Florida State College at Jacksonville's 2012 operational audit
Content
REPORT NO. 2012-073 JANUARY 2012
FLORIDA STATE COLLEGE AT JACKSONVILLE
Operational Audit
BOARD OF TRUSTEES AND PRESIDENT
Members of the Board of Trustees and President who served during the 2010-11 fiscal year are listed below:
The Vice Chairs serve with equal rank and status on the Board. The purpose of the dual office is to assure leadership representation from each of the two counties served by the College.
The audit team leader was Lenia Blades, and the audit was supervised by John P. Duffy, CPA. For the information technology portion of this audit, the audit team leader was Sue Graham, CPA, CISA, and the supervisor was Heidi G. Burns, CPA, CISA. Please address inquiries regarding this report to James R. Stultz, CPA, Audit Manager, by e-mail at [email protected] or by telephone at (850) 922-2263. This report and other reports prepared by the Auditor General can be obtained on our Web site at www.myflorida.com/audgen; by telephone at (850) 487-9175; or by mail at G74 Claude Pepper Building, 111 West Madison Street, Tallahassee, Florida 32399-1450.
JANUARY 2012
REPORT NO. 2012-073
FLORIDA STATE COLLEGE AT JACKSONVILLE
SUMMARY
Our operational audit disclosed the following: STUDENT ENROLLMENT Finding No. 1: The College had not provided data for its Continuing Workforce Education (CWE) courses requested by the Florida Department of Education to determine adjustments necessary to the College’s full-time equivalent CWE enrollment for the 2006-07 through 2009-10 fiscal years. As a result, the College may receive State funding that it is not entitled to receive. Finding No. 2: The College needed to strengthen its controls to ensure the accurate reporting of instructional contact hours for adult general education classes to the Florida Department of Education. STUDENT TUITION AND FEES Finding No. 3: The College needed to strengthen its procedures for assessing user fees. ADMINISTRATIVE MANAGEMENT Finding No. 4: A College employee’s employment with another organization doing business with the College may have resulted in a conflict of interest in violation of Section 112.313(7)(a), Florida Statutes. PERSONNEL AND PAYROLL Finding No. 5: The President’s employment agreement included a severance pay provision that is contrary to Section 215.425(4)(a), Florida Statutes. Finding No. 6: Pursuant to the College President’s employment contract, accrued sick leave was transferred to accrued vacation leave, effectively circumventing the limitation for payment of unused sick leave upon termination provided in Section 1012.865(2)(e)2., Florida Statutes. Finding No. 7: The College had not taken action to recover sick leave overpayments totaling $87,098 noted in our prior report. CONSTRUCTION ADMINISTRATION Finding No. 8: The College’s procedures for the administration of construction management projects needed improvement. Finding No. 9: The College needed to enhance its monitoring procedures for ensuring that design professionals and construction managers obtain required insurance coverage. CONFIDENTIAL INFORMATION Finding No. 10: The College did not always provide the required written notification to individuals when their social security numbers were collected, contrary to Section 119.071(5)(a), Florida Statutes. INFORMATION TECHNOLOGY Finding No. 11: Some inappropriate and unnecessary information technology (IT) access privileges existed. Finding No. 12: The College had not developed a written, comprehensive IT risk assessment. Finding No. 13: The College did not retain some access control records, contrary to the requirements of the State of Florida, General Records Schedule . Finding No. 14: The College did not have written policies and procedures for certain IT functions. Finding No. 15: The College’s procedures for managing access to its telecommunications equipment needed improvement. Finding No. 16: The College’s IT security controls related to user authentication needed improvement. 1
JANUARY 2012
REPORT NO. 2012-073
BACKGROUND
Florida State College at Jacksonville (College) is under the general direction and control of the Florida Department of Education, Division of Florida Colleges, and is governed by State law and State Board of Education rules. A board of trustees (Board) governs and operates the College. The Board constitutes a corporation and is composed of nine members appointed by the Governor and confirmed by the Senate. The College President serves as the executive officer and the corporate secretary of the Board, and is responsible for the operation and administration of the College. The College has campuses located in Jacksonville, Florida, and centers located in Jacksonville and Yulee, Florida. Additionally, credit and noncredit classes are offered in public schools and other locations throughout Duval and Nassau Counties. The College reported enrollment of 25,524 full time equivalent students for the 2010-11 fiscal year. The results of our financial audit of the College for the fiscal year ended June 30, 2011, will be presented in a separate report. In addition, the Federal awards administered by the College are included within the scope of our Statewide audit of Federal awards administered by the State of Florida and the results of that audit, for the fiscal year ended June 30, 2011, will be presented in a separate report.
FINDINGS AND RECOMMENDATIONS
Student Enrollment Finding No. 1: Full-Time Equivalent Enrollment Reporting – Continuing Workforce Education Courses
Section 1011.84(1)(a), Florida Statutes, requires that the Florida Department of Education (FDOE) determine the State financial support and the annual apportionment to each college district through the College Program Fund based on the types of programs offered and the related costs of those programs. Section 1011.80(5)(a) (2009), Florida Statutes, provided that for a continuing workforce education course, State funding shall equal 50 percent of the cost of instruction, with student fees, business support, quick-response training funds, or other means making up the remaining 50 percent. Sections 1011.80(5)(d) and 1011.84(1)(f), Florida Statutes, provide that when a public educational institution has been fully funded by an external agency for direct instructional costs of any course or program, the full-time equivalent (FTE) generated shall not be reported for State funding. State Board of Education Rule 6A-14.054(7), Florida Administrative Code, provides that each board of trustees shall have the authority to negotiate tuition fees for courses and programs contracted by external agencies and companies that vary from the tuition fees provided for in this rule, and such negotiated fees may exceed the full cost of instruction; however, the courses and programs of instruction funded from these negotiated fees shall not be reported for State funding purposes. In our report No. 2010-168, we noted that the College reported 3,955 and 3,666 full-time equivalent (FTE) enrollment in the College’s continuing workforce education (CWE) category for the 2008-09 and 2007-08 fiscal years, respectively, for which the College also reported revenues from the Navy and other external agencies and companies exceeding the direct cost of instruction. We also noted that, because the College was fully funded for direct instructional costs for these CWE programs, the College’s reporting of this FTE appeared to be contrary to Sections 1011.80(5)(d) and 1011.84(1)(f), Florida Statutes, and State Board of Education Rule 6A-14.054(7), Florida Administrative Code. We recommended that the College consult with the FDOE on the reporting of FTE for CWE 2
JANUARY 2012
REPORT NO. 2012-073
programs and determine the corrective action necessary to the FTE reported for CWE programs for the 2008-09 and 2007-08 fiscal years. Our current review disclosed that for the 2009-10 fiscal year the College reported FTE for its CWE programs for which it reported revenues from the Navy and other external agencies and companies that collectively exceeded the direct cost of instruction, as shown in Table 1 below: Table 1
Description Total 2009-10 Naval Agreements CWE $ 15,298,751 14,571,033 $ 727,718 104.99% 4,484 Other CWE
CWE Revenues (Fees and Contracts) (1) Direct Instructional Expenses (2) Difference Revenues as a Percentage of Expenses CWE FTE Reported (2) Total FTE Reported (2) CWE FTE as a Percentage of Total FTE
$ 18,137,864 17,086,371 $ 1,051,493 106.15% 4,845 28,808 16.82%
$ 2,839,113 2,515,338 $ 323,775 112.87% 361
Notes: (1) From the College's General Ledger. (2) From the College's Student Enrollment and Cost Analysis Reports.
Effective July 1, 2010, Section 1011.80(5)(a), Florida Statutes, was revised to require that expenditures for CWE programs provided by colleges be fully supported by fees and discontinuance of reporting enrollments in CWE courses for FTE funding purposes. In February 2011, FDOE contacted the College and indicated that the CWE FTE previously reported impacted not only the 2007-08 and 2008-09 fiscal years’ enrollment reporting, but also the 2009-10 fiscal year. FDOE also indicated that the Florida College System’s funding allocation model and prior enrollment growth used to allocate the College’s 2010-11 fiscal year funding relied heavily on the CWE FTE reported by the College during the 2006-07 to 2009-10 fiscal years. FDOE further indicated that, as a result, the College received additional funding in the 2010-11 fiscal year based, in part, on the incorrect CWE FTE previously reported and requested that the College provide the data necessary to accurately assess the reporting of CWE FTE by February 28, 2011. We were advised by FDOE and College personnel that the requested data regarding the CWE FTE reporting had not been provided to FDOE as of November 15, 2011. The failure of the College to provide the accurate enrollment data may result in the College receiving State funding that it is not entitled to receive. Recommendation: Since State funding provided to the College is based partially on the FTE reported to FDOE, the College should consult with FDOE on the reporting of FTE for these programs and determine the corrective action necessary to FTE reported for the CWE programs for the 2006-07 through 2009-10 fiscal years.
