General Security Control Conclusions
In general, SCUPPS application security controlling access by campus users was found to be adequate. However, internal security weaknesses in the operating system and database management system expose MnSCU's business data, including campus payroll and personnel data, to significant risks. Many of these weaknesses were reported in 1997 and again in 2000. Specifically:
Generally, SCUPPS accurately processed data once it was input into the system. However, we feel MnSCU can improve controls if it designs and implements more preventative edits or automated controls. We found the system lacked several key edits. Of most significance, the system does not limit faculty and administrators pay to the negotiated bargaining agreement amounts. As a result of few preventative controls, MnSCU placed significant reliance on manual detective controls at each of its institutions. MnSCU could do more, however, to focus campus attention to unedited and high-risk transactions. Other concerns noted the need for improved monitoring of transactions entered directly into SEMA4 and increased automation and accuracy of leave data maintained in SCUPPS.
Financial-Related Audit Reports address internal control weaknesses and noncompliance issues found during our audits of state departments and agencies. The scope of our work at the Minnesota State Colleges and Universities was limited to a review of MnSCU's operating systems and SCUPPS application controls that protect the integrity of its critical business and personnel data.