University System of Maryland University of Maryland, Baltimore

(1)

Audit Report

University System of Maryland

University of Maryland, Baltimore

(2)

• This report and any related follow-up correspondence are available to the public. Alternate formats may also be requested by contacting the Office of Legislative Audits as indicated at the bottom of the next page or through the Maryland Relay Service at 1-800-735-2258.

• Please address specific inquiries regarding this report to the Audit Manager listed on the inside back cover by telephone at (410) 946-5900.

• Electronic copies of our audit reports can be viewed or downloaded from the Internet via http://www.ola.state.md.us.

• The Department of Legislative Services – Office of the Executive Director, 90 State Circle, Annapolis, Maryland 21401 can also assist you in obtaining copies of our reports and related correspondence. The Department may be contacted by telephone at (410) 946-5400 or (301) 970-5400.

(3)

November 13, 2003

Delegate Van T. Mitchell, Co-Chair, Joint Audit Committee Senator Nathaniel J. McFadden, Co-Chair, Joint Audit Committee Members of Joint Audit Committee

Annapolis, Maryland Ladies and Gentlemen:

We have audited the University System of Maryland - University of Maryland, Baltimore (UMB) for the period beginning July 1, 2000 and ending November 30, 2002.

Our audit disclosed that UMB did not receive contractual payments due from the University of Maryland Medical System Corporation and a component hospital in a timely manner and did not assess late payment fees totaling approximately

$260,000 allowed by the contracts. Similar conditions have been commented upon in our audit reports since 1988.

Further, we noted certain deficiencies related to Cigarette Restitution Fund grants. Our audit also disclosed internal control and recordkeeping deficiencies in a

number of significant areas including checking account reconciliations, cash receipts, working fund disbursements, information systems security, student grades, and payroll. We also noted that UMB could not substantiate that amounts due the Medical School Enrichment Fund from the professional associations participating in the Medical Service Plan had been independently verified.

Respectfully submitted,

Bruce A. Myers, CPA Legislative Auditor

(4)

(5)

Executive Summary

Legislative Audit Report on the University of Maryland, Baltimore (UMB)

November 2003

• UMB did not receive timely contractual payments due from the

University of Maryland Medical System Corporation and a component hospital. Furthermore, UMB did not assess related penalty fees totaling $260,000.

UMB should monitor the receipt of payments due from the Corporation and component hospital and when payments are untimely, assess and collect the related late payment fees.

• Certain deficiencies were identified related to grant funds from the Cigarette Restitution Fund (CRF).

UMB should comply with all provisions of the CRF grant agreement.

• UMB did not reconcile a checking account in a timely manner and could not support certain items included in the reconciliations.

UMB should reconcile all checking accounts monthly and maintain documentation to support items included in the reconciliations.

• UMB had not established sufficient controls over certain cash receipts. Specifically, verifications were not performed timely to ensure that all receipts collected by the central cashier were deposited. In addition, no such verifications were performed for student dental clinic receipts.

UMB should verify timely that all recorded cash receipts were deposited. • Controls had not been established to adequately secure UMB’s

information systems. For example, controls over the Student Information Management Information System’s user accounts, passwords, program changes, and security reports need improvement.

UMB should establish controls to provide adequate security over its information systems.

(8)

• Other control and record keeping deficiencies were noted in the areas of working fund, student grades, and payroll.

UMB should take the recommended actions to improve controls and record keeping in these areas.

• UMB could not substantiate that amounts due to the Medical School Enrichment Fund from professional associations participating in the Medical Service Plan had been verified by independent auditors.

UMB should obtain and review the reports prepared by the associations’ independent auditors annually to help ensure that all required contributions are made to the Medical School Enrichment Fund.

(9)

Background Information

Agency Responsibilities

The University of Maryland, Baltimore (UMB) provides professional and graduate level instruction through its schools of Dentistry, Law, Medicine, Nursing,

Pharmacy, and Social Work. Students enrolled at UMB who receive instruction in health care professions obtain clinical experience at various health care facilities. The largest of these facilities is the University of Maryland Hospital which is a component of the University of Maryland Medical Systems Corporation. In addition to their duties at UMB, certain faculty members provide services to the Corporation and also maintain private medical practices with professional associations.

