Finding Text
Finding 2023-001 – Information Technology General Controls
Identification of the federal program:
Federal Program: Student Financial Assistance Cluster: Federal Pell Grant Program (Assistance Listing No. 84.063) and Federal Direct Student Loans (Assistance Listing No. 84.268)
Federal Agency: United States Department of Education
BJC HealthCare Location: Goldfarb School of Nursing (GSON)
Award Periods: January 1, 2023 through June 30, 2023 (included in award year July 1, 2022 through June 30, 2023), and July 1, 2023 through December 31, 2023 (included in award year July 1, 2023 through June 30, 2024)
Criteria or specific requirement (including statutory, regulatory or other citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding the auditee and internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
Condition:
BJC HealthCare (BJC) did not fully implement all Logical Access and Change Management controls to support effective information technology general controls (ITGCs) for the Banner application. The controls that were not fully implemented during the current period relate to user provisioning, user termination, user access reviews and change management processes. As a result, Banner ITGCs and, therefore, Banner application controls, cannot be relied upon in the period of audit.
Cause:
Management did not appropriately implement Logical Access and Change Management controls for the period under audit.
Effect or potential effect:
There is a risk the data relevant to the Student Financial Assistance Cluster program stored within the Banner student financial aid system may be inappropriately created or modified.
Effective operation of the required logical access and change management controls is necessary to support effective ITGCs over the Banner application. Because these controls were not fully implemented, the Banner application cannot be relied on for the audit period.
Questioned costs:
None.
Context:
Procedures over the Banner application were performed during FY23 to determine if controls were in place and operating as designed. We noted the following:
• User provisioning documentation was not consistently retained for three of four samples. Documentation for the fourth sample did not include enough information to support that the access provisioned matched the access requested.
• Access terminations were not consistently removed from the application timely, though active directory access was removed.
• Through review of the semi-annual access review in September, the removals (or modifications) of six of six users were not completed following the conclusion of the user access review.
a. The review is sent to each user and there is no overall, independent review of all users’ access by an overseer / manager.
b. There was no review evidence for three of 44 accounts with access to Banner.
• Documentation evidencing testing or approval for three of six patches applied to production was not retained or available.
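The four control areas listed above (provisioning evidence, termination timeliness, independent access-review sign-off with follow-through, and change approval evidence) can each be checked mechanically against a population of accounts and production changes. The script below is an added illustration and is not part of the audit finding or of BJC/GSON's own procedures; the users, roles, dates, the three-day removal threshold and all field names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TERMINATION_SLA_DAYS = 3  # hypothetical: application access must be removed within 3 days of separation


@dataclass
class Account:
    user: str
    ticket: Optional[str]                  # provisioning request reference; None = not retained
    requested_roles: frozenset
    granted_roles: frozenset
    terminated_on: Optional[date] = None   # HR separation date, if separated
    disabled_on: Optional[date] = None     # date application access was actually removed
    reviewer: Optional[str] = None         # who signed off the periodic access review
    review_outcome: Optional[str] = None   # "retain", "remove" or "modify"
    review_actioned: bool = False          # whether a remove/modify outcome was carried out


@dataclass
class Change:
    change_id: str
    test_evidence: bool       # testing documentation retained
    approver: Optional[str]   # approval recorded before production deployment


def provisioning_exceptions(accounts):
    """Every account needs a retained request, and what was granted must match what was requested."""
    out = []
    for a in accounts:
        if a.ticket is None:
            out.append(f"{a.user}: no provisioning request retained")
        elif a.granted_roles != a.requested_roles:
            out.append(f"{a.user}: granted {sorted(a.granted_roles)} differs from requested {sorted(a.requested_roles)}")
    return out


def termination_exceptions(accounts, as_of):
    """Separated users must lose application access within the SLA, independent of directory access."""
    out = []
    for a in accounts:
        if a.terminated_on is None:
            continue
        deadline = a.terminated_on + timedelta(days=TERMINATION_SLA_DAYS)
        if a.disabled_on is None and as_of > deadline:
            out.append(f"{a.user}: still enabled {(as_of - a.terminated_on).days} days after separation")
        elif a.disabled_on is not None and a.disabled_on > deadline:
            out.append(f"{a.user}: disabled {(a.disabled_on - a.terminated_on).days} days after separation")
    return out


def access_review_exceptions(accounts):
    """Each active account needs an independent reviewer's sign-off, and remove/modify outcomes must be actioned."""
    out = []
    for a in accounts:
        if a.disabled_on is not None:
            continue
        if a.reviewer is None or a.reviewer == a.user:   # self-attestation is not an independent review
            out.append(f"{a.user}: no independent review evidence")
        elif a.review_outcome in ("remove", "modify") and not a.review_actioned:
            out.append(f"{a.user}: review outcome '{a.review_outcome}' not carried out")
    return out


def change_exceptions(changes):
    """Production changes need retained test evidence and a recorded approver."""
    out = []
    for c in changes:
        if not c.test_evidence:
            out.append(f"{c.change_id}: no testing evidence retained")
        if c.approver is None:
            out.append(f"{c.change_id}: no approval recorded")
    return out


def run_itgc_checks(accounts, changes, as_of):
    return {
        "provisioning": provisioning_exceptions(accounts),
        "termination": termination_exceptions(accounts, as_of),
        "access_review": access_review_exceptions(accounts),
        "change_management": change_exceptions(changes),
    }


# Constructed sample population: hypothetical users, roles, tickets and dates.
SAMPLE_ACCOUNTS = [
    Account("jdoe", "REQ-101", frozenset({"FA_VIEW"}), frozenset({"FA_VIEW"}),
            reviewer="mgr1", review_outcome="retain"),
    Account("asmith", None, frozenset({"FA_VIEW"}), frozenset({"FA_VIEW"}),
            reviewer="mgr1", review_outcome="retain"),                      # request not retained
    Account("bjones", "REQ-102", frozenset({"FA_VIEW"}), frozenset({"FA_VIEW", "FA_UPDATE"}),
            reviewer="mgr1", review_outcome="modify", review_actioned=False),  # over-provisioned, not fixed
    Account("clee", "REQ-103", frozenset({"FA_UPDATE"}), frozenset({"FA_UPDATE"}),
            terminated_on=date(2023, 9, 1), disabled_on=date(2023, 9, 20)),    # removed late
    Account("dkim", "REQ-104", frozenset({"FA_VIEW"}), frozenset({"FA_VIEW"}),
            reviewer="dkim", review_outcome="retain"),                      # self-reviewed
]
SAMPLE_CHANGES = [
    Change("PATCH-1", test_evidence=True, approver="cab"),
    Change("PATCH-2", test_evidence=False, approver="cab"),
    Change("PATCH-3", test_evidence=True, approver=None),
]


def sample_results():
    """Run the checks over the constructed sample as of a hypothetical review date."""
    return run_itgc_checks(SAMPLE_ACCOUNTS, SAMPLE_CHANGES, date(2023, 9, 30))


if __name__ == "__main__":
    for area, issues in sample_results().items():
        print(f"{area}: {len(issues)} exception(s)")
        for line in issues:
            print("  -", line)
```

Each function returns the exception list for one control area, so the output doubles as the evidence an auditor would ask for: which accounts lack a retained request, which separations breached the threshold, which review outcomes were never actioned, and which production changes have no test or approval record.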
Total expenditures for the Student Financial Assistance Cluster were $6,709,387 for the year ended December 31, 2023.
Identification as a repeat finding, if applicable:
This is a partial repeat of finding 2022-002 from the prior year.
Recommendation:
Management should enhance the user access review, user provisioning, user termination and change management controls, and retain documentation of the operation of controls.
Views of responsible officials:
BJC agrees with the findings as reported. GSON is committed to complying with program requirements and meeting program objectives as defined in Section 200.303(a) of the Uniform Guidance, regarding auditee internal controls. To facilitate these requirements, GSON has instituted the following controls:
• Establishment of a formal provisioning and deprovisioning process for Banner system access.
• Refinements to the formal access review process to include an independent review of system access, as well as an overseer or manager approval.
• Establishment of a formal testing process for Banner system patches or updates to include review from key functional areas within GSON.