APRIL 4, 2002 02-23

Financial Audit Division The Office of the Legislative Auditor (OLA) is a professional, nonpartisan office in the legislative branch of Minnesota State government. Its principal responsibility is to audit and evaluate the agencies and programs of state government (the State Auditor audits local governments). OLA's Financial Audit Division annually audits the state's financial statements and, on a rotating schedule, audits agencies in the executive and judicial branches of state government, three metropolitan agencies, and several "semi-state" organizations. The division also investigates allegations that state resources have been used inappropriately. The division has a staff of approximately fifty auditors, most of whom are CPAs. The division conducts audits in accordance with standards established by the American Institute of Certified Public Accountants and the Comptroller General of the United States.

Consistent with OLA's mission, the Financial Audit Division works to: · Promote Accountability, · Strengthen Legislative Oversight, and · Support Good Financial Management. Through its Program Evaluation Division, OLA conducts several evaluations each year and one best practices review.

OLA is under the direction of the Legislative Auditor, who is appointed for a six-year term by the Legislative Audit Commission (LAC). The LAC is a bipartisan commission of Representatives and Senators. It annually selects topics for the Program Evaluation Division, but is generally not involved in scheduling financial audits.

All findings, conclusions, and recommendations in reports issued by the Office of the Legislative Auditor are solely the responsibility of the office and may not reflect the views of the LAC, its individual members, or other members of the Minnesota Legislature.

This document can be made available in alternative formats, such as large print, Braille, or audio tape, by calling 651-296-1727 (voice), or the Minnesota Relay Service at 651-297-5353 or 1-800-627-3529. All OLA reports are available at our Web Site: https://www.auditor.leg.state.mn.us

If you have comments about our work, or you want to suggest an audit, investigation, evaluation, or best practices review, please contact us at 651-296-4708 or by e-mail legislative.auditor@state.mn.us

State Agricultural Society Table of Contents Page Report Summary 1 Report on Compliance and Internal Control over Financial Reporting 2 Current Finding and Recommendation 4 Status of Prior Audit Issues 5 State Agricultural Society's Response 6

Audit Participation Claudia Gudvangen, CPA Deputy Legislative Auditor Jeanine Leifeld, CPA, CISA Audit Manager Chris Buse, CPA, CISA Audit Manager Sonya Johnson, CPA Auditor-in-Charge John Hakes, CPA Auditor Marisa Zenk Auditor

Exit Conference We discussed the results of the audit at an exit conference with the following staff of the State Agricultural Society on March 26, 2002:

Jerry Hammer Executive Vice President Marshall Jacobson Controller Manley Bona Computer Services Coordinator

Report Summary Key Finding and Recommendation: The State Agricultural Society has not appropriately resolved its information technology security risks. We found significant security weaknesses during our review of information technology controls at the Society. It should build a comprehensive security infrastructure that addresses current information technology risks.

The State Agricultural Society operates Minnesota's annual state fair and maintains the state fairgrounds. The Society earned about $27.9 million in operating revenues during fiscal year 2001 and had total assets of over $32 million on October 31, 2001. The primary objective of our audit was to issue an opinion on the financial statements of the State Agricultural Society for the year ended October 31, 2001. The Society's Annual Report for fiscal year 2001 includes our opinion thereon dated March 8, 2002. This management letter addresses an internal control weakness we found during our audit. The Society's response to the issue is included in the report.

OFFICE OF THE LEGISLATIVE AUDITOR State of Minnesota ° James Nobles, Legislative Auditor Report on Compliance and on Internal Control over Financial Reporting Based on an Audit of Financial Statements Performed in Accordance with Government Auditing Standards

Mr. Howard Recknor, President Board of Managers State Agricultural Society Members of the State Agricultural Society Mr. Jerry Hammer, Executive Vice President State Agricultural Society

