The STRAIGHT and NARROW
Volume 5, Issue 21
January 2013
Office of Internal Audit & Compliance, BOR -- USG, (404) 962-3020
The Office of Internal Audit & Compliance's (OIAC) mission is to support the University System of Georgia management in meeting its governance, risk management and compliance and internal control (GRCC) responsibilities while helping to improve organizational and operational effectiveness and efficiency. The OIAC is a core activity that provides management with timely information, advice and guidance that is objective, accurate, balanced and useful. The OIAC promotes an organizational culture that encourages ethical conduct.
We have three strategic priorities:
1. Anticipate and help to prevent and to mitigate significant USG GRCC issues.
2. Foster enduring cultural change that results in consistent and quality management of USG operations and GRCC practices.
3. Build and develop the OIAC team.
From the Chief Audit Officer John M. Fuchko, III
Good Governance: Improving USG Operations
A basic starting point for effective governance includes accessible and easily understood policies and procedures. To that end, our office was requested to assist with recommending improvements to policy and procedure management. Several elements of our recommendations are still in progress; however, we worked with the various policy and procedure "owners" and with ITS Web Services to improve accessibility to University System policy and procedures. We highlight several of those improvements below.
First, links to several additional procedure manuals were added to the http://www.usg.edu/policies site. These additions should ensure that respective stakeholders are fully aware of the various procedures guiding University System operations. Second, we worked in coordination with BOR policy owners and ITS Web Services to develop a meta-search function for the USG website. This new search function provides USG stakeholders the ability to easily search the BOR Policy Manual and USG administrative procedures at http://www.usg.edu/policies.
Finally, we developed a BOR Policy-USG Procedures Matrix. The Matrix is a spreadsheet that identifies affiliated or related procedures within the framework of the Board Policy Manual. In other words, our staff worked to identify those procedure manual sections that add to or further explain requirements associated with specific Board Policy Manual sections. The Matrix was current as of the time of our report and should serve as a good reference tool; a copy can be found here: http://www.usg.edu/audit/resources.
Going forward, we plan to periodically update the Matrix as part of an overall effort to improve Policy and Procedure management.
Your input on any of these tools is most appreciated. I can be reached directly at john.fuchko@usg.edu or 404-962-3025.
John M. Fuchko, III, Chief Audit Officer & Associate Vice Chancellor
Inside this issue:
From the Chief Audit Officer (page 1)
Contract Management Audit Program (pages 2-4)
Principles of Good Governance (page 5)
Why Worry About an IT Audit? (pages 6-8)
Did You Know? (page 9)
Contact Us (page 10)
A New Audit Program: Contract Management
The Georgia Procurement Manual (GPM) provides guidance on operational and administrative contracting and procurement rules. The rules are derived from the laws in the Georgia code.
The State Purchasing Department (SPD) provides training for state suppliers, state entities, and DOAS employees. SPD training courses are designed to support agency and DOAS personnel in their respective purchasing roles, and to provide information to suppliers on doing business with the state of Georgia.
The SPD provides the following procurement support services:
eSource,
Team Georgia Marketplace,
Georgia Procurement Registry, and
NIGP Commodity Codes
For more information:
http://doas.ga.gov/StateLocal/SPD/Pages/Home.aspx
At the beginning of the audit year, the OIAC distributed three new audit programs to audit directors at each institution. The three programs included Financial Aid, Reserve Analysis, and Contract Management. In this issue of the Straight and Narrow we are re-issuing the Contract Management Audit Program as a reminder. The OIAC plans to follow up on this audit during the Winter/Spring rolling audit plan.
Audit Overview
Background: Deficiencies in contract administration are typically related to violations of good management principles and/or lack of monitoring controls. Oftentimes, adequate monitoring controls are not in place because an organization:
Needs to establish criteria for evaluating vendor performance;
Believes its role and responsibility are to develop partnerships instead of enforcing rules, regulations, or contract provisions;
Focuses on rules and regulations, but not outcomes;
Underestimates the value of conducting follow-up reviews to ensure that corrective action was taken; and,
Misjudges the risk and level of review necessary for each vendor.
Objective/Purpose
To determine the level of effectiveness and efficiency of contract administration by USG institutions, which includes the following:
a. Is there evidence that established the need for the contract (new and/or renewal)?
b. Is there evidence the contract was properly reviewed (by attorney, or agency procurement official, for example)?
c. Are contracts signed in accordance with delegated signing authority (the individual who signs the contract may be personally liable for the contract); and
d. Are adequate contract performance measures in place, and is the contract being monitored?
Scope
The audit scope should include contracts entered into (new or renewed) after July 1, 2011. Also, include contracts for outsourced services such as dining service and bookstore regardless of the contract date. Campus auditors may change the scope of the audit depending on their evaluation of contract risks or current practices on their campus.
Risks
Contracts not correctly written may not meet all Board of Regents, state, and external agency requirements. Terms and conditions on a vendor's contract may conflict with state requirements.
Contracts not properly monitored may result in loss of financial benefit to the institution and USG due to vendor not meeting contractual obligations, or receiving overpayment for work performed. Conversely, the institution may not be receiving commissions as outlined in the contracts in the case of outsourced services.
Contracts not properly monitored may also result in inadequate reserve funding (for example, contracts for dining services may require reserving funds for build-outs).
Vendors who were unable to participate in the process may perceive unfairness or a lack of transparency in the process.
Contracts may violate the gratuities clause of the state constitution (Article 3, Section 6, Paragraph 6, sub-paragraph a) if the contract contains clauses benefiting third parties.
Criteria
State of Georgia Department of Administrative Services (DOAS) State Purchasing Policies and Procedures - Georgia Procurement Manual Archives and Official Announcements (http://www.doas.georgia.gov/StateLocal/SPD/Policies)
Official Announcement #1-12
Official Announcement #2-12
Official Announcement #3-12
Georgia Procurement Manual (http://www.doas.georgia.gov/StateLocal/SPD/Docs_SPD_Official_Announcements/GeorgiaProcurementManual.pdf)
Note: The Georgia Procurement Manual (GPM) provides operational and administrative rules derived from the laws set forth by Georgia code. The rules are an authorized legal extension, bearing the weight, significance and effect of Georgia law.
The Georgia Procurement Manual (GPM) is the official source for all administrative rules issued by the Georgia Department of Administrative Services (DOAS) through its State Purchasing Division (SPD) to govern purchases made by certain state government entities. The GPM serves as a resource for both suppliers desiring to do business with the state of Georgia and state procurement officials in the performance of their duties.
BOR Policy Section 8.2.13 Gratuities (http://www.usg.edu/policymanual/section8/policy/ C224/#p8.2.13_gratuities)
Business Procedures Manual Section 3.0 "Purchasing and Contracts" (http://www.usg.edu/business_procedures_manual/section3/)
Components of an Effective Contract Monitoring System white paper prepared by DOAA's Performance Audit Operations division - available for download at: (http://www.dca.ga.gov/housing/housingdevelopment/BestPractices_ContractMonitoring.pdf)
Audit Objectives and Steps
Objective: Gain an understanding of the procurement process at your university and the environment in which it operates.
Audit Steps:
1. Read the Georgia Procurement Manual and highlight the procurement responsibilities related to the Agency Procurement Officer and the following stages of procurement: (a) contract initiation; and (b) contract administration.
2. Interview the Institution's Agency Procurement Official (APO) and request evidence that they have assumed the APO responsibilities as outlined in the Georgia Procurement Manual (GPM).
3. Interview other procurement officials, as needed, to determine if procurement responsibilities have been properly executed.
Objective: Assess the effectiveness and efficiency of contract administration.
Audit Step:
1. Select a sample of contracts from those defined in your scope. Determine whether each contract meets the attributes of: Established need? Proper review? Delegated signing authority? Performance monitoring?
Objective: Ascertain whether the contracts may violate the gratuities clause of the state constitution.
Audit Step:
1. With the understanding that we are not qualified to perform a legal review, read a sample of contracts, particularly those for outsourced services. Do you see any benefits to third parties? Some examples may be payments promised to a foundation, or personal catering or other services provided to specific individuals.
Principles of Good Governance by Jeanne Severns
This month's column focuses on the importance of good governance. Making the Auditors Happy: Principles of Good Governance.
1. What is the primary mission of your department?
2. What goals have been set to achieve that mission?
3. How does your job help your department fulfill that mission?
No matter who you are or what your job may be, the answer to question #1 was certainly not: "to make the auditors happy". Nonetheless, many times I have heard employees say, "We are doing this because the auditors asked us to." And, believe it or not, the purpose of our job as auditor is not to see how many additional tasks we can encourage our audit clients to perform. Actually, it is quite the opposite. We want to help our clients achieve their objectives in the most direct way possible while adhering to the principles of good governance and internal controls.
One of those principles of good governance is: a focus on operations. Here are some ideas to help you improve your operations (based on the Six Sigma tenets of DMAIC). How many of these tenets do you recognize, and how can you benefit by using them?
D: Define the goals - Remember the SMART acronym? Your goals should be specific, measurable, attainable, realistic, and timely. Don't say, "We strive to be better" or "We strive for accuracy." Instead say, "Our goal is to reduce student waiting time at the registrar's office to five minutes or less."
M: Measure the results - This step is sometimes overlooked in the interest of "saving time". But how else will you and your employees know if you are achieving your target?
A: Analyze - What are the results telling you? Are your goals realistic? Are your employees trained to meet the goal? Where are the obstacles, the complexities, and the missed opportunities? Is the process clear?
"Good governance requires clear definitions of responsibility and a clear understanding of relationships." Governance in the Public Sector: A Governing Body Perspective, August 2001
~The International Federation of Accountants
I: Improve - OK, you've set the goals, measured the results, and analyzed the performance. Have you focused on the points in the process with opportunities for improvement? If you met your goals, raise the bar and/or move on to your next biggest challenge.
C: Control - Even after you've attained your goal and your processes are working smoothly, periodically review them to ensure procedure and performance are on target.
The next time an auditor makes a recommendation, do not implement it until you understand the reason for the recommendation. If the recommendation is incongruent with your organization's goals and strategy, discuss it with your auditor prior to the issuance of the audit report. The auditor will be happy to hear you and your employees say, "We are doing this because it's a good process, resulting from good governance, and resulting in improved performance."
Jeanne Severns, CPA, MBA, CIA Email: jrseverns@valdosta.edu
Why Worry about an IT Audit?
by USG Information Technology Services
What is an IT Audit? (In A Nutshell)
An IT audit is an examination of the checks and balances, or controls, within an information technology group. It collects and evaluates "evidence" of an organization's information systems, practices, and operations, and determines whether the information systems:
Safeguard the information assets;
Maintain data integrity; and
Operate effectively and efficiently to achieve the organization's business goals or objectives.
The role of information technology (IT) control and audit has become a critical mechanism for ensuring the integrity of information systems (IS). IT control and audit procedures also aid in preventing security breaches.
IT auditing is an integral part of the audit function because it supports the IT auditor's judgment on the quality of the information processed by computer systems.
The IT auditor's role has evolved to provide assurance that adequate and appropriate controls are in place. Of course, the responsibility for ensuring that adequate internal controls are in place rests with management. The IT audit's primary role, except in management advisory services, is to provide a statement of assurance indicating adequate and reliable internal controls are in place and are operating in an efficient and effective manner.
User Management in PeopleSoft Financials
User management in PeopleSoft Financials is a key component of protecting your organization's data and maintaining system integrity. It is vital that an organization limit privileged user access to a small number of personnel whose jobs require access, and hold those personnel accountable for managing their system users.
New User Access
Is the user authorized to be in the system? Are the appropriate forms or documentation in place that dictate the user's level of required access? Does that documentation contain the required level of authorization? The local security administrator should ensure that the level(s) of authorized access are limited to the data that the user specifically needs. If users are granted overly broad access, overlapping authorization may negate segregation of duties. This may become a BIG audit finding!
User Maintenance
This is probably the hardest level of user management to track. Each time a user changes positions or transfers departments, a thorough security review is required. This review should not be limited to user roles.
What do Auditors Want?
"Auditors are interested in ensuring data integrity, availability, and confidentiality."
User preferences, commitment control budget override authority, and approval access are critical components of security access as well. This access works hand in hand with the user's security roles. New forms and authorizations are needed for every transfer or position change. Additionally, a comprehensive review of user access should be performed on a regular basis.
Auditors look for:
General application controls
Backup procedures
Monitored and documented job scheduling
There are nine ways to maintain general and application controls:
1. Establish strong password settings
2. Limit privileged functions
3. Maintain segregation of duties
4. Ensure appropriate user access and authorization
5. Maintain general security settings
6. Control access
7. Change management
8. Maintain segregation of duties within change management
9. Institute user acceptance testing
User Termination
It is critical that each institution has its own business process for handling terminations. The human resources department should provide the finance department with a listing of terminations at least weekly, but should be proactive (see the section below for a discussion of tools to help with this). Upon notification, the local security administrator should immediately lock the user's account and remove the base role. User preferences, budget override access, and approval access should be removed to ensure that transactions in the system do not continue to route to a terminated user. It is vital to an IT audit to document your terminations!
Campus Security Tools and Processes
On April 18, 2012, a Campus Security Guide was sent out by ITS containing a checklist of items the local campus security administrators should review. This guide also contains campus security tools, processes, and queries to assist with identifying potential audit issues. The guide can be found on the GeorgiaFIRST Financials website (http://www.usg.edu/gafirst-fin/).
The Campus Security Guide is a resource tool and a secondary method for identifying potential audit issues. Each institution is responsible for ensuring that changes in personnel status result in immediate change in access to PeopleSoft Financials as well as any other system to which the user has access.
Each campus must document and implement primary procedures to handle new hires, position transfers, and terminations.
BOR_SEC_TERMINATED_USERS Query
As local security administrators, it is imperative that the results of this query are closely monitored, reviewed, and validated. Once the institution has followed its primary procedure for terminations, the BOR_SEC_TERMINATED_USERS query can be used to validate that all terminations have been handled within the PeopleSoft Financials system. Personnel/Users that appear on the query will need to be reviewed to ensure that they are actually terminated [and are not a multi-campus user].
SEGREGATE_DUTY_BOR Query
The segregation of duties query lists users with potential audit issues. However, there may not be an actual issue. User preferences, in conjunction with certain security roles, may allow users to have too much access. It is vital to evaluate security as a whole, and not just place the focus on security roles.
If a user has a segregation of duties issue, then either (a) remove the offending roles, or (b) create a proper compensating control and (c) document that the business area agrees with retaining the increased risk.
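The termination checklist above (lock the account, remove the base role, user preferences, budget override and approval access, and treat multi-campus users as a review item rather than an automatic revocation) and the segregation-of-duties advice (evaluate roles and user preferences together, and record a compensating control where the risk is retained) can both be expressed as a small reconciliation script. The following Python is an added illustration for this newsletter; it is not ITS's BOR_SEC_TERMINATED_USERS or SEGREGATE_DUTY_BOR query and does not talk to PeopleSoft. The HR feed, the access extract, the role and preference names, the conflict pairs and the compensating-control register are all constructed for the example.

```python
"""Reconcile an HR termination feed against a PeopleSoft-style access extract
and check segregation of duties.  Added illustration: not ITS's
BOR_SEC_TERMINATED_USERS or SEGREGATE_DUTY_BOR query.  All records, role names,
preference names and conflict pairs below are constructed."""
from dataclasses import dataclass, field

BASE_ROLE = "BASE_USER"  # constructed stand-in for the base role the article says to remove


@dataclass
class UserAccess:
    user_id: str
    locked: bool
    roles: set = field(default_factory=set)
    user_prefs: set = field(default_factory=set)   # user preferences that grant access
    budget_override: bool = False
    approval_access: bool = False
    campuses: set = field(default_factory=set)     # institutions where the person is employed


# Constructed HR termination feed: (user_id, campus, termination_date)
HR_TERMINATIONS = [
    ("jdoe", "campusA", "2012-12-14"),
    ("asmith", "campusA", "2012-12-21"),
    ("bwhite", "campusA", "2012-12-28"),  # also employed at campusB (multi-campus user)
    ("tjones", "campusA", "2013-01-04"),
]

# Constructed PeopleSoft-style access extract keyed by user id
ACCESS_EXTRACT = {
    "jdoe": UserAccess("jdoe", locked=False, roles={BASE_ROLE, "BOR_AP_ENTRY"},
                       user_prefs={"AP_VOUCHER_ENTRY"}, budget_override=True,
                       campuses={"campusA"}),
    "asmith": UserAccess("asmith", locked=True, approval_access=True, campuses={"campusA"}),
    "bwhite": UserAccess("bwhite", locked=False, roles={BASE_ROLE, "BOR_PO_BUYER"},
                         campuses={"campusA", "campusB"}),
    "tjones": UserAccess("tjones", locked=True, campuses={"campusA"}),
    "mgreen": UserAccess("mgreen", locked=False,
                         roles={BASE_ROLE, "BOR_AP_ENTRY", "BOR_AP_APPROVER"},
                         campuses={"campusA"}),
    "lbrown": UserAccess("lbrown", locked=False, roles={BASE_ROLE, "BOR_VENDOR_MAINT"},
                         user_prefs={"AP_VOUCHER_ENTRY"}, campuses={"campusA"}),
}

# Constructed mapping from security roles / user preferences to the capability they grant
ROLE_CAPS = {"BOR_AP_ENTRY": "enter_voucher", "BOR_AP_APPROVER": "approve_voucher",
             "BOR_VENDOR_MAINT": "maintain_vendor", "BOR_PO_BUYER": "create_po"}
PREF_CAPS = {"AP_VOUCHER_ENTRY": "enter_voucher"}
CONFLICTS = [({"enter_voucher", "approve_voucher"}, "enter and approve own vouchers"),
             ({"maintain_vendor", "enter_voucher"}, "create vendors and pay them")]
# Constructed register of documented compensating controls (steps (b) and (c) above)
COMPENSATING_CONTROLS = {"lbrown": "controller reviews vendor-change report monthly"}


def termination_findings(terminations, extract):
    """Return {user_id: [issue, ...]} for terminated users whose access was not
    fully removed.  Users whose removal is complete do not appear."""
    findings = {}
    for user_id, campus, _term_date in terminations:
        acct = extract.get(user_id)
        if acct is None:
            continue  # no Financials account: nothing to revoke
        other = acct.campuses - {campus}
        if other:
            # Multi-campus user: review the query result, do not revoke automatically
            findings[user_id] = ["multi-campus user: verify employment at "
                                 + ", ".join(sorted(other)) + " before removing access"]
            continue
        issues = []
        if not acct.locked:
            issues.append("account not locked")
        if BASE_ROLE in acct.roles:
            issues.append("base role retained")
        extra = sorted(acct.roles - {BASE_ROLE})
        if extra:
            issues.append("other roles retained: " + ", ".join(extra))
        if acct.user_prefs:
            issues.append("user preferences retained: " + ", ".join(sorted(acct.user_prefs)))
        if acct.budget_override:
            issues.append("budget override retained")
        if acct.approval_access:
            issues.append("approval access retained: transactions will still route to this user")
        if issues:
            findings[user_id] = issues
    return findings


def sod_findings(extract, compensating):
    """Return [(user_id, conflict, compensating_control_or_None)] for active users,
    combining capabilities from roles *and* user preferences."""
    out = []
    for user_id, acct in extract.items():
        if acct.locked:
            continue
        caps = {ROLE_CAPS[r] for r in acct.roles if r in ROLE_CAPS}
        caps |= {PREF_CAPS[p] for p in acct.user_prefs if p in PREF_CAPS}
        for pair, description in CONFLICTS:
            if pair <= caps:
                out.append((user_id, description, compensating.get(user_id)))
    return out


if __name__ == "__main__":
    for user, issues in termination_findings(HR_TERMINATIONS, ACCESS_EXTRACT).items():
        print(user, "->", "; ".join(issues))
    for user, conflict, control in sod_findings(ACCESS_EXTRACT, COMPENSATING_CONTROLS):
        print(user, conflict, "| compensating control:", control or "NONE (unmitigated)")
```

In the constructed data, jdoe is the classic incomplete termination (unlocked, base role, a user preference and budget override all still present), asmith shows why locking alone is not enough (approval access would keep routing transactions to a departed user), bwhite is reported for review rather than revocation because the account is also tied to a second campus, and lbrown's conflict arises only when the user preference is combined with the security role, which is why the script evaluates both. Any finding without a documented compensating control is reported as unmitigated.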
Contact ITS: helpdesk@usg.edu, 706-583-2001
RESOURCES
INFORMATION SECURITY & ePRIVACY: www.usg.edu/infosec
USG SECURITY ADMIN LISTSERV: USGSECURITYADML@listserv.uga.edu
ARCHIVED WIMBA SESSION: PREPARING FOR AN IT AUDIT, December 8, 2011: www.usg.edu/gafirst-fin/training/archives
ITS HELPDESK FOR BUSINESS IMPACT EMERGENCY ISSUES: (706) 583-2001 or 1 (888) 875-3697 (toll free within Georgia)
Visit us on the web: www.usg.edu/audit, www.usg.edu/gafirst-fin, www.usg.edu/customer_services
Did You Know?
Recent addition to USG Business Procedures Manual
3.1.3 Background Checks of Vendor Employees
Institutions shall review services provided to the institution by a vendor when the services require regular interaction with students, employees, monies, sensitive/confidential data, or facilities. In instances when the institution determines that the scope of work being performed by a vendor's employee is such that a background check should be required, the institution should seek appropriate contractual protections, including requiring that the vendor obtain appropriate background checks for all such vendor employees. Examples of services could include outsourced bookstore operations, food services, maintenance, custodial workers, and call centers that involve access to confidential data.
Vendors maintain full responsibility for the actions of their employees and are fully responsible for implementing and enforcing an appropriate background check requirement. The vendor will review the results of the background check. The institution should not obtain the results of these checks. If appropriate, the requirement for a vendor to conduct background checks on its employees and to indemnify the institution against the actions of vendor employees must be specified in the contract for services.
Expiration of FDIC Insurance Coverage, Collateralization and Securitization of Public Funds
The unlimited FDIC coverage for non-interest bearing accounts expired on December 31, 2012. The coverage for non-interest bearing accounts will revert back to $250,000 if no action is taken by Congress. There is no indication that this insurance provision (Section 343) of the Dodd-Frank Act will be modified or extended.
The State Depository Board (SDB) has directed the Office of the State Treasurer (OST) to work with state agencies, authorities, colleges, and universities to ensure that state funds are in qualified state depositories and are fully insured or collateralized.
The SDB has adopted the State of Georgia Depository and Bank Fee Policy and designated OST to implement the policy. The policy is posted on the OST website, www.ost.georgia.gov, and includes the following requirements:
Any state entity that has a need to open a new deposit account must request and receive approval of the SDB by making application through OST.
All state demand and time deposits exceeding amounts fully covered by FDIC deposit insurance shall be collateralized. In lieu of collateral and with approval from OST, state entities may accept letters of credit issued by the Federal Home Loan Bank or surety bonds issued by financial institutions approved for such purpose by the SDB. The value of collateral shall not be less than 110% of the funds being secured after the deduction of the amount of deposit insurance.
The aggregate state deposit limit for accounts in the State Bank Fee program at any state depository shall not exceed 100% of the depository's equity capital. The State Treasurer may temporarily increase the total state deposit limit at any state depository to 125% of equity capital to allow for fluctuation in demand deposit balances.
Please contact Vikki L. Williamson, Assistant Vice Chancellor, Fiscal Affairs Accounting and Reporting at (404) 962-3210 to verify that you have properly secured your accounts. You will be requested to validate that state funds are in qualified state depositories and are fully insured or collateralized.
Reference Reading
Managerial Aids
The Financially Sustainable University, Jeff Denneen and Tom Dretler, Bain & Company, Inc., 2012
The Speed of Trust: One Thing That Changes Everything, Stephen M.R. Covey, Jr., 2006
Professional Aids
The Vital Core of Successful Leaders: What These Leaders Know and Do, Audrey Dorsey, 2008
What's the Value of a Brand?, Governing, December 2012
Board of Regents of the University System of Georgia
Office of Internal Audit & Compliance (OIAC) 270 Washington Street, SW Suite 7093 Atlanta, GA 30334-1450
Phone: (404) 962-3020
Fax: (404) 962-3033
Website: www.usg.edu/audit/
? Ask the Auditor ?
If you have a governance, risk management, compliance or control question that has been challenging you, let us help you find the answer. Your question can help us to become better auditors.
Want to Contribute to the Straight and Narrow?
We invite you to send your questions and ideas for future articles to us for feature in upcoming Straight and Narrow newsletters.
Contact Us: USG-OIACNewsletter@usg.edu
"Creating A More Educated Georgia" www.usg.edu