Current Status of Findings From Preceding Audit Report

We reviewed the current status of the six fiscal/compliance findings from our preceding audit report dated April 24, 2001. We determined that UMB satisfactorily addressed two of these findings. The remaining four findings are repeated in this report. In response to that report, the University System of Maryland, on behalf of UMB, generally agreed to comply with our

(10)

(11)

Findings and Recommendations

Contracts with University of Maryland Medical System

Corporation

Finding 1

Contractual payments due from the Corporation were not received in a timely manner, and UMB did not assess approximately $260,000 in associated late payment fees.

Analysis

UMB did not obtain contractual payments due from the University of Maryland Medical System Corporation in a timely manner. In addition, UMB frequently failed to assess late payment fees as permitted under the terms of these contracts. The contract provided that UMB was to be reimbursed for administrative, faculty and physician services provided to the Corporation. Specifically, our review disclosed the following issues:

• Our test of 58 payments received from the Corporation during fiscal years 2001, 2002 and 2003 disclosed that 54 payments totaling approximately $68 million were received after the applicable due dates. Moreover, UMB did not assess related late payment fees totaling approximately $106,000. • All quarterly payments due from the component hospital during fiscal years

2001 and 2002 were received late. These payments, which totaled

approximately $3.3 million, were received from 242 days to 332 days after the required due dates. Related late payment fees totaling approximately $154,000 were not assessed by UMB.

• UMB did not recover from the component hospital late payment fees totaling approximately $103,000 applicable to fiscal years 1999 and 2000 which were identified during our preceding audit.

According to its records, UMB’s net revenues from the contracts with the

Corporation and the component hospital totaled approximately $36 million during fiscal year 2002. Similar conditions regarding the timeliness of related payments and the assessment of late fees have been commented upon in our five preceding audit reports dating back to 1988. In response to our preceding report, the University System of Maryland, on behalf of UMB, stated that representatives

(12)

from UMB and the Corporation would meet to discuss the issue of prompt payment of invoices and the related late payment fees. Further, the response indicated that UMB would pursue the collection of prior year’s penalty fees from the Corporation and would determine whether the collection of late fees from the component hospital was appropriate.

Recommendation 1

We again recommend that UMB monitor the receipt of payments related to these contracts, and assess related penalties when payments from the

Corporation and component hospital are untimely. We also again recommend that UMB assess and take appropriate action to collect the aforementioned late payment fees from the Corporation and component hospital.

Cigarette Restitution Fund Grant

Finding 2

Certain deficiencies were identified related to Cigarette Restitution Fund (CRF) grants applicable to fiscal years 2002 and 2003.

Analysis

Our review of Cigarette Restitution Fund grant funds applicable to fiscal years 2002 and 2003 disclosed certain deficiencies. Specifically, we noted the following conditions:

• During April 2003, UMB requested and received CRF grant funds totaling approximately $870,000 applicable to the quarter ended March 31, 2003 although the related costs had not been incurred. As of August 15, 2003, UMB had only expended approximately $120,000 of the aforementioned $870,000. Although we were advised by the grantor agency (Department of Health and Mental Hygiene- DHMH) that its policies permitted grantees to request and receive grant funds on an advance basis under certain circumstances provided that the grantees exercised prudent cash

management practices, the related award agreements provided that UMB would receive these funds on a cost-reimbursable basis (that is, after the expenditures had been incurred).

• A DHMH audit report dated June 24, 2003 recommended that costs totaling $977,305 claimed by UMB applicable to its fiscal year 2001 CRF grant awards be disallowed. The majority of these costs were considered

(13)

by the auditor to lack adequate supporting documentation. In its response dated July 24, 2003 to that report, UMB advised DHMH that it intended to appeal the recommendation that certain claimed costs totaling $881,803 be disallowed. As of October 16, 2003, UMB had not appealed the remaining costs ($95,502) recommended for disallowance, nor had DHMH rendered a decision regarding the amount that was appealed by UMB.

• During the course of our review, it also came to our attention that UMB charged payments totaling $4,500 against its CRF grant award funds for the purchase of tickets for regional sporting events and/or related dining services. We were advised by UMB management that these tickets were intended to be used to encourage persons to participate in oral cancer screenings. Although we were advised by DHMH management that these expenditures were an acceptable use of CRF grant funds, the grant

documents did not specifically authorize UMB to use the grant funds to purchase tickets for sporting-related events. Furthermore, UMB could not document to whom these tickets had been issued or that the tickets were used as intended.

