Connecticut State Colleges and Universities Report to Management Year Ended June 30, 2014

Transcription

1 Connecticut State Colleges and Universities Year Ended

2 December 23, 2014 To the Board of Regents of Higher Education of the Connecticut State Colleges and Universities In planning and performing our audits of the combined financial statements of Connecticut Community Colleges ( CCC ) and the combined financial statements of Connecticut State University System (CSUS), including the System Office and the four individual Universities, as of and for the year ended, we considered CCC and CSUS s internal control with respect to financial reporting in order to determine our auditing procedures for the purpose of expressing our opinion on the combined financial statements, but not for the purpose of expressing an opinion on internal control over financial reporting. Accordingly, we do not express opinions on CCC or CSUS s internal control over financial reporting. Our consideration of internal controls over financial reporting was for the limited purpose described in the preceding paragraph and would not necessarily identify all deficiencies in internal control over financial reporting that might be significant deficiencies or material weaknesses as defined below: Control Deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. Significant Deficiency a control deficiency, or combination of control deficiencies, that adversely affects the company s ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity s financial statements that is more than inconsequential will not be prevented or detected. Material Weakness a control deficiency, or combination of control deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected. We noted certain matters involving internal control and its operation, and are submitting for your consideration related recommendations designed to help CCC and CSUS make improvements. We are providing you with a full detail report of all deficiencies and operational or business observations identified through the audit process. Certain of these deficiencies are considered to be significant deficiencies, which are identified below. A description of each matter is further described in the pages to follow. We have determined that the Financial Reporting, Accounting for Debt Service Reserve Funds and the Continuing Disclosure Requirements comments constitute significant deficiencies in CCC and/or CSU s internal control structure. This report has been organized by current year comments and comments still applicable and closed comments. In the current year comments and comments still applicable, detailed comments, findings, observations, recommendations for improvement, and responses from Connecticut State Colleges and Universities (CSCU) are outlined by entity for which the comment is applicable. The closed comments section summarizes prior year findings and recommendations that CSCU have acted upon and have adequately resolved. PricewaterhouseCoopers LLP, 185 Asylum Street, Suite 2400, Hartford, CT T: (860) , F: (860) ,

3 Board of Regents Connecticut State Colleges and Universities December 23, 2014 The accompanying comments, recommendations and summaries are intended solely for the information and use of management and the Board of Regents of CCC and CSUS, and are not intended to be and should not be used by anyone other than these specified parties. We appreciate the cooperation and assistance we have received from CCC and CSUS management and staff in developing our findings, observations and recommendations. We also appreciate the opportunity to have been of service to you, CCC and CSUS. Should you have any questions about our findings, observations and recommendations, this letter, or any other matter, please contact us at your convenience. Very truly yours, Hartford, Connecticut

4 Index to Page(s) Current Year Comments and Prior Year Comments Still Applicable I. CONNECTICUT STATE COLLEGES AND UNIVERSITIES General Comments A. Financial Reporting (significant deficiency)*... 1 B. Accounting for Debt Service Reserve Funds (significant deficiency) C. Federal Award Compliance and Audit Requirements (forward looking) D. Enterprise Wide Risk Management II. CONNECTICUT STATE UNIVERSITY SYSTEM OFFICE General Comments A. Continuing Disclosure Requirements(significant deficiency).. 5 B. Review Procedures over Potential Unrecorded liabilities... 6 III. CENTRAL CONNECTICUT STATE UNIVERSITY Information Technology Comment A. Enhance Periodic Review of User Access Rights... 6 IV. EASTERN CONNECTICUT STATE UNIVERSITY There are no open comments. V. SOUTHERN CONNECTICUT STATE UNIVERSITY General Comments B. Timely P-Card Audits... 6 C. Journal Entry Create, Post and Approval... 7 Information Technology Comments C. Enhance Network Security Settings... 7 D. User Access Termination for Contractors and Temporary Employees *... 7 VI. WESTERN CONNECTICUT STATE UNIVERSITY There are no open comments. VII. CONNECTICUT COMMUNITY COLLEGES General Comments A. Accounting for Leases*... 9 B. Accrued Compensated Absences... 9 Information Technology Comments C. Perform Banner User Access Review* D. Develop Disaster Recovery/Business Continuity Plan * * Prior year comment still applicable for the year ended Closed Comments... 12

