A Performance Audit
An Audit Report on Texas State University’s Compliance with Historically Underutilized Business and State Use Program Requirements
From September 1, 2017, through August 31, 2018, Texas State University (University) complied with most of the statutes, rules, and Comptroller’s Office requirements related to HUB planning and outreach.
In addition, the University complied with most HUB subcontractor monitoring requirements tested. However, it did not ensure that contractors (1) submitted their HUB Subcontracting Plans within the required timeframes or (2) consistently submitted monthly HUB-related Progress Assessment Reports as required.
The University also generally complied with HUB reporting requirements; however, it should improve its HUB reporting process to ensure that it accurately reports certain HUB information.
The University should strengthen its processes to ensure that it complies with all State Use Program requirements to ensure that purchasers verified whether products and services were available through the program for purchases made from September 2017 through February 2019.
Texas State University (University) had processes in place related to the historically underutilized business (HUB) program, and it complied with most of the applicable HUB planning requirements. In addition, the University complied with most of the HUB outreach and mentor-protégé requirements. However, the University should strengthen its processes to ensure that it (1) advertises in trade publications, and (2) obtains written Mentor-Protégé Program agreements as required.
The University Generally Complied with HUB Reporting Requirements; However, It Should Improve the Processes Used to Generate Certain HUB Reports
The University submitted all required reports within the required timeframes. This included the annual and semi-annual report of HUB-related expenditures and the State Agency Progress Report, which documents progress made in increasing the use of historically underutilized businesses. However, the University did not accurately report certain HUB expenditure data and other supplemental data included in the reports to the Comptroller’s Office during fiscal year 2018.
- Followed applicable laws, rules, and its policies and procedures regarding solicitation of HUB subcontractors
- Followed its best value criteria to select HUB subcontractors
- Documented the best value criteria that the University would use in HUB subcontractor selection
- Performed subcontracting analysis as required by its policy
- Included HUB Subcontracting Plan provisions
While the University did not have a comprehensive list of contracts, it provided auditors with the best contracting data available for use on this audit. The lack of a comprehensive list of all contracts makes it difficult for the University to ensure that all HUB information gets reported completely and accurately to internal and external parties. The University should strengthen its process to identify and track all contracts awarded within a fiscal year to ensure HUB data is reported completely and accurately.
The University Complied With Most Subcontractor Monitoring Requirements Tested; However, It Did Not Consistently Obtain Required Documentation
The University complied with most HUB subcontractor monitoring requirements. Specifically, the University developed and documented HUB subcontracting policies and procedures. In addition:
- For the five contracts tested, the contractors submitted HUB Subcontracting Plans, and those plans contained all sections as required.
- For the one contract tested that included certified HUB subcontractors, the University ensured that the subcontractors were HUBs at the time of solicitation.
However, for 2 (40 percent) of the 5 contracts tested, the University did not have documentation showing that the contractors submitted their HUB Subcontracting Plans within the timeframe required by Texas Government Code, Section 2161.
The University Should Strengthen Its Purchasing Processes to Ensure That It Complies with State Use Program Requirements
The University should strengthen its processes to ensure that it complies with all Purchasing from People with Disabilities (State Use Program) requirements. Specifically, the University:
- Had a policy that required its purchasers to check the availability of products and services through TIBH Industries prior to making a purchasing decision. However, it did not have any processes in place to verify that its purchasers complied with the policy.
- Did not track and report exceptions, which are purchases of goods and services available through the State Use Program but not purchased through it, to the Comptroller’s Office as required.
- Did not designate an employee to ensure that the University complies with State Use Program requirements.
From September 2017 through February 2019, the University reported to the Comptroller’s Office that it purchased goods and services totaling $5,953 through the State Use Program. However, as a result of not having processes in place to comply with State Use Program requirements, the University did not report any purchase exceptions to the Comptroller’s Office.
The University should strengthen the logical access and audit trail controls for the system used to track HUB-related expenditures. To minimize the risks associated with public disclosure, auditors provided the details about certain information security control weaknesses and the recommendations separately in writing to the University.
The University Should Strengthen Its Change Management Documentation and Monitoring of Third-party Vendors
The University had documented change management policies and procedures. However, the University should strengthen its change management policies to include all of the policy requirements outlined in the Department of Information Resources' Security Control Standards Catalog.
The University contracted with a third-party vendor for the use of a Web-based contract management and procurement systems. However, the University did not adequately monitor the vendor as required by the Department of Information Resources' Security Controls Standards Catalog.
Graphics, Media, Supporting documents