Beginning in fiscal year 2001, the University of Maryland School of Medicine, working collaboratively with the University of Maryland Medical System and University of Maryland Medical Group, received grant funds from the Cigarette Restitution Fund administered by the Department of Health and Mental Hygiene. During fiscal years 2001, 2002 and 2003, the School of Medicine received CRF grant funds totaling $34,294,831 for the primary purpose of conducting cancer research and research on tobacco-related illnesses other than cancer (such as cardiovascular disease).

We recommend UMB comply with all provisions of the CRF grant

agreement. Specifically, we recommend that UMB clarify with DHMH how CRF grant funds are to be received under the applicable grant agreements and exercise prudent grant cash management practices. We also

recommend UMB resolve the aforementioned audit findings and restrict its use of CRF grant funds to those costs specifically authorized in the grant agreements. Furthermore, we recommend UMB investigate the use of the aforementioned tickets and refund DHMH for any funds related to tickets which were not used for authorized purposes. In addition, we recommend that UMB maintain adequate supporting documentation to substantiate all charges made against its CRF grant funds.

(14)

Finding 3

A checking account used to process student loan disbursements was not reconciled in a timely manner.

Analysis

UMB did not reconcile in a timely manner a checking account used to process student loan disbursement transactions. Specifically, the account reconciliations for the months of January 2002 through November 2002 were not prepared until January 2003 (after we requested to review the reconciliations). In addition, the reconciliation for December 2002 included a number of unsupported reconciling items totaling approximately $219,000. We were advised by the supervisor responsible for approving the reconciliation that one unsupported item totaling $196,507 was included for the specific purpose of balancing the reconciliation. Moreover, none of these monthly account reconciliations were reviewed and approved by supervisory personnel.

This checking account received electronic fund transfers of student loan funds from Federal student loan agencies. UMB subsequently issued checks from the account to pay related student tuition and fees. According to UMB’s records, calendar year 2002 disbursements made from this account totaled approximately $56 million.

We recommend that UMB reconcile this checking account and resolve all differences in a timely manner. We also recommend that completed reconciliations be reviewed and approved by independent supervisory personnel. We further recommend that the reconciliation and subsequent independent review be adequately documented and retained for future reference.

(15)

Cash Receipts

Finding 4

Controls over cash receipts were inadequate. Analysis

UMB lacked adequate controls over cash receipts. Specifically, we noted the following control deficiencies:

• The deposit of cash receipts collected and recorded by the central cashiering office was not verified in a timely manner. Our test of 39 deposits made during fiscal years 2002 and 2003 totaling approximately $16.2 million disclosed that for 35 of these deposits totaling $14.5 million the required verifications were not performed for periods which ranged from 11 to 74 days. According to its records, during fiscal year 2002 UMB collected cash receipts (excluding lockbox remittances) totaling approximately $163 million.

• No verifications were performed to ensure that recorded cash receipts collected by UMB’s student dental clinics were deposited. According to UMB’s records, fiscal year 2002 dental clinic cash receipts totaled approximately $4.6 million. This condition was commented upon in our two preceding audit reports.

We again recommend that employees independent of UMB’s cash receipts functions verify daily that all recorded cash receipts were deposited.

Working Fund

Finding 5

Certain employees had excessive control over the account. Analysis

Both the fund custodian and responsible supervisor had excessive control over UMB’s working fund checking account. Specifically, the fund custodian had access to blank checks, operated the automated system used to print and sign checks, and routinely prepared all critical documents required to reimburse the account. In addition, there was no independent review of the propriety of account

(16)

disbursements. Furthermore, the responsible supervisor who prepared the monthly account reconciliation and fund composition had access to blank checks, processed disbursements, and also verified the numerical continuity of checks used. Similar conditions were commented upon in our preceding audit report.

UMB maintained a working fund checking account to process various types of disbursements including, for example, financial aid settlements and travel expenses. According to UMB’s records, calendar year 2002 working fund disbursements totaled approximately $10.5 million.

We again recommend that independent supervisory personnel review

documentation supporting fund disbursements for propriety prior to checks being issued and also verify the numerical continuity of checks used. We also again recommend that these verification procedures be documented for future reference. We advised UMB how to accomplish the necessary separation of duties using existing personnel.

Information Systems Security and Control

Background

The Center for Information Technology Services (CITS) provides campus-level information technology support to UMB and the associated professional schools by developing and maintaining campus-wide administrative applications, such as the Student Information Management System (SIMS) and the Financial

Accounting System (FAS).

