Enhancing Fiscal Accountability in Georgia through Educated Financial Reporting

Fiscal Affairs Accounting and Reporting Update Creating A More Educated Georgia September 16, 2015 Claire Arnold, CPA 1

Fiscal Year 2014 Finding Summary External Auditor Results for Fiscal Year 2014 (July 1, 2013 thru June 30, 2014) Total number of findings up 123% from 13 in FY13 to 29 in FY14 Financial Statement findings up 20% from 5 in FY13 to 6 in FY14 Federal/Financial Aid findings up 188% from 8 in FY 13 to 23 in FY 14 Ineffective Logical Access Controls (7) Creating A More Educated Georgia 2

Creating A More Educated Georgia Segregation of Duties 3

Auditing Controls Limit Privilege Functions to appropriate personnel Review your security administrators on campus. Look at users with full access. Do users have access to system utilities/resources such as database tools, sql tools and crystal reports? Creating A More Educated Georgia 4

Auditing Controls Local Security Administration - Maintain Segregation of Duties by separating the following roles: Requesting Access Approving Access Setting up Access Monitoring Access and Violations Performing Rights as a privileged user, and Monitoring a privileged user Creating A More Educated Georgia Ensure Appropriate User Access and Authorization Is there an authorization form on file with the appropriate approvals in place? Are these periodically reviewed for changes or updates? Are terminated employee accounts locked or removed? (BOR_SEC_TERMINATED_USERS) Are user accounts reviewed for segregation of duties issues? 5

Ineffective Logical Access Controls BANNER MODULES Accounts Receivable Student Financial Aid Creating A More Educated Georgia Admissions; Registrar Financial Aid Bursar; Business office S Objects/Screens SPAIDEN R Objects/Screens RPAAPMT RPAAWRD T Objects/Screens TSASPAY Objects/ Screens Release funds to student accounts What they do Create students Award financial aid 6 Reviewed Modify access (BAN_DEFAULT_M) to screens

Ineffective Logical Access Controls Modify Access to: Means: Implication: Someone can add students, award financial aid, and release funds to student accounts. S screens R screens T screens SOD issue likely Creating A More Educated Georgia Someone can add students and award financial aid. S screens R screens SOD issue likely Someone can award financial aid and release to student accounts. R screens T screens SOD issue likely Someone can add students and release funds to their accounts. 7 S screens T screens SOD not likely

Logical Access Controls How to review your institution s access in Banner: User access for all object class roles in Banner Utilize the Auditing Tool Kit - Script - Class Security Report by Object Script must be executed by Banner DBA or Security Admin and run for all objects Creating A More Educated Georgia 8

Logical Access Controls How to review your institution s access in Banner: Listing of Active Employees (Compare to Class Security Report by Object) Isolate Critical Objects: SPAIDEN, RPAAPMT, RPAAWRD, and TSASPAY with BAN_DEFAULT_M Role TSASPAY Student Payment Form that allows users to enter payments or charges for student accounts per term RPAAPMT package maintenance form allows updates to period award status RPAAWRD allows updates to the period award status column in the RPRATRM table SPAIDEN mainly used for updating student information such as: name, address, telephone, bio, email, etc. Creating A More Educated Georgia 9

Logical Access Controls How to review your institution s access in Banner: Other Banner Areas to consider: SAADMS Admissions application SAADCRV Admissions decision forms Registration Fee Assessment Process SFRRGFE Fee Assessment Rules TBRACCD Student Accounting Detail TBBDETC Detail Code Definition SFRSTCR Student Course Registration SFRRFCR Course Refund Percentage Table SSADETL Section Fees SFREFEE Student Registration Additional Fees Repeating Table SFRAFEE Registration Additional Fees Repeating Table SFRFMAX Min/Max Charge for Detail Code/Term SFRBTCH Fee Assessment Collector Table SFRFAUD Fee Assessment Audit History Table Creating A More Educated Georgia 10

Logical Access Controls How to review your institution s access in Banner: Identify conflicting roles Review employee s job descriptions Discuss mitigating controls Creating A More Educated Georgia 11

Logical Access Controls How to review your institution s access in Banner: Determine policies or procedures for authorizing users for Banner Are adequate measures in place to ensure that when a user is terminated or transferred their access is changed accordingly? How long do you retain authorization forms? Does it seem adequate? Verify access to resources and utilities with Banner application is limited Resources FAFSA Financial Aid Data Downloads Utilities Crystal Reports, SQL Creating A More Educated Georgia 12

Change Management Determine policies or procedures for authorizing changes to Banner (Major Changes verses System updates/patches) Is your process well documented to provide audit evidence? (Planned changes verses emergency updates) Are changes or modifications tested prior to being put into production? Can you document that test and user approval? Creating A More Educated Georgia 13

Additional Things to Consider Document Analysis/Review of Segregation of Duties Updated/clear Policies and Procedures for SFA Documented - SFA Risk Assessment Available documentation audit evidence All audits and Full Disclosure Management Reports Engagements will receive SFA Compliance for FY 2015. Additionally, those with a federal finding in FY 2014 or previously unresolved SFA findings will be reviewed. Creating A More Educated Georgia Fort Valley, Clayton, GRU, Ga Southern, GPC, GSU, KSU, VSU, Albany, Columbus, UNG, SSU, ABAC, Darton, GGC, East Ga, Gordon, Middle Ga and South Ga 14

FY 2015 Financial Engagement Cycle DOAA is currently conducting fieldwork on the audits and FDMR engagements Exit Conference Include USO Accounting and Reporting Agreed Upon Procedures (AUP) engagements postponed until January 2016 Modifications to the AUP engagements Reduce testing to areas of importance Balance Sheet Support; Bank Reconciliations, Subsidiary Module reconciliations, SEFA, AFR reflects accounting records activity, etc. Creating A More Educated Georgia 15

Standardized Chart of Accounts Standardized Chart of Accounts verses SHARE Accounts Revisions to Chart of Accounts: Goals: Consistency Information Institutional Functionality Chart of Accounts Committee Committee Members: Bruce Spratt, Nick Henry, Julie Peterson, Ruth Berger, Kim Brown, Jeff Hall, Michelle Hamm, budget representatives, and ITS representatives Submit Suggestions to Claire.Arnold@usg.edu by October 16 Timeframe December 2 and 3 Creating A More Educated Georgia 16

December Workshop Dates: December 1 and 2 Location: Middle Georgia Math Auditorium Time: Day 1 - 9:30 am to 5:00 pm Day 2 - 8:30 am to 4:00 pm Preliminary Topics: New Federal Expenditure Requirements/State Purchasing New Retiree Health Insurance Accounting Process Standardized Chart of Accounts Reviewing Audit Results oneUSG Update Joint Staffing/TRS Eligible Salaries GSFIC/MRR/PPV/Capital Improvements Allowable/Unallowable and Accounting AFR/BCR Improvement Discussion Creating A More Educated Georgia 17