The UCA Audit Committee reviewed and accepted three finished audit projects Feb. 20 concerning a data breach in the athletic ticket office, safety measures for the Student Accounts vault and improvements needed for temporary access cards.
The meeting opened with a quorum of trustees present, consisting of board members Robert “Bunny” Adcock, Shelia Vaught and Elizabeth Farris, with Farris the newest addition to the committee. Adcock was unanimously elected as the committee chair.
Internal Audit Director Pamela Massey reviewed each audit report, beginning with the athletic ticket office review.
Former Athletic Ticket Manager Steve Schoenhut’s post-termination review was added to the Internal Audit audit plan due to his abrupt resignation July 31, 2013. The review began the same day as his resignation.
The review’s purpose was to examine documentation and computer files with specific interest given to athletic event ticket sales in the office.
Findings were inconclusive as to whether fraudulent activity occurred due to an incomplete audit trail and lack of available records, but a breach of personal account information was noted during the review.
According to the report, Internal Audit became aware of a data breach of personal account information related to the examination of an outside email account established by the ticket office to conduct university business regarding athletic ticket sales.
A spreadsheet containing personally identifiable cardholder data for fewer than 30 individuals was found unencrypted as an email attachment on a public email server to which Schoenhut had access following his resignation, thereby compromising the security of the data.
Arkansas State Code requires any person or business that maintains electronic data that includes personal information to report when that information may be suspected of being acquired by an unauthorized person, so management notified the affected cardholders following the notification of breach. The report includes a quote from Athletic Director Brad Teague.
“Athletics agrees with the recommendation to use university email accounts,” Teague said. “The employee who used a Yahoo account for university business is no longer employed. Athletics employees are [using] and will [continue to] use official UCA email accounts only for university business. This corrective action occurred as soon as the former employee was no longer with UCA.”
Interim Ticket Manager Derek Walter said this email was sent because Schoenhut wanted to “stick it to us” on his way out.
“He emailed himself every file and then deleted it off his computer so I couldn’t get to it kinda so we would need him,” Walter said.
Walter said they currently have a third-party system that protects cardholders’ information. Once an order has been processed, the card information cannot be retrieved by the ticket office, aside from the last four digits.
The expiration date and full card number are relinquished to the third party, eliminating the potential for customers to call in and renew their tickets with information they believe to be stored in the athletic ticket office.
Walter said the email containing cardholder information was created before the new system was introduced to his office in March 2013.
Vice President of Finance and Administration Diane Newton said, “management agrees with all the recommendations made by the internal audit.”
The second audit project found that the student accounts office vault conveyed “adequate security measures,” but the official report, read aloud by Massey, noted two improvements needed.
The security review was added to the Internal Audit’s 2013-2014 plan Aug. 15, 2013, with the purpose of examining the policies and procedures of the student accounts office with specific interest given to the security of the vault and safe in McCastlain Hall 144.
According to the report, a Jan. 28 observation of the vault and safe revealed that its contents were not being properly maintained. The lack of inventory increased the risk that misplacement or removal of documents might not be properly recorded or detected.
Student Accounts Director Jason Rankin responded to the review, saying “management agrees with and appreciates the recommendation” and that an inventory will be performed no later than Feb. 28. Rankin added in the report that “management does not believe that a maintained inventory of the entire vault contents is appropriate for its function.”
The management and Internal Audit agreed on the types of records that should be inventoried in the vault during a closing conference Feb. 13.
The review also found that Rick McCollum, housing and contract services vice president, had access to a sub-master key allowing access to McCastlain Hall 144, a key pad combination to the vault and the combination to the safe located within the vault.
The auditors recommended management ensure no one individual has complete, unaccompanied access to the vault and safe contents.
Rankin responded to the review, saying “as of [Feb. 12], Rick McCollum has turned in his keys to McCastlain Hall.”
He said McCollum turned over the sealed envelope containing the safe combination to controller Jeremy Bruner, who agreed to keep the safe combination in his departmental safe. McCollum will continue to safeguard the vault key pad combinations in the housing safe in a bank deposit bag. The two keys to the bag are in the possession of McCollum and Rankin.
The final complete audit project conveyed that improvements were needed regarding Bear Card access and security.
According to the report, Internal Audit recommended training and awareness programs related to controls issuance and accountability of temporary access cards be enhanced to ensure residence hall security.
The review also recommended management enhance monitoring procedures of housing staff to ensure controls are properly implemented related to the security, issuance and deactivation of cards.
With ownership transfer, temporary access cards were transferred between Bear Card staff, housing lock shop staff and RSC coordinators without written acknowledgment of the transfer of responsibility, therefore not maintaining documentation that indicated the number of cards issued to the lock shop, which were then issued to RCs. Examination of card issuance logs revealed that a standard issuance log was not used, thereby not consistently documenting information such as date of issue, card number, resident’s signature or room number.
The review additionally noted RCS coordinators are not immediately notifying the Lock Shop to deactivate temporary access cards not returned within the 72-hour period. This causes housing staff to not be aware of the location of all cards, along with who may have current access to a particular building.
The review also noted that unused temporary access cards were not stored in a secure location, some being stored on bulletin boards, desktops or unlocked desk drawers.
The lock shop provided auditors with a report from Jan. 29 in which 227 temporary access cards were active for all 11 residence halls. Forty-four of those cards could not be located. The lock shop was notified and deactivated the missing cards soon after.
The audit found that deposits and housing assessment forms weren’t being turned in to RCS. From July 1, 2013 to Jan. 4, only $60 in assessment fees was charged to students’ accounts for unreturned temporary access cards, according to a housing assessment form log for all residence halls.
Because of reporting limitations from the lock shop, management was unable to obtain a complete list of all temporary access cards and their current status at any given time.
McCollum said management agrees with the audit’s findings, according to the quote in the report.
Management listed ways in which RCs and assistant directors will work to fix problems with temporary access card security, mainly mandatory meetings scheduled to provide more specific instructions with emphasis on regulation, documentation and overall security of the issuance and card deactivation.
According to the report, management is exploring the possibility of using key lock boxes to house cards by punching a hole in each temporary card so it can hang in the box.
Depending on the method of storage selected, the time frame to implement could be longer. The report from management said a storage method will be identified and in operation by March 14.
The committee reviewed tentative meeting dates for 2014, which will be released once they are decided. Committee members decided that an executive session was not needed, and adjourned the meeting.