January 7, 2010

Towson U. criticized for undercharging students, computer security

Print More

By Natalie Neumann
Natalie@MarylandReporter.com

State auditors found eight “significant deficiencies” in the way Towson University operates, including undercharging out-of-state students and poor computer network security, according to a report released Thursday.

More than 21,000 students enrolled in the state’s second-largest public university in 2008, but the Office of Legislative Audits found Towson didn’t properly verify student residency.

For a full-time undergraduate student, in-state status can amount to a savings of more than $10,000 each year. The university has agreed to review some students’ residency statuses, as the auditors recommend. The admissions office will evaluate the residency of a 10 percent sample of new undergraduate students each term. The audit found four students who had been improperly given in-state status.

The OLA audits Towson every three years, as it does other state agencies, and some of the issues aren’t new to the university, including student residency tracking problems and computer security concerns.

Bruce Myers, the chief legislative auditor, said it’s not unusual to see to see computer issues and spending oversight problems in the audits, but he said he’s “disappointed at the number of repeat items.”

The latest audit found four deficiencies that were repeats or related to past problems. In the Towson audit completed in 2006, auditors found some employees could change students’ residency status, resulting in improper tuition refunds. Similar issues were found in the 2009 audit, especially concerning access to accounts.

Auditors also found Towson didn’t have secure computer networking. As found in the past, some user accounts had the ability to make changes to user profiles, and other data. Old employee accounts were active sometimes up to a year after termination, an issue not seen in previous audits.

Sometimes, default passwords weren’t changed. Plus, auditors found the university didn’t have sufficient security measures to protect Towson’s computer network from internal and external threats, an issue that also was found in a previous audit.

The university says it has done its best to improve security.

“Since the last audit, the university has done significant work to implement a … security strategy,” Towson’s response reads. “The university also feels it has adopted the best strategy for each firewall interface and will make necessary adjustments to meet this requirement.”

The audit was conducted March 16, 2006 through Feb. 8, 2009. In response to the auditors’ list of deficiencies, the university, with clarifications, agreed with their recommendations and has fixed or is in the process of fixing the problems.

The General Assembly can use the audit in assisting with its oversight responsibilities. During fiscal year 2008, the state appropriated $82.5 million to the university. Towson officials declined to comment about the audit.

The full audit report, along with Towson’s response to the audit can be found here.