
									                                          AUDIT COMMITTEE
                                          BOARD OF VISITORS
                                                    May 11, 2005

                                                      Mason Hall
                                                       AGENDA



 I. Call To Order

II. Approval of Minutes

    Meeting of October 13, 2004

III. Old Business

IV. New Business

    A. Preliminary Report by Auditor of Public Accounts

    B. Fiscal Year 2006 Audit Plan (ACTION ITEM)

 V. Reports

    Summary of Audit Workplan

    Audit Issues Status Report

    Investigations

VI. Adjournment




                                   AUDIT COMMITTEE
                           OF THE BOARD OF VISITORS
                                        MINUTES

                                     October 13, 2004

PRESENT:      Vice Rector Pomata; Vice Chairman Nguyen; Visitors Garcia, Hopper, and Kirby;
              Director Hubble; Audit Manager Rastogi; Student Representative Nichols; and
              Secretary pro tem Gladden

ABSENT:       Chairman Klaassen, Visitor Marchant

 I. The meeting was called to order by Vice Rector Pomata at 9:07 a.m.

II. Election of Chairman and Vice Chairman

     The election of Committee Chairman was opened by Vice Rector Pomata. It was MOVED by
     Visitor Garcia and SECONDED by Visitor Nguyen that Visitor Klaassen be appointed
     Chairman of the Audit Committee. MOTION CARRIED UNANIMOUSLY BY VOICE VOTE.

     Vice Rector Pomata opened the floor for nominations for Vice Chairman. It was MOVED
     by Vice Rector Pomata and SECONDED by Visitor Garcia that Visitor Nguyen be
     nominated as Vice Chairman of the Audit Committee. MOTION CARRIED
     UNANIMOUSLY BY VOICE VOTE. Meeting was turned over to Vice Chairman
     Nguyen, in Chairman Klaassen’s absence.

III. Approval of Minutes

     It was MOVED by Vice Rector Pomata and SECONDED by Visitor Garcia to approve
     the minutes of the May 5, 2004, meeting. Minutes were APPROVED as presented.

IV. Old Business

     None

V.   New Business – Internal Audit Department Charter (Action Item)

     Vice Chairman Nguyen stated that the Internal Audit Department charter is reviewed and
     approved when a new Audit Committee Chairman is elected. This particular document was
     revised two years ago. Director Hubble went on to explain that the charter defines the
     purpose, authority and responsibility of the Internal Audit and Management Services
     Department. He went on to say that he reports directly to the Audit Committee, with a
     dotted line to Dr. Scherrens, who provides funding and other resources related to
     accomplishing this charge. Director Hubble informed the committee that Chairman
     Klaassen was the Vice Chairman of the committee when the document was last revised.

     It was MOVED by Visitor Garcia and SECONDED by Visitor Kirby to approve the
     Internal Audit Charter. MOTION CARRIED UNANIMOUSLY BY VOICE VOTE.



VI. Reports

    Auditee Survey

    Director Hubble informed the committee that a survey is sent out to the client at the
    conclusion of each audit. The feedback received from this document helps him to evaluate
    the work that has been done by the auditor and reassures the audit committee that the audit
    department is functioning as intended. Any items marked “fair” or “poor” are followed up
    with a phone call to the auditee.

    Summary of Audit Workplan

    Director Hubble gave the committee background information on how an audit plan is
    compiled. The Audit Plan defines the scheduled audits, follow-ups, indirect time, and
    administrative time planned for the year. A risk assessment is conducted every three years
    to rank the areas of risk in the university. An audit plan is then prepared using data from the
    risk assessment, sent to university management for their input, and ultimately brought
    before the audit committee for final approval. The current audit plan was approved last
    year. This report helps the committee determine how the department is progressing in the
    completion of that plan. It was noted by Director Hubble that revisions to the audit plan
    might be recommended at the next session, due to the loss of a senior auditor.

    Audit Issues Status Report

    Director Hubble stated that a report is provided to the committee members at the close of
    every audit regarding the issues that need to be corrected and the agreed-upon corrective
    action plan. These action plans are then entered into a database, which assures follow-up
    action occurs within a twelve-month period as required by the Standards. This report also
    brings these outstanding issues to the committee’s attention as issues that still need
    correction. Director Hubble indicated that on two occasions the auditee was unable to make
    corrections as agreed upon; however, through the committee’s actions, the issues were
    brought to resolution. Director Hubble explained that this report is a work in progress, in
    that “closed” issues are dropped once they have been reported closed and new issues are
    added to the end of the report.

    Investigations

    Director Hubble explained that only limited information could be exchanged on the fraud
    report. The committee would need to go into executive session to receive the full details,
    and this would require advance notice on the agenda. Currently there is one investigation in
    progress alleging the use of state funds for personal travel. Director Hubble indicated that
    once this investigation has been completed, this report will identify if the allegation was
    substantiated or not. Visitor Hopper asked if the individual was aware that he or she was
    under investigation. Director Hubble stated that since this is an allegation, background work
    is being conducted before the individual is approached.



    Director Hubble informed the committee that the Audit Charter provided in the Board
    packet was his charge. He explained that the committee has their own charter, which
    outlines their responsibilities. Director Hubble invited the committee members to meet with
    him one on one to better understand their role as an audit committee member. Director
    Hubble stated the three main responsibilities of the audit committee are: to ensure
    compliance, ensure that risk is assessed and ensure a good system of internal controls. This
    is done through oversight of the internal and external audit function. Director Hubble
    explained that the Auditor of Public Accounts is tasked with the annual review of the
    financial statements for all Commonwealth agencies. A report is given directly to the Audit
    Committee at the completion of this external audit.

    Director Hubble stated that he and Manager Rastogi were looking for ways to provide
    better service to the university and would be doing some strategic planning with other
    organizations in the Commonwealth. He also stated that the department had an opportunity
    to convey what their needs will be in 2010. The plan envisions an Inspector General type
    structure providing compliance along with the typical audit services. Six additional
    resources would be required to bring about this plan.

    Visitor Hopper asked if the current staff opening was a budget or personnel issue. Director
    Hubble indicated it was a personnel issue. The Sarbanes-Oxley Act has caused the supply
    and demand for auditors to become unbalanced. Fortunately, the university does not have to
    comply with the Act at this time; however, the university does currently abide by a
    majority of its requirements.

VII. Adjournment

    There being no further business, the meeting was adjourned by Vice Chairman Nguyen at
    9:40 a.m.

    Respectfully submitted,



    Debbie Gladden
    Secretary pro tem




ITEM NUMBER: IV.A.             Preliminary Report by Auditor of Public
                               Accounts



PURPOSE OF ITEM:               To provide the Board of Visitors with a
                               preliminary review of the recently
                               completed external audit conducted by the
                               State Auditor of Public Accounts for the
                               year ended June 30, 2004.




