DEPUTY STATE AUDITOR STATE OF UTAH Joe Christensen CPA FINANCIAL by armedman2

VIEWS: 0 PAGES: 6

									                                                                                    DEPUTY STATE AUDITOR:
                                             STATE OF UTAH                           Joe Christensen, CPA

                                    Office of the State Auditor                     FINANCIAL AUDIT DIRECTORS:
                                             211 STATE CAPITOL                       H. Dean Eborn, CPA
                                         SALT LAKE CITY, UTAH 84114                  Deborah A. Empey, CPA
                                                (801) 538-1025                       Stan Godfrey, CPA
                                              FAX (801) 538-1383
                                                                                     Jon T. Johnson, CPA
Auston G. Johnson, CPA
  UTAH STATE AUDITOR



                                          REPORT NO. 02-13


    November 1, 2002


    To the Board of Trustees
        and
    Dr. F. Ann Millner, President
    Weber State University

    We have completed our audit of the financial statements of Weber State University (the University)
    for the year ended June 30, 2002. Our report thereon, dated September 27, 2002, was issued under
    separate cover. This management letter contains the Report on Compliance and on Internal Control
    Over Financial Reporting required by Government Auditing Standards issued by the Comptroller
    General of the United States. We have not yet completed the University’s portion of the statewide
    federal compliance audit for the year ended June 30, 2002. Any audit findings and recommendations
    resulting from that portion of our statewide federal compliance audit will be communicated to you
    in a separate report. The federal programs being tested as major programs at the University are the
    Vocational Education program and Financial Aid cluster of programs. Our report on the statewide
    federal compliance audit for the year ended June 30, 2002 should be issued by April 2003.

    This report by its nature focuses on exceptions, weaknesses, and problems. This should not be
    understood to mean there are not also various strengths and accomplishments. We appreciate the
    courtesy and assistance extended to us by the personnel of the University during the course of our
    audit, and we look forward to a continuing professional relationship. If you have any questions,
    please call Dean Eborn, Audit Director, at 538-1352.

    Sincerely,



    Auston G. Johnson, CPA
    Utah State Auditor

    cc: Dr. Norman C. Tarbox, Vice President for Administrative Services
        Steven E. Nabor, Assistant Vice-President of Financial Services
                               WEBER STATE UNIVERSITY
                        FOR THE FISCAL YEAR ENDED JUNE 30, 2002

                                       TABLE OF CONTENTS


                                                                                       Page

REPORT ON COMPLIANCE AND ON INTERNAL CONTROL OVER FINANCIAL
REPORTING BASED ON AN AUDIT OF FINANCIAL STATEMENTS PERFORMED
IN ACCORDANCE WITH GOVERNMENT AUDITING STANDARDS                                        1


FINDINGS AND RECOMMENDATIONS:

1. INADEQUATE SEPARATION OF PROGRAMMER DUTIES (Reportable Condition, Repeat Finding)    3

2. INADEQUATE SEPARATION OF SECURITY AND COMPUTER OPERATIONS DUTIES
   (Reportable Condition, Repeat Finding)                                               3
                                                                                     DEPUTY STATE AUDITOR:
                                             STATE OF UTAH                            Joe Christensen, CPA

                                   Office of the State Auditor                       FINANCIAL AUDIT DIRECTORS:
                                              211 STATE CAPITOL                       H. Dean Eborn, CPA
                                          SALT LAKE CITY, UTAH 84114                  Deborah A. Empey, CPA
                                                 (801) 538-1025                       Stan Godfrey, CPA
                                               FAX (801) 538-1383
                                                                                      Jon T. Johnson, CPA
Auston G. Johnson, CPA
  UTAH STATE AUDITOR




     REPORT ON COMPLIANCE AND ON INTERNAL CONTROL OVER FINANCIAL
         REPORTING BASED ON AN AUDIT OF FINANCIAL STATEMENTS
     PERFORMED IN ACCORDANCE WITH GOVERNMENT AUDITING STANDARDS


   To the Board of Trustees
       and
   Dr. F. Ann Millner, President
   Weber State University

   We have audited the financial statements of Weber State University (the University) as of and for
   the year ended June 30, 2002, and have issued our report thereon dated September 27, 2002. We
   conducted our audit in accordance with auditing standards generally accepted in the United States
   of America and the standards applicable to financial audits contained in Government Auditing
   Standards, issued by the Comptroller General of the United States.

