SALT LAKE CITY — Legislative auditors burned the midnight oil making covert site visits to all state colleges and universities in recent months to assess campus inventory and security controls.
Staff from Utah's Office of the Legislative Auditor General discovered dozens of exterior and interior doors accessible between the hours of midnight and 5 a.m.
The entries "did not involve forceful entry," the 59-page audit notes, but audit supervisor Leah Blevins told legislative leaders there were several instances of doors that were locked but not properly latched. In at least six instances, doors were unlocked.
However, "The ease with which auditors entered buildings is concerning, given that exterior entrances are the first line of defense in protecting assets in the building," according to the new audit requested by state lawmakers and made public Tuesday.
During campus visits conducted January through April, auditors accessed 31 of 76 campus buildings they attempted to enter after-hours.
Legislative auditors also determined that hundreds of master and grandmaster keys at state colleges and universities were lost or unaccounted for — 162 over five years at Utah Valley University alone.
Not only were many buildings, offices and classrooms not secured when auditors visited, they also observed equipment such as projectors, desktop computers, laptops, microscopes and televisions that had no inventory tags to track them or help ensure their return if misplaced or stolen.
"Without proper inventory controls in place, assets may be lost or stolen without institutions knowing about it," auditors wrote.
The audit, which was reported to the Utah Legislature's Audit Subcommittee Tuesday afternoon, shed light on practices that "reflect inadequate security awareness from institution personnel," auditors wrote.
House Speaker Greg Hughes, R-Draper, said a high-profile incident related to lax security on state campuses not only could embarrass the institution, it could result in National Collegiate Athletic Association sanctions depending on inappropriate access or thefts.
"When you see large schools, because they didn't have systems controls, they didn't have access to who was coming on their campus or who was at the stadium or who was there during practice. Agents have found their way onto campus and interacting with college athletes in ways that were not appropriate. Those schools were penalized for the lack of control they had at their campus because of who was able to access their campus," he said.
Hughes said that his fear, "beyond someone who has criminal intent, there is just a culture where these things are not noticed, these things are not kept track of, the access to campus is not being well observed. There are, I think, immense problems that can come from that."
Visits largely unreported
Auditors noted that the majority of their after-hours security tests were not reported to public safety officials "despite our suspicious activities on these campuses in the middle of the night," the audit states.
Doors on six of the buildings auditors accessed had been left unlocked, two of them by janitorial staff. Additionally, custodians allowed auditors to enter five buildings at two institutions by unlocking, propping or opening doors for them "even though we did not identify ourselves," the audit states.
Although most of the tests were conducted while there were public safety officers on campus, auditors were approached and questioned by officers at only two institutions.
"We are concerned with the consistent vulnerabilities found at each institution. While we agree with a Utah System of Higher Education security report that 'no physical controls are completely impregnable,' we feel that our tests demonstrated an alarming weakness in building security and security awareness. Furthermore, it was concerning how many interior rooms in these buildings, even ones containing valuable assets, were left unsecured," the audit states.
Some of the items in 150 rooms accessed by audit staff included live animals, biohazards and radioactive materials, along with technology and other expensive equipment.
"Five of these rooms alone contained assets worth hundreds of thousands of dollars," auditors wrote.
The report noted at least one school has made attempts to address security.
The University of Utah, for instance, reported giving two to four presentations a month on campus safety.
"The presentations included awareness about locking doors, not propping doors open, and not letting other people in building unless they are authorized to be there," the audit states.
Not only have institutions distributed significant numbers of master keys to employees, many of them are unaccounted for or lost, the audit states.
"The majority of institutions have not rekeyed despite the loss of master keys. We are concerned that the security of buildings and rooms may be compromised," the audit states.
At UVU, the audit found no affected buildings have been fully rekeyed.
At Utah State University, 95 building master keys were lost in the last five years and "only two entire buildings have been rekeyed," the audit states.
An inventory of keys at the University of Utah in August 2017 found 77 keys were lost from the U.'s Health Sciences Education Building. This building was not rekeyed either, auditors wrote.
At Salt Lake Community College, 13 campus and grandmaster keys have been misplaced in the last five years and none of the affected buildings have been fully rekeyed, according to the audit.
However, SLCC has rekeyed most of its classroom doors when upgrading them to electronic access, the audit notes.
While the audit acknowledges the costs of rekeying buildings, it recommended that state colleges and universities review controls over issuing master keys and conduct regular inventories of all keys.
"We recommend that institutions of higher education create safeguards in electronic access controls to eliminate access for those who no longer need it," the audit states.
The audit also recommended use of lockboxes that allow facility management employees to check out specific keys when needed to access to certain buildings. The lockboxes keep track of who checks out which keys, notes when they are returned, and can report via email if keys are not returned by a specific time. Such boxes are in use at Weber State University, the audit notes.
Assets not tracked
The audit notes seven of the eight institutions have not consistently tagged and tracked noncapital assets, "which is concerning, given that they purchased at least $27 million in noncapital assets in fiscal year 2017 alone."
Noncapital assets refers to equipment such as laptops, other classroom technology or lab equipment, among other items.
Each institution tracks its assets differently. Half rely on departments to track them, two have no required inventory controls and one has no policy.
"Because there are very few standardized requirements at institutions or from the regents, there is little accountability for noncapital assets," the audit states.
Legislative auditors recommended that the Utah State Board of Regents create and document a policy specifying requirements for noncapital asset tracking procedures.
Utah Commissioner of Higher Education David Buhler said he appreciated that auditors recognize the state's colleges and universities take security of data and capital assets seriously.
"This (referring the audit scope) is an area that needs more attention, which we'll give it," he said.
House Minority Leader Rep. Brian King, D-Salt Lake City, said now that the report is public and the campuses' vulnerabilities have been exposed, higher education officials need to work quickly to improve security practices.
"The knowledge that has been shared here today is very much a two-edged sword in the sense that as information gets out about vulnerability, we become more vulnerable unless we quickly take action," he said.
In his written response to the audit, Buhler noted that the state's colleges and universities "have made concerted efforts to be prudent stewards for higher education assets and I appreciate your recommendations on how we may further secure system assets."
Buhler wrote that the auditors' work to identify potential building security risks during nonbusiness hours was helpful.
"Institutional staff are actively working to correct exterior door deficiencies and to provide the recommended training to ensure interior and exterior doors are secured," he said.
Buhler noted that five of eight Utah institutions have policies that require them to track inventory.
"We agree with the auditors that tracking certain noncapital assets would benefit USHE institutions. I appreciate the auditors' recommendations that allow the Board of Regents to create a noncapital asset tracking policy that would benefit the system and its institutions. I will advance such a policy to the Board of Regents for their consideration and action as soon as possible," he wrote.