Minnesota Office of the Legislative Auditor
Financial Audit Division


Report Summary


Financial-Related Audit

Minnesota State Colleges and Universities

SCUPPS Information Technology Audit


General Security Control Conclusions

In general, SCUPPS application security controlling access by campus users was found to be adequate. However, internal security weaknesses in the operating system and database management system expose MnSCU's business data, including campus payroll and personnel data, to significant risks. Many of these weaknesses were reported in 1997 and again in 2000. Specifically:

  • MnSCU has not established standards for granting access to its IT professionals. IT staff were found to have excessive system privileges, and too many had the ability to update security transactions.
  • In addition, certain SCUPPS computer programs are not properly and consistently secured, certain users could alter or delete data in uncontrolled ways, password management practices and monitoring methods were weak, and data transferred between SCUPPS and SEMA4 was not encrypted.

Application Control Conclusions

Generally, SCUPPS accurately processed data once it was input into the system. However, we feel MnSCU can improve controls if it designs and implements more preventative edits or automated controls. We found the system lacked several key edits. Of most significance, the system does not limit faculty and administrators' pay to the negotiated bargaining agreement amounts. As a result of having few preventative controls, MnSCU placed significant reliance on manual detective controls at each of its institutions. MnSCU could do more, however, to focus campus attention on unedited and high-risk transactions. Other concerns included the need for improved monitoring of transactions entered directly into SEMA4 and increased automation and accuracy of leave data maintained in SCUPPS.

Financial-Related Audit Reports address internal control weaknesses and noncompliance issues found during our audits of state departments and agencies. The scope of our work at the Minnesota State Colleges and Universities was limited to a review of MnSCU's operating systems and SCUPPS application controls that protect the integrity of its critical business and personnel data.


Office of the Legislative Auditor ♦ Room 140, 658 Cedar St., St. Paul, MN 55155