We have audited the financial statements of the State Agricultural Society as of and for the year ended October 31, 2001, and have issued our report thereon dated March 8, 2002. We conducted our audit in accordance with auditing standards generally accepted in the United States of America and the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States. Compliance As part of obtaining reasonable assurance about whether the State Agricultural Society's financial statements are free of material misstatement, we performed tests of its compliance with

certain provisions of laws, regulations, contracts, and grants, noncompliance with which could have a direct and material effect on the determination of financial statement amounts. However, providing an opinion on compliance with those provisions was not an objective of our audit, and accordingly, we do not express such an opinion. The results of our tests disclosed no instances of noncompliance that are required to be reported under Government Auditing Standards. Internal Control Over Financial Reporting In planning and performing our audit, we considered the State Agricultural Society's internal control over financial reporting in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements and not to provide assurance on the internal control over financial reporting. However, we noted certain matters involving the internal control over financial reporting and its operation that we consider to be reportable conditions. Reportable conditions involve matters coming to our attention relating to significant deficiencies in the design or operation of the internal control over financial reporting that, in our judgment, could adversely affect the State Agricultural Society's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements.

Room 140, 658 Cedar Street, St. Paul, Minnesota 55155-1603 ° Tel: 651/ 296-4708 ° Fax: 651/ 296-4712 E-mail:legislative.auditor@state.mn.us ° TDD Relay: 651/ 297-5353 ° Website: www.auditor.leg.state.mn.us

State Agricultural Society We describe a reportable condition as Finding 1 in the accompanying section entitled, Current Finding and Recommendation. A material weakness is a condition in which the design or operation of one or more of the internal control components does not reduce, to a relatively low level, the risk that misstatements in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. Our consideration of the internal control over financial reporting would not necessarily disclose all matters in the internal control that might be reportable conditions and, accordingly, would not necessarily disclose all reportable conditions that are also considered to be material weaknesses. However, we consider the reportable condition, described in the Current Finding and Recommendation, to be a material weakness. This report is intended solely for the information and use of the State Agricultural Society's management and the Legislative Audit Commission and is not intended to be and should not be used by anyone other than these specified parties.

/s/ James R. Nobles /s/ Claudia J. Gudvangen James R. Nobles Claudia J. Gudvangen, CPA Legislative Auditor Deputy Legislative Auditor

March 8, 2002

Current Finding and Recommendation 1. The State Agricultural Society has not appropriately resolved its information technology security risks. We identified significant security weaknesses during our review of information technology controls at the State Agricultural Society. The Society's security infrastructure includes computer hardware, as well as computer software and data. The Society lacks a comprehensive security policy foundation and it has not addressed many relevant information technology risks. As a result, the Society's systems are vulnerable to unauthorized access. To remedy these weaknesses, the Society needs to allocate resources to build a comprehensive security program.

The Society does not have a written information technology security policy, procedures, or standards. This documentation is important because it constitutes the framework to positively control information technology resources. A security policy should outline such things as the roles and responsibilities of employees and the management structure for making security decisions. Procedures should provide structured guidance to help employees comply with management's directives. Finally, standards should include the technical tools and methods needed to implement the key security decisions.

Recommendation The State Agricultural Society should build a comprehensive security infrastructure that addresses current information technology risks.

Status of Prior Audit Issues As of March 8, 2002 Most Recent Audit An audit of the State Agricultural Society is performed annually by the Office of the Legislative Auditor. Legislative Audit Report 01-19, dated April 20, 2001, covered the fiscal year ended October 31, 2000. The audit scope included those areas material to the Society's financial statements. There were three findings in the report related to the Society's computerized accounting systems, fair time payroll, and Pronto pass tickets. The Society has resolved the prior findings.

MINNESOTA STATE FAIR THE GREAT MINNESOTA GET-TOGETHER 12 DAYS OF FUN ENDING LABOR DAY

Jeanine Leifeld, CPA, CISA Office of the Legislative Auditor Room 140 Centennial Building 658 Cedar St. St. Paul, MN 55155 March 27, 2002

Dear Jeanine, We agree with the finding regarding the State Fair's information technology infrastructure. Work has already begun on addressing the security issues, and we expect to make significant progress in improving our IT security systems during the next year. Our thanks to you and the audit team for your efforts on our behalf.

Sincerely, /s/ Jerry Hammer Jerry Hammer Executive Vice President

1265 Snelling Avenue North St. Paul, MN 55108-3099 (651) 642-2200 FAX (651) 642-2440 TTY (651)-642-2372 e-mail: fairinfo@mnstatefair.org web: www.mnstatefair.org