Summary

Report Number: 2008-038
Report Title: Hillsborough Community College - Operational Audit
Report Period: FYE 06/30/2007
Release Date: 11/21/2007

Our operational audit for the fiscal year ended June 30, 2007, disclosed the following:

Finding No. 1:    The College’s controls over petty cash funds needed improvement.

Finding No. 2:    For a land acquisition, the College did not follow the recommendations of its independent inspection provider and did not document all considerations and negotiations in the determination of the purchase price.

Finding No. 3:    The College did not provide for adequate monitoring of a food service contractor’s compliance with the terms of a written contract.

Finding No. 4:    The College’s policies and procedures relating to employee background checks and fingerprinting needed enhancement.

Finding No. 5:    Controls over purchasing card transactions needed improvement.

Finding No. 6:    College records did not always evidence that student activity and service fee expenditures benefited the student body in general.

Finding No. 7:    The College’s information technology (IT) policies and procedures were not complete and had not been officially approved and implemented.

Finding No. 8:    The College had not developed a comprehensive security awareness and training program, and the College’s security awareness and training policies and procedures needed improvement.

Finding No. 9:    Physical access to the Data Center and network communication closets was not appropriately restricted to only those employees who required access for the performance of their job duties.

Finding No. 10: Access controls related to the College’s financial management system needed improvement to protect the College’s data from inappropriate modification or disclosure.

Finding No. 11: The College’s change management control procedures for application programs needed improvement.

Finding No. 12: Current and comprehensive service continuity controls were not approved or in place for the College’s IT resources, including the College’s financial management system.

Finding No. 13: The risk of water damage to the Data Center had not been adequately addressed by the College.

Finding No. 14: The College had not completed a comprehensive risk assessment and security program plan to identify weaknesses in its security controls and to document security controls to be used to mitigate risks to its IT resources, including the financial management system.

Finding No. 15: The College had not completely developed and implemented security incident response procedures for the financial management system and the IT infrastructure that supports it, and had not developed specific procedures regarding system performance monitoring.


The College's response is included as Appendix A of this report.