University System of Maryland University of Maryland Biotechnology Institute

Transcription

1 Audit Report University System of Maryland University of Maryland Biotechnology Institute August 2006 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND GENERAL ASSEMBLY

2 This report and any related follow-up correspondence are available to the public through the Office of Legislative Audits at 301 West Preston Street, Room 1202, Baltimore, Maryland The Office may be contacted by telephone at , , or Electronic copies of our audit reports can be viewed or downloaded from our website at Alternate formats may be requested through the Maryland Relay Service at The Department of Legislative Services Office of the Executive Director, 90 State Circle, Annapolis, Maryland can also assist you in obtaining copies of our reports and related correspondence. The Department may be contacted by telephone at or

3 August 28, 2006 Senator Nathaniel J. McFadden, Co-Chair, Joint Audit Committee Delegate Charles E. Barkley, Co-Chair, Joint Audit Committee Members of Joint Audit Committee Annapolis, Maryland Ladies and Gentlemen: We have audited the University System of Maryland University of Maryland Biotechnology Institute (UMBI) for the period beginning February 14, 2003 and ending February 2, Our audit disclosed that procedural and internal control deficiencies existed in the areas of grant receivables, computer security, and cash receipts. For example, UMBI s computer network, which supports technical research and development, was not adequately secured from external exposures. Respectfully submitted, Bruce A. Myers, CPA Legislative Auditor

4 2

5 Table of Contents Background Information 4 Agency Responsibilities 4 Current Status of Findings From Preceding Audit Report 4 Findings and Recommendations 5 Grants * Finding 1 Adequate Collection Efforts Were Not Performed for 5 Certain Delinquent Grant Reimbursement Requests Information Systems Security and Control Finding 2 Disaster Recovery Plans Did Not Exist or Were Not Sufficient 6 * Finding 3 UMBI s Network Was Not Adequately Secured 6 Finding 4 Controls For Network Authentication Were Inadequate 7 Cash Receipts Finding 5 Collections Received at Two Locations Were Not 8 Transferred Timely for Deposit Audit Scope, Objectives, and Methodology 9 Agency Response Appendix * Denotes item repeated in full or part from preceding audit report 3

6 Agency Responsibilities Background Information The University of Maryland Biotechnology Institute (UMBI) is a non-degree granting institution whose primary purpose is to foster intense scientific research of biotechnology and its application with regard to human health, marine environment, agriculture, and protein engineering/structural biology. Additionally, UMBI trains graduate and post-doctoral students from various University System of Maryland campuses. In order to accomplish its purpose, UMBI operates five independent but interactive research centers: the Center for Advanced Research in Biotechnology, located in Montgomery County; the Center for Biosystems Research, located in College Park; and the Center for Marine Biotechnology, the Institute for Human Virology, and the Medical Biotechnology Center, all located in Baltimore City. The central administrative office for UMBI is also located in Baltimore City at the Christopher Columbus Center. According to the State s accounting records, fiscal year 2005 revenues totaled approximately $55.7 million, which included a State general fund appropriation of approximately $15 million. Current Status of Findings From Preceding Audit Report Our audit included a review to determine the current status of the eight findings contained in our preceding audit report dated August 20, We determined that UMBI satisfactorily addressed six of these findings. The remaining two findings are repeated in this report. 4

7 Findings and Recommendations Grants Finding 1 UMBI did not make an adequate effort to collect delinquent accounts related to certain outstanding grant reimbursement requests. Analysis Adequate collection efforts were not performed for delinquent accounts related to certain unpaid grant reimbursement requests. Specifically, written payment demands had not been sent to the grantors at predetermined intervals for these accounts as required by the State s Central Collection Unit (CCU). Our test of 10 delinquent grant accounts totaling approximately $401,000 disclosed that UMBI sent collection notices for these accounts 37 days to 108 days later than required. CCU requires State agencies to issue collection notices for past due accounts within 30 days of the date of the original invoice. According to its records, receivables due UMBI from grantors totaled approximately $4 million as of February 17, 2006, including approximately $1.1 million that had been outstanding for more than 90 days. A similar condition was commented upon in our two preceding audit reports. Recommendation 1 We again recommend that UMBI comply with CCU regulations related to the collection efforts of unpaid accounts. Information Systems Security and Control Background UMBI was created for intensive technical research and development in biotechnology, and is composed of a headquarters unit and five research centers. Each research center is responsible for information technology acquisitions and processing in support of each center s research efforts. This environment includes an extensive wide area network that provides Internet connectivity and connections to a substantial number of servers and workstations. Firewalls and intrusion prevention systems were installed at all but one of the UMBI locations. 5

