Bismarck State College Risk Assessment Results

October 14, 2011

Craig W. Popenhagen, CPA Principal 612/397-3087 cpopenhagen@larsonallen.com

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Bismarck State College

220 South Sixth Street, Suite 300 Minneapolis, MN 55402-1436 612-376-4500, Fax 612-376-4850

October 14, 2011 Mr. Larry Skogen Bismarck State College 1500 Edwards Avenue PO Box 5587 Bismarck, ND 58506-5587 Dear Mr. Skogen, This report provides you, Bismarck State College (BSC) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board’s acceptable risk level. LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided. In addition, the procedures performed by LarsonAllen are not a substitution for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide Bismarck State College with insight to inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project. We appreciate the opportunity to assist Bismarck State College. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance. Sincerely, LarsonAllen LLP

Craig W. Popenhagen, CPA Principal 612/397-3087 cpopenhagen@larsonallen.com

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Bismarck State College

Table of Contents
Executive Summary
What is Risk Assessment? Risk Assessment Methodology


1  1 

Project Overview
Objectives and Scope Approach


4  4 

Risk Assessment Results
Enterprise-Wide Risk Map Detailed Results


6  6 

Appendix
Impact Criteria Vulnerability Criteria

16 
16  16 

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Bismarck State College

Executive Summary
LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for Bismarck State College. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically. Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical representation of the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Detailed results are also provided communicating the explanation for the risk ranking and recommendations for addressing the risks.

What is Risk Assessment?
Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution whether it is entity or process level.  Entity level is the cornerstone for effective control and its objectives provide guidance on what the entity wants to achieve. It should be consistent with budget, strategy, and business plans.  Process level should align with entity level objectives but differ in that they relate directly to goal setting with specific targets and deadlines. It provides guidance for management focus.

Risk Assessment Methodology
The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for Bismarck State College.

©2011 LarsonAllen LLP

1

Enterprise-Wide Risk Assessment | Bismarck State College

Understand the Client’s Business: We begin by understanding the North Dakota University System’s (the System) business by gathering the business objectives, goals, and strategies and identify the System’s various universities and colleges in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry. Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of an institution to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken in the form of missed opportunities. There are six types of risks:  Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the institution’s inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the institution’s reputation.  Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.  Operational: The risk that the institutions operational processes are not achieving the objectives they were designed for to support the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.  Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.  Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the institution and the availability and quality of information the institution can access to support decision making, and the security of key information.  Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships. Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.

©2011 LarsonAllen LLP

2

Enterprise-Wide Risk Assessment | Bismarck State College

Areas of Focus               

Definitions Financial Stakeholder Reputation Legal / Regulatory Operations

Impact

Vulnerability

Control Efficiency & Operating Effectiveness Speed of Response Complexity People Operational Efficiency System Capability Rate of Change

Measurement Scale

High Risk Moderate Risk Low Risk

Execute Risk Assessment Approach: We begin by identifying various interview participants, including key risk owners and conduct interviews, as applicable. Key risks are gathered during this stage and results are ranked by defined impact and vulnerability criteria. Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then validated and shared with management, as appropriate. By prioritizing and validating risks, Bismarck State College can align and prioritize its resources to manage and mitigate risks appropriately.

©2011 LarsonAllen LLP

3

Enterprise-Wide Risk Assessment | Bismarck State College

Project Overview
Objectives and Scope
The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at Bismarck State College and assess the levels of risk within each of the process areas. In addition, provide Management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process. The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution: Functional Area / Process
Academic Affairs Athletics Campus Safety & Security Continuing Education Emergency Preparedness Environmental Health & Safety Financial Close & Reporting

Detailed Coverage of Functional Area / Process
On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance Building security, campus police/security Non-credit courses, community programs, workforce training, conference management Emergency preparedness and response procedures, business continuity, risk management Physical safety and soundness of campus buildings, environmental risks, facilities/classroom Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action Grant tracking and monitoring, accounting, budgeting, reporting, foundation, donor concentrations, foundation investment strategy Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk Social media, publications, web development, brand and logo, advertising channels Bookstore, libraries, food services Workforce training, competency, professional environment, conflict of interest Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services Student/financial aid, tuition, enrollment fees, scholarships, funding, student loan processing
4

Governance

Grant Administration

Human Resources & Payroll Information Technology

Marketing / Communications Operations & Auxiliary Services Faculty & Staff Student Affairs Student Financial Processing

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Bismarck State College

Approach
With the assistance of Bismarck State College management, LarsonAllen identified 15 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area. Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).

©2011 LarsonAllen LLP

5

Enterprise-Wide Risk Assessment | Bismarck State College

Risk Assessment Results
Enterprise-Wide Risk Map
The enterprise-wide risk map communicates the risk results at the functional area / process level based on the information obtained during the interviews. The description of the risk map is as follows:    Green – Low Risk Yellow – Moderate Risk Red – High Risk

©2011 LarsonAllen LLP

6

Enterprise-Wide Risk Assessment | Bismarck State College

Detailed Results
Per discussions with process owners, LarsonAllen identified several processes where specific risks may exist. These risks identified were considered in the overall risk ranking of each key financial, operational, and IT processes. The risks identified were based upon discussions with process owners and not based on actual testing of controls. The following is a list of the risks identified by LarsonAllen, in addition to the risk ranking and recommendations for addressing the risks. Functional Risk Area / Process Ranking Identified Risk Proposed Recommendations
Implement a formal communication and followup process between middle management and staff to improve communications of day-to-day responsibilities. Consider involving end users, as applicable, when developing policies and procedures to ensure the processes and personnel that are directly impacted can provide input, resulting in smoother implementations. Identify opportunities on how to reach out to a broader group of potential students. In addition, market studies should be performed on potential course offerings to improve attendance. Identify potential opportunities to improve data storage and utilize a single source location for non BSC related external academic data and information. Focus on expanding and improving online programs currently available to students and continue to expand online education courses. Internal controls should be reviewed to identify potential risks related to existing cash receipts processes. No proposed recommendation. BSC will work with the NDUS internal auditor to identify procedures to review these internal controls.

Institution Response
BSC Operations Council will follow-up to further assess this risk to determine a proper response to resolve this issue. The Operations Council will review the policies and procedures process for improvements relative to this risk.

Moderate Middle management is not always knowledgeable of the responsibilities their staff is performing as management does not always have time to spend with the staff. Moderate Policies and procedures are developed without input from end users who utilize the documents on a day-to-day basis.

Academic Affairs

Low

Increasing concerns related to declining North Dakota graduation rate.

Low

External academic data and information (non BSC) is not maintained in a central repository (database). This has an impact on quality and timeliness of decision making. Potential risk of online/virtual schools coming to North Dakota which could impact student enrollment.

Low

Athletics

Moderate Adequacy of cash handling and monitoring controls around concessions, ticket and fund raising revenue. Low Controls and procedures related to granting of scholarships and NJCAA compliance.

©2011 LarsonAllen LLP

7

Enterprise-Wide Risk Assessment | Bismarck State College

Functional Risk Area / Process Ranking
Athletics Low

Identified Risk
Adequacy of standards and ethics within the athletic department.

Proposed Recommendations
No proposed recommendation. BSC should identify additional security officers/resources to improve overall safety concerns.

Institution Response

Moderate Increase overall security force size to improve monitoring of campus activities.

Campus Safety & Security

BSC recently hired a security guard to complement the law enforcement supervisor who is a licensed police officer. An MOU is being finalized with Bismarck PD for added services. Additionally, cameras have been installed on all campus-owned facilities. Operational times are monitored so buildings are open only when needed. Additional security checks are provided on buildings open after standard hours. Computerized locking devices are being considered for the future.

Moderate Improvements potentially needed in relation to BSC should review current policies related to “open campus” and overall building security. open/close times for individual campus buildings. Buildings should only remain unlocked based on operational needs with appropriate security.

Low

Program currently does not receive funding and must create revenue internally. Risk of funding if the number of conferences or open enrollment classes, etc. declines.

Continuing Education

BSC should monitor attendance in current programs to identify decreasing attendance and enrollment. Also, continue to identify additional continuing education programs based on market demands.

Low

Overall reporting needs are not being met (i.e. BSC’s information technology team should PeopleSoft is not as feasible for this program. identify potential solutions to report generation They need to run revenue reports several times concerns within PeopleSoft. throughout the year as it is earned since they do not receive funding). Identify and implement additional emergency procedure training across the campus. BSC should assess the need to develop and maintain a formal business continuity plan. This is a high priority for BSC. The emergency manual is currently being reviewed and training is being developed. BSC will go through an assessment process related to the development of a formal business continuity plan.

Moderate There is a lack of training as it relates to the Emergency Procedures Manual. Emergency Preparedness Moderate Lack of formal policy and procedures related to business continuity.

©2011 LarsonAllen LLP

8

Enterprise-Wide Risk Assessment | Bismarck State College

Functional Risk Area / Process Ranking
Environmental Health & Safety Low

Identified Risk

Proposed Recommendations

Institution Response

There are concerns related to the overall safety BSC should continually monitor the overall of campus facilities. safety of all buildings on campus to identify potential need for improvements. The cash reconciliation process should be reviewed and assessed to identify potential capabilities to automate the process. In addition, identify existing inefficiencies or process breakdowns. The cash reconciliation process has been reviewed. Inefficiencies have been corrected and reassignment of duties has been made to improve timeliness of the process.

Moderate Cash reconciliation process is complex and very time intensive. In addition requires the use of multiple spreadsheets in the process.

Moderate Lack of controls in CETI’s registration system to properly secure credit card information.

Controls should be established to properly secure A NDUS-wide system for continuing credit card information in accordance with education activities is currently being policy. investigated which will have improved credit card security. A schedule of all reconciliations should be The recommendation is being implemented, created to identify the individual responsible for beginning with FY 12. executing the reconciliation and expected timeframe for completion. This schedule should be reviewed by management on an ongoing basis to identify any delays. BSC should review all significant processes and BSC will work with the NDUS internal identify the potential need for additional controls auditor to identify procedures to review these to enforce appropriate segregation of duties. internal controls.

Financial Close & Reporting

Moderate Balance sheet reconciliations are not being completed on a consistent basis.

Moderate Segregation of duties controls should be reviewed on key cash receipts areas. In addition, noted that the person who enters payments and prints the checks also has the ability to set up a vendor. Low Bad debt and other reserves that are applicable are only analyzed and adjusted on an annual basis.

Accounting estimates and judgments should be reviewed on a timely basis to minimize any inadequacies.

©2011 LarsonAllen LLP

9

Enterprise-Wide Risk Assessment | Bismarck State College

Functional Risk Area / Process Ranking
High

Identified Risk
BSC has concerns related to compliance with internal audit standards, policy and procedures and federal/state regulatory guidelines.

Proposed Recommendations
BSC should assess the need to hire a director of internal audit and compliance to perform ongoing reviews.

Institution Response
Due to lack of resources to hire an internal auditor, BSC will work with the NDUS internal auditor to identify areas of high risk and a process for completing ongoing reviews. Policies and procedures have been recently grouped by topic on the website to assist in ease of search.

Moderate Lack of understanding by end users related to how policies are categorized and where they are stored. In addition, policies are not always clearly titled to reflect content. Need to align BSC policies with NDUS policies in relation to direction and approach, content and format. Better correlation could bring some efficiency. Governance Moderate Concerns with electronic document imaging and the need to increase use across most functional areas to enhance security of information. Moderate Inability to properly obtain statistical data to adequately measure success and obstacles related to strategic vision and plan.

BSC should inventory all current policies and procedures. Existing policies and procedures should be reviewed for adequacy and accuracy based on current operations. For areas that are deficient, key stakeholders should create detailed policies and procedures.

Policies and procedures are reviewed regularly by the operations council for relevance and accuracy. Human Resource BSC should work closely with the System Office department tracks all changes, deletions and to better align policy quality, format and content. new policies. Identify additional opportunities to utilize electronic document imaging and enhance the security of information. BSC should assess the need to develop a central repository to maintain statistical data. BSC should work closely with the System Office as well as other Campuses to identify any leading practices. BSC will be proceeding with enhancement of document imaging across campus in FY 12. Security and internal control concerns will be considered in the roll-out. BSC is waiting to hear the results of an application for a Title III grant that would provide significant resources to assist in development of statistical data for measurements and assessment.

Low

Overall System office relationship with BSC is BSC should work in conjunction with key good. However, certain improvements related System Office stakeholders to identify specific to communications of policies and procedures, areas to improve the overall relationship. training, and regulatory interpretation could be improved.

©2011 LarsonAllen LLP

10

Enterprise-Wide Risk Assessment | Bismarck State College

Functional Risk Area / Process Ranking
Low Grant Administration Low

Identified Risk
Legislative changes related to federal grant recipients. Donor base concentration and investment strategy.

Proposed Recommendations
No proposed recommendation. No proposed recommendation. Human Resources and senior management should assess current FTE workload by department. Identify areas of concern and suggest departmental changes to better manage existing workload. Information technology personnel should work in conjunction with payroll personnel to identify potential automated controls within the existing PeopleSoft system. An automated workflow should be established to properly secure employee information.

Institution Response

Moderate Employee work load is a concern.

BSC regularly assesses workload in various departments and strategically adds new positions as it fits within the budget. Departments are also encouraged to review workflow to enhance operations and reduce workload through improved efficiencies. BSC is collaborating with an NDUS-wide team reviewing payroll procedures for improved efficiencies for all the campuses.

Human Resources & Payroll

Moderate Payroll processes are very manual (i.e. Excel spreadsheets are used to calculate hourly employees payroll, sick and vacation time and manually key into PeopleSoft upon manual approval). Low Payroll orders are currently being sent via regular mail and concerns about employee IDs being exposed if the payroll orders do not arrive to their destination.

©2011 LarsonAllen LLP

11

Enterprise-Wide Risk Assessment | Bismarck State College

Functional Risk Area / Process Ranking
High

Identified Risk
No formal disaster recovery plan.

Recommendations
BSC should assess the need to develop and maintain a formal disaster recovery plan. This would include, but are not limited to,  Risk exposures  Recovery team responsibilities  First response process/procedures  Functional assessment process  Asset protection  Communications approach  System recovery timeframes  Maintenance/testing  Training BSC should assess the need to develop and maintain a formal and comprehensive information security plan. BSC management should work closely with the information technology department to identify opportunities to improve system capabilities to produce reports on an as needed basis.

Institution Response
BSC recognizes this risk and plans to begin developing a formal disaster recovery plan within the next year.

Information Technology Moderate Lack of a comprehensive information security policy and procedure manual. Low Inability to extract data for BSC to report to the state, leadership, auditors, etc.

Information services will meet with the operations council to assess the need for an information security plan.

©2011 LarsonAllen LLP

12

Enterprise-Wide Risk Assessment | Bismarck State College

Functional Risk Area / Process Ranking

Identified Risk

Recommendations
BSC should identify criteria necessary to assess key performance indicators and work closely with the information technology department to identify system capabilities to produce the required information. BSC should identify additional marketing opportunities on how to reach out to a broader group of potential students. BSC should identify opportunities on how to reach out to a broader group of potential students.

Institution Response
BSC is waiting to hear the results of an application for a Title III grant that would provide significant resources to assist in development of statistical data for measurements and assessment. BSC has dedicated funding to improve marketing efforts as well as implementing other strategies as identified in the Enrollment Management Plan. BSC has been aware of this risk for years. Our online programming success is a result of efforts to reach out to a broader group. The Enrollment Management Plan was developed in part to address this risk.

Moderate Improvements needed to report on key performance indicators (i.e. how much does it cost per student for marketing techniques, how are dollars being spent, and how can they adjust the dollars to create more opportunities). Moderate Need to improve marketing locally and nationally to impact additional potential students. Marketing & Communications Moderate Competition is a growing concern with the other universities and colleges in ND.

Low

Lack of approval and review related to changes made to the BSC’s internet web page.

Controls should be established to limit who has the capabilities to make media changes. In addition, a formal approval policy should be established. Overall internal controls should be reviewed and assessed to identify potential risks related to all auxiliary services. BSC should review current conflict of interest policy for adequacy. In addition, identify the potential need for additional controls to enforce appropriateness of vendor/employee relationships.

Operations & Auxiliary Services

Low

Adequacy of financial controls from auxiliary services. Conflict of interest in relation to vendors and employees.

Low Faculty & Staff

©2011 LarsonAllen LLP

13

Enterprise-Wide Risk Assessment | Bismarck State College

Functional Risk Area / Process Ranking

Identified Risk

Recommendations
Additional controls should be implemented to properly secure academic records and other privacy specific information in accordance with federal/state regulatory requirements.

Institution Response
A team will be developed to include the Registrar/Academic Records, Counseling Office, Safety and Security and Academic Affairs in developing guidelines and procedures for sharing student information (outside of Campus Connection System) to ensure federal and state compliance as well as used to assist students.

Moderate Confidentiality of academic records.

Moderate Additional needs from the System Office related to training for compliance (i.e. SFA changes).

BSC should identify the specific needs related to an appropriate learning and development plan in relation to compliance.

Student Affairs

BSC representatives on the various NDUS Councils (Academic Affairs, Administrative, and Student Affairs) will work through those councils in communicating and collaborating Upon completion, BSC should work closely with with the system to assist with federal the System Office to identify opportunities to regulations impacting the 11 campuses. receive the necessary training or identify if other methods are needed. Key BSC stakeholders should identify areas for The background check committee will assess improvements related to the existing background the current procedures and bring check process for future and current students. recommendation forward to the appropriate offices on campus. BSC should assess the need to develop and maintain formal policies in relation to social event hosting with outside groups utilizing BSC facilities.

Moderate Improved controls needed for background checks for students.

Low

Concern related to BSC policies that conflict with other partnership groups utilizing campus services (i.e. when they have K-12 programs on campus or when BSC host/maintain events with alcohol. Lack of policies and liability concerns.)

©2011 LarsonAllen LLP

14

Enterprise-Wide Risk Assessment | Bismarck State College

Functional Risk Area / Process Ranking

Identified Risk

Recommendations

Institution Response
BSC recently completed a comprehensive review of course fees which resulted in the development of course fee criteria and a process for requesting course fees and changes to course fees. Additionally, course fee fund balances will be reviewed on a semiannual basis to assure funds are being spent appropriately and timely.

Moderate Course fees are currently not a key area of Internal monitoring controls should be reviewed focus at BSC. For example: to evaluate course fees.  What is being done with the course fees, usage, can unused funds be carried over or Student Financial counted as reserves? Processing  Is the fee established at the right dollar amount?  Is the fee too high, is the College charging too much?

©2011 LarsonAllen LLP

15

Enterprise-Wide Risk Assessment | Bismarck State College

Appendix
Impact Criteria
IMPACT CRITERIA
FINANCIAL (1) Asset size (2) Prior negative exposure (3) Rapidly increasing transaction volume STAKEHOLDER (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns REPUTATION (1) Potential adverse issues are known to external parties, such as media and regulatory bodies LEGAL / REGULATORY (1) Any Federal/ State/Other action (2) External Audit reportable conditions OPERATIONS (1) Current infrastructure cannot support business strategy

HIGH

MEDIUM

(1) Asset size (2) Major potential cost (3) Transaction volume stable

LOW

(1) Asset size (2) Minor potential cost (3) Transaction volume stable

(1) Management, employees and faculty may be affected by process inefficiencies or control breakdown (1) No management, employees and faculty are affected by process inefficiencies or control breakdown

(1) Potential adverse issues could impact customers

(1) Issues identified by Federal/State/ Other (2) Issues identified by External Audit (1) No issues identified by Federal/State/ Other (2) No issues identified by External Audit

(1) Current infrastructure is able to support business strategy with work arounds (1) Current infrastructure is able to support business strategy

(1) Potential adverse issues could impact employees

Vulnerability Criteria
VULNERABILITY CRITERIA
CONTROL EFFECTIVENESS AND EFFICIENCY SPEED OF RESPONSE COMPLEXITY PEOPLE OPERATIONAL EFFICIENCY SYSTEM CAPABILITY RATE OF CHANGE

Controls are not working or do not exist.

HIGH

No method for anticipating and accessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.

Manual processes with many data transfer points and owners

MEDIUM

Controls are detective but not preventative and there may or may not be effective reporting.

A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.

Automated process encompassing multiple systems and owners.

A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists. A limited number of staff and/or staff has moderate competency to manage risk event.

High/unmeasure d cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.

Systems are not operating as designed or design is flawed; very limited controls

Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.

Systems are operating as designed, but design can be improved; controls are bolted on top of the system.

LOW

Controls are appropriately preventive and detective and there is effective reporting.

A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.

Automated processes with integrated systems.

Most staff has high competency to manage risk events.

Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.

Systems are designed, implemented, and operating effectively; controls are embedded in the system.

Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months. Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months. Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.

©2011 LarsonAllen LLP

16

Dakota College Bottineau Risk Assessment Results
October 14, 2011

Craig W. Popenhagen, CPA Principal 612/397-3087 cpopenhagen@larsonallen.com

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Dakota College Bottineau

220 South Sixth Street, Suite 300 Minneapolis, MN 55402-1436 612-376-4500, Fax 612-376-4850

October 14, 2011 Dr. David Fuller Minot State University 500 University Avenue West Minot, ND 58707 Dr. Fuller, This report provides you, Dakota College Bottineau (DCB) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board’s acceptable risk level. LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided. In addition, the procedures performed by LarsonAllen are not a substitution for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide Dakota College Bottineau with insight to inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project. We appreciate the opportunity to assist Dakota College Bottineau. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance. Sincerely, LarsonAllen LLP

Craig W. Popenhagen, CPA Principal 612/397-3087 cpopenhagen@larsonallen.com

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Table of Contents
Executive Summary
What is Risk Assessment? Risk Assessment Methodology


1  1 

Project Overview
Objectives and Scope Approach


4  4 

Risk Assessment Results
Enterprise-Wide Risk Map Detailed Results


6  7 

Appendix
Impact Criteria Vulnerability Criteria

37 
37  37 

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Executive Summary
LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for Dakota College Bottineau. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically. Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical representation of the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Detailed results are also provided communicating the explanation for the risk ranking and recommendations for addressing the risks.

What is Risk Assessment?
Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution whether it is entity or process level.  Entity level is the cornerstone for effective control and its objectives provide guidance on what the entity wants to achieve. It should be consistent with budget, strategy, and business plans.  Process level should align with entity level objectives but differ in that they relate directly to goal setting with specific targets and deadlines. It provides guidance for management focus.

Risk Assessment Methodology
The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for the Dakota College Bottineau.

©2011 LarsonAllen LLP

1

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Understand the Client’s Business: We begin by understanding the North Dakota University System’s (the System) business by gathering the business objectives, goals, and strategies and identify the System’s various universities and colleges in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry. Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of an institution to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken in the form of missed opportunities. There are six types of risks:  Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the institution’s inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the institution’s reputation.  Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.  Operational: The risk that the institutions operational processes are not achieving the objectives they were designed for to support the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.  Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.  Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the institution and the availability and quality of information the institution can access to support decision making, and the security of key information.  Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships. Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.

©2011 LarsonAllen LLP

2

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Areas of Focus               

Definitions Financial Stakeholder Reputation Legal / Regulatory Operations

Impact

Vulnerability

Control Efficiency & Operating Effectiveness Speed of Response Complexity People Operational Efficiency System Capability Rate of Change

Measurement Scale

High Risk Moderate Risk Low Risk

Execute Risk Assessment Approach: We begin by identifying various interview participants, including key risk owners and conduct interviews, as applicable. Key risks are gathered during this stage and results are ranked by defined impact and vulnerability criteria. Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then validated and shared with management, as appropriate. By prioritizing and validating risks, Dakota College Bottineau can align and prioritize its resources to manage and mitigate risks appropriately.

©2011 LarsonAllen LLP

3

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Project Overview
Objectives and Scope
The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at Dakota College Bottineau and assess the levels of risk within each of the process areas. In addition, provide Management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process. The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution: Functional Area / Process
Academic Affairs Athletics Campus Safety & Security Continuing Education Emergency Preparedness Environmental Health & Safety Financial Close & Reporting

Detailed Coverage of Functional Area / Process
On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance, player and spectator liability Building security, campus police/security Non-credit courses, community programs, workforce training, conference management Emergency preparedness and response procedures, business continuity, risk management Physical safety and soundness of campus buildings, environmental risks, facilities/classroom Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action Grant tracking and monitoring, accounting, budgeting, reporting Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk Social media, publications, web development, brand and logo, advertising channels Bookstore, libraries, food services Workforce training, competency, professional environment, conflict of interest Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services Student financial aid, tuition, enrollment fees, scholarships, funding, student loan processing
4

Governance Grant Administration Human Resources & Payroll Information Technology

Marketing / Communications Operations & Auxiliary Services Faculty & Staff Student Affairs

Student Financial Processing

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Approach
With the assistance of Dakota College Bottineau management, LarsonAllen identified 14 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area. Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).

©2011 LarsonAllen LLP

5

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Risk Assessment Results
Enterprise-Wide Risk Map
The enterprise-wide risk map communicates the risk results at the functional area / process based on the information obtained during the interviews. The description of the risk map is as follows:    Green – Low Risk Yellow – Moderate Risk Red – High Risk

The following functional areas / processes are not on the above risk map as there were no risks identified by stakeholders, per the interview discussions:  Continuing education

©2011 LarsonAllen LLP

6

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Detailed Results
Per discussions with process owners, LarsonAllen identified several processes where specific risks may exist. These risks identified were considered in the overall risk ranking of each key financial, operational, and IT processes. The risks identified were based upon discussions with process owners and not based on actual testing of controls. The following is a list of the risks identified by LarsonAllen, in addition to the risk ranking and recommendations for addressing the risks. Functional Risk Area / Process Ranking Identified Risk Proposed Recommendations
Perform an assessment to determine if athletic expenses are subsidized by enrollment and develop actions plans based on the results.

Institution Response
Dakota College at Bottineau (DCB) has three varsity sports that are atypical of the athletic programs at North Dakota Community Colleges. They are as follows: Ice Hockey, Football, and Fast Pitch Softball. For 2011-2012, we expect 28 participants in Ice Hockey, 55 in Football, and 15 in Fast Pitch Softball. Hockey has a 36 year history at the College and participant numbers have been stable over the years. Football and Softball are relatively new and participant numbers have been increasing from yearto-year. It is a fair assumption that nearly all the student-athletes in these three varsity sports would not have attended DCB if we didn’t have these programs. It is also fair to say that the income derived from enrolling nearly 100 additional studentathletes more than covers the expense of operation. Auxiliaries also benefit from additional students who require services, e.g. bookstore, residence halls, dining. However, a detailed review of revenue vs. expense ratio for the entire athletic program is appropriate and ought to be done to confirm our assumptions with a detailed analysis.

Moderate Enrollment is significantly dependent on athletics and there are concerns whether the current and future expenses/costs are appropriately subsidized by enrollment.

Academic Affairs

©2011 LarsonAllen LLP

7

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Indentify additional marketing opportunities to reach a broader market, including networking with other colleges and universities within North Dakota, additional services to support programs fees, and identify additional grant opportunities.

Institution Response
The Entrepreneurial Center for Horticulture (ECH) staff has formed beneficial relationships with North Dakota State University (NDSU), Turtle Mountain Community College and Montana State University. The ECH Director partnered with NDSU and the Scaling Up Local Food team to host a Local Food Summit on May 19th. The summit hosted almost 50 academics and researchers, many of them employed at NDSU, to explore the current research and programs being conducted in this area and gaps in knowledge base or data that could be addressed by university and college personnel. The ECH Director worked with a consultant and NDSU faculty to design an appropriate agenda using NDSU’s GroupSystems electronic meeting system. On July 11th, NDSU personnel involved with the project as well as two members of the Scaling Up Local Foods team worked to interpret the data. Results of the meeting are expected to be published fall of 2011. In addition, the ECH has conducted high tunnel build workshops that have been attended by NDSU faculty, grad students and interns. These workshops were an important connection between the two colleges as NDSU explores the possibility of larger scale research on high tunnel production that will complement the ECH’s technical transfer mission. Harlene Hatterman Valenta, High Value Crop Specialist in the Department of Plant Sciences at NDSU, works with the ECH Director to share producer contact information and needs and to ensure gaps in producer education are being met.

Moderate Concerns related to funding for future growth of the Entrepreneur Center for Horticulture.

Academic Affairs

©2011 LarsonAllen LLP

8

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking
Moderate

Identified Risk

Proposed Recommendations

Institution Response
Dakota College at Bottineau’s neighboring college, Turtle Mountain Community College, has worked with the ECH on several occasions and the staffs at both colleges are continuing to explore partnerships. The TMCC Improving Family Health through Gardening Program provides at least 10 families per district (over a four year time span) educational opportunities (gardening basics, Native American gardening, food safety, nutrition, food preservation, weed & pest control, horticulture, and cottage industry) and gardening assistance (tilling of garden, seeds, and seedlings). The ECH Director has been a guest lecturer at these classes on more than one occasion. As the ECH builds its Sustainable Vegetable Production program and outreach to producers, TMCC and ECH staff hopes to integrate the courses and facilities of both programs for the benefit of students. Although Montana State University is not within North Dakota, they are a neighboring college and they are currently running a program that serves needs of producers in 11 counties in the western portion of the state. The Farm-to-Table project is administrated by Montana State University Extension personnel and funded by Community Giving Assistance Towards Employment (GATE), a 501(c)3 non-profit based in Glendive, MT. Their mission is to develop a sustainable local food system in eastern Montana and western North Dakota, increasing the vitality of rural communities. Farm-toTable works collaboratively with all sectors of the local food economy, including growers,

Academic Affairs

©2011 LarsonAllen LLP

9

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking
Moderate

Identified Risk

Proposed Recommendations

Institution Response
value-add producers, restaurants, stores, institutional food services and individual consumers to achieve our goal of a local food system. The ECH Director and Bruce Smith of MSU-Extension and Farm to Table have cooperated on several educational and outreach activities. The ECH will continue this relationship to form a long lasting relationship with MSU-Extension for the benefit of western North Dakota producers. To provide additional revenue for the ECH, the program has initiated talks with the Colleges’ food service provider, Sodexo. Sodexo also services the Minot State University campus. The ECH staff has been working with Sodexo representatives on campus and in their main office to identify products that could be grown at the ECH demonstration facilities and incorporated into the meals served on both DCB and MSU campuses. Additionally, the ECH is in its second year as a CSA provider. A CSA, Community Supported Agriculture, garden sells shares in its produce to community members who then receive weekly allotments of the harvest. The CSA will increase in shareholders and produce sold as the demonstration facilities are constructed making longer season sales possible.

Academic Affairs

©2011 LarsonAllen LLP

10

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking
Moderate

Identified Risk

Proposed Recommendations

Institution Response
Beginning in the spring of 2012, the ECH will register students into its Sustainable Vegetable Production Program which will increase revenue for the school and the center. A faculty person has been hired for this program, the program has been approved by the board of Higher Education and Academic Affairs Council, all instructors have been identified and course outlines have been published. Additionally, the faculty person hired will have the main responsibility of teaching small business management specifically to vegetable producers across the state. This position is partially supported by funding through the North Dakota Department of Career and Technical Education and all students are tuition based. These additional revenues will add to the sustainability of the center. Although the ECH did not apply in the 2011-2012 funding cycle on its own behalf, the program did submit a Specialty Crop Block Grant application on behalf of the North Dakota Farmers Market and Growers Association which it administers. This grant has provided funding to the ECH in the past and will provide administrative costs in the 2011-2012 granting cycle to the program. The ECH will continue to apply for this grant in each funding cycle.

Academic Affairs

©2011 LarsonAllen LLP

11

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking
Moderate

Identified Risk

Proposed Recommendations

Institution Response
The Federal EDA University Center funds, which got the ECH off to a fantastic start in 2007, will again be available for competitive grant application in 2012. The EDA has encouraged the ECH to reapply for funding through this program and has kept the ECH Director informed of any changes or update to this program in anticipation of that application. A new change within this program is that it has moved from a three year to a five year grant. If successful in receiving another round of University Center funding, the ECH would have a reliable income for a five year period. In addition, other granting sources have been identified which include but are not limited to: the Organic Farming Research Fund, the Sustainable Agriculture Research and Education Fund, the Ceres Trust, and several USDA sponsored programs. The ECH will apply for these grants as they become available and match the activities and needs of the ECH and its clients.

Academic Affairs

©2011 LarsonAllen LLP

12

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Perform a cost/benefit analysis to determine if it makes good business sense to continue classes, programs, and majors that have low enrollment.

Institution Response
Dakota College conducts an ongoing analysis of low enrollment classes and programs. In recent years, the following programs have been dropped because of low enrollment: Water Technology, Geographical Information Systems, Database Technology, Information Assurance, Music, Operating Systems, Legal Secretary, and others. Some low enrollment classes do remain because they provide critical content for a variety of major programs. It is advisable that the College construct a valid and reliable formula that can be applied to all academic programs to determine cost of program vs. tuition revenue derived. By so doing, the institution can make more astute decisions about the benefit of retaining low enrollment courses and programs.

Moderate Concerns related to certain classes that are being offered due to low enrollment and programs that are offered with no majors.

Academic Affairs

©2011 LarsonAllen LLP

13

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Provide ongoing training and class schedule update information for advisors to be the most effective for students. In addition, consider implementing a student feedback process for the advisors and the institution to gain visibility to strengths and weaknesses of the academic advising process.

Institution Response
A way to measure student satisfaction with DCB’s academic advising function is to employ a measurement instrument that uses performance gap scores. A large performance gap score, for example a score of 1.5, shows that the institution is not meeting students’ expectations, whereas a zero or small gap score such as .50 indicates that the institution is close to meeting students’ expectations. When the College’s academic advising component was measured in March, 2010, the gap score was .54, the national performance gap was .94, and the North Dakota University System performance gap score was .87 for four-year institutions and .56 for twoyear institutions. The data shows that Dakota College compares favorably to its national and NDUS college peers in regard to the effectiveness of its academic advising practices. However, more information is needed concerning the relative strength of the elements that comprise the advising process. This information will give direction to the College’s desire to hire an advising/retention specialist.

Moderate Lack of training for academic advisors to allow advisors to be the most effective for students, including being knowledgeable about what classes are only offered every other year, etc.

Academic Affairs

©2011 LarsonAllen LLP

14

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking
Low

Identified Risk
Identifying a faculty member for the new program starting this fall in the Entrepreneur Center for Horticulture.

Proposed Recommendations

Institution Response

Continue to focus on identifying a faculty A faculty member has been hired for this new member the new program within the program that is connected to the Entrepreneurial Entrepreneur Center for Horticulture, Center for Horticulture including networking with other colleges and universities. Continue to identify opportunities on how to reach out to a broader group of potential students. In addition, market studies should be performed on potential major and course offerings to improve enrollment. Faced with declining numbers of North Dakota high school graduates, the campus has aggressively sought new markets for potential students. A clear example is the out-of-state student market and the efforts DCB has undertaken to attract this segment. Over the last five years, the percent of non-residents in the College’s new student population has risen from 13% to 20% to 24% to 38% to 49%. Online enrollment has also increased dramatically since a modest beginning in 2001. In Fall 2001, the Online Program enrolled nine students in three classes for a total of nine registrations; in Fall 2010, 269 students were enrolled and there were 616 registrations of online students. A similar scenario has unfolded for the Dual Credit Program. Up until five or six years ago, a handful of Bottineau students, schedules permitting, walked to campus to earn college credit in general education classes. During the Fall of 2010, DCB enrolled 161 Dual Credit students from ten area high schools. In an effort to serve the adult working population in the state, the College has developed a comprehensive Prior Learning Credit Program whereby citizens can have their occupational experiences evaluated for college credit. The Prior Learning initiative is in its

Low

The number of high school students graduating from North Dakota is declining and competition is high with other North Dakota colleges and universities to attract and retain students.

Academic Affairs

©2011 LarsonAllen LLP

15

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking
Low

Identified Risk

Proposed Recommendations

Institution Response
second year and is gaining momentum. It is proving to be an ideal program for adults who have close to enough credits for a degree, diploma, or certificate in that they can supplement the credits they have earned with work experiences. Prior Learning credits will be an especially valuable tool for the University System’s Non-Traditional No More initiative. Dakota College at Bottineau has also taken the necessary steps to be officially named a Military Friendly Campus by the United States Armed Services. As such, the military promotes DCB to service men and women through programs titled MyCAA and GEM. The College has begun to provide for-credit coursework to soldiers through this two-year old program. The faculty and staff at DCB monitor potential major and course offerings on an ongoing basis. Examples of new major offerings are Paraeducation, Caregiver Services, Paramedic (EMT) Technology, Sustainable Vegetable Production, and Farm ManagementVegetable Production. Examples of new major offerings being studied are Right-of-Way Technician, Certified Nurse Assistant Online, and options for our Laboratory and Field Technology and Natural Resource Management Programs that match oil industry workforce needs. The campus will continue to identify opportunities to reach out to a broader constituency as well as examining new curricular offerings that fit North Dakota’s workforce needs.

Academic Affairs

©2011 LarsonAllen LLP

16

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Perform a cost/benefit analysis to determine if an open position should be created to allow for a trainer to be on campus.

Institution Response
Dakota College does hire the part-time services of a trainer for its contact sports. In each of the last three years, the hours allocated to the part-time trainer have increased. In addition, the Bottineau Ambulance Service and their EMT’s are present at all football and hockey contests and a physical therapist attends most home hockey games. Thus, there are first responders present at home football and hockey games. For 2011-2012, the Athletic Director has been asked to negotiate for expanded athletic trainer services and for ambulance service/EMT coverage at all home contests for all varsity sports. A goal of the College is to hire a full-time athletic trainer who will tend to the health needs of all student athletes. The position is included on a list of potential new hires that will be considered on a priority an affordability base.

Moderate There is not a trainer to support the athletics programs, therefore, there is not a dedicated first responder on site and reflects on the perception of the institution when targeting athletic program students.

Athletics

©2011 LarsonAllen LLP

17

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Perform a cost/benefit analysis to determine if it makes good business sense to increase amenities specific to athletics and replace or purchase additional equipment.

Institution Response
The institution is aware of its responsibility to support its athletic programs at an optimum level and has been fulfilling this commitment to the best of its ability. A purposeful goal of the institution is to continually strive for peak support of its sports program and to not become satisfied with the status quo. At present, there are no safety concerns connected to faulty equipment issues, teams are suitably turned out for games, and resources are allocated each year for upgrades. In fact, for 20112012, approximately 20 percent of new equipment purchases will be expended on athletic equipment. Dakota College considers amenities yearly taking into consideration affordability and athletic program priorities and needs. Evidence would suggest that since the College has begun two new sports and has seven varsity teams in total, it has concluded that it makes good business sense to increase amenities and purchase additional equipment for its athletic programs.

Moderate The amenities and equipment for athletics needs to be enhanced or replaced.

Athletics

©2011 LarsonAllen LLP

18

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Continue to evaluate whether there are additional opportunities to perform fundraising activities. Develop a short and long term plan for fundraising ideas, how many events will take place annually, how many dollars are needed to be raised at each event, etc

Institution Response
The Logrollers organization is the fundraising arm for college athletics and their primary focus is raising scholarship dollars for student athletics. They have a set agenda of activities that have proved to be successful fundraising events. Following is the Logroller itinerary of events: 1. Business drive 2. Calendar sales 3. Gorder Golf Tournament 4. Trip to Anywhere The number of dollars to be raised at each event is set through the annual budgeting process. For 20112012, Logrollers increased its scholarship budget by $12,000 and in total will award $51,500 to student athletes for the academic year. A significant percent of this money is raised in the local community; however, contributions are collected from throughout North Dakota, Manitoba, and Saskatchewan as well. During the current academic year, two new fundraising initiatives will evolve, both of which target prospective donors from outside the city of Bottineau. One of the initiatives involves former Lumberjack and Lady Jack athletes who are now well into a career and located throughout the country. A database of these hopefully loyal alumni is being developed and in the winter they will be contacted in a sequential manner and asked for a significant donation. The second initiative involves the farming community from Bottineau county and its four contiguous counties. Producers will be asked to pledge X number of bushels of wheat to the Logroller organization for scholarships. Both of these new programs have great potential to raise meaningful

Moderate It is difficult to continually raise money for athletics via fundraising activities due to the size of the community.