3
JANUARY 2012 Finding No. 2: Adult General Education
REPORT NO. 2012-073
Section 1004.02(3), Florida Statutes, defines adult general education, in part, as comprehensive instructional programs designed to improve the employability of the State’s workforce. The College received State funding for adult general education, and proviso language included in Chapter 2010-152, Laws of Florida, Specific Appropriation 112, required that each college report enrollment for adult general education programs identified in Section 1004.02, Florida Statutes, in accordance with Florida Department of Education (FDOE) instructional hours reporting procedures. Procedures provided by FDOE stated that fundable instructional contact hours are those scheduled hours that occur between the date of enrollment in a class and the withdrawal date or end-of-class date, whichever is sooner. The FDOE procedures also provided that colleges develop a procedure for withdrawing students for nonattendance and that the standard for setting the withdrawal date be six consecutive absences from a class schedule, with the withdrawal date reported as the day after the last date of attendance. Additionally, there is a minimum enrollment threshold of 12 hours of attendance per program that must be met before a student can be counted for funding purposes; however, when the threshold is not met the actual hours of attendance should still be included to satisfy other reporting requirements. College procedures require that class instructors maintain student attendance records and enter instructional contact hours in the College’s student records system. The College reported 1,055,700 instructional hours for adult general education classes provided to students during the 2010-11 fiscal year. Our review of the hours reported for ten students enrolled in 35 adult general education classes, for which the College reported 1,966 hours to FDOE, disclosed various errors in reporting instructional contact hours for seven students enrolled in 16 classes, as follows: For one student enrolled in four courses, the College excluded absences from the reported enrollment hours rather than reporting total scheduled hours as provided by FDOE procedures, resulting in 22 hours under reported. For three students enrolled in eight courses, the College over reported enrollment by 159 hours. The over reporting of hours was the result of either the student not meeting the 12 hour threshold, the student not attending any classes, or the College failing to report only those scheduled hours that occurred between the date of enrollment in a class and the withdrawal date, whichever was sooner. For three students enrolled in four courses, attendance records were not available for the entire semester, and as a result the College’s student records did not support attendance for 180 contact hours reported to the FDOE. Since future funding may be based, in part, on enrollment data submitted to FDOE, it is important that the College submit accurate and complete data. Recommendation: The College should enhance its controls to ensure the accurate reporting of instructional contact hours for adult general education classes to FDOE. In addition, the College should contact FDOE to determine what corrective actions are necessary regarding unsupported, over-, and underreported hours. Student Tuition and Fees Finding No. 3: User Fees Section 1009.23(12), Florida Statutes, authorizes each college board of trustees to establish user fees, including laboratory fees, that shall not exceed the cost of the services provided and can only be charged to persons receiving 4
JANUARY 2012
REPORT NO. 2012-073
the service. State Board of Education (SBE) Rule 6A-14.054(6), Florida Administrative Code, authorizes the Board to establish user fees in addition to tuition fees for services that incur unusual costs. Additionally, the Florida College System Council of Business Affairs and the Florida Department of Education, Division of Florida Colleges, have issued guidelines for assessing user fees. These guidelines provide that each college board establish policies for the implementation and justification of additional user fees, defining which costs are in excess of base instructional costs, describing the documentation required to support the fees, the time period for review of such fees, and the manner of presenting such fees to the Board for approval. The College Board adopted Board Rule 6Hx7-4.19, Fees and Charges, establishing policies to be used for assessing user fees. The College also established procedures related to special fees that require the preparation of a Special Fee Request Form (Form) to document the background, rationale, cost basis, and annual fiscal impact of the new or revised fee. The Board Rule also requires that costs supporting such fees be reviewed at least every three years. Laboratory and other user fee collections totaled approximately $5.3 million for the 2010-11 fiscal year. Our review of ten laboratory and other user fees assessed disclosed the following: Although requested, supporting documentation for three laboratory fees, ranging from $12 to $70 per course, was not available. In response to our inquiry, College personnel indicated that two of these fees had been assessed since 1999, when the College transitioned from its previous accounting system, and supporting documentation was not maintained. According to College personnel, supporting documentation for the other laboratory fee could not be located. Absent supporting documentation, College records did not demonstrate that the laboratory fees assessed were properly calculated and did not exceed the cost of services provided. The three laboratory fees noted above and two other laboratory fees, totaling $254 and $781 per course, had not been reviewed within the previous three years, contrary to Board Rule 6Hx7-4.19. In response to our inquiry, College personnel indicated that the College had not reviewed the two fees assessed since 1999, as discussed above, and the other three fees were last reviewed in 2000, 2002, and 2006, respectively. Absent timely periodic reviews of user fees, there is an increased risk that fees will not be adjusted to reflect changes in costs since the fees were initially determined or previously reviewed. Recommendation: The College should ensure that a documented evaluation of each laboratory and other user fee is periodically performed to ensure compliance with Section 1009.23(12), Florida Statutes, and applicable SBE and Board rules. Administrative Management Finding No. 4: Conflict of Interest Section 112.313, Florida Statutes, establishes standards of conduct for public officers and employees. Section 112.313(7)(a), Florida Statutes, provides that no employee should have a contractual relationship with any business entity that is subject to the regulation of, or is doing business with, an agency of which he or she is an officer or employee, except under specific circumstances listed in Section 112.313(12), Florida Statutes. The statute also prohibits an employee of an agency from having or holding any employment or contractual relationship that will create a continuing or frequently recurring conflict between his or her private interests and the performance of his or her public duties or that would impede the full and faithful discharge of his or her public duties. Effective May 31, 2011, the Board approved an administrative procedure relating to standards of conduct for employees that addresses such matters as conflicts of interest, unauthorized compensation, and misusing public position.
5
JANUARY 2012
REPORT NO. 2012-073
The College has developed a business enterprise, referred to as Sirius Academics, to provide for the development and distribution of low-cost instructional materials. Sirius Academics course materials are developed and owned by the College, and are sold and distributed through a contracted bookstore that receives a commission on each sale. Students enrolled in Sirius Academics courses are required to purchase the materials from the contracted bookstore. The College also markets the materials to other educational institutions, primarily through a Federally-funded consortium comprised of 24 colleges and universities referred to as Project DELTA (Disseminating Effective Learning Through Automation). The College administers the Federal grant funding the Project DELTA consortium, and the College provides Sirius Academics course materials to the contracted bookstore for consortium members to purchase. During the 2010-11 fiscal year, we were made aware that a College employee directly involved with the Sirius Academics project and the development and marketing of these course materials had an employment relationship with an out-of-State college that was also a Project DELTA consortium member, and purchased the College’s Sirius Academics course materials. Such an arrangement may represent a conflict of interest as defined by Section 112.313(7)(a), Florida Statutes. Recommendation: The College should ensure that conflicting employment or contractual relationships, as specified in Section 112.313, Florida Statutes, are prohibited. Personnel and Payroll Finding No. 5: Severance Pay Chapter 2011-143, Laws of Florida, was signed into law on June 17, 2011, and amends Section 215.425, Florida Statutes. This law provides that, on or after July 1, 2011, a unit of government that enters into a contract or employment agreement, or renewal or renegotiation of an existing contract or employment agreement, that contains a provision for severance pay with an officer, agent, employee, or contractor must include provisions consistent with the following: A requirement that severance pay provided may not exceed an amount greater than 20 weeks of compensation. A prohibition of a provision for severance pay when the officer, agent, employee, or contractor has been fired for misconduct, as defined in Section 443.036(29), Florida Statute, by the unit of government. On July 12, 2011, the Board approved the 2011-12 fiscal year employment agreement with the College President. Paragraph 5.a.(3) of the employment agreement provides, upon termination without cause, for the payment of an amount equal to the lesser of one year’s annual salary or the annual salary for the remaining term of the agreement ending June 30, 2015, and for certain insurance coverage under the College’s medical and dental plans, at the President’s election, for the same remaining term. This provision is contrary to Section 215.425(4)(a), Florida Statutes, in that it allows for the possibility of the President receiving severance payments that exceed 20 weeks of salary. Recommendation: The College should ensure that employment agreements, including the President’s contract, contain provisions for severance pay that are in accordance with Section 215.425(4)(a), Florida Statutes.
6
JANUARY 2012 Finding No. 6: Transfer of President’s Accrued Sick Leave
REPORT NO. 2012-073
Section 1012.865(2)(e)2., Florida Statutes, provides that sick leave terminal pay for employees other than instructional staff or educational support employees (considered senior management class employees at the College) may not exceed an amount equal to one-fourth of the employee's unused sick leave, or 60 days of the employee's pay, whichever amount is less, for unused sick leave accumulated on or after July 1, 2001. The President’s employment contracts for the 2009-10 and 2010-11 fiscal years provided, in part, that sick leave benefits in excess of 296 hours accrued as of December 31, 2009, be transferred to accrued vacation leave. According to College records, 776 sick leave hours were transferred from the President’s sick leave account to his vacation leave account on January 22, 2010, thereby reducing his sick leave balance to 296 hours. Because the sick leave transferred to annual leave was earned by the President after July 1, 2001, payment for any unused balance remaining when the President separates from the College would be subject to a one-fourth limitation or 60 days of pay, whichever is less; however, there are no such limitations on the payment of vacation leave. Consequently, these provisions may result in circumventing the limitation for payment for accrued leave upon termination of employment, as provided in Section 1012.865(2)(e)2., Florida Statutes. Based on the President’s salary rate as of October 31, 2011, the transfer of accrued sick leave to accrued annual leave would amount to an additional $95,518 in compensation. Upon inquiry, College personnel advised us that the Board’s statutory authority and responsibility over the President’s annual evaluation and the terms and conditions of employment pursuant to Sections 1001.64(19) and (47), Florida Statutes, provided the authority for the Board to permit the transfer of accrued sick leave balances to accrued annual leave balances; however, we are unaware of any authority that would allow the Board to transfer sick leave to annual leave or to provide employment contract provisions that are contrary to specific provisions of Section 1012.865(2)(e)2., Florida Statutes. Recommendation: The College should restore the 776 hours to the President’s accrued sick leave account to ensure any future leave payments are in compliance with Section 1012.865(2)(e)2., Florida Statutes. The College should also consult with its legal counsel to take appropriate actions to revise the President’s employment contract to ensure the provisions are consistent with applicable statutes. Finding No. 7: Terminal Pay for Accumulated Unused Sick Leave In audit report No. 2010-168, we noted the College overpaid 23 former administrative and professional employees a total of $87,098 for accumulated unused sick leave because the College calculated the payments based on 100 percent of the employee’s unused sick leave earned after July 1, 2001, rather than using one-fourth of the unused leave as required by Section 1012.865(2)(e), Florida Statutes. College personnel advised us that when Board Rule 6Hx7-3.38, Sick Leave, was modified on December 3, 2002, the College inadvertently omitted the wording limiting terminal payments to one-fourth of the employee’s unused sick leave. In response to report No. 2010-168, the College President indicated that the College would not attempt to collect overpayments from the 23 former employees that separated from the College. On November 3, 2009, the Board approved revising the Rule to include the one-fourth limitation; however, as of October 31, 2011, the College had not attempted to recover any overpayments, nor had the College documented, of record, the public purpose served by not attempting to recover the overpayments.