CITS also operates UMB’s core network, which is used for both administrative and academic purposes. The network has Internet and dial-up connectivity, connections to the various University System of Maryland institutions and

connections with the computer networks of several affiliated entities (for example, the University of Maryland Medical System). Although not reviewed during our audit, UMB’s professional schools support their own local processing needs.

(17)

Finding 6

UMB’s internal computer network was not adequately secured. Analysis

Adequate security measures had not been established to protect several portions of UMB’s internal network.

• UMB’s main firewall operating software was not the most current version available, and therefore did not contain the most up-to-date security features. Also, firewall rules were not configured to adequately secure connections between UMB’s internal network and the Internet. Additionally, while we were advised that the firewall’s log files were regularly reviewed, these reviews were not documented.

• A critical network device was not configured to adequately restrict traffic flowing to and from network servers running critical administrative systems.

• Remote dial-up access to the internal network represented a security vulnerability because the network device controlling the remote dial up was not properly configured.

• Key web servers were not protected from both internal and external exposures. For example, web servers for both UMB’s main website and a student information website were placed inside the campus network rather than being placed into a separate zone outside the internal network to minimize security risks.

We made detailed recommendations to UMB which, if implemented, should provide for adequate security over the described network components.

(18)

Finding 7

Controls over the Student Information Management System’s (SIMS) user accounts, passwords, program changes and security reports need

improvement.

Analysis

Our review disclosed that controls over SIMS’s user accounts, passwords, program changes and security event reporting need improvement.

• User account and password policies were not adequate. For example, minimum password lengths were set to only one character, passwords never expired and accounts were not disabled after several invalid logon attempts. Furthermore, we noted numerous active SIMS operating system accounts which had not been used since January 1, 2002.

• Program change control procedures did not include a review of differences between modified and original versions of computer programs or a review of key portions of source code for newly developed programs. A similar condition was commented upon in our preceding audit report.

• UMB did not use SIMS’s security capabilities which allowed for logging of direct changes to database tables (for example, student account balances), or logging the use of privileged database accounts. Also, we were advised that infrequent and undocumented reviews were made of operating system log files (which could include entries related to use of privileged system accounts or failed access attempts).

SIMS includes a database for student admissions, registration, student accounts receivable, financial aid and student grades. SIMS uses a combination of application, database and operating system security software to provide security over critical data. According to its records, as of December 31, 2002, UMB’s student accounts receivables totaled approximately $26 million.

We made detailed recommendations to UMB which, if implemented, should provide for adequate security over SIMS’s user accounts, passwords,

(19)

Finding 8

UMB’s information systems disaster recovery plan needed certain improvements.

Analysis

UMB’s information systems disaster recovery plan did not address recovery procedures for key network devices and restoration of campus network

connectivity in the event of a disaster. In addition, backup copies of SIMS data and program files were stored in a building connected to the building housing UMB’s computer room. In the event of a major disaster (for example, a fire) both buildings could be rendered inaccessible for a prolonged period of time. These issues are addressed in the IT Disaster Recovery Guidelines recently published by the Department of Budget and Management.

Without a complete disaster recovery plan, a disaster could cause significant delays (for an undetermined period of time) in restoring operations above and beyond the expected delays that would exist on a planned recovery scenario.

We recommend that UMB follow the guidance provided in the

aforementioned IT Disaster Recovery Guidelines, with respect to network devices, network connectivity and backup of critical system files.

Verification of Student Grades

Finding 9

Changes to student grades were not verified. Analysis

Independent verifications of changes to student grades recorded in UMB’s computer system were not performed. In this regard, UMB did not generate output reports of changes made to existing student grades needed to perform this verification. As a result, unauthorized modifications could be made to student grades without detection. According to a report generated by UMB at our request, approximately 7,400 grade changes were processed during the 21-month period which ended on November 30, 2002.

(20)

We recommend that output reports of changes to recorded student grades be generated and verified to the related source documents by employees

independent of UMB’s student grade change processing functions. We further recommend that this verification be adequately documented and retained for future reference.

Payroll

Finding 10

Controls over the payrolls for certain departments were not adequate. Analysis

The payrolls for several departments were not adequately controlled. Specifically, in 5 of 10 departments reviewed related duties were not properly separated. In each of these 5 departments, for which payroll expenditures totaled approximately $31.6 million during fiscal year 2002, the employee who delivered the approved payroll certification journal to UMB’s central payroll office for paycheck processing also had access to the related payroll checks. These employees also verified the accuracy of the payroll checks prior to distribution. According to its records, UMB’s payroll expenditures for fiscal year 2002 totaled approximately $295 million.

