Two-thirds of the 20 agencies we reviewed between 2014 and 2016 did not substantively comply with all applicable IT security standards. Specifically, few agencies properly scanned their workstations and servers or patched known vulnerabilities, increasing the number of weaknesses hackers might exploit. Many agencies used unsupported software or had vulnerable websites, creating risks which can be difficult to mitigate. Half the agencies had poor access or environmental controls for their data centers, increasing the risk of data loss. Several agencies did not adopt strong password settings, increasing their exposure to brute force attacks. Additionally, several agencies did not adequately protect their network boundaries or did not sufficiently protect their systems from malicious code, and they did not conduct background checks or follow security protocols for departing staff, all of which could lead to security incidents. Lastly, many agencies did not conduct security awareness training, and our social engineering tests demonstrated a lack of understanding for security protocols.
State of Kansas: OMB Circular A-133 Audit of Fiscal Year 2013
State law calls for an annual financial-compliance audit of the general purpose financial statements and “the financial affairs and transactions of a state agency required to comply with federal government audit requirements…” RubinBrown, under contract with Legislative Post Audit, conducted this two-part audit. The first part was the report on the state’s Comprehensive Annual Financial Report (report R-13-016, released in December 2013). This second part, the Report on Federal Awards in Accordance with OMB Circular A-133, reports on compliance with laws, regulations, and provisions of contracts and grant agreements.
The auditors concluded that the state complied, in all material respects, with the requirements applicable to each of the federal programs audited. However, the auditors reported 26 deficiencies in internal control. The auditors also identified questioned costs for a number of programs. Six of the findings were repeated from prior years.
State of Kansas: OMB Circular A-133 Audit of Fiscal Year 2012
State law calls for an annual financial-compliance audit of the general purpose financial statements and “the financial affairs and transactions of a state agency required to comply with federal government audit requirements…” RubinBrown, under contract with Legislative Post Audit, conducted this two-part audit. The first part was the report on the state’s Comprehensive Annual Financial Report (report R-13-005, released in March 2013). This second part, the Report on Federal Awards in Accordance with OMB Circular A-133, reports on compliance with laws, regulations, and provisions of contracts and grant agreements.
The auditors concluded that, except for the Unemployment Insurance program, the state complied, in all material respects, with the requirements applicable to each of the federal programs audited. However, the auditors reported 28 deficiencies in internal control, two of which were material weaknesses. The auditors also projected up to $73.4 million in questioned costs ($65,000 in known questioned costs). Six of the findings were repeated from prior years.
Accounts Receivable: Reviewing Agencies' Efforts To Collect Amounts Owed to the State (A K-GOAL Audit)
For the State, accounts receivable represent moneys expected to be collected for unpaid taxes, overpayments, fines, or goods and services provided. Our survey of 53 State agencies with significant accounts receivable found that many State agencies could improve their debt collection efforts if they strengthened their collection policies and adopted other collection best practices. Four of the six programs we reviewed in detail failed to meet many of the collection best practices applicable to their operations; three of those four also had inadequate collection policies. Overall, the four poor-performing programs had deficiencies in some or all of the following areas: monitoring receivables, aggressively pursuing debts, using enforcement tools, and using outside collection options, including the State’s Setoff Program. If those four programs improve their collection efforts, they might be able to collect a significant amount of additional revenue: collecting just 5% more of those programs’ delinquent receivables would generate almost $3 million in one-time revenues. We also noted that not all of the $2 billion accounts receivable shown in the State’s financial report is collectible because it includes aged, and therefore doubtful, receivables for a number of agencies.
State Universities: Can State Universities Provide Postsecondary Education More Efficiently To Reduce Costs? (A K-GOAL Audit)
Our focus was on general-use operating expenditures funded with State General Fund and tuition revenues; we excluded restricted funds like federal grants and student fees, the University of Kansas Medical School, and Kansas State’s Veterinary Medicine School and Extension Programs. In fiscal year 2008, general use operating expenditures per FTE student ranged from $8,330 at Fort Hays State to $14,191 at the University of Kansas. Overall, Emporia State and the University of Kansas spent about $2,000 more per FTE student than their in-State counterparts. The vast majority of the universities’ general use operating expenditures were for education-related expenditures (72% to 85% of the total). Most of the differences in the amounts spent for educational programs appeared to be caused by differences among the six universities in staffing and salary levels. Numerous options exist for delivering universities’ academic programs and courses more economically or efficiently. Actions that universities in other states have reported taking to help reduce academic spending include eliminating or combining low-enrollment course sections, academic departments, or degree programs within universities; collaborating across universities to share course content, teachers, and instructional programs; increasing the number of courses offered online or through distance learning; and increasing faculty workloads. Actions they’ve reported taking to help reduce their institutional spending include maximizing the use of existing classroom and laboratory space to reduce the need for additional space; consolidating or changing administrative functions or processes—both within and across universities; outsourcing some non-academic services such as food service and grounds maintenance; sharing purchasing costs, and reducing energy costs. The State’s six universities have implemented some of these ideas to varying degrees, but there are numerous opportunities for additional efficiencies. Given recent budget cuts, the universities already may have taken some of the actions described in this report.