APPROPRIATE COMMITTEE:         AUDIT



BRIEF NARRATIVE:               The State Auditor of Public Accounts
                               performs an external audit of George Mason
                               University’s accounts and records at the end
                               of each fiscal year. This presentation is to
                               inform the Board of the preliminary results
                               of the audit.



STAFF RECOMMENDATION:          For Board information only.




ITEM NUMBER: IV.B.             Fiscal Year 2006 Audit Plan



PURPOSE OF ITEM:               To seek approval from the Board of
                               Visitors on the scheduled audits the
                               Internal Audit Department plans to
                               conduct during Fiscal Year 2006.



APPROPRIATE COMMITTEE:         AUDIT



BRIEF NARRATIVE:               The Audit Plan defines the scheduled
                               audits, follow-ups, indirect time, and
                               administrative time planned by Internal
                               Audit and Management Services for
                               Fiscal Year 2006.



STAFF RECOMMENDATION:          For Board’s Approval.




                          GEORGE MASON UNIVERSITY
                    INTERNAL AUDIT & MANAGEMENT SERVICES
                              AUDIT PLAN – FY 06

DIRECT AUDITS                                         BUDGETED HOURS
Housing and Residential Life                                400
Registrar’s Office                                          400
Facilities Construction                                     400
Office of Sponsored Programs                                400
University Life                                             400
Data Warehouse                                              800

FOLLOW-UP & MISC. AUDITS
Application: Payroll Module                                 50
Enterprise Servers: Engineering                             50
Intercollegiate Athletics: Freedom Center                   50
Library                                                     50
Food Service                                                50
Office of International Programs & Services: SEVIS          50
College of Nursing and Health Sciences                      50
Purchasing and Central Receiving                            50

INDIRECT AUDIT TIME
Investigations                                              460
Management Assistance                                       500

ADMINISTRATIVE TIME
Sick Leave                                                  500
Annual Leave                                                520
Holidays                                                    440
Professional Development                                    300
General Administration                                      200
Quality Assurance Review                                    500
Re-Engineering of Department                               1500
Recruiting                                                  200

Total Hours                                                8320




                                                   GEORGE MASON UNIVERSITY
                                            INTERNAL AUDIT AND MANAGEMENT SERVICES
                                               SUMMARY OF AUDIT WORKPLAN – FY 05

                                             Status of Regularly Scheduled Audits as of May 2005

Audit Area: Regular Audits                          Complete  In Progress  Not Started  Scheduled Completion Date  Completion Date  Percent of Completion

Office of International Programs & Services: SEVIS            X                                                                     95%
School of Computational Sciences                    X                                                              8/24/04          100%
Food Services                                       X                                                              3/16/05          100%
Application: Payroll Module                                   X                         04/29/05                                    60%
Library                                                       X                         05/27/05                                    85%
College of Nursing & Health Science                 X                                                              02/09/05         100%
Purchasing & Central Receiving                                X                         03/15/05                                    70%
Enterprise Servers: Engineering                                            X
Intercollegiate Athletics: Freedom Center                     X                         06/30/05                                    25%





                                             Status of Follow-Up Audits as of May 2005


Audit Area: Follow-Up Audits                  Complete  In Progress  Not Started  Scheduled Start Date  Completion Date

Cash Office Operations*                                 X                         06/04
Information Security Management*                        X                         07/04
Student Financial Aid                         X                                                         1/31/05
Sponsored Research Space Use Data             X                                                         12/1/05
Office of Sponsored Programs                            X                         11/04
Network Engineering & Technology Management                          X            02/05
English Language Institute                              X                         03/05
Facility Planning                                                    X            06/05



*Follow Up completed with minimal outstanding issues







INSTITUTE OF BIOSCIENCE, BIOINFORMATICS &
BIOTECHNOLOGY – 6/04/99

RECOMMENDATIONS

 2. Lease Agreement with ATCC

    ACTION TO BE TAKEN:
    University management should obtain the lease agreement from DEB with all the
    necessary approvals, as soon as possible. Additionally, the terms of this lease should
    be reviewed and re-evaluated, including the financial impact on the calculation of the
    University’s indirect cost rate. Consideration should be given to modifying the terms
    of the lease to maximize the benefits received by GMU and the Commonwealth of Virginia.

    TARGET DATE FOR COMPLETION:  June 00
    RESPONSIBLE POSITION:        Director, IB3
    FOLLOW-UP REVIEW DATE:       June 00
    ACTUAL FOLLOW-UP DATE:       September 2000
    STATUS OF COMPLETION:        Revised implementation date June 1, 2001*




       *   President Merten informed ATCC that the 2002 lease must be executed within a one year period from March 18, 2003. If not signed, “George
           Mason University will have no other option than to declare ATCC in breach of the MUA, and take all appropriate steps to sever our
           relationship at that time.”






LABORATORY SAFETY – 5/09/02

1.   Laboratory Safety Operation

     ACTION TO BE TAKEN:
     The University is currently in the process of hiring a Director of Laboratory Safety
     (new position). This individual will be responsible for updating laboratory safety
     operating procedures and implementing necessary inspections, creating and maintaining
     training record files, establishing appropriate procedure for review of MSDS sheets,
     and conducting inventory of chemicals in each laboratory in accordance with the GMU
     Hygiene Plan.

         a.   Conducting semi-annual chemical fume hoods inspection

         b.   Conducting annual inventory of lab chemicals

         c.   Conducting annual inspection of laboratories

         d.   Establishing proper chemical safety training requirements for lab users, and
              monitoring procedures to ensure compliance with the training requirements

         e.   Establishing and implementing procedures to adequately maintain and review the
              Material Safety Data Sheets (MSDS) for hazardous chemicals

     TARGET DATE FOR COMPLETION:
         June 1, 2002 – To hire Director of Laboratory Safety.
         December 31, 2002 – To update/implement laboratory safety procedures.
         December 31, 2002 – To conduct inventory of chemicals.

     RESPONSIBLE POSITION:
         C. T. Hill, Vice Provost for Research
         Julie Zobel, Director of Laboratory Safety

     FOLLOW-UP REVIEW DATE:  April 2003
     ACTUAL FOLLOW-UP DATE:  March 2004

     STATUS OF COMPLETION:
         Director of Lab Safety initially hired in July 2002. Current Director hired on 2/25/04.
         a. Closed
         b. Closed
         c. Revised implementation date 12/31/04
         d. Revised implementation date 12/31/04
         e. Revised implementation date 12/31/04






CASH OFFICE OPERATIONS – 06/10/03

1.   Controlling Access

     ACTION TO BE TAKEN:
     As soon as the above issues were brought to Management’s attention during the audit,
     the Cash Office Manager began improving physical security by instituting policies
     restricting physical access to the premises such that:

     Only Cash Office employees will be routinely admitted to the workroom and be allowed
     to access the safe.