Athletics

©2011 LarsonAllen LLP

19

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking
Moderate Low

Identified Risk

Proposed Recommendations

Institution Response
scholarship funds and to do so without going back to the same sources over and over.

There is not a formal process or POS system to track inventory and cash for concessions, ticket sales, and fund raising, resulting in concerns related to the accuracy of inventory and cash. In addition, there is no documentation to support the cash deposited to determine if the appropriate amount was received and deposited based on sales or fund raising.

Perform a review of the internal controls surrounding concessions, ticket sales, and fund raising processes to determine if appropriate controls are in place and operating effectively or if additional controls should be implemented or existing controls remediated. In addition, consider providing documentation to support cash deposits.

Athletics

Most fund raising for athletics is performed by a booster organization known as the Logrollers. This component unit does not fall under the purview of the college Business Office. Annual income from concessions average less than $6,000, and ticket revenue for all sports is approximately $17,000. Business Office personnel handle most ticket sales and pre-numbered tickets are used. Volunteers are utilized for concessions. We recognize that a formal process for tracking athletic concessions, ticket sales and fund raising does not exist. Given the immaterial revenue generated by athletics, having formal controls (e.g. POS, cash receipts, etc.) would be burdensome on the volunteers and coaches. However, we believe that an informal review of current internal controls conducted by a small group representing the Business Office and Athletics could be beneficial. This review could be completed prior to the end of FY2012. The College will continue to identify drivers for the athletics activities bus and throughout the year will attempt to develop a roster of potential, qualified drivers. It will also continue to try to attach a bus driving responsibility to a staff, Physical Plant position. In October, Dakota College will begin a Commercial Driver’s License (C.D.L.) Training Program. It may provide an opportunity for interested individuals to earn a bus driver endorsement on their driver’s licenses.

Low

It is difficult to identify a driver for the Continue to focus on identifying drivers athletics activities bus and there are for the athletics activities bus, including concerns that there may not be a driver networking with the local community. available in future semesters.

©2011 LarsonAllen LLP

20

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking
Low

Identified Risk
Appropriate security resources are not in place to perform sufficient ongoing monitoring across campus.

Proposed Recommendations
Review the available security resources or time allotted for police force to be on campus and determine if additional resources are needed or if additional security measures should be implemented.

Institution Response
The College is engaged in an ongoing process to monitor the campus for security through the use of cameras. A plan for coverage of the entire facility has been developed in cooperation with a reputable vendor and should be completed in the next biennium. Each of the institution’s biennial budgets include a line item for security enhancement and the College has initiated its safety upgrade by utilizing cameras and by implementing a key card system. The system can track who has entered a building and can change entrance codes for cards that have been lost or not returned after termination of employment. The key card installation should also be completed in the next biennium. Dakota College has a Memorandum of Agreement with the Bottineau County Sheriff that stipulates how the campus and the Sheriff will collaborate to help insure campus safety. The College is in discussion with the County Sheriff about using off-duty deputies to staff an all-night alert desk in the residence halls. A night watchman currently conducts hourly checks of campus buildings and grounds checking doors and windows and reporting suspicious activity. A new classroom security procedure was implemented in late spring of 2011. Additional security measures will be installed each biennium. The line item in the budget designated for this purpose, helping to insure that resources to enhance security are in place over the long term.

Campus Safety & Security

©2011 LarsonAllen LLP

21

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Identify additional ways to communicate emergency response procedures and provide training and testing that involves several areas across the institution.

Institution Response
The College has developed emergency response procedures and they are included in the institution’s Risk Management Handbook. Risk management policy and procedures are reviewed annually at separate in-service programs for faculty and staff. A simulated crisis or disaster situation needs to be set up on campus so that emergency training and response can be tested and evaluated. An emergency response testing activity ought to be set up semiannually to help insure preparedness and refine process and procedure.

Emergency Preparedness

Moderate Lack of communication related to emergency response procedures and concerns that the involvement of training and testing of the procedures are not campus-wide.

©2011 LarsonAllen LLP

22

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking
Low

Identified Risk
Current facilities will not support another significant increase in headcount, both academically and athletically. In addition, office space is not available for administration offices to allow for enrollment growth.

Proposed Recommendations
Perform a cost/benefit analysis to determine if additional capital projects should be pursued to support current and potential future increase in enrollment.

Institution Response
The College is able to extend its term class schedule to later in the afternoon and into the evening. Taking this action will allow the use of open classrooms and labs in the event that enrollment increases necessitate additional space in which to conduct classes. This resolution would serve a secondary purpose of helping to avoid class time conflicts, thus, expanding students’ course choices. Weekend classes are also an option. Office space is limited at the current staffing level; only two or three more offices can be set up for additional personnel without creating extreme crowding and inconvenience. Two possibilities exist to alleviate this problem. One is the adaptive reuse project currently being investigated for the institution’s Old Main building. The other is the offer from the community’s Economic Development Corporation to gift their headquarters building to the College. Dakota College is researching both projects and should determine their feasibility in a year.

Environmental Health & Safety

Low

The Environmental Protection Agency is changing regulations for coal burning and the institution utilizes coal boilers. There are concerns related to the impact the changes will have on the institution.

Continue to monitor changes set forth by the Environmental Protection Agency to ensure the institution is compliant with regulations.

The North Dakota Department of Health keeps the campus informed of all environmental regulations affecting campus operations.

©2011 LarsonAllen LLP

23

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Consider performing an in-depth analysis of previous years’ budgets and the dollars allotted for the current year to determine if available funds should be allocated differently from previous years.

Institution Response
All department budgets are funded at minimal funding levels. They cannot operate effectively if the amounts are reduced and all of them would certainly benefit from increases amounting to more than the rate of inflation. In order to facilitate budget increases, programs have to be eliminated so other programs can benefit financially from their demise. The College has recently undergone a fairly comprehensive process through which low enrollment offerings have been dropped. Additional reductions will compromise the mission of the institution. Thus, without additional resources, there is little wiggle room to construct budgets without beginning with and utilizing a same-as-last-year approach. Few budgets require growth simply because they experience a headcount increase in students—more students do not always exponentially raise the cost of offering a program. Once fixed costs are in place to begin a curriculum, funding requirements in operating the offering do not kick in incrementally on a per-student-basis. Although funding using a cost-per-student model is not an alternative to the same-as-last-year model, DCB will continue to analyze if there is another allocation model that would work.

Moderate The institution budgeting process utilizes the “same as last year” approach and does not perform an indepth analysis to determine if dollars should be allocated differently from the previous year.

Financial Close & Reporting

©2011 LarsonAllen LLP

24

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations

Institution Response

Moderate There is a lack of appropriate segregation of duties in the Business office.

Review the current responsibilities of Segregation of duties is reviewed by the State each person in the Business office to Auditor’s Office. determine if changes should be made to allow for additional segregation of duties. Although all departments have appointed an individual within the department to have signatory authority, this authority is not intended to preclude consultation with colleagues about budget management, nor does it eliminate a consensus gathering activity for purchase approvals. Dakota College will take steps to assure compliance with institutional purchasing policies. The Institution’s strategic planning has included both long and short-term goals, objectives, and action steps. Following are examples of long-term items included in strategic planning efforts:  Motivate academically talented students to develop to their fullest potential by beginning an Academic Honors Program.  Utilize a combination of delivery methods to build an exemplary Developmental Education Program that can serve as a model for the NDUS.  Provide a vehicle to assess both program and general education learning objectives, and the impact of the NTB focus, by creating a capstone portfolio project requirement for graduation.  Work with the oil industry to satisfy their training needs as they expand exploration and drilling activity into north central North Dakota.

Financial Close & Reporting

Moderate There is a lack of appropriate Develop a policy that requires all segregation of duties with department purchases to involve more than one purchases. In some instances, person in the overall process. department managers are individually deciding what to purchase and from who and are also approving the purchase, involving no other personnel in the overall process. Moderate The institution’s strategic plan lacks a long term focus. In addition, measurable action plans have not been developed to address all objectives and goals. Review the strategic plan to determine if long term objectives should be addressed. In addition, consider developing measurable action plans to meet objectives and goals.

Governance

©2011 LarsonAllen LLP

25

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking
Moderate

Identified Risk

Proposed Recommendations

Institution Response
The complexity of these planning items naturally attaches a long-term focus to them. However, including timelines to the plan’s steps is advisable. There are benchmarks or measures of success attached to the strategic action plans, for example: GOAL: Enhance the component of the College’s mission that addresses personalized education by developing policies for the evaluation and awarding of college credit for Prior Learning Experiences. Expected Outcome: Award Prior Learning Credit to five students in 2010-2011.

Governance

GOAL: Move the Entrepreneurial Center for Horticulture from the rollout stage to the demonstration site and applied research phase. Expected Outcome: Build three high tunnel greenhouses and a wash/pack facility in 2010-2011. GOAL: Begin a Certificate in college Studies Program that promotes retention and persistence toward a degree for students entering DCB who are undecided about a college major/degree. Expected Outcome: Enroll 30 students in the College Studies Program for fall 2010; and, 70% of the students enrolled in the College Studies Program will return to DCB as second year students. Although measureable action plans exist, they need to be better disseminated.

©2011 LarsonAllen LLP

26

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Improve communication to roll out new policies and procedures and updates to existing. In addition, review and approve all policies and procedures on an ongoing basis.

Institution Response
Two years ago, Dakota College adapted the following practice to communicate new policies and procedures and make updates to existing policies and procedures: The only official edition of this handbook is the document that resides online. The online version will be updated as expeditiously as possible. Thus, it is the online reference that should be used when accessing DCB policy and procedure. Changes, deletions, and additions to the document regarding the policies and procedures will be sent to faculty and staff at the same time they are updated in the online handbook. This routine has been followed over the last two years. Copies of new policies or policy changes are also included with in-service folders each year. The College is discussing collapsing the Faculty, Staff, and Risk Management Handbooks into one comprehensive manual or document that will provide one resource for all information for both faculty and staff members. The Faculty Senate has a Handbook Review Committee that is charged with examining the Faculty Handbook for completeness and possible improvements, and for distribution and dissemination of updates. The Dean’s Council undertakes much the same responsibility for the Staff and Risk Management Handbooks. Neither group, the Faculty Senate or the Dean’s Council, do an adequate job of keeping the handbooks current on an annual basis. They need to make a greater commitment to the task or determine a more effective method of getting the job done.

Moderate Lack of consistent communication to roll out new policies and procedures, make updates to existing, and implement consistently across the institution. In addition, there is not a consistent process to review policies and procedures on an ongoing basis once they are developed.

Governance

©2011 LarsonAllen LLP

27

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Team with the System office and other institutions to gain a better understanding of how System policies are categorized and titled.

Institution Response
The NDUS Policy and Procedure Manual can be accessed from the Dakota College website. It is not a difficult link to find, and after having once connected to it, end users should not have a problem returning to it for subsequent inquiries. In the future, Dakota College’s handbooks and promotional materials can list the link that allows direct communication with the System policies website. A review of how System policies are categorized and titled may be helpful. However, it seems that the issue is more a lack of having to routinely navigate the website than it is an issue of a website that is difficult to navigate.

Moderate Lack of understanding by the institution end users related to how System policies are categorized and where they are stored. In addition, policies are not always clearly titled to reflect content.

Governance

Moderate Bottineau is a small community and local community members and businesses are continually tapped for fund raising and donation dollars making it difficult to continually increase the amount raised each year.

Continue to identify additional alumni, community members, and business relationship opportunities to perform fundraising activities. In addition, perform a cost/benefit analysis to determine if additional funding should be allocated to identifying and building these relationships

The Dakota College Foundation hired a consultant to identify additional, non-local opportunities for revenue generation. The consultant has a successful history with the College in that he devised a plan that resulted in the College/Foundation raising $230,000 in three months to begin its football and softball programs. The fundraising campaign he has put together to solicit donations from alumni and a wider, regional business community is of similar quality. It has the right mix of tools to use when approaching prospective donors from outside the community. The Foundation Office needs additional help to fully implement the effort. Dakota College will consider funding additional staff after fall enrollment has been calculated.

©2011 LarsonAllen LLP

28

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking
Low

Identified Risk
Initiatives are identified and teams of staff and faculty are assigned; however, many initiatives are not provided the appropriate levels of attention or are not followed through on.

Proposed Recommendations
Identify all initiatives across the institution, teams assigned to them, progress made, etc. Determine what initiatives are not progressing as deemed sufficient by the institution and identify the root causes for the lack of progression.

Institution Response
True initiatives at Dakota College, as opposed to standard operating procedures, are planned and identified through a strategic planning process. The initiatives, or goals and objectives, of the last strategic planning process were systematically developed and a uniform tracking process was put into place for each of them. Some of the action plans naturally had more impact or consequence than others, and as a result, generated more interest and attention. However, the overarching intent of each of the steps in the Strategic Plan was to enhance enrollment and that goal was achieved. The new Strategic Plan was again a “grass roots, bottom up” process that gathered 300+ suggestions from faculty, staff, students, and community. Out of the numerous suggestions and recommendations, 17 were chosen as initiatives for inclusion in the Strategic Plan. A natural tendency for someone who felt that an initiative for which they had a strong passion had not received appropriate attention or follow up would be to identify their initiative as a risk. In the future, more information about the progress of the Strategic Plan can be distributed to all constituents through email, the alumni newsletter, The Buzz, and the DCB website.

Governance

©2011 LarsonAllen LLP

29

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking
Low

Identified Risk
Meeting minutes are not always documented for formal council and committee meetings, resulting in lack of an audit trail of discussion topics, decisions made, and monitoring of ongoing activities. In addition, when meeting minutes are documented, they are not to the level of detail needed.

Proposed Recommendations
Develop a policy that requires all formal council and committee meetings to be documented and describe the level of detail required to be sufficient.

Institution Response
Dakota College has a policy that all committees appointed by the Faculty Senate or Campus Dean keep minutes. A letter from the Dean to the committees states the following: I require that you keep minutes of your meetings and log attendance (form attached). Turn in the attendance to Linda Berube by at least ten days after each meeting. The letter to the committees will now include language pertaining to the level of detail expected in the minutes. The Dakota College Foundation’s Executive Committee has been very conservative with the organization’s investment policy. They rely heavily on certificates of deposit for investment income. Financial service representatives have consulted with the Executive Committee on several occasions; however, the group has chosen to continue with its conservative investment policy. Alternative opportunities in lieu of conservative investments will continue to be proposed to the Foundation for their consideration.

Governance

Moderate Investment strategy for the foundation may be too conservative.

Identify if there are alternative opportunities for conservative investments that result in a higher yield.

Grant Administration Moderate Additional time should be spent on alumni and donation collections.

Team with the Foundation to determine if Please see response to the following identified risk: additional resources could be allocated to focus more on alumni and community Bottineau is a small community and local community networking to increase donations. members and businesses are continually tapped for fund raising and donation dollars making it difficult to continually increase the amount raised each year.

©2011 LarsonAllen LLP

30

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking
Low

Identified Risk
A policy is not in place to address the collection of grant data and reporting on grant key performance indicators (i.e. job creation and retention). It is unclear if this process is performed accurately. Policies and procedures are not in place specific to effort reporting and there are concerns related to the capability to track and monitor reporting.

Proposed Recommendations
Develop a policy and procedures addressing the collection of grant data and reporting on grant key performance indicators to provide additional guidance for staff and faculty. Develop a policy and related procedures for effort reporting. In addition, team with other similar size institutions to determine how they are tracking and monitoring the reporting and if changes should be made to current processes. Require all faculties to complete performance evaluations on an ongoing basis. Identify a department that will assume the responsibility of tracking and monitoring the completion of all evaluations to follow-up on delinquent submissions.

Institution Response
As efforts increase to secure additional grant funding, collection of key performance indicators will become more sophisticated.

Grant Administration

Low

DCB has received only one federal grant in the past five years that required formal effort reporting. The contract requirements were met using manually prepared effort reports. Unless grant awards grow significantly, developing policies and procedures for effort reporting is a low priority. Faculties are evaluated each academic year by comparing their Fall Planning Report form to their Spring Summary of Activities Report form. This process allows the Academic Dean to contrast the work plan they prescribed for themselves with their accomplishments. In addition, self-reported evaluations of faculty are collected from students on a routine basis and the Academic Dean also does classroom visitations to assess faculty performance. Follow-up is conducted for instructional staff that is tardy in submitting the Fall Planning and Spring Summary Report forms. Those few who do not complete the form(s) are not considered for a merit salary adjustment. The performance evaluation process of faculty needs to be reviewed and revised under the leadership of the Campus Dean and the Associate Dean of Academic Affairs.

Moderate Performance evaluations for faculty are not always completed; therefore, there is not always a consistent method to link performance to reward and/or improvement plans.

Human Resources & Payroll

©2011 LarsonAllen LLP

31

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
The server room should be locked at all times, including business hours. In addition, perform a cost/benefit analysis to determine if additional environmental controls should be implemented or if upgrades should be made. Develop and document a formal disaster recovery plan. This would include, but is not limited to:  Risk exposures  Recovery team responsibilities  First response process and procedures  Functional assessment process  Asset protection  Communications approach  System recovery timeframes  Maintenance and testing  Training

Institution Response
The server room is locked when not occupied. A security camera monitors all personnel entering or leaving the server room. Based on room temperature data, it has been determined that additional cooling is necessary to insure optimum equipment performance. We are currently reviewing the best options for providing improved environmental conditions. DCB does have a formal disaster recovery plan (Continuum of Government Plan) that was developed during 2002. However, the plan should be reviewed and updated as needed. This review will be completed prior to the end of FY2012.

Moderate Servers are maintained in a locked room in an office; however, the room is not always locked during business hours. In addition, appropriate environmental controls are not in place. Moderate A Continuum of Government Plan that addresses some areas of a disaster recovery plan is in place; however, a comprehensive documented plan still needs to be developed.

Information Technology

Moderate USB drives are not password protected or encrypted.

Develop a policy that requires all USB The campus CIO will review this issue and make a drives to be password protected and recommendation to the Dean’s Council prior to the encrypted. Communicate the policy to all end of FY2012. applicable users.

©2011 LarsonAllen LLP

32

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Change the password parameters in Active Directory to technically enforce all users’ passwords to be alpha numeric

Institution Response
Password parameters for Active Directory are currently not technically enforced to require passwords to be alpha numeric. However, the institution is moving to the NDUS Active Directory, and when this move is completed, the network will authenticate against it in order to resolve the issues connected with operating a system that does not require alpha numeric passwords. Under the current strategic approach, leadership, and direction for the marketing of DCB to prospective students, and to those who influence students’ college choices, enrollment has set records for three consecutive semesters. Printed promotional materials, the College’s web presence, and the process by which DCB makes face-to-face contact with prospects has improved dramatically. The systems for tracking student contacts and for responding to these contacts have achieved similar improvements that have provided a sharper and more sophisticated image for the campus. These systems are managed with enrollment software that allows the Admissions Office to work smarter, thus providing time for supplemental communication and marketing tasks. Dakota College can do better in the promotion of its Online and Outreach Programs. Also, it needs to do better with its general public relations efforts. There are many exciting programs and initiatives occurring at the College that deserve exposure to a wide audience.

Information Technology

Moderate Password parameters for Active Directory are not technically enforced to require passwords to be alpha numeric.

Low

There are concerns related the strategic Review the strategic approach and approach, leadership, and direction for leadership for marketing and marketing and communication. communication at the institution to determine if changes should be made to align the strategic plan with the institution.

Marketing & Communications

©2011 LarsonAllen LLP

33

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Review the procedures to protect credit card information at the bookstore and determine if changes should be made to enhance data protection. In addition, if procedures are not formally documented, consider documenting the procedures to allow all employees to be consistent and educate new employees.

Institution Response
Dakota College will review procedures to protect credit card information at the bookstore and determine if changes should be made to enhance data protection.

Moderate Credit card information is manually documented at the bookstore for orders that are placed via phone during peak times of the year.

Operations & Auxiliary Services

Low

Lack of knowledge by students and faculty on how to use digital library services. Technology upgrades are needed for the library to better accommodate student learning. Concerns with theft in the bookstore. There are no security cameras or security system.

Consider offering training to students and Training to students and faculty on the use of digital faculty on the use of digital library library services can be offered. services. Continue to prioritize capital projects and Prioritizing of capital projects and renovation needs renovation needs across campus to across campus will continue to determine if needs in determine if the library is a priority in the the Library are a preference. next fiscal year’s budget. Perform a cost/benefit analysis to determine if security measures should be implemented. Cameras have been installed in the Bookstore to help prevent shoplifting. Hiring practices have also been strengthened to help prevent internal pilferage.

Low

Low

©2011 LarsonAllen LLP

34

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Functional areas should evaluate where it is most critical to implement succession plans and cross train employees. Develop an action plan to implement and cross train where necessary.

Institution Response
Cross training does occur in campus office environments, but not for all functions in all offices. Although Dakota College is a small campus, it still must effectively and efficiently perform the core functions of an institution of higher learning no matter its size. Limited availability of personnel resources require that nearly all staff are responsible for two or more of these core functions, i.e., they wear more than one hat. Thus, in a unique manner, most staff is already cross trained to the limit of their capacity. When and where it is most critical to implement succession planning, Dakota College has begun to bring in new staff several weeks or a month before an incumbent’s departure so that the new person can be trained to hit-the-ground-running.

Moderate Lack of succession planning and cross training for most positions within the institution.

Faculty & Staff

©2011 LarsonAllen LLP

35

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Perform a cost/benefit analysis to determine if it makes good business sense to renovate residence halls and build suite living conditions.

Institution Response
The learning and living environment in Dakota College’s residence halls has not changed significantly since they were constructed in the 1950’s, 1960’s, and 1970’s. However, student expectations about the amenities that need to be included for residential life have changed dramatically. They expect the same convenience, services, and privacy they have at home. Dakota College needs to examine the possibility of revenue bonding to gather the funding needed to modernize Mead, Milligan, and Gross Halls. The Institution will continue to research and implement programming that will meet the needs of an increasingly diverse student population.

Moderate Residence halls need to be remodeled and utilized to attract more students, including building suite living conditions to attract families.

Student Affairs

Moderate The institution is becoming more culturally diverse and there has been a significant increase in out of state students. There are concerns whether the campus is meeting the needs of these students. Moderate Certain faculties do not submit their book/material requests to the bookstore timely or change the books/materials near the start date of a semester, Student Financial resulting in the bookstore not being Processing able to provide books/materials timely to students, keep costs effective and affordable, and possibly cause the institution to be in violation of the HEOA.

Perform an assessment to determine whether the institution is meeting the needs of culturally diverse and out of state students. Utilize feedback from students to make improvements as necessary. Continue to educate faculty about the importance of submitting book and material requests timely. In addition, identify alternative methods of communication and education.

The Institution will continue to educate faculty about the importance of submitting book and material requests in a timely manner and will make clear the consequences for not doing so.

©2011 LarsonAllen LLP

36

Enterprise-Wide Risk Assessment | Dakota College Bottineau

Appendix
Impact Criteria
IMPACT CRITERIA
FINANCIAL (1) Asset size (2) Prior negative exposure (3) Rapidly increasing transaction volume STAKEHOLDER (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns REPUTATION (1) Potential adverse issues are known to external parties, such as media and regulatory bodies LEGAL / REGULATORY (1) Any Federal/ State/Other action (2) External Audit reportable conditions OPERATIONS (1) Current infrastructure cannot support business strategy

HIGH

MEDIUM

(1) Asset size (2) Major potential cost (3) Transaction volume stable

LOW

(1) Asset size (2) Minor potential cost (3) Transaction volume stable

(1) Management, employees and faculty may be affected by process inefficiencies or control breakdown (1) No management, employees and faculty are affected by process inefficiencies or control breakdown

(1) Potential adverse issues could impact customers

(1) Issues identified by Federal/State/ Other (2) Issues identified by External Audit (1) No issues identified by Federal/State/ Other (2) No issues identified by External Audit

(1) Current infrastructure is able to support business strategy with work arounds (1) Current infrastructure is able to support business strategy

(1) Potential adverse issues could impact employees

Vulnerability Criteria
VULNERABILITY CRITERIA
CONTROL EFFECTIVENESS AND EFFICIENCY SPEED OF RESPONSE COMPLEXITY PEOPLE OPERATIONAL EFFICIENCY SYSTEM CAPABILITY RATE OF CHANGE

Controls are not working or do not exist.

HIGH

No method for anticipating and accessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.

Manual processes with many data transfer points and owners

MEDIUM

Controls are detective but not preventative and there may or may not be effective reporting.

A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.

Automated process encompassing multiple systems and owners.

A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists. A limited number of staff and/or staff has moderate competency to manage risk event.

High/unmeasure d cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.

Systems are not operating as designed or design is flawed; very limited controls

Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.

Systems are operating as designed, but design can be improved; controls are bolted on top of the system.

LOW

Controls are appropriately preventive and detective and there is effective reporting.

A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.

Automated processes with integrated systems.

Most staff has high competency to manage risk events.

Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.

Systems are designed, implemented, and operating effectively; controls are embedded in the system.

Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months. Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months. Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.

©2011 LarsonAllen LLP

37

Dickinson State University Risk Assessment Results
October 14, 2011

Craig W. Popenhagen, CPA Principal 612/397-3087 cpopenhagen@larsonallen.com

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Dickinson State University

220 South Sixth Street, Suite 300 Minneapolis, MN 55402-1436 612-376-4500, Fax 612-376-4850

October 14, 2011

Dr. D.C. Coston, Acting President Dickinson State University 291 Campus Drive Dickinson, ND 58601 Dr. Coston, This report provides you, Dickinson State University (DSU) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board’s acceptable risk level. LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided. In addition, the procedures performed by LarsonAllen are not a substitution for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide Dickinson State University with insight to inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project. We appreciate the opportunity to assist Dickinson State University. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance. Sincerely, LarsonAllen LLP

Craig W. Popenhagen, CPA Principal 612/397-3087 cpopenhagen@larsonallen.com

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Dickinson State University

Table of Contents
Executive Summary
What is Risk Assessment? Risk Assessment Methodology


1  1 

Project Overview
Objectives and Scope Approach


4  4 

Risk Assessment Results
Enterprise-Wide Risk Map Detailed Results


6  7 

Appendix
Impact Criteria Vulnerability Criteria

26 
26  26 

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Dickinson State University

Executive Summary
LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for Dickinson State University. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically. Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical representation of the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Detailed results are also provided communicating the explanation for the risk ranking and recommendations for addressing the risks.

What is Risk Assessment?
Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution whether it is entity or process level.  Entity level is the cornerstone for effective control and its objectives provide guidance on what the entity wants to achieve. It should be consistent with budget, strategy, and business plans.  Process level should align with entity level objectives but differ in that they relate directly to goal setting with specific targets and deadlines. It provides guidance for management focus.

Risk Assessment Methodology
The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for Dickinson State University.

©2011 LarsonAllen LLP

1

Enterprise-Wide Risk Assessment | Dickinson State University

Understand the Client’s Business: We begin by understanding the North Dakota University System’s (the System) business by gathering the business objectives, goals, and strategies and identify the System’s various universities and colleges in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry. Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of an institution to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken in the form of missed opportunities. There are six types of risks:  Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the institution’s inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the institution’s reputation.  Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.  Operational: The risk that the institutions operational processes are not achieving the objectives they were designed for to support the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.  Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.  Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the institution and the availability and quality of information the institution can access to support decision making, and the security of key information.  Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships. Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.

©2011 LarsonAllen LLP

2

Enterprise-Wide Risk Assessment | Dickinson State University

Areas of Focus               

Definitions Financial Stakeholder Reputation Legal / Regulatory Operations

Impact

Vulnerability

Control Efficiency & Operating Effectiveness Speed of Response Complexity People Operational Efficiency System Capability Rate of Change

Measurement Scale

High Risk Moderate Risk Low Risk

Execute Risk Assessment Approach: We begin by identifying various interview participants, including key risk owners and conduct interviews, as applicable. Key risks are gathered during this stage and results are ranked by defined impact and vulnerability criteria. Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then validated and shared with management, as appropriate. By prioritizing and validating risks, Dickinson State University can align and prioritize its resources to manage and mitigate risks appropriately.

©2011 LarsonAllen LLP

3

Enterprise-Wide Risk Assessment | Dickinson State University

Project Overview
Objectives and Scope
The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at Dickinson State University and assess the levels of risk within each of the process areas. In addition, provide Management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process. The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution: Functional Area / Process
Academic Affairs Athletics Campus Safety & Security Continuing Education Emergency Preparedness Environmental Health & Safety Financial Close & Reporting

Detailed Coverage of Functional Area / Process
On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance Building security, campus police/security Non-credit courses, community programs, workforce training, conference management Emergency preparedness and response procedures, business continuity, risk management Physical safety and soundness of campus buildings, environmental risks, facilities/classroom Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action Grant tracking and monitoring, accounting, budgeting, reporting, foundation, donor concentrations, foundation investment strategy Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk Social media, publications, web development, brand and logo, advertising channels Bookstore, libraries, food services Workforce training, competency, professional environment, conflict of interest Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services Student/financial aid, tuition, enrollment fees, scholarships, funding, student loan processing
4

Governance

Grant Administration

Human Resources & Payroll Information Technology

Marketing / Communications Operations & Auxiliary Services Faculty & Staff Student Affairs Student Financial Processing

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Dickinson State University

Approach
With the assistance of Dickinson State University management, LarsonAllen identified 24 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area. Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).

©2011 LarsonAllen LLP

5

Enterprise-Wide Risk Assessment | Dickinson State University

Risk Assessment Results
Enterprise-Wide Risk Map
The enterprise-wide risk map communicates the risk results at the functional area / process based on the information obtained during the interviews. The description of the risk map is as follows:    Green – Low Risk Yellow – Moderate Risk Red – High Risk

The following functional areas / processes are not on the above risk map as there were no risks identified by stakeholders, per the interview discussions:  Continuing education

©2011 LarsonAllen LLP

6

Enterprise-Wide Risk Assessment | Dickinson State University

Detailed Results
Per discussions with process owners, LarsonAllen identified several processes where specific risks may exist. These risks identified were considered in the overall risk ranking of each key financial, operational, and IT processes. The risks identified were based upon discussions with process owners and not based on actual testing of controls. The following is a list of the risks identified by LarsonAllen, in addition to the risk ranking and recommendations for addressing the risks. Functional Risk Area / Process Ranking
High

Identified Risk
There is significant pressure to increase domestic and international student headcount. Concerns included the diversity of the student body, potential overspending, and certain students not meeting admissions requirements criteria.

Proposed Recommendations
Perform an assessment of the steps taken to increase both domestic and international student headcount. Compare actions taken to the Strategic Enrollment Plan once it has been approved and determine if actions are in alignment with the Plan or if changes should be made to the Plan.

Institution Response
Enrollment Services reports directly to the President. DSU has begun to address many of these issues through its Strategic Enrollment Management Team. A university-wide retention committee was also established in May 2011. The VPAA will also work closely with the VP for Student Development and the Director of Multicultural Affairs in an effort to ensure uniformity and consistency of TOEFL requirements in all MOUs and Articulation Agreements established with international partners. The NDUS has initiated efforts to address these concerns by revising Policy 440 (Enrollment Reporting). DSU will strictly adhere to the enrollment report provisions of Policy 440. DSU will continue to implement cost-effective action steps that have been recommended by the Strategic Enrollment Plan. The Strategic Enrollment Committee will continue to prioritize initiatives and make recommendations to senior leadership.

Academic Affairs

Moderate Criteria to determine student enrollment headcount may not be clearly defined; therefore, there are concerns that enrollment numbers are not accurate. Moderate Initiatives and action plans were developed by the Strategic Enrollment Committee to address the Strategic Enrollment Plan that was developed by a third party consulting firm, on behalf of DSU; however, actions have only been taken on the immediate recommendations by the third party as the Plan has not yet been approved by senior leadership.

Review and document the criteria utilized to calculate student enrollment headcount to clearly define and determine if enrollment numbers are accurate. Review all initiatives across the institution to determine if the Strategic Enrollment Plan is priority in the next fiscal year. During this review, identify roadblocks for the Plan not being approved and determine if this is a direct correlation to the priority of the initiative or if alternative roadblocks should be assessed.

©2011 LarsonAllen LLP

7

Enterprise-Wide Risk Assessment | Dickinson State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Consider developing a process to assign all students academic advisors and require students and advisors to meet on a regular basis as defined by the institution.

Institution Response
The Office of Enrollment Services ensures that all entering first-year students are assigned academic advisors. In addition, on May 2, 2011, the VPAA Council approved a new policy requiring all students to declare a major after they have earned 32 semester hours. Members of the Retention Committee participated in the NDUS Retention Summit in May 2011. Their efforts during the next academic year will focus on “Advising for Student Success.” As part of its Advising for Student Success initiative, the Retention Committee will develop mandatory advising workshops prior to pre-registration period in November. In addition, a Financial Aid workshop has been scheduled for October 17th. The Office of Extended learning has already implemented mandatory training for all faculty members who teach at offsite locations or online.

Moderate Students are not automatically assigned an academic advisor in all instances when declaring a major as there is not a consistent process to assign students an advisor.

Academic Affairs

Moderate Lack of training for academic advisors to allow advisors to be the most effective for students, including being knowledgeable about what classes are only offered every other year, etc.

Provide ongoing training and class schedule update information for advisors to be the most effective for students. In addition, consider implementing a student feedback process for the advisors and the institution to gain visibility to strengths and weaknesses of the academic advising process.

Low

Meeting federal requirements for distance learning, specifically, procedures to follow for state level requirements when DSU offers distance learning in other states, permissions needed, evidence and documentation to maintain, licensing fees, etc. In addition, determining if it is cost beneficial to offer distance learning in various states.

Continue to work with the System office and review existing policies related to federal requirements for distance learning in other states to ensure federal requirements are being met and to determine if it makes good business sense to offer distance learning in various states based on student interest and fees.

©2011 LarsonAllen LLP

8

Enterprise-Wide Risk Assessment | Dickinson State University

Functional Risk Area / Process Ranking
Low

Identified Risk
Accountability for student enrollment and retention is not consistent across all functional administrative areas and faculty. In addition, faculty and staff are not always making themselves available to current and potential future students. This includes faculty office hours, availability for high school student visits/campus tours, experience in the administration offices, etc. A strong focus of the university is increasing headcount; however, there are concerns that appropriate thought has not been given to the facilities and resources available at the university to support additional headcount. Strom Center programs do not receive university and/or grant funding. If donations and/or grant dollars decrease, the sustainability of programs would be at risk. The Strom Center Business Challenge Program is approximately $50k in debt.

Proposed Recommendations
Review the Strategic Enrollment Plan initiatives and action plans to determine if all functional areas and faculty responsibilities are addressed to support and grow headcount and accountability measures to move forward.

Institution Response

Low

Review the Strategic Enrollment Plan initiatives and action plans to determine if facilities and resources have been addressed to adequately support additional headcount.

Academic Affairs Low

Indentify additional marketing opportunities to reach a broader market, including networking with other colleges and universities within North Dakota, additional services to support programs fees, and identify additional grant opportunities. Review the strategic plan to determine if the Strom Center’s debt is addressed with specific measureable action plans. In addition, consider whether updates should be made to the strategic plan and whether progress is being made towards the measureable action items.

Low

©2011 LarsonAllen LLP

9

Enterprise-Wide Risk Assessment | Dickinson State University

Functional Risk Area / Process Ranking
Low Academic Affairs

Identified Risk
North Dakota graduation rates are declining and competition is high with other North Dakota colleges and universities to attract and retain students.

Proposed Recommendations
Identify opportunities on how to reach out to a broader group of potential students. In addition, market studies should be performed on potential major and course offerings to improve attendance. Review spending of the athletics department and perform an overall assessment of the institutions budget to actual to determine if it makes good business sense to develop a budget for the athletics department going forward. Determine if additional visibility is warranted related to significant athletic program travel expenses.

Institution Response

Moderate The athletics department does not have an assigned budget or budget constraints they are held accountable for and measured against. In addition, there is lack of visibility related to athletic program travel expenses.

The 2012 FY includes specific budget recommendations. Primary support for athletics is derived through the University Fee process which is directly impacted by enrollment and a level of fees permitted to be assessed students. The Athletic Director is a direct report to the President and is charged with the accountability / efficiency practices within the unit. General institutional accounting practices are applied. “Open Records” applies. The DSU Booster Club continues to raise substantial funds in support of the athletic programs. DSU will work with relevant stakeholders to develop short and long term plans for fundraising. Requests for increasing University fees are not automatically approved as proposed with timing of the same affecting programs. The Athletic Director will work collaboratively with the VP for Financial Affairs to estimate and benchmark operating expenses.

Athletics

Moderate Additional fund raising is needed to support current athletic programs.

Evaluate whether there are additional opportunities to perform fundraising activities. Develop a short and long term plan for fundraising ideas, how many events will take place annually, how many dollars are needed to be raised at each event, etc. In addition, assess whether the appropriate number of programs are in place or if the activity fees should be increased. Communicate with institutions of similar size and athletic programs that participate in the Frontier conference to estimate and benchmark operating expenses.

Moderate Lack of visibility of the future operating expenses to transfer into the Frontier conference.

©2011 LarsonAllen LLP

10

Enterprise-Wide Risk Assessment | Dickinson State University

Functional Risk Area / Process Ranking
Low

Identified Risk
Transportation for the university’s rodeo team is not provided and controlled, resulting in the risk of liability to the institution.

Proposed Recommendations
Perform a cost/benefit analysis to determine if it makes good business sense to provide transportation services for the university’s rodeo team. In addition, consider reaching out to other colleges and universities that have a rodeo team to determine the approach they take. Continue to benchmark wages with other North Dakota colleges and universities.

Institution Response

Athletics Recruiting new athletic program coaches and maintaining the existing coaches is a concern due to the size of the institution and compensation offered.

Low

Moderate Concerns that staff and faculty are being verbally and emotionally threatened to increase student enrollment.

Obtain feedback from all staff and faculty related to the tone at the top and pressures to increase student enrollment to determine if the environment is appropriate.

Campus Safety & Security Low Concerns related to the safety of students and security of the campus with the significant numbers of oil field workers migrating to the area. In addition, there is no security officer during the daytime hours. Lack of communication and required training related to emergency response procedures. Perform a cost/benefit analysis to determine if security officers and resources are needed or if additional security measures should be implemented.

DSU has addressed this concern with the implementation of a Code of Conduct Policy on March 22, 2011. In addition, mandatory harassment workshops were conducted during March and August for all DSU employees. A Campus Quality Survey team also met on a regular basis during the 2010-2011 academic year to address concerns that had been brought forward.

Emergency Preparedness

Low

Consider requiring the current training available to employees twice a year to be mandatory training to enhance awareness.

©2011 LarsonAllen LLP

11

Enterprise-Wide Risk Assessment | Dickinson State University

Functional Risk Area / Process Ranking
Low

Identified Risk
Athletic facilities are outdated and need remodeling (i.e. handicap assessable, strategic concession placement, etc.).

Proposed Recommendations
Continue to prioritize capital projects, renovations, and maintenance needs across campus to determine if athletic facilities are a priority in the next fiscal year’s budget.