8 Finding 2 Information technology disaster recovery plans did not exist or were insufficient. Analysis Four of the research centers did not have disaster recovery plans for recovering from disaster scenarios (for example, a fire). Furthermore, UMBI did not have comprehensive information technology disaster recovery plans for its headquarters unit and the Center for Advanced Research in Biotechnology. Specifically, the plans for these two locations did not adequately address certain requirements of the Department of Budget and Management s (DBM) IT Disaster Recovery Guidelines, such as employee contact information, specific assignment of staff roles and responsibilities, and equipment replacement. Without complete disaster recovery plans, a disaster could cause significant delays (for an undetermined period of time) in restoring operations above and beyond the expected delays that would exist in a planned recovery scenario. Recommendation 2 We recommend that, in accordance with the aforementioned IT Disaster Recovery Guidelines, UMBI develop and implement comprehensive information systems disaster recovery plans, which cover all critical functions, at its headquarters unit and five research centers. Finding 3 UMBI s internal computer network was not adequately secured. Analysis Adequate security measures had not been established to protect UMBI s internal computer network from external threats: Numerous publicly accessible servers were located on UMBI s internal network rather than being placed in a neutral network zone. Publicly accessible servers should be placed in a neutral network zone, separate from the internal network, to enhance protection of sensitive data and systems on the internal network. We were advised that, in some cases, UMBI employees had placed publicly accessible servers on the internal network to facilitate public access to research information without the awareness or authorization of management of UMBI s Office of Information Systems. Also, UMBI did 6

9 not have a security policy regarding the implementation of publicly accessible servers on the internal network. DBM s Information Technology Security Policy and Standards require that all publicly accessible servers be placed in a neutral network zone. The UMBI Center for Biosystems Research (CBR) is located on the University of Maryland College Park (UMCP) campus. The CBR local network was connected to both the UMBI and UMCP internal networks without use of a firewall and intrusion detection/prevention system to protect CBR and the remainder of UMBI from security risks associated with the UMCP network. For the one firewall that we reviewed, firewall rules were not configured to adequately secure connections between UMBI s internal network and the Internet. Accordingly, critical information was susceptible to attack, which could result in a loss of data integrity or the destruction of critical files. A similar situation was commented upon in our preceding audit report. UMBI did not optimally configure the intrusion prevention systems installed on its network and did not adequately monitor these systems. Intrusion prevention systems gather and analyze network traffic to identify potential network security breaches and attacks. Furthermore, such systems can block inappropriate traffic and alert network administrators to these situations. Recommendation 3 We recommend that UMBI take the necessary actions to improve network security to protect its network. We made detailed recommendations to UMBI which, if implemented, should provide adequate security over its internal network. Finding 4 Controls for network authentication were inadequate. Analysis The controls for network authentication were inadequate. For example, passwords were set to never expire and accounts were not locked out after a defined number of failed logon attempts. Accordingly, the control settings for 7

10 accounts and passwords did not comply with the University System of Maryland s (USM) Guidelines in Response to the State Information Technology Security Policy and Standards. Recommendation 4 We recommend that UMBI comply with account and password requirements of the aforementioned USM Guidelines in Response to the State Information Technology Security Policy and Standards. Cash Receipts Finding 5 Cash receipts collected at two of UMBI s locations were not transferred timely for deposit. Analysis Cash receipts collected by two UMBI s operating units were not transferred to the University of Maryland, College Park for deposit in a timely manner. Our test of 26 receipts, totaling $683,062, collected by these units disclosed that 21 receipts, totaling $440,683, were not transferred for deposit for periods ranging from 3 to 15 business days after the dates of collection. The Comptroller of the Treasury s Accounting Procedures Manual requires that cash receipts be deposited no later than the first business day after the day of receipt. Failure to transfer cash receipts for deposit in a timely manner increases the possibility of misappropriation and results in a loss of investment income. During calendar year 2005, UMBI s cash receipts totaled approximately $6 million, of which approximately $5.7 million was received by these two units. Recommendation 5 We recommend that UMBI transfer all cash receipts for deposit in a timely manner as required by the Comptroller of the Treasury. 8