        - During business hours, the hall door to the back offices will be locked.
          Status: Closed
        - During non-business hours, no employees will be permitted to enter the Cash
          Offices premises, and the cipher lock logs will be reviewed daily to verify this.
          Status: Closed
        - The lock box has been repaired and all key locks and combinations to safes and
          drop boxes will be changed each time an employee leaves or transfers out of the
          Cash Office to another department, including those who “transfer” to ALM or to
          Student Accounts.
          Status: Closed

     Additionally, the workroom will be remodeled to allow the safe to be moved out of the
     main flow of traffic between the workroom and teller area. The work order has been
     submitted.
     Status: Closed

     TARGET DATE FOR COMPLETION:  Policy and procedure changes implemented immediately.
                                  Remodeling is estimated to be completed by June 2004.
     RESPONSIBLE POSITION:        Larry Atienza, Cash Office Manager
     FOLLOW-UP REVIEW DATE:       June 2004
     ACTUAL FOLLOW-UP DATE:       July 2004






CASH OFFICE OPERATIONS – 06/10/03

2.   Safety and Security Measures

     ACTION TO BE TAKEN:
     As soon as the above issues were brought to Management’s attention during the audit,
     the Cash Office Manager began the following maintenance activities:

        - The silent alarms were repaired and tested, including alarms for the workroom and
          the Manager’s Office. The ADT alarm service contract was reviewed to include
          monthly testing, response time, repair responsibilities. Monthly testing has begun
          and includes alarm company notification to GMU Police, which takes seconds under
          test conditions.
          Status: Closed
        - The mechanism controlling the electronic steel grate has been fitted with a manual
          override.
          Status: Closed
        - Two additional closed circuit cameras have been installed and positioned to capture
          views of customers at all teller windows. Cameras will not be relied upon to
          substitute for active supervision of cashiers, which is being improved with the
          remodeling and relocation of the supervisor’s workstation.
          Status: Closed

     Additionally, the Manager instituted the following policies:

        - Teller drawer cash will be limited to $1,500.
          Status: Revised completion date 3/31/05
        - A policy regarding background checks for Cash Office job applicants has been
          established. It includes provisions to check routine substitute personnel from the
          ALM and Student Accounts Offices.
          Status: Closed
        - All staff will now receive periodic training for emergencies.
          Status: Closed

     TARGET DATE FOR COMPLETION:  Maintenance, safety, and security policies implemented
                                  immediately.
     RESPONSIBLE POSITION:        Larry Atienza, Cash Office Manager
     FOLLOW-UP REVIEW DATE:       June 2004
     ACTUAL FOLLOW-UP DATE:       July 2004





CASH OFFICE OPERATIONS – 06/10/03

3.   Accountability: Teller Trays

     ACTION TO BE TAKEN:
     Cash Office Management has begun to increase teller tray accountability with the
     following new policies:

        - Each teller/cashier will have sole access and responsibility for their own
          individual, physical tray contents, which will include all batches and window
          sessions, eliminating “virtual” trays.
          Status: Closed
        - Cashiers will be accountable for final tray balancing on a daily basis, which will
          include tracking of daily results (over and shorts, voids, adjustments). Balanced
          tray contents will be accepted and receipted by the deposit preparer, relieving the
          teller of responsibility for the day’s tray receipts.
          Status: Closed - partial completion. Mgmt accepts residual risk.
        - Documented tray balancing standards will be made part of each employee’s
          performance standards (Employee Work Profile).
          Status: Closed - partial completion. Mgmt accepts residual risk.
        - Each teller will have and be accountable for (by denomination) their own change
          fund.
          Status: Revised completion date 3/31/05
        - Additionally, depending on the outcome of management’s research into the purchase
          of a safe versus teller drawers (above), each employee with tasks that include
          custody of receipts will have his own lockable tray and/or his own assigned,
          lockable compartment in the safe, to store their work when they are on break, as
          well as to be able to control access so that accountability can be maintained.
          Status: Revised completion date 3/31/05

     TARGET DATE FOR COMPLETION:  Policies implemented immediately, except performance
                                  standards, which will become effective June 30, 2003.
                                  Safe and/or drawer equipment will be installed by June 2004.
     RESPONSIBLE POSITION:        Larry Atienza, Cash Office Manager
     FOLLOW-UP REVIEW DATE:       June 2004
     ACTUAL FOLLOW-UP DATE:       July 2004



                                                                                 B-17
                                                              GEORGE MASON UNIVERSITY
                                                       INTERNAL AUDIT AND MANAGEMENT SERVICES
                                                          SUMMARY OF AUDIT WORKPLAN – FY 05

                       ACTION TO BE TAKEN                               TARGET DATE FOR         RESPONSIBLE       FOLLOW-UP     ACTUAL      STATUS OF
                                                                          COMPLETION              POSITION       REVIEW DATE   FOLLOW-UP   COMPLETION
                                                                                                                                 DATE


CASH OFFICE OPERATIONS – 06/10/03

4. Accountability: Use of Operator ID and “Cashier ID”                 Logical access control   Larry Atienza,    June 2004    July 2004
                                                                        policies implemented     Cash Office
     As soon as the issue was brought to their attention,               immediately. Teller       Manager
     Management amended its logical access security policies            change funds will be
     to ensure that:                                                     available as soon as
          Each Cash Office employee is issued their own               the safe and/or drawer                                                Closed
           access account, and only one account.                         equipment has been
                                                                              installed.
          No generic accounts will be created or used.                                                                                      Closed
          Accounts will be closed promptly when a Cash
           Office employee transfers to ALM or to Student                                                                                    Closed
           Accounts.
           All BRS accountability tracking will use system                                                                                  Closed
            controlled OPERID. The “Cashier ID” will only be
            used to identify batches.
          Cash Office Manager will review the BRS and                                                                                       Closed
           Banner transaction reports daily to spot warning
           indicators/anomalies.

5.       Accountability: Use of Departmental Cash Register                 Implemented          Larry Atienza,    June 2004    July 2004
                                                                           immediately.          Cash Office
         Cash Office Management has begun to increase                                             Manager
         departmental register accountability with the
         following new policies:
          The register tray will be treated as any other tray, with                                                                         Revised
           one teller or cashier assigned the register “tray” with                                                                         completion
           locking key per day.                                                                                                            date 3/31/05
          Consistent methods for entering and validating register                                                                           Closed
           transactions will be adhered to.