7
JANUARY 2012
REPORT NO. 2012-073
Recommendation: The College should attempt to recover the overpayments from former employees, to the extent allowed under Section 95.11, Florida Statutes, or document, of record, the public purpose served by not attempting to recover the overpayments. Construction Administration Finding No. 8: Construction Management Services Pursuant to Section 1013.45(1), Florida Statutes, the College may contract for the construction or renovation of facilities using various delivery methods, including selection of a construction manager (CM) pursuant to Section 287.055, Florida Statutes, which requires that the College publicly announce, in a uniform and consistent manner, each occasion when professional services must be purchased for a project in which the basic construction costs are estimated to exceed a specified amount ($325,000 for the 2010-11 fiscal year). The public notice must include a general description of the project and must indicate how interested consultants may apply for consideration. Under the CM process, contractor profit and overhead are contractually agreed upon, and the contracted firm is responsible for all scheduling and coordination in both design and construction phases and is generally responsible for the successful, timely, and economical completion of the construction project. CM firms may also be required to offer a guaranteed maximum price (GMP). The GMP provision allows for the difference between the actual cost of the project and the GMP amount, or the net cost savings, to be returned to the College. As such, a GMP contract requires close monitoring by College personnel to ensure that the cost of construction is adequately documented. Our review of the College’s controls over construction administration disclosed the following: South Campus Welcome Center Project Our review disclosed that the College utilized a local district school board’s continuing contract to procure construction management services for its $850,000 South Campus Welcome Center project rather than utilizing the public announcement and competitive selection and negotiation process required by Section 287.055, Florida Statutes. Upon inquiry, College personnel advised us they utilized the district school board’s continuing contract for construction management services pursuant to State Board of Education Rule 6A-14.0734, Florida Administrative Code; however, this rule pertains to the general purchase of services or commodities not specifically addressed in the statutes and we know of no legal basis for an administrative rule to supersede the requirements of Sections 1013.45 and 287.055, Florida Statutes. The Legislature has recognized in Section 287.001, Florida Statutes, that fair and open competition is a basic tenet of public procurement and that such competition reduces the appearance and opportunity for favoritism and inspires public confidence that contracts are awarded equitably and economically. Absent utilization of the required competitive selection process, the College's assurances related to the fair, equitable, and economical procurement of professional services are limited. South Campus Fire Training Burn Ship Project The College entered into a GMP contract with a CM for construction of a Fire Training Burn Ship project with a total project cost of approximately $3.2 million. This project was completed during the 2010-11 fiscal year. Our review disclosed that the College could improve its controls over construction administration, as discussed below: The College did not require the CM to include supporting documentation for the itemized amounts it billed to the College. The College’s contract with the CM required that invoices be submitted in detail sufficient for a proper pre-audit and post-audit thereof. Absent supporting documentation for the itemized amounts billed, 8
JANUARY 2012
REPORT NO. 2012-073
College records do not evidence that the amounts requested by the CM were adequately verified prior to payment. College personnel did not attend the bid openings for the first phase of the project with construction costs of approximately $1.7 million. Absent the College’s presence and documented monitoring of the subcontractor selection process, the College has limited assurance that the CM complied with the terms of the contract in the handling and awarding of subcontractor bids. For example, we noted several inconsistencies between subcontractor bids and bid tabulations, and between the apparent low bidders and the subcontractors actually selected. Subsequent to our inquiry, College personnel contacted the CM firm and obtained reasonable explanations for the inconsistencies noted by our review. Although required by the College’s contract with the CM, copies of the project manual and any updates were not provided to the College. The project manual describes the services set forth in the contract and provides a plan for the control, direction, coordination, and evaluation of work performed throughout the project, including identification of key personnel; responsibilities of the CM, College, and architect; work flow diagrams; and strategy for bidding the work. Subsequent to our inquiries, the College requested and obtained a copy of the project manual. The College’s contract with the CM required that copies of subcontracts be provided to the College as part of the project manual and, as noted above, the project manual was not obtained until subsequent to our inquiries. Our review disclosed that several subcontracts were not included in the project manual, and that a number of the subcontracts were executed in amounts that did not agree with bid amounts or bid tabulations without College personnel obtaining explanations for these differences. For example, the subcontract for concrete was $8,286 more than the subcontractor’s bid amount and the subcontract for site-work was $29,431 less than the amount awarded per the bid tabulation. Copies of subcontracts should be maintained for verifying contractor billings, monitoring project contingency funds, and ensuring that cost savings are maximized under the GMP. Additionally, subcontract amounts should agree with bid amounts or reasonable explanations for any differences should be obtained. In response to our inquiry, we were advised by College personnel that the standard procedure for future projects will be to require that a College employee attend bid openings and that bid tabulations, projects manuals, and detailed payment requests, with supporting invoices, be timely provided and utilized in monitoring project progress and billings. Recommendation: The College should enhance its procedures to ensure a formal competitive selection and negotiation process is held for selecting professional services when the basic construction cost or the fee for professional services is estimated to exceed the thresholds specified in Section 287.055, Florida Statutes. Additionally, the College should continue its efforts to improve CM contract monitoring procedures by ensuring that a College employee attends subcontractor bid openings, obtaining project manuals and subcontracts, and requiring that CM payment requests contain adequate supporting documentation to allow verification of the accuracy of amounts billed. Finding No. 9: Insurance Coverage The College’s requests for qualifications (RFQ) for both architectural and constructions managers (CM) and subsequent contracts contain certain requirements related to insurance coverage for architects and CMs selected to perform construction services. Our review of insurance certificates for the South Campus Fire Training Burn Ship project disclosed that the College needed to enhance its procedures for monitoring evidence of insurance coverage, as follows: Although required in the RFQ for CM services, the College was not listed as an additional insured on the certificates of insurance. The certificates of insurance listed the College as the certificate holder; however, to have an interest in the policy, the College must be listed as an additional insured. 9
JANUARY 2012
REPORT NO. 2012-073
The College’s RFQs for both the architectural and CM services required that the certificates of insurance provide at least 30 days advance notice of cancelation or non-renewal. The certificates reviewed addressed the cancelation provision; however, the certificates did not address notifying the College in the event of non-renewal. The contract for CM services required the certificate of insurance to specifically identify the job name and job number. The College initially accepted a certificate of insurance applicable to another project and did not require the CM to provide a project specific certificate of insurance until November 17, 2009, or 225 days after the contract was signed. The RFQ for architectural services required that new certificates of insurance be provided to the College at least 15 days prior to renewal. College records indicated that evidence of renewal was not obtained until November 24, 2010, or 149 days after the renewal date. Failure to ensure that architects and CMs are maintaining adequate insurance could increase the College’s risk of loss in the event of an occurrence causing injury to persons or damage to property. Recommendation: The College should enhance its monitoring procedures to ensure that contractors and architects timely provide proper certificates of insurance as required by contracts and RFQs. Confidential Information Finding No. 10: Collection of Social Security Numbers The Legislature has acknowledged in Section 119.071(5)(a), Florida Statutes, the necessity of collecting social security numbers (SSNs) for certain purposes because of their acceptance over time as a unique numeric identifier for identity verification and other legitimate purposes. The Legislature has also recognized that SSNs can be used to acquire sensitive personal information, the release of which could result in fraud against individuals or cause other financial or personal harm. Therefore, public entities are required to provide extra care in maintaining such information to ensure its confidential status. Section 119.071(5)(a), Florida Statutes, provides that the College may not collect an individual’s SSN unless the College has stated in writing the purpose for its collection and unless it is specifically authorized by law to do so, or is imperative for the performance of the College’s duties and responsibilities as prescribed by law. Additionally, this Section requires that if the College collects an individual’s SSN, it must provide that individual with a written statement indicating whether the collection of the SSN is authorized or mandatory under Federal or State law, and identifying the specific Federal or State law governing the collection, use, or release of SSNs for each purpose for which the SSN is collected. This Section also provides that SSNs collected by the College may not be used for any purpose other than the purpose provided in the written statement. This Section further requires that the College review whether its collection of SSNs is in compliance with the above requirements and immediately discontinue the collection of SSNs for purposes that are not in compliance. Although the College has assigned unique student and employee identification numbers to replace SSNs for record keeping purposes, it continued to collect SSNs from students, employees, and employee applicants. As similarly noted in our report No. 2010-168, College procedures over the collection and use of SSNs needed improvement, as follows: We noted six standard forms available on the College’s Web site that requested SSNs but did not contain or reference to the required written statement regarding the collection and use of SSNs. Four other forms provided general statements regarding the collection and use of SSNs and referenced to a statement in the College’s online catalog. However, the statement in the College’s online catalog did not identify the specific 10
JANUARY 2012
REPORT NO. 2012-073
Federal and State laws governing the collection, use, or release of SSNs and whether the collection was authorized or mandatory under Federal or State law. The Human Resources Department established a written statement addressing the collection and use of SSNs that was to be signed by new employees upon employment; however, a similar statement was not provided to employee applicants who applied online. In the above circumstances, College records did not evidence that individuals were provided the required written notification when their SSNs were collected. Effective controls to properly monitor the need for and use of SSNs and ensure compliance with statutory requirements reduce the risk that SSNs may be used for unauthorized purposes. Recommendation: The College Section 119.071(5)(a), Florida Statutes. should continue its efforts to ensure compliance with
Information Technology Finding No. 11: Access Privileges Access controls are intended to protect data and information technology (IT) resources from unauthorized disclosure, modification, or destruction. Effective access controls provide employees access to IT resources based on a demonstrated need to view, change, or delete data and restrict employees from performing incompatible functions or functions outside of their areas of responsibility. Periodically reviewing IT access privileges assigned to employees promotes good internal control and is necessary to ensure that employees cannot access computer resources inconsistent with their assigned job responsibilities. Our tests of selected access privileges to the finance application disclosed that some employees had access privileges that either permitted the employee to perform incompatible duties or were not necessary for their job responsibilities. Specifically: Two database administrators had security administrator privileges for the finance application. Since the College’s practice was to distribute security administration responsibilities to various departments, this access was unnecessary and contrary to an appropriate separation of duties. In addition, an employee with budget and financial planning responsibilities had security administrator privileges that were no longer necessary for the employee’s job responsibilities. Four current finance employees had update capability in the finance application, including vendor and electronic funds transfers, which was unnecessary for their assigned job responsibilities. Additionally, one former employee who had not been employed by the College since 2001 continued to have update capability in the finance application as of June 29, 2011. Two programmers had update capability in the finance application. Based on their application programming responsibilities in support of the business application system, this access was unnecessary and contrary to an appropriate separation of duties. As also noted in our report No. 2010-168, the College did not have written procedures to provide for a comprehensive review of employees’ access privileges. Without a comprehensive review, inappropriate access privileges may not be timely detected and addressed by the College, increasing the risk of unauthorized disclosure, modification, or destruction of College data and IT resources.
11
JANUARY 2012
REPORT NO. 2012-073
Recommendation: The College should establish written procedures for reviewing the appropriateness of IT access privileges, including those employees who have been granted security administrator authority, and timely remove or adjust any inappropriate or unnecessary access detected to ensure that access privileges are compatible with employee job duties. Finding No. 12: Risk Assessment Management of IT-related risks is a key part of enterprise IT governance. Incorporating an enterprise perspective into day-to-day governance actions helps an entity understand its greatest security risk exposures and determine whether planned controls are appropriate and adequate to secure IT resources from unauthorized disclosure, modification, or destruction. IT risk assessment, including the identification of risks and the evaluation of the likelihood of threats and the severity of threat impact, helps support management’s decisions in establishing cost-effective measures to mitigate risk and, where appropriate, formally accept residual risk. The College had not developed a written, comprehensive IT risk assessment. The absence of a written, comprehensive IT risk assessment may limit the College’s assurance that all likely threats and vulnerabilities have been identified, the most significant risks have been addressed, and appropriate decisions have been made regarding which risks to accept and which risks to mitigate through security controls. Recommendation: The College should develop a written, comprehensive IT risk assessment to provide a documented basis for managing IT-related risks. Finding No. 13: Access Control Records The State of Florida, General Records Schedule GS1-SL, for State and local Government Agencies (General Records Schedule), revised by the Department of State effective August 2010, provides that access control records must be retained for one anniversary year after superseded or after the employee separates from employment. Contrary to the General Records Schedule requirements, the College’s practice was to delete an employee’s application account from the system and disable the employee’s network account upon termination of employment and automatically delete the network account 60 days thereafter. Without adequate retention of access control records, the risk is increased that the College may not have sufficient documentation to assist in future investigations of security incidents, should they occur. Additionally, the College is not in compliance with the State’s record retention requirements. Recommendation:
General Records Schedule .