5 Current Year Comments and Prior Year Comments Still Applicable I. Connecticut State Colleges and Universities A. Financial Reporting (significant deficiency)* Prior Year There has been significant change within the organization over the recent period with consideration to the merger of the community colleges (CCC) and state universities (CSUS), a new President and Chief Financial Officer as well as some downsizing of employees across the institution. Given these changes, there is a potential for increased risk within financial reporting. In particular, certain reviews or processes were not be performed, whether due to a change in personnel or as a result of turnover where inadequate training or transition of knowledge has not taken place. Prior Year As part of this transformation, there is great opportunity to take a fresh look at the overall organization and perform an overall risk assessment, focusing on a variety of key aspects of the institution. In particular, as it relates to financial reporting, we recommend management revisit, analyze and assess the organizational structure, including the reporting at each individual school and the system offices, as well as the policies and procedures in place for the combined institutions, implementing best practices from each of the separate systems into one common practice across all schools and formalize a new set of policies and procedures. Recognizing the above will take a considerable amount of time, we recommend management consider making an evaluation of the top risks of the institution identified to date and ensuring appropriate procedures and processes are in immediate place now for such items with a plan to revisit other areas over the upcoming year. Applications to be reviewed should include, but not limited to: treasury, capital assets, purchasing, payroll and revenue. This critical evaluation would also help in the elimination of outdated processes. Current Year Update Management identified a magnet school of CCC (Three Rivers) that was in existence for the duration of fiscal 2013 where management had not given appropriate consideration as it relates to potential reporting considerations of CCC. There was a break down in the operations of the internal controls which was a direct result of the significant turnover in management and lack of awareness of the matter by the new management team. Recognizing the significant change in management and turnover at the institutions as well as limited resources, there is increased risk over financial reporting. In particular, there is limited oversight and review related to various processes performed by members of the accounting staff as further described below. CSU identified a $524 thousand discount related to bonds payable that was inappropriately included (netting down) the premium related to bonds payable as reported in the 2013 financial statements. In preparation of the 2014 financial statements, management reclassified the 2013 financial statement amounts originally reported to correct the $524 thousand of deferred outflows of resources (discount on bonds payable) to deferred inflows of resources (premium on bonds payable). 1