                                                                                     B-18
6. Accountability: Batch Transaction Processing                       Implemented     Larry Atienza,    June 2004    July 2004
                                                                      immediately      Cash Office
   Cash Office Management has revised their policies,
   designing a batch control transmittal slip to provide                                Manager
   accountability and reduce processing stages to a minimum
   so that:
      Summarized mail/drop box receipts will be prelisted,                                                                    Closed - partial
       with envelopes accounted for.                                                                                            completion.
                                                                                                                              Mgmt accepts
                                                                                                                               residual risk.
      Transition of receipts between processors will include
       formal documentation of processor(s) handing off the                                                                          Closed
       receipts as well as the acknowledgement of the amount
       received by the receiver.
      At no point will the receipts be “stored” waiting                                                                             Closed
       assignment to the next processor(s). Proper skimming
       and depositing procedures will be followed, with the
       prelist and tally tape used to keep the tray in balance.
      Batch processing performed at the ALM workstations                                                                          Closed
       will be limited to peak periods, and only after release
       from the workroom with the prelist for accountability.

7. Accountability: “Skimmed” Receipts and “Settled                    Implemented     Larry Atienza,    June 2004    July 2004
   Work”                                                              immediately      Cash Office
   Cash Office policies for accountability over teller trays, use                       Manager
   of system controlled “OPERID,” accountability over the
   cash register, and batch processing controls have been
   designed to prevent the evolution of risky practices such as
   those noted directly above. Further,




                                                                              B-19
7. Accountability: “Skimmed” Receipts and “Settled                    Implemented     Larry Atienza,    June 2004    July 2004
   Work” (Cont’d)                                                     immediately      Cash Office
                                                                                        Manager
         Final balanced tray contents will be accepted and                                                                        Revised
          receipted by the deposit preparer, relieving the teller                                                               completion
          of responsibility for the day’s tray receipts.                                                                        date 3/31/05
         Once deposits are prepared, they will not be                                                                             Revised
          accessible to anyone until picked up by the courier.                                                                  completion
          The deposit preparer, who signs the deposit tickets                                                                   date 3/31/05
          will have his/her own locked compartment in the safe
          where they store the deposit bags. If the bank shows a
          difference, the deposit preparer will be held
          accountable.

8. Segregation of Duties, Authorization, and Supervision              Implemented     Larry Atienza,    June 2004      July 2004
   Although staffing limits the number of ways to implement           immediately      Cash Office
   adequate segregation of duties, Cash Office Management                               Manager
   will exercise a greater degree of control by its new
   accountability policies. (See actions 1-6 above.)
   Additionally,
        Two people will continue to prepare the deposits;                                                                           Closed
         however, only one person will accept responsibility and
         accountability for the deposit, the other person acting
         as “witness.”
        The numerous “verifications” will be replaced by                                                                            Revised
         meaningful transfer of custody and acceptance of                                                                          completion
         responsibility signatures.                                                                                                date 3/31/05
        Authorization requests for adjustments will be carefully
         reviewed by a supervisor who has adequate authority to                                                                   Revised
         challenge a request, especially requests to “back off”                                                                 completion
         cash or checks in order to post a credit card payment.                                                                 date 3/31/05



                                                                              B-20

9. Withholding Certain Receipts from the Deposit                        Implemented         Larry Atienza,    June 2004    July 2004
                                                                        immediately          Cash Office
    Cash Office Management has reinforced the following                                       Manager
    policies:
       All negotiable receipts will be in the sealed, secured                                                                           Revised
        deposit bags no later than the close of the next business                                                                      completion
        day, with no exceptions.                                                                                                       date 3/31/05

       All receipts representing State revenue will be                                                                                  Closed
        deposited directly to the State bank account.

10. Writing Checks to Solve Accounting or System Issues                 Programming          Beth Brock,      June 2004    July 2004     Closed
                                                                      modifications are     Assistant Vice
   There is currently no way to conclude some of the wire             targeted for May      President and
   transactions with the receipt of the wire transfer to the        2004, in coordination     Controller
   proper bank account, without modifying the system                with implementation
   interface programs. However, once the programming is             of the new cashiering
   changed, bank documentation for wire transfers will not                 system.
   pass through the Cash Office. The process will be between
   General Accounting who receive notice of the transfer, and
   the accountants who post the transactions to the proper
   accounts.




                                                                                 B-21

11. Use and Reconciliation of the “Over and Short”                A new employee in        Beth Brock,      June 2004    July 2004
    Account                                                       General Accounting      Assistant Vice
                                                                  will assume the duty    President and
    Cash Office Management, along with collaboration from          of reconciling the       Controller
    Student Accounts and General Accounting, have revised         BBD100. This is an
    their reconciliation policies as follows:                    active recruitment and
       The Cash Office will no longer reconcile the BBD100      the position should be                                                Revised
       data. The BBD100 will be reconciled by Student              filled by June 30,                                                completion
       Accounts and General Accounting.                                   2003.                                                      date 3/31/05
       “Adjustments not done” will be reported to General
       Accounting by Student Accounts who have no access to                                                                          Revised
       the receipts and cannot use the “adjustments not done”                                                                       completion
       to cover a shortage.                                                                                                        date 10/31/04
      The “Over & Short” account will be restricted to Cash                                                                           Revised
       Office receipts only.                                                                                                          completion
                                                                                                                                     date 10/31/04
       IVR credit card differences and other types of
       “accounting only differences” will be eliminated from                                                                         Revised
       Cash Office tasks and will not be posted to the Cash                                                                        completion
       Office over & short clearing account since they do not                                                                      date 3/31/05
       represent any physical receipts for which the Cash
       Office had custody.
      Credit card clearinghouse timing differences will be                                                                             Closed
       cleared on a daily basis, watching for overages that do
       not “self-clear.”




                                                                               B-22

12.       Staffing                                                       Implemented     Larry Atienza,    June 2004    July 2004
                                                                         immediately      Cash Office
      With its revisions of policies to increase cashier                                   Manager
      accountability, Cash Office Management is also focusing
      on supervision and staff coverage policy so that:
            Turnover and unexpected vacancies will be quickly and                                                                    Closed
             adequately covered, especially supervisory & manager
             positions.
            Student workers will be actively supervised and                                                                          Closed
             restricted to limited duties whenever possible.
            Staff and workloads are being balanced so that a                                                                         Closed
             “dedicated employee” who “does it all” is not allowed
             to emerge.
            With the exception of Parking Services, the Cash                                                                         Closed
             Office will hold all depositing departments to the same
             procedures, eliminating the numerous “special cases”
             that had increased Cash Office manual processing
             requirements.




                                                                                 B-23


INFORMATION SECURITY MANAGEMENT – 07/01/03

1. Business Continuity/Disaster Recovery Plan                         July 2005      Cathy Hubbs,    July 2005       Interim       In Progress:
                                                                                      Information                    Review:      65% Complete
  The University has formed the University Crisis Committee                           Technology                  February 2005
  under the leadership of the President’s Chief of Staff. A                             Security                                    Revised
  major component of the committee is the Business                                    Coordinator                                  Completion
  Continuity Working Group (BCWG), under the leadership of                                                                           Date:
  the Senior Vice President. The BCWG will identify what                                                                           December
  services need to be operational in order for the University to                                                                     2005
  function in the event of a crisis. It is expected that the
  services will vary depending on the nature of the crisis.

