Internal Audit Summary Reports

By Gladys Allen,2014-11-25 10:33
9 views 0
Internal Audit Summary Reports

    Internal Audit Quarterly Report

    University of Missouri

    Listed below are the internal audit reports that were issued from May 28, 2009 through September 30, 2009. A summary of action items by category and an executive summary of the audits along with a copy of each audit report is included for your information. PricewaterhouseCoopers LLP (PwC) will be presenting a summary overview of the audits and will be available to answer questions. The date indicated on each audit is the date when the audit report was issued. There is a time-lag between when field work is completed and when a report is issued in order to provide appropriate time for audit recommendations and the corresponding management responses to be written.

    Observations by Risk


    1. Restricted Gift Spending, UM System Wide, May 2009- - -

    2. Data Retention Assessment, UM System, September 20095 3 1

    3. Decentralized IT Security Controls, UMKC, September 20095 2 -

    4. Executive Expense Reports, UM System Wide, October 2009- 3 -

    Total 810 1

    In addition, PwC has included a summary of the follow-up results from 20 prior internal audit reports.

    The reports include our findings and assessed level of risk, as well as management's remediation plan for the findings. Below is the criteria used for the assessment of risk.

Assessment of Risk:

    High (H) Significant impact to the Institution, campus, or unit. Individually or aggregately material in terms of financial impact, external compliance violation, adverse publicity, significant or pervasive weakness in control environment, significant inefficiencies, etc.

    Medium (M) Moderate in terms of impact to the Institution, campus, or unit. Individual instance or an aggregate of low risk items considered moderate terms of financial impact, compliance violation, adverse publicity, weakness in control environment, efficiency, etc.

    Low (L) Low in terms of impact to the Institution, campus, or unit. Relatively immaterial in terms of financial impact, no external compliance violation, little adverse publicity, minor inefficiencies, etc.

     October 22-23, 2009


    Observations by Risk Internal Audit Summary Report

    H M L UM System Wide Restricted Gift Spending

    Report Date: May 11, 2009 - - -


    This project was an assessment of the internal controls surrounding the use of endowment funds across the University. It was included in the internal audit plan due to the size of the University's endowment accounts and the need to ensure that endowed funds are being spent in compliance with the donor's intent.

    The endowment for the University of Missouri System represents those gifts, bequests, and other funds directed to support University programs in perpetuity. Endowments are governed by endowment agreements, most often between the donor(s) and the University. Most endowments are commingled for investment purposes in one of two large investment pools: the Balanced Pool and the Fixed Income Pool. The expendable portion of the Balanced Pool (the Pool) is calculated by the Treasurer's Office at UM System based on a moving average of the market value of the Pool, with a cap and floor system. Once per year, the expendable portion of the Pool is transferred from each endowment principal account to each of the respective endowment spending accounts. In Fiscal Year 2009 $37 million was transferred to the respective endowment spending accounts. Each campus school or department is responsible for monitoring compliance with the terms of the endowment agreement. Each Campus Development Office maintains the responsibility for reporting on the distributions and expenditures from the endowment funds, with assistance from the Treasurer’s Office.

Scope and Approach:

    Our evaluation included the following procedures related to restricted endowments across the University of Missouri System:

    ; Developed an understanding of the processes and controls in place around the

    calculation and distribution of endowment revenues.

    ; Evaluated the accuracy and completeness of the calculation of the endowment

    distribution to the campuses.

    ; Developed an understanding of how endowment funds are monitored for compliance

    with spending requirements set by the University and the donor.

    ; Evaluated a sample of University endowment spending accounts for compliance with

    the requirements set by the University and donor.

Key Highlights:

    ; The internal controls related to the distribution and use of endowment funds at the

    UM System, campus and department level appear to be well designed to ensure the

    endowment funds are spent in compliance with the donor's intent.

; For the sample of expenditures selected no observations were noted.

     October 22-23, 2009


    Observations by Risk Internal Audit Summary Report

    H M L UM System Data Retention Assessment

    Report Date: September 25, 2009 5 3 1


    This project was a high-level assessment of the University's policies and procedures for data retention and records management, focusing on both hard copy and electronic records. It was included in the internal audit plan due to changes in technology, changes in the forms in which records can now be retained, and the proliferation electronic records.

    The University of Missouri System Records Management program establishes the criteria for retention of records to ensure the University retains the necessary information to meet legal, financial, administrative, research, and historical needs.

Scope and Approach:

    Our scope included data retention within the following areas:

    ; PeopleSoft retention and purging procedures

    ; Data center operations and back-up media

    ; ImageNow for the retention and purging of imaged documents

    ; File system data residing on the network

    ; Email retention and disposal

    Our approach included reviewing available documentation related to data retention policies, procedures and practices. We conducted interviews with selected individuals within the areas of: Information Technology, Legal, Archives, and Records Management.

