Lock Shop Manager, who is located in Tucson, advised the auditor that the Lock Shop was unaware that this was a server room; thus, the Lock Shop had not performed a special server room doors and locks review.

Effect: Absent written procedures appropriately implemented and monitored, employees may leave with institutional knowledge, which could lead to delays or errors by new employees. Unauthorized individuals could have access to the server room and backup data tapes. Backup data may not be available or accessible if needed.

Recommendations:

1. Document PBC IT roles and responsibilities, network and data flow diagrams, and backup data procedures; then, communicate in writing to COM personnel.

2. Complete the Lock Shop special server room review; change server room metal locks; provide metal key to PBC IT staff; install an electronic PBC card reader on the inner server room door. Periodically, review physical access (via both metal and electronic keys) to the server room and the storage room containing the backup data tapes; once identified, remove unnecessary access.

3. Create and utilize a visitor log for the server room; monitor for compliance.

4. Inventory backup data tapes.

5. Utilize the remote notification environmental control software feature and monitor environmental conditions in the server room.

Management Responses:

1. Target Implementation Date: December 31, IT roles and responsibilities have been discussed over the years with the Dean COM Phoenix, the Vice President Health Affairs Administration and the COM PBC Associate Dean for Information Resources and Educational Technology during several meetings conducted in February 2009 through April The COM PBC Associate Dean for Information Resources and Educational Technology met with the University Chief Information Officer to discuss IT services coordination during February This topic was the focus of considerable work in Tucson utilizing a consultant (Vantage) during May 2007; however, this consultation did not include discussion of Tucson-Phoenix roles and responsibilities. Conversations about analysis and planning server responsibilities have been ongoing for the past two years. We have defined a planning process and a group including Phoenix and Tucson COM staff.

COM IT Tucson staff provided some verbal guidance to PBC IT staff during telephone discussions from late November 2009 through February 2010 regarding IT data backup processes. By December 31, 2010, PBC Associate Dean for Information Resources and Educational Technology will develop and document backup IT data procedures, IT Data Flows, and IT roles and responsibilities.

2. Implemented. A review of key access to server room was initiated in March 2010 and will be done on an annual basis. The server room was rekeyed in March 2010 based upon recommendations received from the UA Lock Shop and access restricted. A quote was obtained in July 2010 to install a PBC access card reader on the server room inner door and the PBC Safety Committee reviewed the quote in August A decision was made not to install the inner server room card reader because of the improved physical access controls; the outer server room door locks have been changed and access restricted to individuals who require access; the building's perimeter doors are now kept locked and reviews of electronic access to the server room are now regularly performed by PBC IT management. The backup tape storage room was originally a storage room, and included a variety of assigned access levels. The access levels that were not needed for business purposes have since been removed. A metal key to the storage room was issued to PBC IT staff in March

3. Implemented. A server room visitor log was created and implemented during March

4. Implemented. A backup data tape inventory log was created on June 12, 2009 and periodic audits of the backup data tapes were started at that time by PBC IT staff.

5. Implemented. A phone line was installed in March 2010 for the remote notification software alarm to dial out to the Trane technician's 24/7 phone when the server room temperature or humidity level exceeds the operational threshold. Trane is the third-party heating, ventilation and air conditioning systems ("HVAC") vendor contracted by PBC; their technician is located on-site at PBC.

2. Physical Building Access

Condition: Weaknesses with current PBC building access processes could permit unauthorized access. These weaknesses are:
- Building 1 remains unlocked during normal business hours and the receptionist's location does not permit her to see who enters the building.
- Locked main entrance doors can be inadvertently opened when an individual inside the building approaches the door to see who is knocking; when approached from the inside, a motion detector automatically unlocks the doors. With the campus urban location, members of the general public frequently knock on the locked main entrance doors to gain entrance.
- On March 26, 2009, an Arizona Telemedicine Program ("ATP") employee advised the auditor about incidents in which she was frightened, and fearful of her safety, by unauthorized individuals who were present in the locked building.

Criteria: Good business practices include reviewing physical access controls on a regular basis.

Cause: Building 1 is unlocked during the day to allow visitors to access the building. The Amer-X Security, Inc. Chief Executive Officer advised the auditor that the architect's design of the main entrance doors required an automated motion sensor to meet City of Phoenix building codes.

Effect: Unauthorized individuals could gain access to University buildings placing staff, students, and visitors at risk of physical harm.