  The IT Security Coordinator will work with the BCWG to
  identify the IT systems that are associated with the services
  that have been identified as critical to business continuity.
  (Many of the high priority services have no specific IT
  component – e.g., water, electricity; but many do have an IT
  component.) The ITU will focus its disaster recovery plans
  on the IT systems which are under the control of the ITU.
  The BCWG chairperson will allocate responsibility for the
  development of the remaining disaster recovery plans (e.g.,
  for the water system or for IT systems not under the ITU).

  It is likely that the disaster recovery plans will require
  significant resources to implement. The chair of the BCWG
  will work with the knowledgeable parties to develop a
  budget proposal to the Budget and Planning Group. Once
  the Budget and Planning Group informs the BCWG as to the
  resources that can be made available, the BCWG will
  finalize the revised disaster recovery plans and these will be
  implemented by the responsible parties.




                                                                             B-24

2. Security Program Project Plan                                      July 2005      Cathy Hubbs,      July 2005     Interim     In Progress:
                                                                                      Information                    Review:    70% Complete
   The President has appointed a Privacy and Security                                 Technology                    December
   Compliance Team (PSCT), which includes four members                                  Security                      2005
   from the University’s Information Technology Unit, as well                         Coordinator
   as representatives from other major units. The IT Security
   Coordinator will be working with this team to develop the                         Robert Nakles,
   time frame for the project plan, assigning responsibility for                        Director,
   developing and managing the project plan, and ensuring                             Information
   resources are available to carry out the plan.                                     Technology
                                                                                     Project Office
   The IT Security Coordinator, in collaboration with the
   PSCT, will develop the structure for compiling the base-line
   inventory of systems so that it can be used to:
      Define the universe for conducting and updating risk
       analysis.
      Develop a structure to perform “gap analysis,” so that
       identification of current practices can be matched to the
       systems they protect, to ensure the information gathered
       is complete.
      Focus the project plan into manageable tasks.
       Obtain the buy-in of the members of the President’s
       Council since they will need to do much of the inventory
       work.

   The PSCT chair will develop a budget proposal to the
   Budget and Planning Group to obtain the resources needed
   to conduct and carry out the plan.




                                                                            B-25

3. Business Impact & Risk Assessment                                October 2005    Cathy Hubbs,   October 2005      Interim       In Progress:
                                                                                     Information                     Review:      85% Complete
   The IT Security Coordinator will gather data from the                             Technology                   February 2005
   institutions in VASCAN that have risk assessment                                    Security                                     Revised
   programs in place so that she can develop an organizational                       Coordinator                                   Completion
   chart, proposed set of activities, and proposed budget for a                                                                      Date:
   risk assessment program. The report will be submitted to                                                                        November
   the University Privacy and Security Compliance Team                                                                               2005
   (PSCT) for review.

   The PSCT will coordinate a pilot risk assessment process in
   the Information Technology Unit, prior to developing a
   proposal to extend risk assessment to all computer systems
   in the University.

       After analyzing the results of the pilot, the PSCT will
       make recommendations to the University Budget and
       Planning Group as to which activities should be given
       high priority and what resources are needed to
       accomplish these. Once the resources are allocated,
       risk assessment will be extended beyond the ITU to
       other areas of the University.




                                                                            B-26

4.   Role of the Security Officer in the Systems Development           March 2004      Robert Nakles,   March 2004      Interim         Closed
     Life Cycle                                                                           Director,                     Review:       Completed
                                                                                        Information                  February 2005   January 2005
     The Information Technology Unit will ensure that the                               Technology
     required security reviews and sign-offs are included in its                       Project Office
     IT project documents. These project documents will be
     complete and auditable.

     The Director of the Project Office will work with the
     Systems Administrator Leadership Team (SALT) to
     develop a plan for security review of development projects
     not under the purview of the ITU. The Vice President for
     Information Technology (VPIT) will discuss the proposed
     plan with the Executive Council in preparation for a
     discussion with the President’s Council. Buy-in from the
     President’s Council is critically important since it is they
     who will need to implement the new plan for security
     reviews of their system development projects. The VPIT
     will draft modifications to the University Policy on Projects
     that incorporate security reviews of system development
     projects and then submit these to the University Policy
     Officer so that he can initiate the formal policy
     modification steps.




                                                                              B-27

INFORMATION SECURITY MANAGEMENT – 07/01/03
5.   Security Awareness

     Target date for completion: September 2004
     Responsible position: Cathy Hubbs, Information Technology Security Coordinator
     Follow-up review date: September 2004
     Actual follow-up date: Interim Review: February 2005
     Status of completion: In Progress: 80% Complete. Revised Completion Date: December 2005

     The Chief Human Resources Officer (CHRO) and the
     Training Council will work with the IT Security
     Coordinator to develop a training program for all
     employees, including new employees. The CHRO and IT
     Security Coordinator will work cooperatively to obtain
     approval for the mandatory components. The CHRO will
     submit a budget request for a training program to the
     Budget and Planning Group.

6.   Specialized Technical Training

     Target date for completion: September 2004
     Responsible position: Cathy Hubbs, Information Technology Security Coordinator
     Follow-up review date: September 2004
     Actual follow-up date: Interim Review: February 2005
     Status of completion: Closed. Completed February 2005

     The IT Security Coordinator will work with SALT to
     develop draft guidelines and standards for the position of
     system administrator. These documents will include
     requirements for ongoing security training.

     The documents will then be forwarded for review,
     modification if necessary, and approval by the University’s
     Security Review Panel (SRP). The approved guidelines
     and standards will be presented to the Executive Council
     for review. The VPIT will then present the guidelines and
     standards to the President’s Council so that implementation
     strategies can be developed collaboratively. The VPIT, in
     conjunction with the Provost, will obtain signoffs and
     funding commitments from the President’s Council to
     implement the standards. Next, they will submit a budget
     request for whatever additional funds are needed to
     implement the guidelines and standards to the Budget and
     Planning Group.



                                                                             B-28

SPONSORED RESEARCH SPACE – 09/08/03

  Target date for completion: October 31, 2003
  Responsible position: Beth Brock, University Controller
  Follow-up review date: September 2004
  Actual follow-up date: November 2004
  Status of completion: Closed

  The University Controller will meet with the space
  liaisons for the four units that were audited and review
  the audit results with them. These four individuals are
  aware that they may be interviewed by the federal
  auditor and will need to justify the numbers they entered
  into the space database. The Controller will discuss the
  discrepancies between the worksheets and the database
  to determine each liaison’s opinion as to the accuracy of
  his/her portion of the database, since it contains the
  numbers that will be submitted to the federal
  government. Use of the worksheets required by Fiscal
  Services procedures provides a mechanism for
  documenting the index number of the sponsored
  project(s) that was conducted in the room. The
  Controller will request that all four liaisons link their
  room numbers to their unit’s significant research
  projects, using the worksheet or some other document.
  For the next reporting cycle, Fiscal Services will ask the
  Space Database Administrator to add a column for
  project index number in the space database and will
  recommend but not require the worksheets if the column
  is added to the database.