The College should ensure that access control records are retained as required by the
Finding No. 14: Policies and Procedures Each IT function needs complete, well-documented policies and procedures to describe the scope of the function and its activities. Sound policies and procedures provide benchmarks against which compliance can be measured and contribute to an effective control environment. Although informal procedures were followed, the College lacked written policies and procedures for the following IT functions: Removing confidential College information from consultant or vendor equipment upon completion of contractual services. 12
JANUARY 2012 Granting and management of administrative rights by end-users. Sanitizing computer hard drives prior to disposal of the equipment.
REPORT NO. 2012-073
A similar finding was noted in our report No. 2010-168. Without written policies and procedures, there is an increased risk that IT controls may not be followed consistently and in accordance with management’s expectations. Recommendation: The College should establish written policies and procedures to document management’s expectations for the performance of the above-listed IT functions. Finding No. 15: Access to Telecommunications Equipment Physical access controls include restricting physical access to IT resources to minimize the risk of intentional or unintentional loss or impairment. Access to telecommunications equipment located in storage closets, throughout the various College campuses, was not restricted or centrally managed through the IT Department. Consequently, the IT Department was not always notified of individuals who were granted access to the telecommunications equipment. Although our audit did not disclose any unauthorized use of telecommunications equipment, the inability to determine who may have accessed telecommunications equipment may limit the College’s ability to appropriately respond to and take action against an individual attempting unauthorized actions or causing damage to connections or equipment. Recommendation: The College should establish procedures for limiting access to telecommunications equipment, including notification to the IT Department of all individuals granted such access. Finding No. 16: Security Controls – User Authentication Security controls are intended to protect the confidentiality, integrity, and availability of data and IT resources. Our audit disclosed certain College security controls related to user authentication that needed improvement. We are not disclosing specific details of the issues in this report to avoid the possibility of compromising College data and IT resources. However, we have notified appropriate College management of the specific issues. Without adequate security controls related to user authentication, the confidentiality, integrity, and availability of data and IT resources may be compromised, increasing the risk that College data and IT resources may be subject to improper disclosure, modification, or destruction. A similar finding was noted in our report No. 2010-168. Recommendation: The College should improve security controls related to user authentication to ensure the continued confidentiality, integrity, and availability of College data and IT resources.
PRIOR AUDIT FOLLOW-UP
Except as discussed in the preceding paragraphs, the College had taken corrective actions for findings included in our report No. 2010-168.
13
JANUARY 2012
REPORT NO. 2012-073
OBJECTIVES, SCOPE, AND METHODOLOGY
The Auditor General conducts operational audits of governmental entities to provide the Legislature, Florida’s citizens, public entity management, and other stakeholders unbiased, timely, and relevant information for use in promoting government accountability and stewardship and improving government operations. We conducted this operational audit from February 2011 to October 2011 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The objectives of this operational audit were to: (1) obtain an understanding and make overall judgments as to whether College internal controls promoted and encouraged compliance with applicable laws, rules, regulations, contracts, and grant agreements; the economic and efficient operation of the College; the reliability of records and reports; and the safeguarding of assets; (2) evaluate management’s performance in these areas; and (3) determine whether the College had taken corrective actions for findings included in our report No. 2010-168 . Also, pursuant to Section 11.45(7)(h), Florida Statutes, our audit may identify statutory and fiscal changes to be recommended to the Legislature. The scope of this operational audit is described in Exhibit A. Our audit included examinations of various records and transactions (as well as events and conditions) occurring during the 2010-11 fiscal year and selected transactions through October 31, 2011. Our audit methodology included obtaining an understanding of the internal controls by interviewing College personnel and, as appropriate, performing a walk-through of relevant internal controls through observation and examination of supporting documentation and records. Additional audit procedures applied, to determine that internal controls were working as designed, and to determine the College’s compliance with the above-noted audit objectives, are described in Exhibit A. Specific information describing the work conducted to address the audit objectives is also included in the individual findings.
AUTHORITY
Pursuant to the provisions of Section 11.45, Florida Statutes, I have directed that this report be prepared to present the results of our operational audit.
MANAGEMENT’S RESPONSE
Management’s response is included as Exhibit B.
David W. Martin, CPA Auditor General
14
JANUARY 2012 EXHIBIT A AUDIT SCOPE AND METHODOLOGY
Scope (Topic) Information Technology (IT) policies and procedures.
REPORT NO. 2012-073
Methodology Reviewed the College’s written IT policies and procedures to determine whether they addressed certain important IT control functions. Tested select application access privileges to determine whether access privileges granted to sensitive finance and human resources applications were appropriately granted and authorized. Tested access privileges to data files for employees who terminated employment during the audit period and verified that the College terminated access privileges. Reviewed Board minutes to determine whether Board approval was obtained for policies and procedures placed in effect during the audit period and for evidence of compliance with Sunshine law requirements (i.e., proper notice of meetings, ready access to public, maintain minutes). Examined written policies, procedures, and Board of Trustees Rules governing the proper storage, handling, transmission, use, and format of sensitive and confidential information. Examined written policies, procedures, and supporting documentation related to the College’s fraud policy and related procedures. Examined supporting documentation to determine whether the College had provided individuals with a written statement of the purpose of collecting their social security numbers. Reviewed the College’s policies and procedures related to its identity theft prevention program for compliance with the Federal Trade Commission’s Red Flags Rule. Determined whether the unencumbered balance in the unrestricted current fund of the Board of Trustees approved operating budget was below five percent at June 30, 2011, and if so, whether the College notified the Florida Department of Education, as required by Section 1011.84(3)(e), Florida Statutes. Tested student registrations to determine whether the College documented Florida residency and correctly assessed tuition in compliance with Section 1009.21, Florida Statutes, and State Board of Education Rule 6A-10.044, Florida Administrative Code. Reviewed the College’s procedures and determined whether they were approved by the Board of Trustees. Tested technology, laboratory, and user fees and examined supporting documentation to determine whether the College properly calculated these fees. Determined whether the College properly reported FTE student enrollment for its continuing workforce education programs.
IT access privileges and separation of duties.
Procedures to timely prohibit former employees’ access to electronic data files. Board meetings.
Sensitive and confidential information.
Fraud policy and related procedures.
Social security number requirements of Section 119.071(5)(a), Florida Statutes. Identity theft prevention program (Red Flags Rule).
Fund equity controls.
Florida residency determination and tuition.
Technology, laboratory, and other user fees.
Student enrollment reporting.
15
JANUARY 2012 EXHIBIT A (CONTINUED) AUDIT SCOPE AND METHODOLOGY
Scope (Topic) Adult general education program enrollment reporting.
REPORT NO. 2012-073
Methodology Examined supporting documentation on a test basis to determine whether the College reported instructional and contact hours in accordance with Florida Department of Education requirements. Reviewed the business plan, contracts, and financial activity related to the College’s Sirius Academics project to determine whether College personnel properly administered and accounted for project revenues and expenses and monitored compliance with contract terms. Tested payroll transactions to determine the accuracy of the rate of pay, accuracy of the retirement contribution, validity of employment contracts, adequacy of qualifications, completion of performance evaluations, accuracy of leave records, and certifications by supervisory personnel of employee time reports. Also, tested new hires to determine whether personnel records evidenced that employees had the necessary qualifications, degrees, experience, necessary background checks, etc. Performed analytical procedures of overtime payments to determine reasonableness. Reviewed the College’s rules and procedures for terminal pay to ensure consistency with Florida law. Tested former employees to determine appropriateness of terminal pay. Reviewed policies and procedures to determine whether the College had a Board-approved leave policy pursuant to Section 1001.64(18), Florida Statutes. Tested transactions to determine whether purchasing cards were administered in accordance with College policies and procedures. Also, tested former employees to determine whether purchasing cards were timely cancelled upon termination of employment. Reviewed contractual agreements to determine compliance with applicable laws, rules, and contractual requirements. Reviewed policies and procedures to determine whether the College limited the use of, and documented the level of service for, wireless communication devices. Also, determined whether the College paid Federal, State, or local taxes or fees for which it was exempt. For selected major construction projects, tested payments and supporting documentation to determine compliance with College policies and procedures and provisions of law and rules. Also, for construction management contracts, determined whether the College monitored the selection process of subcontractors by the construction manager and, for delivery order contracts, determined whether the College implemented procedures to ensure that construction cost estimates were independently evaluated for validity and reasonableness.
Sirius Academics project.
Personnel and payroll.
Overtime payments. Terminal pay.
Leave policies.
Purchasing card transactions.
Contractual agreements. Wireless communication devices.
Construction administration.
16
JANUARY 2012 EXHIBIT A (CONTINUED) AUDIT SCOPE AND METHODOLOGY
Scope (Topic) Earmarked capital project resources.
REPORT NO. 2012-073
Methodology Determined, on a test basis, whether Public Education Capital Outlay expenditures were in compliance with the restrictions imposed on the use of these resources. Determined whether the Board had adopted a policy establishing minimum insurance coverage requirements for design professionals, such as architects and engineers. Examined recent construction projects to determine whether architects and engineers provided evidence of the required insurance. Tested significant construction projects to determine whether the College made use of its sales tax exemption to make direct purchases of materials, or documented its justification for not doing so. Tested purchases to determine that the asset was properly capitalized or expensed, and was an allowable use of restricted capital outlay resources. Determined whether amounts reported to the Florida Department of Education for State-funded capital outlay programs were supported by the College’s accounting records.
Insuring architects and engineers.
State sales tax exemption for direct purchase of construction materials.
Capital outlay purchases.
State-funded capital outlay program reporting.
17
JANUARY 2012 EXHIBIT B MANAGEMENT’S RESPONSE
REPORT NO. 2012-073
18
JANUARY 2012 EXHIBIT B (CONTINUED) MANAGEMENT’S RESPONSE
REPORT NO. 2012-073
19
JANUARY 2012 EXHIBIT B (CONTINUED) MANAGEMENT’S RESPONSE
REPORT NO. 2012-073
20
JANUARY 2012 EXHIBIT B (CONTINUED) MANAGEMENT’S RESPONSE
REPORT NO. 2012-073
21
JANUARY 2012 EXHIBIT B (CONTINUED) MANAGEMENT’S RESPONSE
REPORT NO. 2012-073
22
FLORIDA STATE COLLEGE AT JACKSONVILLE
Operational Audit
BOARD OF TRUSTEES AND PRESIDENT
Members of the Board of Trustees and President who served during the 2010-11 fiscal year are listed below:
The Vice Chairs serve with equal rank and status on the Board. The purpose of the dual office is to assure leadership representation from each of the two counties served by the College.