6 Current year recommendation Key management roles have now been filled and the CSCU management team has begun strengthening its internal control structure. However, given the significant turnover and learning curve a large GASB organization, we encourage management to hold training sessions as it relates to potential concerns and areas of risk. In addition, we recommend regular and recurring meetings with various accounting personnel which discuss, in depth, the CSCU policies and procedures and determines where enhancements should be made. Management's Response The details concerning the Three Rivers magnet school was reviewed in detail by the former CFO prior to inception, and the resulting agreement was approved by the board. It was evaluated in the current year and deemed not to be a component unit. As the previous CFO was not available to discuss the evaluation made or not made in FY 2013, there is no basis to assume that there was a break down in the operations of internal controls. However, we agree that high turnover in CSCU management is cause for concern, and processes and policies require more review and rigor. The CSCU CFO has now been in place for a year and has hired a CSCU Controller to oversee the accounting and financial reporting function for the CSCU system. The CSCU Controller is implementing additional controls and financial reviews of information that may impact the annual financial statements. Financial policies vary to a great degree between the CSUs and CCCs and are currently under review. The goal is to establish system wide policies as appropriate. The CFO currently meets regularly with the CSU VPs of Finance and separately with the CCC Deans of Administration. Internal controls and other financial matters will be addressed at these meetings more frequently. Additionally, a system wide finance steering committee made up of the CSCU Controller, university Controllers and college Directors of Finance has been established to review system wide financial policies and procedures as well as the system accounting structure and reporting methods. B. Accounting for Debt Service Reserve Funds (significant deficiency) CSUS had inconsistent accounting for its debt service reserve funds, those funds that were set aside to make principle payments on its CHEFA bonds. At Southern Connecticut State University (SCSU), bond funds were recorded as part of restricted expendable net position, while at other institutions; debt service reserve funds were recorded as part of unrestricted net position. GASB accounting pronouncements indicate that restricted assets are those assets with restrictions on their use that are externally imposed (by creditors, grantors, contributors, or the laws or regulations of other governments) or that are imposed by the government s own constitutional provisions or enabling legislation. Management engaged legal counsel to conclude on whether the debt service reserve funds met the definition of restricted assets and a conclusion was reached that these assets should be reported as part of unrestricted net position. In preparation of the 2014 financial statements, management reclassified $18 million of net position from restricted expendable to unrestricted on the CSUS 2013 Statements of Net Position. CSUS management identified the error in the current year and has resolved the matter by the reclassification, but due to the dollar amount and the timing of when the error was identified by management, we consider this out of period error to be a significant deficiency. Management should ensure that all Universities are consistent in their accounting policies and accounting and any other discrepancies be identified and resolved. As part of this process, management should 2

7 consider implementing procedures where an additional level of review will be performed by the System office over the various components of net position meeting a set threshold which would help in the prevention of a material misstatement. Management believes that this was an isolated error due to misinterpretation of the definitions. To ensure there are no future misinterpretations, the CSCU Controller will include in the abovereferenced periodic meetings a systematic review of all balance sheet items, with emphasis on judgmental areas, to ensure accurate and consistent interpretation of the accounting definitions. In addition, all new GASB pronouncements will be discussed. C. Federal award compliance and audit requirements (forward looking) The OMB published Sweeping Reform guidance, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (the guidance). This represents the culmination of a process undertaken by OMB to accomplish several objectives including streamlining existing federal administrative, cost and audit circulars, reducing administrative burden, and reducing the risk of fraud, waste, abuse and improper payments. This guidance replaces several existing OMB circulars including A-110, A-21, and A-133. The guidance includes numerous changes from existing compliance and audit rules that CCC and CSUS should now be considering and planning to implement by the effective date. CSU has recorded approximately $61 million and CCC has recorded approximately 97 million as federal grant and contracts revenue. The more significant items are included below but this is not a complete list of all changes. Federal agencies must provide award performance goals, indicators and milestones, and recipients must relate award financial data to the performance goals and provide cost information to demonstrate cost efficiencies. There is some relief for research and development awards. Procurement requirements are largely taken from A-102 rather than A-110. Because of this, there is much more emphasis on competition and competitive bids. Recipients must maintain effective internal controls. COSO and the federal Green Book (federal agency internal control framework) are listed as two examples that "should" be followed as a best practice. Subrecipient monitoring has largely not changed and there is specific emphasis on performing a risk assessment of each subrecipient. The traditional three examples of effort reporting have been removed. Emphasis is placed upon using existing payroll distribution systems, and strengthening internal controls to assure an accurate distribution of payroll. OMB plans to develop new required compliance audit procedures for auditors to follow. The procedures will be designed to focus on and have greater emphasis on the goal of reducing fraud, waste, abuse, and improper payments. The new OMB guidance represents the first time in decades where OMB and the federal agencies have focused on reducing the burden of compliance and audits while still achieving effective program management and accountability of public funds. The changes are extensive, and many of 3

