Staff Report
An audit of procedures at LSU Eunice by the Louisiana Legislative Auditor made several recommendations for improvement.
“We performed procedures on selected controls and transactions relating to cash collection procedures, student accounts receivable, reconciliation of the general ledger to subsidiary ledger, and payroll and personnel,” stated the audit released in August.
LSUE Chancellor Nancee Sorenson said, “We are happy to get the review and notification of long standing procedures that need our attention. LSUE is making all necessary changes and is committed to transparency. The ransomware attack illuminated needed improvement to our IT security which we have implemented.”
Sorenson was named chancellor in May 2019 and arrived on the campus in July of that year.
The ransomware attack occurred on Oct. 23, 2019, and audit stated it “impacted operational processes such as the permanent loss of e-mails, certain local data on user PCs, online application for admission, schedule of online courses, and the ability to run reports.”
The audit stated “there was limited impact on financial reporting due to the accounting system and student system servers not being impacted. Some backups were impacted by the attack. LSU Eunice, under the advice of the State Office of Information Technology, implemented a remediation plan that rebuilt most servers (rather than restore from back-ups) to ensure the virus was not reintroduced into the network.”
The audit stated when the attack occurred there was no incident response plan in place.
The management response stated it would complete a plan by Oct. 31.
Other areas in the audit concern operational procedures and management either concurred or partially agreed, but with its own remedies.
— LSU Eunice failed to reconcile student payment plan transactions processed by a third-party organization for LSU Eunice. The organization posted $2.6 million in payments to students’ accounts from July 1, 2018, through December 31, 2019.
— LSU Eunice uses a third-party organization that is responsible for collecting online installment plan payments from students. The organization deposits the students’ payments into LSU Eunice’s bank account and interfaces with LSU Eunice’s system to post payments to students’ accounts. The deposits from the organization are recorded by LSU Eunice personnel into the LSU Eunice’s general ledger directly from the amounts posted to the bank statements. LSU Eunice does not reconcile the transactions posted by the organization in the students’ accounts to the payments deposited by the organization.
— LSU Eunice has inadequate controls over student refunds. Refunds for overpayments of tuition and fees are compiled, edited, sent for payment, posted to student accounts, and reconciled by one employee without an independent review. Good internal control requires segregation of duties and shared responsibilities of key processes. Inadequate segregation of duties increases the risk that students are refunded incorrect amounts due to error or fraud.
— LSU Eunice failed to maintain adequate controls over cash receipts and, as a result, was unable to account for missing receipt numbers from handwritten receipt booklets in the supporting documentation. Inadequate controls over cash receipts increases the risk of error and theft of cash.
Receipts for cash payments received by the business office are normally produced electronically from the cashiering system (system) at the time of the transaction. Handwritten receipts from a pre-numbered receipt booklet are used at times when the system is temporarily unavailable.
— LSU Eunice did not submit past-due student accounts receivable to the Louisiana Attorney General for collection in accordance with state law and its written procedures. Failure to submit these accounts for collection increases the risk that the accounts will become uncollectible.
— LSU Eunice unclassified employees who earn leave did not certify time and attendance records as required by R.S. 17:3311.A(3). Lack of controls over monthly certifications increases the risk of fraud or error related to time worked going undetected and noncompliance with state laws.