Key Highlights:

    ; Data retention policies and procedures for electronic records need improvement when

    compared to the policies and procedures for paper-based records. (H)

    ; The University, as do other organizations, has a large volume of email that continues

    to grow and exists in various locations distributed throughout the University and these

    emails could contain records. This increases the risk in the areas of compliance,

    litigation support, storage management, and knowledge management as records may

    not be properly retained. (H)

    ; The University should consider creating a process to move email data into an archive

    where they can be centrally controlled for retention, holds, and purging. One possible

    solution is automated email archiving. (H)

    ; The University currently has well developed data retention policies and procedures

    for paper-based records, but we noted during interviews that increased awareness is

    needed for faculty and staff. (H)

     October 22-23, 2009


     Observations by Risk Internal Audit Summary Report

    H M L UMKC Decentralized IT Security Controls

     5 2 - Report Date: September 25, 2009


    This project was an information security assessment of the UMKC's decentralized IT systems. It was included in the internal audit plan due to the risks related to information security and the need for the University to understand the security standards in place for these systems.


    UMKC currently has a Central Information Services division (Central IS) which is responsible for maintaining servers in the data centers. However, certain UMKC data resides on servers housed in various other locations across the campus owned and managed by the departments/schools. Central IS manages system security and support for approximately 209 UMKC Systems. For the remaining 94 systems, security and support is managed on a decentralized basis by the respective UMKC departments/schools.

    UMKC became subject to the Data Classification standards defined in the University's Information Security Program in April 2009. The purpose of the Data Classification standards is to apply security measures in the most appropriate and cost effective manner, data stored electronically must be evaluated and assigned a Data Classification Level (DCL) of 1, 2, 3, or 4. The DCL of the data establishes the extent and type of information security measures that must be implemented.

Scope and Approach:

    We selected a sample of decentralized servers and gained an understanding of these servers through interview, observation and limited testing of selected controls in the following areas:

    ; Departmental processes and controls in place to enforce security on servers in

    decentralized environments. This included consideration of the University of

    Missouri Data Classification levels and relevant recommended practices. ; Logical and physical security controls for a selection of servers administered directly

    by various departments/schools.

    ; Computer operations for servers not administered by Central IS management. .

    Key Highlights:

    ; Deviations from the Data Classification standards for decentralized systems were

    noted and consideration should be given to centralized server administration. (H)

    ; Weak administrative and user account management processes were noted across

    multiple departments. (H)

    ; Decentralized IT systems do not follow a standard set of policies and procedures as a

    baseline for secure deployment and access governance of their systems. (H)

     October 22-23, 2009


     Internal Audit Summary Report Observations by Risk

    UM System Wide Executive Expense Reports H M L

    Report Date: October 7, 2009 - 3 -


    This project was an assessment of executive expense reports for select senior administrators of the University of Missouri. It was included in the internal audit plan to ensure adequate internal controls are in place for executive expenses. .

    Senior administrators process expense reports through the same controls and reviews of other University employees. In addition to expense reports, senior administrators have access to Special Expense Funds which are subjected to additional controls and reviews outside of the University's expense report processes. Generally, the use of Special Expense Funds is to allow the specified administrators of the University to incur expenses for promotion and other purposes in furtherance of their duties of carrying out the missions of the University. Special Expense Funds are approved by the President or the Board of Curators and reviewed annually by the Chair of the Audit Committee...

Scope and Approach:

    The scope of our work focused on the use of Special Expense Funds and expense reports by senior administrators. We evaluated the processes for the reporting and approval of expenses for senior administrators. Additionally, we evaluated the processes the Office of the Treasurer regularly conducts to search for undisclosed bank and expense accounts across the University. Our detailed testing focused on compliance with the following policies:

    Expense Reports

    ; Business Policy Manual - 218 Accountable Plan Business Expense Reimbursements ; Business Policy Manual - 505 Allowable Travel Expenses

Special Expense Funds

    ; University Special Expense Fund Policies and Procedures

Key Highlights:

    ; Overall we noted the design of the internal controls surrounding executive expense

    reports appeared to be appropriate and no inappropriate activity was noted. We did

    note the individual reconciling the account for the UMKC Chancellor had the ability

    to sign check as well. Additionally, the UM System Vice President for Finance &

    Administration Special Expense Fund account was only reviewed in the aggregate

    and an independent detail review of the activity was not in place. Corrective action

    has already been completed for both items (M)

    ; We noted generally documentation surrounding selected Special Expense Fund

    transactions was adequate. However, for four transactions did not include the

    business purpose per the Special Expense Fund Guidelines for tax purposes. (M)

     October 22-23, 2009


Report this document

For any questions or suggestions please email