   As part of obtaining reasonable assurance about whether the University’s financial statements are
   free of material misstatement, we performed tests of its compliance with certain provisions of laws,
   regulations, contracts and grants, noncompliance with which could have a direct and material effect
   on the determination of financial statement amounts. However, providing an opinion on compliance
   with those provisions was not an objective of our audit and, accordingly, we do not express such an
   opinion.

   Internal Control Over Financial Reporting
   In planning and performing our audit, we considered the University’s internal control over financial
   reporting in order to determine our auditing procedures for the purpose of expressing our opinion
   on the financial statements and not to provide assurance on the internal control over financial
   reporting. However, we noted certain matters involving the internal control over financial reporting
   and its operation that we consider to be reportable conditions. Reportable conditions involve matters
   coming to our attention relating to significant deficiencies in the design or operation of the internal
   control over financial reporting that, in our judgment, could adversely affect the University’s ability
   to record, process, summarize and report financial data consistent with the assertions of management
   in the financial statements. The two reportable conditions are described in the accompanying
   schedule of findings and recommendations.

   A material weakness is a condition in which the design or operation of one or more of the internal
   control components does not reduce to a relatively low level the risk that misstatements in amounts
   that would be material in relation to the financial statements being audited may occur and not be

                                                      1
detected within a timely period by employees in the normal course of performing their assigned
functions. Our consideration of the internal control over financial reporting would not necessarily
disclose all matters in the internal control that might be reportable conditions and, accordingly,
would not necessarily disclose all reportable conditions that are also considered to be material
weaknesses. However, we believe that neither of the reportable conditions described above is a
material weakness.

This report is intended solely for the information and use of the University’s Board of Trustees and
management and is not intended to be and should not be used by anyone other than these specified
parties.



UTAH STATE AUDITOR
September 27, 2002




                                                 2
                                WEBER STATE UNIVERSITY
                            FINDINGS AND RECOMMENDATIONS
                         FOR THE FISCAL YEAR ENDED JUNE 30, 2002


1.   INADEQUATE SEPARATION OF PROGRAMMER DUTIES
     (Reportable Condition) (Repeat Finding)

     The University’s application programmers have access to production programs and data and are
     moving programs from test to production. In addition, the systems programmers also have
     computer operation responsibilities. A separation of these duties is necessary to reduce the
     opportunity for an employee to commit and conceal errors or fraud in the normal course of their
     duties. Proper assignment of responsibilities helps prevent or detect deliberate or accidental
     errors caused by improper use of data files, unauthorized or incorrect use of a computer
     program, and/or improper use of computer resources. If the separation of duties is weak or
     lacking, the integrity of a computer system may be affected. An alternate course of action, that
     is less desirable, would be to log all programmer access to production areas and designate an
     employee without programming duties to review the logs. At the current staffing level,
     implementing adequate controls in this area is difficult, but nonetheless important.

     Recommendation:

     We recommend that the University restrict application programmers’ access to
     production data and programs. If proper separation of duties is not achieved, we
     recommend that the University log all programmer access to production areas and
     designate an employee without programming duties to review these logs.

     University’s Response:

     We agree with the recommendation. Much progress has been made over the past year to fully
     implement the recommendation. We expect to be in full compliance within 18 months.


2.   INADEQUATE SEPARATION OF SECURITY AND COMPUTER OPERATIONS
     DUTIES (Reportable Condition) (Repeat Finding)

     The University’s information technology area does not separate the security function from the
     computer operations/systems programming function. Security duties include setting up new
     users and controlling and reviewing audit logs. To ensure adequate control of all system activity
     and to help prevent unauthorized/inappropriate access to critical files, the security function
     should be organizationally separate from other computer-related activity. At the current staffing
     level, implementing adequate controls in this area is difficult, but nonetheless important.

     Recommendation:

     We recommend that the University separate security duties from computer operations/
     systems programming duties and limit the security privilege to security administrators.

                                                    3
                         WEBER STATE UNIVERSITY
                      FINDINGS AND RECOMMENDATIONS
                   FOR THE FISCAL YEAR ENDED JUNE 30, 2002


University’s Response:

We agree with the recommendation. We expect to fully implement this recommendation within
12 months.




                                           4

								
To top