Auditing Banner. Karen Helderman, Kyle Webb. October 3, 2013.
Auditing Banner
Karen Helderman
Kyle Webb
October 3, 2013
What is Banner
• Commercially available administrative application suite for higher education institutions.
• Similar to PeopleSoft and Oracle e-Business Suite, but specifically designed for higher education. It includes higher education specific modules such as financial aid.
Banner Features
• Dozens of modules
• Hundreds of screens (forms) per module
• Obtaining a user manual is difficult
• Training for auditors is non-existent
• Like PeopleSoft or Oracle, identifying key application controls requires extensive reading and walk-throughs.
Key Internal Controls
• Auditing Standards require the auditor to identify the key internal controls used by the university to ensure that:
1. Assets and liabilities exist and transactions actually occurred.
2. Transactions that should have been recorded are actually recorded.
3. Transactions are recorded at the proper amount.
4. Transactions are in the correct accounting period.
5. Transactions are recorded in the proper account.
• Banner is delivered with many internal controls and the auditor may request Internet Native Banner (INB) access to review screens (called “forms”) and understand how the university is using Banner features.
Examples
• Management defines the accounting period within Banner and the system automatically assigns transactions to the proper accounting period (Key Internal Control 4).
• Management loads the Board of Visitor approved rates into Banner and the system automatically charges the student each semester based on student criteria and registration info (Key Internal Controls 3 & 5).
Disclaimer
• The non-use of Banner functionality does not mean the University does not have internal controls, but rather that the controls may exist outside of Banner (i.e. manual or in another system).
• When the auditor finds Banner functionality not being used, the auditor will ensure he/she understands internal controls over the alternative process.
Banner Finance
• FTMCOAS (Chart of Accounts Code Maintenance Form) – auditor may examine to understand what accounts may have been added or changed since prior period. The auditor may review COA mapping for new and altered accounts.
• FTMRUCL (Rules Maintenance Form) – auditor may examine to understand if any new rules have been added to Banner and inquire as to why.
• FTMFSYR (Fiscal Year Maintenance Form) – examined to determine that the proper fiscal year period is defined.
• FOASYSC (System Control Maintenance Form) – examined to determine the approval processing setting (bypass, explicit, implicit) for various document types, whether Non-Sufficient Funds (NSF) checking is used, and whether procurement document matching occurs in Banner.
• FGAENCB (Encumbrance/Reservation Maintenance Form) – this form allows the university to encumber funds outside of the purchasing process. This form also allows the university to turn off NSF checking for these items. Auditor will check to see if this is occurring because this would override the previous control (FOASYSC) if management chose to require NSF checking.
• FTMCARD (Purchase Card Maintenance Form) – auditor will look to verify that purchase card numbers are not stored in this form.
• FAICARD (Purchase Card Query Form) – this query displays purchase card numbers if they are stored in FTMCARD. If so, access should be limited.
• FOMPROF (User Profile Maintenance Form) – auditor is concerned with who has access to this form because they can change user profiles. In this form the administrator can also set up flags to ensure compliance with university policy. For example, they can allow NSF override authority, invoice overage tolerances, receiving overrides and tolerances, etc.
• FAARUIV (Recurring Payables Form) – auditor will establish whether the university uses this feature, which can create efficiencies in areas such as lease or rent payments.
• FGIJVCD (List of Suspended Journal Voucher Form) – auditor may use this online query to search for pending journal vouchers that did not post properly before year end and propose adjusting journal entries if material.
• FGRTBEX (Trial Balance Exception Report) – auditor may ask if management is running this report to identify out-of-balance conditions.
• FGRTRNR (Transaction Error Report) – auditor may discuss this report with management and how frequently it is run, the types of errors typically discovered, and how the errors are resolved.
• FAIIREC (Receiving/Matching Status Query Form) – the auditor may run this query to consider the quantity and age of invoices awaiting receipt of goods. This could assist in identifying payables that need accrual because goods were actually received by the financial statement date but not noted in the system in a timely manner.
• FTMVEND (Vendor Maintenance Form) – auditor will examine who has modify access to this form since these individuals can add vendors and change vendor information such as mailing address.
• FTMSHIP (Ship to Address Maintenance Form) – auditor is concerned about access because a user can add an inappropriate shipping address. Auditor can review addresses to ensure they appear reasonable for the campus locations, or set up a data match to employee addresses in the payroll system.
• FPARCVD (Receiving Goods Form) – using receiving within Banner ensures the three way match will work properly. Access to this form should be limited to appropriate users.
• FAAPAYC (Payment Control Form) – users with access to this form can remove AP holds on invoices, thereby overriding system controls.
Banner Student
• SOATERM (Term Control Form) – auditor will use this form to understand the term days and also when fee assessment occurred.
• SFARGFE (Registration Fee Assessment Rules Form) – auditor will review that tuition and fee rates per term agree to approved rates. Auditor will also look for limited update access to this form.
• SLALMFE (Room/Meal/Phone Rate Code Rules Form) – auditor may determine if rates agree to approved rates. Auditor may also ask about third party systems that handle housing and meal plans.
• SOAHOLD (Hold Information Form) – auditor will be interested in access to this form since users can manually release holds.
• SFARFND (Registration Fee Assessment Refund by Total Rules Form) – auditor may examine access to this form since users can modify rules regarding how student refunds are handled.
Efficiency Recommendations
• After the auditor understands how the university is using Banner, the auditor may make recommendations to use Banner functionality in lieu of other processes to improve efficiency. Examples include:
– Use Fixed Asset Module rather than a separate system
– Use recurring AP feature for leases
– Consider using Banner workflow/approvals
– Use encumbrance feature rather than manual budget checking
– Use three way match feature rather than matching paper invoices, receiving reports and purchase orders
Review of User Access
• After understanding modules and processes used by the University, we will typically perform a user access review
• We prefer that the University perform this review and we verify their control is working properly; however, a typical annual user access review is inadequate.
• Managers usually receive a listing of staff having access to their system and perhaps their role
• To be thorough, Managers need comprehensive information about their staff, including roles granted in other departments and the forms they can access by virtue of their role. Also, indirect access may compromise “roles”.
• Our review slices and dices users, roles, and forms in many ways.
User Access Reviews
• Gain an understanding of the modules in use
• How does the University use Banner?
• How does University review user access?
• Is the review adequate and reasonable?
• Development of Audit Tool
Gain an Understanding of Modules in Use
• What modules has the University purchased?
• Many schools don’t use all modules
– Payroll
– Fixed Assets
– Human Resources
• For purpose of reviews, all access to unused modules is likely irrelevant
• Access granted to unused modules
– Evidence of control environment
– Makes management’s review more difficult
How does the University use Banner?
• What actions in Banner are critical?
– Journal Entries
– Approvals
– Purchases
– Holds
• Does the university rely on Banner approval controls?
– Supported or replaced by hardcopy?
– What are the controls external to Banner?
• Once critical processes are determined, then you can review access to those processes
How does the University Review Access?
1. Is there a regular review of access?
2. Is it performed by competent data owners?
3. Is it sufficient?
Is the review sufficient?
• Do you speak Banner?
• Here’s a quick overview….
Naming Convention
FGAJVCQ
• Position 1
– Identifies the Banner system owning the form, report, process or table
• Position 2
– Identifies the module owning the form, report, process or table
• Position 3
– Identifies the type of form, report, process or table
• Position 4
– Identifies a unique four-character code for the form, report, process or table
Roles
• BAN_DEFAULT_M
– Maintenance or “Update” access
– This is the focus of the review
• BAN_DEFAULT_Q
– Read-only access
– Be aware of sensitive information
Understanding the Hierarchy of Access
User
Group
Class
Object (Screen)
Role (Q vs M)
Great News! The Hierarchy doesn’t matter!
Is the University’s review adequate?
• All that matters is User, Role, and Object (Screen)
• User = Who? (JDSMITH)
• Role = Maintenance vs. Query (BAN_DEFAULT_M)
• Object = What process or action (SFARGFE)
• Everything else is for efficiency in granting access, not reviewing
Common Problems
• There is no formalized review
• Review is infrequent (once every year or 2 years)
• Review is limited to Users by Class
– JSMITH has the AR_SUPERVISOR Class. JSMITH is a supervisor in Accounts Receivable. Review done.
– Fails to consider conflicting screens within class, or across classes, or reasonableness of access within class
– Also doesn’t consider “Direct” Access
This is why class/group style reviews are ineffective
The “Class” has no meaning
User
Group
Class
Object (Screen)
Role (M vs Q)
So What do we do?
Obtain the GUVUACC table view from Banner
(This is a view of the GURUACC Table)
It should contain the following fields:
1. TYPE
2. USER
3. OBJECT
4. ROLE
5. CLASS
6. GROUP
7. RANK
It can be a big table: 200k to 1 million records.
1. Develop a Banner Form “Information Table” for Critical Roles.
2. Create Conflict Matrix for known segregation of duties problems.
3. Then import all 3 tables into Access.
Develop Table of Critical Roles (Example)
• Banner Form (FTMVEND)
• Form Name (Vendor Maintenance Form)
• Description (Use this form to add, change, or terminate vendor information)
• Audit Consideration (Access to this form should be limited to the accounts payable staff)
Create Conflict Matrix
Form 1     Form 2
FTMVEND    FAAINVE
FAAINVE    FOAUAPP
FAAINVE    FOAAINP
FGAJVCD    FOAUAPP
FGAJVCQ    FOAUAPP
FGAJVCM    FOAUAPP
FGAJVCD    FOAAINP
Banner Tool
• Allows Vertical “Silo” Review
– Is this access reasonable for the employee?
– Is the number of people with access to this Object reasonable?
FGAJVCD
• JDOE
• JSMITH
SFARGFE
• JSMITH
• FJOHNSON
• TPAYNE
• LWILLIAMS
SOAHOLD
• TWILLIAMS
• JDOE
• 275 others
• Allows for Horizontal (Cross-object) review for conflicts
FGAJVCD
• JDOE
• JSMITH
• BFAVRE
FOAUAPP
• TWILLIAMS
• JDOE
• ESMITH
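The vertical and horizontal reviews described above, reduced to User, Role and Object, can be sketched in a few lines of Python. This is an added example, not the presenters' audit tool: the GUVUACC rows, the TYPE values, and the class and group names other than AR_SUPERVISOR are constructed for illustration, while the conflict pairs are the ones from the Conflict Matrix slide.

```python
from collections import defaultdict

# Conflict matrix as listed on the slide (Form 1, Form 2).
CONFLICTS = [
    ("FTMVEND", "FAAINVE"), ("FAAINVE", "FOAUAPP"), ("FAAINVE", "FOAAINP"),
    ("FGAJVCD", "FOAUAPP"), ("FGAJVCQ", "FOAUAPP"), ("FGAJVCM", "FOAUAPP"),
    ("FGAJVCD", "FOAAINP"),
]

# Constructed sample rows in the field order TYPE, USER, OBJECT, ROLE, CLASS,
# GROUP, RANK. TYPE, CLASS, GROUP and RANK values are placeholders (assumed).
ROWS = [
    ("CLASS",  "JDOE",      "FGAJVCD", "BAN_DEFAULT_M", "GL_ENTRY",      None,      1),
    ("CLASS",  "JDOE",      "FGAJVCD", "BAN_DEFAULT_M", "AR_SUPERVISOR", None,      2),
    ("DIRECT", "JDOE",      "FOAUAPP", "BAN_DEFAULT_M", None,            None,      1),
    ("CLASS",  "JSMITH",    "FGAJVCD", "BAN_DEFAULT_M", "GL_ENTRY",      None,      1),
    ("CLASS",  "JSMITH",    "FOAUAPP", "BAN_DEFAULT_Q", "AR_SUPERVISOR", None,      1),
    ("GROUP",  "BFAVRE",    "FTMVEND", "BAN_DEFAULT_M", "AP_VENDOR",     "AP_DEPT", 1),
    ("CLASS",  "BFAVRE",    "FAAINVE", "BAN_DEFAULT_M", "AP_INVOICE",    None,      1),
    ("CLASS",  "TWILLIAMS", "FOAUAPP", "BAN_DEFAULT_M", "APPROVERS",     None,      1),
]

def effective_access(rows, role="BAN_DEFAULT_M"):
    """Ignore how access was granted; keep user -> objects held with `role`."""
    access = defaultdict(set)
    for _type, user, obj, row_role, _class, _group, _rank in rows:
        if row_role == role:  # direct, class and group grants all count
            access[user].add(obj)
    return dict(access)

def vertical_review(access):
    """'Silo' view: object -> sorted list of users who can maintain it."""
    by_object = defaultdict(list)
    for user in sorted(access):
        for obj in access[user]:
            by_object[obj].append(user)
    return dict(by_object)

def horizontal_review(access, conflicts=CONFLICTS):
    """Cross-object view: (user, form1, form2) for every conflicting pair held."""
    return sorted((user, f1, f2) for user, objs in access.items()
                  for f1, f2 in conflicts if f1 in objs and f2 in objs)

if __name__ == "__main__":
    acc = effective_access(ROWS)
    print(vertical_review(acc), horizontal_review(acc), sep="\n")
```

In the sample data JSMITH holds FOAUAPP only with the query role, so the maintenance-focused review does not flag that user, while JDOE is flagged through a direct grant that a class-based review would miss.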
The Results
What’s Next?
The Results
• We have used our tool so far for 2 universities
• Met with Management, and IT
• Agreed that their process was inadequate
• Agreed to implement changes to make their reviews more efficient and effective
– Eliminating unused module access
– Reviewing by object, not class
– Training business owners on proper reviewing
– Increasing accountability, formalizing process
Banner Audit Tool Demonstration
• Here is what it looks like:
Q & A
Karen Helderman
Kyle Webb