Summary

The Florida Agricultural and Mechanical University (University) utilized the Oracle-PeopleSoft (PeopleSoft) Financials and Student Administration Systems as its enterprise resource planning (ERP) solution.  The PeopleSoft Systems were operated within an Internet-based environment on servers housed and maintained by the Northwest Regional Data Center (NWRDC).

Our audit focused on evaluating selected information technology (IT) controls applicable to the PeopleSoft Financials System, as implemented and administered by the University, and selected internal controls related to the University’s IT environment, for the period August 2005 through March 2006.

As described below, we noted that improvements were needed in certain controls related to the University’s IT functions and practices.

Finding No. 1:        The University did not provide sufficient records and documentation to allow for a timely evaluation of certain IT controls related to the support of the University’s PeopleSoft Financials System.

Finding No. 2:       Deficiencies existed in various information technology (IT) controls over the University’s PeopleSoft Financials System, jeopardizing the integrity of application programs and data.

Finding No. 3:       The University had not developed an entitywide security program to ensure that exposures and vulnerabilities of IT resources had been sufficiently assessed by management and addressed through enforced user and system security controls.  Additionally, the University had not established a security management structure with a central figure (Information Security Manager or similar function) assigned the responsibility of overseeing the security program.

Finding No. 4:       Improvements were needed in University controls protecting the integrity of computer workstations that could access the PeopleSoft systems.

Finding No. 5:       Contrary to University policy, the University did not perform background checks of employees occupying IT positions or positions assigned to the PeopleSoft implementation project.

Finding No. 6:       Deficiencies were noted in certain security controls protecting the PeopleSoft Financials System, in addition to the matters noted in Finding Nos. 2, 3, and 4.

Finding No. 7:       Improvements were needed in environmental controls at the facility that housed the University’s network server.

Finding No. 8:       The University lacked sufficient written policies and procedures for the disposal of IT equipment.

Finding No. 9:       The University did not have a current and comprehensive disaster recovery plan for its IT resources, including the PeopleSoft systems.

Finding No. 10:     The University had not established written performance requirements with NWRDC for the operation of the University’s PeopleSoft servers.

The President's response is included at the end of this report as Appendix A.