8 them will require institutions to take a critical look at their internal compliance structure and processes to determine where change is required to existing institutional practice. Given the relatively short time to the effective date, CCC and CSUS should be examining each of the more significant items, the impact to the institutions, and develop an implementation plan and timetable. We believe the most significant impact to CCC and CSUS will be the greater emphasis on internal control best practices. This will necessitate the institutions to document and put into place internal controls over compliance at a minimum. CCC and CSUS should begin to document these policies to determine whether there may be significant gaps that should be addressed. We agree that these changes to Federal award compliance are significant. CSCU management will engage its various institutions on the implications of these new guidelines and work to develop the necessary controls to comply with the new OMB guidance. D. Enterprise Wide Risk Management Risks continue to expand and grow in every organization, especially in large decentralized organizations such as Connecticut State Colleges and Universities (CSCU). Strategic minded organizations cannot completely eliminate risk, however they do strive to understand their risks and how those risks can impact the organization s academic profile, reputation, health and safety of its students and financial profile. Risk cannot be avoided, but it can be better understood and balanced in order for CSCU to effectively pursue its strategic goals. Enterprise wide risk assessments are important, as it is the best way in which organizations can get a handle on the significance of each risk is to the achievement of its overall goals. CSCU should explore the possibilities of a risk management program and function. When considering this program, it should seek synergies among institutional compliance, internal audit, and risk management functions. In order for these risk identification and mitigation activities to be successful within an institution, it is important to embed the key components of the risk and compliance framework within the entire organization. It is also important to determine what the criteria are for success and how success will be measured. In order for any risk or compliance program to be regarded as a long-term, viable option for the identification, assessment, and monitoring of risks, there must be perceived and real value derived from execution of the framework. As educational institutions appropriately increase their focus on enhancing enterprise-wide risk, compliance, and internal functions, it will be important to focus on the efficiency and effectiveness of the integrated risk and compliance program. Ensuring that the return on investment in these individual functions is realized and that institutional accountability for risk identification, monitoring, training, and internal auditing is clear We agree that enterprise risk management is a critical assessment and have kicked off the first of a series at CSCU. We are beginning with the system offices and will extend to the institutions when the framework is stable. 4

9 II. Connecticut State Universities Systems Office ( CSUSO ) A. Continuing disclosure requirements (significant deficiency) CSUS was not in compliance with its Continuing Disclosure Requirements. Specifically, In November 2009 and April 2010 Moody s Investors Service (Moody s) upgraded the credit rating of the State of Connecticut and as a result, the ratings of the State of Connecticut Health and Educational Facilities Authority Revenue Bonds (CHEFA) Series F, G, H, and I, which were issued on behalf of CSUS were upgraded. In October, 2010 and November 2011, Standard & Poor s Ratings Services (S&P) downgraded the insurer financial strength rating of Assured Guaranty Municipal Corporation and as a result CHEFA Series F, G, H, and I which were issued on behalf of CSU were downgraded. Although these bond rating changes were made at the State level, the state credit rating impacts the CSUS credit rating. CSUS was not informed of the credit rating change by the State of Connecticut and therefore did not previously report such rating changes in a material event notice. As such, CSUS was not in compliance with its continuing disclosure requirements. Anti-fraud rules Rule 15c2-12 generally prohibits any underwrite from purchasing or selling municipal securities unless the Issuer has committed to providing continuing disclosure regarding the security and Issuer, including information about its financial condition and operating data. Rule 15c2-12 also generally requires that any final official statement prepared in connection with a primary offering of municipal securities contain a description of any instances in the previous five years in which the issuer failed to comply, in all material respects, with any previous commitment to provide such continuing disclosure. The Securities Exchange Commission may file enforcement actions under either Section 17(a) of the Securities Act of 1933 and/or Section 10(b) of the Exchange Act against issuers for inaccurately stating in final official statements that they have substantially complied with their prior continuing disclosure obligations. We recommend management revisit the current procedures in place to monitor debt compliance and look to enhance such procedures to prevent future noncompliance. The failure to comply with the provisions as defined in the bond agreements could have significant consequences to the institution. The bonds issued by CHEFA on behalf of the CSUS carry the credit rating of the State of Connecticut. When a credit rating change is issued a disclosure is issued by the State related to the debt backed by the State. However, CSCU management still recognize its role in making the necessary disclosures related to material events that effect debt issued on behalf of CSUS. Management has put in place a review structure to assess continuing disclosure requirements related to its debt, on a quarterly, biannually and an annually basis. 5

