Maricopa County Community College District report on internal control and compliance 2007 |
Previous | 1 of 6 | Next |
|
This page
All
Subset |
Report on Internal Control and Compliance
A REPORT
TO THE
ARIZONA LEGISLATURE
Maricopa County
Community College
District
Year Ended June 30, 2007
Financial Audit Division
Debra K. Davenport
Auditor General
The Auditor General is appointed by the Joint Legislative Audit Committee, a bipartisan committee composed of five
senators and five representatives. Her mission is to provide independent and impartial information and specific
recommendations to improve the operations of state and local government entities. To this end, she provides financial
audits and accounting services to the State and political subdivisions, investigates possible misuse of public monies, and
conducts performance audits of school districts, state agencies, and the programs they administer.
Copies of the Auditor General’s reports are free.
You may request them by contacting us at:
Office of the Auditor General
2910 N. 44th Street, Suite 410 • Phoenix, AZ 85018 • (602) 553-0333
Additionally, many of our reports can be found in electronic format at:
www.azauditor.gov
Maricopa County Community College District
Internal Control and Compliance over Financial Reporting
Year Ended June 30, 2007
Table of Contents Page
Comprehensive Annual Financial Report
Issued separately
Report on Internal Control over Financial Reporting and on Compliance and
Other Matters Based on an Audit of Basic Financial Statements Performed in
Accordance with Government Auditing Standards
1
Schedule of Findings and Recommendations 3
District Response
2910 NORTH 44th STREET • SUITE 410 • PHOENIX, ARIZONA 85018 • (602) 553-0333 • FAX (602) 553-0051
DEBRA K. DAVENPORT, CPA
AUDITOR GENERAL
STATE OF ARIZONA
OFFICE OF THE
AUDITOR GENERAL WILLIAM THOMSON
DEPUTY AUDITOR GENERAL
Independent Auditors’ Report on Internal Control over Financial Reporting
and on Compliance and Other Matters Based on an Audit of Basic Financial
Statements Performed in Accordance with Government Auditing Standards
Members of the Arizona State Legislature
The Governing Board of
Maricopa County Community College District
We have audited the financial statements of the business-type activities and discretely presented
component unit of Maricopa County Community College District as of and for the year ended June 30,
2007, which collectively comprise the District’s basic financial statements, and have issued our report
thereon dated December 17, 2007. Our report was modified to include a reference to our reliance on other
auditors. We conducted our audit in accordance with U.S. generally accepted auditing standards and the
standards applicable to financial audits contained in Government Auditing Standards, issued by the
Comptroller General of the United States. Other auditors audited the financial statements of the Maricopa
County Community College District Foundation, the discretely presented component unit, as described in
our report on the District’s financial statements. The financial statements of Maricopa County Community
College District Foundation were not audited by the other auditors in accordance with Government
Auditing Standards. This report includes our consideration of the results of the other auditors’ testing of
internal control over financial reporting and compliance and other matters that are reported separately by
those other auditors. However, this report, insofar as it relates to the results of the other auditors, is based
solely on the reports of the other auditors.
Internal Control over Financial Reporting
In planning and performing our audit, we considered the District’s internal control over financial reporting
as a basis for designing our auditing procedures for the purpose of expressing our opinions on the basic
financial statements, but not for the purpose of expressing an opinion on the effectiveness of the District’s
internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of
the District’s internal control over financial reporting.
Our consideration of internal control over financial reporting was for the limited purpose described in the
preceding paragraph and would not necessarily identify all deficiencies in internal control over financial
reporting that might be significant deficiencies or material weaknesses. However, as discussed below, we
and the other auditors identified certain deficiencies in internal control over financial reporting that we
consider to be significant deficiencies.
2
A control deficiency exists when the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned functions, to prevent or detect
misstatements on a timely basis. A significant deficiency is a control deficiency, or combination of control
deficiencies, that adversely affects the District’s ability to initiate, authorize, record, process, or report
financial data reliably in accordance with generally accepted accounting principles such that there is more
than a remote likelihood that a misstatement of the District’s basic financial statements that is more than
inconsequential will not be prevented or detected by the District’s internal control. We consider items 07-
01 through 07-03 described in the accompanying Schedule of Findings and Recommendations to be
significant deficiencies in internal control over financial reporting.
A material weakness is a significant deficiency, or combination of significant deficiencies, that results in
more than a remote likelihood that a material misstatement of the financial statements will not be
prevented or detected by the District’s internal control.
