1 / 0

Auditing Banner

Auditing Banner. Karen Helderman Kyle Webb October 3, 2013. What is Banner. Commercially available administrative application suite for higher education institutions.

kamil
Télécharger la présentation

Auditing Banner

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Auditing Banner

    Karen Helderman Kyle Webb October 3, 2013
  2. What is Banner Commercially available administrative application suite for higher education institutions. Similar to PeopleSoft and Oracle e-Business Suite, but specifically designed for higher education. It includes higher education specific modules such as financial aid.
  3. Banner Features Dozens of modules Hundreds of screens (forms) per module Obtaining a user manual is difficult Training for auditors is non-existent Like PeopleSoft or Oracles, identifying key application controls requires extensive reading and walk-throughs.
  4. Key Internal Controls Auditing Standards requires the auditor to identify the key internal controls used by the university to ensure that: 1. Assets and liabilities exist and transactions actually occurred. 2. Transactions that should have been recorded are actually recorded. 3. Transactions are recorded at the proper amount. 4. Transactions are in the correct accounting period. 5. Transactions are recorded in the proper account.
  5. Key Internal Controls Banner is delivered with many internal controls and the auditor may request Internet Native Banner (INB) access to review screens (called “forms”) and understand how the university is using Banner features.
  6. Examples Management defines the accounting period within Banner and system automatically assigns transactions to the proper accounting period (Key Internal Control 4) Management loads the Board of Visitor approved rates into Banner and the system automatically charges the student each semester based on student criteria and registration info (Key Internal Controls 3&5)
  7. Disclaimer The non-use of Banner functionality does not mean the University does not have internal controls, but rather that the controls may exist outside of Banner (i.e. manual or in another system). When the auditor finds Banner functionality not being used, the auditor will ensure he/she understands internal controls over the alternative process.
  8. Banner Finance FTMCOAS (Chart of Accounts Code Maintenance Form) – auditor may examine to understand what accounts may have been added or changed since prior period. The auditor may review COA mapping for new and altered accounts.
  9. FTMCOAS
  10. Banner Finance FTMRUCL (Rules Maintenance Form) – auditor may examine to understand if any new rules have been added to Banner and inquire as to why.
  11. Banner Finance FTMFSYR (Fiscal Year Maintenance Form) – examined to determine that the proper fiscal year period is defined.
  12. Banner Finance FOASYSC (System Control Maintenance Form) – examined to determine approval processing, bypass, explicit, implicit for various document types; to see whether Non-Sufficient Funds (NSF) checking is used, and whether procurement document matching occurs in Banner.
  13. Banner Finance FGAENCB (Encumbrance/Reservation Maintenance Form) – this form allows the university to encumber funds outside of the purchasing process. This form also allows the university to turn off NSF checking for these items. Auditor will check to see if this is occurring because this would override the previous control (FOASYSC) if management chose to require NSF checking.
  14. Banner Finance FTMCARD (Purchase Card Maintenance Form) – auditor will look to verify that purchase card numbers are not stored in this form.
  15. Banner Finance FAICARD (Purchase Card Query Form) this query displays purchase card numbers if they are stored in FTMCARD. If so, access should be limited.
  16. Banner Finance FOMPROF (User Profile Maintenance Form) – auditor is concerned with who has access to this form because they can change user profiles. In this form the administrator can also set up flags to ensure compliance with university policy. For example, they can allow NSF override authority, invoice overage tolerances, receiving overrides and tolerances, etc.
  17. Banner Finance FAARUIV (Recurring Payables Form) – auditor will establish whether the university uses the feature which can create efficiencies in areas such as lease or rent payments.
  18. Banner Finance FGIJVCD (List of Suspended Journal Voucher Form) – auditor may use this online query to search for pending journal vouchers that did not post properly before year end and propose adjusting journal entries if material.
  19. Banner Finance FGRTBEX (Trial Balance Exception Report) – auditor may ask if management is running this report to identify out-of-balance conditions.
  20. Banner Finance FGRTRNR (Transaction Error Report) – auditor may discuss this report with management and how frequently it is run, the types of errors typically discovered, and how the errors are resolved.
  21. Banner Finance FAIIREC (Receiving/Matching Status Query Form) – the auditor may run this query to consider the quantity and age of invoices awaiting receipt of goods. Could assist in identifying AP’s that need accrual because goods were actually received by financial statement date but just not noted in the system timely.
  22. Banner Finance FTMVEND (Vendor Maintenance Form) – auditor will examine who has modify access to this form since these individuals can add vendors and change vendor information such as mailing address.
  23. Banner Finance FMTSHIP (Ship to Address Maintenance Form) – concerned about access as user can add inappropriate shipping address. Auditor can review address to ensure they appear reasonable for the campus locations or set up data match to employee addresses in the payroll system.
  24. Banner Finance FPARCVD (Receiving Goods Form) – using receiving within Banner ensures the three way match will work properly. Access to this form should be to appropriate users.
  25. Banner Finance FAAPAYC (Payment Control Form) – users with access to this form can remove AP holds on invoices, thereby overriding system controls.
