Overall, we identified most state agencies maintain computer systems which hold a variety of sensitive data or process payments that must be protected. Although the state is responsible for these sensitive data or payment systems, it lacks an enterprise-level approach to IT security. We also found that 17 of 45 agencies (38%) that process payments or maintain large amounts of highly sensitive data have not had an independent evaluation of their security measures in the past three years. In addition, we learned the state lacks a complete set of three-year IT Plans as required by law, and that agencies’ submitted plans have been made public despite containing sensitive security information.
We also reviewed IT security resources at 10 selected agencies. As part of that review, we found the reporting structures at seven agencies created a risk that important security issues may not be communicated to top management. Additionally, three agencies’ lead IT security positions were not filled with sufficiently qualified staff, and two agencies lacked enough staff to perform necessary IT security tasks. Lastly, IT security software products agencies reported using in five security categories appeared to be adequate except for one agency, which lacked software to back up its system databases and electronic files stored on its network since November 2013.
State Universities: Can State Universities Provide Postsecondary Education More Efficiently To Reduce Costs? (A K-GOAL Audit)
Our focus was on general-use operating expenditures funded with State General Fund and tuition revenues; we excluded restricted funds like federal grants and student fees, the University of Kansas Medical School, and Kansas State’s Veterinary Medicine School and Extension Programs. In fiscal year 2008, general use operating expenditures per FTE student ranged from $8,330 at Fort Hays State to $14,191 at the University of Kansas. Overall, Emporia State and the University of Kansas spent about $2,000 more per FTE student than their in-State counterparts. The vast majority of the universities’ general use operating expenditures were for education-related expenditures (72% to 85% of the total). Most of the differences in the amounts spent for educational programs appeared to be caused by differences among the six universities in staffing and salary levels. Numerous options exist for delivering universities’ academic programs and courses more economically or efficiently. Actions that universities in other states have reported taking to help reduce academic spending include eliminating or combining low-enrollment course sections, academic departments, or degree programs within universities; collaborating across universities to share course content, teachers, and instructional programs; increasing the number of courses offered online or through distance learning; and increasing faculty workloads. Actions they’ve reported taking to help reduce their institutional spending include maximizing the use of existing classroom and laboratory space to reduce the need for additional space; consolidating or changing administrative functions or processes—both within and across universities; outsourcing some non-academic services such as food service and grounds maintenance; sharing purchasing costs, and reducing energy costs. The State’s six universities have implemented some of these ideas to varying degrees, but there are numerous opportunities for additional efficiencies. Given recent budget cuts, the universities already may have taken some of the actions described in this report.
Business Procurement Cards: Expanding Their Use To Increase Cash Rebates to the State
For fiscal year 2008, we estimated that $27 million of the non-procurement-card purchases agencies made from the 37 highest-volume vendors potentially could have been charged to a procurement card. Charging all those purchases would have generated more than $380,000 in cash-back rebates. Agencies also made $327 million of similar non-procurement-card purchases from the thousands of other vendors we didn’t analyze. If just 20% of these purchases could have been charged, agencies would have generated $940,000 in additional cash-back rebates, for a total of $1.3 million. Among other things, agency officials told us they didn’t always use their procurement cards when they could because of concerns about the complexity of tracking such purchases, and the perceived lack of thorough controls over procurement card purchases.
Regents’ Information Systems: Following Up On Computer-Security Issues at Various Universities
This audit followed up on a 2005 computer-security audit of Kansas State University, Emporia State University, and the University of Kansas. That audit included a large number of recommendations related to missing or inadequate security policies, and to non-policy areas such as the authority of the security officer position and the efficiency of the policy-setting process. In this audit, we found that the three universities have fully implemented very few of the policy recommendations from the 2005 report. While ESU did the best, fully complying with 28 of 41 recommendations, KSU complied with only 7 of 33, and KU complied with only 5 of 33. In testing some of the areas, we found significant access control problems at one university. Finally, we found that the universities have implemented most of the non-policy recommendations from the 2005 audit report.
Board of Regents’ Information Systems: Reviewing Computer Security at Various Universities
Universities must balance the need for computer security in an extremely complex environment with the need for a free and open exchange of information. Our review of computer security policies at Kansas State and Emporia State Universities and the University of Kansas showed that in many areas the security procedures described were adequate, but hadn’t been adopted as official written policies. Written policies are important in security because they help ensure consistency and communicate the intent of upper-level management. We also noted many instances of no or inadequate policies in such areas as encrypting confidential data, having disaster recovery plans, and planning for security in new systems. The policy-setting process at these universities can be lengthy and cumbersome, requiring review and sometimes approval by many campus committees. The security function is strongest at the two larger universities. They both have taken a proactive approach to managing computer security by developing policies and incident response teams, actively promoting security awareness to their users, and protecting computers belonging to students living in the residence halls from computer viruses.Because of security considerations, specific problems with security policies were not discussed in any detail in this report. We provided separate confidential reports and recommendations to each university.
