Finding Text
2024-002 — IT – Material Weakness in Internal Control Over Compliance and Noncompliance (Repeat of finding 2023-003)
Federal program information:
Funding agencies: U.S. Department of Interior and U.S. Department of Education
Titles: Assistance to Tribally Controlled Community Colleges; Higher Education Institutional Aid; Education Stabilization Fund; and SFA Cluster-Pell Grant Program
ALN Number: 15.027, 84.031, 84.425, and 84.063
Award years: Various
Criteria: Without strong information technology internal controls and established policies and procedures, there is the potential for the integrity of financial records and the confidentiality, integrity, and/or availability of data to be compromised. This compromise could be by an internal user of the system or by an external source (hacker), and could be intentional or unintentional.
Condition: The College’s IT control environment is lacking certain key controls. There are currently no formalized IT policies and procedures, sufficient data backup processes, or a formalized disaster recovery plan. IT controls are not in place to ensure non-authorized individuals are restricted from adding new vendors, recording journal entries, and/or making changes to employee pay records.
Questioned Costs: N/A
Cause: The IT controls have not been properly designed and implemented.
Effect: The College is exposed to many risks regarding the integrity of the financial records and the confidentiality, integrity, and/or availability of its data. It is possible that its data could be compromised. Compromise could be by an internal user of the system or by an external source (hacker), and could be intentional or unintentional. Additionally, during fiscal year 2024, the College experienced an outage which resulted in a loss of data. As no backup procedures were in place, amounts had to be restored in the system using other financial source data.
Auditor’s Recommendations: Establishing IT controls, policies and procedures, off-site electronic data backups, and a disaster recovery plan would better prepare the College for technology-related issues, system crashes, or data breaches.
Management’s Response: The College is implementing policies and procedures.