Business Procurement Cards: Expanding Their Use To Increase Cash Rebates to the State
For fiscal year 2008, we estimated that $27 million of the non-procurement-card purchases agencies made from the 37 highest-volume vendors potentially could have been charged to a procurement card. Charging all those purchases would have generated more than $380,000 in cash-back rebates. Agencies also made $327 million of similar non-procurement-card purchases from the thousands of other vendors we didn’t analyze. If just 20% of these purchases could have been charged, agencies would have generated $940,000 in additional cash-back rebates, for a total of $1.3 million. Among other things, agency officials told us they didn’t always use their procurement cards when they could because of concerns about the complexity of tracking such purchases, and the perceived lack of thorough controls over procurement card purchases.
Regents’ Information Systems: Following Up On Computer-Security Issues at Various Universities
This audit followed up on a 2005 computer-security audit of Kansas State University, Emporia State University, and the University of Kansas. That audit included a large number of recommendations related to missing or inadequate security policies, and to non-policy areas such as the authority of the security officer position and the efficiency of the policy-setting process. In this audit, we found that the three universities have fully implemented very few of the policy recommendations from the 2005 report. While ESU did the best, fully complying with 28 of 41 recommendations, KSU complied with only 7 of 33, and KU complied with only 5 of 33. In testing some of the areas, we found significant access control problems at one university. Finally, we found that the universities have implemented most of the non-policy recommendations from the 2005 audit report.
Board of Regents’ Information Systems: Reviewing Computer Security at Various Universities
Universities must balance the need for computer security in an extremely complex environment with the need for a free and open exchange of information. Our review of computer security policies at Kansas State and Emporia State Universities and the University of Kansas showed that in many areas the security procedures described were adequate, but hadn’t been adopted as official written policies. Written policies are important in security because they help ensure consistency and communicate the intent of upper-level management. We also noted many instances of no or inadequate policies in such areas as encrypting confidential data, having disaster recovery plans, and planning for security in new systems. The policy-setting process at these universities can be lengthy and cumbersome, requiring review and sometimes approval by many campus committees. The security function is strongest at the two larger universities. They both have taken a proactive approach to managing computer security by developing policies and incident response teams, actively promoting security awareness to their users, and protecting computers belonging to students living in the residence halls from computer viruses.Because of security considerations, specific problems with security policies were not discussed in any detail in this report. We provided separate confidential reports and recommendations to each university.
State-Held-Lands: Reviewing the Management and Use of Those Lands in Kansas
Kansas lacked a good centralized system for inventorying and managing State-owned and leased land. Through direct surveys of all State agencies we learned that they owned more than 335,600 acres and leased another 256,000 acres for State use. Most of that land was used for highway right-of-way and for parks and wildlife habitat. About 4,800 acres worth $6.9 million was potentially surplus. Nothing would prevent the State from selling this land, but conditions, like toxic waste on some parcels, may make it difficult to sell. State agencies will continue to have little incentive to identify surplus lands, despite a new law requiring that guidelines and criteria for identifying and selling surplus land be put into place. The new law didn't set up an independent authority to make the decision about whether potentially surplus land should be sold, and it lacked a financial incentive for agencies to sell land. When agencies lease out State-owned land, they usually do it on a competitive-bid basis; only 4 agencies weren't using competitive bids to let their leases or didn't rebid the leases frequently enough. Finally, we found a few cases where agencies weren't paying property taxes on land when they should have been, and at least one case where an agency was paying taxes it shouldn't have been paying.
Reviewing the Efficiency of State Printing Plant Operations (100-hour audit)
With few exceptions, standard jobs (such as letterhead, envelopes, and business cards) being printed at State agencies with their own printing facilities could be done by the State Printing Plant or a private-sector printing firm. For our limited sample of such printing jobs, the State Printer’s estimated charges were less to print most items than commercial printers or other State agencies, even though the other State agencies don’t include all costs of operation in their estimated charges.
Compliance and Control Audit: Kansas State University Fiscal Year 1993
Four of the nine mainframes reviewed were operating at or near capacity. The five remaining computers, which generally were in the early to middle years of their life expectancy, appeared underused at this time. In those cases, agency officials generally indicated that planned applications would increase mainframe use in the future or that federal funding used to acquire and operate their computers limited the possible uses. Finally, available data storage for several main frames was full or nearly full, and the affected agencies may need to take some action to acquire more storage capacity soon.
