The legislative audit of Morgan State University, which receives an annual contribution from taxpayers of $67 million dollars reveals widespread fiscal nightmares which ought to scare the bejeevers out of an ordinary accountant but perhaps simply annoys bureaucrats, especially in an election year.
Student Accounts Receivable and Residency
Finding 1
Morgan State University (MSU) had not established adequate controls over changes to student residency status determinations.
Analysis
MSU had not established adequate controls over changes to student residency status determinations for both graduate and undergraduate students. An accurate student residency status is critical because of the significant differences between resident and nonresident tuition rates. For example, full-time undergraduate tuition and fee charges for the Fall 2013 semester totaled $3,609 for Maryland residents and $8,316 for nonresidents. According to MSU’s records, there were 1,318 residency changes (both graduate and undergraduate) from out-of-state to in-state status processed between January 2012 and July 2013.
MSU did not ensure that student residency status changes for graduate students were independently verified to supporting documentation.
Furthermore, the only independent verification of residency status changes performed for undergraduate students during our audit period was conducted in June 2013 and consisted of reviewing 35 such changes, including 25 from out-of-state to in-state. Under these conditions, unauthorized changes in residency could be processed without detection. Our test of 17 student residency status changes from out-of-state to in-state, made between January
2012 and June 2013, disclosed one change without adequate supporting documentation; MSU advised that appropriate documentation was subsequently obtained. Similar conditions regarding controls over changes to student residency status were commented upon in our preceding audit report.
MSU’s Board of Regents Policy on Student Residency Classification for Admission and Tuition Purposes states that a student requesting a change in residency status must submit a MSU Petition for Change in Classification for
Tuition Purposes along with supporting evidence that provides clear and convincing evidence of his or her residency status, such as a valid Maryland driver’s license.
Numerous employees were assigned system capabilities that allowed them to change student residency status in MSU’s automated records even though these system capabilities were not required to perform their normal job duties.
We noted 126 employees in approximately 50 MSU academic departments or 6 schools who were able to modify a student’s residency status, but did not need such capabilities. Subsequent to our inquiries, MSU advised us that steps were taken to restrict the system capabilities granted to these employees.
Recommendation 1
We recommend that MSU improve controls over student residency status changes. Specifically, we recommend that MSU
- ensure that a sufficient number of both graduate and undergraduate residency status changes is reviewed for propriety by independent supervisory personnel, and that the reviews are adequately documented (repeat); and
- assign system capabilities to change student residency to only those employees who require such capabilities to perform their job duties.
Finding 2
Adjustments to room and board charges were not adequately reviewed.
Analysis
MSU had not established adequate controls over adjustments to student room and board charges. Although MSU management advised us that adjustments to student room and board charges processed in MSU’s automated records were reviewed and approved for propriety by supervisory personnel, based on our tests, there was no documentation that such reviews were performed. Our test of 10 students with room and board adjustments that reduced student charges by
$40,140 disclosed that none of these adjustments had been independently approved. Furthermore, MSU waived all room and board charges totaling $7,283 for 2 of these students based upon cancellations received after the start of classes for the semester, which is not consistent with MSU policy. Specifically, MSU policy stipulates that students will not receive a refund of charges when cancellations occur after the first day of class, or in cases where the student withdraws from MSU, a 20 percent penalty will be charged. Without a documented independent review of adjustments made, there is a lack of assurance that adjustments processed were accurate, valid, and complied with MSU policy.
During fiscal year 2013, room and board adjustments to reduce student charges totaled approximately $4.8 million.
Recommendation 2
We recommend that MSU ensure that room and board adjustments processed are reviewed and approved by independent supervisory personnel, that these reviews are documented, and that the adjustments comply with MSU policy.
Grants
Finding 3
MSU had not established adequate accountability over outstanding grant receivables and outstanding grant accounts were not pursued for payment as required by the State’s Central Collection Unit’s (CCU) regulations.
Analysis
MSU had not established adequate accountability over grants received from federal, state, and private entities for research and development. Furthermore, outstanding grant amounts due from the entities were not pursued as required by CCU regulations.
MSU did not record grant amounts due from entities in centralized accounts receivable records. Rather, MSU recorded outstanding grant receivables on a combination of handwritten logs and computer files. Manual billings were primarily recorded on handwritten logs, while electronic draw-downs of funds were recorded on other automated records, neither of which reflected the total outstanding amounts due. As a result, there was a lack of accountability over grant activity to ensure that all billings and collections were accounted for.