The audit team leader was Lenia Blades, and the audit was supervised by John P. Duffy, CPA. For the information technology portion of this audit, the audit team leader was Sue Graham, CPA, CISA, and the supervisor was Heidi G. Burns, CPA, CISA. Please address inquiries regarding this report to James R. Stultz, CPA, Audit Manager, by e-mail at [email protected] or by telephone at (850) 922-2263. This report and other reports prepared by the Auditor General can be obtained on our Web site at www.myflorida.com/audgen; by telephone at (850) 487-9175; or by mail at G74 Claude Pepper Building, 111 West Madison Street, Tallahassee, Florida 32399-1450.
JANUARY 2012
REPORT NO. 2012-073
FLORIDA STATE COLLEGE AT JACKSONVILLE
SUMMARY
Our operational audit disclosed the following: STUDENT ENROLLMENT Finding No. 1: The College had not provided data for its Continuing Workforce Education (CWE) courses requested by the Florida Department of Education to determine adjustments necessary to the College’s full-time equivalent CWE enrollment for the 2006-07 through 2009-10 fiscal years. As a result, the College may receive State funding that it is not entitled to receive. Finding No. 2: The College needed to strengthen its controls to ensure the accurate reporting of instructional contact hours for adult general education classes to the Florida Department of Education. STUDENT TUITION AND FEES Finding No. 3: The College needed to strengthen its procedures for assessing user fees. ADMINISTRATIVE MANAGEMENT Finding No. 4: A College employee’s employment with another organization doing business with the College may have resulted in a conflict of interest in violation of Section 112.313(7)(a), Florida Statutes. PERSONNEL AND PAYROLL Finding No. 5: The President’s employment agreement included a severance pay provision that is contrary to Section 215.425(4)(a), Florida Statutes. Finding No. 6: Pursuant to the College President’s employment contract, accrued sick leave was transferred to accrued vacation leave, effectively circumventing the limitation for payment of unused sick leave upon termination provided in Section 1012.865(2)(e)2., Florida Statutes. Finding No. 7: The College had not taken action to recover sick leave overpayments totaling $87,098 noted in our prior report. CONSTRUCTION ADMINISTRATION Finding No. 8: The College’s procedures for the administration of construction management projects needed improvement. Finding No. 9: The College needed to enhance its monitoring procedures for ensuring that design professionals and construction managers obtain required insurance coverage. CONFIDENTIAL INFORMATION Finding No. 10: The College did not always provide the required written notification to individuals when their social security numbers were collected, contrary to Section 119.071(5)(a), Florida Statutes. INFORMATION TECHNOLOGY Finding No. 11: Some inappropriate and unnecessary information technology (IT) access privileges existed. Finding No. 12: The College had not developed a written, comprehensive IT risk assessment. Finding No. 13: The College did not retain some access control records, contrary to the requirements of the State of Florida, General Records Schedule . Finding No. 14: The College did not have written policies and procedures for certain IT functions. Finding No. 15: The College’s procedures for managing access to its telecommunications equipment needed improvement. Finding No. 16: The College’s IT security controls related to user authentication needed improvement. 1
JANUARY 2012
REPORT NO. 2012-073
BACKGROUND
Florida State College at Jacksonville (College) is under the general direction and control of the Florida Department of Education, Division of Florida Colleges, and is governed by State law and State Board of Education rules. A board of trustees (Board) governs and operates the College. The Board constitutes a corporation and is composed of nine members appointed by the Governor and confirmed by the Senate. The College President serves as the executive officer and the corporate secretary of the Board, and is responsible for the operation and administration of the College. The College has campuses located in Jacksonville, Florida, and centers located in Jacksonville and Yulee, Florida. Additionally, credit and noncredit classes are offered in public schools and other locations throughout Duval and Nassau Counties. The College reported enrollment of 25,524 full time equivalent students for the 2010-11 fiscal year. The results of our financial audit of the College for the fiscal year ended June 30, 2011, will be presented in a separate report. In addition, the Federal awards administered by the College are included within the scope of our Statewide audit of Federal awards administered by the State of Florida and the results of that audit, for the fiscal year ended June 30, 2011, will be presented in a separate report.
FINDINGS AND RECOMMENDATIONS
Student Enrollment Finding No. 1: Full-Time Equivalent Enrollment Reporting – Continuing Workforce Education Courses
Section 1011.84(1)(a), Florida Statutes, requires that the Florida Department of Education (FDOE) determine the State financial support and the annual apportionment to each college district through the College Program Fund based on the types of programs offered and the related costs of those programs. Section 1011.80(5)(a) (2009), Florida Statutes, provided that for a continuing workforce education course, State funding shall equal 50 percent of the cost of instruction, with student fees, business support, quick-response training funds, or other means making up the remaining 50 percent. Sections 1011.80(5)(d) and 1011.84(1)(f), Florida Statutes, provide that when a public educational institution has been fully funded by an external agency for direct instructional costs of any course or program, the full-time equivalent (FTE) generated shall not be reported for State funding. State Board of Education Rule 6A-14.054(7), Florida Administrative Code, provides that each board of trustees shall have the authority to negotiate tuition fees for courses and programs contracted by external agencies and companies that vary from the tuition fees provided for in this rule, and such negotiated fees may exceed the full cost of instruction; however, the courses and programs of instruction funded from these negotiated fees shall not be reported for State funding purposes. In our report No. 2010-168, we noted that the College reported 3,955 and 3,666 full-time equivalent (FTE) enrollment in the College’s continuing workforce education (CWE) category for the 2008-09 and 2007-08 fiscal years, respectively, for which the College also reported revenues from the Navy and other external agencies and companies exceeding the direct cost of instruction. We also noted that, because the College was fully funded for direct instructional costs for these CWE programs, the College’s reporting of this FTE appeared to be contrary to Sections 1011.80(5)(d) and 1011.84(1)(f), Florida Statutes, and State Board of Education Rule 6A-14.054(7), Florida Administrative Code. We recommended that the College consult with the FDOE on the reporting of FTE for CWE 2
JANUARY 2012
REPORT NO. 2012-073
programs and determine the corrective action necessary to the FTE reported for CWE programs for the 2008-09 and 2007-08 fiscal years. Our current review disclosed that for the 2009-10 fiscal year the College reported FTE for its CWE programs for which it reported revenues from the Navy and other external agencies and companies that collectively exceeded the direct cost of instruction, as shown in Table 1 below: Table 1
Description Total 2009-10 Naval Agreements CWE $ 15,298,751 14,571,033 $ 727,718 104.99% 4,484 Other CWE
CWE Revenues (Fees and Contracts) (1) Direct Instructional Expenses (2) Difference Revenues as a Percentage of Expenses CWE FTE Reported (2) Total FTE Reported (2) CWE FTE as a Percentage of Total FTE
$ 18,137,864 17,086,371 $ 1,051,493 106.15% 4,845 28,808 16.82%
$ 2,839,113 2,515,338 $ 323,775 112.87% 361
Notes: (1) From the College's General Ledger. (2) From the College's Student Enrollment and Cost Analysis Reports.
Effective July 1, 2010, Section 1011.80(5)(a), Florida Statutes, was revised to require that expenditures for CWE programs provided by colleges be fully supported by fees and discontinuance of reporting enrollments in CWE courses for FTE funding purposes. In February 2011, FDOE contacted the College and indicated that the CWE FTE previously reported impacted not only the 2007-08 and 2008-09 fiscal years’ enrollment reporting, but also the 2009-10 fiscal year. FDOE also indicated that the Florida College System’s funding allocation model and prior enrollment growth used to allocate the College’s 2010-11 fiscal year funding relied heavily on the CWE FTE reported by the College during the 2006-07 to 2009-10 fiscal years. FDOE further indicated that, as a result, the College received additional funding in the 2010-11 fiscal year based, in part, on the incorrect CWE FTE previously reported and requested that the College provide the data necessary to accurately assess the reporting of CWE FTE by February 28, 2011. We were advised by FDOE and College personnel that the requested data regarding the CWE FTE reporting had not been provided to FDOE as of November 15, 2011. The failure of the College to provide the accurate enrollment data may result in the College receiving State funding that it is not entitled to receive. Recommendation: Since State funding provided to the College is based partially on the FTE reported to FDOE, the College should consult with FDOE on the reporting of FTE for these programs and determine the corrective action necessary to FTE reported for the CWE programs for the 2006-07 through 2009-10 fiscal years.