11 Audit Scope, Objectives, and Methodology We have audited the University System of Maryland (USM) University of Maryland Biotechnology Institute (UMBI) for the period beginning for the period beginning February 14, 2003 and ending February 2, The audit was conducted in accordance with generally accepted government auditing standards. As prescribed by State Government Article, Section of the Annotated Code of Maryland, the objectives of this audit were to examine UMBI s financial transactions, records, and internal control, and to evaluate its compliance with applicable State laws, rules, and regulations. We also determined the current status of the findings included in our preceding audit report. In planning and conducting our audit, we focused on the major financial-related areas of operations based on assessments of materiality and risk. Our audit procedures included inquiries of appropriate personnel, inspections of documents and records, and observations of UMBI s operations. We also tested transactions and performed other auditing procedures that we considered necessary to achieve our objectives. Data provided in this report for background or informational purposes were deemed reasonable, but were not independently verified. Our audit did not include certain support services, such as processing vendor payment transmittals and depositing cash receipts, provided to UMBI by the University of Maryland, Baltimore, and University of Maryland, College Park. These support services are included within the scope of our audits of these System units. In addition, we did not audit UMBI s federal financial assistance programs for compliance with federal laws and regulations because the State of Maryland engaged an independent accounting firm to annually audit such programs administered by State agencies, including the components of the USM. Our audit scope was limited with respect to UMBI s cash transactions because the Office of the State Treasurer was unable to reconcile the State s main bank accounts during the audit period. Due to this condition, we were unable to determine, with reasonable assurance, that all UMBI cash transactions were accounted for and properly recorded on the related State accounting records as well as the banks records. UMBI s management is responsible for establishing and maintaining effective internal control. Internal control is a process designed to provide reasonable assurance that objectives pertaining to the reliability of financial records, 9

12 effectiveness and efficiency of operations including safeguarding of assets, and compliance with applicable laws, rules, and regulations are achieved. Because of inherent limitations in internal control, errors or fraud may nevertheless occur and not be detected. Also, projections of any evaluation of internal control to future periods are subject to the risk that conditions may change or compliance with policies and procedures may deteriorate. Our reports are designed to assist the Maryland General Assembly in exercising its legislative oversight function and to provide constructive recommendations for improving State operations. As a result, our reports generally do not address activities we reviewed that are functioning properly. This report includes findings relating to conditions that we consider to be significant deficiencies in the design or operation of internal control that could adversely affect UMBI s ability to maintain reliable financial records, operate effectively and efficiently, and/or comply with applicable laws, rules, and regulations. Our report also includes findings regarding significant instances of noncompliance with applicable laws, rules, or regulations. Other less significant findings were communicated to UMBI that did not warrant inclusion in this report. The response from the USM Office, on behalf of UMBI, to our findings and recommendations is included as an appendix to this report. As prescribed in the State Government Article, Section of the Annotated Code of Maryland, we will advise USM regarding the results of our review of its response. 10

13

14 Grants RESPONSE TO THE LEGISLATIVE AUDIT REPORT UNIVERSITY SYSTEM OF MARYLAND UNIVERSITY OF MARYLAND BIOTECHNOLOGY INSTITUTE FOR THE PERIOD FEBRUARY 14, 2003 FEBRUARY 2, 2006 Findings and Recommendations Finding 1 UMBI did not make an adequate effort to collect delinquent accounts related to certain outstanding grant reimbursement requests. Recommendation 1 We again recommend that UMBI comply with CCU regulations related to the collection efforts of unpaid accounts. Response 1 As was documented by the auditors, the sample accounts were all selected within a timeframe when our contract and grant accountant was on medical leave. This situation left us with only one staff person to handle more than $25M in grant expenditure activity for this time period. It is our procedure to issue dunning notices at 30 day intervals past the original invoice date, and this process did resume within a reasonable time of the contract and grant accountant returning to work, and continues to be followed to date. Information Systems Security and Control Finding 2 Information technology disaster recovery plans did not exist or were insufficient. Recommendation 2 We recommend that, in accordance with the aforementioned IT Disaster Recovery Guidelines, UMBI develop and implement comprehensive information systems disaster recovery plans, which cover all critical functions, at its headquarters unit and five research centers. Response 2 The OIS headquarters unit has developed and implemented a disaster recovery environment which addresses ALL of the services provided by the unit and not just critical systems. The written plan will be enhanced to

