Finding Text
2023-003 — IT – Material Weakness in Internal Control Over Compliance and
Noncompliance
Federal program information:
Funding agencies: U.S. Department of Interior and
U.S. Department of Education
Titles: Assistance to Tribally Controlled Community
Colleges; Higher Education Institutional Aid; and
Education Stabilization Fund
ALN Number: 15.027, 84.031, and 84.425
Award years: Various
Criteria: Without strong information technology internal controls and established policies and
procedures, there is the potential for integrity of financial records, the confidentiality,
integrity and/or availability of data to be compromised. This compromise could be by an
internal user of the system, by an external source (hacker) and could be intentional or
unintentional.
Condition: The College’s IT control environment is lacking certain key controls. There are
currently no formalized IT policies and procedures, sufficient data backup processes, or a
formalized disaster recovery plan. IT controls are not in place to ensure non-authorized
individuals are restricted from adding new vendors, recording journal entries, and making/or
changes to employee pay records.
Questioned Costs: N/A
Cause: The IT controls have not been properly designed and implemented.
Effect: The College is exposed to many risks regarding the integrity of the financial records,
confidentiality, integrity and/or availability of its data. It is possible that their data could be
compromised. Compromise could be by an internal user of the system, by an external source
(hacker) and could be intentional or unintentional. Additionally, during fiscal year 2024, the
College experienced an outage which resulted in a loss of data. As no backup procedures
were in place, amounts had to be restored in the system using other financial source data.
Auditor’s Recommendations: Establishing IT controls, policies and procedures, off-site
electronic data backups, and a disaster recovery plan would better prepare the College for
technology related issues, system crashes, or data breaches.
Management’s Response: Management concurs with this finding.