We recommend that employees who have access to approved payroll certification journals be denied access to the related payroll checks.

Medical Service Plan

Finding 11

UMB could not substantiate that amounts due the Medical School Enrichment Fund (MSEF) were verified by independent auditors. Analysis

UMB could not substantiate that amounts due to MSEF from the professional associations participating in the Medical Service Plan were verified by the associations’ independent auditors for fiscal years 2001 and 2002. Specifically, UMB did not receive the independent auditor’s reports regarding certain agreed

(21)

upon procedures to verify the amounts due to MSEF. In addition, although UMB did receive the associations’ annual audited financial statements, it could not document that it had reviewed the statements and reconciled certain amounts identified in the statements with contributions made to MSEF.

The Medical Service Plan provides for faculty members of the School of Medicine to establish professional associations to engage in private medical practices within UMB and at affiliated hospitals and other specified locations. The Plan also provides for the establishment of University Physicians, Inc. (UPI), a non-profit corporation, to coordinate the activities of the various associations operated under the Plan. As of June 30, 2002, there were 20 such associations which were

generally established along departmental specialties (for example, neurology). The Plan and related agreement specify financial and operational arrangements between the School of Medicine, UPI, and the participating professional associations. For example, 7.5% of the gross income of each professional association is to be contributed to MSEF for the operation of the School of Medicine. The funds contributed to MSEF may be transferred to UMB, or held and disbursed by UPI on behalf of the School. According to the School’s records, UPI collected approximately $9.4 million from the associations applicable to MSEF and transferred approximately $1.8 million to UMB on behalf of the School during fiscal year 2002.

We recommend that UMB obtain and review annually independent auditors’ reports to ensure that each participating professional association has made all financial contributions required by the Medical Service Plan and related agreement. We also recommend that UMB annually perform reconciliations to ensure that all contributions made can be accounted for as being either on deposit with or disbursed by UPI on behalf of the School of Medicine, or transferred to UMB. In addition, we recommend that UMB maintain documentation to substantiate the completion of the reconciliations and the reviews of the associations’ annual audited financial statements.

(22)

(23)

Audit Scope, Objectives and Methodology

We have audited the University System of Maryland - University of Maryland, Baltimore (UMB) for the period beginning July 1, 2000 and ending November 30, 2002. The audit was conducted in accordance with generally accepted

government auditing standards.

As prescribed by the State Government Article, Section 2-1221 of the Annotated Code of Maryland, the objectives of this audit were to examine UMB’s financial transactions, records and internal control, and to evaluate its compliance with applicable State laws, rules and regulations. Our audit included a review of

UMB’s responsibilities under a contract with the Department of Health and Mental Hygiene for providing certain support services to the Maryland Psychiatric

Research Center. We also determined the status of the findings contained in our preceding audit report.

In planning and conducting our audit, we focused on the major financial related areas of operations based on assessments of materiality and risk. Our audit procedures included inquiries of appropriate personnel, inspection of documents and records, and observation of UMB’s operations. We also tested transactions and performed other auditing procedures that we considered necessary to achieve our objectives. Data provided in this report for background or informational purposes were deemed reasonable, but were not independently verified. Our audit did not include certain support services provided to UMB by other components of the University System of Maryland, such as endowment fund accounting and bond financing. These support services are included within the scope of our audits of the component units. In addition, our audit did not include the activities of the School of Nursing’s Governor’s Wellmobile Program for the period under audit because a separate report dated January 24, 2003 was issued on the Program. Finally, we did not audit UMB’s Federal financial assistance

programs for compliance with Federal laws and regulations because the State of Maryland engages an independent accounting firm to annually audit such programs administered by State agencies, including the components of the University System of Maryland.

UMB’s management is responsible for establishing and maintaining effective internal control. Internal control is a process designed to provide reasonable assurance that objectives pertaining to the reliability of financial records,

(24)

effectiveness and efficiency of operations including safeguarding of assets, and compliance with applicable laws, rules and regulations are achieved.

Because of inherent limitations in internal control, errors or fraud may nevertheless occur and not be detected. In addition, projections of any evaluation of internal control to future periods are subject to the risk that conditions may change or compliance with policies and procedures may deteriorate.

Our reports are designed to assist the Maryland General Assembly in exercising its legislative oversight function and to provide constructive recommendations for improving State operations. As a result, our reports generally do not address activities we reviewed that are functioning properly.