  The University Controller will also request all invalid
  codes and those for projects that ended prior to FY 2003
  be removed from the database and percentages corrected
  as necessary.




                                                                         B-29

OFFICE OF SPONSORED PROGRAMS – 12/03/03

1.   Fixed Price Grants

     Target date for completion: All procedures have been implemented.
     Responsible position: Melinda Barnhart, Assoc. Dir., Financial Management
     Follow-up review date: November 2004
     Actual follow-up date: November 2004

     OSP has implemented a billing setup/review procedure to
     ensure timely billing of all fixed-price and payment
     schedule invoices. Before the project is set up, the
     invoicing team will review and identify the invoicing
     instructions. The invoicing terms for funds that require an
     invoice based on deliverables or based on a sponsor
     dictated schedule will be recorded on a spreadsheet
     including the month(s) that invoicing should occur. Each
     month the spreadsheet and project files will be reviewed for
     appropriate invoicing action. In addition, the spreadsheet
     will also be used to track progress payments that should be
     received by GMU without invoicing. The invoicing team
     will track the months that the progress payments are due on
     the spreadsheet and will monitor the receipt of these
     payments utilizing the same.

2.   Billing & Receivables

     Target date for completion: Target date for full implementation of new
     invoicing information sheet is 8/31/04. Aging Report produced in Nov. will
     be used to report receivables both to invoicing team and Controller.
     Responsible position: Melinda Barnhart, Assoc. Dir., Financial Management
     Follow-up review date: November 2004
     Actual follow-up date: November 2004

     OSP is developing a revised information sheet to capture
     the billing/invoicing information, including the billing
     address, type of invoice form, frequency of invoicing,
     requirements of any backup information that is sent with
     the invoice and who will provide the backup (OSP, PI, or
     department administrator), sponsor contact person for
     invoicing questions, if known. If invoicing schedule is not
     monthly, the actual invoicing dates will be listed and
     checked off when billing occurs. The dates that progress
     payments are due to GMU will also be listed and checked
     off as received.



                                                                                  B-30

OFFICE OF SPONSORED PROGRAMS – 12/03/03

2.   Billing & Receivables (Cont’d)

     Target date for completion: Target date for full implementation of new
     invoicing information sheet is 8/31/04. Aging Report produced in Nov. will
     be used to report receivables both to invoicing team and Controller.
     Responsible position: Melinda Barnhart, Assoc. Dir., Financial Management
     Follow-up review date: November 2004
     Actual follow-up date: November 2004

     Aging Report: OSP now has the capability to run a reliable
     Aging Analysis Report from the Banner System. A more
     formal process of using the Aging Report will be
     implemented. The report will be run monthly and a list of
     receivables over 90 days due will be given to the invoicing
     team for review and action. This list and any necessary
     action to be taken, including sending the receivable to Loan
     Management, will also be discussed at OSP's monthly
     meeting with the University Controller.

3.   Close Out of Expired Projects

     Target date for completion: Wages Position due to begin work on
     December 8, 2003. Target for clearing up closeouts on old projects is
     August 31, 2004.
     Responsible position: Melinda Barnhart, Assoc. Dir., Financial Management
     Follow-up review date: November 2004
     Actual follow-up date: November 2004

     OSP is in the process of hiring a wage employee to work on
     the close-out of projects. This employee will work with the
     OSP grant specialists in processing the backlog of projects
     that need to be closed on both the sponsor side and the
     university side. The grant specialists have instructions on
     processing the top half of the close-out checklist and have
     already processed more than fifty project funds for
     closeout. With the additional space recently allocated for
     OSP files on site, the closeout process will proceed in a
     more organized manner. Finally, OSP will continue to use
     a hierarchical notification process when PIs are delinquent
     in submission of the technical reports; i.e., if the PI does
     not respond, the PI’s Chair and/or Dean will be notified. In
     some instances, delinquent technical reports may prohibit
     the university from submitting and/or receiving new awards
     from a sponsor.




                                                                                  B-31

OFFICE OF SPONSORED PROGRAMS – 12/03/03

4. Overspent Grants/Projects

   Target date for completion: Immediate
   Responsible position: Ann McGuigan, Director, OSP
   Follow-up review date: November 2004
   Actual follow-up date: November 2004

   The review and cleanup caused by overexpenditures
   continues to be a substantial drain on OSP resources. OSP
   will continue to monitor overspent funds monthly in order
   to alert the PI in a timely manner that their fund is
   overspent. If the PI does not respond, notification will
   include higher levels of administration (i.e., Chair and
   Dean). And, if the departments/colleges/units are also
   unresponsive, senior university academic and business
   administrators will be notified to request intervention for
   resolution.

5. Letter of Credit Draw Downs and Holding Account

   Target date for completion: The procedures have already been implemented.
   Responsible position: Melinda Barnhart, Assoc. Dir., Financial Management;
   Carol McGinnis, Associate Controller, Fiscal Services
   Follow-up review date: November 2004
   Actual follow-up date: November 2004

   OSP and Fiscal Services have finalized procedures for
   Letter of Credit and other types of draw downs to satisfy
   monthly invoices. OSP will provide the total amount to
   draw down from each agency and the specific amount to
   apply to each fund. Fiscal Services will inform OSP when
   the initial amount is requested and again when the amounts
   have been applied on the payment screen in the Grants
   Module of the Finance System. OSP will then do an audit
   of the application of payments. The goal is for all draw
   downs and application of payments to occur in the month
   following the month for which the invoiced amounts were
   provided. Fiscal Services continues to have the
   responsibility of reconciling the holding fund.




