Summary

Our operational audit for the fiscal year ended June 30, 2008, disclosed the following:

Finding No. 1:         The University had not completed its comprehensive written policies and procedures manual pertaining to its financial operations and related activities.

Finding No. 2:        The University reported information to the Board of Governors for institutes and centers that was incorrect.

Finding No. 3:        For insurance purposes, the University valued its buildings and other structures $8.8 million more than the actual cash value (ACV) maximum that would be covered by the State’s Division of Risk Management in the event of a loss.

Finding No. 4:        The University did not effectively manage contractual arrangements with its independent contractors who provided services for the University’s Supplemental Educational Services program.

Finding No. 5:        The University had not implemented a formal ongoing security awareness program to protect information technology resources.

Finding No. 6:        The University had not developed a formal information technology security program.

Finding No. 7:        The University’s security controls needed improvement in the areas of protecting data center equipment and securing the accounting ERP system.

Management’s response is included as Exhibit B.