3
JANUARY 2012 Finding No. 2: Adult General Education
REPORT NO. 2012-073
Section 1004.02(3), Florida Statutes, defines adult general education, in part, as comprehensive instructional programs designed to improve the employability of the State’s workforce. The College received State funding for adult general education, and proviso language included in Chapter 2010-152, Laws of Florida, Specific Appropriation 112, required that each college report enrollment for adult general education programs identified in Section 1004.02, Florida Statutes, in accordance with Florida Department of Education (FDOE) instructional hours reporting procedures. Procedures provided by FDOE stated that fundable instructional contact hours are those scheduled hours that occur between the date of enrollment in a class and the withdrawal date or end-of-class date, whichever is sooner. The FDOE procedures also provided that colleges develop a procedure for withdrawing students for nonattendance and that the standard for setting the withdrawal date be six consecutive absences from a class schedule, with the withdrawal date reported as the day after the last date of attendance. Additionally, there is a minimum enrollment threshold of 12 hours of attendance per program that must be met before a student can be counted for funding purposes; however, when the threshold is not met the actual hours of attendance should still be included to satisfy other reporting requirements. College procedures require that class instructors maintain student attendance records and enter instructional contact hours in the College’s student records system. The College reported 1,055,700 instructional hours for adult general education classes provided to students during the 2010-11 fiscal year. Our review of the hours reported for ten students enrolled in 35 adult general education classes, for which the College reported 1,966 hours to FDOE, disclosed various errors in reporting instructional contact hours for seven students enrolled in 16 classes, as follows: For one student enrolled in four courses, the College excluded absences from the reported enrollment hours rather than reporting total scheduled hours as provided by FDOE procedures, resulting in 22 hours under reported. For three students enrolled in eight courses, the College over reported enrollment by 159 hours. The over reporting of hours was the result of either the student not meeting the 12 hour threshold, the student not attending any classes, or the College failing to report only those scheduled hours that occurred between the date of enrollment in a class and the withdrawal date, whichever was sooner. For three students enrolled in four courses, attendance records were not available for the entire semester, and as a result the College’s student records did not support attendance for 180 contact hours reported to the FDOE. Since future funding may be based, in part, on enrollment data submitted to FDOE, it is important that the College submit accurate and complete data. Recommendation: The College should enhance its controls to ensure the accurate reporting of instructional contact hours for adult general education classes to FDOE. In addition, the College should contact FDOE to determine what corrective actions are necessary regarding unsupported, over-, and underreported hours. Student Tuition and Fees Finding No. 3: User Fees Section 1009.23(12), Florida Statutes, authorizes each college board of trustees to establish user fees, including laboratory fees, that shall not exceed the cost of the services provided and can only be charged to persons receiving 4
JANUARY 2012
REPORT NO. 2012-073
the service. State Board of Education (SBE) Rule 6A-14.054(6), Florida Administrative Code, authorizes the Board to establish user fees in addition to tuition fees for services that incur unusual costs. Additionally, the Florida College System Council of Business Affairs and the Florida Department of Education, Division of Florida Colleges, have issued guidelines for assessing user fees. These guidelines provide that each college board establish policies for the implementation and justification of additional user fees, defining which costs are in excess of base instructional costs, describing the documentation required to support the fees, the time period for review of such fees, and the manner of presenting such fees to the Board for approval. The College Board adopted Board Rule 6Hx7-4.19, Fees and Charges, establishing policies to be used for assessing user fees. The College also established procedures related to special fees that require the preparation of a Special Fee Request Form (Form) to document the background, rationale, cost basis, and annual fiscal impact of the new or revised fee. The Board Rule also requires that costs supporting such fees be reviewed at least every three years. Laboratory and other user fee collections totaled approximately $5.3 million for the 2010-11 fiscal year. Our review of ten laboratory and other user fees assessed disclosed the following: Although requested, supporting documentation for three laboratory fees, ranging from $12 to $70 per course, was not available. In response to our inquiry, College personnel indicated that two of these fees had been assessed since 1999, when the College transitioned from its previous accounting system, and supporting documentation was not maintained. According to College personnel, supporting documentation for the other laboratory fee could not be located. Absent supporting documentation, College records did not demonstrate that the laboratory fees assessed were properly calculated and did not exceed the cost of services provided. The three laboratory fees noted above and two other laboratory fees, totaling $254 and $781 per course, had not been reviewed within the previous three years, contrary to Board Rule 6Hx7-4.19. In response to our inquiry, College personnel indicated that the College had not reviewed the two fees assessed since 1999, as discussed above, and the other three fees were last reviewed in 2000, 2002, and 2006, respectively. Absent timely periodic reviews of user fees, there is an increased risk that fees will not be adjusted to reflect changes in costs since the fees were initially determined or previously reviewed. Recommendation: The College should ensure that a documented evaluation of each laboratory and other user fee is periodically performed to ensure compliance with Section 1009.23(12), Florida Statutes, and applicable SBE and Board rules. Administrative Management Finding No. 4: Conflict of Interest Section 112.313, Florida Statutes, establishes standards of conduct for public officers and employees. Section 112.313(7)(a), Florida Statutes, provides that no employee should have a contractual relationship with any business entity that is subject to the regulation of, or is doing business with, an agency of which he or she is an officer or employee, except under specific circumstances listed in Section 112.313(12), Florida Statutes. The statute also prohibits an employee of an agency from having or holding any employment or contractual relationship that will create a continuing or frequently recurring conflict between his or her private interests and the performance of his or her public duties or that would impede the full and faithful discharge of his or her public duties. Effective May 31, 2011, the Board approved an administrative procedure relating to standards of conduct for employees that addresses such matters as conflicts of interest, unauthorized compensation, and misusing public position.
5
JANUARY 2012
REPORT NO. 2012-073
The College has developed a business enterprise, referred to as Sirius Academics, to provide for the development and distribution of low-cost instructional materials. Sirius Academics course materials are developed and owned by the College, and are sold and distributed through a contracted bookstore that receives a commission on each sale. Students enrolled in Sirius Academics courses are required to purchase the materials from the contracted bookstore. The College also markets the materials to other educational institutions, primarily through a Federally-funded consortium comprised of 24 colleges and universities referred to as Project DELTA (Disseminating Effective Learning Through Automation). The College administers the Federal grant funding the Project DELTA consortium, and the College provides Sirius Academics course materials to the contracted bookstore for consortium members to purchase. During the 2010-11 fiscal year, we were made aware that a College employee directly involved with the Sirius Academics project and the development and marketing of these course materials had an employment relationship with an out-of-State college that was also a Project DELTA consortium member, and purchased the College’s Sirius Academics course materials. Such an arrangement may represent a conflict of interest as defined by Section 112.313(7)(a), Florida Statutes. Recommendation: The College should ensure that conflicting employment or contractual relationships, as specified in Section 112.313, Florida Statutes, are prohibited. Personnel and Payroll Finding No. 5: Severance Pay Chapter 2011-143, Laws of Florida, was signed into law on June 17, 2011, and amends Section 215.425, Florida Statutes. This law provides that, on or after July 1, 2011, a unit of government that enters into a contract or employment agreement, or renewal or renegotiation of an existing contract or employment agreement, that contains a provision for severance pay with an officer, agent, employee, or contractor must include provisions consistent with the following: A requirement that severance pay provided may not exceed an amount greater than 20 weeks of compensation. A prohibition of a provision for severance pay when the officer, agent, employee, or contractor has been fired for misconduct, as defined in Section 443.036(29), Florida Statute, by the unit of government. On July 12, 2011, the Board approved the 2011-12 fiscal year employment agreement with the College President. Paragraph 5.a.(3) of the employment agreement provides, upon termination without cause, for the payment of an amount equal to the lesser of one year’s annual salary or the annual salary for the remaining term of the agreement ending June 30, 2015, and for certain insurance coverage under the College’s medical and dental plans, at the President’s election, for the same remaining term. This provision is contrary to Section 215.425(4)(a), Florida Statutes, in that it allows for the possibility of the President receiving severance payments that exceed 20 weeks of salary. Recommendation: The College should ensure that employment agreements, including the President’s contract, contain provisions for severance pay that are in accordance with Section 215.425(4)(a), Florida Statutes.
6
JANUARY 2012 Finding No. 6: Transfer of President’s Accrued Sick Leave
REPORT NO. 2012-073
Section 1012.865(2)(e)2., Florida Statutes, provides that sick leave terminal pay for employees other than instructional staff or educational support employees (considered senior management class employees at the College) may not exceed an amount equal to one-fourth of the employee's unused sick leave, or 60 days of the employee's pay, whichever amount is less, for unused sick leave accumulated on or after July 1, 2001. The President’s employment contracts for the 2009-10 and 2010-11 fiscal years provided, in part, that sick leave benefits in excess of 296 hours accrued as of December 31, 2009, be transferred to accrued vacation leave. According to College records, 776 sick leave hours were transferred from the President’s sick leave account to his vacation leave account on January 22, 2010, thereby reducing his sick leave balance to 296 hours. Because the sick leave transferred to annual leave was earned by the President after July 1, 2001, payment for any unused balance remaining when the President separates from the College would be subject to a one-fourth limitation or 60 days of pay, whichever is less; however, there are no such limitations on the payment of vacation leave. Consequently, these provisions may result in circumventing the limitation for payment for accrued leave upon termination of employment, as provided in Section 1012.865(2)(e)2., Florida Statutes. Based on the President’s salary rate as of October 31, 2011, the transfer of accrued sick leave to accrued annual leave would amount to an additional $95,518 in compensation. Upon inquiry, College personnel advised us that the Board’s statutory authority and responsibility over the President’s annual evaluation and the terms and conditions of employment pursuant to Sections 1001.64(19) and (47), Florida Statutes, provided the authority for the Board to permit the transfer of accrued sick leave balances to accrued annual leave balances; however, we are unaware of any authority that would allow the Board to transfer sick leave to annual leave or to provide employment contract provisions that are contrary to specific provisions of Section 1012.865(2)(e)2., Florida Statutes. Recommendation: The College should restore the 776 hours to the President’s accrued sick leave account to ensure any future leave payments are in compliance with Section 1012.865(2)(e)2., Florida Statutes. The College should also consult with its legal counsel to take appropriate actions to revise the President’s employment contract to ensure the provisions are consistent with applicable statutes. Finding No. 7: Terminal Pay for Accumulated Unused Sick Leave In audit report No. 2010-168, we noted the College overpaid 23 former administrative and professional employees a total of $87,098 for accumulated unused sick leave because the College calculated the payments based on 100 percent of the employee’s unused sick leave earned after July 1, 2001, rather than using one-fourth of the unused leave as required by Section 1012.865(2)(e), Florida Statutes. College personnel advised us that when Board Rule 6Hx7-3.38, Sick Leave, was modified on December 3, 2002, the College inadvertently omitted the wording limiting terminal payments to one-fourth of the employee’s unused sick leave. In response to report No. 2010-168, the College President indicated that the College would not attempt to collect overpayments from the 23 former employees that separated from the College. On November 3, 2009, the Board approved revising the Rule to include the one-fourth limitation; however, as of October 31, 2011, the College had not attempted to recover any overpayments, nor had the College documented, of record, the public purpose served by not attempting to recover the overpayments.