Examining Universities’ Use of Margin of Excellence Moneys
The Board of Regents provided only general instructions to its institutions for budgeting Margin of Excellence moneys, but it approved all Margin budget requests before those requests were submitted to the Legislature. Individual institutions' plans for spending their Margin money appeared to comply with their mission statements. Except for Wichita State University, all the Regents' institutions pooled their Margin salary parity and merit pay moneys before distributing any salary increases in fiscal years 1989 and 1990. Tenured or tenure-track faculty at Wichita State and Kansas State Universities received average salary increases of 8-10 percent for 1989 and 1990; University administrators received average raises that were comparable to or less than faculty pay raises. Finally, both Wichita State and Kansas State used their Margin of Excellence program enhancement moneys for a variety of items such as hiring unclassified staff and purchasing library materials and equipment.
Personal Computer Sales by State University Bookstores
The University of Kansas, Kansas State University, Wichita State University, and the University of Kansas Medical Center are selling computers through their bookstores. The bookstores at the University of Kansas and Kansas State University sold a combined total of 1,573 computers during the last two fiscal years. Both sold a small number of customers more than one computer, which was not allowed under their contracts with computer companies, and both also sold a small number of computers to people who were not eligible to purchase them. Computer sales are not being financed with State moneys at either university. However, the University of Kansas makes loan funds available through federal loan programs, and the Kansas University Endowment Association also makes loans for computer purchases.
Reviewing Increases in Kansas State University’s Fiscal Year 1989 Utilities Costs (100-hour audit)
In general, the audit shows that Kansas State University’s nearly $700,000 supplemental request for utilities for fiscal year 1989 was the result of substantial utility rate increases combined with unexpectedly heavy usage. The supplemental request does not appear to be connected with the new Bramlage Coliseum, nor with a recent change in the Board of Regents policy related to the State’s full payment of athletic facilities’ operating costs.
Faculty Salaries in Kansas and the Resources Committed to Pay Them
On a per-credit-hour basis, both the University of Kansas and Kansas State University had less money than the average of their peer schools to spend on faculty salaries during fiscal year 1987. Kansas schools receive more of their funding from the State General Fund than the average of the peer schools. Factors that may impact on the amount of money available for faculty salaries in Kansas include a somewhat lower tax effort, a large postsecondary student population, and a somewhat smaller portion of the State budget going to support higher education. If adjusted for the cost of living, faculty salaries in Kansas appear to provide comparable or better purchasing power than in most of the peer states.
County extension agents spend most of their time on 4-H and youth activities, even though the Legislature has made it clear on several occasions that agriculture should be the main focus of extension programs in Kansas. The agents' priorities are primarily set by local officials. Other states put a greater proportion of state money into their extension programs than Kansas, and have a correspondingly greater amount of State control over those programs.
Determining the Effect of Eliminating University Degrees and Programs
Between 1983 and 1987, the Board of Regents and the State universities eliminated or modified 185 individual degrees and made16 additional changes to departments or subject areas. Of those changes, 29 allowed the universities to reallocate a total of about $1 million to other university activities. The remaining changes generally did not affect the numbers of faculty and courses, often because another degree was still offered in the same subject area.
New faculty members generally have less experience and lower rank than the faculty members they replace, but are paid nearly as much. Universities have some difficulties recruiting qualified applicants for positions; about one-fourth the job offers made were declined. Comparisons show that percentage increases in Regents’ faculty salaries between 1974 and 1985 generally kept up with inflation, but actual salaries and fringe benefits are generally lower than at the Regents’ peer institutions.
Entry Into Retirement Annuity Plans at the Regents’ Institutions
Most employees who were signed up immediately for a retirement annuity plan either had a valid contract or the required experience when they started work. But many of those employees got their contract just before they started; they had not been enrolled in a valid plan at another school. The State incurs a cost of about $250,000 a year to pick up these employee’ retirement contributions. The Legislature will need to determine if it intended for these contibutions to be picked up.
Wage Rates for Construction of the Coliseum at Kansas State University
For Riley County, some of the specific hourly wage rates developed through surveys by the Department of Human Resources are significantly higher or lower than rates for surrounding and similar counties. Several rates also changed significantly from 1985 to 1986. The use of data supplied by one contractor for individual rate determinations and other weaknesses in the Department’s methodology have helped cause such variations.
Student Wage Expenditures at the Regents’ Institutions
Universities’ actual expenditures for student wages may differ significantly from the amount authorized by the General Fund line-item appropriation for student salaries and wages because student wages can be paid from other funds. Controls on student wage expenditures also vary between the universities and have different purposes. The audit presents options for increasing legislative control and oversight in this area.
This report lists average classes taught and average hours spent each week in class for all levels of instructor, by school and by department. Graduate teaching assistants served as primary instructors for two-thirds of the 768 courses they were assigned to, mostly in math and English.
Examing Space Utilization At The Kansas State University Veterinary Medicine Complex