10 B. Review Procedures over Potential Unrecorded Liabilities As a result of the search for unrecorded liabilities, PwC identified invoices that were improperly accounted for at year-end. Review of invoices received subsequent to year end helps to ensure a complete and accurate payable balance. CSUS should review the procedures in place to accumulate and record invoices received subsequent to the closing of the accounts payable system to capture all the liabilities at period end. Disbursements issued subsequent to year end should be monitored to identify any related liabilities that should have been recorded at year-end. We agree with this recommendation and have documented procedures to strengthen the unrecorded liabilities process and properly account for annual accruals after year end. III. Central Connecticut State University ( CCSU ) Information Technology Comments A. Enhance Periodic Review of User Access Rights As a result of the periodic review of user access to the Banner application, PwC identified (1) one user who was denoted for removal as a result of the review; however, per inspection of Banner user access list, access was not removed from the application. Timely revocation of terminated employee access helps reduce the risk of unauthorized access to sensitive data. Management should ensure that all access to the system is commensurate with the reviews performed and ensure each identified modifications are adequately followed up and completed in accordance to the results of the assessment. Management agrees with the observation and recommendation. Corrective actions have already been taken to independently verify that each identified modification is removed in a timely fashion in accordance to the reviews performed. IV. Eastern Connecticut State University ( ECSU ) There are no comments applicable to ECSU. V. Southern Connecticut State University ( SCSU ) SCSU General Comments A. Timely P-Card Reviews Per policy, P-Card holders are subject to annual audits of P-Card activity. Testing revealed that P- Card audits were not done timely in accordance with policy in four (4) out of fifteen (15) instances reviewed. 6

11 Management should ensure that P-Card audits are performed timely in order to deter and detect misuse or fraudulent spending. Management agrees with the observation. The University is reviewing p-card procedures related to the scope of annual audits and due to the growth of the program (from 100 to over 600 cards) is realign personnel resources to provide timely audit reviews. B. Journal Entry Create, Post and Approve In order to ensure appropriate segregation of duties, a single person should not have the authority to create, post and approve journal entries. We noted two (2) out of thirty (30) instances tested, where a single individual created, posted and approved a journal entry Management should ensure that they implement and enforce a policy to allow for segregation of duties with respect to journal entries such that an individual person does not have the ability to approve a journal entry that they have created and posted. Management agrees with the observation. Beginning with the new fiscal year (FY2015), changes to the journal entry process have been addressed with clearer documentation on the entries in question to insure that an individual person does not have the ability to approve a journal entry that they have created and posted. SCSU Information Technology Comments C. Enhance Network Security Settings The Windows Active Directory is configured with a minimum password length of eight (8) characters; however, there is currently no password expiration. Strong password parameters help to ensure the integrity of the information. Management should consider enhancing the network security settings to force periodic password changes to mitigate the risk of unauthorized access to the network. Management's Response Management agrees. OIT will modify the password policy to include a forced expiration period, and once that is formalized, we will enforce it. D. User Access Termination for Contractors and Temporary Employees End user access to systems and applications is removed upon formal communication from the HR department. Our review of the termination process identified that formal HR communication excludes user provisioning for contractors and temporary employees. Currently there is no formalized process for communicating contractors and temporary employees to the IT department that no longer require access to systems and applications. The lack of a formalized process for communicating contractors and temporary employees that no longer require system and application access increases the risk that access may remain active past the date for which it 7