Institution Response

Environmental Health & Safety

Low

The ability to attract local contractors has Consider reaching out to other colleges and decreased over the last several years due universities that may also be affected by the to the competition with the oil fields. increased labor demand from the oil fields to identify actions other institutions have taken, discuss contractor options, pricing considerations, etc. Review write-offs over the last several years to determine the amount of write-offs that are tuition related. In addition, review historical trends and determine the root cause of tuition write-offs. Many of these issues have been addressed through the implementation of a new Housing Policy that screens our students who lack the financial resources to attend DSU. A collection entity has assumed responsibility for collecting international accounts that are delinquent 180 days or more. Unit supervisors will do a better job of communicating how departmental and program budgets can be accessed via PeopleSoft. Chairs and program heads will continue to be afforded the opportunity to attend PeopleSoft training sessions.

Moderate Bad debt write-offs continue to rise each fiscal year due to the inability to collect tuition fees.

Financial Close & Reporting

Moderate Concerns that departmental budget changes are not being communicated on a timely basis and could result in potential over spending.

Review the process to communicate departmental budget changes and determine if changes should be made to the process to allow more timely communication.

Low

Interest income has significantly declined over the last several years. In addition, net operating income has been negative for the last three years.

Perform an analysis to determine the root cause for the decrease in interest income and the negative net operating income over the last several years. Determine if the institution could make changes or identify other opportunities to increase both in the future.

©2011 LarsonAllen LLP

12

Enterprise-Wide Risk Assessment | Dickinson State University

Functional Risk Area / Process Ranking
Low Financial Close & Reporting

Identified Risk
Insurance policies do not provide the appropriate level of detail related to the institution’s assets within the facilities to gain comfort that the assets would be recovered should a disaster occur. A subset of senior leadership is providing an overall culture / environment and tone at the top that is not supported and respected by staff and faculty.

Proposed Recommendations
Review insurance policies on all facilities across campus and determine if the level of detail in the policies is adequate.

Institution Response

High

Obtain feedback from staff and faculty related to the tone at the top and overall culture of the institution. Specific functional areas should be identified to determine the root cause of specific issues and areas.

The newly implemented Code of Conduct should address many of these issues. Senior leaders will also organize community forums in an effort to improve communication and shared governance. The Campus Quality Survey team should also move forward with plans to conduct focus group meetings in an effort to identify specific areas of concern. The Foundation requested separation from DSU during the fall 2010 semester. As a result, a new operating agreement is currently being drafted per terms of Policy 340.2. Moreover, it is not unusual for two distinct entities to have separate strategic visions. Both DSU officials and Foundation employees will need to work collaboratively for the benefit of the institution and its students. DSU is consistently funded far below its peers.

High

Governance

Lack of communication and interaction between the foundation and a subset of senior leadership at the institution. In addition, a subset of senior leadership at the institution has different strategic visions for long terms goals and growth than the foundation.

Assess the current relationship between the foundation and senior leadership at the institution to determine the level of collaboration between the parties and where there may be specific issues. In addition, compare the strategic visions to identify significant differences that would be considered a risk to future success. No proposed recommendation.

Moderate Concerns related to the legislative session and the funding available to DSU as a result of the session. In addition, the university is significantly underfunded when compared to its peers and there are concerns whether the funding is being disbursed appropriately throughout all the colleges and universities in North Dakota.

©2011 LarsonAllen LLP

13

Enterprise-Wide Risk Assessment | Dickinson State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Reconfirm the verbal contract between the institution and the foundation to determine if the contract should be revised or if the institution should delete its ad hoc database.

Institution Response
DSU will reconfirm the verbal contract between the Foundation and the institution to ensure that a separate database is not being maintained. This will be addressed in the new operating agreement that is currently being negotiated per Board Policy 340.2.

Moderate The institution is maintaining an ad hoc database of alumni and donors; however, under the verbal contract with the Foundation and Alumni organization they are not allowed to do so. Low The university is not PCI compliant.

Governance

Consider identifying PCI compliance as an initiative, including resource dedication, to become compliant in the future. In addition, reach out to other colleges and universities that are compliant across the System to determine the steps other institutions took to become compliant, lessons learned, etc. Review procedures to monitor international students while attending the university and their departure from the U.S. Determine if procedures are documented, communicated, and if proper monitoring controls are in place.

Low

Monitoring of international students while attending the university and monitoring their departure from the U.S., procedures to verify and document their departure, etc.

©2011 LarsonAllen LLP

14

Enterprise-Wide Risk Assessment | Dickinson State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Develop policies and procedures for the grant process. Review documents on an ongoing basis to determine if changes should be made.

Institution Response
Department Chairs and Program Directors discussed grant policies and procedures during a VPAA Council recent meeting. Current forms were reviewed and a consensus was reached to develop uniform policies and procedures to ensure consistency and accurate tracking of all grant applications. All grants are currently tracked in a specified fund in the general ledger. The institution may consider hiring a grant officer (or designate this task to an existing employee) to track and monitor grants.

Moderate Lack of grant related policies and procedures, specifically the overall grant lifecycle, expense allocations, coordination of proposing on grants once the grant(s) have been identified, specifically persons that should be involved, timing, knowledge of qualification requirements, etc. Moderate A grant roster is not maintained to centrally track and monitor completeness and accuracy of current grants, renewal of grants, etc. Low Grant expenses, including payroll expenses, may not be applied to the correct grant or expenses may be inaccurately applied due to lack of attention to detail. Lack of resources to identify new grant opportunities.

Develop a grant roster to centrally track and monitor grants and enhance visibility of the status of all grants.

Grant Administration

Review the current processes to code/assign expenses to grants and determine if proper internal controls exist to minimize the risk of coding expenses to incorrect grants or applying inaccurate expense amounts. Perform a cost/benefit analysis to determine if it makes good business sense to dedicate additional resources to the grant identification process. Team with the Foundation and Alumni organization to identify root causes for untimely processing of cash receipts and determine if the Business Office and Strom Center could assist with improvements in the process.

Low

Low

The Foundation and Alumni organization does not always process gift receipts timely and alert the Business Office and Strom Center timely, resulting in financial reports to lag a month or two.

©2011 LarsonAllen LLP

15

Enterprise-Wide Risk Assessment | Dickinson State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations

Institution Response
DSU adheres to open records policy as do the other 10 institutions including NDUS. This includes email records. When open records request is made, procedures are followed ensuring FERPA and HIPAA guidelines are accounted for. Senior leaders will need to work with supervisors to ensure necessary documentation of performance issues. Training sessions related to annual evaluations, probationary employment status, and work improvement plans will need to be scheduled during the 2011-2012 academic year.

Moderate There are no policies and procedures Develop a policy to define the process and related to information that staff or faculty approvals necessary to obtain employee may obtain about another employee (i.e. emails. emails from IT) and appropriate measures that need to be taken to obtain the information. Moderate Performance evaluations for staff and faculty are not consistently tracked and monitored by the Human Resources group to ensure they are completed. In addition, managers of functional areas are not always rating employee’s performance appropriately. Managers will discuss substandard performance with Human Resources but not always document substandard performance on evaluation documentation. Moderate There is not a consistent process to track and monitor compensatory time, resulting in disagreements between managers and their direct reports related to accumulation of time, reduction of time when taken, available time remaining, etc. Low A faculty sick leave policy was implemented within the fiscal year and there are concerns related to the consistency in adhering to the policy within the functional areas and human resources are not involved unless the faculty member is out for two or more weeks. Identify a consistent method to track and monitor the completion of performance evaluations for staff and faculty. Consider utilizing the current PeopleSoft module to complete performance evaluations in the system with an automated workflow to forward to the reviewer. In addition, consider offering a training related to supervision of employees and discipline and the importance of accurately documenting performance evaluations to reflect true performance. Develop a consistent process institutionwide to track and monitor compensatory time and require all time to be reported and documented utilizing the process to reduce conflicts related to the time.

Human Resources & Payroll

Senior leaders will need to work collaboratively with the Coordinator of Human Resources to develop a consistent policy regarding the tracking and use of compensatory time.

Assess each functional area to determine their understanding of the current faculty sick leave policy and to emphasize the importance to consistently adhere to the policy.

©2011 LarsonAllen LLP

16

Enterprise-Wide Risk Assessment | Dickinson State University

Functional Risk Area / Process Ranking
Low

Identified Risk
There are concerns related to the accuracy of the human resources master file. Job descriptions are not up-to-date.

Proposed Recommendations
A review should be performed of the human resources master file to determine if changes need to be made to update information for staff and/or faculty members. Review all job descriptions and determine if updates need to be made. Make updates as needed. In addition, if it is determined that a job description does not exist for a position, per the review, develop a job description for the position. Consider moving the data center to a more secure location.

Institution Response

Human Resources & Payroll

Low

High

The data center is located in the basement of May Hall and contains windows in the room.

Information Technology

The cost versus risk assessment needs to be considered. The current location is secure, although there is a slight risk of flooding in the current location. The geographical topology of this location is on a hill. In at least 17 years, moisture has not been a concern. Extensive wiring infrastructure would be cost prohibitive. Water pipe breaks are similar risk at any location. Windows have coverings preventing viewing from outside. All windows are locked.

©2011 LarsonAllen LLP

17

Enterprise-Wide Risk Assessment | Dickinson State University

Functional Risk Area / Process Ranking
High

Identified Risk

Proposed Recommendations

Institution Response
Senior leaders will need to work collaboratively with the Director of Computer Services and NDUS representatives to develop and document a formal disaster recovery plan that is consistent with system-level policies and procedures. A formal plan has not been made.  Best practices are followed.  A document does exist for administrative credentials to all systems.  Cross training is done to a reasonable degree.  Primary systems are redundant. (e.g. DSU holds replica of Active Directory database).  Email host offsite. Backup media stored in vault in library.

There is no formal disaster recovery plan. Develop and document a formal disaster recovery plan. This would include, but is not limited to:  Risk exposures  Recovery team responsibilities  First response process and procedures  Functional assessment process  Asset protection  Communications approach  System recovery timeframes  Maintenance and testing  Training

Information Technology

Moderate Data back-ups are stored on-site in the data center. Moderate Shared folders are not restricted on the network. A policy is in place to restrict personnel from maintaining confidential information in the shared folders, but confidential information has been found in the past.

Identify an off-site storage site to maintain data back-ups. Employee’s homes should not be utilized. Develop and assign user roles within shared folders to restrict access to confidential information.

The local share is for temporary use of faculty and students for assignments, syllabi. Staff use local share for forms. All users are instructed not to store confidential data here and are only given access as needed. Microsoft SharePoint is now (Aug 2011) being used, designing security as needed.

©2011 LarsonAllen LLP

18

Enterprise-Wide Risk Assessment | Dickinson State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations

Institution Response

Moderate Laptops issued to staff and faculty is not encrypted. In addition, USB drives purchased by functional departments are not password protected or encrypted.

Develop a policy that requires all laptops The NDUS is working toward full encryption and USB drives to be encrypted. In addition, on all computers. determine if the process to issue technology  Employees are instructed to store related items should be centralized within confidential data on SharePoint. the IT group to allow for consistency and  Encryption of all these devices is cost adherence to policy. prohibitive and resource intensive. Many USB are purchased without knowledge of IT staff. Consider technically enforcing security measures on mobile devices to enhance security. Currently being addressed by 1901.2  Discussion is being done at the NDUS level.  This requires agreements with multiple vendors.  Users’ personally owing these devices is also a challenge.

Information Technology

Moderate A mobile device policy is in place; however, appropriate security measures have not been technically enforced to support mobile devices.

Low

Password parameters for Active Directory are not technically enforced to require passwords to be changed after a defined period of time. Significant numbers of staff do not lock their computers when leaving their desk.

Consider changing the password parameters in Active Directory to technically enforce passwords to be changed every 90 days. Develop a policy to require all staff and faculty to lock their computers when leaving their desks to increase overall security of information on their computers. Perform a review to determine if information drafted in publications could be combined in certain instances to allow for time and cost savings.

Low

Low Marketing & Communications

Duplicate information is being drafted in publications that could potentially be combined to save time and costs.

©2011 LarsonAllen LLP

19

Enterprise-Wide Risk Assessment | Dickinson State University

Functional Risk Area / Process Ranking
Low

Identified Risk

Proposed Recommendations

Institution Response

Remodeling and technology upgrades are Continue to prioritize capital projects, needed for the library to better renovations, and maintenance needs across accommodate student learning. campus to determine if the library is a priority in the next fiscal year’s budget. The bookstore sales return policy is not consistently followed. Certain functional areas require the bookstore to make several exceptions to the policy. Concerns with theft in the bookstore. There are no security cameras, security system, and students are trying on apparel in the restrooms. The bookstores apparel and inventory is sold at offsite campus events. All inventory and sales are manually tracked and entered into the POS system after the event. Clubs, departments, organizations, etc. are not required to consider the bookstore when making purchases or involving the bookstore in the bidding or proposal process. Review the bookstore sales return policy to determine if changes should be made to the policy or if the policy is appropriate and current practices should be changed to adhere to the policy. Perform a cost/benefit analysis to determine if security measures and/or designated fitting rooms should be implemented. Review the internal controls in place for selling bookstore apparel and inventory at offsite campus events to determine if additional controls should be implemented and if current controls are operating effectively. Develop a policy that requires clubs, departments, organizations, etc. to submit a request for proposal to the bookstore to bid on the purchases.

Low

Low Operations & Auxiliary Services Low

Low

©2011 LarsonAllen LLP

20

Enterprise-Wide Risk Assessment | Dickinson State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations

Institution Response
On-going expectation exists to improve efficiency.

Moderate Overall employee work load is a concern. Perform an assessment to determine how Most functional areas identified some resources are being utilized across all level of personnel needs. functional areas, tracking of hours worked, efficiencies that could be gained, etc. Moderate There has been a high turnover rate in key leadership positions in the last several years. Faculty & Staff Moderate Lack of succession planning and cross training for most positions within the institution. No proposed recommendation.

The Coordinator of Human Resources conducted an audit to determine why individuals were leaving DSU. DSU should move forward with plans to cross train employees whenever feasible.

Functional areas should evaluate where it is most critical to implement succession plans and cross train employees. Develop an action plan to implement and cross train where necessary. Continue to benchmark wages with other North Dakota colleges and universities.

Low

Recruitment and retention of staff and faculty is a concern, specifically as it relates to the compensation offered and the competition with the oil field positions.

©2011 LarsonAllen LLP

21

Enterprise-Wide Risk Assessment | Dickinson State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Perform a cost/benefit analysis to determine if it makes good business sense to hire personnel who are fluent in languages specific to the countries targeted for international students or if alternative countries should be targeted based on language capabilities at the institution.

Institution Response
DSU officials strictly adhere to the terms of the Articulation Agreements and MOUs currently in place with our international partners. SEVIS requirements are also adhered to. Three years ago, DSU began providing ESL service in an effort to help international students improve their English skills. DSU officials will continue to look for ways to ensure uniform and consistent application of TOEFL scores in an effort to improve its screening of international applicants. The VP of Student Development and the VP of Financial Affairs co-chair a Housing Committee that is exploring near, mid, and long range solutions to the housing shortage oncampus and in the Dickinson community.

Moderate Several international students are not fluent in English and the institution does not have staff and/or faculty capable of speaking the languages to accommodate students, resulting in the inability to provide these students with the academic and student experience that is the same as all other students.

Student Affairs

Moderate The cost to live off campus has significantly increased due to the oil fields, resulting in limited residence hall space as students are staying on campus a longer period of time. Low Lack of recruiting efforts at local DSU events where high school student attendance is high. In addition, there is a stronger focus on international student recruitment than the five-state region.

Perform a cost/benefit analysis to determine if it makes good business sense to build additional residence halls, add on to existing, or another alternative. Review the current strategy to recruit students and determine if there is an appropriate balance of domestic and international students. In addition, determine if additional recruiting efforts should be focused on attendance of staff and faculty at local DSU events where high school student attendance is high.

©2011 LarsonAllen LLP

22

Enterprise-Wide Risk Assessment | Dickinson State University

Functional Risk Area / Process Ranking
Low

Identified Risk
Mental health and medical issues are increasing in the student body and the institution does not have a counselor. Student contact information is not updated and maintained on an ongoing basis, resulting in inaccurate information in the database.

Proposed Recommendations
Perform a cost/benefit analysis to determine if a counselor position should be created. Review the current procedures to update and maintain the database that houses student contact information and determine if additional resources should be allocated to enhance the accuracy of information. Develop a process to track and monitor collaborative students and qualification requirements to receive financial aid. Determine if current technology could assist in the process.

Institution Response

Student Affairs

Low

Moderate Tracking and monitoring of collaborative students and qualification requirements to receive financial aid, specifically declared institution of graduation, institution enrollment, grades received, etc. If a student is not currently enrolled in classes in the declared institution of graduation, the financial aid office cannot monitor their eligibility of a financial aid Student Financial recipient. Processing Moderate Royalties received to support the internal scholarship program are decreasing and five year commitments are made to students to receive scholarship dollars as long as their GPA is appropriate. There is a risk that the institution is overcommitting scholarship funds or will be in the future.

DSU currently has the largest number of collaborative students in the state. DSU will need to develop a process to track and monitor collaborative students and qualification requirements to receive financial aid.

Perform an assessment to determine if there are enough funds to support the internal scholarship program commitments that have been made. Adjust future program commitments as necessary based on the assessment results.

The Acting President has formed a committee to examine how institutional aid is dispersed. Roughrider scholarship changes have also been implemented.

©2011 LarsonAllen LLP

23

Enterprise-Wide Risk Assessment | Dickinson State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Continue to educate faculty about the importance of submitting book and material requests timely. In addition, identify alternative methods of communication and education.

Institution Response
Senior leaders will work closely with Deans, Chairs, and Program Directors to ensure compliance with policies regarding book and material requests.

Moderate Certain faculties do not submit their book/material requests to the bookstore timely or change the books/materials near the start date of a semester, resulting in the bookstore not being able to provide books/materials timely to students, keep costs effective and affordable, and possibly cause the institution to be in violation of the Higher Education Opportunity Act. Moderate It is challenging to identify the last day a student attended classes if they have dropped out and are to pay back financial Student Financial aid already received. This is especially Processing difficult for collaborative students.

Review the current process to identify when a student last attended classes to determine if improvements could be made. In addition, team with other college and universities to develop a consistent process for collaborative students.

Polices and procedures regarding attendance tracking were discussed with Deans, Chairs, and Program Directors. Faculty will need to document student attendance in order to comply with federal mandates regarding the last date of attendance. These issues will be discussed during a Financial Workshop scheduled for October 17th.

Low

Ability to stay proactive related to financial aid federal compliance. Changes in legislation are not always known and implemented timely. In addition, interpretation of regulations is difficult.

Develop an action plan with specific measurable goals to continually monitor and stay abreast of financial aid federal regulations. Discuss regulations with the System Office and other colleges and universities in ND, as needed, to compare interpretations and gain additional confidence that DSU is in compliance. In addition, consider performing an internal audit to review compliance with regulations.

©2011 LarsonAllen LLP

24

Enterprise-Wide Risk Assessment | Dickinson State University

Functional Risk Area / Process Ranking
Low

Identified Risk
Implementing financial aid regulation changes timely and managing the student experience while implementing changes is a challenge. Duplicate requests are sometimes required of students when changes in regulations occur during the submission and award process. Concerns related to communication between faculty and the Financial Aid department to understand the impact of curriculum changes on financial aid distribution and regulations. There was a fraudulent high school diploma and transcript received and there are concerns related to how many fraudulent documents have been used to be a recipient of financial aid that have not been identified. Concerned that the Financial Aid Department is managed under Student Affairs.

Proposed Recommendations
Continue to implement regulation changes as soon as possible to minimize duplicate requests when processing and awarding financial aid. In addition, review the current process to determine if efficiencies could be gained. Additional communication and training should be implemented to improve understanding of financial aid requirements and the impact of curriculum changes. Consider providing training to staff who review documents collected in the application process to enhance the identification of fraudulent documents and create awareness. Perform an assessment to determine if it makes good business sense to keep Financial Aid under Student Affairs, have the group be self-governed, or another option.

Institution Response

Low

Student Financial Processing Low

Low

©2011 LarsonAllen LLP

25

Enterprise-Wide Risk Assessment | Dickinson State University

Appendix
Impact Criteria
IMPACT CRITERIA
FINANCIAL (1) Asset size (2) Prior negative exposure (3) Rapidly increasing transaction volume STAKEHOLDER (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns REPUTATION (1) Potential adverse issues are known to external parties, such as media and regulatory bodies LEGAL / REGULATORY (1) Any Federal/ State/Other action (2) External Audit reportable conditions OPERATIONS (1) Current infrastructure cannot support business strategy

HIGH

MEDIUM

(1) Asset size (2) Major potential cost (3) Transaction volume stable

LOW

(1) Asset size (2) Minor potential cost (3) Transaction volume stable

(1) Management, employees and faculty may be affected by process inefficiencies or control breakdown (1) No management, employees and faculty are affected by process inefficiencies or control breakdown

(1) Potential adverse issues could impact customers

(1) Issues identified by Federal/State/ Other (2) Issues identified by External Audit (1) No issues identified by Federal/State/ Other (2) No issues identified by External Audit

(1) Current infrastructure is able to support business strategy with work arounds (1) Current infrastructure is able to support business strategy

(1) Potential adverse issues could impact employees

Vulnerability Criteria
VULNERABILITY CRITERIA
CONTROL EFFECTIVENESS AND EFFICIENCY SPEED OF RESPONSE COMPLEXITY PEOPLE OPERATIONAL EFFICIENCY SYSTEM CAPABILITY RATE OF CHANGE

Controls are not working or do not exist.

HIGH

No method for anticipating and accessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.

Manual processes with many data transfer points and owners

MEDIUM

Controls are detective but not preventative and there may or may not be effective reporting.

A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.

Automated process encompassing multiple systems and owners.

A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists. A limited number of staff and/or staff has moderate competency to manage risk event.

High/unmeasure d cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.

Systems are not operating as designed or design is flawed; very limited controls

Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.

Systems are operating as designed, but design can be improved; controls are bolted on top of the system.

LOW

Controls are appropriately preventive and detective and there is effective reporting.

A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.

Automated processes with integrated systems.

Most staff has high competency to manage risk events.

Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.

Systems are designed, implemented, and operating effectively; controls are embedded in the system.

Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months. Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months. Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.

©2011 LarsonAllen LLP

26

Lake Region State College Risk Assessment Results
October 14, 2011

Craig W. Popenhagen, CPA Principal 612/397-3087 cpopenhagen@larsonallen.com

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Lake Region State College

220 South Sixth Street, Suite 300 Minneapolis, MN 55402-1436 612-376-4500, Fax 612-376-4850

October 14, 2011 Dr. Mike Bower Lake Region State College 1801 College Drive N. Devils Lake, ND 58301-1598 Dr. Bower, This report provides you, Lake Region State College (LRSC) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board’s acceptable risk level. LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided. In addition, the procedures performed by LarsonAllen are not a substitution for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide Lake Region State College with insight to inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project. We appreciate the opportunity to assist Lake Region State College. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance. Sincerely, LarsonAllen LLP

Craig W. Popenhagen, CPA Principal 612/397-3087 cpopenhagen@larsonallen.com

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Lake Region State College

Table of Contents
Executive Summary
What is Risk Assessment? Risk Assessment Methodology


1  1 

Project Overview
Objectives and Scope Approach


4  4 

Risk Assessment Results
Enterprise-Wide Risk Map Detailed Results


6  6 

Appendix
Impact Criteria Vulnerability Criteria

16 
16  16 

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Lake Region State College

Executive Summary
LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for Lake Region State College. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically. Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical representation of the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Detailed results are also provided communicating the explanation for the risk ranking and recommendations for addressing the risks.

What is Risk Assessment?
Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution whether it is entity or process level.  Entity level is the cornerstone for effective control and its objectives provide guidance on what the entity wants to achieve. It should be consistent with budget, strategy, and business plans.  Process level should align with entity level objectives but differ in that they relate directly to goal setting with specific targets and deadlines. It provides guidance for management focus.

Risk Assessment Methodology
The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for the Lake Region State College.

©2011 LarsonAllen LLP

1

Enterprise-Wide Risk Assessment | Lake Region State College

Understand the Client’s Business: We begin by understanding the North Dakota University System’s (the System) business by gathering the business objectives, goals, and strategies and identify the System’s various universities and colleges in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry. Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of an institution to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken in the form of missed opportunities. There are six types of risks:  Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the institution’s inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the institution’s reputation.  Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.  Operational: The risk that the institutions operational processes are not achieving the objectives they were designed for to support the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.  Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.  Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the institution and the availability and quality of information the institution can access to support decision making, and the security of key information.  Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships. Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.

©2011 LarsonAllen LLP

2

Enterprise-Wide Risk Assessment | Lake Region State College

Areas of Focus               

Definitions Financial Stakeholder Reputation Legal / Regulatory Operations

Impact

Vulnerability

Control Efficiency & Operating Effectiveness Speed of Response Complexity People Operational Efficiency System Capability Rate of Change

Measurement Scale

High Risk Moderate Risk Low Risk

Execute Risk Assessment Approach: We begin by identifying various interview participants, including key risk owners and conduct interviews, as applicable. Key risks are gathered during this stage and results are ranked by defined impact and vulnerability criteria. Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then validated and shared with management, as appropriate. By prioritizing and validating risks, Lake Region State College can align and prioritize its resources to manage and mitigate risks appropriately.

©2011 LarsonAllen LLP

3

Enterprise-Wide Risk Assessment | Lake Region State College

Project Overview
Objectives and Scope
The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at Lake Region State College and assess the levels of risk within each of the process areas. In addition, provide Management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process. The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution: Functional Area / Process
Academic Affairs Athletics Campus Safety & Security Continuing Education Emergency Preparedness Environmental Health & Safety Financial Close & Reporting

Detailed Coverage of Functional Area / Process
On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance, player and spectator liability Building security, campus police/security Non-credit courses, community programs, workforce training, conference management Emergency preparedness and response procedures, business continuity, risk management Physical safety and soundness of campus buildings, environmental risks, facilities/classroom Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action Grant tracking and monitoring, accounting, budgeting, reporting Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk Social media, publications, web development, brand and logo, advertising channels Bookstore, libraries, food services Workforce training, competency, professional environment, conflict of interest Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services Student financial aid, tuition, enrollment fees, scholarships, funding, student loan processing
4

Governance Grant Administration Human Resources & Payroll Information Technology

Marketing / Communications Operations & Auxiliary Services Faculty & Staff Student Affairs

Student Financial Processing

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Lake Region State College

Approach
With the assistance of Lake Region State College management, LarsonAllen identified 22 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area. Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).

©2011 LarsonAllen LLP

5

Enterprise-Wide Risk Assessment | Lake Region State College

Risk Assessment Results
Enterprise-Wide Risk Map
The enterprise-wide risk map communicates the risk results at the functional area / process based on the information obtained during the interviews. The description of the risk map is as follows:    Green – Low Risk Yellow – Moderate Risk Red – High Risk

©2011 LarsonAllen LLP

6

Enterprise-Wide Risk Assessment | Lake Region State College

Detailed Results
Per discussions with process owners, LarsonAllen identified several processes where specific risks may exist. These risks identified were considered in the overall risk ranking of each key financial, operational, and IT processes. The risks identified were based upon discussions with process owners and not based on actual testing of controls. The following is a list of the risks identified by LarsonAllen, in addition to the risk ranking and recommendations for addressing the risks. Functional Risk Area / Process Ranking
High

Identified Risk
Federal funding for the Trio Program has been significantly reduced over the past several years.

Proposed Recommendations
No proposed recommendation.

Institution Response
No additions/corrections requested.

Moderate Tracking and monitoring of information to be compliant with various laws and regulations for international students (i.e. I-20 paperwork, working restrictions).

Continue to stay abreast with laws and regulations and diligently track and monitor the information required to report for international students.

Request by Higher Learning Commission (HLC) visiting team in February 2011, to add position for Institution Research to track and monitor as been implemented. New position (Assistant VP for Instruction) as recommended by HLC was added to administrative staff to monitor and address faculty concerns as requested by students. Record access is now in an area under lock programmable key/password. Camera surveillance is 24/7.

Moderate Faculties are not always providing timely Develop a policy that requires faculties to feedback to students, including test scores. provide timely feedback to students with specific examples and timelines to follow. In addition, implement a process to monitor the process. Academic Affairs Low Concerns related to the protection of student records and information, specifically the security of the location in which records and information is stored. Review policies and procedures that address the protection of student information and internal controls in place protecting information to determine if enhancements should be made. If policies and procedures are not in place, consider developing. Perform a cost/benefit analysis to determine if it makes good business sense to continue classes, programs, and majors that have low enrollment. In addition, determine if additional classes and programs should be created in certain areas to support growth.

Low

Concerns related to certain classes that are being offered due to low enrollment and programs that are offered with no majors. In addition, there is potentially a lack of class and program offerings in certain areas to support growth.

On a biannual basis, an internal team of staff and faculty will review courses and programs offered. In addition, every ten years, the HLC commission will perform a review. It was determined that a policy is in place for courses and program cancellation process is followed and addition of new programming to meet student needs is reviewed.

©2011 LarsonAllen LLP

7

Enterprise-Wide Risk Assessment | Lake Region State College

Functional Risk Area / Process Ranking
Low

Identified Risk
Students are required to report criminal offenses on their applications based on an “on your honor” approach and there is a risk that students may not report offenses.

Proposed Recommendations
No proposed recommendation.

Institution Response
No additions/corrections requested.

Low Academic Affairs Low

Enrollment will decrease if the Grand No proposed recommendation. Forks Air Force Base were to stop offering courses which has been discussed at previous legislative sessions. The number of high school students graduating from North Dakota is declining and competition is high with other North Dakota colleges and universities to attract and retain students. Reading and writing skills of students at LRSC are below the national average. There are only two athletic programs; therefore, the institution appears less appealing for students who would like to be involved in an athletic program, affecting overall enrollment numbers. Adequacy of cash handling and monitoring controls around concessions, ticket, and fund raising revenue. Continue to identify opportunities on how to reach out to a broader group of potential students. In addition, market studies should be performed on potential major and course offerings to improve enrollment. No proposed recommendation. Perform a cost/benefit analysis to determine if additional athletic programs should be added to the institution.

No additions/corrections requested.

No additions/corrections requested.

Low High

No additions/corrections requested. Agree. Men and women’s basketball are the two athletic programs in place and additional programs need to be added to enhance overall enrollment. No additions/corrections requested.

Athletics Low

Internal controls should be reviewed to identify potential risks related to existing cash receipts processes.

©2011 LarsonAllen LLP

8

Enterprise-Wide Risk Assessment | Lake Region State College

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Develop a policy and procedures addressing safety and security on campus, including specific actions to take when an incident occurs. Communicate and train all applicable employees on the procedures.

Institution Response
Institution Risk Management team in place to complete documentation with camera surveillance 24/7 for all plant facilities and campus parking location.

Moderate Policies and procedures are not in place to address safety and security incidents that occur on campus and specific actions to take. Campus Safety & Security

Moderate Appropriate security resources are not in place to perform sufficient ongoing monitoring across campus.

Review the available security resources or Again camera surveillance 24/7 for all plant time allotted for police force to be on facilities and campus parking location. campus and determine if additional resources are needed or if additional security measures should be implemented. Assess whether the appropriate number of resources, proper oversight, internal controls, relevant procedures, etc. are in place to support the successful growth of the Train ND program. In addition, consider documenting the long-term strategic plan of the program and create measurable goals to perform against. Train ND was reorganized in 2008 to address the needs of Business & Industry throughout the N.E. region. Additional trainers and consultants were added and training is always a work in progress.

Moderate Significant growth and change has occurred in the Train ND program over the last several months. Continuing Education

Moderate The flooding of Devils Lake and the No proposed recommendation. impact for employees to get to work, longterm existence of college, etc. Emergency Preparedness Moderate Lack of communication and training Identify additional ways to communicate related to emergency response procedures. emergency response procedures and provide training and testing that involves several areas across the institution.

Working with local and state agencies on a continuing basis to assist students and families to have access to the college through face-toface or technology connections. Risk Management team developing procedures to address campus emergencies.

©2011 LarsonAllen LLP

9

Enterprise-Wide Risk Assessment | Lake Region State College

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Continue to prioritize capital project needs across campus to determine if installation of the generator should be priority in the next fiscal year’s budget. Consider finalizing the Risk Management Plan and communicating the Plan to applicable personnel across campus. Continue to prioritize capital project needs across campus to determine if additional classroom space should be priority in the next fiscal year’s budget. Consider performing an in-depth analysis of previous years’ budgets and the dollars allotted for the current year to determine if available funds should be allocated differently from previous years. Perform a review of the responsibilities assigned to each individual in the Business Office to determine whether additional responsibilities could be segregated. Consider developing procedures that communicate threshold levels for approval of purchases across campus.

Institution Response
Generator will be evaluated as back-up during the biennium in support of wind turbine installation. No additions/corrections requested.

Emergency Preparedness

Moderate A generator has been purchased to be utilized as a standby power source; however, funding is not available to install the generator. Low The Risk Management Plan is currently in draft form and has not been finalized.

Environmental Health & Safety

Moderate Lack of classroom space to support the largest programs at the institution (i.e. Peace Officer, Nursing). Moderate The institution budgeting process utilizes the “same as last year” approach and does not perform an in-depth analysis to determine if dollars should be allocated differently from the previous year.

Need for Erlandson Center expansion as was denied by legislators during 2011/2013 legislative session. Will move request to next session. Budget requests determined at System level and funded less than 50% of peer institutions. New funding initiatives to be review at state level. Reviews have been performed prior to LarsonAllen visit. Budgeting for additional staff is an on-going issue for institution. Workload from System office increases without additional staffing. No additions/corrections requested.

Financial Close & Reporting

Moderate There is segregation of duties concerns within the Business Office due to the limited staff size.

Low

Purchases are not consistently reviewed and approved prior to purchasing.

©2011 LarsonAllen LLP

10

Enterprise-Wide Risk Assessment | Lake Region State College

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Identify additional methods to communicate the Record Retention Policy and the importance of adhering to the policy. Work closely with the System office to determine if changes should be made to the storage structure and naming of policies to add clarification. Continue to identify additional alumni, community members, and business relationship opportunities to perform fundraising activities. In addition, perform a cost/benefit analysis to determine if additional funding should be allocated to identifying and building these relationships. Develop a procedure that requires all grant expenses to be reviewed on a consistent basis. Team with the System to review the current methods to track and monitor effort reporting to determine if enhancements could be made to the current reporting methods. Alternatively, consider purchasing a grant and effort reporting tool to enhance reporting accuracy and produce information needed internally and for compliance reviews.

Institution Response
Committee implemented to address record keeping and retention workshops have been provide to train staff. This is work in progress when staffing is available to perform tasks.

Moderate Lack of communication related to the Record Retention Policy, knowledge around the policy, and specifically where documents should be stored. Moderate Lack of understanding by end users for how NDUS policies are categorized and where they are stored. In addition, policies are not always clearly titled to reflect content. Low Devils Lake is a small community and local community members and businesses are continually tapped for fund raising and donation dollars making it difficult to continually increase the amount raised each year.

Governance

No additions/corrections requested.

Moderate A detailed review is not consistently performed for grants expenses. Moderate PeopleSoft does not currently have the capability to track and monitor effort reporting, resulting in the inability to produce all information needed for a compliance review.

Grant expenses review by grant fiscal agent in coordination with business office. Working with grant office at the System side to address issues if noted through Office Management and Budget.

Grant Administration

©2011 LarsonAllen LLP

11

Enterprise-Wide Risk Assessment | Lake Region State College

Functional Risk Area / Process Ranking
Low Grant Administration

Identified Risk
Policies and procedures are not in place specific to effort reporting.

Proposed Recommendations
Develop policies and related procedures specific to effort reporting. In addition, communicate to applicable parties and review documents on an ongoing basis to determine if changes need to be made. Human Resources and senior management should assess current FTE workload by department. Identify areas of concern and suggest departmental changes to better manage existing workload. Review training opportunities for each functional area and level across the institution to determine where training is a priority. Consider offering training to those areas identified as priority and continue to assess on an ongoing basis the need to offer training to other areas and levels deemed less significant. Assess the current method to track and monitor the completion of performance evaluations and determine if changes should be made to enhance the consistency of monitoring and follow-up activities. Continue the current initiative to develop and document a formalized new hire orientation process.

Institution Response
There is minimal grant activity at the institution and effort reporting has been in place and is monitored through working relationship of institution with North Dakota Office of Management Budget. Workload is ALWAYS in review by Administrative Council and determination to assign additional personnel is based on the review/analysis and budgetary constraints. Many employees wear several “hats” and a shortage of personnel positions including a full- time HR representative to address needed in-house training.

Moderate Overall employee work load is a concern. Most functional areas identified some level of personnel needs.

Moderate There is lack of training in most positions across the institution.

Human Resources & Payroll

Moderate Performance evaluations for staff are not consistently completed by departments and tracked and monitored by the Human Resources group to ensure they are completed. Low There is not a formalized and documented new hire orientation process.

Monitoring by HR is an issue due to the need of a full-time HR representative to work with individual departments.

No additions/corrections requested.

Low

Lack of detailed job descriptions for all Review all job descriptions and determine if positions. In addition, job descriptions that updates need to be made. In addition, if it is do exist are not up-to-date. determined that a job description does not exist for a position, per the review, develop a job description for the position.

No additions/corrections requested.

©2011 LarsonAllen LLP

12

Enterprise-Wide Risk Assessment | Lake Region State College

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Complete the disaster recovery plan and update portions that are not up-to-date. The disaster recovery plan should include, but is not limited to:  Risk exposures  Recovery team responsibilities  First response process and procedures  Functional assessment process  Asset protection  Communications approach  System recovery timeframes  Maintenance and testing  Training

Institution Response
Disaster plan is on-going through reorganization of risk management and updated required.

Moderate The disaster recovery plan is not complete. In addition, the portion that is completed and documented are not up-todate.

Information Technology

Moderate Data back-ups for network files are stored Identify an off-site storage site to maintain on-site in the data center and taken off-site data back-ups for network files. Employee’s to someone’s home periodically and homes should not be utilized. stored in a safe. Moderate Lack of PeopleSoft training, specifically to provide additional education of the overall functionality available in the application and to possibly reduce manual work-arounds. Consider offering employees the opportunity to attend PeopleSoft training to provide additional education of the overall functionality available in the application and to possibly reduce manual work-arounds. In addition, detailed procedures should be documented by employees who attend the training to reduce knowledge that is lost with turnover in positions. Consider moving the data center to a more secure location or removing the window.

The president is unaware or has not been provided information that "back-ups are taken home" and person or persons responsible will be identified and procedure stopped. The “lack of PeopleSoft training” is due to addition of new staff scheduling for orientation and the lack of needed staff throughout the college to address increased operational tasks.

Low

The data center is located in an office that has windows.

The window was scheduled for removal prior to the risk assessment process; however, was not actually removed until after the risk assessment process was complete.

©2011 LarsonAllen LLP

13

Enterprise-Wide Risk Assessment | Lake Region State College

Functional Risk Area / Process Ranking
Low Marketing & Communications

Identified Risk

Proposed Recommendations

Institution Response

The Logo Policy is vague and the logo Update the Logo Policy to be more clear and No additions/corrections requested. utilized across the institution is not always concise on proper use of the institution logo. the approved logo via the policy. In addition, identify additional methods to communicate the Logo policy and the importance of adhering to the policy. Functional areas should evaluate where it is most critical to implement succession plans and cross train employees. Develop an action plan to implement and cross train where necessary. Continue to benchmark wages with other North Dakota colleges and universities. Cross training is a need and will be addressed in next budget cycle.

Moderate Lack of succession planning and cross training for most positions within the institution.

Operations & Auxiliary Services

Moderate Recruitment of qualified staff and faculty is difficult, specifically as it relates to the compensation offered and the location of the college. Low

Human Resources are proactive in benchmarking with business & industry.