Our consideration of internal control over financial reporting was for the limited purpose described in the
first paragraph of this section and would not necessarily identify all deficiencies in internal control that
might be significant deficiencies and, accordingly, would not necessarily disclose all significant
deficiencies that are also considered to be material weaknesses. However, of the significant deficiencies
described above, we consider finding number 07-02 to be a material weakness.
Compliance and Other Matters
As part of obtaining reasonable assurance about whether the District’s basic financial statements are free
of material misstatement, we performed tests of its compliance with certain provisions of laws, regulations,
contracts, and grant agreements, noncompliance with which could have a direct and material effect on the
determination of financial statement amounts. However, providing an opinion on compliance with those
provisions was not an objective of our audit, and accordingly, we do not express such an opinion. The
results of our tests disclosed no instances of noncompliance or other matters that are required to be
reported under Government Auditing Standards.
Managements’ responses to the findings identified in our audit have been included herein. We did not
audit managements’ responses and, accordingly, we express no opinion on them.
This report is intended solely for the information and use of the members of the Arizona State Legislature,
the Governing Board, federal awarding agencies, and pass-through entities and is not intended to be and
should not be used by anyone other than these specified parties. However, this report is a matter of public
record, and its distribution is not limited.
Dennis L. Mattheisen, CPA
Financial Audit Director
December 17, 2007
Maricopa County Community College District
Schedule of Findings and Recommendations
Year Ended June 30, 2007
3
07-01
Maricopa County Community College District
The District should test its disaster recovery plans for its computer information systems
The District uses three computerized information systems to process, record, and store information that is
vital to its daily operations. Therefore, it is critical that the District have an up-to-date contingency plan in
place to provide continued operations and to ensure electronic files are not lost due to a major computer
hardware or software failure or other interruption. However, the District did not have a disaster recovery
plan for its student information system. In addition, the District’s disaster recovery plans for its general
ledger and payroll systems have not been updated or tested since 2003. Additionally, the District has
alternate computer facilities that can be used to process daily transactions for its critical information
systems; however, these facilities have not been tested. Further, the District did not monitor its college
campuses to ensure that each campus was backing up the student information system and that the
backup tapes were tested and stored at an off-site location. As a result, the District risks losing valuable
data during a disruption or disaster.
To help ensure that the District’s systems are protected against system or equipment failure and to help
prevent data loss from a service interruption, the District should have a current disaster recovery plan for
each of its critical systems. The District should update and test these disaster recovery plans annually. In
addition, the District should ensure the plans include the following for each of its critical information
systems:
• A current listing of employees assigned to disaster teams, including emergency telephone
numbers.
• Employee assignments and responsibilities.
• A risk analysis identifying critical applications.
• Details of off-site storage locations and availability of information stored at these locations.
• A list of procedures for processing critical transactions, including forms or other documents to use.
• Details of hardware and software requirements needed to run critical systems and the applicable
vendors where the hardware and software can be obtained.
• Restoration procedures for backup tapes and servers.
• Overall testing strategies, testing frequencies, and documentation of test results.
In addition, the District should communicate and distribute copies of the disaster recovery plans to the
necessary employees and ensure that they are aware of and are properly trained in their recovery
responsibilities. The District should store a printed copy of the disaster recovery plans at the District’s off-site
data storage facility. Further, the District should monitor its college campuses to ensure that they are
backing up the student information system and storing these backup tapes at the off-site facility daily.
Maricopa County Community College District
Schedule of Findings and Recommendations
Year Ended June 30, 2007
4
Component Unit Findings
The other auditors that audited the Maricopa County Community College District Foundation
reported the following material weakness and significant deficiencies for that component unit:
07-02
Maricopa County Community College District Foundation
Financial Statement Preparation
It appears from the year-end adjustments that the Foundation’s financial statements did not include all the
necessary adjustments to provide financial statements comparable to the audited financial statements
distributed to outside users. We recommend that the Foundation review the contents of the new audit
adjustments made to the year-end financial statements and incorporate them into the closing process so
that the financial statements are complete, accurate, and comparable. The following instances in particular
lead to audit adjustments:
• The Foundation accountant did not adjust the allowance for doubtful pledges and bad debt
expense for two pledges whose payment is in question;
• The Foundation accountant did not reverse the prior year accounts payable accrual when payment
was made in the current year;
• The Foundation accountant did not accrue an invoice received subsequent to year end that was
for services provided during the year ended June 30, 2007.
Management response: None reported.