This report includes findings relating to conditions that we consider significant deficiencies in the design or operation of internal control that could adversely affect UMB’s ability to maintain reliable financial records, operate effectively and efficiently and/or comply with applicable laws, rules and regulations. Our report also includes findings regarding significant instances of noncompliance with applicable laws, rules or regulations.

The response from the University System of Maryland, on behalf of UMB, to our findings and recommendations is included as an appendix to this report. As

prescribed in the State Government Article, Section 2-1224 of the Annotated Code of Maryland, we will advise the System regarding the results of our review of its response.

(25)

(26)

RESPONSE TO THE LEGISLATIVE AUDIT REPORT UNIVERSITY SYSTEM OF MARYLAND

UNIVERSITY OF MARYLAND, BALTIMORE OCTOBER 2003 REPORT

Contracts with University of Maryland Medical System Corporation

We again recommend that UMB monitor the receipt of payments related to these contracts, and assess related penalties when payments from the Corporation and component hospital are untimely. We also again recommend that UMB assess and take appropriate action to collect the aforementioned late payment fees from the Corporation and component hospital.

Response 1

Most payments at issue were received 3 to 5 business days after the due date. We have

informally extended a grace period to UMMS for the support it provides to the Medical School. We will put a clause for a grace period in future contracts. The University will continue to meet with the UMMS and stress the issue concerning timely payments. We will pursue collecting the outstanding late payment fees cited by the auditor.

The component hospital is not part of the University of Maryland Medical Hospital Corporation. The University will work with the School of Medicine to pursue the collection of late payment fees from the component hospital for Fiscal Years 2001 and 2002. In regard to Fiscal Years 1999 and 2000, the contracts were signed after the contract period was over, therefore, we will

not pursue collection.

Finding 1

Contractual payments due from the Corporation were not received in a timely manner, and UMB did not assess approximately $260,000 in associated late payment fees.

(27)

Cigarette Restitution Fund Grant

We recommend UMB comply with all provisions of the CRF grant agreement. Specifically, we recommend that UMB clarify with DHMH how CRF grant funds are to be received under the applicable grant agreements and exercise prudent grant cash management

practices. We also recommend UMB resolve the aforementioned audit findings and restrict its use of CRF grant funds to those costs specifically authorized in the grant agreements. Furthermore, we recommend UMB investigate the use of the aforementioned tickets and refund DHMH for any funds related to tickets which were not used for authorized purposes. In addition, we recommend that UMB maintain adequate supporting documentation to substantiate all charges made against its CRF grant funds.

Response 2

• The $871,232 represents projects that were approved as sub-awards within the

University. Beginning in FY 2002, separate accounts are maintained for Cigarette Restitution Fund (CRF) projects to document project expenses. The payment of grant funds for Field Outreach Projects to separate accounts takes place once a project is approved. Currently, the process is to transfer the project monies to a separate project account as soon as the project commences and the account is established. In each case there is a formal signed agreement committing these funds. University staff worked with the staff of the Department of Health and Mental Hygiene (DHMH) to clarify the issues raised and to develop a process addressing the Department’s and the Legislative

Auditor’s concerns. The Department has shared with the University a response to the Legislative Auditor’s comments regarding grant advances which provides guidance on how these payments should be handled. The University believes that the

recommendation to “advance funds to sub-recipients prudently and periodically” has clarified the process. Prior to issuing future projects, the process of awarding projects, issuing sub-accounts for each project and transferring monies to the new account will be reviewed and modified as appropriate.

Finding 2

Certain deficiencies were identified related to Cigarette Restitution Fund (CRF) grants applicable to fiscal years 2002 and 2003.

(28)

Response 2 (cont.)

• Of the $977,000 that DHMH has disallowed for the FY 2001 award, the University is

appealing $910,082. $613,232 was used to support Field Outreach Projects conducted by University faculty who were awarded the funds through a competitive process. Research findings from the Community Field Outreach Projects were presented at a

Scientific Forum,held on April 10-11, 2003 and final reports (excluding protected

research data) were provided to DHMH. Because the FY 2001 projects have been completed and reported upon, we do not concur with the auditor’s recommendation that the $613,232 be returned. This is being appealed. $36,850 was disallowed by DHMH because of no supporting documentation. It was provided to DHMH at our exit

conference on January 28, 2003. We have again, appealed this disallowance in a letter dated July 24, 2003. $260,000 relates to a change order to the Bressler Research Building Renovation Project. This change order brought the total project amount to $480,000. The University provided documentation to DHMH on July 24, 2003 that supports the total actual cost of the project in the amount of $462,971. Accordingly, this would reduce the audit adjustment from $260,000 to $17,029. The University, along with UMMS will settle with DHMH pending the final outcome of the appeals currently filed.