The library’s hours have been reduced due Perform a cost/benefit analysis to determine to the lack of resources to operate the if additional resources should be considered library. at the library. Continue to perform candidate searches to attract qualified faculty. In addition, continue to benchmark wages with other North Dakota colleges and universities. Continue to prioritize capital projects, renovations, and maintenance needs across campus to determine if residence halls and/or common areas are a priority in the next fiscal year’s budget. Perform a cost/benefit analysis to determine if a counselor position should be created.

No additions/corrections requested.

Faculty & Staff

Moderate Concerns related to the ability to identify qualified candidates for faculty positions, specifically nursing. Moderate Residence halls and common areas need to be remodeled and utilized to attract more students.

Qualifications and salary is given a priority for the best faculty to address student learning.

Remodeling is budgeted for every cycle and is addressed through the summer when the student population is away to allow work to be performed. No additions/corrections requested.

Student Affairs Low Mental health and medical issues are increasing in the student body and the institution does not have a counselor.

©2011 LarsonAllen LLP

14

Enterprise-Wide Risk Assessment | Lake Region State College

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Document a policy and related procedures addressing the admissions process requirements, including documents and information required to complete the admissions file, deadline to complete the file, risks of not completing the file, etc.

Institution Response
These are isolated incidents and have been addressed. Cannot always assure 100% due to large number of student registration periods and lack of personnel.

Moderate Student admission files are not always completed timely and students have been allowed to continue their education at the institution without a complete admissions file violating financial aid eligibly. Moderate Ability to stay proactive related to financial aid federal compliance. Changes in legislation are not always known and Student Financial implemented timely. In addition, Processing interpretation of regulations is difficult.

Develop an action plan with specific Internal audits are in place and reviews will be measurable goals to continually monitor and performed on an annual basis. stay abreast of financial aid regulations. Discuss regulations with the System Office and other colleges and universities in ND, as needed, to compare interpretations and gain additional confidence that LRSC is in compliance. In addition, consider performing an internal audit to review compliance with regulations. Review financial aid policies and procedures Federal policies and procedures often “lag” on an ongoing and consistent basis (i.e. behind causing implementation for current annually) and make changes as deemed student financial needs. necessary.

Moderate Policies and procedures addressing financial aid are not updated on an ongoing basis to reflect current practices and changes in regulations.

©2011 LarsonAllen LLP

15

Enterprise-Wide Risk Assessment | Lake Region State College

Appendix
Impact Criteria
IMPACT CRITERIA
FINANCIAL (1) Asset size (2) Prior negative exposure (3) Rapidly increasing transaction volume STAKEHOLDER (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns REPUTATION (1) Potential adverse issues are known to external parties, such as media and regulatory bodies LEGAL / REGULATORY (1) Any Federal/ State/Other action (2) External Audit reportable conditions OPERATIONS (1) Current infrastructure cannot support business strategy

HIGH

MEDIUM

(1) Asset size (2) Major potential cost (3) Transaction volume stable

LOW

(1) Asset size (2) Minor potential cost (3) Transaction volume stable

(1) Management, employees and faculty may be affected by process inefficiencies or control breakdown (1) No management, employees and faculty are affected by process inefficiencies or control breakdown

(1) Potential adverse issues could impact customers

(1) Issues identified by Federal/State/ Other (2) Issues identified by External Audit (1) No issues identified by Federal/State/ Other (2) No issues identified by External Audit

(1) Current infrastructure is able to support business strategy with work arounds (1) Current infrastructure is able to support business strategy

(1) Potential adverse issues could impact employees

Vulnerability Criteria
VULNERABILITY CRITERIA
CONTROL EFFECTIVENESS AND EFFICIENCY SPEED OF RESPONSE COMPLEXITY PEOPLE OPERATIONAL EFFICIENCY SYSTEM CAPABILITY RATE OF CHANGE

Controls are not working or do not exist.

HIGH

No method for anticipating and accessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.

Manual processes with many data transfer points and owners

MEDIUM

Controls are detective but not preventative and there may or may not be effective reporting.

A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.

Automated process encompassing multiple systems and owners.

A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists. A limited number of staff and/or staff has moderate competency to manage risk event.

High/unmeasure d cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.

Systems are not operating as designed or design is flawed; very limited controls

Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.

Systems are operating as designed, but design can be improved; controls are bolted on top of the system.

LOW

Controls are appropriately preventive and detective and there is effective reporting.

A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.

Automated processes with integrated systems.

Most staff has high competency to manage risk events.

Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.

Systems are designed, implemented, and operating effectively; controls are embedded in the system.

Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months. Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months. Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.

©2011 LarsonAllen LLP

16

Mayville State University Risk Assessment Results

October 14, 2011

Craig W. Popenhagen, CPA Principal 612/397-3087 cpopenhagen@larsonallen.com

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Mayville State University

220 South Sixth Street, Suite 300 Minneapolis, MN 55402-1436 612-376-4500, Fax 612-376-4850

October 14, 2011 Dr. Gary Hagen Mayville State University 330 Third Street NE Main Building 113A Mayville, ND 58257-1299 Dr. Gary Hagen, This report provides you, Mayville State University (MaSU) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board’s acceptable risk level. LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided. In addition, the procedures performed by LarsonAllen are not a substitution for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide Mayville State University with insight to inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project. We appreciate the opportunity to assist Mayville State University. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance. Sincerely, LarsonAllen LLP

Craig W. Popenhagen, CPA Principal 612/397-3087 cpopenhagen@larsonallen.com

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Mayville State University

Table of Contents
Executive Summary
What is Risk Assessment? Risk Assessment Methodology


1  1 

Project Overview
Objectives and Scope Approach


4  4 

Risk Assessment Results
Enterprise-Wide Risk Map Detailed Results


6  6 

Appendix
Impact Criteria Vulnerability Criteria

17 
17  17 

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Mayville State University

Executive Summary
LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for Mayville State University. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically. Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical representation of the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Detailed results are also provided communicating the explanation for the risk ranking and recommendations for addressing the risks.

What is Risk Assessment?
Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution whether it is entity or process level.  Entity level is the cornerstone for effective control and its objectives provide guidance on what the entity wants to achieve. It should be consistent with budget, strategy, and business plans.  Process level should align with entity level objectives but differ in that they relate directly to goal setting with specific targets and deadlines. It provides guidance for management focus.

Risk Assessment Methodology
The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for Mayville State University.

©2011 LarsonAllen LLP

1

Enterprise-Wide Risk Assessment | Mayville State University

Understand the Client’s Business: We begin by understanding the North Dakota University System’s (the System) business by gathering the business objectives, goals, and strategies and identify the System’s various universities and colleges in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry. Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of an institution to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken in the form of missed opportunities. There are six types of risks:  Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the institution’s inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the institution’s reputation.  Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.  Operational: The risk that the institutions operational processes are not achieving the objectives they were designed for to support the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.  Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.  Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the institution and the availability and quality of information the institution can access to support decision making, and the security of key information.  Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships. Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.

©2011 LarsonAllen LLP

2

Enterprise-Wide Risk Assessment | Mayville State University

Areas of Focus               

Definitions Financial Stakeholder Reputation Legal / Regulatory Operations

Impact

Vulnerability

Control Efficiency & Operating Effectiveness Speed of Response Complexity People Operational Efficiency System Capability Rate of Change

Measurement Scale

High Risk Moderate Risk Low Risk

Execute Risk Assessment Approach: We begin by identifying various interview participants, including key risk owners and conduct interviews, as applicable. Key risks are gathered during this stage and results are ranked by defined impact and vulnerability criteria. Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then validated and shared with management, as appropriate. By prioritizing and validating risks, Mayville State University can align and prioritize its resources to manage and mitigate risks appropriately.

©2011 LarsonAllen LLP

3

Enterprise-Wide Risk Assessment | Mayville State University

Project Overview
Objectives and Scope
The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at Mayville State University and assess the levels of risk within each of the process areas. In addition, provide Management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process. The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution: Functional Area / Process
Academic Affairs Athletics Campus Safety & Security Continuing Education Emergency Preparedness Environmental Health & Safety Financial Close & Reporting

Detailed Coverage of Functional Area / Process
On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance Building security, campus police/security Non-credit courses, community programs, workforce training, conference management Emergency preparedness and response procedures, business continuity, risk management Physical safety and soundness of campus buildings, environmental risks, facilities/classroom Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action Grant tracking and monitoring, accounting, budgeting, reporting, foundation, donor concentrations, foundation investment strategy Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk Social media, publications, web development, brand and logo, advertising channels Bookstore, libraries, food services Workforce training, competency, professional environment, conflict of interest Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services Student/financial aid, tuition, enrollment fees, scholarships, funding, student loan processing
4

Governance

Grant Administration

Human Resources & Payroll Information Technology

Marketing / Communications Operations & Auxiliary Services Faculty & Staff Student Affairs Student Financial Processing

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Mayville State University

Approach
With the assistance of Mayville State University management, LarsonAllen identified 21 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area. Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).

©2011 LarsonAllen LLP

5

Enterprise-Wide Risk Assessment | Mayville State University

Risk Assessment Results
Enterprise-Wide Risk Map
The enterprise-wide risk map communicates the risk results at the functional area / process based on the information obtained during the interviews. The description of the risk map is as follows:    Green – Low Risk Yellow – Moderate Risk Red – High Risk

The following functional areas / processes are not on the above risk map as there were no risks identified by stakeholders, per the interview discussions:

Continuing education

©2011 LarsonAllen LLP

6

Enterprise-Wide Risk Assessment | Mayville State University

Detailed Results
Per discussions with process owners, LarsonAllen identified several processes where specific risks may exist. These risks identified were considered in the overall risk ranking of each key financial, operational, and IT processes. The risks identified were based upon discussions with process owners and not based on actual testing of controls. The following is a list of the risks identified by LarsonAllen, in addition to the risk ranking and recommendations for addressing the risks. Functional Risk Area / Process Ranking Identified Risk Proposed Recommendations
Review policies and procedures that address the protection of student information and internal controls in place protecting information to determine if enhancements should be made. If policies and procedures are not in place, consider developing. Perform a cost/benefit analysis to determine if it makes good business sense to continue classes, programs, and majors that have low enrollment.

Institution Response
During each fall pre-service, all policies and procedures are presented to faculty and staff regarding the protection of student information. Also, FERPA guidelines are available in the academic catalog and are reviewed on a regular basis with new faculty and staff as part of their orientation. The MaSU campus size does result in some of the upper level classes to be low enrollment. MaSU will continue to look at options to increase enrollment using technology for distance delivery and collaboration. Degrees that may not currently have any majors still serve an important purpose for support courses for other majors and general education. A comprehensive review including a cost/benefit analysis was completed in 2003 which resulted in a 22% reduction in classes offered. As of the summer 2011, MaSU has an online “Distance Student Handbook” and other improvements to the Extended Learning web presence to address the issues as stated.

Moderate Concerns related to the protection of student information, specifically hard copy records, and if the proper internal controls are in place to safeguard the information.

Moderate Concerns related to certain classes that are being offered due to low enrollment and programs that are offered with no majors. Academic Affairs

Low

Communication to students (i.e. how to drop a class, how to obtain financial aid, etc.) is focused heavily towards on-campus students; however, a significant portion of enrollment is distant learners.

Review communication methods utilized for both on campus students and distant learning students to determine if changes should be made to focus more on distant learners.

©2011 LarsonAllen LLP

7

Enterprise-Wide Risk Assessment | Mayville State University

Functional Risk Area / Process Ranking
Low Academic Affairs

Identified Risk
Lack of targeted email groups by staff and faculty to better reach students. Students receive a significant number of emails by the institution that is not relevant to them and students are assuming emails are junk mail. Compliance with Title IX is an ongoing inherent concern. The institution believes they are in compliance, but are not 100% sure.

Proposed Recommendations

Institution Response

Consider developing email groups to MaSU has email groups specific to each course target specific groups of students in email offered within Moodle. MaSU continues to communication. reduce incoming and campus ‘junk mail’. The university is also evaluating commercial applications that allow targeted e-mail, text messages, etc. to selected students. Perform a compliance audit to determine whether the institution is in compliance with Title IX. We are conscientious about Title IX and feel that we are fully in compliance. We submit information annually on the “Equity in Athletics” report. Additionally, we continually monitor to make sure we are meeting the needs of our student population. All student athletes receiving scholarships sign agreements. Within the agreement there is language stating the specific requirements necessary to maintain the scholarship and the consequences if those requirements are not met. Eligibility of every student athlete is evaluated and certified to make sure the requirements of the NAIA are met. Those not meeting the requirements are not certified and are ineligible for intercollegiate competition. We have a system of checks and balances in place from the point of sale to record of deposit in the business office. Security cameras have been installed in concession stands to monitor employee behavior. Current financial records indicate that concession operations are profitable and we will continue to monitor these operations to ensure profitability.

Low

Low

Lack of consistent communication from functional staff areas to students related to athletic scholarships and eligibility requirements.

Develop a policy related to athletic scholarships and eligibility requirements and communicate to all personnel to enhance consistency in communication.

Athletics

Low

Adequacy of cash and inventory handling, specifically monitoring controls around concessions and ticket revenue. Concession profit margins are not where the institution feels they should be and a root cause has not been identified.

Internal controls should be reviewed to identify potential risks related to existing cash receipts and tracking of inventory processes.

©2011 LarsonAllen LLP

8

Enterprise-Wide Risk Assessment | Mayville State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Perform a cost/benefit analysis to determine if it makes good business sense to purchase additional fire alarms and sprinkler systems in the older residence halls.

Institution Response
Current financial obligations to the Agassiz Hall renovation project will not permit expenditures to upgrade fire alarm or sprinkler systems in other residence halls. Should revenue projections continue positive, consideration will be given to proposing a renovation project in at least one other residence hall, to include installation of a centralized system. There is a digital security camera system ($61,400) in place in all residence and other major buildings. We also completed a campus lighting survey and will consider lighting enhancements as resources allow. Notifind.net is utilized by campus to provide instantaneous messaging to students and employees. This system utilizes cell-phones, email and office phones. Emergency response drills will be scheduled and implemented. A system to prioritize projects and maintenance is being developed. We prioritize projects carefully and involve our campus-wide strategic planning committee when contemplating strategic moves. Recent improvements in facilities across campus have eliminated many old buildings. Old Main and the Gymnasium buildings continue to be areas of concern. The Old Main renovation project will be a high funding priority again to the NDUS to address building safety, and infrastructure improvements.

Moderate There is no centralized fire alarm or sprinkler systems in older residence halls.

Campus Safety & Security Low There is poor lighting across campus, Perform a cost/benefit analysis to additional security cameras are needed, and determine if additional security measures there is one security personnel who is also should be implemented across campus. in a custodial role. Identify additional ways to communicate emergency response procedures and provide training and testing that involves several areas across the institution. Assess the need for additional resources in the Facilities Group. In addition, review the process to prioritize projects and maintenance to determine if changes should be made to the prioritization process.

Emergency Preparedness

Moderate Lack of communication related to emergency response procedures and concerns that the involvement of training and testing of the procedures are not campus-wide. Low Lack of resources in the Facilities Group. Concerns that projects and maintenance are not prioritized appropriately.

Environmental Health & Safety

Low

Safety of campus facilities is a concern as Continually monitor the overall safety of there are a number of older buildings across all buildings on campus to identify campus. potential need for improvements.

©2011 LarsonAllen LLP

9

Enterprise-Wide Risk Assessment | Mayville State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Consider performing reconciling activities on a more frequent basis (i.e. monthly, quarterly).

Institution Response
Agree, the NDUS controllers group recently agreed to perform various reconciliations on more current, possibly quarterly, basis.

Moderate Accounts receivable (specific to fund accounting) is reconciled annually. It is not always known what funds to properly allocate revenue to and reconciling across funds can be a challenge. Moderate There are concerns related to the protection of credit card information and if the proper internal controls are in place.

Review policies and procedures that address the protection of credit card information and internal controls in place protecting information to determine if enhancements should be made. If policies and procedures are not in place, consider developing. Perform a review of department responsibilities and compare with expenses allocated to departments to determine if changes should be made based on responsibilities.

Campus procedure documentation could be improved. All credit card activity is processed through the Bank of ND. Bank of ND’s D. Blumhagen provides useful information to all state government on CC alerts and safety procedures which are forwarded to affected employees. Payment procedures have been reviewed with the Controller and department administrators, and are more clearly understood.

Financial Close & Reporting

Moderate There are concerns related to expense allocations budgeted and whether they are consistent with responsibilities by department, specifically for departments that have several responsibilities that overlap such as Enrollment Services, Admissions & Extended Learning, and Academic Records/Registrar. Moderate Lack of clarity for capital projects, specifically the definition of a capital project, bidding services separately vs. together, and expectations of contractors. Moderate Student receivables are not always followed up on timely due to lack of resources.

Develop a policy and procedure that addresses the lifecycle of a capital project. Perform a cost/benefit analysis to determine if an additional resource should be added to the Finance Group to assist in the collections process.

A new system of approval has been developed and implemented which also provides project description and expense tracking. The Business Office is presently reviewing position responsibilities to allow more time to critical office needs.

©2011 LarsonAllen LLP

10

Enterprise-Wide Risk Assessment | Mayville State University

Functional Risk Area / Process Ranking
Low Financial Close & Reporting

Identified Risk
A significant amount of time is spent reconciling cash each month.

Proposed Recommendations
Review the method to reconcile cash and determine if changes could be made to reduce time spent. In addition, work with the System office to determine if it makes good business sense to purchase a cash module within PeopleSoft.

Institution Response
These processes have improved. Templates have been developed to improve bank reconciliations. Templates have also been developed for recurring monthly cash entries.

Low Governance

Lack of procedures institution-wide, specifically for activities performed in PeopleSoft. There is loss of knowledge when there is turnover in staff.

Develop detailed procedures for all The NDUS has developed PeopleSoft positions institution-wide, specifically for procedures for various modules. Campus responsibilities performed in PeopleSoft. procedure documentation and cross training opportunities are being pursued. Develop policies and procedures for the grant process. Review documents on an ongoing basis to determine if changes should be made. After some research we find there are not grant related policies and procedures in the NDUS system. Grant policies and procedures are dictated by the individual grants. Every grant has its own set of policies as to the lifecycle of the grant. Every grant received at MASU follows the guidelines established by the grant. Budgets and documentation are followed and reported on a timely manner to maintain the funding. The Business Office is currently considering options to address this concern including additional staffing.

Moderate Lack of grant related policies and procedures, specifically grant lifecycle and expense allocations.

Grant Administration

Moderate Monitoring of grant expenses, accounting responsibilities, etc. is lacking due to an insufficient level of resources to assist. A resource has not been designated to the grant accounting role; personnel in the Accounting Group are working to fill the role in addition to other responsibilities. Low A full-time dedicated grant writer position does not currently exist within the institution and there are concerns related to potential missed grant opportunities.

Perform a cost/benefit analysis to determine if it makes good business sense to add additional personnel for the grant process.

Perform a cost/benefit analysis to determine if it makes good business sense to add additional personnel to identify grants.

The Business Office is currently considering options to address this concern including additional staffing.

©2011 LarsonAllen LLP

11

Enterprise-Wide Risk Assessment | Mayville State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Perform a cost/benefit analysis to determine if a Human Resources department should be implemented to segregate responsibilities and provide independence. Review the current responsibilities of each person performing payroll responsibilities to determine if changes should be made to allow for additional segregation of duties. Information technology personnel should work in conjunction with Payroll personnel to identify potential automated functions within the existing PeopleSoft system.

Institution Response
A dedicated person to direct Human Resources efforts across campus will be integrated into the institutional budget during the next year as part of a transition from a grant funded position. The Business Office is currently considering options to address this concern including additional staffing.

Moderate An independent Human Resources department in not in place and responsibilities are performed by another department. Moderate There is a lack of appropriate segregation of duties in the Payroll department.

Low Human Resources & Payroll Low

Payroll processes are manual in nature (i.e. nonexempt employee hours and all employees sick and vacation time are manually tracked and entered into PeopleSoft).

The NDUS is presently studying payroll efficiency areas for all system campuses.

The benefits election process for new No proposed recommendation as this is employees and annual renewal process is managed by the state. very manual. Employees manually complete forms and benefit elections for new employees and annual open enrollment changes are manually entered into PERS. Overall employee work load is a concern. Most functional areas identified some level of personnel needs. Human Resources and other senior management should assess current FTE workload by department. Identify areas of concern and suggest departmental changes to better manage existing workload.

No institution response as this is managed by the state.

Low

We will continue to monitor employee satisfaction based on NDUS surveys and institutional procedures to determine which areas of concern should be addressed and develop staffing plans to respond to these issues.

©2011 LarsonAllen LLP

12

Enterprise-Wide Risk Assessment | Mayville State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Consider locking the server room at all times, including business hours and moving the server room to a more secure location.

Institution Response
The issues identified here have been addressed previously; i.e. the server room is locked at all times. Because of costs it is not feasible to relocate to a different location. Current facilities are secure and there appears to be little risk of unapproved access to equipment and information. Informal disaster recovery plans exist and are part of the campus disaster recovery plan, but a formal disaster recovery plan for IT will be developed with the completion date of December 2011.

Moderate The server room is located in an old classroom and contains windows in the room. In addition, the server room is not always locked during business hours.

Moderate A data back-up policy is in place, but there is no formal disaster recovery plan.

Information Technology

Develop and document a formal disaster recovery plan. This would include, but is not limited to:  Risk exposures  Recovery team responsibilities  First response process and procedures  Functional assessment process  Asset protection  Communications approach  System recovery timeframes  Maintenance and testing  Training Consider technically enforcing security measures on mobile devices to enhance security. Identify current reporting in PeopleSoft that are not effective and efficient. In addition, identify additional query writers at MASU that could assist in enhancing reporting.

Moderate A mobile device policy is in place; however, appropriate security measures have not been technically enforced to support mobile devices. Moderate Gathering data and information quickly requested by senior leadership, the state, etc. is challenging and time consuming. In addition, there is lack of query writers at the institution.

MaSU will consider methods for enforcing security for mobile devices.

MaSU does report inefficiencies in PeopleSoft reporting and to have queries written to resolve. MaSU does have one query writer for on-campus queries and will pursue having a second person trained.

©2011 LarsonAllen LLP

13

Enterprise-Wide Risk Assessment | Mayville State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Work with the System office to evaluate the permissions assigned to security roles to determine if changes could be made. In addition, identify and review manual controls to mitigate the risk of inappropriate access. All student workers that need access to the system or applications should be provided their own unique user ID and password with restricted access based on their job responsibilities. Students should not use staff and faculty computers. Identify an off-site storage site to maintain data back-ups. Consider seeking ongoing feedback from students, alumni, community, etc. to assist in evaluating marketing techniques that have the most success with the budget allotted. Perform a cost/benefit analysis to determine if it makes good business sense to purchase a point of sale system.

Institution Response
Security roles within PeopleSoft will continue to be reviewed to ensure personnel who need access to multiple sources of data have appropriate clearance.

Moderate Security roles in Campus Connection are too broad for the size of the institution; therefore, employees have additional access than what is needed based on job responsibility. Moderate In some instances, students who work at the institution are allowed to use staff and faculty computers.

Information Technology

MaSU has office computers for staff and student employees to use. MaSU’s procedures will be reviewed to assure that student employees have their own unique user ID and password.

Low

Data back-ups are stored on-site at the institution. Marketing techniques utilized may not be targeting the largest audience or the right audience and evaluations are not performed to determine what marketing techniques have the most success with the budget allotted.

All critical financial, HR and student data is stored offsite. The campus will continue to explore ways to back up campus data. Within the last 3 years, a professional marketing firm has provided useful advice and services that have assisted in achieving double digit enrollment increases. The campus will continue to evaluate our marketing techniques and utilization of the marketing budget. A point of sale system for Dining Services will be investigated and evaluated for implementation.

Low Marketing & Communications

Operations & Auxiliary Services

Moderate There is not a point of sale system for Dining Services to manage purchases, inventory, cash, etc. All transactions and inventory is managed via Excel, potentially resulting in risk for errors. Moderate There is a lack of appropriate segregation of duties in the Dining Services Group, specifically as it relates to purchasing, receiving, and inventory counts.

Review the current responsibilities of Purchasing and receiving responsibilities will be each person in the Dining Services Group reviewed for added segregation. The Controller to determine if changes should be made is participating in the annual inventory counting. to allow for additional segregation of duties.

©2011 LarsonAllen LLP

14

Enterprise-Wide Risk Assessment | Mayville State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
No proposed recommendation.

Institution Response
Efforts to retain employees, including salary and review of position responsibilities, continue to be a high priority on campus. Cross training of employees will be done where it is feasible. Office manuals which detail operational specifics will be developed and/or updated to ensure that newly hired personnel have resources needed to perform their functions.

Moderate There has been a high turnover rate in certain positions in the last several years. Low Lack of succession planning and cross training for most positions within the institution.

Faculty & Staff

Functional areas should evaluate where it is most critical to implement succession plans and cross train employees. Develop an action plan to implement and cross train where necessary.

Low Student Affairs

Mental health and medical issues are increasing in the student body, resulting in an increased need for student counseling services. The mental health counselor is only supporting one day per week.

Assess whether additional resources Institutional counseling staff will continue to should be allocated to student counseling. make referrals to outside agencies and professionals for students needing assistance. We will also explore collaboration with Sanford Medical to provide psychological services when needed. Develop an action plan with specific measurable goals to continually monitor and stay abreast of financial aid federal regulations. Discuss regulations with the System Office and other colleges and universities in ND, as needed, to compare interpretations and gain additional confidence that MASU is in compliance. In addition, consider performing an internal audit to review compliance with regulations. Additional communication and training should be implemented to improve understanding of financial aid requirements and the impact of curriculum changes. Resources will be provided for financial aid staff to continue attending training sessions at both the state and regional level to help stay abreast of changes in regulations. Discussions will be held with NDUS staff to determine how an internal audit may be implemented to help identify compliance issues.

Moderate Ability to stay proactive related to financial aid federal compliance. Changes in legislation are not always known and implemented timely. In addition, interpretation of regulations is difficult.

Student Financial Processing

Moderate Concerns related to communication between faculty and the Financial Aid department to understand the impact of curriculum changes on financial aid distribution and regulations.

Information regarding financial aid policies and procedures will be shared with faculty and staff on a regular basis as part of pre-service activities each fall.

©2011 LarsonAllen LLP

15

Enterprise-Wide Risk Assessment | Mayville State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Continue to educate the registration office and faculty about the importance of finalizing class schedules and submitting book and material requests timely. In addition, identify alternative methods of communication and education.

Institution Response
Class schedules are finalized nine months prior to allow adequate time. Faculties are provided deadlines to submit materials to the bookstore, it is the responsibility of the bookstore to notify faculty and the division chair if a deadline is not met. A process is in place. Our campus: Bookstore and Office of Academic Records meets all of the HEOA polices related to this issue. MaSU was required by the NDUS to submit information on our processes to meet HEOA & ISBN textbook policies in 2009.

Moderate Class schedules are not finalized timely and faculties do not always submit their book/material requests to the bookstore timely, resulting in the bookstore not being able to provide books/materials timely to students, keep costs effective and affordable, and possibly cause the institution to be in violation of the HEOA. Student Financial Processing

Low

Lack of local financial aid policies and procedures.

Develop financial aid policies and procedures at the institutional level.

Most policies and procedures are defined by federal regulations and the campus does have documentation to address these; i.e. satisfactory progress policy, return of federal funds, etc.

©2011 LarsonAllen LLP

16

Enterprise-Wide Risk Assessment | Mayville State University

Appendix
Impact Criteria
IMPACT CRITERIA
FINANCIAL (1) Asset size (2) Prior negative exposure (3) Rapidly increasing transaction volume STAKEHOLDER (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns REPUTATION (1) Potential adverse issues are known to external parties, such as media and regulatory bodies LEGAL / REGULATORY (1) Any Federal/ State/Other action (2) External Audit reportable conditions OPERATIONS (1) Current infrastructure cannot support business strategy

HIGH

MEDIUM

(1) Asset size (2) Major potential cost (3) Transaction volume stable

LOW

(1) Asset size (2) Minor potential cost (3) Transaction volume stable

(1) Management, employees and faculty may be affected by process inefficiencies or control breakdown (1) No management, employees and faculty are affected by process inefficiencies or control breakdown

(1) Potential adverse issues could impact customers

(1) Issues identified by Federal/State/ Other (2) Issues identified by External Audit (1) No issues identified by Federal/State/ Other (2) No issues identified by External Audit

(1) Current infrastructure is able to support business strategy with work arounds (1) Current infrastructure is able to support business strategy

(1) Potential adverse issues could impact employees

Vulnerability Criteria
VULNERABILITY CRITERIA
CONTROL EFFECTIVENESS AND EFFICIENCY SPEED OF RESPONSE COMPLEXITY PEOPLE OPERATIONAL EFFICIENCY SYSTEM CAPABILITY RATE OF CHANGE

Controls are not working or do not exist.

HIGH

No method for anticipating and accessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.

Manual processes with many data transfer points and owners.

MEDIUM

Controls are detective but not preventative and there may or may not be effective reporting.

A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.

Automated process encompassing multiple systems and owners.

A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists. A limited number of staff and/or staff has moderate competency to manage risk event.

High/unmeasure d cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.

Systems are not operating as designed or design is flawed; very limited controls.

Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.

Systems are operating as designed, but design can be improved; controls are bolted on top of the system.

LOW

Controls are appropriately preventive and detective and there is effective reporting.

A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.

Automated processes with integrated systems.

Most staff has high competency to manage risk events.

Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.

Systems are designed, implemented, and operating effectively; controls are embedded in the system.

Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months. Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months. Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.

©2011 LarsonAllen LLP

17

Minot State University Risk Assessment Results
October 14, 2011

Craig W. Popenhagen, CPA Principal 612/397-3087 cpopenhagen@larsonallen.com

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Minot State University

220 South Sixth Street, Suite 300 Minneapolis, MN 55402-1436 612-376-4500, Fax 612-376-4850

October 14, 2011 Dr. David Fuller Minot State University 500 University Avenue West Minot, ND 58707 Dr. Fuller, This report provides you, Minot State University (MiSU) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board’s acceptable risk level. LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided. In addition, the procedures performed by LarsonAllen are not a substitution for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide Minot State University with insight to inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project. We appreciate the opportunity to assist Minot State University. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance. Sincerely, LarsonAllen LLP

Craig W. Popenhagen, CPA Principal 612/397-3087 cpopenhagen@larsonallen.com

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Minot State University

Table of Contents
Executive Summary
What is Risk Assessment? Risk Assessment Methodology


1  1 

Project Overview
Objectives and Scope Approach


4  4 

Risk Assessment Results
Enterprise-Wide Risk Map Detailed Results


6  7 

Appendix
Impact Criteria Vulnerability Criteria

16 
16  16 

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Minot State University

Executive Summary
LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for Minot State University. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically. Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical representation of the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Detailed results are also provided communicating the explanation for the risk ranking and recommendations for addressing the risks.

What is Risk Assessment?
Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution whether it is entity or process level.  Entity level is the cornerstone for effective control and its objectives provide guidance on what the entity wants to achieve. It should be consistent with budget, strategy, and business plans.  Process level should align with entity level objectives but differ in that they relate directly to goal setting with specific targets and deadlines. It provides guidance for management focus.

Risk Assessment Methodology
The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for the Minot State University.

©2011 LarsonAllen LLP

1

Enterprise-Wide Risk Assessment | Minot State University

Understand the Client’s Business: We begin by understanding the North Dakota University System’s (the System) business by gathering the business objectives, goals, and strategies and identify the System’s various universities and colleges in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry. Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of an institution to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken in the form of missed opportunities. There are six types of risks:  Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the institution’s inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the institution’s reputation.  Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.  Operational: The risk that the institutions operational processes are not achieving the objectives they were designed for to support the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.  Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.  Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the institution and the availability and quality of information the institution can access to support decision making, and the security of key information.  Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships. Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.

©2011 LarsonAllen LLP

2

Enterprise-Wide Risk Assessment | Minot State University

Areas of Focus               

Definitions Financial Stakeholder Reputation Legal / Regulatory Operations

Impact

Vulnerability

Control Efficiency & Operating Effectiveness Speed of Response Complexity People Operational Efficiency System Capability Rate of Change

Measurement Scale

High Risk Moderate Risk Low Risk

Execute Risk Assessment Approach: We begin by identifying various interview participants, including key risk owners and conduct interviews, as applicable. Key risks are gathered during this stage and results are ranked by defined impact and vulnerability criteria. Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then validated and shared with management, as appropriate. By prioritizing and validating risks, Minot State University can align and prioritize its resources to manage and mitigate risks appropriately.

©2011 LarsonAllen LLP

3

Enterprise-Wide Risk Assessment | Minot State University

Project Overview
Objectives and Scope
The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at Minot State University and assess the levels of risk within each of the process areas. In addition, provide Management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process. The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution: Functional Area / Process
Academic Affairs Athletics Campus Safety & Security Continuing Education Emergency Preparedness Environmental Health & Safety Financial Close & Reporting

Detailed Coverage of Functional Area / Process
On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance, player and spectator liability Building security, campus police/security Non-credit courses, community programs, workforce training, conference management Emergency preparedness and response procedures, business continuity, risk management Physical safety and soundness of campus buildings, environmental risks, facilities/classroom Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action Grant tracking and monitoring, accounting, budgeting, reporting Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk Social media, publications, web development, brand and logo, advertising channels Bookstore, libraries, food services Workforce training, competency, professional environment, conflict of interest Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services Student financial aid, tuition, enrollment fees, scholarships, funding, student loan processing
4

Governance Grant Administration Human Resources & Payroll Information Technology

Marketing / Communications Operations & Auxiliary Services Faculty & Staff Student Affairs

Student Financial Processing

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Minot State University

Approach
With the assistance of Minot State University management, LarsonAllen identified 24 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area. Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).

©2011 LarsonAllen LLP

5

Enterprise-Wide Risk Assessment | Minot State University

Risk Assessment Results
Enterprise-Wide Risk Map
The enterprise-wide risk map communicates the risk results at the functional area / process based on the information obtained during the interviews. The description of the risk map is as follows:    Green – Low Risk Yellow – Moderate Risk Red – High Risk

The following functional areas / processes are not on the above risk map as there were no risks identified by stakeholders, per the interview discussions:   Continuing education Environmental Health & Safety

©2011 LarsonAllen LLP

6

Enterprise-Wide Risk Assessment | Minot State University

Detailed Results
Per discussions with process owners, LarsonAllen identified several processes where specific risks may exist. These risks identified were considered in the overall risk ranking of each key financial, operational, and IT processes. The risks identified were based upon discussions with process owners and not based on actual testing of controls. The following is a list of the risks identified by LarsonAllen, in addition to the risk ranking and recommendations for addressing the risks. Functional Risk Area / Process Ranking Identified Risk Proposed Recommendations
Develop policies and procedures specific to offering distance learning in other states to ensure federal requirements are being met and to determine if it makes good business sense to offer distance learning in various states based on student interest and fees.

Institution Response
Representatives from our Center for Extended Learning are coordinating with the university system office to follow evolving federal requirements. Appropriate policies and procedures will be developed as federal guidelines are finalized.

Moderate Meeting federal requirements for distance learning, specifically, procedures to follow for state level requirements when MiSU offers distance learning in other states, permissions needed, evidence and documentation to maintain, licensing fees, etc. In addition, determining if it is cost beneficial to offer distance learning in various states.

Moderate Concerns related to certain classes that are Perform a cost/benefit analysis to being offered due to low enrollment and determine if it makes good business sense programs that are offered with no majors. to continue classes, programs, and majors with low enrollment. Academic Affairs Moderate Concerns that there are not enough faculties to support the growth of online classes. Perform an assessment to determine if the institution needs additional faculties to support the future growth of online classes. Determine if strategic changes should be made as a result of the assessment.

Academic administrators are involved in a prioritization process designed to strengthen programs and align resources with strategic priorities. Academic administrators are involved in a prioritization process designed to strengthen programs and align resources with strategic priorities.

Low

Graduation rates at MiSU are significantly Review research performed to reach to this N/A below the national average. conclusion to determine root cause(s) for lower graduation rates at MiSU and determine if institution-wide changes should be made to increase rates. North Dakota graduation rates are declining and competition is high with other North Dakota colleges and universities to attract and retain students. Identify opportunities to reach out to a broader group of potential students. Market studies should be performed on potential major and course offerings to improve attendance. N/A

Low

©2011 LarsonAllen LLP

7

Enterprise-Wide Risk Assessment | Minot State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations

Institution Response

Moderate Certain athletic programs are moving from NAIA to the NCAA conference. There are concerns related to the new reporting requirements and overall compliance. Moderate Budget to actual tracking for athletics is a concern due to the lack of functionality within PeopleSoft. Moderate Additional fund raising is needed to support current athletic programs.

Continue to focus on identifying the new MiSU has hired an athletics compliance office reporting requirements, staying abreast of and business manager to track NCAA operating the requirements, and performing audits to and reporting requirements. ensure the institution is in compliance. Team with the System office to determine if enhancements could be made to budget to actual tracking. Evaluate whether there are additional opportunities to perform fundraising activities. Develop a short and long term plan for fundraising ideas, how many events will take place annually, how many dollars are needed to be raised at each event, etc. In addition, assess whether the appropriate number of programs are in place or if the activity fees should be increased. Perform a cost/benefit analysis to determine whether additional resources should be allocated to academic support services for athletes. Review current athletics policies and procedures to determine if documents continue to be adequate or if changes should be made. In addition, develop a procedure to communicate and roll out changes to appropriate personnel. Internal controls should be reviewed to identify potential risks related to existing cash receipts processes. New business manager will train with Business Office to take advantage of all reporting functions within PeopleSoft. Athletic reporting will move from activity codes to fund codes. MiSU has hired a director of marketing and promotions to assist with fundraising opportunities, and has reorganized office operations to allow the athletic director to focus on community relations. Also, in anticipation of NCAA transition, NACDA Consulting prepared a strategic plan for external fundraising. Staffing and other changes have allowed the department to begin implementation of that plan. N/A

Athletics Low Lack of resources allocated to academic support services specifically for student athletes. Policies and procedures related to athletics may not continue to be adequate, specifically student athletes who misbehave and the actions that should be taken by the institution. In addition, misbehaving results in a negative perception of the institution. Adequacy of cash handling and monitoring controls around concessions, ticket, and fund raising revenue.

Low

N/A

Low

N/A

©2011 LarsonAllen LLP

8

Enterprise-Wide Risk Assessment | Minot State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Assess the current security officers / resources on campus and determine if additional resources are needed or if additional security measures should be implemented. Identify additional ways to communicate emergency response procedures and provide training and testing that involves several areas across the institution. Perform an internal audit of the purchasing and accounts payable processes to identify efficiencies that could be gained to reduce time and cost in these processes. In addition, determine if additional technology could be utilized to gain inefficiencies. Perform an internal audit to determine the significance of delinquent payments to vendors. Identify go-forward solutions to reduce delinquent payments. Perform a cost/benefit analysis to determine if a compliance function should be developed within MiSU to monitor and communicate compliance requirements.

Institution Response
MiSU has hired a new superintendent of campus safety and security, and will be hiring two fulltime campus security officers. In addition, planned landscaping upgrades include improved lighting and emergency/panic stations. Our new superintendent of safety and security has been charged with updating the emergency response plan, and providing training to the campus community. The Business Office has completed a review of signature requirements, and will be revising those requirements to eliminate many of the duplicate/redundant approvals.

Campus Safety & Security

Moderate Security across campus should be improved, specifically additional cameras, blue emergency lights, electronic key card access, etc. Moderate Lack of communication related to emergency response procedures and concerns that the involvement of training and testing of the procedures are not campus-wide. Moderate The purchasing and accounts payable processes are very inefficient requiring multiple signatures on vouchers, manual approvals, etc.; there are duplicate processes and approvals that are not needed. Low Payments are not always made timely to vendors and there are concerns that the institution’s reputation is at risk when payments are not made timely.

