The STRAIGHT and NARROW
Office of Internal Audit, Board of Regents of the University System of Georgia, (404) 657-2237
January 18, 2008 Volume 2, Issue 3
Special Interest Articles: Page 1 - Small Value Property means just that; Page 2 - Does your campus use Generic User ID's?; Page 3 - P-Card Audit Observations & Recommendations
"Creating A More Educated Georgia"
www.usg.edu
Words to live by: "A Fool and his money... ...are soon audited!"
From the Desk of Ron Stark
A Happy New Year to our newsletter audience!
As a new calendar year begins, I want to reflect on some of the Office of Internal Audit's accomplishments during the past year:
Facilitated the Fraud Hotline implementation.
Streamlined BOR Policy approval and authority limits.
Accomplished our annual Audit Plan, with a record 18 audits for fiscal 2007.
Provided two value-added consulting engagements.
Once again exceeded our GAAP reporting requirements.
My entire staff is now immersed in purchasing card audits through February. I believe it is a very worthwhile exercise and that it will, at a minimum, assist in curbing future malfeasance by assisting each campus in identifying weak areas in its policies and procedures.
Although our desire is to report that malfeasance does not exist on our campuses, we have already uncovered several instances of it in relation to P-card use. The employees involved have either resigned or been terminated and face possible criminal prosecution.
Articles in this issue of our newsletter include what we have found so far on our audits. We are working on a "Frequently Asked Questions" reference surrounding p-card use and welcome your questions related to the subject.
Tracking Small Value Property
What items are required to be tracked as Small Value Property (SVP)?
According to BPM Section 11:
Nonconsumable items with an acquisition cost of over $3,000 but less than $5,000 and a life expectancy of greater than three years. Examples are motor vehicles, appliances and equipment.
Other items not meeting the criteria above that an institution desires to track for valid management reasons.
Capital Asset items exceeding $3,000 but not meeting Building, Infrastructure or Facilities thresholds for capitalization are not required to be tracked as SVP by institutions.
The State Accounting Office is currently developing policies and procedures for accounting aspects relating to capital assets, including SVP. If there are any changes to the University System's current procedures as defined in the BPM as a result, these will be communicated.
Who is USER1?
Online computer systems have brought significant new capabilities to Higher Education. We are now able to register on-line, pay tuition on-line and even data mine vast amounts of sensitive data. However, putting large amounts of sensitive data on a computer and making it available on-line has also brought a new set of problems and concerns. We now need to be concerned about properly controlling access to this sensitive data.
There are two major controls that need to be implemented in any computer system which contains sensitive data: Authentication and Authorization.
Authentication is the process of ensuring that a user is really who they say they are. When a user attempts to make an entry using Banner or PeopleSoft, the system needs to be able to 1) identify the user and be able to determine, to a sufficient level of confidence, that the user is who they say they are and 2) determine what functions the user is allowed to perform.
With most computer systems this identification is made by creating a unique User id and password. Each user should have their own User id which uniquely identifies them to the system. The User id is often tied to a user's name, such as first initial and last name, e.g. JWILSON. Where a more secure method of authentication is required, the user may be required to provide a second piece of information, such as a biometric fingerprint, or to present a physical device such as a smart card.
Authorization is what actions a user is allowed to perform. This could include the ability to view data or change data. The level of authorization is then tied to a User id.
In a number of recent audits it has been found that these basic security controls have been circumvented and defeated by the creation of Generic User ids. This generic user id is not tied to a specific user but can be used by anyone knowing the id and the password. This is the USER1 id or the TELLER id.
At one institution it was determined that there was a generic REPORTS id where the password was well known across campus. In fact, at this institution you could get the password by calling the help desk and asking.
The REPORTS id provided access to sensitive student SSN and grade data.
A second REPORTS2 id was also available which provided sensitive student financial data. Since the id and password were shared, there was no method to determine who had access to the data. There was no method of determining if the user were still an employee of the institution, had recently left, or was even affiliated with the institution.
In order to protect the institution, all users must be assigned a unique id which has specific levels of authorization tied to it. Generic user ids defeat this control and should not be allowed on any system containing sensitive student data.
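The accountability gap described above can be checked mechanically. The following is an added example, not part of the newsletter or any USG system: it takes a constructed login audit trail and a constructed HR roster and flags every id that is not tied to a current, named employee. The roster, login records and host names are all assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the newsletter): an HR roster and a
# Banner/PeopleSoft-style login audit trail. Only named, active employees
# should hold ids that carry authorization to sensitive data.
ROSTER = {
    "JWILSON": {"name": "J. Wilson", "active": True},
    "MGARCIA": {"name": "M. Garcia", "active": False},  # separated employee
}

LOGINS = [  # (timestamp, user id, workstation) -- constructed
    ("2008-01-14 08:02", "JWILSON",  "lib-ws-12"),
    ("2008-01-14 09:10", "REPORTS",  "reg-ws-03"),
    ("2008-01-14 09:31", "REPORTS",  "fin-ws-07"),
    ("2008-01-15 13:45", "REPORTS",  "hlp-ws-01"),
    ("2008-01-15 14:02", "MGARCIA",  "fin-ws-02"),
    ("2008-01-16 07:55", "REPORTS2", "fin-ws-07"),
]

def review_accounts(logins, roster):
    """Classify every id that appears in the audit trail.

    generic         : id is not tied to a person in the roster, so no action
                      taken under it can be attributed to anyone
    named-separated : id belongs to someone who is no longer an employee
    named-active    : id belongs to a current, named employee
    Each finding also carries the number of distinct workstations seen; for a
    named id that count should normally be small.
    """
    hosts = defaultdict(set)
    for _ts, uid, host in logins:
        hosts[uid].add(host)
    findings = {}
    for uid, seen in hosts.items():
        person = roster.get(uid)
        if person is None:
            status = "generic"
        elif not person["active"]:
            status = "named-separated"
        else:
            status = "named-active"
        findings[uid] = {"status": status, "hosts": len(seen)}
    return findings

def exceptions(findings):
    """Ids an auditor would ask the institution to explain or disable."""
    return sorted(u for u, f in findings.items() if f["status"] != "named-active")
```

In practice the roster comes from HR and the login records from the ERP's audit log; the same check also catches ids of employees who have left but whose access was never removed.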
Have you Registered?
The fiscal 2008 Year-End Workshop is being held in Athens, Georgia at the UGA Center for Continuing Education Conference Center & Hotel.
The dates of the workshop are April 14th and a half-day on April 15th.
Hotel reservations may be made by calling 1-800-884-1381 (from 8 a.m. to 5 p.m., Monday through Friday). Specify: "Board of Regents Year-End Training, Event #65383".
Reservations must be made by March 19, 2008 in order to receive our guaranteed rates of $89-$99 per night.
Registration is $85 per person and includes breakfast on both days and lunch on the first day. The deadline for registration is April 4th, 2008. Please contact Diane Hickey, Yvette Usher or Carla Exum if you need a registration form.
This is an opportune time to bring up any training or other topics that you desire to be included in this year's workshop. Please call or e-mail Diane Hickey at 404-657-1301 or diane.hickey@usg.edu.
We'll see you in April!
P-Card Audits: What We Are Seeing
As of December 31st, we have completed roughly one-quarter of our p-card audits. Here are some of the issues that we've seen so far that were violations of campuses' own p-card policies, DOAS policy or both:
Poor documentation, including missing receipts and lack of explanation of purchase, including business purpose.
Review by the appropriate official was cursory or nonexistent.
P-card use for Agency account expenditures. The only allowable Agency account expenditure using a P-card is in connection with Study Abroad programs.
Shared P-cards
Gift card purchases were not adequately documented and generally did not show why the gift card was purchased or who received the card. **Please note that P-cards may no longer be used to purchase gift cards.**
Corporate credit card, rather than P-card was used for non-travel purchases.
P-card expenditures that include coaches' or other employee travel expenses. These should be paid by the employee and submitted for reimbursement on a separate travel expense statement.
Overall, we have found that there is a lack of understanding regarding allowable use of P-cards; inadequate training for users and approvers of P-cards; and an overall need for annual refresher training.
Stay tuned for our recommendations...
Board of Regents of the University System of Georgia Office of Internal Audit 270 Washington Street S.W. Atlanta, GA 30334-1450
Phone (404)657-2237
Fax (404) 651-9444
P-Card Audits: What We Recommend
Based on our audits to date and applicable DOAS policy, here are some recommendations for tightening controls surrounding your campus' purchasing card program:
Campus policies and procedures should be expanded to include clear guidance on appropriate purchases to include:
o Who is allowed to use the card,
o Who can sign as an approver
o Transaction limits
o What constitutes sufficient support documentation
o Disciplinary procedures for inappropriate use
o Procedures for using State contract vendors
o Non-payment of Georgia sales tax
o Non-use for Agency account transactions, with the exception of Study Abroad programs
o Authorized work orders are used for Plant Operations purchases
o Competitive bidding requirements on known cumulative purchases exceeding $5,000 per year
Purchasers and approvers should sign that they have read and understand the policies and procedures.
New cardholders and approvers should receive formal training prior to receipt of the card, and annual refresher training should be mandatory for all cardholders.
Cardholders must submit receipts, invoices, etc. and explanation of the purchase.
Approving officials should review all individual transactions, supporting documentation, and appropriateness of purchase. Blanket approvals are insufficient and indicative of inadequate review.
Approvers should not have a span of approval so large that an appropriate detailed review cannot be performed.
We're on the Web! See us at: www.usg.edu/offices/audit.phtml