Furthermore, the informal manner in which the grant records were kept precluded MSU from readily producing an aging report to identify unpaid accounts, the amounts due, and the length of time they had been outstanding.
MSU did not ensure that billing adjustments on the handwritten logs were adequately documented and reviewed by an independent supervisory employee for propriety. Furthermore, the handwritten logs were accessible to several MSU employees. Consequently, errors or other discrepancies could occur without timely detection. Our analysis of the logs for fiscal years 2011 through 2013 identified 34 billings totaling $912,634 that had been crossed through on the logs without notations adequately explaining the reason for the deletions or an indication that the deletions had been reviewed by independent supervisory personnel. We were advised that these adjustments were usually made to indicate that revised billings had been issued; however, the records did not clearly support this assertion. According to MSU’s records, manual grant billings totaled approximately $6 million during fiscal year 2013.
Written payment demands for outstanding grant reimbursement requests were not sent to grantor entities at predetermined intervals as required. We were advised by MSU management personnel that, after the initial billings, MSU generally relied on telephone contacts with the grantor entities to request payment. Our test of 10 grant billings totaling $1.3 million for fiscal years 2011 through 2013 disclosed that MSU did not receive payment until 3 to 18 months after the dates billed, and MSU had not sent dunning notices to pursue collection while these accounts were outstanding as required. Similar conditions were commented upon in our two preceding audit reports. Delays in the pursuit of outstanding debts may decrease the likelihood of collecting the funds. State regulations generally require that three written demands for payment be made on accounts at 30-day intervals. If payment is not received within 75 days of the original demand for payment, outstanding accounts should be transferred to CCU for further collection efforts.
Recommendation 3
We recommend that MSU
- establish centralized grant accounts receivable records to account for all billing and collection activity,
- routinely prepare reports to track and monitor the age of outstanding accounts,
- ensure that adjustments to accounts receivable are adequately documented and that an independent supervisory employee periodically reviews adjustments for propriety,
- investigate the propriety of the aforementioned 34 adjustments we noted as being crossed out on the accounts receivable logs, and
- send written payment demands to the applicable grantor agencies and submit delinquent accounts to CCU in accordance with State regulations
(repeat).
Payroll
Finding 4
Controls over electronic timesheets for regular and contractual employees were not sufficient to ensure the validity of all time reported.
Analysis
Controls over electronic timesheets for regular and contractual employees were not adequate to ensure they were properly completed and approved. Generally, MSU employees prepared their own timesheets on an automated payroll system and supervisors approved their employees’ timesheets on that system. According to the State’s records, MSU’s payroll expenditures totaled approximately $96 million during fiscal year 2013 for 1,107 regular and 525 contractual employees.
Our review of the records of the automated timekeeping system for fiscal year 2013 disclosed the following conditions:
According to the automated system, 24 employees approved their own timesheets one or more times during fiscal year 2013. In total, 151 timesheets, for which the related earnings totaled $313,309, were approved by these employees. One of these employees did not have supervisory approval for any timesheet for the entire year. Although MSU’s written policies and procedures require supervisory approval of timesheets, the automated controls in place were not sufficient to ensure that this occurred in all cases.
Thirteen employees (primarily human resources and payroll employees) had been assigned system capabilities that allowed them to prepare, modify, and approve the electronic timesheets of all MSU employees without independent supervisory review and approval. MSU advised us that these capabilities were generally used to prepare and submit an employee’s electronic timesheet when the employee was unable to prepare his or her own timesheet (for example, the employee was on extended leave). According to MSU’s records, 10,604 electronic timesheets were prepared or modified by the aforementioned employees during fiscal years 2011, 2012, and 2013. A similar condition was commented upon in our preceding audit report.
During fiscal year 2013 a total of 286 timesheets for 194 employees, for which related earnings totaling $392,607, were approved by supervisors at least seven days prior to the end of the pay period. Further examination of 10 of these timesheets disclosed that 704 hours totaling $20,719 were recorded as worked after supervisory approval. For example, one contractual employee’s timesheet, indicating 80 hours of work for the pay period ending June 11, 2013, had an approval date of May 17, 2013—11 days before the pay period began.
Recommendation 4
We recommend that MSU improve controls over the preparation, approval, and submission of employee timesheets. Specifically, we recommend that MSU
- revise system capabilities to ensure that all timesheets are subject to independent supervisory review and approval (repeat), and
- ensure that timesheets are approved after the end of the pay period and the employee has finalized his or her timesheet.