Recommendation: Lock Building 1 during normal business hours; contact Risk Management and Safety and the University of Arizona Police Department ("UAPD") to request a building security risk analysis to address staff concerns expressed regarding physical safety.

Management Responses:

a. Implemented. The building is locked during normal business hours instituted on June 15, A Security Task Force, which includes UAPD and Risk Management, reviewed PBC security on-site in December

b. Implemented. We have consulted with Amer-X Security, but options are limited at this time due to the design of the door and City of Phoenix Fire Code Requirements. We will continue to explore options. At the time of orientation, our students and employees are informed about the 7-second delay in the relocking of the doors. Door closers have been adjusted to close as fast as allowed by the Americans with Disabilities Act ("ADA"). This process was implemented in January

c. Implemented. After the staff member reported the incidents to PBC management, panic buttons were provided to all three ATP staff on the third floor of Building 2. In addition, security staff have included the third floor of Building 2 on their security rounds. They visit the floor no less than twice daily. The employee stated she has currently no concerns about her physical safety since these measures have been put in place. These changes were implemented in December

3. Electronic Building Access Card

Condition: The PBC card was created to provide electronic building access for PBC employees, students and vendors. This access process is different from the main UA campus in Tucson that utilizes the CatCard for electronic building access. The following weaknesses were identified with the PBC card:
- New PBC electronic access cards, produced by the CatCard Office, are delivered to an unsecured mail room; mail distribution duties are not assigned.
- PBC access cards utilize pre-programmed dumb prox chip technology that provides lower security capability than currently available smart chip (programmable) technology.
- The cardholder's photograph is not included on the electronic access card.

Criteria: FRS Departmental Manual, Policy #8.10 states The department is responsible for the control of value added inventory, for example, UA CatCards, and photocopy cards.

Cause: The auditor was advised by CatCard Office personnel that the decision to use non-programmable chips was a compromise between the University of Arizona and Arizona State University based upon cost considerations.

Effect: Unauthorized individuals may gain access to buildings placing staff, students, and visitors at risk.

Recommendations:

1. Secure mail room doors and ensure only authorized individuals have access; consider hand delivering electronic access cards to the appropriate personnel.

2. Contact the CatCard Office to discuss potential deployment of programmable chip card technology and displaying the cardholder's photograph.

Management Responses:

1. Implemented. Securing PBC mail room doors is hard to implement. This room also serves as the third floor Work Room. Virtually everyone on this floor, and in fact on this campus needs access to that room. We believe we can address this through administrative controls. The new administrative controls include producing PBC Cards at PBC starting in February 2010 and the cards are no longer distributed via the mail room effective February 2010, rather they are provided to employees in person. The perimeter doors of the building where the mail room is located are now kept locked as of June 15, 2009 and unauthorized individuals can no longer walk into the building without a PBC Card; and the PBC Facilities Management Coordinator's and the Campus Operations Manager's office location permits visual observation of mail room contents.

2. Implemented. PBC Cards are printed in-house beginning in February 2010 and are no longer sent from Tucson via courier. We keep stock for PBC Cards on hand and have a local supplier. All new cards currently include a photograph. The University Committee for the Coordinated Integration of Security Technologies is reviewing PBC Card technology and potential changes beginning on May 26,

4. Access Card Issuance

Condition: The following weaknesses were identified with the electronic building access process:
- PBC building access reviews have not been conducted.
- Building access levels are not reviewed and/or modified, as necessary, when an employee's job responsibilities change.
- Required Phoenix Biomedical Campus Access Card Agreement form listing cardholder responsibilities, was not obtained for 8 (32%) of the 25 sampled cardholders.
- A total of 4 (16%) of the 25 sampled cardholders were terminated employees that still had active electronic building access cards.
- Standardized electronic building access templates have not been developed; supervisors determine electronic access levels on a case-by-case basis.
- Written procedures for issuing electronic building access cards to vendors have not been developed. Thus, vendors have been issued generic cards, e.g., cards assigned to the company as opposed to a specific individual, and multiple cards to a single individual.
- DSX System, the electronic access system, user passwords are not changed and do not have minimum password construction requirements.

Criteria:

The PBC Card Request Flowchart requires that individuals receiving PBC cards complete a PBC card acknowledgement form prior to card issuance.

Good business practices include regularly reviewing logical access controls and obtaining required documentation to ensure cardholders acknowledge their responsibilities regarding electronic building/room access.

