Summary
Report Number:
Report Title: Florida Atlantic University - SCT Banner System Payroll Module
Report Period: 02/2005 - 05/2005
Release Date: 08/31/2005
Our audit focused on evaluating selected application controls related to the SCT Banner System Payroll Module, as implemented by the University, and selected general controls within the overall information technology (IT) environment applicable to the University for the period February 2005 through May 2005. We also evaluated University actions taken in response to selected IT-related deficiencies noted in audit report No. 2004-013.
As described below, we noted deficiencies in certain controls related to the University’s functions and practices.
Finding No. 1: The University had not developed an entitywide security program to ensure that exposures and vulnerabilities of IT resources had been sufficiently assessed by management and addressed through enforced user and system security controls. Additionally, during our field work, the University had not established a security management structure with a central figure (Information Security Manager or similar function) assigned the responsibility of overseeing the security program.
Finding No. 2: Deficiencies were noted in the University’s access security controls within the SCT Banner application environment.
Finding No. 3: Improvements were needed in certain security controls within the overall operations of the application and the supporting network environment at the University.
The University provided responses to our preliminary and tentative findings. This letter is included in its entirety at the end of this report.