07-03
Maricopa County Community College District Foundation
Segregation of Duties
The Foundation has a limited number of office personnel and, accordingly, does not have sufficient
internal controls in certain areas because of an inadequate segregation of duties. Effective internal control
contemplates an adequate segregation of duties so that no one individual handles a transaction from its
inception to its completion. While we recognize that the Foundation’s office staff may not be large enough
to permit an adequate segregation of duties in all respects for an effective internal control structure, it is
important that management be aware of this condition, and realize that this concentration of duties is not
ideal, but unavoidable. Under these conditions, the most effective control lies in the Board’s and
management’s knowledge of matters relating to the Foundation’s operations.
Management response: None reported.
1
January 24, 2008
Ms. Debbie Davenport
Auditor General
2910 N. 44th Street, Suite 410
Phoenix, AZ 85018
Dear Ms. Davenport:
The accompanying corrective action plan has been prepared as required by
Government Auditing Standards. Specifically, we are providing you with the names
of the contact people responsible for the corrective action, the corrective action
planned, and the anticipated completion date for the audit finding included in the
Schedule of Findings and Recommendations for the fiscal year ended June 30, 2007.
We would like to emphasize that we have not responded to items 07-02 and 07-03.
These items relate to the Maricopa County Community College District Foundation
which is a discretely presented component unit. The component unit is a separate,
legal entity that is not subject to management by the District. As such, it would not
be appropriate for us to respond to issues pertaining to the entity.
Sincerely,
Kimberly Brainard Granio, CPA
Director, Financial Services and Controller
MARICOPA COUNTY COMMUNITY COLLEGE DISTRICT
Corrective Action Plan
Year Ended June 30, 2007
Financial Audit Findings
07-01
Contact persons: Kim Granio, Steve Creswell
Anticipated completion date: June 2008
Corrective Action Planned:
The District has disaster recovery plans and equipment in place for two of its systems:
CFS (financial system) and HRMS (human resources/payroll system). These plans will
be reviewed annually and updated as necessary and include roles and responsibilities of
employees assigned to disaster teams along with pertinent contact information. The plans
also include a list of procedures for processing critical transactions along with forms and
other documents necessary for the District to operate for a limited amount of time after a
disaster occurs. Recoverability testing plans have been developed and are executed
annually. These plans will be distributed to the applicable staff and we will ensure that
all staff is aware and properly trained to perform their role within the disaster recovery
plan. A hardcopy of the plan will be maintained at the District’s offsite data storage
facility and in other locations as necessary.
A risk analysis identifying critical applications and exposures and an assessment of the
impact to the District was completed in May 2007.
Back-up tapes are removed to an offsite storage facility twice weekly. Remote backup
tapes are a 3rd level of protection as follows: 1) the failover server being the primary
mechanism, 2) the on-site backup tapes being the second, 3) and in a truly extraordinary
failure the off-site backup tapes constitute the third level. The failover server and backup
tapes are tested annually to ensure that the tapes and data on them are recoverable and
usable in an emergency.
The District purchased a building in July 2007 for a dedicated disaster recovery facility
that is expected to come on line in 2008. Until then we will continue to use separate
college facilities for HRMS and CFS.
The District’s third critical system, the Student Information System (Legacy SIS) is
decentralized and is operated out of the individual college sites. The college systems are
backed up nightly. The District’s new SIS application is scheduled to go live in February
2008 and will be centralized. Accordingly, the District has developed a separate business
continuity plan specifically for the new system that will be in place at go-live. In the
interim, the District Office Information Technology Services Department will ensure that
the colleges are following back up procedures for Legacy SIS and properly safeguarding
such data. Due to network cost considerations the failover server for the new SIS will be
co-located at the District Office site until a failover server can be setup at the new
dedicated disaster recovery facility.
Object Description
| Rating | |
| TITLE | Maricopa County Community College District report on internal control and compliance year ended... |
| CREATOR | Arizona Office of the Auditor General |
| SUBJECT | Arizona--Maricopa County Community College District; Finance, public--Arizona--Auditing; Community Colleges--Arizona--Auditing |
| Browse Topic |
Government and politics Education |
| DESCRIPTION | This title contains one or more publications |
| Language | English |
| Publisher | Arizona Office of the Auditor General |
| Material Collection | State Documents |
| Source Identifier | LG 6.3:A 82 M 16 |
| Location | o828146251 |
| REPOSITORY | Arizona State Library, Archives and Public Records--State Library of Arizona |