• The University believes that the purchase of the baseball tickets in question was an

authorized use of grant funds and the tickets were used for their authorized purpose. The Maryland Statewide Health Network (MSHN) participated in an oral cancer campaign with the Delmarva Shorebirds and the Hagerstown Suns baseball teams to promote oral cancer screenings and to discourage the use of smokeless tobacco. The MSHN received 500 tickets for Hagerstown Suns games and 100 restaurant level tickets for a Delmarva Shorebirds game. In both cases, the distribution of tickets was tied to participation in oral cancer screenings. To maintain confidentiality, names and/or signatures of individuals participating in programs are not collected due to regulations that prohibit the collection of names unless prior approval is obtained.

• The University believes that the expenses associated with the purchase of these baseball

tickets are authorized under the MSHN grant budget. Specifically, the MSHN FY 2002 Budget Modification Narrative included a section describing Field Support/Regional Office Operations and Programs. The narrative for this section states: “To better address the local communities, each regional office has developed programs, requested by local organizations and communities, targeted to effectively reach the diverse

(29)

populations of each region. These activities are in collaboration with local communities and focus on educating the community about the importance of early screening and the prevention and control of cancer and other tobacco related diseases.” In FY 2002, the Western Maryland and Eastern Shore regional offices implemented a series of special

programs, and the baseball activities fell under this area. Therefore the University does

not concur with the auditor’s recommendation that any funds related to the purchase of the baseball tickets be refunded to DHMH.

• However, to address the auditor’s concerns that documentation be maintained in the

future, identifying to whom tickets had been issued and/or that the tickets were used as intended, the University will keep a record of any groups (i.e. the American Cancer Society) to which tickets are provided in conjunction with programmatic or screening activities and the number of tickets provided. In addition, in accordance with federal regulations and University policies, the MSHN will document the number of tickets distributed to individuals, who will be unnamed to protect their privacy.

Checking Account Reconciliations

We recommend that UMB reconcile this checking account and resolve all differences in a timely manner. We also recommend that completed reconciliations be reviewed and approved by independent supervisory personnel. We further recommend that the

reconciliation and subsequent independent review be adequately documented and retained for future reference.

Finding 3

A checking account used to process student loan disbursements was not reconciled in a timely manner.

(30)

Response 3

The University agrees with the auditor’s recommendation. The loan disbursement account reconciliation is now current and will be prepared on a monthly basis in the future. The reconciliation will be reviewed and approved by the supervisor and his initials and date of review will be affixed. We will maintain supporting documentations for all reconciling items and investigate and resolve any unaccounted for difference immediately. In reference to the eight unsupported reconciling items, we have located the supporting documentation and these items were resolved by June 30, 2003.

Cash Receipts

We again recommend that employees independent of UMB’s cash receipts functions verify daily that all recorded cash receipts were deposited.

Response 4

Central Cashier

The University agrees that cash receipts should be verified in a timely manner. Verified cash deposit slips were received from the Bank of America. They were then matched to that day’s deposit. The University was totally dependent upon the bank to send us this information in a timely manner.

It should be noted that the Banking Division of the State Treasurer’s Office recognized this as an issue statewide. They worked with Bank of America to implement a Depository Plus feature, an online system which is now in place. This allows us to view and verify our deposits on a daily basis.

Finding 4

(31)

Student Dental Clinics

The full charge bookkeeper is independent of the cash receipts function. This employee will verify that all recorded student dental clinic cash receipts are deposited.

Payments received by clinic receptionists are initially recorded in our software (currently, Densyst). The Densyst Daily Receipt Ledger figures will be verified by the full charge bookkeeper to the validated deposit tickets faxed to us daily by Bank of America.

Mail payments received by the Business Office are initially recorded in a daily log. The daily log figures will be verified by the full charge bookkeeper to the validated deposit tickets faxed to us daily by Bank of America.

Working Fund

We again recommend that independent supervisory personnel review documentation supporting fund disbursements for propriety prior to checks being issued and also verify the numerical continuity of checks used. We also again recommend that these verification procedures be documented for future reference. We advised UMB how to accomplish the necessary separation of duties using existing personnel.