15 RESPONSE TO THE LEGISLATIVE AUDIT REPORT UNIVERSITY SYSTEM OF MARYLAND UNIVERSITY OF MARYLAND BIOTECHNOLOGY INSTITUTE FOR THE PERIOD FEBRUARY 14, 2003 FEBRUARY 2, 2006 comply with the University System of Maryland Guidelines in Response to the State IT Security Policy, dated April Centers which had no plan or had components of the plan needing improvement will develop and document plans by December, Finding 3 UMBI s internal computer network was not adequately secured. Recommendation 3 We recommend that UMBI take the necessary actions to improve network security to protect its network. We made detailed recommendations to UMBI which, if implemented, should provide adequate security over its internal network. Response 3 Publicly Accessible Servers: UMBI agrees that it s internal computer network must be protected from external threats and has in fact gone to great lengths to ensure that it is secure. However, placing publicly available information in a neutral network zone, as suggested by the auditors, will either make such information less secure or require an unnecessary, costly and burdensome level of redundant security systems. UMBI has in fact placed great emphasis on protecting all information, including that information accessible to the public, as we deem making information accessible remotely an important part of our mission. Yet we do so in a way that while not in strict accordance with State guidelines, using the flexibility explicitly allowed for per USM policy, achieves the same functional compatibility with State guidelines required by USM policies. The mere presence of information accessible to the public within UMBI s internal network does not create an unacceptable security risk. Unauthenticated access to UMBI information is only available via the Web for viewing purposes and UMBI has protection systems to prevent this information from being modified or manipulated. Access to all other data requires additional layers of security which are time-proven and state-of-theart methods to ensure an appropriate level of protection. Due to UMBI s mission as a research institution much information is required to be remotely (i.e., publicly) accessible, and we feel that all

16 RESPONSE TO THE LEGISLATIVE AUDIT REPORT UNIVERSITY SYSTEM OF MARYLAND UNIVERSITY OF MARYLAND BIOTECHNOLOGY INSTITUTE FOR THE PERIOD FEBRUARY 14, 2003 FEBRUARY 2, 2006 information requires a great degree of protection. One reason is because UMBI faculty and staff regularly need to access services from all of our servers from remote locations due to their extensive travel and collaborations with researchers. Along the same lines, often research collaborators also must be able to access data remotely. In cases where the data are of a proprietary nature, authenticated access and other appropriate methods are used to ensure that only those persons authorized to access the data can do so. UMBI has no financial, personnel, student nor patient data on any UMBI publicly accessible servers. UMBI feels that it has achieved an acceptable level of security given the mission critical need for UMBI faculty and staff to access information remotely and share research results and collaborating on research activities with researchers worldwide. We will diligently continue to enhance and add layers of security wherever appropriate. CBR Network Protection: UMBI will work with UMCP to implement firewalls and Intrusion Prevention Systems for CBR. We will strive to have such systems in place by December 2006 Firewall Rules: UMBI will continue to enhance firewall rules and monitor regularly for rules that may no longer be required. Such efforts are expected to be completed by December Intrusion Prevention System: UMBI s intrusion prevention systems not only report inappropriate traffic but also automatically blocks such intrusions, and therefore are indeed effective and do not necessarily require alerts and reporting of blocked activity. Additionally, daily monitoring of these systems are done to make sure they are operating and functional. Appropriate alerts and monitoring of reports for blocked traffic will be implemented. Such efforts are expected to be completed by December 2006.

17 RESPONSE TO THE LEGISLATIVE AUDIT REPORT UNIVERSITY SYSTEM OF MARYLAND UNIVERSITY OF MARYLAND BIOTECHNOLOGY INSTITUTE FOR THE PERIOD FEBRUARY 14, 2003 FEBRUARY 2, 2006 Finding 4 Controls for network authentication were inadequate. Recommendation 4 We recommend that UMBI comply with account and password requirements of the aforementioned USM Guidelines in Response to the State Information Technology Security Policy and Standards. Response 4 UMBI will implement a stronger password mechanism that is in compliance with USM IT security guidelines. This implementation is expected to be completed by December Cash Receipts Finding 5 Cash receipts collected at two of UMBI s locations were not transferred timely for deposit. Recommendation 5 We recommend that UMBI transfer all cash receipts for deposit in a timely manner as required by the Comptroller of the Treasury. Response 5 UMBI uses the services of the Bursar at University of Maryland College Park for all cash deposits. This is necessary to ensure that deposits are recorded accurately in our accounting system as we utilize UMCP systems. Although not documented, we believe that we transferred all deposits to the UMCP Bursar s office timely as required. It is likely that deposits were either held and batched by the UMCP Bursar s office, or delayed due to the time required for them to make their way through the UMCP mail system. We will now send all deposits via overnight express directly to the UMCP Bursar s office to document our transmission of cash receipts in a timely manner.

18 AUDIT TEAM Peter J. Klemans, CPA Audit Manager Stephen P. Jersey, CPA, CISA A. Jerome Sokol, CPA Information Systems Audit Managers Heather A. Warriner Senior Auditor Albert E. Schmidt, CPA Information Systems Senior Auditor Julie R. Newton Staff Auditor Veronica Arze Information Systems Staff Auditor