3. Scope of Internal Audit Activities
Access permissions of work-study students in the application ImageNow, from the Office of Registrar, Student Financial Services, and Graduate Admission departments, as of June 30th, 2016
User Global Permissions Excel worksheet and the Work-study Groups Global Permissions Excel worksheet
Audit Duration: July 12th, 2016 - August 8th, 2016
Audit Total hours: Budgeted 90 hours and accounted 87 total hours
Audit Criteria: APQC, COSO
4. Scope Limitations
The GA Administrator adds students and other faculty outside of her department to ImageNow, does not follow up on termination dates, and does not review access on a regular basis.
“The Registrar” is officially called “The Registrar and Operations”: the operations part of the department (“ESOP”) is not included in the “REG” work-study group and does not have a work-study group of its own. Data on ESOP could not be provided to us within the same timeline.
5. Inherent Risk
Lack of standardized procedures across departments for granting and removing students’ access, which might cause leakage of sensitive information
The Graduate Admission ImageNow Administrator logs in with her own account on behalf of the students, which can cause a security leak
The Registrar does not have an ImageNow administrator
The ImageNow users group does not meet regularly, which can cause administrative differences between departments
Overall: High Inherent Risk
6. Residual Risk
Departments do not review students’ status every quarter, which can lead to a security breach
A work-study student could share their account details with other personnel in Graduate Admission, which can lead to a serious security and information breach
Overall: Medium Residual Risk
7. Risk Rating Criteria
High Priority
Represents a systematic business risk or control deficiency that may significantly prevent the achievement of
strategic objectives, damage reputation and relations with stakeholders (employees, vendors, and customers)
or create situations of managed risk that could have significant impact on operating performance or that
would require the attention of Senior Management or the Audit Committee.
Moderate Priority
Represents a systematic business risk or control deficiency that may reasonably prevent the achievement of
strategic objectives, damage reputation and relations with stakeholders (employees, vendors, and
customers) or create situations of managed risk that could have moderate impact on operating performance
or that can be resolved within the authority levels of executive or operating/line management.
Low Priority
Represents business risk (systemic or isolated occurrence) or control deficiency that does not have an
impact on the achievement of strategic objectives, damage to reputation and relations with stakeholders
(employees, vendors, and customers) or results in situations that would have minor impact on operating
performance or that can be resolved by department heads and/or some involvement of local site
management.
8. Executive Summary
Summary Observation | Suggested Management Actions | Management Priority
No regular meetings between departments | Hold regular meetings between departments | High Priority
Management access is granted to students | Remove management access from students | High Priority
SFS has a general passcode for all employees; the GA department has no passcodes | Improve physical restrictions to computers with ImageNow in each department | Medium Priority
Reviews are infrequent and the Registrar does not have an ImageNow administrator | Review monthly/quarterly, and appoint and train a Registrar administrator | Medium Priority
Students’ accounts are active during vacation quarters | Create a schedule with information on all students: active, inactive, and termination dates | Low Priority
9. Detailed Findings
Control: Regular meetings and training for the departments with the System Administrator (Aaron Boruff)
Observation: No meeting has been held in over a year; the GA and SFS administrators expressed the need for more training
Management Priority: High Priority
Impact: Departments have different procedures for adding a student to, and inactivating a student from, the work-study group, which creates confusion between departments and the System Administrator.
Recommendation: Annual meetings are acceptable; semi-annual meetings are preferable
Benefit: All departments will be able to use the system more efficiently and with more confidence, and the risk of a student having excessive access permissions, or retaining permissions after their termination date, is reduced
10. Detailed Findings
Control: Work-study students are added to the Work-study group in ImageNow, where access permissions are restricted
Observation: Students from Graduate Admissions have management-level privileges (user security, add, remove, group users, document review, etc.)
Management Priority: High Priority
Impact: Work-study students could have access to sensitive information and could modify other ImageNow users
Recommendation: Revoke management-level access from students
Benefit: Ensures the integrity and confidentiality of information
11. Detailed Findings
Control: Physical restrictions to computers with ImageNow in each department through individualized door codes, revoked upon termination of employment
Observation: The Registrar has individualized passcodes, SFS has a general passcode for all employees, and the GA department has no passcodes
Management Priority: Medium Priority
Impact: Students could gain access to the ImageNow application or other sensitive information, or could steal physical equipment
Recommendation: Implement individualized codes in the SFS department and the GA department
Benefit: Secure facilities better prevent theft and unauthorized access to sensitive information
12. Detailed Findings
Control: The Work-study group should be reviewed frequently by each department administrator to confirm that each terminated student’s permissions have been revoked
Observation: The status of all students’ accounts in the Graduate Admissions office has never been reviewed or updated; the SFS work-study group is reviewed quarterly by the SFS Administrator; there is no Registrar Administrator
Management Priority: Medium Priority
Impact: Students could still have access to ImageNow after they no longer work there.
Recommendation: Perform a monthly or quarterly review of students’ working status and terminate inactive accounts; appoint and train a Registrar administrator
Benefit: Limits the probability of information leakage and unauthorized access.
13. Detailed Findings
Control: Managers of all departments should have a schedule with information on all students: active, inactive, and termination dates.
Observation: Students’ accounts are not temporarily deactivated during vacation quarters; 2 students were confirmed to have access beyond termination of employment; the GA and Registrar Administrators were unable to account for all student workers at the time asked
Management Priority: Low Priority
Impact: Potential unauthorized access
Recommendation: Managers should update these schedules monthly or quarterly
Benefit: All students can be accounted for at a glance, facilitating monthly or quarterly review of access permissions
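The reviews called for in findings 10, 12 and 13 (management-level privileges on student accounts, accounts still active past the termination date, accounts not deactivated in vacation quarters, and student workers the administrators could not account for) can be run mechanically against exports of the permissions worksheets named in the scope. The script below is an added example, not part of the audit report or of ImageNow; the CSV column names, the privilege labels, and the sample rows are constructed assumptions.

```python
import csv
import io
from datetime import date

# Privilege labels taken from finding 10; treat any of them on a student account as excessive.
MANAGEMENT_PRIVS = {"user security", "add", "remove", "group users", "document review"}
# The audit's "as of" date (scope, slide 3).
AS_OF = date(2016, 6, 30)

# Constructed stand-in for an export of the User Global Permissions worksheet (assumed columns).
USER_PERMISSIONS_CSV = """user,department,status,privileges
jdoe,GA,active,view;print;add;remove;user security
asmith,SFS,active,view;print
bwong,REG,active,view
clee,GA,active,view;document review
mpatel,SFS,active,view
"""

# Constructed stand-in for the per-department schedule from finding 13 (assumed columns).
ROSTER_CSV = """user,department,start_date,termination_date,vacation_quarter
jdoe,GA,2016-01-04,2016-06-10,no
asmith,SFS,2016-03-28,,no
bwong,REG,2016-04-01,,yes
clee,GA,2016-01-04,,no
"""

def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def review_work_study_access(perm_csv, roster_csv, as_of):
    """Return (user, finding) pairs an administrator should act on."""
    roster = {r["user"]: r for r in load(roster_csv)}
    findings = []
    for u in load(perm_csv):
        active = u["status"].strip().lower() == "active"
        privs = {p.strip().lower() for p in u["privileges"].split(";") if p.strip()}
        excessive = privs & MANAGEMENT_PRIVS
        if excessive:  # finding 10: management-level access on a student account
            findings.append((u["user"], "management-level privileges: " + ", ".join(sorted(excessive))))
        r = roster.get(u["user"])
        if r is None:  # finding 13: account with no one accountable for it on the schedule
            findings.append((u["user"], "not on department roster"))
            continue
        term = r["termination_date"].strip()
        if active and term and date.fromisoformat(term) < as_of:  # finding 12
            findings.append((u["user"], f"active after termination date {term}"))
        if active and r["vacation_quarter"].strip().lower() == "yes":  # finding 13
            findings.append((u["user"], "active during vacation quarter"))
    return findings

if __name__ == "__main__":
    for user, finding in review_work_study_access(USER_PERMISSIONS_CSV, ROSTER_CSV, AS_OF):
        print(f"{user}: {finding}")
```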