Salem State University
September 30, 2011 · Read the full official report (PDF) ↗ · official site ↗
source
“Based on our audit, we have concluded that SSU had implemented appropriate controls to reduce the risk of loss or theft of cash and checks received at the University.”
Read the plain-English breakdown
This is a Massachusetts State Auditor follow-up audit of Salem State University covering July 1, 2009 through October 31, 2011.
“In accordance with Chapter 11, Section 12, of the Massachusetts General Laws, the Office of the State Auditor (OSA) performed an audit of SSU for the period July 1, 2009 through October 31, 2011.”
The auditor checked whether Salem State had corrected problems found in earlier audits, including past thefts of funds and weaknesses in IT controls.
“Our audit included follow-up testing on issues identified in two previous audits conducted by the OSA.”
Public universities use taxpayer-supported resources and student payments, so weak controls over money, computers, and emergency recovery can lead to lost property, missing records, or interrupted services.
“Furthermore, SSU was unaware that the 17 computers had been missing because it had not conducted physical inventories of these items.”
If you are a student, parent, employee, or taxpayer, this audit says Salem State improved safeguards over cash and checks, but still needed better protection for computers and systems people rely on.
“Our current audit determined that SSU had implemented appropriate controls to significantly reduce the risk of theft of cash and checks.”
The money-handling issues were largely fixed, but computer inventory controls and disaster recovery planning were still not good enough.
“However, it still needs to improve its controls over its inventory of computer equipment and enhance its disaster recovery and business continuity plans.”
The auditor recommended Salem State record all computer equipment, do annual inventories, improve oversight, follow disposal rules, train staff, and complete and test disaster recovery and business continuity plans.
“SSU should complete a DRP and a BCP that incorporate criticality and impact assessments; business continuity planning development; risk management; and recovery plan testing, maintenance, training, and communication.”
A disaster recovery plan and business continuity plan are the university's playbooks for restoring important computer systems and keeping essential work going after a major outage or emergency.
“Disaster recovery planning is a coordinated strategy involving plans, procedures, and technical measures that enable the recovery of IT systems, operations, and data.”
5 figure(s) pending source verification - not shown
What the Auditor checked
- Did not comply Follow up on issues identified in OSA audit report No. 2004-0184-4T by determining whether sufficient corrective measures had been taken by SSU to implement adequate internal controls to provide reasonable assurance that computer equipment would be properly recorded in an inventory system and that IT systems could be recovered within an acceptable period of time should IT systems be rendered inoperable.
- Complied Determine whether appropriate corrective actions had been taken by SSU to reduce the risk of loss or theft of cash and checks processed at SSU.
What the Auditor found
Why it matters: SSU could not rely on its inventory system to account for computer equipment, support IT configuration management, or safeguard assets.
Standard: Chapter 647 of the Acts of 1989, Office of the State Comptroller fixed-asset guidelines, and Operational Services Division surplus property requirements. ( Chapter 647 of the Acts of 1989; 802 Code of Massachusetts Regulations (CMR) 3.00: Disposition of Surplus State Property )
9 recommendations
- Ensure that all purchased computer equipment is properly recorded in the ITRM.
- Complete an annual inventory and reconciliation of the inventory system of record for computer equipment.agency: already implemented
- Develop formal policies and procedures to ensure adequate segregation of duties for inventory control of computer equipment.
- Provide Finance and Facilities Department oversight and review SSU’s ITS inventory system and related internal control practices.
- Develop written detailed procedures and assurance mechanisms for a complete annual physical inventory and reconciliation of computer equipment.agency: already implemented
- Develop written policies and procedures requiring that all users assigned notebook computers sign a control sheet for their equipment.agency: already implemented
- Comply with OSD fixed-asset regulations requiring prior written approval before disposing Commonwealth assets and maintain adequate disposal records.agency: already implemented
- Strengthen internal controls to provide prompt notification and update the inventory record when equipment is purchased, relocated, or disposed of.
- Develop written policies and procedures and train all staff responsible for monitoring and safeguarding computer equipment to ensure Chapter 647 reporting compliance.agency: already implemented
Agency response & Auditor reply
Agency: "A 100% physical inventory of SSU computers was initiated in November 2011 and is still continuing."
Why it matters: SSU risked being unable to restore mission-critical business functions and IT systems within an acceptable time after a data center or IT outage.
Standard: Generally accepted practices and industry standards for computer operations requiring ongoing business continuity planning. ( Generally accepted practices and industry standards for computer operations )
4 recommendations
- Complete a DRP and a BCP that incorporate criticality and impact assessments, planning development, risk management, testing, maintenance, training, and communication.
- Document recovery strategies for disaster scenarios and periodically test the DRP and BCP.
- Identify an alternate site for recovery if SSU’s data center becomes inaccessible for an extended period.
- Reassess on-site and off-site backup media storage and increase the frequency of off-site storage.
Agency response & Auditor reply
Agency: "In 2012 Salem State will turn its attention to strengthening disaster recovery and business continuity planning in regard to the potential loss of the data center."
Prior findings revisited
"Our current audit determined that SSU had implemented appropriate controls to significantly reduce the risk of theft of cash and checks."
"Our follow-up audit disclosed that SSU has not taken sufficient corrective measures to address the issues raised in a prior OSA report (No. 2004-0184-4T) regarding (a) inventory controls over computer equipment and (b) enhancements to the disaster recovery and business continuity plans, as discussed below."
More audits of this entity
Other Office of the State Auditor reports on Salem State University , including the prior audits referenced above.
-
Audit of the Salem State University (November 4, 2024)College / University · November 4, 2024 -
Salem State UniversityCollege / University · November 13, 2017