Emergency Preparedness

Financial Close & Reporting

N/A

Governance

Moderate There is no Compliance Officer or compliance function to oversee the various regulations the institution is required to comply with such as PCI, HIPAA, FERPA, HEOA, etc. and assist in proactively understanding requirements.

While MiSU does not employ a general institutional compliance officer, we do provide compliance support for grants/contracts, human resources, and athletics. We also partner with NDUS to provide legal reviews on matters related to laws, policies, procedures, etc.

©2011 LarsonAllen LLP

9

Enterprise-Wide Risk Assessment | Minot State University

Functional Risk Area / Process Ranking
High

Identified Risk
The STEM grant is no longer awarded; therefore, funding does not exist for universities to foster and build relationships with high schools and relationships have been affected. Policies and procedures related to effort reporting should be enhanced.

Proposed Recommendations
Perform a cost/benefit analysis to determine if funding should be allocated to support the dollars normally awarded via the stem grant. In addition, identify alternative methods to build relationships. Review current effort reporting policies and procedures to determine where enhances should be made.

Institution Response
While STEM funding was in jeopardy at the time of the risk assessment site visit, permanent project funding was subsequently appropriated directly to participating institutions. N/A

Grant Administration

Low

Low

There are concerns related to the accuracy Continue to review information in the of information in the alumni database. alumni database to identify inaccurate information and make changes as deemed necessary. Develop a policy and procedure for the termination/resignation process requiring exit interviews are performed. Communicate the process to applicable personnel ensuring it is rolled out consistently. Review training opportunities for each functional area and level across the institution to determine where training is a priority. Consider offering training to those priority areas and continue to assess on an ongoing basis the need to offer training to other areas and levels deemed less significant. Continue to enforce requirement for staff and faculty to complete performance evaluations on an ongoing basis.

N/A

Moderate A formal termination/resignation process is not in place and exit interviews are not conducted for staff and faculty.

MiSU has hired a new human resource assistant to provide additional services at the time of hire and separation. While formal separation checklists exist, additional staff in the HR office will allow the process to be fully implemented. With additional support in the HR office, MiSU is beginning a series of regular supervisor training meetings. The first meeting was held in late September.

Human Resources & Payroll

Moderate There is lack of training in most positions across the institution, especially at the manager level.

Low

Performance evaluations for staff and faculty are not always completed on a consistent basis.

N/A

©2011 LarsonAllen LLP

10

Enterprise-Wide Risk Assessment | Minot State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Develop and document a comprehensive disaster recovery plan including, but not limited to:  Risk exposures  Recovery team responsibilities  Functional assessment process  Asset protection  Communications approach  System recovery timeframes  Maintenance and testing  Training Continue current initiative to move data center in the Administration building to a more secure area with additional security and enhanced temperature control. Consider developing unique user IDs and passwords for users to authenticate in computer labs across campus. Develop a policy that requires all laptops and USB drives to be encrypted. In addition, determine if the process to issue technology related items should be centralized within the IT group to allow for consistency and adherence to policy. Conduct training for all personnel who are responsible for assigning user roles in PeopleSoft to create awareness around the importance of information security, segregation of duties, and assignment of roles.

Institution Response
MiSU recently received State Board approval for a fiber network rebuild and consolidation of campus server rooms. Once the project is complete, our CIO will begin development of a comprehensive disaster recovery plan.

Moderate Informal disaster recovery plans are in place; however, a comprehensive documented plan still needs to be developed.

Moderate The data center in the Administration building is in an office that has windows and a window air conditioner. Information Technology

MiSU recently received State Board approval for a fiber network rebuild and consolidation of campus server rooms. Once the project is complete, the Administration data center will be closed. Campus CIO will explore options for providing unique user credentials for computer lab access. Campus will develop a policy limiting sensitive data to only those portable devices that have been encrypted by IT.

Moderate Network access in computer labs is through generic identification and password entry. Moderate Laptops are purchased and issued to staff and faculty by functional departments and are not encrypted. In addition, USB drives purchased by functional departments are not password protected or encrypted. Moderate The functional areas assign user roles in PeopleSoft and there are concerns related to the awareness of security when assigning roles.

A current internal control/compliance audit performed by the State Auditor’s Office raises similar questions about system access and security. User assignments and training will be reconsidered by Minot State when the audit is released.

©2011 LarsonAllen LLP

11

Enterprise-Wide Risk Assessment | Minot State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
A current state assessment should be performed for all functional areas to identify where internally developed software is being utilized and manual work-arounds have been created outside of PeopleSoft to determine if it continues to make good business sense to continue with the current methods. Review the current fiber infrastructure upgrades needed in buildings across campus to determine where there are concerns and prioritize installation based on risk. Identify the root cause(s) of the roadblocks with the wireless in the library to determine if changes need to be made to limit classes that are cancelled. Review the current methods to communicate and market the primary programs at MiSU and determine if changes need to be made to the current methods, if additional communication and marketing should be implemented, etc. Continue to identify additional ways to stay abreast with new and current marketing trends to reach students.

Institution Response
Because of limited time and money, statewide consensus is required to advance a system upgrade to implementation. Accordingly, departments are often forced to develop other external systems. MiSU continues to advocate for campus needs, but cannot independently enhance system functionality. N/A

Moderate Internally developed software is being utilized where PeopleSoft could potentially be leveraged and manual workarounds have been created outside of PeopleSoft and other systems.

Information Technology

Low

Several buildings need fiber infrastructure upgrades.

Low

Classes have been cancelled in the library due to recent changes in the wireless.

N/A

Low

Marketing & Communications Low

Additional communication and marketing should be implemented to promote the primary programs offered by the institution. In addition, there are concerns that the community is not aware of the primary programs offered by MiSU. Staying abreast on new and current marketing trends to reach students.

N/A

N/A

©2011 LarsonAllen LLP

12

Enterprise-Wide Risk Assessment | Minot State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Perform an internal audit of the purchasing processes at the library to identify efficiencies that could be gained to reduce time and cost in these processes. In addition, determine if additional technology could be utilized to gain inefficiencies. Identify a resource to cross train and perform back-up responsibilities when the Human Resources Director is out of the office.

Institution Response
PeopleSoft system allows for the creation of purchase orders, and departments are encouraged to use p-cards wherever possible. The implementation of automated workflow depends on statewide consensus.

Operations & Auxiliary Services

Moderate Purchasing processes for the library are inefficient with no use of purchase orders to receive against, p-cards are not utilized, and there is no automated workflow.

Moderate There is only one person in the Human Resources group to perform all responsibilities; therefore, there is no cross training or human resource personnel to perform back up responsibilities when this individual is out. Moderate Lack of succession planning and cross training for most positions within the institution. Faculty & Staff

MiSU has hired a new human resource assistant to provide support and cross training in the department.

Functional areas should evaluate where it is most critical to implement succession plans and cross train employees. Develop an action plan to implement and cross train where necessary.

Cross training and succession planning are department-specific initiatives, and departments are encouraged to implement such measures. New flexible budgeting models allow vice presidents to assign resources in support of such initiatives.

Low

Overall employee work load is a concern. Most functional areas identified some level of personnel needs. In addition, there are concerns how resources are being utilized across the institution, what functional areas are significantly lacking resources, and what resources could be realigned to even workloads.

Perform an assessment to determine how N/A resources are being utilized across all functional areas, tracking of hours worked, efficiencies that could be gained, etc.

©2011 LarsonAllen LLP

13

Enterprise-Wide Risk Assessment | Minot State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Perform a cost/benefit analysis to determine if it makes good business sense to build additional residence halls, add on to existing, or another alternative.

Institution Response
With the general economic boom in North Dakota and recent flooding in Minot, availability and affordability of housing are major concerns. The university recently purchased additional housing units for displaced faculty, staff, and students. The university also continues to engage community partners to encourage the development of affordable housing options.

Moderate Residence halls are at maximum capacity and additional space is needed to support continued growth.

Student Affairs

Low

Improvements should be made to the drinking and drug intervention programs.

Review the current intervention programs N/A to determine if changes and improvements should be addressed. Continue to focus on increasing enrollment N/A and assess the need to increase fees or if fees continue to be appropriate.

Low

The Student Success Center revenue is primarily derived from student enrollment expenses. If enrollment significantly decreased or fees were cut, the program would be at risk of meeting financial needs.

Moderate Certain faculties do not submit their book/material requests to the bookstore timely or change the books/materials near the start date of a semester, resulting in the bookstore not being able to provide books/materials timely to students, keep costs effective and affordable, and possibly cause the institution to be in Student Financial violation of the HEOA. Processing Moderate Concerns related to communication between faculty and the Financial Aid department to understand the impact of curriculum changes on financial aid distribution and regulations.

Continue to educate faculty about the importance of submitting book and material requests timely. In addition, identify alternative methods of communication and education.

Recent support from the new vice president for academic affairs resulted in immediate improvements in textbook adoption rates. With continued support, MiSU will meet all requirements of the HEOA.

Additional communication and training should be implemented to improve understanding of financial aid requirements and the impact of curriculum changes.

Recent support from the new vice president for academic affairs has eliminated many of the concerns related to last-minute curriculum changes.

©2011 LarsonAllen LLP

14

Enterprise-Wide Risk Assessment | Minot State University

Functional Risk Area / Process Ranking
Low

Identified Risk
The MiSU local manual for financial aid needs to be updated to reflect current practices and changes to regulations.

Proposed Recommendations
Review the local manual for financial aid to determine where changes should be made to reflect existing practices and changes to regulations. In addition, perform a review of the manual on an ongoing basis. Review eligibility for scholarships and determine if the criteria are too narrow or specific and determine if scholarships should reach a broader group of students. N/A

Institution Response

Low

Scholarships are too narrow and specific and do not reach a broad group of students. Keeping tuition and room and board costs effective and affordable for students. In addition, off campus living costs are continually increasing due to oil fields, resulting in limited residence hall space on campus. Reputation risk, specifically the measures taken towards students who have not paid their tuition or who make late payments on tuition.

N/A

Student Financial Processing

Low

Continue to perform appropriate research N/A and benchmarking to ensure MiSU tuition and room and board prices are competitive and in line with other colleges and universities. Review procedures to follow-up with students who have not paid their tuition to determine if changes should be made. In addition, evaluate the attitudes of staff towards students when following up. N/A

Low

©2011 LarsonAllen LLP

15

Enterprise-Wide Risk Assessment | Minot State University

Appendix
Impact Criteria
IMPACT CRITERIA
FINANCIAL (1) Asset size (2) Prior negative exposure (3) Rapidly increasing transaction volume STAKEHOLDER (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns REPUTATION (1) Potential adverse issues are known to external parties, such as media and regulatory bodies LEGAL / REGULATORY (1) Any Federal/ State/Other action (2) External Audit reportable conditions OPERATIONS (1) Current infrastructure cannot support business strategy

HIGH

MEDIUM

(1) Asset size (2) Major potential cost (3) Transaction volume stable

LOW

(1) Asset size (2) Minor potential cost (3) Transaction volume stable

(1) Management, employees and faculty may be affected by process inefficiencies or control breakdown (1) No management, employees and faculty are affected by process inefficiencies or control breakdown

(1) Potential adverse issues could impact customers

(1) Issues identified by Federal/State/ Other (2) Issues identified by External Audit (1) No issues identified by Federal/State/ Other (2) No issues identified by External Audit

(1) Current infrastructure is able to support business strategy with work arounds (1) Current infrastructure is able to support business strategy

(1) Potential adverse issues could impact employees

Vulnerability Criteria
VULNERABILITY CRITERIA
CONTROL EFFECTIVENESS AND EFFICIENCY SPEED OF RESPONSE COMPLEXITY PEOPLE OPERATIONAL EFFICIENCY SYSTEM CAPABILITY RATE OF CHANGE

Controls are not working or do not exist.

HIGH

No method for anticipating and accessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.

Manual processes with many data transfer points and owners.

MEDIUM

Controls are detective but not preventative and there may or may not be effective reporting.

A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.

Automated process encompassing multiple systems and owners.

A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists. A limited number of staff and/or staff has moderate competency to manage risk event.

High/unmeasure d cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.

Systems are not operating as designed or design is flawed; very limited controls.

Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.

Systems are operating as designed, but design can be improved; controls are bolted on top of the system.

LOW

Controls are appropriately preventive and detective and there is effective reporting.

A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.

Automated processes with integrated systems.

Most staff has high competency to manage risk events.

Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.

Systems are designed, implemented, and operating effectively; controls are embedded in the system.

Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months. Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months. Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.

©2011 LarsonAllen LLP

16

North Dakota State College of Science Risk Assessment Results
October 14, 2011

Craig W. Popenhagen, CPA Principal 612/397-3087 cpopenhagen@larsonallen.com

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | North Dakota State College of Science

220 South Sixth Street, Suite 300 Minneapolis, MN 55402-1436 612-376-4500, Fax 612-376-4850

October 14, 2011 Dr. John Richman North Dakota State College of Science 800 Sixth Street North Wahpeton, North Dakota 58076-0002 Dr. Richman, This report provides you, North Dakota State College of Science (NDSCS) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board’s acceptable risk level. LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided. In addition, the procedures performed by LarsonAllen are not a substitution for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide North Dakota State College of Science with insight to inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project. We appreciate the opportunity to assist North Dakota State College of Science. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance. Sincerely, LarsonAllen LLP

Craig W. Popenhagen, CPA Principal 612/397-3087 cpopenhagen@larsonallen.com

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | North Dakota State College of Science

Table of Contents
Executive Summary
What is Risk Assessment? Risk Assessment Methodology


1  1 

Project Overview
Objectives and Scope Approach


4  4 

Risk Assessment Results
Enterprise-Wide Risk Map Detailed Results


6  7 

Appendix
Impact Criteria Vulnerability Criteria

14 
15  15 

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | North Dakota State College of Science

Executive Summary
LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for North Dakota State College of Science. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprisewide risk assessment performed periodically. Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical representation of the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Detailed results are also provided communicating the explanation for the risk ranking and recommendations for addressing the risks.

What is Risk Assessment?
Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution whether it is entity or process level.  Entity level is the cornerstone for effective control and its objectives provide guidance on what the entity wants to achieve. It should be consistent with budget, strategy, and business plans.  Process level should align with entity level objectives but differ in that they relate directly to goal setting with specific targets and deadlines. It provides guidance for management focus.

Risk Assessment Methodology
The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for the North Dakota State College of Science.

©2011 LarsonAllen LLP

1

Enterprise-Wide Risk Assessment | North Dakota State College of Science

Understand the Client’s Business: We begin by understanding the North Dakota University System’s (the System) business by gathering the business objectives, goals, and strategies and identify the System’s various universities and colleges in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry. Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of an institution to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken in the form of missed opportunities. There are six types of risks:  Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the institution’s inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the institution’s reputation.  Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.  Operational: The risk that the institutions operational processes are not achieving the objectives they were designed for to support the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.  Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.  Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the institution and the availability and quality of information the institution can access to support decision making, and the security of key information.  Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships. Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.

©2011 LarsonAllen LLP

2

Enterprise-Wide Risk Assessment | North Dakota State College of Science

Areas of Focus               

Definitions Financial Stakeholder Reputation Legal / Regulatory Operations

Impact

Vulnerability

Control Efficiency & Operating Effectiveness Speed of Response Complexity People Operational Efficiency System Capability Rate of Change

Measurement Scale

High Risk Moderate Risk Low Risk

Execute Risk Assessment Approach: We begin by identifying various interview participants, including key risk owners and conduct interviews, as applicable. Key risks are gathered during this stage and results are ranked by defined impact and vulnerability criteria. Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then validated and shared with management, as appropriate. By prioritizing and validating risks, North Dakota State College of Science can align and prioritize its resources to manage and mitigate risks appropriately.

©2011 LarsonAllen LLP

3

Enterprise-Wide Risk Assessment | North Dakota State College of Science

Project Overview
Objectives and Scope
The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at North Dakota State College of Science and assess the levels of risk within each of the process areas. In addition, provide Management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process. The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution: Functional Area / Process
Academic Affairs Athletics Campus Safety & Security Continuing Education Emergency Preparedness Environmental Health & Safety Financial Close & Reporting

Detailed Coverage of Functional Area / Process
On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance, player and spectator liability Building security, campus police/security Non-credit courses, community programs, workforce training, conference management Emergency preparedness and response procedures, business continuity, risk management Physical safety and soundness of campus buildings, environmental risks, facilities/classroom Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action Grant tracking and monitoring, accounting, budgeting, reporting Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk Social media, publications, web development, brand and logo, advertising channels Bookstore, libraries, food services Workforce training, competency, professional environment, conflict of interest Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services Student financial aid, tuition, enrollment fees, scholarships, funding, student loan processing
4

Governance Grant Administration Human Resources & Payroll Information Technology

Marketing / Communications Operations & Auxiliary Services Faculty & Staff Student Affairs

Student Financial Processing

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | North Dakota State College of Science

Approach
With the assistance of North Dakota State College of Science management, LarsonAllen identified 16 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area. Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).

©2011 LarsonAllen LLP

5

Enterprise-Wide Risk Assessment | North Dakota State College of Science

Risk Assessment Results
Enterprise-Wide Risk Map
The enterprise-wide risk map communicates the risk results at the functional area / process based on the information obtained during the interviews. The description of the risk map is as follows:    Green – Low Risk Yellow – Moderate Risk Red – High Risk

The following functional areas / processes are not on the above risk map as there were no risks identified by stakeholders, per the interview discussions:

   

Continuing education Marketing / communications Student affairs Student financial processing

©2011 LarsonAllen LLP

6

Enterprise-Wide Risk Assessment | North Dakota State College of Science

Detailed Results
Per discussions with process owners, LarsonAllen identified several processes where specific risks may exist. These risks identified were considered in the overall risk ranking of each key financial, operational, and IT processes. The risks identified were based upon discussions with process owners and not based on actual testing of controls. The following is a list of the risks identified by LarsonAllen, in addition to the risk ranking and recommendations for addressing the risks. Functional Risk Area / Process Ranking Identified Risk Proposed Recommendations
Develop policies and procedures specific to offering distance learning in other states to ensure federal requirements are being met and to determine if it makes good business sense to offer distance learning in various states based on student interest and fees.

Institution Response
NDSCS is actively participating in efforts led by the NDUS system to ensure compliance with federal and state requirements related to distance education. This is proving to be an efficient and effective means to determine various state requirements. It will also aid in bringing consistency in establishing related policies and procures. A cost/benefit analysis will be conducted to determine if it is economically feasible to offer distance programming in some states.

Moderate Meeting federal requirements for distance learning, specifically, procedures to follow for state level requirements when NDSCS offers distance learning in other states, permissions needed, evidence and documentation to maintain, licensing fees, etc. In addition, determining if it is cost beneficial to offer distance learning in various states.

Academic Affairs

Low

Continued enhancements in the Instructional Technology curriculum approach is needed to provide students the best learning experience; additional group and lab hours is needed versus lecture and classroom hours.

Evaluate the Instructional Technology curriculum approach to determine if the most effective learning methods are in place to provide students with the best learning experience.

The evaluation of the appropriate departmental use of instructional technology occurs on an ongoing basis. Other 2-year colleges in the state are modeling aspects of the NDSCS approach to providing instructional technology support. Enhanced use of instructional technology has been identified as one way to support the campus strategic goals. The instructional taskforce was assembled to evaluate and advance the use of instructional technology in the classroom. As a result, the innovative use of instructional technology is a key effort of the faculty and staff and a frequent focus of discussions, professional development activities and workshops.

©2011 LarsonAllen LLP

7

Enterprise-Wide Risk Assessment | North Dakota State College of Science

Functional Risk Area / Process Ranking
Low

Identified Risk

Proposed Recommendations

Institution Response
Added resources have been provided to the Instructional Technology Department to provide instructors with the tools to integrate innovative technology into their instructional techniques. The use of IT Boot Camp, eCompanion, e-folios and the instructor led Technology and Learning Team are all examples of initiatives in this area.

Academic Affairs

Low Athletics

Adequacy of cash and inventory handling, specifically monitoring controls around concessions and ticket revenue. Lack of security at weekend events.

Internal controls should be reviewed to identify potential risks related to existing cash receipts and tracking of inventory processes. Perform a cost/benefit analysis to determine if additional security resources should be allocated to weekend events on campus.

An internal control process has been established and implemented for 2011 and beyond.

Low

Campus Safety & Security

The NDSCS Police Department provides security to the campus at events that occur during hours when full-time and part-time staff are scheduled. Weekend scheduling provides shift coverage primarily around the scheduled athletic events however full-time staff schedules are modified to cover special occasions such as Homecoming, dances, Move In Day and other campus wide events. The volume of calls for service occurring during campus weekend events do not justify the cost of providing additional resources.

©2011 LarsonAllen LLP

8

Enterprise-Wide Risk Assessment | North Dakota State College of Science

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Identify additional ways to communicate emergency response procedures and provide training and testing that involves several areas across the institution.

Institution Response
Emergency drills are conducted annually with the emergency response team and local emergency responders. Emergency procedures are posted on the NDSCS web page for all employees and students to access. Fire drills are conducted in all academic and residential buildings every semester. The locker room will be addressed in 2012 and Old Main will be our number one priority next biennium (13-15). An analysis is being conducted to determine the projected needs for classroom, laboratory and office space at NDSCS-Fargo. The needs of both academic and workforce training will be evaluated. Beginning in 2011-12, NDSCS-Fargo needs are being included as a component of the institutional extra-ordinary repair budget. NDSCS-Fargo needs will be evaluated on an annual basis in the same manner that NDSCSWahpeton needs are considered. Adequate classroom space currently exists at NDSCS-Wahpeton; however, ongoing facility upgrading is required. Should the anticipated Old Main renovation project be approved, contingency plans will be made to accommodate classrooms lost while the Old Main renovation takes place and due to the demolition of Hektner Hall.

Emergency Preparedness

Moderate Lack of communication and training related to emergency response procedures, including staff, faculty, students, and student workers.

Low

There is air quality, ventilation, and mold issues in the Old Main building. In addition, the football locker rooms have mold and are unusable. Lack of classroom space at the Fargo location. Credit programs courses are utilizing space at the Fargo location and the Fargo location was initially built for workforce training only.

Continue to prioritize capital projects, renovations, and maintenance needs across campus to determine what facilities is a priority in the next fiscal year’s budget. Continue to prioritize capital project needs across campus to determine if additional classroom space should be priority in the next fiscal year’s budget.

Low

Environmental Health & Safety

©2011 LarsonAllen LLP

9

Enterprise-Wide Risk Assessment | North Dakota State College of Science

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations

Institution Response
The State Auditors review the duties of the Business Office personnel each year in the areas of cash, debt, fixed assets, inventory, payables, and revenues. They have deemed the segregation to be adequate for the limited number of staff to minimize risk. The Foundation staff is working on aligning our donor database entries by the end of the 2011/2012 fiscal year to be compatible with the institutions entries. We will then be able to reconcile donor gifts/deposits. The NDSCS Purchasing Director is currently in the process of scheduling meetings with NDSCS’ employees who have purchasing responsibility. Meetings will include: current purchasing, property control and P Card policy, procedures and regulations and discussion of each department’s procurement plans for the coming year. Meetings are planned to start the first week of September and conclude by the end of October 2011. Disagree: There is a policy in place that outlines the requirements for policy proposal, updates and changes. All of our policies were reviewed and updated if necessary in early 2011.

Moderate There is a lack of appropriate segregation Review the current responsibilities of each of duties in the Business office. person in the Business office to determine if changes should be made to allow for additional segregation of duties.

Moderate The foundation’s donor database is not reconciled to the institution’s general ledger. Financial Close & Reporting Moderate Lack of communication and training related to purchasing policies and procedures. In addition, current practices do not always reflect adherence to policies and procedures.

Develop a procedure that requires the foundation’s donor database to be reconciled to the institution’s general ledger on an ongoing basis. Consider performing an internal audit to determine if appropriate internal controls are in place for the purchasing process and if policies and procedures are adhered to. In addition, enhance communication and training related to the policies and procedures.

Governance

Moderate Lack of consistent communication to roll out new policies and procedures, make updates to existing documents, and implement consistently across the institution.

Evaluate the awareness of the existing policy addressing policies and procedures, how to make updates, communication, consistent implementation to personnel, etc.

©2011 LarsonAllen LLP

10

Enterprise-Wide Risk Assessment | North Dakota State College of Science

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Perform an assessment to determine if it makes good business sense to keep the Grant Management team under the Institutional Effectiveness function or move under the Business Office, have the group be self-governed, or another option. Review the current processes to code/assign expenses to grants and determine if proper internal controls exist to minimize the risk of coding expenses to incorrect grants or applying inaccurate expense amounts.

Institution Response
Division of responsibility is good accounting practice as well as a fraud prevention technique. The Business Office and Grants Administration as separate entities provides for checks and balances. The IE Office is the campus resource to provide current/critical data required in all grant submissions. Past practice has been refined to correct this weakness. Now all grant payments from faculty project directors go through the Grants Management Office instead of directly to the Business Office for payment. As a result, the number of journal entry requests has been substantially reduced. A newly hired grants assistant with high qualifications in accounting and experience in reviewing over a million dollars in expenses and charging to the appropriate account will assist in future appropriate application of funds. A new Leadership Development program has been implemented for Fall 2011 that will address these issues. The College has made this a top priority to develop training for managers and supervisors. It also is an AQIP project and a program is being developed to meet those demands beginning fall 2011.

Moderate The Grant Management team reports to the Institutional Effectiveness function. There are concerns that the Institutional Effectiveness function does not have the expertise related to compliance with the grants. Low Grant Administration Grant expenses may not always be applied to the correct grant or expenses may be inaccurately applied to the appropriate grant.

Moderate Lack of training available and necessary for new managers and supervisors.

Consider offering training for new managers or supervisors (existing managers as needed) that addresses leadership, discipline, adherence to policies, appropriate behavior, etc.

Human Resources & Payroll Moderate Minimal policies and procedures exist to address all operations with the Human Resources function.

Review current policies and procedures HR has flow charts in place that document their addressing the Human Resources function to major processes and written procedures that identify where there are gaps. Develop cover day to day tasks. policies and procedures, as needed, based on the review.

©2011 LarsonAllen LLP

11

Enterprise-Wide Risk Assessment | North Dakota State College of Science

Functional Risk Area / Process Ranking
High

Identified Risk

Proposed Recommendations

Institution Response

There is no formal disaster recovery plan. Develop and document a formal disaster Agreed. A disaster recovery plan will be recovery plan. This would include, but is not developed in 2012. limited to:  Risk exposures  Recovery team responsibilities  First response process and procedures  Functional assessment process  Asset protection  Communications approach  System recovery timeframes  Maintenance and testing  Training The physical security controls in the data center are weak and improvements are needed. The network and infrastructure are not adequate to support current needs. Implement additional security controls for the data center to appropriately secure the premises. Review the current network and infrastructure needs in all buildings across campus to determine where there are concerns and prioritize the risks and the need for upgrades. The design for the new IT facilities in the NDSCS Student Center includes a secure, isolated server and switch room. Agreed. The IT department is aware of the data network and infrastructure issues and is taking aggressive steps to address the problem. An individual was recently promoted to the position of infrastructure manager to prioritize these efforts, and another .5 FTE committed to network services. Both of these individuals have completed intensive network administration training in the past six months. A plan for a one-time network upgrade is being developed, along with a proposal for an annual, budgeted refresh of infrastructure and networking equipment. Agreed. The cost of a security audit is not included in the current budget, but will be considered in the upcoming budget review.

High Information Technology

High

Moderate Penetration testing and an internal vulnerability assessment have not been completed for three years.

Consider engaging a third-party firm on an annual basis to perform penetration testing and an internal vulnerability assessment.

©2011 LarsonAllen LLP

12

Enterprise-Wide Risk Assessment | North Dakota State College of Science

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Perform a cost/benefit analysis to determine if a generator or alternative back-up power supply should be purchased.

Institution Response
Disagree: All on-campus servers are protected by uninterruptable power supplies (UPS), which offer short-term continuous operation in case of an electrical outage. Other core IT services is hosted externally and would not benefit from the installation of a generator. This issue is not under the control of NDSCS; however, NDSCS is aware of the issue and hired an application developer in 2011 to ensure ConnectND accessibility for the campus and to work directly with ConnectND staff.

Moderate There is not a generator or back-up power supply.

Moderate Development of the data warehouse is managed by Connect ND and there are concerns that NDSCS and other institution’s input will not be obtained and utilized throughout the development process. Information Technology Moderate A mobile device policy is in place; however, appropriate security measures have not been technically enforced to support mobile devices.

Team with the System office and Connect ND to stay abreast of the process to facilitate and collect input from the institutions in the development of the data warehouse and suggest changes to the process if NDSCS does not feel adequate input is being collected from the institutions. Consider technically enforcing security measures on mobile devices to enhance security.

Agreed. Starting immediately, all new NDSCSpurchased cell phones and mobile devices will be configured to require a user-specific PIN/password which must be correctly entered each time the device is switched on, or the device will not function. This year, specialized training has been provided to specific IT staff in the areas of security, networking, and data access. All 2011 staff responsibility reviews included individual goals related to job-specific training. The current strategic plan for 2011-2012 includes realignment and redefinition of staff roles and job descriptions.

Low

Concerns around the training available and needed for the Information Technology (IT) function related to technical IT and strategic long-term planning.

Consideration should be given to provide increased training to existing personnel and potentially develop job qualifications for new applicants.

©2011 LarsonAllen LLP

13

Enterprise-Wide Risk Assessment | North Dakota State College of Science

Functional Risk Area / Process Ranking
Low

Identified Risk
Food costs continue to increase within the Dining Services function and there are concerns about maintaining sufficient profit levels.

Proposed Recommendations
Continue to review food costs and identify methods to keep costs down. In addition, evaluate current sale prices to determine if prices continue to be appropriate.

Institution Response
The Food and Beverage costs (prime costs) in Dining Services have been at the following levels: 2006: 35.5% 2007: 36.7% 2008: 33.5% 2009: 33.6% 2010: 31.4%.Board fee increases to students were: 2006: 7%, 2007: 7%, 2008: 5%, 2009: 7.9% and 2010: 5.2%.While we are concerned about the continual rise in food and beverage costs Dining Services management are confident that through diligent purchasing methods and waste control costs can be managed. It has been and continues to be a priority to keep costs and profits in line and to provide high quality products at reasonable prices to the customers of NDSCS.

Operations & Auxiliary Services

Moderate Several manager and supervisor positions are filled with resources that have not previously been in a manager or supervisory role. Faculty & Staff Moderate Recruitment and retention of faculty is a concern, specifically as it relates to the compensation offered for these positions.

Consider offering training for new managers A new Leadership Development program has or supervisors (existing managers as needed) been implemented for Fall 2011 that will that addresses leadership, discipline, address these issues. adherence to policies, appropriate behavior, etc. Continue to benchmark wages with other North Dakota colleges and universities. Salary surveys are conducted annually to benchmark wages with our peer institutions.

©2011 LarsonAllen LLP

14

Enterprise-Wide Risk Assessment | North Dakota State College of Science

Appendix
Impact Criteria
IMPACT CRITERIA
FINANCIAL (1) Asset size (2) Prior negative exposure (3) Rapidly increasing transaction volume STAKEHOLDER (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns REPUTATION (1) Potential adverse issues are known to external parties, such as media and regulatory bodies LEGAL / REGULATORY (1) Any Federal/ State/Other action (2) External Audit reportable conditions OPERATIONS (1) Current infrastructure cannot support business strategy

HIGH

MEDIUM

(1) Asset size (2) Major potential cost (3) Transaction volume stable

LOW

(1) Asset size (2) Minor potential cost (3) Transaction volume stable

(1) Management, employees and faculty may be affected by process inefficiencies or control breakdown (1) No management, employees and faculty are affected by process inefficiencies or control breakdown

(1) Potential adverse issues could impact customers

(1) Issues identified by Federal/State/ Other (2) Issues identified by External Audit (1) No issues identified by Federal/State/ Other (2) No issues identified by External Audit

(1) Current infrastructure is able to support business strategy with work arounds (1) Current infrastructure is able to support business strategy

(1) Potential adverse issues could impact employees

Vulnerability Criteria
VULNERABILITY CRITERIA
CONTROL EFFECTIVENESS AND EFFICIENCY SPEED OF RESPONSE COMPLEXITY PEOPLE OPERATIONAL EFFICIENCY SYSTEM CAPABILITY RATE OF CHANGE

Controls are not working or do not exist.

HIGH

No method for anticipating and accessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.

Manual processes with many data transfer points and owners.

MEDIUM

Controls are detective but not preventative and there may or may not be effective reporting.

A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.

Automated process encompassing multiple systems and owners.

A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists. A limited number of staff and/or staff has moderate competency to manage risk event.

High/unmeasure d cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.

Systems are not operating as designed or design is flawed; very limited controls.

Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.

Systems are operating as designed, but design can be improved; controls are bolted on top of the system.

LOW

Controls are appropriately preventive and detective and there is effective reporting.

A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.

Automated processes with integrated systems.

Most staff has high competency to manage risk events.

Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.

Systems are designed, implemented, and operating effectively; controls are embedded in the system.

Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months. Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months. Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.

©2011 LarsonAllen LLP

15

North Dakota State University Risk Assessment Results
October 14, 2011

Craig W. Popenhagen, CPA Principal 612/397-3087 cpopenhagen@larsonallen.com

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | North Dakota State University

220 South Sixth Street, Suite 300 Minneapolis, MN 55402-1436 612-376-4500, Fax 612-376-4850

October 14, 2011 Dr. Dean Bresciani North Dakota State University 1340 Administration Ave. Fargo, ND 58102 Dr. Bresciani, This report provides you, North Dakota State University (NDSU) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board’s acceptable risk level. LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided. In addition, the procedures performed by LarsonAllen are not a substitution for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide North Dakota State University with insight to inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project. We appreciate the opportunity to assist North Dakota State University. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance. Sincerely, LarsonAllen LLP

Craig W. Popenhagen, CPA Principal 612/397-3087 cpopenhagen@larsonallen.com

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | North Dakota State University

Table of Contents
Executive Summary
What is Risk Assessment? Risk Assessment Methodology


1  1 

Project Overview
Objectives and Scope Approach


4  4 

Risk Assessment Results
Enterprise-Wide Risk Map Detailed Results


6  6 

Appendix
Impact Criteria Vulnerability Criteria

31 
31  31 

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | North Dakota State University

Executive Summary
LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for North Dakota State University. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically. Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical representation of the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Detailed results are also provided communicating the explanation for the risk ranking and recommendations for addressing the risks.

What is Risk Assessment?
Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution whether it is entity or process level.  Entity level is the cornerstone for effective control and its objectives provide guidance on what the entity wants to achieve. It should be consistent with budget, strategy, and business plans.  Process level should align with entity level objectives but differ in that they relate directly to goal setting with specific targets and deadlines. It provides guidance for management focus.

Risk Assessment Methodology
The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for the North Dakota State University.

©2011 LarsonAllen LLP

1

Enterprise-Wide Risk Assessment | North Dakota State University

Understand the Client’s Business: We begin by understanding the North Dakota University System’s (the System) business by gathering the business objectives, goals, and strategies and identify the System’s various universities and colleges in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry. Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of an institution to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken in the form of missed opportunities. There are six types of risks:  Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the institution’s inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the institution’s reputation.  Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.  Operational: The risk that the institutions operational processes are not achieving the objectives they were designed for to support the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.  Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.  Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the institution and the availability and quality of information the institution can access to support decision making, and the security of key information.  Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships. Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.

©2011 LarsonAllen LLP

2

Enterprise-Wide Risk Assessment | North Dakota State University

Areas of Focus               

Definitions Financial Stakeholder Reputation Legal / Regulatory Operations

Impact

Vulnerability

Control Efficiency & Operating Effectiveness Speed of Response Complexity People Operational Efficiency System Capability Rate of Change

Measurement Scale

High Risk Moderate Risk Low Risk

Execute Risk Assessment Approach: We begin by identifying various interview participants, including key risk owners and conduct interviews, as applicable. Key risks are gathered during this stage and results are ranked by defined impact and vulnerability criteria. Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then validated and shared with management, as appropriate. By prioritizing and validating risks, North Dakota State University can align and prioritize its resources to manage and mitigate risks appropriately.

©2011 LarsonAllen LLP

3

Enterprise-Wide Risk Assessment | North Dakota State University

Project Overview
Objectives and Scope
The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at North Dakota State University and assess the levels of risk within each of the process areas. In addition, provide Management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process. The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution: Functional Area / Process
Academic Affairs Athletics Campus Safety & Security Continuing Education Emergency Preparedness Environmental Health & Safety Financial Close & Reporting

Detailed Coverage of Functional Area / Process
On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance, player and spectator liability Building security, campus police/security Non-credit courses, community programs, workforce training, conference management Emergency preparedness and response procedures, business continuity, risk management Physical safety and soundness of campus buildings, environmental risks, facilities/classroom Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action Grant tracking and monitoring, accounting, budgeting, reporting Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk Social media, publications, web development, brand and logo, advertising channels Bookstore, libraries, food services Workforce training, competency, professional environment, conflict of interest Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services Student financial aid, tuition, enrollment fees, scholarships, funding, student loan processing
4

Governance Grant Administration Human Resources & Payroll Information Technology

Marketing / Communications Operations & Auxiliary Services Faculty & Staff Student Affairs

Student Financial Processing

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | North Dakota State University

Approach
With the assistance of North Dakota State University management, LarsonAllen identified 24 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area. Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).

©2011 LarsonAllen LLP

5

Enterprise-Wide Risk Assessment | North Dakota State University

Risk Assessment Results
Enterprise-Wide Risk Map
The enterprise-wide risk map communicates the risk results at the functional area / process based on the information obtained during the interviews. The description of the risk map is as follows:    Green – Low Risk Yellow – Moderate Risk Red – High Risk

The following functional areas / processes are not on the above risk map as there were no risks identified by stakeholders, per the interview discussions:   Continuing education Student affairs

©2011 LarsonAllen LLP

6

Enterprise-Wide Risk Assessment | North Dakota State University

Detailed Results
Per discussions with process owners, LarsonAllen identified several processes where specific risks may exist. These risks identified were considered in the overall risk ranking of each key financial, operational, and IT processes. The risks identified were based upon discussions with process owners and not based on actual testing of controls. The following is a list of the risks identified by LarsonAllen, in addition to the risk ranking and recommendations for addressing the risks. Functional Risk Area / Process Ranking
High

Identified Risk
The institution is in need of a significant number of faculty positions and is also significantly underfunded when reviewing the total student population to current funding.

Proposed Recommendations
Review current faculty positions and compare to growth strategies to ascertain whether they are in alignment.

Institution Response
Due to strong student enrollment demand NDSU’s preferred faculty to student ratio of 1:16 has been affected. In order to address this ratio NDSU needs 175 faculty. Until that time, adjunct faculty have been hired to instruct students. This has been a proposed policy by the US Dept. of Education. NDSU, working with the NDUS, has already been working on a solution to this controversial issue. Although, the USDOE has backed away from the initial implementation date, we are monitoring developments closely, while pursuing a solution with NDUS.

Academic Affairs

Moderate Meeting federal requirements for distance learning, specifically, procedures to follow for state level requirements when NDSU offers distance learning in other states, permissions needed, evidence and documentation to maintain, licensing fees, etc. In addition, determining if it is cost beneficial to offer distance learning in various states.

Develop policies and procedures specific to offering distance learning in other states to ensure federal requirements are being met and to determine if it makes good business sense to offer distance learning in various states based on student interest and fees.

©2011 LarsonAllen LLP

7

Enterprise-Wide Risk Assessment | North Dakota State University

Functional Risk Area / Process Ranking
Low

Identified Risk
Athletic events have students consuming alcoholic beverages or who consumed alcoholic beverages prior to arriving at the event and this continues to be a liability.