Information Systems Security and Control
Background
MSU’s information technology department provides information technology support to MSU by maintaining its campus-wide administrative applications, such as the student administration, human resources, and financial systems. The information technology department also operates an integrated administrative and academic computer network, which provides connections to multiple servers used for administrative applications and related databases. The campus network also includes separate email and file servers, Internet connectivity, and firewalls and routers. MSU also maintains a website that functions as an entry point to many of MSU’s services.
Finding 5
Access, monitoring, password, and account controls over the student administration, human resources, and financial systems were not sufficient.
Analysis
Access, monitoring, password, and account controls over the student administration, human resources, and financial systems were not sufficient.
Specifically, our review disclosed the following conditions:
Powerful privileges on the database used for the student administration, human resources, and financial systems were not properly restricted. We noted that 16 accounts (assigned to 16 individuals) were unnecessarily assigned powerful privileges that allowed direct read and modification access to critical tables in this database.
Monitoring of security events for the aforementioned systems’ database and applications was not adequate. For example, the use of numerous database critical system privileges was not logged and although MSU personnel advised that reviews of logged database and application security events were performed, documentation did not exist to support these reviews.
Password and account controls over the aforementioned database were not in accordance with the requirements of the Department of Information Technology’s (DoIT) Information Security Policy. For example, password age, length, complexity, and history were not in accordance with the aforementioned Policy. Furthermore, the password file was not adequately secured.
These conditions could result in unauthorized or inappropriate activities (affecting the confidentiality, integrity, and/or availability of the production database) which could go undetected by management.
Recommendation 5
We recommend that MSU
- restrict the use of powerful database privileges;
- log the use of all critical database privileges, review the use of these privileges, document these reviews, and retain the documentation for verification purposes; and
- ensure that password and account controls are in accordance with the DoIT Information Security Policy requirements and that the password file is properly secured.
Finding 6
The MSU intrusion detection prevention system (IDPS) was not properly protecting the network.
Analysis
The MSU intrusion detection prevention system (IDPS) was not properly protecting the network. Specifically, we noted the following conditions:
Although MSU used a network-based IDPS to monitor traffic, certain network devices were improperly configured and, as a result, untrusted traffic to numerous critical servers was not subject to IDPS coverage.
At the time of our testing, the IDPS signatures (used to detect malicious traffic) had not been updated for at least 19 months and the IDPS configurations were not backed-up.
MSU did not use host-based intrusion protection systems (HIPS) on numerous servers that processed encrypted network traffic. The absence of HIPS coverage for such traffic created a network security risk in that MSU’s network-based IDPS cannot read encrypted traffic flowing into its network, whereas HIPS can read and analyze such traffic and protect critical servers from encrypted malicious traffic.
Password complexity and history and account lockout were not enabled for users authenticating to the IDPS modules; accordingly, these authentication settings were not in accordance with the DoIT Information Security Policy requirements.
Complete IDPS coverage includes use of properly configured network-based IDPS that is supplemented, where necessary, with HIPS to aid significantly in the detection/prevention of and response to potential network security breaches and attacks. Furthermore, without proper monitoring, critical network security breaches may occur that could otherwise possibly be detected and prevented.
Recommendation 6
We recommend that MSU
- perform a documented review and assessment of its network security risks and identify how IDPS coverage (including HIPS coverage) should be best applied to its network, and implement such coverage for all critical portions of its network;
- update its IDPS signatures as they are released by the vendor and back up its IDPS configurations to an offsite, secure, environmentally controlled location; and
- ensure that IDPS authentication control settings for user accounts and passwords comply with the aforementioned DoIT requirements.
Finding 7
Malware protection on MSU workstations and servers needs improvement.
Analysis
Malware protection on MSU workstations and servers needs improvement.
Specifically, we noted the following conditions:
MSU did not have a centralized management console to monitor and ensure that the anti-malware software was installed and up-to-date on approximately 200 servers. Without the use of a centralized management console, there is a lack of assurance that all MSU servers are properly protected with up-to-date anti-malware software.
Certain workstations were improperly configured with users having administrator rights. Administrator rights are the highest permission level that can be granted to users and it allows users to install software and change configuration settings. Our testing of five workstations disclosed that all five employees’ user accounts were defined with administrator rights, rather than with user rights, and did not need these administrative rights. As a result, if these workstations were infected with malware, the malware would run with administrative rights and expose these workstations to a greater risk of compromise than if the workstations’ user accounts operated with only user rights.
