Feb. 04--A new state audit says the University of Wisconsin System's payroll and benefits system continues to be at risk for security breaches that could lead to unauthorized payments to current employees or even fictional employees because access is not as tightly regulated as it should be.
The Legislative Audit Bureau audit of fiscal 2012-'13 found "material weakness in internal control"around security in the UW System's nearly 3-year-old automated Human Resource System.
The audit report recommends changes to increase security and improve overall operation of the payroll and benefits system -- changes that the UW System already is in the process of making, according to UW officials.
"What we are down to with the security risk is a known workflow of what we have to do," said David L. Miller, the UW System's senior vice president for administration and fiscal affairs.
The security risk involves having different people touching different parts of the process so one person cannot manipulate payroll or benefits, Miller said.
The UW System has "a very specific plan" to eliminate that risk by June 30, the end of the fiscal year, Miller said.
"We have 2,000 people with access to the (payroll and benefits) system," he said. "We have to go through each one and evaluate their touch....There are many steps to authenticating users and many ways to have internal controls built in that filter access and input and provide supervisory feedback."
The new audit of oversight of the Human Resource System and payroll and benefits processing was ordered after a January 2013 audit found the UW System had made an estimated $15.4 million in overpayments for health insurance premiums and overpaid pension contributions by an estimated $17.5 million between May 2011 and September 2012.
The audit bureau now estimates that state group health insurance billing errors between April 2011 and May 2013 will result in a loss of between $10.6 million and $12.7 million. The bureau noted the UW System had reduced overpayments for pension contributions by 90% between 2011 and 2012 -- from $17.5 million in 2011 to $1.8 million in 2012.
Miller said Tuesday that the UW System is current for both health insurance and pension contributions. Any errors that occur now are caught within the recovery period, so there are no financial losses, he said.
The system processed about 1.2 million payroll checks and nearly $2.9 billion in payroll-related expenses during the 2012-'13 fiscal year, which ended in June.
The new report said ongoing problems increased the cost of implementing the new Human Resource System, which the UW System had spent $78.6 million to plan and implement as of June 2012. Last fiscal year, the system spent nearly $3 million for efforts to correct immediate concerns. And another $2.8 million is budgeted for fiscal 2013-'14, the audit noted.
One of the key failings revealed by the audit was that UW System officials failed to significantly standardize and simplify business processes before putting the new $80 million system online.
Vast array of benefits
For example, the UW System offers its employees more than 50 different benefit plans, including five separate life insurance programs. Across the system, there are more than 900 separate payroll calendars. And a single employee may have four different job classifications and six different funding sources.
Auditors reported concerns in several areas, including the adequacy of the UW System's preparedness for implementation, problematic software modifications, incomplete implementation of Human Resource System components at some UW institutions, inadequate staff training, and the use of manual processes for benefit reconciliation.
While issues related to benefits overpayments have been resolved, the remaining issue of the system's security is a top priority to correct, Miller said.
The new audit of fiscal 2012-'13 found that 18 of 22 Human Resource System users identified a year ago as having "incompatible access," continued to have that access "that did not provide for proper separation of duties."