University of Arizona Information Security Office, Password Construction and Maintenance, IS-G701, states, Users should construct a password/passphrase that meets the minimum following criteria: Passwords should ALWAYS contain: At least eight characters (but more is highly recommended). The recommended password/passphrase change interval is every 180 days.

Cause: PBC cards were distributed before the Phoenix Biomedical Campus Access Card Agreement forms were developed. As a new branch campus, PBC had not yet developed processes to identify terminated employees and deactivate their electronic building access, conduct access reviews, develop standardized access templates and issue cards to vendors. The DSX System does not have an automated system reminder to change the password and PBC staff were not aware of the requirement to change the password.

Effect: Without a regular review of access levels, it is not possible to know if access levels are appropriate or if terminated employees have access. Thus, unauthorized individuals may have access to buildings placing staff, students, and visitors at risk.

Recommendations:

1. Periodically review building/room access levels provided by PBC cards to ensure access is appropriate; remove access for terminated employees in a timely manner; create standard access templates; develop written access review procedures that include controls for change management and issuing cards to vendors and employees; obtain signed PBC access cardholder responsibilities documentation for all PBC current and future cardholders; monitor for compliance.

2. Change DSX System passwords every 180 days and construct passwords in accordance with University Information Security Office guidelines.

Management Responses:

1.a. Implemented. Beginning in July 1, 2009, annual Phoenix Biomedical Campus Access Card Agreement forms were sent to all cardholders with the original held in their personnel file and a copy sent to them for their records. This process was fully implemented in February

1.b. Implemented. As of February 16, 2009, PBC card access for terminated employees is being removed within 2-3 days of notification from the department.

1.c. Implemented. The PBC Access Control Coordinator/PBC Management began a process in October 2009 to review PBC access levels on an annual basis. The review will include employee and student status and access levels assigned, current department, etc. The review is ongoing; several access levels have been eliminated, or combined with other levels.

1.d. Target Implementation Date: January The PBC Facilities Management Coordinator will implement an improved annual (minimum) review of PBC cardholders. All PBC access card holders will be required to complete a new Phoenix Biomedical Campus Access Card Agreement form and a more detailed review of access levels for active cardholders will be completed by the PBC Facilities Management Coordinator by the end of January This new access review process will be much more detailed than the prior access reviews that were started in October

1.e. Target Implementation Date: December The PBC Facilities Management Coordinator will develop standardized access level templates. This has been a work-in progress since mid February We plan to complete standardization access level templates by December

1.f. Implemented. Multiple cards issued to the same individual have only occurred with vendors in the past. This practice has ceased and we have completed updating our records in January Additionally, PBC access cards are currently issued in names only beginning in January 2010, not generic company names, and are currently the practice with most vendors.

1.g. Implemented. Beginning in March 2010, all cards are now requested through an online system. We follow the same procedure for vendor cards that we use for PBC card issuance for everyone else. We will document specific procedures for vendors.

2. Implemented. The password update process was initiated in April We will find out how to automate changing of DSX System passwords every 180 days and have set a reminder in Outlook, for now.

17 5. Use Tax Assessed on Purchasing Card ( PCard ) Transactions Condition: Controls over PCard purchases were adequate to ensure items purchased were valid business-related expenses. However, we found issues with use tax assessments on service and/or tax exempt purchases that resulted in unnecessary charges to departmental accounts. A total of $622 in use tax was unnecessarily assessed on 20 (35%) of the 57 sampled PCard purchases. Criteria: University of Arizona Purchasing Card Reconciliation/Approval Review Training Guide states, If the transaction was not charged tax by the vendor and the purchase was for a service or tax exempt item, check the service/tax exempt box PaymentNet protects users from being charged Use Tax in error by not assessing Use Tax if the vendor is from Arizona or if any of the following Object Codes are used Freight/Shipping and handling The list below identifies some types of purchases that are NOT assessed State Sales tax or Use Tax. They should be coded as service/tax exempt Airline Tickets...Transactions subject to Use Tax where the invoice includes freight charges must be split to break out the freight on a separate line. Freight charges should be coded with object code 5560 to prevent Use Tax from being charged on the freight portion of the invoice. Procurement and Contracting Services Tax Information states, Purchases that are exempt include equipment and chemicals used in research. Cause: PaymentNet reconcilers and/or approvers were unaware of the policy regarding service and/or tax exempt purchases and the requirement to check the Service/Tax Exempt button to prevent the unnecessary assessment of use tax. Effect: Noncompliance with University policy; use tax was unnecessarily assessed, and paid, from departmental accounts. The University of Arizona Page 16 of 17 October 2010

Recommendations:

1. Re-train PaymentNet reconcilers and approvers about the importance of correctly identifying service/tax exempt purchases in PaymentNet; monitor for compliance.