12 was authorized. In addition, testing performed to ensure that user access was removed from the Windows Active Directory as well as the Banner financial modules identified that three (3) of five (5) users sampled continue to have an active account. Management should work towards implementing a formalized process to ensure that all contractors and temporary employees have their access to systems and applications disabled/removed in a timely manner. Ensuring that all system and application users have their access disabled/removed timely will help management gain comfort that only authorized end users have active access to key financial and student information. In addition, management should continue to emphasize the importance of removing access which is no longer required to ensure that only authorized users have access to systems and applications Current Year Update This comment is open. Testing revealed that of 20 terminated users tested, one (1) user had an active Windows Active Directory account. Upon identification of the active user, the account was immediately disabled by the network administrator. The auto-generated report of Terminated Employees that Windows Server Team has been relying upon to determine account eligibility, has not always been in sync with HR s most accurate and up-t0-date records. Therefore, we will be modifying the current process so that the Windows Server Team will regularly receive notification and modify each individual Terminated User notice, as they occur, rather than relying on the auto-generated report. This should resolve the issue as well as streamline the process. In addition to this process, per a prior agreement, on a quarterly basis HR will be providing lists from CORE-CT the following lists: These are the lists that PWC requests every year in preparation for their visit. New employees from last date supplied to present Transferred employees/new roles assigned from last date supplied to present Terminated employees from last date supplied to present All current and active employees These lists will be provided to the Windows Server team and they will use them as a further check for any missed terminations in the interim. Lastly, the Windows Server team is exploring the feasibility of implementing more automated solutions that will eliminate manual intervention in regards to employee terminations. VI. Western Connecticut State University ( WCSU ) There are no comments applicable to WCSU. 8

13 VII. Connecticut Community Colleges ( CCC ) CCC General Comments A. Accounting For Leases* Prior Year CCC does not formally evaluate its leases at inception to determine the appropriate accounting in accordance with SFAS 13, Accounting for Leases (GASB guidance for leases refers to non-codified FASB guidance, SFAS 13). Although there were no errors identified in the classification of leases during the year, there were new leases, some of which were significant, which were not formally assessed to determine if they were a capital lease or an operating lease. Prior Year Management should develop formal policies and procedures for the evaluation of leases at inception. This policy should include the review of the four criteria established by SFAS 13 to determine whether the lease should be classified as a capital or operating lease. As the accounting rules for lease transactions are complex, an individual within finance familiar with the accounting rules should be given the responsibility for understanding and evaluating all lease transactions. Management s Prior Year Response The CCC does maintain a set of policies, including one entitled Fixed Asset Inventory and Accounting Policy which has a section entitled Capital Leases. This section appropriately defines the consideration for capital versus operating leases. We will send a reminder to the Deans of Finance and Administration to review the policy carefully in making decisions, and to consult with System Office whenever there is a question concerning proper lease classification at the inception of a lease. Further, we will request that Facilities notify System Office at the onset of a lease so that we may opine on its classification. Current Year Update This comment is still applicable. Further, CCC does not perform a formal review over the preparation of the financial statement footnote related to Operating Leases. As part of audit testing, we compared the list of new lease contracts to the original schedule used as a basis for reviewing the financial statement footnote, and found that a contract had been omitted. Upon review of the updated schedule, it was found that the omitted contract had only been partially included. We agree that there should be a central review of capital leases to verify they are properly accounted for. The CCC does maintain a set of policies, including one entitled Fixed Asset Inventory and Accounting Policy which has a section entitled Capital Leases. This section appropriately defines the consideration for capital versus operating leases. We will send a reminder to the Deans of Finance and Administration to review the policy carefully in making decisions, and to consult with System Office whenever there is a question concerning proper lease classification at the inception of a lease. Further, we will request that Facilities notify System Office at the onset of a lease so that we may opine on its classification. B. Accrued Compensated Absences No review by someone other than the preparer of the estimate for accrued compensated absences is performed. As part of detailed testing over accrued compensated absences, an error was identified in the calculation of the accrued salary and fringe liability which resulted in an overstatement of the liability of $600k. Accrued Compensated Absences is a significant liability and estimate of CCC and as such warrants a more robust review of the calculation. 9

