Office of the Legislative Auditor - Financial Audit Division

Key Conclusion:

The Minnesota State Colleges and Universities (MnSCU) designed adequate application controls to help ensure that the Degree Audit Reporting System (DARS) and the Course Applicability System (CAS) properly processed transactions. It did not, however, design and implement adequate security controls to protect the integrity and confidentiality of its DARS and CAS data.

Findings:

• MnSCU did not design and implement an effective security infrastructure for DARS and CAS.
• DARS allowed users to view, alter, or delete data from uncontrolled environments.
• Several people and software accounts had unnecessary access to DARS and CAS.
• Controls used to confirm the identity of CAS users were weak.
• MnSCU did not remove unnecessary and insecure services from its CAS server or perform important system maintenance procedures in a timely manner.
• DARS and CAS were not adequately monitored for unauthorized or inappropriate attempts.

Audit Period:
As of May 2004

• Security Controls
• Application Controls

DARS and CAS are commercial software applications purchased by MnSCU.

DARS is used to define the requirements for every degree offered. It can be used to help students plan and monitor their academic progress. College employees also use it to ensure students meet graduation requirements. Each of MnSCU’s 32 institutions has its own DARS database.

CAS is a web-based system that allows anyone with access to the Internet to research the degrees offered by each MnSCU institution as well as the requirements for them. Also, students can identify courses that transfer from one institution to another. Each of MnSCU’s institutions shares a single CAS database. As of the time of our audit, nine of MnSCU’s institutions had implemented CAS.