Proposed Recommendations
Continue to assess policies, procedures, safety, and security on an ongoing basis, specific to athletic events, to determine if appropriate measures are in place and actions taken.

Institution Response
Given the scope of concern of misuse of alcohol by students, athletics is extremely sensitive to the policies, procedures, safety and security of all. The Director of Athletics is the current chair of the President’s Council on Alcohol and Other Drugs. The University believes the misuse of alcohol at athletic events is a university-wide issue. Athletics is keenly aware that it is their event and as such, works with a high degree of collaboration with the Office of Student Affairs. Use of two facilities external to athletics necessitates sharing of the University’s philosophy regarding alcohol with these entities. Event staffs from both entities meet regularly to review issues such as number of officers on site, admission policies, etc. Also, the NDSU Director of Tickets/Athletics Facilities is in close contact with the Director of Athletics about any on-site issues regarding the misuse of alcohol and there is always an athletic administrator on site at home athletic competitions. Athletics will continue to be responsive to the policies, procedures, safety and security of the public it serves.

Athletics

©2011 LarsonAllen LLP

8

Enterprise-Wide Risk Assessment | North Dakota State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Review current policies related to open/close times for individual campus buildings. Buildings should only remain unlocked based on operational needs with appropriate security. Consider requiring all staff and faculty to wear badges. In addition, perform a cost/benefit analysis to determine if implementing an electronic key card system or additional security cameras would be appropriate.

Institution Response
Campus safety, including building security, is an important concern at NDSU. NDSU’s approach to maintaining the safety and security of its facilities for all who use them remains a high priority and includes recognition of the need to be proactive in pursuing and sustaining this priority. A centralized system for card access, electronic locking as well as surveillance camera operations does exist and will be improved upon as funding dollars become available. Where this technology is not fully implemented, ridged key access policies and procedures as well as police and public safety officers continue to provide for a high degree of safety and security on the campus. NDSU will continue to work on the emergency preparedness plan, with a focus on the continuity of operations, based on the emergency management cycle of mitigation, preparedness, response and recovery. NDSU will continue to research grant opportunities (for which it has been successful in utilizing in the past) to create current documents for emergency management efforts, and will also pursue other budgetary funding options which may become available as the result of recent emphasis on continuity of operations needs within the State of North Dakota.

Campus Safety & Security

Moderate There are improvements that could be made to building security, specifically building access and monitoring of activity. There are no security cameras in the university buildings downtown. In addition, if there was an emergency, most buildings could not be secured.

Moderate The comprehensive emergency preparedness plan is not complete and there are concerns that the institution will not have the resources to implement and sustain the plan once it is complete, including funding. Emergency Preparedness

Continue to finalize the emergency preparedness plan and analyze current funding streams and probability of being able to utilize other funding streams. In addition, research additional grant opportunities to support the resources needed.

©2011 LarsonAllen LLP

9

Enterprise-Wide Risk Assessment | North Dakota State University

Functional Risk Area / Process Ranking
High

Identified Risk
The IACC building’s environmental temperature control system is unable to support the needs of the information technology equipment it houses.

Proposed Recommendations
The current environmental temperature control system should be enhanced or replaced to support the information technology equipment.

Institution Response
The HVAC was reviewed in a 2010 study done by the engineer and will be added to the list of needs. As part of the Performance Contract project signed with ESG to start in August of 2011, some new building controls will be installed. This won’t cure all of the issues in the building but should help with some issues. The remaining issues will be added to the outstanding deferred maintenance project list. NDSU has a facilities master plan that is updated every two years. In addition, NDSU Facilities Management will create and document a 10 year plan for maintenance activities. These activities will follow the SBHE guidelines for evaluating projects. Life, health and safety are the top priorities followed by code issues. The planned maintenance will follow what the State financially gives NDSU for extra ordinary repairs. In addition, the City of Fargo does have a fire marshal walk through the campus buildings to give input on any serious concerns. NDSU moves those concerns to the top of the list, when necessary. NDSU’s 2011-13 biennial funding for extraordinary repairs is $2,732,244. NDSU has over $25million in outstanding deferred maintenance.

High

Environmental Health & Safety

The demand to expand facilities, stay current with maintenance, etc. is not keeping up with the growth of the university. In addition, there are concerns related to building safety and soundness; there are possible code violations. As code changes evolve, several buildings were “grandfathered” in and proper assessments have not continued to take place.

Continue to prioritize capital projects, renovations, and maintenance needs across campus to determine buildings that are priority in the next fiscal year’s budget and assess whether the institution is in violation of code.

©2011 LarsonAllen LLP

10

Enterprise-Wide Risk Assessment | North Dakota State University

Functional Risk Area / Process Ranking
Low

Identified Risk
The structure of the Facilities function, including reporting lines, roles and responsibilities, etc. are inconsistent and certain responsibilities fall within duplicate departmental divisions within the Facilities function. In addition, there is no cross training between departmental divisions.

Proposed Recommendations
Consider developing formal job descriptions for all personnel within the Facilities function to determine if the roles and responsibilities fall under the appropriate departmental division or if changes should be made. Determine where there may be duplication of responsibilities across divisions. In addition, consider the benefits gained from cross training within and across departmental divisions.

Institution Response
NDSU Facilities Management is in the process of a re-organization, which will also include job description reviews. In addition, cross training has started in some areas and more will be reviewed in the future. Job descriptions and cross training to keep current will be assigned to a revised vacant position that is currently advertised. An Associate Director’s position will be filled within a month and Facilities Management is currently in the process of filling the vacant position referenced. The division of Finance and Administration will work in coordination with university leadership to strategically align priorities with appropriate funding. A strategic plan was developed to address the University’s financial commitments. As a result of the plan, the University has strategically aligned the revenue with expenses. NDSU continues to evaluate the appropriate allocation of all resources, as well as continuing to improve on the efficiency and effectiveness of existing operations. Budget reallocations have allowed NDSU’s leadership the ability to carry out the overall campus strategic plan.

Environmental Health & Safety

High

The institution has $12M in underfunded projects.

Continue to review and update the strategic plan to assess underfunded projects and prioritize needs appropriately.

Financial Close & Reporting

©2011 LarsonAllen LLP

11

Enterprise-Wide Risk Assessment | North Dakota State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations

Institution Response

Moderate Decentralized business office approach (i.e. each department has its own accounts payable and cash receipts function). Concerns include, but are not limited to, staying current with accounts payable and penalties assessed for late payments, cash receipts, segregation of duties, etc. Low The current financial reserves are not capable of handling a significant disaster (i.e. flooding, fire, etc.). The legislative will assist in the event of a disaster; however, it is difficult to estimate the funds that should exist in the reserve to mitigate the financial risk. The institution has excessive long-term lease commitments that were entered into by previous leadership.

Review the internal control environment NDSU will continue to evaluate the overall based on existing operational structure to control environment on a regular basis. determine if appropriate internal controls are in place and operating effectively and to evaluate whether the current decentralized approach continues to be the most appropriate solution for the institution. Perform a risk assessment of the financial reserves in place to measure the likelihood of a disaster taking place and the impact it would have to the university and the funds needed to recover from the disaster. Funding for significant disasters is normally funded by the ND Legislature or insurance coverage.

Financial Close & Reporting Low

The institution should continue to work with NDSU has reviewed all lease commitments the lessors’ to determine if lease including those entered into during the commitments can be renegotiated. previous administration. NDSU continues to review all lease commitments, and will make necessary adjustments when opportunities arise or when deemed appropriate by management. Team with the System office to determine if it makes good business sense to purchase a budgeting tool within PeopleSoft to eliminate duplications, inefficiencies, and reduce chance for error. NDSU will look for direction from the System Office regarding the purchase of a budgeting tool within PeopleSoft.

Low

The budgeting process is performed outside of PeopleSoft with heavy use of Microsoft Access and Excel. In addition, the Access database was developed in 1999/2000; therefore, updates and enhancements cannot be made to the database due to the version being utilized.

©2011 LarsonAllen LLP

12

Enterprise-Wide Risk Assessment | North Dakota State University

Functional Risk Area / Process Ranking
High

Identified Risk
Concerns related to the legislative session and the funding available to NDSU as a result of the session. In addition, the university is significantly underfunded when compared to its peers and there are concerns whether the funding is being disbursed appropriately throughout all the colleges and universities in North Dakota.

Proposed Recommendations
NDSU and NDUS should continue to work with the legislators to determine if funding is appropriate for NDSU. Agree.

Institution Response

Governance

©2011 LarsonAllen LLP

13

Enterprise-Wide Risk Assessment | North Dakota State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Develop procedures institution-wide to ensure all new System level policies and changes to existing System level policies are communicated to applicable parties at the institution. In addition, identify policies where interpretation is difficult and continue to reach out to other campuses or the System office for further clarification.

Institution Response
NDSU does communicate with all parties when changes are made to policies or new policies are adopted. Policies are vetted through the Policy Coordination Committee and forwarded to the Staff and Faculty Senates for input and approval. All policy changes are reviewed and approved by General Counsel and the President prior to being published in the online Policy Manual. A notice on all new policies and policy changes is published in “It’s Happening at State” after they are finalized and are also sent via email to all Policy Coordination Committee members. In addition, a new committee, Senate Coordinating Council, will be established in Fall 2011. The Council’s responsibilities are to: a. Encourage the development of clear, thorough, and consistent policies by stimulating collegial discussion and analysis of policy proposals having campus-wide effects. b. Coordinate the distribution of policies to the appropriate senate body consistent with the Faculty Senate Constitution. c. Send policies that have been voted on to appropriate channels at NDSU for final approval. d. Serve in a liaison capacity regarding the Faculty Senate, administration, Staff Senate, and Student Government.

Moderate New System level policies and changes to existing policies communicated to NDSU are not always further communicated to the appropriate personnel at the institution. In addition, policies are not always interpreted appropriately.

Governance

©2011 LarsonAllen LLP

14

Enterprise-Wide Risk Assessment | North Dakota State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Team with the System office and other campuses to define “flexibility”, discuss concerns, and enhance communication. In addition, team with the information technology group to determine if PeopleSoft can report data in multiple ways to allow for the System and NDSU to have the data reported in the format they need (i.e. institutional vs. cumulative GPA). Per the Institute of Internal Auditors (IIA), PA 1110-1: Organizational Independence, consider changing the functional reporting structure for the Director of Internal Audit to the Board or Audit Committee with a dotted line (administratively reporting) to the President.

Institution Response
NDSU will look for guidance from the System Office.

Moderate Campuses are allowed “flexibility” under the flexibility with accountability expectations of SB 2003 passed by the 2001 Legislative Assembly; however, NDSU and the System office are not always in agreement with the definition of flexibility and what processes and changes should be driven by the System office vs. NDSU. Governance Moderate The Director of Internal Audit reports directly to the President (i.e. President provides performance evaluations, wage adjustments, etc.) resulting in potential independence issues.

Strongly disagree. The operational word in the title is intentionally “internal” audit. Position is considered a management tool within NDSU administration and reports directly to the President to eliminate any conflicts of interest with his high priority of best possible business practices. Would, of course, agree that “external” auditors should report to the audit committee with a dotted line to the President.

©2011 LarsonAllen LLP

15

Enterprise-Wide Risk Assessment | North Dakota State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Perform a cost/benefit analysis to determine if a compliance function should be developed within NDSU to monitor and communicate compliance requirements. As an alternative, NDSU could also assess whether the existing Internal Audit group has the skills necessary and resource capacity to assist with the communication and monitoring of compliance requirements.

Institution Response
While there are not officially designated compliance officers for FERPA and HEOA, the compliance function is definitely seen as the responsibility for the respective offices. The NDSU Offices of Registration and Records serves as the primary and responsible office for monitoring and administering the Family Educational Rights and Privacy Act (FERPA) on campus. As part of this responsibility, we:  Regularly review current and proposed federal regulations, and are involved with discussions on state policies and procedures as they pertain to student data privacy;  Serve as the primary point of contact and field faculty, staff and student questions and concerns related to student privacy and FERPA;  Publish the annual notice on FERPA and regularly disseminates it to students (per the federal law);  Educate the campus and greater community on directory and non-directory information and acceptable use;  Provide a means for students to consent to third party releases as well as to restrict their directory information;  Handle subpoenas and open record requests for student information according to FERPA guidelines;

Moderate There is no Compliance Officer or compliance function to oversee the various regulations the institution is required to comply with such as PCI, HIPAA, FERPA, HEOA, etc. and assist in proactively understanding requirements.

Governance

©2011 LarsonAllen LLP

16

Enterprise-Wide Risk Assessment | North Dakota State University

Functional Risk Area / Process Ranking
Moderate

Identified Risk

Proposed Recommendations

Institution Response
Manage institutional-level security to student academic records in Campus Connection (including assigning security access to new employees who require access to student data to perform their job duties; changing/reviewing assignments as needed; and terminating access on users no longer employed at NDSU or who have a change in position on campus); Consult with NDSU General Counsel as needed on matters related to FERPA, state laws, and student-specific privacy issues
 

Governance

Student Financial Services oversees compliance for HEOA and is very attentive to all new and existing federal guidelines. In addition, the university general counsel is consulted on occasion for specific questions and interpretations of compliance concerns. The General Counsel performs a de facto compliance function. Many offices have portions of compliance, like UPSO, Sponsored Research, Auditor, General Counsel, Registrar, HR, Grants & Contracts, and Financial Aid. The Internal Auditor is developing a compliance matrix to document owners of areas of key compliance.

©2011 LarsonAllen LLP

17

Enterprise-Wide Risk Assessment | North Dakota State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Consider leveraging the enterprise-wide risk assessment performed by LarsonAllen in the development of future internal audit plans. In addition, continue to assess and rank risks on an ongoing basis with a full risk assessment being performed regularly.

Institution Response
NDSU understands the value of risk assessments in both guiding management actions in key risk areas as well as developing the annual internal audit plan. LarsonAllen was hired to develop a framework to utilize in designing an ongoing risk-based audit planning process. NDSU will consider the Larson Allen deliverable with modifications to address NDSU’s organizational needs and structure. The end goal is to build a structured and repeatable risk assessment process to utilize on an annual basis. Additional concern likely common to the two research universities, but certainly NDSU, are the very different priorities they often have from the nine smaller regional institutions. Current priorities are identified “democratically” even though the two research universities are the largest portion of the system.

Moderate A formal risk assessment is not performed to identify specific risks and to assist in the development of the internal audit plan.

Governance Moderate Processes to prioritize and make changes within PeopleSoft are governed by Connect ND. Prioritization and decision making is not clearly defined and does not always involve NDSU when the institution feels it is necessary. NDSU staff and faculty are users of PeopleSoft and are significantly affected by changes. Team with the System office and Connect ND to determine if current policies and procedures to prioritize and make changes to PeopleSoft should be more clearly defined and if involvement of the institutions is appropriate.

©2011 LarsonAllen LLP

18

Enterprise-Wide Risk Assessment | North Dakota State University

Functional Risk Area / Process Ranking
Low

Identified Risk
Concerns related to intellectual property, such as research, export controls, etc. and if appropriate procedures are in place to reduce and address such risk.

Proposed Recommendations
Continue to communicate relevant policies and procedures related to intellectual property to appropriate personnel. In addition, continue to review such documents to validate risks are continually discussed and addressed.

Institution Response
NDSU has long had an Intellectual Property (IP) policy and procedures, modeled after the SBHE Policy 611.2. NDSU’s IP policy and procedures are currently Policy 190 in the NDSU policy manual, found at http://www.ndsu.edu/policy/190.htm. This policy and procedure document was revised in FY 2009 by the then University Senate Standing Committee, the Research & Consulting Committee, and the revisions were approved by the University Senate. In FY 2010 the Chancellor appointed a SBHE Task Force consisting of NDSU and UND personnel to review SBHE Policy 611.2. That Task Force held its final meeting in July 2011 to finalize recommendations, which will soon be forwarded to the Chancellor. The VP for Research, Creative Activities and Technology Transfer provides periodic seminars on campus (“Gear up for Grants”) covering various topics, including intellectual property. The Technology Transfer office is available as a resource for any questions in regards to understanding IP policy or disclosing IP.

Governance

Based on the Committee actions, no high risk issues in regards to intellectual property were identified by the task force. The charge from the Chancellor in April of 2010 to the university system task force was to review and make recommendations regarding SBHE policies and state statutes relating to intellectual property. The

©2011 LarsonAllen LLP

19

Enterprise-Wide Risk Assessment | North Dakota State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations

Institution Response Chancellor asked for recommendations for "appropriate revisions or amendments designed to encourage and support innovation and creative activities, reward individual initiative and productivity, promote utilization of intellectual property for the public benefit and protect institution and state interests". In June of 2011, NDUS General Counsel Pat Seaworth requested that the task force look at 611.2(3) governing ownership of patentable discoveries, in light of the recent supreme court opinion, Stanford v. Roche. The task force met in July of 2011 to discuss the impact of Stanford v. Roche on 611.2. The task force is recommending additional language in regards to the requirement that employees execute a written assignment of inventions. The task force is also providing a sample assignment document that can be used/incorporated if the NDUS desires.
Further, the University Police & Safety Office provides to all NDSU employees an annual notice of policies covered under the ND Risk Management Program. Employees are directed to read the provisions contained in the notice and sign and return the signature page signifying it is their responsibility to review the Annual Notice and the NDSU Policy Manual and to contact their supervisor if they want to

©2011 LarsonAllen LLP

20

Enterprise-Wide Risk Assessment | North Dakota State University

Functional Risk Area / Process Ranking
Low Governance

Identified Risk

Proposed Recommendations

Institution Response
discuss. This Annual Notice includes NDSU Policy 190 on IP. Finally, the NDSU Chief Information Technology Security Officer provides an annual email to all NDSU employees in regards to an annual disclosure and information resource for IP and copyright

High

Congress is discussing making cuts related No proposed recommendation. to earmarked dollars critical to research.

The earmarks for FY2011 & FY2012 were zeroed out. There are no indications from Congress as of yet as to the possibility of earmark funding for FY2013 and beyond. The Vice President for Research, Creative Activities, and Technology Transfer office is placing increased emphasis and focus on identifying private sector funding to help mitigate the loss of earmark funding. NDSU will continue to evaluate and review the overall grant administration process with the PI’s and departments. Grants & Contract Accounting office and Research Administration office are providing grant training to grant PI and support staff.

Grant Administration

Moderate Concerns related to the visibility and actions taken for excess funds that exceed the grant term, specifically expenses being applied to grants that have expired if there are still dollars left and carryover approvals from the grantor and communication related to carryovers.

Perform additional centralized review and oversight of the grant process to determine the volume of excess funds and if appropriate internal controls are in place to carryover the funds or return funds to the grantor. In addition, review the expiration of grants and when expenses were applied to determine if there were expenses applied to grants that expired without approval of continued use.

©2011 LarsonAllen LLP

21

Enterprise-Wide Risk Assessment | North Dakota State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Review the current methods to track and monitor effort reporting to determine if enhancements could be made to the current reporting methods. Alternatively, consider purchasing a grant and effort reporting tool to enhance reporting accuracy and produce information needed internally and for compliance reviews.

Institution Response
The effort system in PeopleSoft that the University System uses complies with basic federal requirements. The current system is a very manual process and does not provide a method of tracking proposed or committed effort. NDSU has been working in coordination with the University System (ConnectND) team for a number of years to purchase a new system that would be more automated and inclusive. Grants & Contract Accounting office and Research Administration office are providing grant training to grant PI and support staff.

Moderate PeopleSoft is lacking certain capabilities to track and monitor effort reporting, which may result in inaccurate reporting and the inability to produce all information needed for a compliance review.

Grant Administration

Moderate Grant expenses, including payroll Continue to perform a centralized review of expenses, may not be accurately applied to the current processes to code/assign the correct grant. expenses to grants and determine if proper internal controls exist to minimize the risk of coding expenses to incorrect grants.

Within every financial environment inherent risk exists due to accuracy of data. NDSU has and will continue to evaluate the grant workflow process in order to mitigate risk where possible. The Grants office will continue to work with the PI for proper coding of expenditures. Grants & Contract Accounting office and Research Administration office are providing grant training to grant PI and support staff. NDSU has and will continue to work with Principal Investigators to provide assurance funds awarded are being used as intended. Grants & Contract Accounting office and Research Administration office are providing grant training to grant PI and support staff.

Moderate There are concerns that not all grants are being utilized appropriately and for the purpose they were awarded.

Perform centralized review and oversight to determine whether grants are being used appropriately and for the purpose they were awarded.

©2011 LarsonAllen LLP

22

Enterprise-Wide Risk Assessment | North Dakota State University

Functional Risk Area / Process Ranking
Low

Identified Risk
Payroll processes are very manual (i.e. Leave forms are used to approve sick and vacation time, manual time cards are utilized in several instances, etc. In addition, PeopleSoft is manually updated in all instances.

Proposed Recommendations
Payroll should work with the Information Technology group to determine if there are additional processes that could be automated in PeopleSoft, automated workflow tools that exist and/or could be utilized, and perform a cost/benefit analysis to determine if additional software should be purchased (if needed) to automate manual processes.

Institution Response
ConnectND (SITS) currently has a committee reviewing the feasibility of implementing manager’s self-service which is utilizing PeopleSoft for the workflow of payroll forms. NDSU’s Associate Director of Payroll is on that committee. In addition, the online employment system, PeopleAdmin, is now being used to process benefitted hires online – so no form is submitted. PeopleSoft Employee Self-Service has been implemented for the last 2 years so employees can make changes to withholdings, addresses, and direct deposits online without manually completing a form. Leave forms are submitted and are entered into PeopleSoft.

Human Resources & Payroll

Low

The benefits election process for new employees and annual renewal process is very manual. Employees manually complete forms and benefit elections if they are a new employee and for the annual open enrollment process. Changes are manually entered into PERS with duplicate entry into PeopleSoft.

No proposed recommendation as this is managed by the state.

NDPERS has indicated that there will be online employee enrollment process in the near future. We are waiting for further information.

©2011 LarsonAllen LLP

23

Enterprise-Wide Risk Assessment | North Dakota State University

Functional Risk Area / Process Ranking
High

Identified Risk
There are many shadow systems that are being utilized outside of PeopleSoft and across various functional areas. In addition, there is not an inventory maintained of all the shadow systems to identify what they are used for, who manages them, etc.

Proposed Recommendations
Identify a resource(s) to inventory all shadow systems maintained outside of PeopleSoft and gather additional information such as what department is using the system, the purpose for using it, who manages the system, if PeopleSoft offers the functionality the shadow system is being used for, etc. Determine if shadow systems can be eliminated and processes performed in PeopleSoft.

Institution Response
PeopleSoft is administered by NDUS System Information Technology Services (SITS) with the Data Center services located at UND. Significant portions of the identified risk will need to be addressed by SITS. NDSU’s IT Division is aware of many, but not all, shadow systems. It could maintain an inventory if desired. A determination of whether or not PeopleSoft could subsume a given shadow system would need to be done by SITS as NDSU's IT Division is not involved in the operation or support of PeopleSoft.

Information Technology

High

Electrical capacity in the technology building is inadequate. There are also concerns related to other buildings around campus. In addition, there have been instances where back-up generators have failed.

Review the current power methods and capability in all buildings across campus to determine where there are concerns and prioritize the risks and the need for replacements.

In order to address the needs in the Industrial Ag Communication Center (IACC), an engineer was hired to review the Electrical and HVAC during 2010. Estimates were in excess of $4M. This project has been added to the prioritized list of projects and will be addressed as funds become available.

©2011 LarsonAllen LLP

24

Enterprise-Wide Risk Assessment | North Dakota State University

Functional Risk Area / Process Ranking
High

Identified Risk
Several buildings need network upgrades such as routers, switches, etc. A significant portion of NDSU’s network is operated by obsolete switches.

Proposed Recommendations
Review the current network upgrades needed in all buildings across campus to determine where there are concerns and prioritize the risks and the need for upgrades. In addition, consider treating the network as a utility to ensure the funding is available and to minimize interruptions.

Institution Response
Fifty percent of NDSU’s network is operated by obsolete switches that have known security vulnerabilities as identified in the 2008 Foundstone security audit. Long term sustainable funding for the campus network needs to be secured in order to properly address this risk. To mitigate the impact, upgrades have been done according to threat assessment. Buildings that have greater risks associated with a network compromise have been upgraded before others where possible. The potential impact associated with this risk will continue to grow in the future as NDSU deploys more network based phones, building automation systems, video surveillance, fire alarms, etc. PeopleSoft is administered by NDUS System Information Technology Services (SITS) with the Data Center services located at UND. A response to the identified risk will need to be formulated by SITS. NDSU's IT Division is not involved in the operation or support of PeopleSoft. NDSU's IT Division is aware of support delays during peak times such as the start of the Fall Semester. The benefit of staffing the Help Desk for these peak times does not outweigh the cost of doing so; thus, these delays are considered acceptable. Furthermore, recent changes to the Help Desk structure with the outsourcing of the NDUS Help Desk should allow higher priority to NDSU support.

Information Technology

Moderate PeopleSoft is not being utilized to its full capabilities. Internally developed software is being utilized where PeopleSoft could potentially be leveraged and manual workarounds have been created outside of PeopleSoft and other systems.

A current state assessment should be performed for all functional areas that are concerned PeopleSoft is not being utilized to its full capabilities and/or several manual work-arounds have been created outside of systems, etc. Identify future state improvement opportunities and perform reengineering of processes. Perform a cost/benefit analysis to determine if it makes good business sense to add additional resources in the helpdesk function to support staff and faculty needs.

Moderate A significant number of helpdesk calls from NDSU staff and faculty are not addressed timely due to lack of resources. In addition, as resources become more limited, priorities for IT investment have to be established.

©2011 LarsonAllen LLP

25

Enterprise-Wide Risk Assessment | North Dakota State University

Functional Risk Area / Process Ranking
Low

Identified Risk
There are several documents that address disaster recovery; however, they are not consolidated into one document. In addition, the specific flood preparations document for 2009-2011 is incomplete.

Proposed Recommendations
Consider consolidating all Plans into one document and review document(s) on an ongoing basis to ensure they are completed.

Institution Response
(A) Disaster recovery plans, to include critical functions and resources, have been developed and documented as a part of the NDSU’s Ready Campus Initiative (RCI) project to allow University operations to resume more quickly following a disaster. As well, flood preparations for 2009-2011 were identified and documented, however incomplete. (B) In 2010, NDSU engaged an engineering firm to identify risks related to IACC data center infrastructure and to develop a plan to remedy identified risks. The study determined that it would cost $2.2M to address IT areas of IACC only and $4M for all areas of the IACC. (C) Three special fund projects were submitted by ITS for the 2013-2015 master plan. They were an upgrade to the IACC ($4.7M), redundant IT infrastructure ($22M), and Emergency Support Technologies ($5.2M). (D) Additional steps taken for campus-wide disaster recovery include the technologies for the creation of a campus emergency notification system (CENS), e.g., emergency notification broadcast via email, telephone, voice broadcast messaging and CATV Emergency Alert System (EAS). Governmental Emergency Telecommunications Service (GETS) and Wireless Priority Service (WPS) initiated to ensure emergency communications. (E) Redundant voice server and carrier facilities provisioned serving NDSU and NDSCS.

Information Technology

©2011 LarsonAllen LLP

26

Enterprise-Wide Risk Assessment | North Dakota State University

Functional Risk Area / Process Ranking
Low

Identified Risk
Several students were inappropriately suspended at NDSU due to incorrect academic reporting from PeopleSoft, specifically issues with reporting for students taking repeat courses. However, multiple new end-of-term processes have been put into place to identify future instances of this problem.

Proposed Recommendations
Team with Connect ND to review the current change management process specific to PeopleSoft reports to determine if adequate policies and procedures are in place to test and approve changes to reports.

Institution Response
PeopleSoft is administered by NDUS System Information Technology Services (SITS) with the Data Center services located at UND. A response to the identified risk will need to be formulated by SITS. NDSU's IT Division is not involved in the operation or support of PeopleSoft. Reviews of PeopleSoft/Oracle processes and reports are a continual process undertaken by NDUS/ConnectND business analysts and campus staff. While upgrades, patches and bundles may continue to impact functionality of such processes and reports, this particular issue has been resolved by and for NDSU. Additionally, multiple new end-of-term processes have been put into place to identify future instances of this problem at NDSU, promptly correct them should they occur, and properly adjust student records prior to coding records and notifying students of their academic standing. As a result of these additional processes and checks/balances, this is no longer a risk for North Dakota State University.

Information Technology

©2011 LarsonAllen LLP

27

Enterprise-Wide Risk Assessment | North Dakota State University

Functional Risk Area / Process Ranking
High

Identified Risk
Remodeling and technology upgrades are needed for the library to better accommodate student learning.

Proposed Recommendations
Continue to prioritize capital projects, renovations, and maintenance needs across campus to determine if the library is a priority in the next fiscal year’s budget.

Institution Response
NDSU has a comprehensive facilities master plan. Through this plan, projects are ranked and prioritized for inclusion in the overall budget submitted to the SBHE and, if approved, to the ND Legislature for consideration of funding.    The bookstore at CityScapes downtown location has been closed. All bookstore operations have been limited to the main store in the Memorial Union and one downtown location in Barry Hall.  NDSU currently exhibits the lowest administrative ratio of all system institutions, and staffing is suboptimal in virtually all areas. Identified risk is so pervasive that an assessment would not seem productive in any practical sense.

Operations & Auxiliary Services

Low

There are concerns related to the profitability of the two bookstores located off campus.

Review the profitability of bookstores located off campus to determine whether the bookstores should continue to operate, including lease commitments, divergence risks, lost revenue, etc. Perform an assessment to determine how resources are being utilized across all functional areas, tracking of hours worked, efficiencies that could be gained, etc.

Faculty & Staff

Moderate Overall employee work load is a concern. Most functional areas identified some level of personnel needs. In addition, there are concerns how resources are being utilized across the institution, what functional areas are significantly lacking resources, and what resources could be realigned to even workloads. Moderate There is a lack of trust and partnership between staff and faculty and between functional departments. There are concerns that this affects the overall culture of the university and student experience.

Perform an assessment of the overall culture of the university, specifically the interaction between staff and faculty and between functional departments to identify where trust and partnership may be lacking and specific reasons.

NDSU believes that this is an artifact of previous campus tension/administration. Current mood and morale on campus is considerably changed and appears to be quite positive.

©2011 LarsonAllen LLP

28

Enterprise-Wide Risk Assessment | North Dakota State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Functional areas should evaluate where it is most critical to cross train employees. Develop an action plan to cross train where necessary. No proposed recommendation.

Institution Response
Where necessary, NDSU will continue to cross train employees.

Moderate Lack of cross training for most positions within the institution.

Moderate Faculty & Staff

The economy has had an impact on the ability to attract faculty and staff for open positions. People are not able to sell their homes and move to the area; therefore, positions cannot be accepted. There has been a high turnover rate in key leadership positions in the last several years and there may continue to be more in the future. A significant number of faculties do not submit their book/material requests to the bookstore timely, resulting in the bookstore not being able to provide books/materials timely to students, keep costs effective and affordable (i.e. ability to buy used books), and possibly cause the institution to be in violation of the HEOA.

Low

No proposed recommendation.

Turnover is noted but has been planned or anticipated, and purposefully executed.

Low

Continue to educate faculty about the importance of submitting book and material requests timely. In addition, identify alternative methods of communication and education.

Student Financial Processing

Bookstore staff members meet with academic departments to discuss bookstore services and merchandise, including the importance of and process for completing book orders in a timely fashion. In addition to the notices and reminders sent to individual faculty, the director utilizes the faculty bookstore advisory group to get word out and educate about HEOA compliance and book orders. The deadlines for submitting textbook orders coincide with the dates students are able to register for the upcoming term (late March for the fall term). Approximately 50-60% of orders are received by the original deadline. One month prior to the start of the term, approximately 94% of orders have been placed, and 99% of materials are on the shelves before the first day of the semester.

©2011 LarsonAllen LLP

29

Enterprise-Wide Risk Assessment | North Dakota State University

Functional Risk Area / Process Ranking
Low

Identified Risk

Proposed Recommendations

Institution Response
When orders are placed after the original deadline, the opportunity for the Bookstore to offer used books (at a lower cost) is reduced. In an attempt to compensate for this, the Bookstore has added a textbook rental program for some courses, making the cost of textbooks more affordable. It should be noted that there are often times very legitimate reasons for orders to be late or materials not available at the start of the term. For example, classes added only a few days prior to the start of the semester, publisher delays on new editions, or shipping problems. Student Affairs will continue to collaborate with Academic Affairs to enhance this process.

Student Financial Processing

©2011 LarsonAllen LLP

30

Enterprise-Wide Risk Assessment | North Dakota State University

Appendix
Impact Criteria
IMPACT CRITERIA
FINANCIAL (1) Asset size (2) Prior negative exposure (3) Rapidly increasing transaction volume STAKEHOLDER (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns REPUTATION (1) Potential adverse issues are known to external parties, such as media and regulatory bodies LEGAL / REGULATORY (1) Any Federal/ State/Other action (2) External Audit reportable conditions OPERATIONS (1) Current infrastructure cannot support business strategy

HIGH

MEDIUM

(1) Asset size (2) Major potential cost (3) Transaction volume stable

LOW

(1) Asset size (2) Minor potential cost (3) Transaction volume stable

(1) Management, employees and faculty may be affected by process inefficiencies or control breakdown (1) No management, employees and faculty are affected by process inefficiencies or control breakdown

(1) Potential adverse issues could impact customers

(1) Issues identified by Federal/State/ Other (2) Issues identified by External Audit (1) No issues identified by Federal/State/ Other (2) No issues identified by External Audit

(1) Current infrastructure is able to support business strategy with work arounds (1) Current infrastructure is able to support business strategy

(1) Potential adverse issues could impact employees

Vulnerability Criteria
VULNERABILITY CRITERIA
CONTROL EFFECTIVENESS AND EFFICIENCY SPEED OF RESPONSE COMPLEXITY PEOPLE OPERATIONAL EFFICIENCY SYSTEM CAPABILITY RATE OF CHANGE

Controls are not working or do not exist.

HIGH

No method for anticipating and accessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.

Manual processes with many data transfer points and owners

MEDIUM

Controls are detective but not preventative and there may or may not be effective reporting.

A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.

Automated process encompassing multiple systems and owners.

A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists. A limited number of staff and/or staff has moderate competency to manage risk event.

High/unmeasure d cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.

Systems are not operating as designed or design is flawed; very limited controls

Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.

Systems are operating as designed, but design can be improved; controls are bolted on top of the system.

LOW

Controls are appropriately preventive and detective and there is effective reporting.

A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.

Automated processes with integrated systems.

Most staff has high competency to manage risk events.

Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.

Systems are designed, implemented, and operating effectively; controls are embedded in the system.

Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months. Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months. Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.

©2011 LarsonAllen LLP

31

University of North Dakota Risk Assessment Results
October 14, 2011

Craig W. Popenhagen, CPA Principal 612/397-3087 cpopenhagen@larsonallen.com

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | University of North Dakota

220 South Sixth Street, Suite 300 Minneapolis, MN 55402-1436 612-376-4500, Fax 612-376-4850

October 14, 2011 Dr. Robert Kelly University of North Dakota 264 Centennial Drive Stop 8193 300 Twamley Hall Grand Forks, ND 58202-8364 Dr. Robert Kelly, This report provides you, the University of North Dakota (UND) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board’s acceptable risk level. LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided. In addition, the procedures performed by LarsonAllen are not a substitution for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide University of North Dakota with insight to inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project. We appreciate the opportunity to assist University of North Dakota. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance. Sincerely, LarsonAllen LLP

Craig W. Popenhagen, CPA Principal 612/397-3087 cpopenhagen@larsonallen.com

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | University of North Dakota

Table of Contents
Executive Summary
What is Risk Assessment? Risk Assessment Methodology


1  1 

Project Overview
Objectives and Scope Approach


4  4 

Risk Assessment Results
Enterprise-Wide Risk Map Detailed Results


6  7 

Appendix
Impact Criteria Vulnerability Criteria

21 
21  21 

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | University of North Dakota

Executive Summary
LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for the University of North Dakota. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically. Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical representation of the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Detailed results are also provided communicating the explanation for the risk ranking and recommendations for addressing the risks.

What is Risk Assessment?
Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution whether it is entity or process level.  Entity level is the cornerstone for effective control and its objectives provide guidance on what the entity wants to achieve. It should be consistent with budget, strategy, and business plans.  Process level should align with entity level objectives but differ in that they relate directly to goal setting with specific targets and deadlines. It provides guidance for management focus.

Risk Assessment Methodology
The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for the University of North Dakota.

©2011 LarsonAllen LLP

1

Enterprise-Wide Risk Assessment | University of North Dakota

Understand the Client’s Business: We begin by understanding the North Dakota University System’s (the System) business by gathering the business objectives, goals, and strategies and identify the System’s various universities and colleges in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry. Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of an institution to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken in the form of missed opportunities. There are six types of risks:  Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the institution’s inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the institution’s reputation.  Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.  Operational: The risk that the institutions operational processes are not achieving the objectives they were designed for to support the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.  Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.  Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the institution and the availability and quality of information the institution can access to support decision making, and the security of key information.  Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships. Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.

©2011 LarsonAllen LLP

2

Enterprise-Wide Risk Assessment | University of North Dakota

Areas of Focus               

Definitions Financial Stakeholder Reputation Legal / Regulatory Operations

Impact

Vulnerability

Control Efficiency & Operating Effectiveness Speed of Response Complexity People Operational Efficiency System Capability Rate of Change

Measurement Scale

High Risk Moderate Risk Low Risk

Execute Risk Assessment Approach: We begin by identifying various interview participants, including key risk owners and conduct interviews, as applicable. Key risks are gathered during this stage and results are ranked by defined impact and vulnerability criteria. Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then validated and shared with management, as appropriate. By prioritizing and validating risks, the University of North Dakota can align and prioritize its resources to manage and mitigate risks appropriately.

©2011 LarsonAllen LLP

3

Enterprise-Wide Risk Assessment | University of North Dakota

Project Overview
Objectives and Scope
The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at the University of North Dakota and assess the levels of risk within each of the process areas. In addition, provide Management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process. The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution: Functional Area / Process
Academic Affairs Athletics Campus Safety & Security Continuing Education Emergency Preparedness Environmental Health & Safety Financial Close & Reporting

Detailed Coverage of Functional Area / Process
On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance Building security, campus police/security Non-credit courses, community programs, workforce training, conference management Emergency preparedness and response procedures, business continuity, risk management Physical safety and soundness of campus buildings, environmental risks, facilities/classroom Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action Grant tracking and monitoring, accounting, budgeting, reporting, foundation, donor concentrations, foundation investment strategy Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk Social media, publications, web development, brand and logo, advertising channels Bookstore, libraries, food services Workforce training, competency, professional environment, conflict of interest Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services Student financial aid, tuition, enrollment fees, scholarships, funding, student loan processing
4

Governance

Grant Administration

Human Resources & Payroll Information Technology

Marketing / Communications Operations & Auxiliary Services Faculty & Staff Student Affairs Student Financial Processing

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | University of North Dakota

Approach
With the assistance of University of North Dakota management, LarsonAllen identified 25 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area. Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).

©2011 LarsonAllen LLP

5

Enterprise-Wide Risk Assessment | University of North Dakota

Risk Assessment Results
Enterprise-Wide Risk Map
The enterprise-wide risk map communicates the risk results at the functional area / process based on the information obtained during the interviews. The description of the risk map is as follows:    Green – Low Risk Yellow – Moderate Risk Red – High Risk

The following functional areas / processes are not on the above risk map as there were no risks identified by stakeholders, per the interview discussions:  Continuing education

©2011 LarsonAllen LLP

6

Enterprise-Wide Risk Assessment | University of North Dakota

Detailed Results
Per discussions with process owners, LarsonAllen identified several processes where specific risks may exist. These risks identified were considered in the overall risk ranking of each key financial, operational, and IT processes. The risks identified were based upon discussions with process owners and not based on actual testing of controls. The following is a list of the risks identified by LarsonAllen, in addition to the risk ranking and recommendations for addressing the risks. Functional Risk Area / Process Ranking Identified Risk Proposed Recommendations
Identify additional marketing opportunities to reach a broader group of potential students via networking with other colleges and universities within North Dakota, other Aerospace programs throughout the nation, etc.