State-Held-Lands: Reviewing the Management and Use of Those Lands in Kansas
Kansas lacked a good centralized system for inventorying and managing State-owned and leased land. Through direct surveys of all State agencies we learned that they owned more than 335,600 acres and leased another 256,000 acres for State use. Most of that land was used for highway right-of-way and for parks and wildlife habitat. About 4,800 acres worth $6.9 million was potentially surplus. Nothing would prevent the State from selling this land, but conditions, like toxic waste on some parcels, may make it difficult to sell. State agencies will continue to have little incentive to identify surplus lands, despite a new law requiring that guidelines and criteria for identifying and selling surplus land be put into place. The new law didn't set up an independent authority to make the decision about whether potentially surplus land should be sold, and it lacked a financial incentive for agencies to sell land. When agencies lease out State-owned land, they usually do it on a competitive-bid basis; only 4 agencies weren't using competitive bids to let their leases or didn't rebid the leases frequently enough. Finally, we found a few cases where agencies weren't paying property taxes on land when they should have been, and at least one case where an agency was paying taxes it shouldn't have been paying.
Reviewing the Efficiency of State Printing Plant Operations (100-hour audit)
With few exceptions, standard jobs (such as letterhead, envelopes, and business cards) being printed at State agencies with their own printing facilities could be done by the State Printing Plant or a private-sector printing firm. For our limited sample of such printing jobs, the State Printer’s estimated charges were less to print most items than commercial printers or other State agencies, even though the other State agencies don’t include all costs of operation in their estimated charges.
Compliance and Control Audit: University of Kansas
Four of the nine mainframes reviewed were operating at or near capacity. The five remaining computers, which generally were in the early to middle years of their life expectancy, appeared underused at this time. In those cases, agency officials generally indicated that planned applications would increase mainframe use in the future or that federal funding used to acquire and operate their computers limited the possible uses. Finally, available data storage for several main frames was full or nearly full, and the affected agencies may need to take some action to acquire more storage capacity soon.
Reviewing State-Funded Medical Scholarships in Kansas
Since the inception of the Kansas Medical Scholarship Program, requirements have become more restrictive regarding designated areas of practice, types of medical specialties, and repayment provisions. In 1986, the emphasis of the Program changed from distributing physicians to underserved areas to placing primary-care physicians into rural areas. Since 1978, more than $36 million in medical scholarships has been awarded to 1,476 students. Approximately 46 percent of those recipients have fulfilled their service obligations. Many graduates are fulfilling their obligations under provisions of the law that allow them to practice in urban areas. The Program appears to be achieving the goals of retaining more Medical Center graduates in Kansas and distributing more doctors to underserved areas. In future years, because fewer than 35 new scholarships are being awarded annually, significantly fewer doctors will be distributed to underserved or rural areas as a result of the Program.
Personal Computer Sales by State University Bookstores
The University of Kansas, Kansas State University, Wichita State University, and the University of Kansas Medical Center are selling computers through their bookstores. The bookstores at the University of Kansas and Kansas State University sold a combined total of 1,573 computers during the last two fiscal years. Both sold a small number of customers more than one computer, which was not allowed under their contracts with computer companies, and both also sold a small number of computers to people who were not eligible to purchase them. Computer sales are not being financed with State moneys at either university. However, the University of Kansas makes loan funds available through federal loan programs, and the Kansas University Endowment Association also makes loans for computer purchases.
Faculty Salaries in Kansas and the Resources Committed to Pay Them
On a per-credit-hour basis, both the University of Kansas and Kansas State University had less money than the average of their peer schools to spend on faculty salaries during fiscal year 1987. Kansas schools receive more of their funding from the State General Fund than the average of the peer schools. Factors that may impact on the amount of money available for faculty salaries in Kansas include a somewhat lower tax effort, a large postsecondary student population, and a somewhat smaller portion of the State budget going to support higher education. If adjusted for the cost of living, faculty salaries in Kansas appear to provide comparable or better purchasing power than in most of the peer states.
Determining the Effect of Eliminating University Degrees and Programs
Between 1983 and 1987, the Board of Regents and the State universities eliminated or modified 185 individual degrees and made16 additional changes to departments or subject areas. Of those changes, 29 allowed the universities to reallocate a total of about $1 million to other university activities. The remaining changes generally did not affect the numbers of faculty and courses, often because another degree was still offered in the same subject area.
New faculty members generally have less experience and lower rank than the faculty members they replace, but are paid nearly as much. Universities have some difficulties recruiting qualified applicants for positions; about one-fourth the job offers made were declined. Comparisons show that percentage increases in Regents’ faculty salaries between 1974 and 1985 generally kept up with inflation, but actual salaries and fringe benefits are generally lower than at the Regents’ peer institutions.
Entry Into Retirement Annuity Plans at the Regents’ Institutions
Most employees who were signed up immediately for a retirement annuity plan either had a valid contract or the required experience when they started work. But many of those employees got their contract just before they started; they had not been enrolled in a valid plan at another school. The State incurs a cost of about $250,000 a year to pick up these employee’ retirement contributions. The Legislature will need to determine if it intended for these contibutions to be picked up.
This report lists average classes taught and average hours spent each week in class for all levels of instructor, by school and by department. Graduate teaching assistants served as primary instructors for two-thirds of the 768 courses they were assigned to, mostly in math and English.