14 Management should develop formal policies and procedures to include the review of accounting estimates as well as period end financial reporting processes which have a significant impact on the financial statements which are prone to human error. Management's Response We agree and CSCU management will develop a procedure around additional reviews of the accrued compensated absence calculation. CCC Information Technology Comments C. Perform Banner User Access Review A periodic review of Banner user access rights was not completed during the 2013 fiscal year. Performing a timely periodic review of user access rights helps to ensure that access rights are commensurate with user job responsibilities. In addition, the review will also aid in detecting terminated or transferred users that may not have been processed through the standard working practices. Management should conduct a periodic and cooperative review by both IT and business area owners of user access rights for the Banner application. Such regular reviews of access rights assigned to user accounts would help to ensure that user access to the application's functions and features are commensurate with their jobs responsibilities. Current Year Update This comment remains open, as no periodic access review was performed during fiscal year2014. Management's Response Management is working on a process that will allow each Colleges IT and Business areas to review their own access rights. This will be completed by September 12 th. This job will be automated to run twice a year for each college to review. The intervals will be October 1 st and March 1 st. Each college will be asked by the BOR to confirm they have reviewed the reports via a confirmation e- mail from their security coordinator. D. Develop Disaster Recovery/Business Continuity Plan Management has not formally documented a disaster recovery or business continuity plan. Disaster recovery and business continuity plans together will help ensure that management will be able to recover in the event there is an operational failure resulting in a significant business interruption. Management should continue to work on developing formal disaster recovery and business continuity plans. In addition, once developed, the plan should be tested and updated on a periodic basis. Although management has received funding and approval to conduct Business Impact Analysis with SunGard (in 2005); a formal disaster recovery/business continuity plan has not yet been finalized. 10

15 Current Year Update This comment remains open. A full scale disaster recovery/business continuity plan continues to be an objective of the organization; however, management has not yet finalized a formal plan. Although no formally documented, the current disaster recovery strategy includes the establishment of a warm site in Enfield, CT. Management is moving forward to contract with a third party to design the warm site, expected to occur in December Management's Response Under the Transform 2020 IT Initiatives, there are a number of projects to lay the foundation for disaster recovery architecture and operations. These projects and the funding associates are required in the development of a DR plan, since no architecture or hardware exists to support DR operations. Once the architecture is in place and tested, then the actual plan will be developed, staff will be trained and the plan will be exercised to ensure operability. 11

16 Closed comments The following prior year observations were resolved by Connecticut State Colleges and Universities: CSUSO Review Date Center Access on a Periodic Basis - This comment has been closed. No exceptions were noted during FY2014 testing and therefore it is concluded that this control has been remediated. SCSU Update IT Strategic Plan- This comment is closed, as it is governed by the overall CSU System IT Strategic Plan. Developer Segregation of Duties- This comment is closed. PwC retested this control in FY2014, no exceptions were noted. Use of Generic ID s- This comment is closed. PwC retested this control in FY2014, no exceptions were noted. WCSU Perform the Banner User Access and Data Center Access Reviews - This comment is closed. PwC retested this control in FY2014, no exceptions were noted. Perform the Firewall Change Review - This comment is closed. PwC retested this control in FY2014, no exceptions were noted. CCC Capitalization Policy This comment is closed. No exceptions were noted during FY2014 testing. Perform Direct Data Change Review - This comment is closed. PwC retested this control in FY2014, no exceptions were noted. Perform Program Change Review - This comment is closed. PwC retested this control in FY2014, no exceptions were noted. Rename Windows Administrator Account and Change Password - This comment is closed. PwC retested this control in FY2014, no exceptions were noted. 12