2. Management should evaluate whether prior use tax assessments should be reviewed and corrections made as necessary. The Financial Services Office (FSO) will permit use tax corrections to be made for three years: the current fiscal year and the prior two fiscal years. Should management determine that use tax corrections should be made, Request for Accounting Assistance (RFAA) forms will need to be completed; contact FSO for assistance.

Management Responses:

1. Implemented. The finance staff for COM Phoenix Administration and Basic Medical Sciences (BMS) had a training session on August 26, 2010 with the PCard Office and the FSO Tax Compliance Office to discuss the policies and procedures for not paying Use Tax on shipping/freight expenses on PCard charges. Additionally, the new BMS finance office staff who reconcile purchasing card transactions attended PCard Summer School on July 28,

2. Implemented. With more than 10,000 PCard purchases within the last three years, management determined that it was more cost effective to prevent future payment of Use Tax instead of the time-consuming and costly process of looking at past transactions.


More information

Audit Summary. Departmental Background. Objective and Scope

Audit Summary. Departmental Background. Objective and Scope Audit Summary The Comet Center appears to have an adequate system of internal controls in place. However, the following report details ways by which the department can further enhance internal controls

More information

Cleveland State University Purchasing Card Policy and Procedure Revised June 2014. Program Overview

Cleveland State University Purchasing Card Policy and Procedure Revised June 2014. Program Overview Cleveland State University Purchasing Card Policy and Procedure Revised June 2014 Purpose This policy describes the proper use of a Cleveland State University (the University) purchasing card. It is in

More information

Intel Enhanced Data Security Assessment Form

Intel Enhanced Data Security Assessment Form Intel Enhanced Data Security Assessment Form Supplier Name: Address: Respondent Name & Role: Signature of responsible party: Role: By placing my name in the box above I am acknowledging that I am authorized

More information

Internal Control Guidelines

Internal Control Guidelines Internal Control Guidelines The four basic functions of management are usually described as planning, organizing, directing, and controlling. Internal control is what we mean when we discuss the fourth

More information

Access Control Regulations

Access Control Regulations Access Control Regulations 6 August 2008 1 TABLE OF CONTENTS I. Regulations... 3 II. Introduction... 3 III. Definitions... 3 IV. Single Access Control Alarm Coordinator (SACC)... 4 V. Access to Closed

More information

Supply Chain Security Audit Tool - Warehousing/Distribution

Supply Chain Security Audit Tool - Warehousing/Distribution Supply Chain Security Audit Tool - Warehousing/Distribution This audit tool was developed to assist manufacturer clients with the application of the concepts in the Rx-360 Supply Chain Security White Paper:

More information

Memorandum. ACTION: Report on Computer Security Controls of Financial Management System, FTA FE-2000-098. May 23, 2000.

Memorandum. ACTION: Report on Computer Security Controls of Financial Management System, FTA FE-2000-098. May 23, 2000. U.S. Department of Transportation Office of the Secretary of Transportation Office of Inspector General Memorandum ACTION: Report on Computer Security Controls of Financial Management System, FTA FE-2000-098

More information

INFORMATION TECHNOLOGY CONTROLS

INFORMATION TECHNOLOGY CONTROLS CHAPTER 14 INFORMATION TECHNOLOGY CONTROLS SCOPE This chapter addresses requirements common to all financial accounting systems and is not limited to the statewide financial accounting system, ENCOMPASS,

More information

Texas A&M University - Commerce: Review of Faculty Human Resources Processes PROJECT SUMMARY. Summary of Significant Results

Texas A&M University - Commerce: Review of Faculty Human Resources Processes PROJECT SUMMARY. Summary of Significant Results PROJECT SUMMARY Overview Table of Contents Project Summary... 1 Detailed Observations... 3 Basis of Review... 10 Audit Team Information... 11 Distribution List... 11 Processes and controls at Texas A&M

More information

Continue to develop and enhance partnerships on all of the University of Montana campuses and in surrounding communities.

Continue to develop and enhance partnerships on all of the University of Montana campuses and in surrounding communities. GRIZ CARD CENTER STRATEGIC PLAN 2008-13 JANUARY 2008 Mission Statement The Griz Card Center offers a user friendly integrated one card system to University of Montana faculty, staff, students, alumni,

More information