Computers tested had not been updated with the latest releases for software products that are known to have significant security software-related vulnerabilities. Although the vendors for these software products frequently provide software patches to address these vulnerabilities, MSU had not updated its computers for these patches. For example, 10 computers tested for one of these software products noted that 7 computers were running older versions of this software.
Four of 10 computers tested had not been updated with the latest releases of the anti-malware software. Furthermore, users on all 10 of these computers could disable features of the anti-malware software that would render it unable to protect against attack.
The DoIT Information Security Policy states that agencies should configure security settings of information technology products to the most restrictive mode consistent with operational requirements.
Recommendation 7
We recommend that MSU
- use a centralized management console to monitor and ensure that antimalware software was installed and up-to-date on its servers,
- ensure that administrative privileges on workstations are restricted to system/network administrators,
- keep its computers up-to-date for all critical security related updates to potentially vulnerable installed software, and
- continually update all computers for the latest versions of the antimalware software and adjust the software settings so that users cannot disable features of this software.
Audit Scope, Objectives, and Methodology
We have conducted a fiscal compliance audit of Morgan State University (MSU) for the period beginning March 24, 2010 and ending June 30, 2013. The audit was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
As prescribed by the State Government Article, Section 2-1221 of the Annotated
Code of Maryland, the objectives of this audit were to examine MSU’s financial transactions, records and internal control, and to evaluate its compliance with applicable State laws, rules, and regulations.
In planning and conducting our audit, we focused on the major financial-related areas of operations based on assessments of significance and risk. The areas addressed by the audit included purchases and disbursements, student accounts receivable, financial aid, cash receipts, payroll, federal funds, and information technology systems. We also determined the status of the findings contained in our preceding audit report.
To accomplish our audit objectives, our audit procedures included inquiries of appropriate personnel, inspections of documents and records, observations of MSU’s operations, and tests of transactions. We also performed various data extracts of pertinent information from the State’s Financial Management Information System (such as revenue and expenditure data) and the State’s Central Payroll Bureau (payroll data), as well as from the contractor administering the State’s Corporate Purchasing Card Program (credit card activity). The extracts are performed as part of ongoing internal processes established by the
Office of Legislative Audits and were subject to various tests to determine data reliability. We determined that the data extracted from these various sources were sufficiently reliable for the purposes the data were used during this audit. We also extracted data from MSU’s financial system for the purpose of testing payroll, purchases, disbursements, financial aid, and student accounts receivable. We performed various tests of the relevant data and determined that the data were sufficiently reliable for the purposes the data were used during the audit. Finally, we performed other auditing procedures that we considered necessary to achieve our objectives. The reliability of data used in this report for background or informational purposes was not assessed.
Our audit did not include an evaluation of internal controls for federal financial assistance programs and assessment of MSU’s compliance with federal laws and regulations pertaining to those programs because the State of Maryland engages an independent accounting firm to annually audit such programs administered by State agencies, including MSU.
MSU’s management is responsible for establishing and maintaining effective internal control. Internal control is a process designed to provide reasonable assurance that objectives pertaining to the reliability of financial records, effectiveness and efficiency of operations including the safeguarding of assets, and compliance with applicable laws, rules, and regulations are achieved.
Because of inherent limitations in internal control, errors or fraud may nevertheless occur and not be detected. Also, projections of any evaluation of internal control to future periods are subject to the risk that conditions may change or compliance with policies and procedures may deteriorate.
Our reports are designed to assist the Maryland General Assembly in exercising its legislative oversight function and to provide constructive recommendations for improving State operations. As a result, our reports generally do not address activities we reviewed that are functioning properly.
This report includes findings relating to conditions that we consider to be significant deficiencies in the design or operation of internal control that could adversely affect MSU’s ability to maintain reliable financial records, operate effectively and efficiently, and/or comply with applicable laws, rules, and regulations. Our report also includes findings regarding significant instances of noncompliance with applicable laws, rules, or regulations. Other less significant findings were communicated to MSU that did not warrant inclusion in this report.
MSU’s response to our findings and recommendations is included as an appendix to this report. As prescribed in the State Government Article, Section 2-1224 of the Annotated Code of Maryland, we will advise MSU regarding the results of our review of its response.