Response 5

An individual has been reviewing the working fund requests in relation to the Working Fund Policies and Procedures and affixing their initials and date of review. We will make every effort to review all walk-in working fund requests in the same manner as above. An individual will be assigned the task of verifying the numerical continuity of working fund checks used by

maintaining a log, as well as the control of the working fund check stock on the same log. We will revise the Working Fund Policies and Procedures No. 3352 to incorporate the

aforementioned changes as requested. Finding 5

(32)

Information Systems Security and Control

We made detailed recommendations to UMB which, if implemented, should provide for adequate security over the described network components.

Response 6

The University concurs; although, given the nature of our academic environment, the campus firewall is not configured to typical industry accepted standards. The University has a plan to implement securing the internal computer network (as delineated by its academic environment) by June 30, 2004. For further information on our approach, see the ECAR Research Study, Volume 5, 2003, pages 128-129, entitled, Information Technology: Governance, Strategy & Practice in Higher Education.

We made detailed recommendations to UMB which, if implemented, should provide for adequate security over SIMS’s user accounts, passwords, program changes and security reporting.

Response 7

The University concurs. The recommendations will be implemented by June 30, 2004. Finding 6

UMB’s internal computer network was not adequately secured.

Finding 7

Controls over the Student Information Management System’s (SIMS) user accounts, passwords, program changes and security reports need

(33)

We recommend that UMB follow the guidance provided in the aforementioned IT Disaster

Recovery Guidelines, with respect to network devices, network connectivity and backup of

critical system files.

Response 8

The University concurs. The Disaster Recovery Plan will be completed by September 30, 2004. Verifications of Student Grades

We recommend that output reports of changes to recorded student grades be generated and verified to the related source documents by employees independent of UMB’s student grade change processing functions. We further recommend that this verification be adequately documented and retained for future reference.

Response 9

The University concurs. The report was implemented the week of October 27, 2003. Finding 8

UMB’s information systems disaster recovery plan needed certain improvements.

Finding 9

(34)

Payroll

We recommend that employees who have access to approved payroll certification journals be denied access to the related payroll checks.

Response 10

The University no longer uses Payroll Certification Journals for payroll. The entire payroll system was replaced March 23, 2003. The five Departments cited in the audit have been

reviewed for separation of duties within the new system. The Campus has verified that there are

adequate internal controls in place requiring separation of duties for the entire campus.

Medical Service Plan

We recommend that UMB obtain and review annually independent auditors’ reports to ensure that each participating professional association has made all financial contributions required by the Medical Service Plan and related agreement. We also recommend that UMB annually perform reconciliations to ensure that all contributions made can be accounted for as being either on deposit with or disbursed by UPI on behalf of the School of Medicine, or transferred to UMB. In addition, we recommend that UMB maintain documentation to substantiate the completion of the reconciliations and the reviews of the associations’ annual audited financial statements.

Finding 10

Controls over the payrolls for certain departments were not adequate.

Finding 11

UMB could not substantiate that amounts due the Medical School Enrichment Fund (MSEF) were verified by independent auditors.

(35)

Response 11

We are in agreement with the auditor’s recommendation and have already taken corrective action. However, some clarification is in order. Although the special report entitled “Independent Accountants Report on Applying Agreed-Upon Procedures” was just recently completed for FY 2000 and FY 2001, University Physicians, Inc.’s external auditors must accomplish the “agreed-upon procedures” as part of the annual audits of the practice plans. The School of Medicine will ensure that it receives the report “Independent Accountants Report

on Applying Agreed-Upon Procedures” by December 31st of each year. The University will

maintain detailed documentation to substantiate the completion of the Annual Reconciliation of the amounts due the Medical School Enrichment Fund. We will also document the review of the Association’s Annual Audited Financial Statements.

(36)

A

UDIT

T

EAM

Peter J. Klemans, CPA

Audit Manager

Stephen P. Jersey, CPA, CISA

Information Systems Audit Manager

Abdullah I. Adam Catherine M. Easter, CPA Robert W. Lembach, CPA

Senior Auditors

R. Anthony Vaccare, Jr., CPA, CISA Matthew T. Williams, CISA

Information Systems Senior Auditor

Henriette A. Browne Sharon V. Carrington

Lisa M. Pawlowski

University System of Maryland University of Maryland, Baltimore

Audit Report