7
JANUARY 2012
REPORT NO. 2012-073
Recommendation: The College should attempt to recover the overpayments from former employees, to the extent allowed under Section 95.11, Florida Statutes, or document, of record, the public purpose served by not attempting to recover the overpayments. Construction Administration Finding No. 8: Construction Management Services Pursuant to Section 1013.45(1), Florida Statutes, the College may contract for the construction or renovation of facilities using various delivery methods, including selection of a construction manager (CM) pursuant to Section 287.055, Florida Statutes, which requires that the College publicly announce, in a uniform and consistent manner, each occasion when professional services must be purchased for a project in which the basic construction costs are estimated to exceed a specified amount ($325,000 for the 2010-11 fiscal year). The public notice must include a general description of the project and must indicate how interested consultants may apply for consideration. Under the CM process, contractor profit and overhead are contractually agreed upon, and the contracted firm is responsible for all scheduling and coordination in both design and construction phases and is generally responsible for the successful, timely, and economical completion of the construction project. CM firms may also be required to offer a guaranteed maximum price (GMP). The GMP provision allows for the difference between the actual cost of the project and the GMP amount, or the net cost savings, to be returned to the College. As such, a GMP contract requires close monitoring by College personnel to ensure that the cost of construction is adequately documented. Our review of the College’s controls over construction administration disclosed the following: South Campus Welcome Center Project Our review disclosed that the College utilized a local district school board’s continuing contract to procure construction management services for its $850,000 South Campus Welcome Center project rather than utilizing the public announcement and competitive selection and negotiation process required by Section 287.055, Florida Statutes. Upon inquiry, College personnel advised us they utilized the district school board’s continuing contract for construction management services pursuant to State Board of Education Rule 6A-14.0734, Florida Administrative Code; however, this rule pertains to the general purchase of services or commodities not specifically addressed in the statutes and we know of no legal basis for an administrative rule to supersede the requirements of Sections 1013.45 and 287.055, Florida Statutes. The Legislature has recognized in Section 287.001, Florida Statutes, that fair and open competition is a basic tenet of public procurement and that such competition reduces the appearance and opportunity for favoritism and inspires public confidence that contracts are awarded equitably and economically. Absent utilization of the required competitive selection process, the College's assurances related to the fair, equitable, and economical procurement of professional services are limited. South Campus Fire Training Burn Ship Project The College entered into a GMP contract with a CM for construction of a Fire Training Burn Ship project with a total project cost of approximately $3.2 million. This project was completed during the 2010-11 fiscal year. Our review disclosed that the College could improve its controls over construction administration, as discussed below: The College did not require the CM to include supporting documentation for the itemized amounts it billed to the College. The College’s contract with the CM required that invoices be submitted in detail sufficient for a proper pre-audit and post-audit thereof. Absent supporting documentation for the itemized amounts billed, 8
JANUARY 2012
REPORT NO. 2012-073
College records do not evidence that the amounts requested by the CM were adequately verified prior to payment. College personnel did not attend the bid openings for the first phase of the project with construction costs of approximately $1.7 million. Absent the College’s presence and documented monitoring of the subcontractor selection process, the College has limited assurance that the CM complied with the terms of the contract in the handling and awarding of subcontractor bids. For example, we noted several inconsistencies between subcontractor bids and bid tabulations, and between the apparent low bidders and the subcontractors actually selected. Subsequent to our inquiry, College personnel contacted the CM firm and obtained reasonable explanations for the inconsistencies noted by our review. Although required by the College’s contract with the CM, copies of the project manual and any updates were not provided to the College. The project manual describes the services set forth in the contract and provides a plan for the control, direction, coordination, and evaluation of work performed throughout the project, including identification of key personnel; responsibilities of the CM, College, and architect; work flow diagrams; and strategy for bidding the work. Subsequent to our inquiries, the College requested and obtained a copy of the project manual. The College’s contract with the CM required that copies of subcontracts be provided to the College as part of the project manual and, as noted above, the project manual was not obtained until subsequent to our inquiries. Our review disclosed that several subcontracts were not included in the project manual, and that a number of the subcontracts were executed in amounts that did not agree with bid amounts or bid tabulations without College personnel obtaining explanations for these differences. For example, the subcontract for concrete was $8,286 more than the subcontractor’s bid amount and the subcontract for site-work was $29,431 less than the amount awarded per the bid tabulation. Copies of subcontracts should be maintained for verifying contractor billings, monitoring project contingency funds, and ensuring that cost savings are maximized under the GMP. Additionally, subcontract amounts should agree with bid amounts or reasonable explanations for any differences should be obtained. In response to our inquiry, we were advised by College personnel that the standard procedure for future projects will be to require that a College employee attend bid openings and that bid tabulations, projects manuals, and detailed payment requests, with supporting invoices, be timely provided and utilized in monitoring project progress and billings. Recommendation: The College should enhance its procedures to ensure a formal competitive selection and negotiation process is held for selecting professional services when the basic construction cost or the fee for professional services is estimated to exceed the thresholds specified in Section 287.055, Florida Statutes. Additionally, the College should continue its efforts to improve CM contract monitoring procedures by ensuring that a College employee attends subcontractor bid openings, obtaining project manuals and subcontracts, and requiring that CM payment requests contain adequate supporting documentation to allow verification of the accuracy of amounts billed. Finding No. 9: Insurance Coverage The College’s requests for qualifications (RFQ) for both architectural and constructions managers (CM) and subsequent contracts contain certain requirements related to insurance coverage for architects and CMs selected to perform construction services. Our review of insurance certificates for the South Campus Fire Training Burn Ship project disclosed that the College needed to enhance its procedures for monitoring evidence of insurance coverage, as follows: Although required in the RFQ for CM services, the College was not listed as an additional insured on the certificates of insurance. The certificates of insurance listed the College as the certificate holder; however, to have an interest in the policy, the College must be listed as an additional insured. 9
JANUARY 2012
REPORT NO. 2012-073
The College’s RFQs for both the architectural and CM services required that the certificates of insurance provide at least 30 days advance notice of cancelation or non-renewal. The certificates reviewed addressed the cancelation provision; however, the certificates did not address notifying the College in the event of non-renewal. The contract for CM services required the certificate of insurance to specifically identify the job name and job number. The College initially accepted a certificate of insurance applicable to another project and did not require the CM to provide a project specific certificate of insurance until November 17, 2009, or 225 days after the contract was signed. The RFQ for architectural services required that new certificates of insurance be provided to the College at least 15 days prior to renewal. College records indicated that evidence of renewal was not obtained until November 24, 2010, or 149 days after the renewal date. Failure to ensure that architects and CMs are maintaining adequate insurance could increase the College’s risk of loss in the event of an occurrence causing injury to persons or damage to property. Recommendation: The College should enhance its monitoring procedures to ensure that contractors and architects timely provide proper certificates of insurance as required by contracts and RFQs. Confidential Information Finding No. 10: Collection of Social Security Numbers The Legislature has acknowledged in Section 119.071(5)(a), Florida Statutes, the necessity of collecting social security numbers (SSNs) for certain purposes because of their acceptance over time as a unique numeric identifier for identity verification and other legitimate purposes. The Legislature has also recognized that SSNs can be used to acquire sensitive personal information, the release of which could result in fraud against individuals or cause other financial or personal harm. Therefore, public entities are required to provide extra care in maintaining such information to ensure its confidential status. Section 119.071(5)(a), Florida Statutes, provides that the College may not collect an individual’s SSN unless the College has stated in writing the purpose for its collection and unless it is specifically authorized by law to do so, or is imperative for the performance of the College’s duties and responsibilities as prescribed by law. Additionally, this Section requires that if the College collects an individual’s SSN, it must provide that individual with a written statement indicating whether the collection of the SSN is authorized or mandatory under Federal or State law, and identifying the specific Federal or State law governing the collection, use, or release of SSNs for each purpose for which the SSN is collected. This Section also provides that SSNs collected by the College may not be used for any purpose other than the purpose provided in the written statement. This Section further requires that the College review whether its collection of SSNs is in compliance with the above requirements and immediately discontinue the collection of SSNs for purposes that are not in compliance. Although the College has assigned unique student and employee identification numbers to replace SSNs for record keeping purposes, it continued to collect SSNs from students, employees, and employee applicants. As similarly noted in our report No. 2010-168, College procedures over the collection and use of SSNs needed improvement, as follows: We noted six standard forms available on the College’s Web site that requested SSNs but did not contain or reference to the required written statement regarding the collection and use of SSNs. Four other forms provided general statements regarding the collection and use of SSNs and referenced to a statement in the College’s online catalog. However, the statement in the College’s online catalog did not identify the specific 10
JANUARY 2012
REPORT NO. 2012-073
Federal and State laws governing the collection, use, or release of SSNs and whether the collection was authorized or mandatory under Federal or State law. The Human Resources Department established a written statement addressing the collection and use of SSNs that was to be signed by new employees upon employment; however, a similar statement was not provided to employee applicants who applied online. In the above circumstances, College records did not evidence that individuals were provided the required written notification when their SSNs were collected. Effective controls to properly monitor the need for and use of SSNs and ensure compliance with statutory requirements reduce the risk that SSNs may be used for unauthorized purposes. Recommendation: The College Section 119.071(5)(a), Florida Statutes. should continue its efforts to ensure compliance with
Information Technology Finding No. 11: Access Privileges Access controls are intended to protect data and information technology (IT) resources from unauthorized disclosure, modification, or destruction. Effective access controls provide employees access to IT resources based on a demonstrated need to view, change, or delete data and restrict employees from performing incompatible functions or functions outside of their areas of responsibility. Periodically reviewing IT access privileges assigned to employees promotes good internal control and is necessary to ensure that employees cannot access computer resources inconsistent with their assigned job responsibilities. Our tests of selected access privileges to the finance application disclosed that some employees had access privileges that either permitted the employee to perform incompatible duties or were not necessary for their job responsibilities. Specifically: Two database administrators had security administrator privileges for the finance application. Since the College’s practice was to distribute security administration responsibilities to various departments, this access was unnecessary and contrary to an appropriate separation of duties. In addition, an employee with budget and financial planning responsibilities had security administrator privileges that were no longer necessary for the employee’s job responsibilities. Four current finance employees had update capability in the finance application, including vendor and electronic funds transfers, which was unnecessary for their assigned job responsibilities. Additionally, one former employee who had not been employed by the College since 2001 continued to have update capability in the finance application as of June 29, 2011. Two programmers had update capability in the finance application. Based on their application programming responsibilities in support of the business application system, this access was unnecessary and contrary to an appropriate separation of duties. As also noted in our report No. 2010-168, the College did not have written procedures to provide for a comprehensive review of employees’ access privileges. Without a comprehensive review, inappropriate access privileges may not be timely detected and addressed by the College, increasing the risk of unauthorized disclosure, modification, or destruction of College data and IT resources.
11
JANUARY 2012
REPORT NO. 2012-073
Recommendation: The College should establish written procedures for reviewing the appropriateness of IT access privileges, including those employees who have been granted security administrator authority, and timely remove or adjust any inappropriate or unnecessary access detected to ensure that access privileges are compatible with employee job duties. Finding No. 12: Risk Assessment Management of IT-related risks is a key part of enterprise IT governance. Incorporating an enterprise perspective into day-to-day governance actions helps an entity understand its greatest security risk exposures and determine whether planned controls are appropriate and adequate to secure IT resources from unauthorized disclosure, modification, or destruction. IT risk assessment, including the identification of risks and the evaluation of the likelihood of threats and the severity of threat impact, helps support management’s decisions in establishing cost-effective measures to mitigate risk and, where appropriate, formally accept residual risk. The College had not developed a written, comprehensive IT risk assessment. The absence of a written, comprehensive IT risk assessment may limit the College’s assurance that all likely threats and vulnerabilities have been identified, the most significant risks have been addressed, and appropriate decisions have been made regarding which risks to accept and which risks to mitigate through security controls. Recommendation: The College should develop a written, comprehensive IT risk assessment to provide a documented basis for managing IT-related risks. Finding No. 13: Access Control Records The State of Florida, General Records Schedule GS1-SL, for State and local Government Agencies (General Records Schedule), revised by the Department of State effective August 2010, provides that access control records must be retained for one anniversary year after superseded or after the employee separates from employment. Contrary to the General Records Schedule requirements, the College’s practice was to delete an employee’s application account from the system and disable the employee’s network account upon termination of employment and automatically delete the network account 60 days thereafter. Without adequate retention of access control records, the risk is increased that the College may not have sufficient documentation to assist in future investigations of security incidents, should they occur. Additionally, the College is not in compliance with the State’s record retention requirements. Recommendation:
General Records Schedule .