Institution Response
Distinction needs to be made between flight instruction expenses (charged to Aviation students) and other instructional and research costs. Aerospace continues to aggressively pursue existing proven strategies as well as exploring new opportunities. Aerospace is model of responsible management of multiple revenue streams – state appropriations, grants and contracts, auxiliary enterprises, private and corporate gifts – to balance costs and revenues under varying economic conditions and to support new initiatives that enhance the academic programs. Aerospace currently does monitor compensation and benefits to benchmark and remain competitive. Multiple types of support for flight instructors are continually reviewed and updated to ensure that Aviation program has adequate staffing (quantity and quality) to meet all flight instruction demands. In the context of the revised SBHE Policy 340.2, this review will occur as the current Master Agreements are updated.

Moderate The Aerospace program receives less funding than other programs as funding is not proportional across all programs; therefore, there is a heavy reliance on revenue earned from student enrollment expenses related to the program (i.e. flight hours). If enrollment significantly decreased, the program would be at risk of meeting financial needs.

Academic Affairs Moderate Continuous changes within the aerospace industry could result in the Aerospace program not being able to retain an appropriate number of flight instructors. Continue to monitor compensation and benefits of the aerospace industry and benchmark against the Aerospace program to remain competitive. In addition, continue to pay for instructor’s multi-engine instrument (MEI), provided the instructors agree to stay at the university and teach for a year or more.

Moderate There is overlap in key management Perform an assessment to ensure there are no positions between the Aerospace conflict of interest issues that could potentially program and the Aerospace Foundation. arise.

©2011 LarsonAllen LLP

7

Enterprise-Wide Risk Assessment | University of North Dakota

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations

Institution Response

Moderate Concerns that foundations are potentially no longer supporting UND objectives or aligning with standards.

Identify specific objectives and standards that In the context of the revised SBHE Policy 340.2, UND feels are not being supported by this review will occur as the current Master foundations and communicate these specifics to Agreements are updated. the foundation to determine a future approach or strategy and potentially clarify misunderstandings. Identify specific topics that UND would like more visibility to as it relates to the operations, compliance, reporting, accountability, and safety of the Aerospace and Research Foundations. In addition, UND and the Foundations should work together so UND can gain further clarification on these topics. No proposed recommendation. In the context of the revised SBHE Policy 340.2, this review will occur as the current Master Agreements are updated.

Academic Affairs

Moderate Visibility to the overall operations, compliance, reporting, accountability, and safety of the Aerospace and Research Foundations.

Low

Affiliated organizations operate independently with minimal oversight from the institution.

Moderate Concerns related to the visibility of where fund raising revenue is derived from to more accurately report on estimated budgeting and forecasting processes. Athletics Moderate Relationship between UND Marketing Group and the Ralph Engelstad Arena related to the sales of athletic merchandise.

Internal controls should be reviewed to identify potential improvements related to the validity of fund raising revenue and budgeting and forecasting processes.

UND Foundation has implemented business intelligence software to provide real-time information about availability of private gift revenue for support of all campus activities. Fundraising targets are set each year, with periodic updates (now quarterly) on progress toward targets. Discussion of this issue will be included as the Usage Agreement for FY12 and beyond is negotiated.

Identify opportunities to incorporate UND into the Ralph Engelstad Arena marketing and sales strategy.

©2011 LarsonAllen LLP

8

Enterprise-Wide Risk Assessment | University of North Dakota

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
General Counsel and UND stakeholders should review existing contracts with relevant venues to determine how revenue and expenses can be better realigned to increase profitability. This includes, but not limited to, ticket sales, concession sales, and sponsorship and marketing. Review current policies related to open/close times for individual campus buildings. Buildings should only remain unlocked based on operational needs with appropriate security. Require staff and faculty to wear badges. In addition, perform a cost/benefit analysis to determine if implementing an electronic key access system would be appropriate.

Institution Response
Discussion of this issue will occur as the renewals of various agreements are put in place. General Counsel (and others) is already part of the process. It is important to note that “profitability” for UND is one of many factors that must be considered in the negotiation process and which must be balanced in the resulting agreement. In October 2010, UND hired an Emergency Preparedness Specialist reporting to the Vice President for Finance and Operations. In June 2011, reorganization was implemented to bring emergency preparedness together with safety/environmental health/risk management etc. A number of operational changes are under discussion, a building risk review is being piloted, selective implementation of electronic access is occurring and changes to the Communications Center operations are being implemented to create greater depth and capacity.

Athletics

Moderate Revenue and expenses proposed in venue contracts utilized by UND should be better aligned to increase profitability.

High

Physical security of buildings. The campus is an open community and badges are not required to be worn by staff and faculty. In addition, if there was an emergency, most buildings could not be secured.

Campus Safety & Security

Moderate Concerns that the staff size at the communications center during off-peak hours should be increased.

Assess the need for additional security officers / In October 2010, UND hired an Emergency resources at the communications center during Preparedness Specialist reporting to the Vice off-peak hours. President for Finance and Operations. In June 2011, reorganization was implemented to bring emergency preparedness together with safety/environmental health/risk management etc. A number of operational changes are under discussion, a building risk review is being piloted, selective implementation of electronic access is occurring and changes to the Communications Center operations are being implemented to create greater depth and capacity.

©2011 LarsonAllen LLP

9

Enterprise-Wide Risk Assessment | University of North Dakota

Functional Risk Area / Process Ranking
Low

Identified Risk
The scope of background and health checks on students and employees is potentially too narrow.

Proposed Recommendations
Review current policies and procedures to determine the current scope of background and health checks and evaluate whether the current scope is appropriate. Background and health checks should include, but is not limited to, criminal, health, previous employment, previous school enrollment, and financial stability.

Institution Response
Federal and state law and NDUS policies are followed, including recognition of privacy constraints and legal prohibitions against asking for information unrelated to employee or student performance.

Campus Safety & Security

Moderate No formal policy and procedures related Develop a formal business continuity plan. to business continuity.

Emergency Preparedness Moderate Increased racial and ethnic diversity of student base. Continually monitor and assess changes in diversity within the existing and future student body. Understand and educate faculty, staff, and students on the importance of diversity at UND. Continually monitor the overall safety and soundness of all buildings on campus to identify the potential need for improvements.

Templates for both a Continuity of Operations Plan and Business Continuity Plans (unit level) have been drafted. An initial information session has been given and additional steps in the rollout are planned. It is anticipated that the full plan development will take up to a year with regular review/revisions to follow. UND has created presidential-level Diversity Advisory Council to fulfill this responsibility.

Environmental Health & Safety

Low

Safety and soundness of campus facilities.

©2011 LarsonAllen LLP

10

Enterprise-Wide Risk Assessment | University of North Dakota

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
The Finance group should work with the IT group to determine whether PeopleSoft is being utilized to its full capabilities as it relates to capital projects. In addition, discuss more effective and efficient reporting opportunities that could be implemented. Review and update the existing conflict of interest policy to clearly define appropriate vendor relationships and determine if changes should be made to the policy. In addition, the vendor master file should be reviewed on a timely basis to identify conflicts of interest. Review current UND policies and procedures to identify where additional documents should be created. Develop consistent procedures to communicate and implement new policies and procedures (including updates) and require a review and approval process to be followed. In addition, continue to perform internal audits addressing compliance with policies and procedures.

Institution Response
Initial focus has been on review of statute and policy (both UND and NDUS) to address issues raised in the Performance Audit. Discussion of tools/reporting capabilities must occur in the context of these requirements.

Moderate Efficiency of tracking and visibility of capital projects. In addition, the reporting structure in PeopleSoft should be improved as it relates to capital projects. Financial Close & Reporting Low Current relationships with vendors could potentially be a conflict of interest.

High

Comprehensive UND policies and procedures are not in place, lack of consistent communication to roll out new policies and procedures, make updates to existing, and implement consistently across the institution. In addition, there is not a consistent process to review policies and procedures on an ongoing basis once they are developed.

Governance Moderate Policies are implemented and/or changed at the university level specifically related to certain programs/schools; however, the new policies and/or changes to policies are not always communicated with the end users working in the schools/programs.

In September 2010 a Special Projects Assistant was hired reporting to the Vice President for Finance and Operations. This was not a new position but had been vacant for several months. An institutional policy review was performed to identify areas where required policies did not exist or needed updating. A policy development and review process is being piloted within Finance and Operations for possible use across all divisions. This process includes a campus-wide comment period for proposed policies or material changes.

Identify a consistent process to develop new See response for prior risk. policies and/or make changes to existing policies that includes involving appropriate end users within various schools, programs, departments, etc. to determine if the new policy or change to a policy appears appropriate and to obtain feedback from the personnel who the policy will be applicable to.

©2011 LarsonAllen LLP

11

Enterprise-Wide Risk Assessment | University of North Dakota

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Assess whether restricted shared drives are in place to restrict access to information based on job responsibilities. Once shared drives are restricted, the Internal Audit group should maintain all of their department’s final documents on the server to enhance the protection of information and ensure the information is backed up and will not be lost. Consider changing the direct reporting structure for the Director of Internal Audit to the Budget, Audit, and Finance Committee with a dotted line to the President.

Institution Response
UND will assess whether restricted shared drives are in place to appropriately restrict access to information.

Moderate Internal audit documents utilized for audits, work papers, supporting documentation, reports, etc. is not backed-up on the server. All documents are backed-up periodically on a USB portable drive.

Governance

Moderate The Director of Internal Audit communicates with the Budget, Audit, and Finance Committee on an ongoing basis; however, reports directly to the President (i.e. President provides performance evaluations, wage adjustments, etc.), resulting in potential independence issues.

In depth discussions were held at the Chancellor’s Cabinet and at the Budget, Audit and Finance Committee (BAFC) level resulting in a decision that reporting to the Institution’s President was the best fit. The Internal Auditor continues to report to the BAFC on the annual audit plan, progress report for the plan and any significant findings for which corrective action has not been fully implemented. The Internal Auditor is also available to conduct special examinations and reviews at the request of BAFC. Over the past 5 years, the IT Security Officer has performed a number of security assessments of critical servers/applications. Discussion of this process will be initiated and consideration given to revising the process.

Moderate The Information Technology department is not included in the annual risk assessment performed by the Internal Audit group. New applications across the institution are identified and addressed in the risk criteria, but responsibilities of the Information Technology group including the network, servers, operating system, helpdesk, etc. and the security administration, change management, and operations processes surrounding these areas are not addressed.

The Information Technology department should be included in the annual risk assessment and inherent and/or specific risks should be identified to determine if an internal audit is warranted related to the responsibilities and processes performed by the Information Technology department.

©2011 LarsonAllen LLP

12

Enterprise-Wide Risk Assessment | University of North Dakota

Functional Risk Area / Process Ranking
Moderate

Identified Risk
Processes to prioritize and make changes within PeopleSoft are governed by Connect ND. Prioritization and decision making is not clearly defined and does not always involve UND when the institution feels it is necessary. UND staff and faculty are users of PeopleSoft and are significantly affected by changes. Development of reports and queries in PeopleSoft to extract information and data to meet and report on mandatory federal regulation requirements are not implemented timely by Connect ND causing UND to develop interim processes to enable timely reporting. Additional template contracts should be drafted and utilized and there is not a clear definition related to who can enter into a contract.

Proposed Recommendations
Team with the System office and Connect ND to determine if current policies and procedures to prioritize and make changes to PeopleSoft should be more clearly defined and if involvement of the institutions is appropriate.

Institution Response
UND will initiate this discussion.

Moderate

Governance Moderate

Team with the System office and Connect ND to identify potential obstacles that are restricting Connect ND from developing reports/queries timely to allow for UND to report on mandatory federal regulation requirements without developing interim processes. Assess where additional template contracts could be drafted and utilized across the various departments and programs to reduce potential liability and exposure. In addition, perform an internal audit focusing on compliance of parties entering into contracts, threshold approval levels, etc. Develop a policy and related procedures to address intellectual property. Establish communication lines to ensure applicable personnel are receiving new policies and procedures or updates to existing and are able to interpret and implement properly.

UND will initiate this discussion.

The University will continue to put in place templates where regularity and volume indicate a benefit in doing so. The University is also in the process of completing a signature authority policy.

Moderate

Concerns related to intellectual property, such as research, export controls, etc. and if appropriate procedures are in place to reduce and address such risk.

The University Senate approved a revised IP Policy in May 2011 and it was signed by the President. Implementation is in process and further information will be provided to the campus. A consultant performed a review of export controls in May 2011 and consideration of how to implement the recommendations is in process.

©2011 LarsonAllen LLP

13

Enterprise-Wide Risk Assessment | University of North Dakota

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations

Institution Response

Moderate There is no Compliance Officer or compliance function to oversee the various regulations the institution is required to comply with such as PCI, HIPAA, FERPA, HEOA, etc. and assist in proactively understanding requirements. Moderate Concerns that contract terms and conditions related to liability are not consistently being reviewed. Low Governance A Quality Assessment Review of the Internal Audit Department has never been performed by a third party. The Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing (specifically 1312 – External Assessments) states that an external assessment must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. Internal audit reports and specific audit findings are not ranked to differentiate the level of risk.

Perform a cost/benefit analysis to determine if a Responsibility for various compliances is compliance function should be developed currently divided among several departments. within UND to monitor and communicate Consideration will be given to alternative models. compliance requirements. In addition, assess whether the existing Internal Audit group has the skills necessary and resource capacity to assist with the communication of compliance requirements. All contracts, including terms and conditions, should be reviewed. Perform a cost/benefit analysis to determine if a third party should be engaged to perform an external assessment of the Internal Audit Department. We will seek further detail on this issue to understand what is not being reviewed that needs to be.

Low

Develop an internal audit report and audit finding ranking methodology that has clearly defined ranking criteria to differentiate between the level of risk associated with each report and audit finding.

©2011 LarsonAllen LLP

14

Enterprise-Wide Risk Assessment | University of North Dakota

Functional Risk Area / Process Ranking
Low Governance High

Identified Risk
Concerns related to the overall awareness of the whistleblower hotline. Congress is discussing making cuts related to earmarked dollars critical to research. Concerns related to effort reporting. Policies and procedures are not in place and there is not a tool to track reporting.

Proposed Recommendations
Human Resources should identify additional opportunities (posters, intranet, etc.) to better advertise the whistleblower hotline. No proposed recommendation.

Institution Response

High Grant Administration

Develop and implement a policy and related procedures related to effort reporting. In addition, perform a cost/benefit analysis to determine if a tool should be purchased and utilized for effort reporting.

Policies and procedures related to effort reporting have been developed and vetted within the UND campus. Once put in final format, these will be presented to the President for approval and implemented. NDUS (ConnectND) is in the process of developing a RFP for an effort reporting solution. The timeline is not yet determined. The University of North Dakota is a member of the North Dakota University System (NDUS), which administers the Human Resource Management System (HRMS). Any improvements to efficiencies that are made to HRMS must be approved by a majority of the campuses in the NDUS, prioritized by the HRMS team and completed according to their time schedule. UND has always been a strong supporter of automating the Payroll process and is currently serving on a NDUS subcommittee to implement workflow for Payroll process within the next year.

Human Resources & Payroll

Moderate Payroll processes are very manual (i.e. Excel spreadsheets are used to calculate and approve sick and vacation time, manual time cards are utilized in several instances, PeopleSoft is manually updated, etc.).

Payroll should work with the Information Technology group to determine if there are additional processes that could be automated in PeopleSoft, automated workflow tools that exist and/or could be utilized, and perform a cost/benefit analysis to determine if additional software should be purchased (if needed) to automate additional manual processes.

©2011 LarsonAllen LLP

15

Enterprise-Wide Risk Assessment | University of North Dakota

Functional Risk Area / Process Ranking
Low Human Resources & Payroll

Identified Risk
Concerns related to employee retention.

Proposed Recommendations
Human Resources should perform an assessment to determine what employees enjoy most and least about their jobs. In addition, evaluate exit interview documentation and questionnaire results (if applicable) to determine if there is a consistent theme(s) related to why employees leave the university. Perform a cost/benefit analysis to determine where the infrastructure could be maintained and still be within reasonable cost/budget.

Institution Response

High

IT infrastructure is maintained underground, including the data center.

Funding was appropriated for the 2011-13 biennium to construct a data center for the NDUS to house this infrastructure. Planning is in process under the guidance of a NDUS level steering committee. A Disaster Recovery Infrastructure System proposal was developed and submitted to the NDUS for consideration. It has not yet been approved. Thus, a formal plan does not exist. However, a disaster recovery/business continuity plan does exist for Campus Solutions. UND will initiate further discussion.

High Information Technology

No formal disaster recovery plan.

Develop a formal disaster recovery plan. This would include, but is not limited to:  Risk exposures  Recovery team responsibilities  First response process and procedures  Functional assessment process  Asset protection  Communications approach  System recovery timeframes  Maintenance and testing  Training

©2011 LarsonAllen LLP

16

Enterprise-Wide Risk Assessment | University of North Dakota

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
A current state assessment should be performed for all functional areas that are concerned PeopleSoft is not being utilized to its full capabilities and/or several manual workarounds have been created outside of systems, etc. Identify future state improvement opportunities and perform re-engineering of processes. Cost/benefit analyses should be performed to determine if additional modules should be purchased within PeopleSoft, automated workflows implemented, etc. Identify all systems that are currently being utilized outside of PeopleSoft in the various schools/programs. Perform a review of the internal controls in place to monitor whether financial information is uploaded completely and accurately to PeopleSoft to allow for accurate reporting. Identify current reporting in PeopleSoft that are not effective and efficient. Utilize appropriate resources to determine if current reports could be enhanced, new reports developed, etc. to obtain the information needed and in the appropriate format for reporting. Team with the System office and Connect ND to stay abreast the process to facilitate and collect input from the institutions in the development of the data warehouse and suggest changes to the process if UND does not feel adequate input is being collected from the institutions.

Institution Response
Opportunities to improve functionality of PeopleSoft are routinely identified and requested by UND. UND will initiate further discussion.

Moderate PeopleSoft is not being utilized to its full capabilities. Internally developed software is being utilized where PeopleSoft could potentially be leveraged and manual work-arounds have been created outside of PeopleSoft and other systems.

Moderate Various schools/programs maintain their own business systems with financial information uploaded to PeopleSoft on a periodic basis. Information Technology Moderate User reports generated from PeopleSoft could be more effective and efficient. Gathering data and information quickly requested by senior leadership, the state, etc. is a challenge.

Processes are already in place to insure the integrity of data uploaded into PeopleSoft. These will be reviewed.

This has been an ongoing effort since the PeopleSoft implementation.

Moderate Development of the data warehouse is managed by Connect ND and there are concerns that UND input will not be obtained and utilized throughout the development process.

UND will initiate this discussion.

©2011 LarsonAllen LLP

17

Enterprise-Wide Risk Assessment | University of North Dakota

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations

Institution Response

Moderate The IT function is not consistently approving service level agreements (SLAs). Information Technology Low The UND helpdesk is shared with NDSU and results in inefficiencies and call forward discrepancies.

The IT function should develop procedures or UND will initiate this discussion. scrutinize against existing procedures to require SLA approval prior to receiving services. In addition, monitoring controls should be in place to ensure approved individuals are executing contracts. Develop a centralized helpdesk function to gain efficiencies. Helpdesk function has been reorganized so that there is clarity about the types of assistance that can be sought from campus resources and from the outsourced contract relationship created by NDUS. This planning activity was initiated several months ago consistent with SBHE directive to retire the name and logo. In April 2011 a law was signed prohibiting the retirement. Subsequent SBHE action put all planning on hold. Recent SBHE action has provided approval to restart the planning process. Approval for retirement of the name and logo cannot occur until the existing law is changed or repealed.

High

Potential reputation impact and loss of fan base when UND changes the Fighting Sioux name and logo.

A comprehensive committee (i.e. staff, students, and faculty) should be established to identify and evaluate potential name and logo considerations.

Marketing & Communications

Low

Staying abreast on new and current marketing trends to reach students.

Continue to identify additional ways to stay abreast with new and current marketing trends to reach students. Funding needs as identified by the library have been considered each year for the past several years as part of the annual budget process. This has resulted in supplemental allocations to the extent possible. Consideration is underway to identify additional revenue streams to provide predictable funding for subscriptions and online research licenses.

Operations & Auxiliary Services

Moderate Funding concerns related to the libraries Funding to maintain adequate subscriptions and ability to maintain and increase licenses should be assessed and communicated subscriptions and licensing to in the budgeting process. adequately meet student and faculty needs.

©2011 LarsonAllen LLP

18

Enterprise-Wide Risk Assessment | University of North Dakota

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Perform an assessment to determine if fees and rates are appropriate and establish procedures to ensure they are revisited on an ongoing basis. In addition, evaluate marketing techniques utilized to advertise these services and determine if improvements could be made. A cost/benefit analysis should be performed to identify what improvements need to be made related to technology, resources, and space to better accommodate student learning. Continue to evaluate security and safety with mail. Perform an internal audit focused on compliance with postal/government regulations.

Institution Response
During the annual budget process, self-supporting entities are instructed to engage in a review of revenue projections, rates and expenditures. Further guidance will be provided as part of the FY13 budgeting process.

Moderate Certain auxiliary services that are not core to the institution are a financial liability and do not receive funding. All revenue is generated based on operations. Divergence of risk related to proper procedures and reporting if operations close. Low Operations & Auxiliary Services Remodeling and technology upgrades needed for the library to better accommodate student learning. Security and safety of mail in the UND post office.

Low

Low

Public use of the auditorium has Continue to identify additional ways to market decreased due to the economy; therefore and advertise the public use options of the revenue from operations has decreased. auditorium. The Director of Libraries is not currently a member of the Academic Council. Assess the need to add the Director of Libraries to the Academic Council. Functional areas should evaluate where it is most critical to implement a succession plan and take steps to implementing where needed. No proposed recommendation. Human Resources will review this area to identify tools/information that can inform planning at the unit level.

Low

Moderate Lack of succession planning for most positions within the institution. Faculty & Staff Moderate There has been a high turnover rate in key leadership positions in the last several years.

©2011 LarsonAllen LLP

19

Enterprise-Wide Risk Assessment | University of North Dakota

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Functional areas should work with HR to assist in identifying training opportunities applicable to their area, identify trainings that could be facilitated internally, document a personal training growth plan in performance reviews and goals documentation, etc. Perform an assessment to determine how resources are being utilized across all functional areas, tracking of hours worked, efficiencies that could be gained, etc. An assessment should be performed to determine if there is lack of time spent on student development and living and identify specifically where it appears to be lacking. Develop a plan to focus on those areas identified. Continue to perform appropriate research and benchmarking to ensure UND tuition prices are competitive and in line with other colleges and universities. Perform an assessment to determine if it makes good business sense to keep Financial Aid under Student Affairs or move under Finance and Operations, have the group be selfgoverned, or another option.

Institution Response
HR is taking the lead on discussions in this area.

Moderate Ability to stay current with training to perform at an optimal level. UND currently does not require leadership training or ongoing learning for key stakeholders within the institution. Faculty & Staff Low Concerned how resources are being utilized across the institution, what functional areas are significantly lacking resources, and what resources could be realigned to even workloads. There is a concern that not enough time is spent on student development and student living.

Low Student Affairs

Low

Keeping costs effective and affordable for students.

Student Financial Processing

Low

Concerned that the Financial Aid Department is managed under Student Affairs.

©2011 LarsonAllen LLP

20

Enterprise-Wide Risk Assessment | University of North Dakota

Appendix
Impact Criteria
IMPACT CRITERIA
FINANCIAL (1) Asset size (2) Prior negative exposure (3) Rapidly increasing transaction volume STAKEHOLDER (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns REPUTATION (1) Potential adverse issues are known to external parties, such as media and regulatory bodies LEGAL / REGULATORY (1) Any Federal/ State/Other action (2) External Audit reportable conditions OPERATIONS (1) Current infrastructure cannot support business strategy

HIGH

MEDIUM

(1) Asset size (2) Major potential cost (3) Transaction volume stable

LOW

(1) Asset size (2) Minor potential cost (3) Transaction volume stable

(1) Management, employees and faculty may be affected by process inefficiencies or control breakdown (1) No management, employees and faculty are affected by process inefficiencies or control breakdown

(1) Potential adverse issues could impact customers

(1) Issues identified by Federal/State/ Other (2) Issues identified by External Audit (1) No issues identified by Federal/State/ Other (2) No issues identified by External Audit

(1) Current infrastructure is able to support business strategy with work arounds (1) Current infrastructure is able to support business strategy

(1) Potential adverse issues could impact employees

Vulnerability Criteria
VULNERABILITY CRITERIA
CONTROL EFFECTIVENESS AND EFFICIENCY SPEED OF RESPONSE COMPLEXITY PEOPLE OPERATIONAL EFFICIENCY SYSTEM CAPABILITY RATE OF CHANGE

Controls are not working or do not exist.

HIGH

No method for anticipating and accessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.

Manual processes with many data transfer points and owners

MEDIUM

Controls are detective but not preventative and there may or may not be effective reporting.

A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.

Automated process encompassing multiple systems and owners.

A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists. A limited number of staff and/or staff has moderate competency to manage risk event.

High/unmeasure d cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.

Systems are not operating as designed or design is flawed; very limited controls

Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.

Systems are operating as designed, but design can be improved; controls are bolted on top of the system.

LOW

Controls are appropriately preventive and detective and there is effective reporting.

A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.

Automated processes with integrated systems.

Most staff has high competency to manage risk events.

Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.

Systems are designed, implemented, and operating effectively; controls are embedded in the system.

Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months. Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months. Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.

©2011 LarsonAllen LLP

21

Valley City State University Risk Assessment Results
October 14, 2011

Craig W. Popenhagen, CPA Principal 612/397-3087 cpopenhagen@larsonallen.com

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Valley City State University

220 South Sixth Street, Suite 300 Minneapolis, MN 55402-1436 612-376-4500, Fax 612-376-4850

October 14, 2011

Dr. Steven Shirley Valley City State University 101 College Street SW Valley City, ND 58072 Dr. Shirley, This report provides you, Valley City State University (VCSU) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board’s acceptable risk level. LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided. In addition, the procedures performed by LarsonAllen are not a substitution for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide Valley City State University with insight to inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project. We appreciate the opportunity to assist Valley City State University. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance. Sincerely, LarsonAllen LLP

Craig W. Popenhagen, CPA Principal 612/397-3087 cpopenhagen@larsonallen.com

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Valley City State University

Table of Contents
Executive Summary
What is Risk Assessment? Risk Assessment Methodology


1  1 

Project Overview
Objectives and Scope Approach


4  4 

Risk Assessment Results
Enterprise-Wide Risk Map Detailed Results


6  6 

Appendix
Impact Criteria Vulnerability Criteria

23 
23  23 

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Valley City State University

Executive Summary
LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for Valley City State University. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically. Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical representation of the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Detailed results are also provided communicating the explanation for the risk ranking and recommendations for addressing the risks.

What is Risk Assessment?
Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution whether it is entity or process level.  Entity level is the cornerstone for effective control and its objectives provide guidance on what the entity wants to achieve. It should be consistent with budget, strategy, and business plans.  Process level should align with entity level objectives but differ in that they relate directly to goal setting with specific targets and deadlines. It provides guidance for management focus.

Risk Assessment Methodology
The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for Valley City State University.

©2011 LarsonAllen LLP

1

Enterprise-Wide Risk Assessment | Valley City State University

Understand the Client’s Business: We begin by understanding the North Dakota University System’s (the System) business by gathering the business objectives, goals, and strategies and identify the System’s various universities and colleges in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry. Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of an institution to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken in the form of missed opportunities. There are six types of risks:  Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the institution’s inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the institution’s reputation.  Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.  Operational: The risk that the institutions operational processes are not achieving the objectives they were designed for to support the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.  Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.  Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the institution and the availability and quality of information the institution can access to support decision making, and the security of key information.  Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships. Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.

©2011 LarsonAllen LLP

2

Enterprise-Wide Risk Assessment | Valley City State University

Areas of Focus               

Definitions Financial Stakeholder Reputation Legal / Regulatory Operations

Impact

Vulnerability

Control Efficiency & Operating Effectiveness Speed of Response Complexity People Operational Efficiency System Capability Rate of Change

Measurement Scale

High Risk Moderate Risk Low Risk

Execute Risk Assessment Approach: We begin by identifying various interview participants, including key risk owners and conduct interviews, as applicable. Key risks are gathered during this stage and results are ranked by defined impact and vulnerability criteria. Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then validated and shared with management, as appropriate. By prioritizing and validating risks, Valley City State University can align and prioritize its resources to manage and mitigate risks appropriately.

©2011 LarsonAllen LLP

3

Enterprise-Wide Risk Assessment | Valley City State University

Project Overview
Objectives and Scope
The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at Valley City State University and assess the levels of risk within each of the process areas. In addition, provide Management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process. The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution: Functional Area / Process
Academic Affairs Athletics Campus Safety & Security Continuing Education Emergency Preparedness Environmental Health & Safety Financial Close & Reporting

Detailed Coverage of Functional Area / Process
On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance Building security, campus police/security Non-credit courses, community programs, workforce training, conference management Emergency preparedness and response procedures, business continuity, risk management Physical safety and soundness of campus buildings, environmental risks, facilities/classroom Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action Grant tracking and monitoring, accounting, budgeting, reporting, foundation, donor concentrations, foundation investment strategy Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk Social media, publications, web development, brand and logo, advertising channels Bookstore, libraries, food services Workforce training, competency, professional environment, conflict of interest Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services Student financial aid, tuition, enrollment fees, scholarships, funding
4

Governance

Grant Administration

Human Resources & Payroll Information Technology

Marketing / Communications Operations & Auxiliary Services Faculty & Staff Student Affairs Student Financial Processing
©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Valley City State University

Approach
With the assistance of Valley City State University management, LarsonAllen identified 20 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area. Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).

©2011 LarsonAllen LLP

5

Enterprise-Wide Risk Assessment | Valley City State University

Risk Assessment Results
Enterprise-Wide Risk Map
The enterprise-wide risk map communicates the risk results at the functional area / process based on the information obtained during the interviews. The description of the risk map is as follows:    Green – Low Risk Yellow – Moderate Risk Red – High Risk

The following functional areas / processes are not on the above risk map as there were no risks identified by stakeholders, per the interview discussions:

Continuing education

©2011 LarsonAllen LLP

6

Enterprise-Wide Risk Assessment | Valley City State University

Detailed Results
Per discussions with process owners, LarsonAllen identified several processes where specific risks may exist. These risks identified were considered in the overall risk ranking of each key financial, operational, and IT processes. The risks identified were based upon discussions with process owners and not based on actual testing of controls. The following is a list of the risks identified by LarsonAllen, in addition to the risk ranking and recommendations for addressing the risks. Functional Risk Area / Process Ranking Identified Risk Proposed Recommendations
Faculty and staff should discuss the needs that the staff and students have for the faculty to report curriculum changes more timely. In addition, faculty should discuss the challenges they have reporting changes timely. Develop a go-forward approach or procedure to allow for more timely communication and to allow for students to be alerted timely.

Institution Response
We have not been able to identify a situation like this, and conclude it is likely an unusual occurrence. Curriculum changes follow a documented process and generally go into effect when the new catalog is published. Students have representation on the Curriculum Committee, as do faculty and staff. To increase communication of academic issues, the Campus Inter-functional Team added a reporting line to its agenda this spring, to afford the VPAA the opportunity to review any changes with CIFT. The Financial Aid office has identified a method of reporting non-attendance through ConnectND at midterm, and APAC has reviewed the Attendance Reporting policy and identified three points in the semester for reporting non-attendance. Building this requirement into the academic calendar should improve compliance, as faculty will be reminded and aware of their responsibility. This new process will be implemented Fall 2011.

Moderate Concerns related to faculty changing their curriculum and not communicating changes timely, sometimes resulting in a reduction of credits being offered for the class. Students are not always informed of the change timely and it affects whether a student is considered a full time or part time student, financial aid received, graduation dates, etc.

Academic Affairs Moderate Concerns that faculty are not adhering to the Participation Policy, specifically communicating students who are not attending class or participating to allow for academic counseling. Faculty and staff should discuss the importance of reporting lack of participation by students. In addition, faculty should discuss the challenges they have reporting lack of participation. Develop a go-forward approach or procedure to allow for compliance with the Participation Policy.

©2011 LarsonAllen LLP

7

Enterprise-Wide Risk Assessment | Valley City State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Develop policies and procedures specific to offering distance learning in other states to ensure federal requirements are being met and to determine if it makes good business sense to offer distance learning in various states based on student interest and fees.

Institution Response
The Assistant VP for Academic Affairs and her staff have taken on this responsibility; currently they are working with the NDUS to identify states that will develop state-by-state agreements; they are also contacting states where we have large populations of distance students to make certain we are in compliance with these states first. After determining the affordability of compliance in every state, the Asst. VPAA plans to meet with online faculty to assess which programs VCSU may want to restrict to particular states because of cost. New coordinator is being hired by DCB; contract will require more time spent on administrative duties. Individual will be expected to attend VCSU’s Campus Interfunctional Team meetings, Division Meetings, and provide monthly updates to the VPAA.

Moderate Meeting federal requirements for distance learning, specifically, procedures to follow for state level requirements when VCSU offers distance learning in other states, permissions needed, evidence and documentation to maintain, licensing fees, etc. In addition, determining if it is cost beneficial to offer distance learning in various states.

Low Academic Affairs

Lack of communication around the Bridges Program, specifically defining the program, procedures to be followed, and communicating which college is responsible for what procedures/tasks (i.e. VCSU vs. DCB). In addition, there are concerns that students are not getting the best experience possible due to the lack of communication between staff at VCSU and DCB. North Dakota graduation rates are declining and competition is high with other North Dakota colleges and universities to attract and retain students.

Work with DCB to develop and implement specific policies and procedures for the Bridges Program. In addition, ongoing meetings should occur between VCSU and DCB to enhance overall communication around the program and to clearly define and communicate responsibilities.

Low

Identify opportunities on how to reach out to a broader group of potential students. In addition, market studies should be performed on potential major and course offerings to improve enrollment.

Enrollment trends for Fall 2011 continue to go up, despite competition for a diminishing pool of ND HS graduates. Efforts with in-state articulations, grad program, and NDSU Elementary Ed program are all bringing in strong enrollments. In addition, targeted major development (Fish and Wildlife, Health Sciences, Music online) have increased enrollments significantly.

©2011 LarsonAllen LLP

8

Enterprise-Wide Risk Assessment | Valley City State University

Functional Risk Area / Process Ranking
Low

Identified Risk
Additional fund raising is needed to support current athletic programs.

Proposed Recommendations
Evaluate whether there are additional opportunities to perform fundraising activities. Develop a short and long term plan for fundraising ideas, how many events will take place annually, etc. In addition, assess whether the appropriate number of programs are in place or if the activity fees should be increased. Continue to communicate and train personnel on the existing data protection policy and the importance of protecting confidential information. Continue to assess the need and evaluate the current initiative to roll out an electronic key card system by fall 2011. In addition, review the current process to track and monitor issued keys, and determine if additional tracking measures should be implemented to strengthen the process and monitor access.

Institution Response

Athletics

Moderate Confidential information that should be shredded is maintained in unlocked designated recycling boxes under desks or other designated areas and is not shredded or safeguarded appropriately. Low Certain staff and faculty have master keys that provide access to buildings and/or offices/areas where they do not need access based on their job responsibilities. In addition, instances occur where keys are lost. Locks are not changed every time a key is lost which poses a risk of inappropriate access. There are also concerns related to the tracking and monitoring of issued keys, the access provided by the key(s), and if the access provided continues to be appropriate.

The items placed in the recycling bins do not contain confidential or exempt information. We are not aware of instances of confidential information being maintained in recycling boxes. VCSU purchased a software program in May 2010 for the purpose of tracking keys and key codes. Staff was trained, keys entered into the software and all keys held by employees were physically checked against the database information. The next step is to recover keys from individuals with unneeded access and issue keys that permit appropriate access. Mitigation efforts included surveillance cameras. VCSU more than doubled the number of security cameras in its inventory. By the end of summer 2011, cameras will be installed at all building entryways.

Campus Safety & Security

Low

Students who work the night or weekend shifts at the Student Center have keys to the building.

Assess whether it makes good business sense to have facilities / security lock and unlock buildings for night and weekend shifts and randomly patrol the premises.

Facility Services/Security staff do check doors and randomly patrol the premises. Only select front desk student managers have keys to the building. All student managers undergo full criminal background checks.

©2011 LarsonAllen LLP

9

Enterprise-Wide Risk Assessment | Valley City State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Identify additional ways to communicate emergency response procedures and provide training and testing that involves several areas across the institution.

Institution Response
Emergency response procedures are posted in buildings and provided to employees annually. The Emergency Notification System is tested campus wide at least once a semester. VCSU employs a fulltime office manager/safety coordinator. The coordinator is providing sufficient communication, training and posters and is expanding the already robust emergency preparedness materials on the safety website. In addition, the campus Loss Control Committee has very broad campus representation and attends to safety, risk management, and emergency preparedness activities and policies.

Moderate Lack of communication related to emergency response procedures and concerns that the involvement of training and testing of the procedures are not campus-wide.

Emergency Preparedness

Low

Concerns related to flooding and whether the right business continuity and disaster recovery plans are in place and if communication and training regarding the plans is sufficient.

Review the current business continuity and disaster recovery plans to assess whether the plans appear appropriate to address flooding concerns. In addition, determine whether all staff, faculty, and students have received sufficient training, communication, and specific procedures on what to do in the event of another flood incident. Continually monitor the overall safety and soundness of all buildings on campus to identify the potential need for improvements.

Low Environmental Health & Safety

Safety and soundness of campus facilities, specifically the age of buildings, ventilation issues, etc.

©2011 LarsonAllen LLP

10

Enterprise-Wide Risk Assessment | Valley City State University

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Perform a review of the responsibilities assigned to each individual in the business office to determine whether additional responsibilities could be segregated.

Institution Response
A review of position responsibilities is conducted every year per the audit schedule; we simply do not have the staff to provide the optimal segregation of duties desired without hampering our ability to provide the services necessary to conduct ordinary business. We will continue to be aware of this issue and the VPBA will continue to approve all transactions involving expenditure of funds. VCSU would welcome NDUS system implementation of workflow processes within Connect ND.

Moderate There is segregation of duties concerns within the business office due to the limited staff size.

Low

Financial Close & Reporting

The account payable process is manual in nature causing significant inefficiencies. For example, the expense approval process for purchases is not streamlined to eliminate duplicate processes related to submission and review of receipts, statements received from vendors, etc. Concerns that new GASB statements and/or changes to existing GASB statements are not monitored on a consistent basis, which could result in inaccurate financial statements.

Perform a cost/benefit analysis to determine if an automated workflow should be implemented for the account payable process to eliminate duplicate processes and opportunities to make errors.

Low

Continue to stay abreast of new GASB The controller participates in the NDUS statements and/or changes to existing GASB controller’s group where accounting and statements. reporting changes are communicated and implementation discussed. The Controller and the VPBA attend annual professional training. VCSU subscribes to NACUBO’s FARM service and receives industry updates from NACUBO. The controller is subscribed to the GASB listserv and receives updates as they are released. We will continue to be involved in the resources listed above.