                                                                            B-32

NETWORK ENGINEERING & TECH MGMT– 2/2/04

1. Managing Physical Access Controls

   Target date for completion: See estimated completion dates in
   Attachment A, ranging from implemented as of the date of the report to
   end of fiscal year 2005.
   Responsible position: Chris Nayeri, Manager, Network Operations;
   John Hanks, Sr. Manager, Network Engineering & Operations;
   Randy Anderson, Director, NET
   Follow-up review date: Through January 2006

   • NET has begun a “TC Security” project that includes
     purging its cipher locks of all anonymous, generic, or
     otherwise unnecessary access, as well as developing
     procedures to ensure that future access grants and
     deletions are timely managed, including working out a
     way to coordinate with Field Services for effectively
     managing access to the back hallway.
   • By calendar year-end 2003, NET completed the
     deletion of the “generic” access codes to the NOC.
   • By the end of calendar year 2004, NET will have
     completed an inventory of all telecomm closets, to
     include identifying decentralized responsible parties
     who are authorized to grant access to various closets.
   • NET began a project in October 2003 to rekey all the
     TC spaces, including a new lock system devised with
     the assistance of University Key Control. NET is
     working with Physical Plant to review access
     requirements so that procedures will be in place to
     monitor accesses granted to NET or ITU controlled TC
     closet space and to ensure that access is only granted
     on a specific, least privilege basis.
   • Within two years, NET plans to ensure that its vendor
     contracts include security and confidentiality
     provisions as a safeguard for any access granted.




                                                                              B-33

NETWORK ENGINEERING & TECH MGMT– 2/2/04

2.   Configuration Management

     Target date for completion: Partial progress has been made as of the
     date of this report as noted above. Completion of long-term actions is
     anticipated by the end of fiscal year 2005, contingent upon available
     funding.
     Responsible position: John Hanks, Sr. Manager, Network Engineering;
     Randy Anderson, Director, NET
     Follow-up review date: Through January 2006

     • NET has been continuing with their documentation and
       diagramming project as staff time and financial budgets
       permit. Diagramming of critical subnets is ongoing,
       with allocation of responsibility for specific network
       segments/buildings to specific engineers for
       diagramming.
     • By the end of two years, NET anticipates having
       finalized its naming conventions and changing all
       documentation and major equipment to reflect
       consistent conventions. This should enable better
       inventory control along with providing better
       management information related to equipment
       maintenance and replacement scheduling, in addition to
       more efficient trouble-shooting and problem solving.
     • NET has begun discussions with key personnel and
       stakeholders related to developing and documenting
       filter and firewall configuration (rules) standards and
       policies.
     • NET has begun the evaluation process to select and
       obtain a commercial configuration management
       application for use on all its key network devices to
       help ensure the integrity and security of its router
       configuration files. The final purchase of such a
       package is contingent on available funding.




                                                                                  B-34

NETWORK ENGINEERING & TECH MGMT– 2/2/04

2. Configuration Management (Cont’d)

   Target date for completion: Partial progress has been made as of the
   date of this report as noted above. Completion of long-term actions is
   anticipated by the end of fiscal year 2005, contingent upon available
   funding.
   Responsible position: John Hanks, Sr. Manager, Network Engineering;
   Randy Anderson, Director, NET
   Follow-up review date: Through January 2006

   • NET well-recognizes that complete sets of
     updated, comprehensive network diagrams and
     configuration documentation are a cornerstone of
     network management best practices; however,
     working within State and University budgetary
     realities, NET does not foresee that this level of
     documentation can be accomplished in the near
     future. NET will continue its efforts to improve
     network documentation and mitigate attendant
     risks incrementally as budgetary feasibility
     permits.

   • NET has increased its headcount by 2.5 positions
     which will provide NET staff the flexibility to
     allocate resources to improving router
     configuration file management standards and
     procedures, which would include procedures for
     back-up and offsite storage of configuration files,
     configuration change management, and
     documentation requirements. By the end of
     calendar year 2003, recruitment for one additional
     approved position should be underway.




                                                                             B-35

NETWORK ENGINEERING & TECH MGMT– 2/2/04

3. Physical Environment

   Target date for completion: Inventory and environmental checklists are
   anticipated to be completed by early in calendar year 2004. NOC
   housekeeping improvements are underway and will continue to improve as
   the useable space improves. NET has received no feedback as yet related
   to completion dates from Physical Plant or Space Mgmt. Additional
   equipment to improve humidity/temperature control in deficient TC’s is
   hoped to be in place during 2005, but is heavily contingent upon
   available funding. See Attachment A for specific actions and estimated
   completion dates.
   Responsible position: Chris Nayeri, Manager, Network Operations;
   John Hanks, Sr. Manager, Network Engineering & Operations;
   Randy Anderson, Director, NET
   Follow-up review date: Through January 2006

   • In order to improve the physical environment of the
     NOC, NET has placed a work order with University
     Physical Plant to perform necessary renovations to
     increase the usable space in the Thompson Hall lower
     level rooms, especially to enable engineers to reduce
     the crowded clutter in work spaces where critical
     equipment is housed, such as the Thompson Hall
     routers and the network management console.
   • NET requested additional office space from University
     Space Management in October 2003. With adequate
     office space for the engineers, NET can improve the
     housekeeping in critical areas of the NOC by reducing
     the clutter and overcrowding created by the current
     insufficient space for engineer cubicles and small
     equipment parts and tools.
   • As part of the TC inventory project noted above, NET
     has begun developing an environmental checklist to
     assess the state of each TC. Once this checklist has
     been adopted, NET will institute policy and procedures
     to perform regular periodic checks of the TC’s
     assessing their environmental status so that necessary
     maintenance and improvements can be performed.
   • For TC’s that are identified in the assessments as
     deficient in humidity/temperature control, NET hopes
     to have the budget to add auxiliary cooling where
     necessary to provide adequate protection of the
     equipment.




                                                                              B-36

NETWORK ENGINEERING & TECH MGMT– 2/2/04

4. Reliability, Recovery & Incident Response

   Target date for completion: NET hopes to be able to complete its
   internal action plans by the end of fiscal year 2004. For plans that
   involve units exterior to NET, action plans are anticipated to be in
   progress or implemented by the end of fiscal year 2005. For details of
   estimated completion dates, see Attachment A.
   Responsible position: John Hanks, Sr. Manager, Network Engineering &
   Operations; Randy Anderson, Director, NET
   Follow-up review date: Through January 2006

   • NET’s major intention to ensure continuity of
     University network services is to add a redundant fiber
     circuit between campuses. Currently, vendor
     discussions are ongoing, but the project has yet to be
     funded and, therefore, a completion date cannot be set,
     although NET hopes the project can be accomplished
     within the next three years.
   • The University Business Continuity Task Force is in
     the process of identifying critical business functions as
     part of its IT Security Compliance action plans. When
     these functions have been identified, NET will identify
     its most critical systems that support these functions
     and implement coordinated Disaster Recovery plans.
   • ITU has established a “TRAP” Team (Threat Response
     Action Planning Team) to develop incident response
     plans and procedures. This team is made up of
     representatives from various ITU units, including the
     Security Coordinator and NET representative.
   • Within the NET unit itself, increased staffing will
     enable NET to better utilize its NetInfo logging system
     and Desktop Support Services “Magic” system to track,
     monitor, identify, escalate, analyze, and resolve
     incidents and problems related to network operations
     and availability.