The College should ensure that access control records are retained as required by the
Finding No. 14: Policies and Procedures Each IT function needs complete, well-documented policies and procedures to describe the scope of the function and its activities. Sound policies and procedures provide benchmarks against which compliance can be measured and contribute to an effective control environment. Although informal procedures were followed, the College lacked written policies and procedures for the following IT functions: Removing confidential College information from consultant or vendor equipment upon completion of contractual services. 12
JANUARY 2012 Granting and management of administrative rights by end-users. Sanitizing computer hard drives prior to disposal of the equipment.
REPORT NO. 2012-073
A similar finding was noted in our report No. 2010-168. Without written policies and procedures, there is an increased risk that IT controls may not be followed consistently and in accordance with management’s expectations. Recommendation: The College should establish written policies and procedures to document management’s expectations for the performance of the above-listed IT functions. Finding No. 15: Access to Telecommunications Equipment Physical access controls include restricting physical access to IT resources to minimize the risk of intentional or unintentional loss or impairment. Access to telecommunications equipment located in storage closets, throughout the various College campuses, was not restricted or centrally managed through the IT Department. Consequently, the IT Department was not always notified of individuals who were granted access to the telecommunications equipment. Although our audit did not disclose any unauthorized use of telecommunications equipment, the inability to determine who may have accessed telecommunications equipment may limit the College’s ability to appropriately respond to and take action against an individual attempting unauthorized actions or causing damage to connections or equipment. Recommendation: The College should establish procedures for limiting access to telecommunications equipment, including notification to the IT Department of all individuals granted such access. Finding No. 16: Security Controls – User Authentication Security controls are intended to protect the confidentiality, integrity, and availability of data and IT resources. Our audit disclosed certain College security controls related to user authentication that needed improvement. We are not disclosing specific details of the issues in this report to avoid the possibility of compromising College data and IT resources. However, we have notified appropriate College management of the specific issues. Without adequate security controls related to user authentication, the confidentiality, integrity, and availability of data and IT resources may be compromised, increasing the risk that College data and IT resources may be subject to improper disclosure, modification, or destruction. A similar finding was noted in our report No. 2010-168. Recommendation: The College should improve security controls related to user authentication to ensure the continued confidentiality, integrity, and availability of College data and IT resources.
PRIOR AUDIT FOLLOW-UP
Except as discussed in the preceding paragraphs, the College had taken corrective actions for findings included in our report No. 2010-168.
13
JANUARY 2012
REPORT NO. 2012-073
OBJECTIVES, SCOPE, AND METHODOLOGY
The Auditor General conducts operational audits of governmental entities to provide the Legislature, Florida’s citizens, public entity management, and other stakeholders unbiased, timely, and relevant information for use in promoting government accountability and stewardship and improving government operations. We conducted this operational audit from February 2011 to October 2011 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The objectives of this operational audit were to: (1) obtain an understanding and make overall judgments as to whether College internal controls promoted and encouraged compliance with applicable laws, rules, regulations, contracts, and grant agreements; the economic and efficient operation of the College; the reliability of records and reports; and the safeguarding of assets; (2) evaluate management’s performance in these areas; and (3) determine whether the College had taken corrective actions for findings included in our report No. 2010-168 . Also, pursuant to Section 11.45(7)(h), Florida Statutes, our audit may identify statutory and fiscal changes to be recommended to the Legislature. The scope of this operational audit is described in Exhibit A. Our audit included examinations of various records and transactions (as well as events and conditions) occurring during the 2010-11 fiscal year and selected transactions through October 31, 2011. Our audit methodology included obtaining an understanding of the internal controls by interviewing College personnel and, as appropriate, performing a walk-through of relevant internal controls through observation and examination of supporting documentation and records. Additional audit procedures applied, to determine that internal controls were working as designed, and to determine the College’s compliance with the above-noted audit objectives, are described in Exhibit A. Specific information describing the work conducted to address the audit objectives is also included in the individual findings.
AUTHORITY
Pursuant to the provisions of Section 11.45, Florida Statutes, I have directed that this report be prepared to present the results of our operational audit.
MANAGEMENT’S RESPONSE
Management’s response is included as Exhibit B.
David W. Martin, CPA Auditor General
14
JANUARY 2012 EXHIBIT A AUDIT SCOPE AND METHODOLOGY
Scope (Topic) Information Technology (IT) policies and procedures.
REPORT NO. 2012-073
Methodology Reviewed the College’s written IT policies and procedures to determine whether they addressed certain important IT control functions. Tested select application access privileges to determine whether access privileges granted to sensitive finance and human resources applications were appropriately granted and authorized. Tested access privileges to data files for employees who terminated employment during the audit period and verified that the College terminated access privileges. Reviewed Board minutes to determine whether Board approval was obtained for policies and procedures placed in effect during the audit period and for evidence of compliance with Sunshine law requirements (i.e., proper notice of meetings, ready access to public, maintain minutes). Examined written policies, procedures, and Board of Trustees Rules governing the proper storage, handling, transmission, use, and format of sensitive and confidential information. Examined written policies, procedures, and supporting documentation related to the College’s fraud policy and related procedures. Examined supporting documentation to determine whether the College had provided individuals with a written statement of the purpose of collecting their social security numbers. Reviewed the College’s policies and procedures related to its identity theft prevention program for compliance with the Federal Trade Commission’s Red Flags Rule. Determined whether the unencumbered balance in the unrestricted current fund of the Board of Trustees approved operating budget was below five percent at June 30, 2011, and if so, whether the College notified the Florida Department of Education, as required by Section 1011.84(3)(e), Florida Statutes. Tested student registrations to determine whether the College documented Florida residency and correctly assessed tuition in compliance with Section 1009.21, Florida Statutes, and State Board of Education Rule 6A-10.044, Florida Administrative Code. Reviewed the College’s procedures and determined whether they were approved by the Board of Trustees. Tested technology, laboratory, and user fees and examined supporting documentation to determine whether the College properly calculated these fees. Determined whether the College properly reported FTE student enrollment for its continuing workforce education programs.
IT access privileges and separation of duties.
Procedures to timely prohibit former employees’ access to electronic data files. Board meetings.
Sensitive and confidential information.
Fraud policy and related procedures.
Social security number requirements of Section 119.071(5)(a), Florida Statutes. Identity theft prevention program (Red Flags Rule).
Fund equity controls.
Florida residency determination and tuition.
Technology, laboratory, and other user fees.
Student enrollment reporting.
15
JANUARY 2012 EXHIBIT A (CONTINUED) AUDIT SCOPE AND METHODOLOGY
Scope (Topic) Adult general education program enrollment reporting.
REPORT NO. 2012-073
Methodology Examined supporting documentation on a test basis to determine whether the College reported instructional and contact hours in accordance with Florida Department of Education requirements. Reviewed the business plan, contracts, and financial activity related to the College’s Sirius Academics project to determine whether College personnel properly administered and accounted for project revenues and expenses and monitored compliance with contract terms. Tested payroll transactions to determine the accuracy of the rate of pay, accuracy of the retirement contribution, validity of employment contracts, adequacy of qualifications, completion of performance evaluations, accuracy of leave records, and certifications by supervisory personnel of employee time reports. Also, tested new hires to determine whether personnel records evidenced that employees had the necessary qualifications, degrees, experience, necessary background checks, etc. Performed analytical procedures of overtime payments to determine reasonableness. Reviewed the College’s rules and procedures for terminal pay to ensure consistency with Florida law. Tested former employees to determine appropriateness of terminal pay. Reviewed policies and procedures to determine whether the College had a Board-approved leave policy pursuant to Section 1001.64(18), Florida Statutes. Tested transactions to determine whether purchasing cards were administered in accordance with College policies and procedures. Also, tested former employees to determine whether purchasing cards were timely cancelled upon termination of employment. Reviewed contractual agreements to determine compliance with applicable laws, rules, and contractual requirements. Reviewed policies and procedures to determine whether the College limited the use of, and documented the level of service for, wireless communication devices. Also, determined whether the College paid Federal, State, or local taxes or fees for which it was exempt. For selected major construction projects, tested payments and supporting documentation to determine compliance with College policies and procedures and provisions of law and rules. Also, for construction management contracts, determined whether the College monitored the selection process of subcontractors by the construction manager and, for delivery order contracts, determined whether the College implemented procedures to ensure that construction cost estimates were independently evaluated for validity and reasonableness.
Sirius Academics project.
Personnel and payroll.
Overtime payments. Terminal pay.
Leave policies.
Purchasing card transactions.
Contractual agreements. Wireless communication devices.
Construction administration.
16
JANUARY 2012 EXHIBIT A (CONTINUED) AUDIT SCOPE AND METHODOLOGY
Scope (Topic) Earmarked capital project resources.
REPORT NO. 2012-073
Methodology Determined, on a test basis, whether Public Education Capital Outlay expenditures were in compliance with the restrictions imposed on the use of these resources. Determined whether the Board had adopted a policy establishing minimum insurance coverage requirements for design professionals, such as architects and engineers. Examined recent construction projects to determine whether architects and engineers provided evidence of the required insurance. Tested significant construction projects to determine whether the College made use of its sales tax exemption to make direct purchases of materials, or documented its justification for not doing so. Tested purchases to determine that the asset was properly capitalized or expensed, and was an allowable use of restricted capital outlay resources. Determined whether amounts reported to the Florida Department of Education for State-funded capital outlay programs were supported by the College’s accounting records.
Insuring architects and engineers.
State sales tax exemption for direct purchase of construction materials.
Capital outlay purchases.
State-funded capital outlay program reporting.
17
JANUARY 2012 EXHIBIT B MANAGEMENT’S RESPONSE
REPORT NO. 2012-073
18
JANUARY 2012 EXHIBIT B (CONTINUED) MANAGEMENT’S RESPONSE
REPORT NO. 2012-073
19
JANUARY 2012 EXHIBIT B (CONTINUED) MANAGEMENT’S RESPONSE
REPORT NO. 2012-073
20
JANUARY 2012 EXHIBIT B (CONTINUED) MANAGEMENT’S RESPONSE
REPORT NO. 2012-073
21
JANUARY 2012 EXHIBIT B (CONTINUED) MANAGEMENT’S RESPONSE
REPORT NO. 2012-073
22