  26. Banner Student SOATERM (Term Control Form) – auditor will use this form to understand the term days and also when fee assessment occurred.
  27. Banner Student SFARGFE (Registration Fee Assessment Rules Form) – auditor will review that tuition and fee rates per term agree to approved rates. Auditor will also look for limited update access to this form.
  28. Banner Student SLALMFE (Room/Meal/Phone Rate Code Rules Form) – auditor may determine if rates agree to approved rates. Auditor may also ask about third party systems that handle housing and meal plans.
  29. Banner Student SOAHOLD (Hold Information Form) – auditor will be interested in access to this form since users can manually release holds.
  30. Banner Student SFARFND (Registration Fee Assessment Refund by Total Rules Form) – auditor may examine access to this form since users can modify rules regarding how student refunds are handled.
  31. Efficiency Recommendations After the auditor understands how the university is using Banner, the auditor may make recommendations to use Banner functionality in lieu of other processes to improve efficiency. Examples include: Use Fixed Asset Module rather than a separate system Use recurring AP feature for leases Consider using Banner workflow/approvals Use encumbrance feature rather than manual budget checking. Use three way match feature rather than matching paper invoices, receiving reports and purchase orders
  32. Review of User Access After understanding modules and processes used by the University, we will typically perform a user access review We prefer that the University perform this review and we verify their control is working properly; however, a typical annual user access review is inadequate. Managers usually receive a listing of staff having access to their system and perhaps their role
  33. Review of User Access To be thorough, Managers need comprehensive information about their staff including roles granted in other departments and the forms they can access by virtue of their role. Also indirect access may compromise “roles” Our review slices and dices users, roles, and forms in many ways.
  34. User Access Reviews
  35. Review of User Access Gain an understanding of the modules in use How does the University use Banner? How does University review user access? Is the review adequate and reasonable? Development of Audit Tool
  36. Gain an Understanding of Modules in Use What modules has the University purchased? Many schools don’t use all modules Payroll Fixed Assets Human Resources For purpose of reviews, all access to unused modules is likely irrelevant Access granted to unused modules Evidence of control environment Makes management’s review more difficult
  37. How does the University use Banner? What actions in Banner are critical? Journal Entries Approvals Purchases Holds Does the university rely on Banner approval controls? Supported or replaced by hardcopy? What are the controls external to Banner? Once critical processes are determined, then you can review access to those processes
  38. How does the University Review Access? Is there a regular review of access? Is it performed by competent data owners? Is it sufficient?
  39. Is the review sufficient? Do you speak Banner? Here’s a quick overview….
  40. Naming Convention FGAJVCQ Position 1 Identifies the Banner system owning the form, report, process or table Position 2 Identifies the module owning the form, report, process or table Position 3 Identifies the type of form, report, process or table Position 4 Identifies a unique four-character code for the form, report, process or table
  41. Roles BAN_DEFAULT_M Maintenance or “Update” access This is the focus of the review BAN_DEFAULT_Q Read-only access Be aware of sensitive information
  42. Understanding the Hierarchy of Access Great News! The Heirarchy doesn’t matter!
  43. Is the University’s review adequate? All that matters is User, Role, and Object(Screen) User = Who? (JDSMITH) Role = Maintenance vs. Query (BAN_DEFAULT_M) Object = What process or action (SFARGFE) Everything else is for efficiency in granting access, not reviewing
  44. Is the University’s review adequate? Common Problems There is no formalized review Review is Infrequent (Once every year or 2 years) Review is limited to Users by Class JSMITH has the AR_SUPERVISOR Class. JSMITH is a supervisor in Accounts Receivable, Review done. Fails to consider conflicting screens within class, or across classes, or reasonableness of access within class Also doesn’t consider “Direct” Access This is why class/group style reviews are ineffective The “Class” has no meaning
  45. So What do we do? Obtain the GUVUACC table view from Banner (This is a view of the GURUACC Table) It should contain the following fields: TYPE USER OBJECT ROLE CLASS GROUP RANK It can be a big table = 200k to 1mil records.
  46. So What do we do? Develop a Banner Form “Information Table” for Critical Roles. Create Conflict Matrix for known segregation of duties problems. Then Import all 3 tables into Access
  47. Develop Table of Critical Roles (Example) Banner Form (FTMVEND) Form Name (Vendor Maintenance Form) Description (Use this form to add, change, or terminate vendor information) Audit Consideration (Access to this form should be limited to the accounts payable staff)
  48. Banner Tool Allows Vertical “Silo” Review Is this access reasonable for the employee? Is the number of people with access to this Object reasonable?
  49. Banner Tool Allows for Horizontal (Cross-object) review for conflicts
  50. The Results What’s Next?
  51. The Results We have used our tool so far for 2 universities Met with Management, and IT Agreed that their process was inadequate Agreed to implement changes to make their reviews more efficient and effective Eliminating unused module access Reviewing by object, not class Training business owners on proper reviewing Increasing accountability, formalizing process
  52. Banner Audit Tool Demonstration Here is what it looks like:
  53. Q & A Karen Helderman karen.helderman@apa.virginia.gov Kyle Webb kyle.webb@apa.virginia.gov
More Related