                                                                                  B-37


NETWORK ENGINEERING & TECH MGMT – 2/2/04

5. Monitoring, Metrics, Logging, & Analysis

   - With the increased headcount in NET staffing, a formalized schedule for NOC duty has been
     put in place. This will improve NET’s ability to proactively monitor network activity,
     including adhering to the previously designed log review procedures, especially various
     levels of router access controls.
   - Currently, commercial configuration management applications are being evaluated to
     improve NET’s ability to manage device configurations and changes. Some log filtering
     features on newer network mgmt packages may be useful to NET to provide more manageable
     means to monitor and analyze network activity as it relates to problem and incident
     response.
   - Included in the features being evaluated in the selection of a commercial router
     management tool, above, are capabilities for effective log filtering and activity
     analysis, as well as more granular logical access. The priority features will be tied to
     providing reliable service, ensuring availability, and enhancing security.
   - Monitoring, data capture, and analysis features for providing statistical information
     about the network’s availability and reliability for purposes of developing benchmark
     metrics and NET standards for providing service are, at present, unaffordable luxuries
     for NET. These capabilities may or may not materialize over the next 3-5 years,
     depending on budget and staff availability.
   - If feasible, NET intends to buy or develop an improved network information logging
     system.

   Target date for completion: Actions directly related to improved security, availability,
     and reliability objectives are anticipated to be in place by the end of FY 2004. Actions
     related to performance metrics and benchmarking standards of performance for NET will be
     determined if and when funding becomes available. See attachment A for details.
   Responsible position: John Hanks, Sr. Manager, Network Engineering & Operations;
     Randy Anderson, Director, NET
   Follow-up review date: Through January 2006



                                                                                    B-38


STUDENT FINANCIAL AID – 2/13/04

Reconciling GAPS Activity

   Monthly reconciliations of CWS expenses and quarterly reconciliations between GMU’s
   records and GAPS will be performed by the Restricted Funds Accountant and reviewed by her
   supervisor, the Accounting Director for Financial Reporting. Draw down of funds will be
   performed by the Accounting Director for Banner Finance.

   Target date for completion: Reconciliations were begun immediately and are expected to be
     current by March 31, 2004.
   Responsible position: Carol McGinnis, Associate Controller
   Follow-up review date: July 2004
   Actual follow-up date: July 2004
   Status of completion: Closed




                                                                         B-39


ENGLISH LANGUAGE INSTITUTE – Compliance Audit 4/30/04

1. Cash Receipts

   ELI will work with the Office of Fiscal Services and the Director of Internal Controls and
   Cost Accounting to review and redesign existing cash receipting procedures in order to
   ensure internal control objectives are met in accordance with the University’s cash
   handling policy and guidelines.

   Target date for completion: September 30, 2004
   Responsible position: Kathryn Trump, Director, English Language Institute
   Follow-up review date: January 2005
   Actual follow-up date: March 2005

2. Students with Tuition Waivers

   ELI will work with the Provost’s Office and will implement procedures to ensure all
   students registered for ELI courses are set up on SIS, irrespective of tuition waivers.

   Target date for completion: September 30, 2004
   Responsible position: Kathryn Trump, Director, English Language Institute
   Follow-up review date: January 2005
   Actual follow-up date: March 2005




                                                                              B-40


FACILITIES PLANNING – 9/22/04

1. Selection of the Architect/Engineer

   The Facilities Planning Office will develop a checklist that will cover the requirements
   of the A/E selection process. In addition, a central file for each capital project will be
   established to include all supporting documentation.

   Target date for completion: March 31, 2005
   Responsible position: Jim Miller, University Architect
   Follow-up review date: June 2005

2. Construction Procurement

   The Facilities Planning Office will develop a checklist that will cover the requirements
   of the construction procurement process. In addition, a central file for each capital
   project will be established and will include all supporting documentation.

   Target date for completion: March 31, 2005
   Responsible position: Jym Stampp, Director of Capital Finance
   Follow-up review date: June 2005

3. Capital Outlay Expenditures

   Since July 1, the Office of Capital Finance has instituted the requirement for Project
   Managers to sign and date A/E invoices as evidence of approval for disbursement purposes.

   Follow-up review date: June 2005




                                                                                 B-41


COLLEGE OF NURSING AND HEALTH SCIENCE – Compliance Audit 2/7/05

Cash Receipts

   CNHS will work with the Office of Fiscal Services and the Director of Internal Controls
   and Cost Accounting to strengthen existing cash receipting procedures in order to ensure
   internal control objectives are met in accordance with the university’s cash handling
   policy and guidelines.

   Target date for completion: September 15, 2005
   Responsible position: Lisa Joyner, Director, Operations and Budget
   Follow-up review date: January 2006




                                                                              B-42


FOOD SERVICES – 3/16/05

1. Contract Administration And Financial Provisions Of The Contract

   University Services will create a procedures document that will account for in writing the
   major contract provisions. Sodexho has agreed to provide a quarterly statement showing all
   accruals and expenses against accrued accounts along with an annual summary. This includes
   all equipment accruals, renovation accruals, and commission accruals. On a yearly basis
   there will be a settlement document accounting for close out and carry-forward of
   commission, fee to Sodexho, variable fee, all accrual accounts, and the net return to the
   University. Any substantial deviation of contract provisions which would not require a
   contract amendment will be documented with a memorandum of understanding between the
   parties. University Services will also consult with Fiscal Services on the adequacy of
   carrying forward balances from year to year based on netting of funds.

   Target date for completion: The procedures document has already been developed. The format
     for reporting of accrual funds and expenses has been established. Memorandums of
     understanding and settlement document will be developed when appropriate.
   Responsible position: Chris Chisler, Director, University Services
   Follow-up review date: October 2005

2. Guaranteed Return Due The University

   Reconciliation of commission will be documented.

   Target date for completion: June 30, 2005
   Responsible position: Chris Chisler, Director, University Services
   Follow-up review date: October 2005

3. Equipment Replacement And Renovation Account

   Sodexho has agreed to provide a quarterly statement showing all accruals and expenses
   against accrued accounts along with an annual summary.

   Target date for completion: June 30, 2005
   Responsible position: Chris Chisler, Director, University Services
   Follow-up review date: October 2005




                                                                                B-43
                 GEORGE MASON UNIVERSITY
          INTERNAL AUDIT AND MANAGEMENT SERVICES
             INVESTIGATIONS FOR FISCAL YEAR 2005




1.   Alleged Travel Fraud – Complete (Unsubstantiated)

2.   Alleged Workers Comp Fraud – Complete (Unsubstantiated)

3.   Alleged Abuse of Time – In Progress

4.   Alleged Receipt of Kickbacks – In Progress

5.   Alleged Abuse of Time/Leave – In Progress

6.   Alleged Abuse of State Resources – In Progress




                                    B-44

								