©2011 LarsonAllen LLP

11

Enterprise-Wide Risk Assessment | Valley City State University

Functional Risk Area / Process Ranking

Identified Risk

Recommendations
Discuss the turnaround time of contract review with the System Office to determine if the review period could be shortened. In addition, determine if it makes good business sense to centralize the General Counsel function to allow further allocation opportunities to the smaller colleges and universities. Identify specific system level policies and/or verbiage in policies that are difficult to interpret and meet with the System Office to obtain additional guidance related to the policies. Continue to communicate and train personnel on the existing policy for appropriate use of VCSU property.

Institution Response
The General Counsel function is centralized at the system office. We will collaborate with the General Counsel office on determining ways to improve the timeliness of contract approval.

Moderate Contract start dates have been delayed due to the turnaround time in the contract review process.

Governance

Low

System level policy interpretation is difficult and VCSU is unsure of their authority in all circumstances.

VCSU has not had any instances of failure to follow policy and received a noteworthy compliance audit report from the SAO. Communication with NDUSO staff occurs as needed for interpretation and applicability of policy. Policies were implemented and communicated over two years ago. The VPBA and the President are unaware of any current personal use of VCSU property. Meeting of the VPBA, Grant fiscal manager and the Assistant Academic Vice President was held in November 2010 to assign responsibility for each element of the grant lifecycle and to develop forms and procedures. A grant manager handbook of policies and procedures should be developed.

Low

Concerns that personnel are using VCSU property for personal use when not authorized to do so.

Grant Administration

Moderate Lack of grant related policies and procedures, Develop policies and related procedures for specifically grant lifecycle and expense grant processes, specifically grant lifecycle allocations. and expense allocations.

©2011 LarsonAllen LLP

12

Enterprise-Wide Risk Assessment | Valley City State University

Functional Risk Area / Process Ranking
Low

Identified Risk
Concerns related to the organization and identification of grant expenses to ensure all funds are being reimbursed and receipts allocated to the appropriate grants.

Recommendations

Institution Response

Grant Administration Low Lack of communication between the Academic Affairs office and faculty members regarding grants that are awarded; therefore, there are concerns that grants may be missing from the grant roster.

Develop procedures for the organization and VCSU experienced a turnover in the position identification of grant expenses. responsible for grant fiscal management. The incumbent has reorganized the recordkeeping for grant expenses and reimbursements. We are not aware of any grant expenses that have not been reimbursed or are not reimbursable. All receipts have been allocated to the appropriate grants. Develop and implement procedures related to awarded grants to ensure appropriate actions and communication is taking place to ensure grants are added to the grant roster and are monitored appropriately. Drafts of policies, procedures, and forms have been developed and communicated to faculty by Academic Affairs staff through meetings and the postings on the website. Once these items are reviewed by the University Policy Committee and formalized, communication will be improved. VCSU does not have a documented performance based salary plan. VCSU applies salary increases across the board with supplemental increases based on promotion, degree attainment, market, equity and workload changes to all employees with documented satisfactory performance. VCSU administration will explore a performance based salary plan during FY 2012. VCSU plans to purchase and implement a document imaging system in FY 2012. We will also review current storage and improve security of the files.

Human Resources & Payroll

Moderate Annual wage increases are not performance based and all employees are provided the same increase regardless of performance. Providing all employees the same wage increase and not linking increase to performance provides less incentive for employees to perform well, potentially resulting in poor performance, retention problems, etc. Moderate Staff and faculty personnel files are maintained in offices and are not always in locked file cabinets. In addition, certain personnel with master keys are able to access these offices.

Evaluate the need to provide annual income increases based on performance to reward individuals who are performing well and develop improvements plans for employees where needed.

Consider utilizing a document imaging system to store personnel files to allow for additional security.

©2011 LarsonAllen LLP

13

Enterprise-Wide Risk Assessment | Valley City State University

Functional Risk Area / Process Ranking

Identified Risk

Recommendations
Develop procedures for payroll processes, specifically for the hiring and termination processes.

Institution Response
Procedures exist; they were not well documented or communicated. VCSU increased the Director of Human Resources position from .50 FTE to 1.0 FTE in FY 2011. The first priority for the new hire was revising and documenting the hiring and termination processes. This has been accomplished; we will continue to improve on the processes and conduct campus training with supervisors. Retention does not seem to be a critical issue at present—we have had three retirements in the past two years, and no resignations. We have had strong candidate pools for the five positions hired this past year (and the four hired the previous year), and have been successful in attracting quality faculty as a result. VCSU administration has increased faculty salaries by greater than 25% over the past 5 years and will continue to advocate for Legislative funding to increase salaries to recruit and retain excellent faculty. VCSU’s HR Director reviews workload issues as requested. We will explore training in time management and use of technology to manage workload issues.

Moderate Lack of payroll procedures specific to the hiring and termination processes.

Human Resources & Payroll

Moderate Recruitment and retention of faculty is a concern, specifically as it relates to the compensation offered for these positions.

No proposed recommendation.

Moderate Employee work load is a concern. Several functional areas identified some level of personnel needs. An over worked employee could potentially lead to burnout, low morale, etc.

Human Resources and senior management should assess current FTE workload by department. Identify areas of concern and suggest departmental changes and/or identify ways to better manage workloads.

©2011 LarsonAllen LLP

14

Enterprise-Wide Risk Assessment | Valley City State University

Functional Risk Area / Process Ranking

Identified Risk

Recommendations
Team with the System Office to assess policies across all colleges and universities and identify inconsistencies specific to faculty sick leave. Evaluate how lack of tracking faculty sick leave can impact compliance with FMLA. In addition, continue to educate staff and faculty related to FMLA. Assess the need to move certain responsibilities to another functional area or person to segregate significant responsibilities in the payroll process.

Institution Response
VCSU faculty do not accrue sick leave so leave cannot be tracked through the HRMS system. VCSU implemented a faculty sick leave policy in late FY 2011. The new policy should provide the tracking necessary for compliance with FMLA.

Moderate Faculty sick leave is not tracked and monitored causing concerns related to compliance with the Family and Medical Leave Act (FMLA).

Moderate There is only one person performing all payroll responsibilities, resulting in segregation of duties conflicts.

Human Resources & Payroll Low Payroll processes are very manual (i.e. Excel spreadsheets are used to calculate and approve sick and vacation time, manual time sheets are utilized, PeopleSoft is manually updated, etc.). In addition, time sheets are not always turned in timely and approval signatures are missing. Payroll should work with the Information Technology group to determine if there are additional processes that could be automated in PeopleSoft, automated workflow tools that exist and/or could be utilized, and perform a cost/benefit analysis to determine if additional software should be purchased (if needed) to automate additional manual processes. A review should be performed of the human resources master file to determine if changes need to be made to update information for staff and/or faculty members.

Upon hire of a fulltime HR director and reassigning responsibilities among the Business Office and Employee Services employees in August 2011, VCSU made improvements in the separation of payroll responsibilities and created a plan for cross training. A review of the new assignments will be conducted and reassignments made as we are able.

Low

There are concerns related to the accuracy of the human resources master file, specifically faculty information (i.e. tenure, status, etc.).

©2011 LarsonAllen LLP

15

Enterprise-Wide Risk Assessment | Valley City State University

Functional Risk Area / Process Ranking

Identified Risk

Recommendations
Work with the System office to evaluate the permissions assigned to security roles to determine if changes could be made. In addition, identify and review manual controls to mitigate the risk of inappropriate access.

Institution Response
Campus Connection has a security system which allows individuals to have either add, update, or inquiry access to some, but not all, information based on the type of position held. This access is created by assigning security roles to each individual user. The functional user groups for each module work on a continuous basis with the System office to evaluate and refine the permissions assigned by security roles. In July 2011, the Facilities director will test the current generator to determine if emergency power is sufficient to run the secondary data center.

Moderate Security roles in Campus Connection are too broad for the size of the institution; therefore, employees have additional access than what is needed based on job responsibility.

Information Technology

Low

Concerns that the back-up generator does not supply appropriate power and cooling needs are not being met in one of the two data centers. Gathering data and information quickly requested by senior leadership, the state, etc. is challenging and time consuming. Information needed for reporting and retrieved from PeopleSoft is at a “point in time” and a significant amount of time is spent manipulating and reporting on historical information. Several manual workarounds have been created to meet specific needs.

Review the current power and cooling methods in the data center and determine if enhancements to the generator should be made. Identify current reporting in PeopleSoft that are not effective and efficient. Utilize appropriate resources to determine if current reports could be enhanced to allow for historical reporting, new reports developed, etc. to obtain the information needed and in the appropriate format for reporting.

Low

©2011 LarsonAllen LLP

16

Enterprise-Wide Risk Assessment | Valley City State University

Functional Risk Area / Process Ranking
Low

Identified Risk
Ongoing concern related to marketing and ability to attract students for programs, specifically where and what should be marketed and communicated. There is no Social Media Policy in place.

Recommendations
Identify additional marketing opportunities on how to reach a broader group of potential students by networking and determining what other colleges and universities across the nation are doing to attract students. VCSU is currently utilizing facebook as a marketing technique; therefore, a Social Media Policy should be developed to establish appropriate use, ethical behavior, etc.

Institution Response

Low

Marketing & Communications

Presently, sanctioned Social Media sites are specifically identified on our web site and each has a specific admin or set of admins responsible for monitoring content. We have not received any reports of abuse or nonsanctioned Social Media sites. The Director of Communications will draft a formal Social Media Policy, route for review and feedback as appropriate, submit it to VCSU’s Policy Committee during the Fall semester 2011, and work towards approval as necessary. Once approved, the policy will be published and distributed the as necessary to ensure general awareness.

©2011 LarsonAllen LLP

17

Enterprise-Wide Risk Assessment | Valley City State University

Functional Risk Area / Process Ranking

Identified Risk

Recommendations

Institution Response

Moderate There is no POS system utilized by the bookstore which poses a risk of recording accuracy and completeness of purchases.

Perform a cost/benefit analysis to determine However, this is no longer a risk. The if it makes good business sense to purchase Bookstore implemented an effective POS and implement a POS system. In addition, system spring 2011. perform a review of the internal controls in place to determine if additional controls should be implemented and existing controls strengthened.

Low

The bookstore does not currently offer online Perform a cost/benefit analysis to determine However with the new POS system, online purchasing capabilities potentially resulting in if it makes good business sense to purchasing was implemented summer 2011. missed revenue opportunities. implement bookstore purchasing capabilities online. Concerns that the library hours are not meeting student needs, especially during peak periods. Perform an assessment, receiving student input, to determine how many students are utilizing the library, if library hours are adequate, when students feel hours are the most adequate, etc. Adjust library hours as appropriate, based on the results. Assess the need to continue having two bookstore locations on campus and determine if the two locations should be consolidated into one to allow for more efficient and cost effective processes. Track and monitor historical trends of merchandise sales and perform an analysis of the type of inventory to maintain in the bookstore to maximize sales. This past spring, the Library staff conducted a student survey and worked with student senate to increase library hours to meet student requests.

Low Operations & Auxiliary Services

Low

There are two bookstore locations on campus, creating additional oversight to monitor inventory level needs in each location, increased staffing oversight, and other inefficiencies that exist by having two locations. Concerns related to the type of inventory sold in the bookstore and if it is appropriate (i.e. appropriate sizes of clothing merchandise in stock to maximize sales).

Architectural services have been employed to identify possibilities for a single bookstore location in the Student Center.

Low

©2011 LarsonAllen LLP

18

Enterprise-Wide Risk Assessment | Valley City State University

Functional Risk Area / Process Ranking

Identified Risk

Recommendations
Consideration should be given to provide increased information technology training to existing personnel, specific to library services within higher education, and potentially develop job qualifications for new applicants.

Institution Response
The Director has increased focus on training for current employees in use of library management system and e-resource structure and searching. Mitigation is ongoing. The Director will continue to encourage staff to complete on-the-job training sessions as they are available and relevant to library services in higher education. Succession planning is discussed on an ongoing basis. Options have been explored for key personnel. We will continue to develop a plan. Employees with a potential conflict of interest with a vendor complete a disclosure of business interest form annually. All regular employees certify annually they have read and agree to abide by the Employee Code of Conduct which contains conflict of interest language.

Moderate Current staffing model at the library and training available to meet the changing information technology demand of students.

Faculty & Staff

Moderate Concerns that succession planning has not been a key priority where deemed necessary.

Perform an assessment to determine where succession planning would be deemed most critical and develop a plan to implement with key action plans and milestone dates. Continue to communicate and train personnel on the existing conflict of interest policy. In addition, the vendor master file should be reviewed on an ongoing basis to identify potential conflicts of interest.

Low

Current relationships with vendors could potentially be a conflict of interest as certain accusations have been made.

©2011 LarsonAllen LLP

19

Enterprise-Wide Risk Assessment | Valley City State University

Functional Risk Area / Process Ranking
Low

Identified Risk
Athletes may not be receiving the appropriate level of academic advising, due to lack of resources.

Recommendations
Review the allocation of academic advising resources to determine whether resources are appropriately allocated to student athletes or if changes should be made. In addition, perform a cost/benefit analysis to determine if additional dollars should be budgeted for academic advising.

Institution Response
Athletes receive the same academic advising support available to all students at VCSU: they are assigned a faculty advisor in their declared field of study; they are introduced to their academic advisor during their first semester on campus as part of their Learning to Live course; and they are regularly reminded to visit with their advisor to plan their program of study. Recognizing the additional needs of athletes to remain eligible and manage time effectively, in Fall 2010, the Learning Center Director began working closely with the athletic coaches responsible for athlete academics to coordinate weekly athletic study table times with Learning Center tutor availability. The Learning Center Director also communicates with these athletic coaches throughout the semester to identify academic concerns with particular athletes to determine whether or not learning support is needed to increase the opportunity for an athlete’s academic success. Following training in interpreting and using the College Student Inventory (which each freshman takes the first day of classes in the fall), coaches, the Learning Center Director, the Director of Student Academic Services, and the Learning to Live faculty plan to develop stronger intervention strategies to benefit all students who may need more attentive advising support.

Student Affairs

©2011 LarsonAllen LLP

20

Enterprise-Wide Risk Assessment | Valley City State University

Functional Risk Area / Process Ranking
Low

Identified Risk
Mental health and medical issues are increasing in the student body, resulting in an increased need for student counseling services.

Recommendations
Assess the current workload in the Student Counseling Services group to determine if current resources are adequate to support student needs.

Institution Response
In recognizing the need, VCSU continues to use Master level graduate students from NDSU, MSUM, or U of Mary on a consistent basis. These graduate students are supervised by the Director of Counseling for a complete academic year~ usually providing 16-20 hours/week. Abused Person Outreach Center (APOC) currently has a presence on VCSU campus part-time throughout the academic year. VCSU is a member of the NDUS Higher Education Consortium for Substance Abuse Prevention which provides some training and resources in prevention work and student activities funds. The NDUS chancellor has also recognized this need among the campuses within the NDUS~ identified this as a need across the system. Even though VCSU has a 50% FTE position for counseling~ the position is held by a fulltime employee who is in a 100% availability mode… i.e. on campus throughout the day.

Student Affairs

©2011 LarsonAllen LLP

21

Enterprise-Wide Risk Assessment | Valley City State University

Functional Risk Area / Process Ranking

Identified Risk

Recommendations
Communication between faculty and the Financial Aid department should be enhanced to improve the understanding of the financial aid requirements and the potential impact on curriculum changes. In addition, develop specific procedures and distribute to all applicable parties related to the process and communication that should occur when there are curriculum changes.

Institution Response
We have not been able to identify a situation like this, and conclude it is likely an unusual occurrence. Curriculum changes follow a documented process and generally go into effect when the new catalog is published. Students have representation on the Curriculum Committee, as do faculty and staff. To increase communication of academic issues, the Campus Inter-functional Team added a reporting line to its agenda this spring, to afford the VPAA the opportunity to review any changes with CIFT. These issues are inherent in the administration of federal financial aid. VCSU financial aid staff is actively engaged in NDUS system-wide and national professional development. VCSU undergoes regular audits and reviews.

Moderate Concerns related to communication between faculty and the Financial Aid department to understand the impact of potential curriculum changes on financial aid distribution and regulations.

Student Financial Processing Low Ability to stay proactive related to financial aid federal compliance. Changes in legislation are not always known and implemented timely as monitoring of new regulations and changes to existing regulations is not performed on a consistent basis. In addition, interpretation of regulations is difficult. Develop an action plan with specific measurable goals to continually monitor and stay abreast of financial aid federal regulations. Discuss regulations with the System Office and other colleges and universities in ND, as needed, to compare interpretations and gain additional confidence that VCSU is in compliance. In addition, consider performing an internal audit to review compliance with regulations.

©2011 LarsonAllen LLP

22

Enterprise-Wide Risk Assessment | Valley City State University

Appendix
Impact Criteria
IMPACT CRITERIA
FINANCIAL (1) Asset size (2) Prior negative exposure (3) Rapidly increasing transaction volume STAKEHOLDER (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns REPUTATION (1) Potential adverse issues are known to external parties, such as media and regulatory bodies LEGAL / REGULATORY (1) Any Federal/ State/Other action (2) External Audit reportable conditions OPERATIONS (1) Current infrastructure cannot support business strategy

HIGH

MEDIUM

(1) Asset size (2) Major potential cost (3) Transaction volume stable

LOW

(1) Asset size (2) Minor potential cost (3) Transaction volume stable

(1) Management, employees and faculty may be affected by process inefficiencies or control breakdown (1) No management, employees and faculty are affected by process inefficiencies or control breakdown

(1) Potential adverse issues could impact customers

(1) Issues identified by Federal/State/ Other (2) Issues identified by External Audit (1) No issues identified by Federal/State/ Other (2) No issues identified by External Audit

(1) Current infrastructure is able to support business strategy with work arounds (1) Current infrastructure is able to support business strategy

(1) Potential adverse issues could impact employees

Vulnerability Criteria
VULNERABILITY CRITERIA
CONTROL EFFECTIVENESS AND EFFICIENCY SPEED OF RESPONSE COMPLEXITY PEOPLE OPERATIONAL EFFICIENCY SYSTEM CAPABILITY RATE OF CHANGE

Controls are not working or do not exist.

HIGH

No method for anticipating and accessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.

Manual processes with many data transfer points and owners.

MEDIUM

Controls are detective but not preventative and there may or may not be effective reporting.

A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.

Automated process encompassing multiple systems and owners.

A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists. A limited number of staff and/or staff has moderate competency to manage risk event.

High/unmeasure d cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.

Systems are not operating as designed or design is flawed; very limited controls.

Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.

Systems are operating as designed, but design can be improved; controls are bolted on top of the system.

LOW

Controls are appropriately preventive and detective and there is effective reporting.

A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.

Automated processes with integrated systems.

Most staff has high competency to manage risk events.

Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.

Systems are designed, implemented, and operating effectively; controls are embedded in the system.

Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months. Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months. Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.

©2011 LarsonAllen LLP

23

Williston State College Risk Assessment Results
October 14, 2011

Craig W. Popenhagen, CPA Principal 612/397-3087 cpopenhagen@larsonallen.com

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Williston State College

220 South Sixth Street, Suite 300 Minneapolis, MN 55402-1436 612-376-4500, Fax 612-376-4850

October 14, 2011

Dr. Raymond A. Nadolny Williston State College 1410 University Avenue Williston, ND 58801 Dr. Raymond Nadolny, This report provides you, Williston State College (WSC) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board’s acceptable risk level. LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided. In addition, the procedures performed by LarsonAllen are not a substitution for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide Williston State College with insight to inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project. We appreciate the opportunity to assist Williston State College. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance. Sincerely, LarsonAllen LLP

Craig W. Popenhagen, CPA Principal 612/397-3087 cpopenhagen@larsonallen.com

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Williston State College

Table of Contents
Executive Summary
What is Risk Assessment? Risk Assessment Methodology


1  1 

Project Overview
Objectives and Scope Approach


4  4 

Risk Assessment Results
Enterprise-Wide Risk Map Detailed Results


6  6 

Appendix
Impact Criteria Vulnerability Criteria

15 
15  15 

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Williston State College

Executive Summary
LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for Williston State College. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically. Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical representation of the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Detailed results are also provided communicating the explanation for the risk ranking and recommendations for addressing the risks.

What is Risk Assessment?
Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution whether it is entity or process level.  Entity level is the cornerstone for effective control and its objectives provide guidance on what the entity wants to achieve. It should be consistent with budget, strategy, and business plans.  Process level should align with entity level objectives but differ in that they relate directly to goal setting with specific targets and deadlines. It provides guidance for management focus.

Risk Assessment Methodology
The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for Williston State College.

©2011 LarsonAllen LLP

1

Enterprise-Wide Risk Assessment | Williston State College

Understand the Client’s Business: We begin by understanding the North Dakota University System’s (the System) business by gathering the business objectives, goals, and strategies and identify the System’s various universities and colleges in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry. Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of an institution to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken in the form of missed opportunities. There are six types of risks:  Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the institution’s inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the institution’s reputation.  Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.  Operational: The risk that the institutions operational processes are not achieving the objectives they were designed for to support the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.  Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.  Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the institution and the availability and quality of information the institution can access to support decision making, and the security of key information.  Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships. Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.

©2011 LarsonAllen LLP

2

Enterprise-Wide Risk Assessment | Williston State College

Areas of Focus               

Definitions Financial Stakeholder Reputation Legal / Regulatory Operations

Impact

Vulnerability

Control Efficiency & Operating Effectiveness Speed of Response Complexity People Operational Efficiency System Capability Rate of Change

Measurement Scale

High Risk Moderate Risk Low Risk

Execute Risk Assessment Approach: We begin by identifying various interview participants, including key risk owners and conduct interviews, as applicable. Key risks are gathered during this stage and results are ranked by defined impact and vulnerability criteria. Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then validated and shared with management, as appropriate. By prioritizing and validating risks, Williston State College can align and prioritize its resources to manage and mitigate risks appropriately.

©2011 LarsonAllen LLP

3

Enterprise-Wide Risk Assessment | Williston State College

Project Overview
Objectives and Scope
The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at Williston State College and assess the levels of risk within each of the process areas. In addition, provide Management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process. The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution: Functional Area / Process
Academic Affairs Athletics Campus Safety & Security Continuing Education Emergency Preparedness Environmental Health & Safety Financial Close & Reporting

Detailed Coverage of Functional Area / Process
On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance, player and spectator liability Building security, campus police/security Non-credit courses, community programs, workforce training, conference management Emergency preparedness and response procedures, business continuity, risk management Physical safety and soundness of campus buildings, environmental risks, facilities/classroom Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action Grant tracking and monitoring, accounting, budgeting, reporting Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk Social media, publications, web development, brand and logo, advertising channels Bookstore, libraries, food services Workforce training, competency, professional environment, conflict of interest Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services Student financial aid, tuition, enrollment fees, scholarships, funding, student loan processing
4

Governance Grant Administration Human Resources & Payroll Information Technology

Marketing / Communications Operations & Auxiliary Services Faculty & Staff Student Affairs

Student Financial Processing

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | Williston State College

Approach
With the assistance of Williston State College management, LarsonAllen identified 15 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area. Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).

©2011 LarsonAllen LLP

5

Enterprise-Wide Risk Assessment | Williston State College

Risk Assessment Results
Enterprise-Wide Risk Map
The enterprise-wide risk map communicates the risk results at the functional area / process based on the information obtained during the interviews. The description of the risk map is as follows:    Green – Low Risk Yellow – Moderate Risk Red – High Risk

©2011 LarsonAllen LLP

6

Enterprise-Wide Risk Assessment | Williston State College

Detailed Results
Per discussions with process owners, LarsonAllen identified several processes where specific risks may exist. These risks identified were considered in the overall risk ranking of each key financial, operational, and IT processes. The risks identified were based upon discussions with process owners and not based on actual testing of controls. The following is a list of the risks identified by LarsonAllen, in addition to the risk ranking and recommendations for addressing the risks. Functional Risk Area / Process Ranking Identified Risk Proposed Recommendations
Continue to identify opportunities on how to reach out to a broader group of potential students. In addition, continue to perform market studies to improve enrollment numbers. Continue to analyze and monitor classes that are not meeting enrollment standards. Upon identification, determine the need to continue to offer those classes at WSC.

Institution Response
Williston State College is listening to community and student needs. Results are being collected with discussion being shared with faculty in regard to the mode of instruction, demands/needs, and timeframe offered. Williston State College has reviewed the course offerings based on viability/need. Programs reviews are being completed and assessed and filed with the SBHE Office. Williston State College has been working with other NDUS campuses on articulation and collaborative agreements over this past year. These relationships as they continue to develop will improve the communication regarding transfer processes.

Moderate Concerns related to limited curriculum offerings to attract students at a local and national level.

Academic Affairs

Moderate Concerns related to the adequacy of certain classes that are being offered at WSC due to low enrollment. Low

Student transfer process is manual resulting WSC should evaluate process to determine if in delays in identifying which previous better solutions are available. classes/credits will be accepted prior to student enrollment and decision making process for attending WSC. Potential opportunity to increase revenue from ticket and concession sales. There is no cash register or tracking method for cash and inventory sales for an event. WSC should consider evaluating the opportunity to increase concession fees and identify potential ways to improve attendance. WSC should consider evaluating the opportunity for improved internal controls over inventory sales.

Low Athletics Low

©2011 LarsonAllen LLP

7

Enterprise-Wide Risk Assessment | Williston State College

Functional Risk Area / Process Ranking
High

Identified Risk
Concerns related to security force size to monitor campus activities, residence halls and overall student safety.

Proposed Recommendations
WSC should assess the need for additional security officers/resources to improve overall safety concerns.

Institution Response
The need for security resources has been determined, and dollars awarded through the legislative funding process. Security personnel now have a presence on campus, and work continues to enhance security technology as well. Legislative authorization has resulted in campus security to mitigate need for building and residence security. A campus team will also review open/close times for all buildings and formalize the ‘open campus’ policy. This team will identify the need for additional security measures. WSCs Emergency Preparedness Team will review the Emergency Preparedness Plan to identify, and implement where necessary, communication improvements and training. Multiple building assessments have taken place on campus facilities. As a result, renovation of Stevens Hall has been placed in the State’s Capital Budget request. WSC contracted with a consultant with over 30 years of experience within the NDUS that assisted the Business Services group with technical accounting and higher education related issues. NDUS has written procedures for the financial close and budgeting process and is currently developing an accounting manual through its Controllers Group.

Campus Safety & Security

High

Improvements potentially needed in relation to “open campus” and overall building and residence security.

WSC should review current policies related to open/close times for individual campus buildings. Buildings should only remain unlocked based on operational needs with appropriate security. Additional security measures should be identified and implemented. Identify and implement additional emergency procedure communication and training across the campus. WSC should continually monitor the overall safety and soundness of all buildings on campus to identify potential need for improvements. Consideration should be given to provide increased training to existing personnel and potentially develop job qualifications for new applicants.

Emergency Preparedness

Moderate Training and communication should be enhanced related to the Emergency Preparedness Plan. Moderate Maintenance improvements are needed to campus facilities (i.e. asbestos, fire prevention, general maintenance). High Concerns around the training available and needed for the Business Services Group related to technical accounting and higher education related issues.

Environmental Health & Safety

Financial Close & Reporting

High

No written policies and procedures over the Identify a consistent process to develop new financial close and budgeting processes. policies and procedures and/or make changes to existing policies and procedures. In addition, an accounting manual could assist with learning development and accounting transition assistance.

©2011 LarsonAllen LLP

8

Enterprise-Wide Risk Assessment | Williston State College

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Perform a cost/benefit analysis to determine if a position should be created or utilize an existing WSC employee to monitor and oversee capital projects.

Institution Response
WSC contracted with UND’s Capital Projects department for assistance with its current capital projects. A new platform will be launched in July 2011 in an effort to eliminate duplicate financial transactions.

Moderate Concerns related to oversight related to significant capital projects currently maintained on campus.

Moderate Duplicate financial transactions are entered WSC should evaluate the processes to determine into the ACEware and PeopleSoft systems if the most efficient methods are being utilized for as there is no direct interface between them. this area. In addition, PeopleSoft does not currently have the functionality to support non-credit student registration. Moderate ACEware non-credit registration software continues to have significant unresolved or aged reconciling items in relation to the PeopleSoft. All open and aged reconciling items should be reviewed and resolved on a timely basis.

A new platform will be launched in July 2011 allowing reconciliations to occur on a timely basis.

Financial Close & Reporting

Moderate Concerns that departmental budget changes When a revision in the budget is determined are not being communicated on a timely necessary, WSC should communicate with basis, resulting in over spending. impacted departments on a timely basis. Moderate There have been instances identified where expenses are misclassified between programs, etc. Moderate Balance sheet reconciliations are not being completed on a timely basis. WSC should review their process of expense classification to include the process owner when possible in account classification.

WSC has implemented a procedure for implementing budget changes. WSC will include the process owner when possible when classifying expenses.

A schedule of all reconciliations should be created The NDUS has a schedule of all reconciliations to identify the individual responsible for executing and the expected completion time frame. the reconciliation and expected timeframe for completion. This schedule should be reviewed by management on an ongoing basis to identify any delays.

©2011 LarsonAllen LLP

9

Enterprise-Wide Risk Assessment | Williston State College

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
WSC should consider developing written policies and procedures.

Institution Response
A committee, formed to review existing policies and procedures, will make recommendations in order for the College to ensure appropriate policies and procedure are in place. An internal auditor from the university system is now in place.

Moderate There are minimal written policies and procedures regarding general operations, information technology, record retention, security and data privacy. Governance Low

WSC has concerns related to compliance WSC should assess the need to utilize NDUS with System Office policies and procedures internal audit and compliance staff to perform and adherence to federal/state regulatory ongoing current state reviews. guidelines. WSC should review the accounting for grants to determine if they are accurately tracking funds in relation to grant terms. Consideration should be given to provide faculty and staff with ongoing communication related to the intent and purpose of specific grants.

Moderate Concerns related to the visibility and actions related to excess funds that exceed the grant term. Moderate There appears to be a lack of communication between staff and faculty on grant identification and the related application of funds. This also includes grants that are sub-awarded to WSC from another college or university in North Dakota.

Policies and procedures are being adopted by the business office to ensure grant tracking.

Policies and procedures are being adopted by the business office to ensure grant communication across departments and organizations.

Grant Administration

Moderate There are no policies and procedures for the Develop policies and procedures to assist in the grant process. management of the grant process.

Policies and procedures are being developed by the business office.

Moderate Improvements are needed as it relates to ongoing grant monitoring.

WSC should establish and maintain a grant master file that would document each grant for tracking, follow-up, application of funds and renewal purposes. All grants should be reviewed on an ongoing basis to determine if funds are being utilized for the appropriate and intended purpose.

Policies and procedures are being developed by the business office to identify tracking, follow up, and renewal of grants. Policies and procedures are being developed by the business office to identify periodic reviews of ongoing grants.

Moderate Concern that grants are not being utilized appropriately and for the purpose they were awarded.

©2011 LarsonAllen LLP

10

Enterprise-Wide Risk Assessment | Williston State College

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Consideration should be given to provide increased training to existing personnel and potentially develop job qualifications for new applicants. Human Resources and senior management should assess current FTE work load by department. Identify areas of concern and suggest departmental changes to better manage existing workload. WSC should assess the opportunity to improve efficiency and internal controls over tracking of employee hours. WSC should assess whether tracking of sick time is necessary for faculty. The opportunity to attract more qualified candidates may be achieved with a larger number of resources used to conduct the search. The handbooks should be reviewed and updated on an ongoing basis.

Institution Response
WSC has training available for existing personnel and job qualifications for new applicants have been developed. WSC has assessed existing workload and has created new positions to alleviate areas of concern.

Moderate Concerns around the training available and needed for the Human Resources Group related to technical benefits and human resources related issues. Moderate Overall employee work load is a concern. Most functional areas identified some level of personnel needs.

Human Resources & Payroll

Low

Hourly employees worked hours and all vacation and sick leave are tracked manually. Faculty is not required to record sick time. Recruitment of staff positions is done primarily through the local newspaper. Staff and faculty handbooks have dated material.

Low Low

Low

©2011 LarsonAllen LLP

11

Enterprise-Wide Risk Assessment | Williston State College

Functional Risk Area / Process Ranking
High

Identified Risk
Protection of data related to shared folders; shared folders are not restricted on the network and contain confidential information.

Proposed Recommendations
Develop and assign user roles within shared folders to restrict access to confidential information. WSC should maintain a list of people and the keys provided to them for access to facilities. Develop and maintain a detailed and comprehensive information security plan.

Institution Response
WSC has a shared data structure on its Windows based servers which are locked down by groups and/or usernames. Shared folders are password protected which is in line with SBHE policy. The data center/server room has been rekeyed. There are 4 total keys. WSC follows NDUS policies and procedures. There is currently a policy and procedures committee that is developing internal policies and procedures. WSC has implemented a pin code/password policy for mobile devices. The College created a marketing office in 2010. Increased training will be identified in the employee’s annual evaluation.

Information Technology

Moderate The data center is accessed by a manual key; however there is no formal record of who has keys or if they should have access. Moderate Lack of a comprehensive information security policy and procedure manual.

Moderate Appropriate security measures have not been implemented to support mobile devices. Moderate Concerns around the training available and needed for the Marketing Group related to marketing and communications techniques. Marketing & Communications

WSC should evaluate its security process and implement additional controls on all mobile devices. Consideration should be given to provide increased training to existing personnel and potentially develop job qualifications for new applicants. Continue to identify additional ways to stay abreast with new and current marketing trends to reach students.

Low

Concerns on how WSC is staying abreast on new and current marketing trends to reach students.

An Enrollment Management Team is in place and currently working on a continuous plan for reaching potential students by way of new and current technologies and trends.

©2011 LarsonAllen LLP

12

Enterprise-Wide Risk Assessment | Williston State College

Functional Risk Area / Process Ranking
High

Identified Risk
Concerns related to faculty wages in comparison to industry averages. In addition, WSC wages are under the local high school wages.

Proposed Recommendations
WSC should consider benchmarking wages with other North Dakota colleges and universities to help monitor wages. Perform an assessment to determine how resources are being utilized across all functional areas, tracking of hours worked, efficiencies that could be gained, etc. Consideration should be given to potentially hiring a counselor to assist students on mental health, academic assistance and career assessments.

Institution Response
WSC has developed a salary matrix to identify the faculty and staff that are most “out of line” with state/industry averages and will work toward bringing those salaries more “in line.” Assessments have been performed and documented in the master plan, strategic plan, and annual plan. A budget team, working with executive cabinet, was initiated in 2011 to assess resource alignment across the institution. Faculty advisors currently provide academic assistance to students. The TRIO EOC Counselor located on the WSC campus provides career assessments to students requesting those services. WSC is working to enhance its relationship with the local Human Service Center for provision of mental health counseling services. A new 171 bed residence hall will open in August 2011. Housing assignments have been reviewed, and configuration changes made to optimize the number of available beds.

Faculty & Staff

Moderate Concerns how resources are being utilized across the institution, what functional areas are significantly lacking resources, and what resources could be realigned to even workloads. Moderate WSC currently does not have a counselor on campus.

Student Affairs Low Lack of available housing and residence space due to increase enrollment and overall population of Williston. WSC should continue to identify additional opportunities for student housing as student enrollment continues to increase.

©2011 LarsonAllen LLP

13

Enterprise-Wide Risk Assessment | Williston State College

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations

Institution Response
Personnel in the financial aid office continue to utilize the services and expertise of their colleagues around the state and region, as well as the assistance and expertise available through the NDUS Office and Campus Solutions. As enrollment patterns change, and regulations change, staffing levels will continue to be monitored. A process has been developed and implemented to include the financial aid director in the curriculum review and approval process.

Moderate Ability to stay proactive related to financial WSC should assess the current staffing levels aid federal compliance due to limited with the financial aid department. In addition, staffing and potential legislation changes. WSC should consider identifying opportunities to utilize the System Office and other colleges/universities to improve their understanding of potential legislation changes. Student Financial Processing Moderate Concerns related to communication between faculty and the Financial Aid department to understand the impact of potential curriculum changes on financial aid distribution and regulations. Ongoing communication should be implemented to improve understanding of financial aid requirements and the potential impact on curriculum changes.

©2011 LarsonAllen LLP

14

Enterprise-Wide Risk Assessment | Williston State College

Appendix
Impact Criteria
IMPACT CRITERIA
FINANCIAL (1) Asset size (2) Prior negative exposure (3) Rapidly increasing transaction volume STAKEHOLDER (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns REPUTATION (1) Potential adverse issues are known to external parties, such as media and regulatory bodies LEGAL / REGULATORY (1) Any Federal/ State/Other action (2) External Audit reportable conditions OPERATIONS (1) Current infrastructure cannot support business strategy

HIGH

MEDIUM

(1) Asset size (2) Major potential cost (3) Transaction volume stable

LOW

(1) Asset size (2) Minor potential cost (3) Transaction volume stable

(1) Management, employees and faculty may be affected by process inefficiencies or control breakdown (1) No management, employees and faculty are affected by process inefficiencies or control breakdown

(1) Potential adverse issues could impact customers

(1) Issues identified by Federal/State/ Other (2) Issues identified by External Audit (1) No issues identified by Federal/State/ Other (2) No issues identified by External Audit

(1) Current infrastructure is able to support business strategy with work arounds (1) Current infrastructure is able to support business strategy

(1) Potential adverse issues could impact employees

Vulnerability Criteria
VULNERABILITY CRITERIA
CONTROL EFFECTIVENESS AND EFFICIENCY SPEED OF RESPONSE COMPLEXITY PEOPLE OPERATIONAL EFFICIENCY SYSTEM CAPABILITY RATE OF CHANGE

Controls are not working or do not exist.

HIGH

No method for anticipating and accessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.

Manual processes with many data transfer points and owners

MEDIUM

Controls are detective but not preventative and there may or may not be effective reporting.

A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.

Automated process encompassing multiple systems and owners.

A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists. A limited number of staff and/or staff has moderate competency to manage risk event.

High/unmeasure d cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.

Systems are not operating as designed or design is flawed; very limited controls

Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.

Systems are operating as designed, but design can be improved; controls are bolted on top of the system.

LOW

Controls are appropriately preventive and detective and there is effective reporting.

A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.

Automated processes with integrated systems.

Most staff has high competency to manage risk events.

Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.

Systems are designed, implemented, and operating effectively; controls are embedded in the system.

Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months. Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months. Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.

©2011 LarsonAllen LLP

15

North Dakota University System Risk Assessment Results
October 14, 2011

Craig W. Popenhagen, CPA Principal 612/397-3087 cpopenhagen@larsonallen.com

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | North Dakota University System

220 South Sixth Street, Suite 300 Minneapolis, MN 55402-1436 612-376-4500, Fax 612-376-4850

October 14, 2011 Chancellor Goetz North Dakota University System 10th Floor, State Capitol 600 East Boulevard Ave, Dept. 215 Bismarck, ND 58505-0230 Dear Chancellor Goetz, This report provides you, North Dakota University System (NDUS or the System) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board’s acceptable risk level. LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided. In addition, the procedures performed by LarsonAllen are not a substitution for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide the System with insight to inherent and specific risks throughout the System. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project. We appreciate the opportunity to assist the North Dakota University System. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance. Sincerely, LarsonAllen LLP

Craig W. Popenhagen, CPA Principal 612/397-3087 cpopenhagen@larsonallen.com

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | North Dakota University System

Table of Contents
Executive Summary
What is Risk Assessment? Risk Assessment Methodology


1  1 

Project Overview
Objectives and Scope Approach


4  5 

Risk Assessment Results
Enterprise-Wide Risk Map Detailed Results


6  7 

Appendix
Impact Criteria Vulnerability Criteria

22 
22  22 

©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | North Dakota University System

Executive Summary
LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for the North Dakota University System. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprisewide risk assessment performed periodically. Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the significant functional areas or processes within the System. The enterprise-wide risk map is a graphical representation of the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Detailed results are also provided communicating the explanation for the risk ranking and recommendations for addressing the risks.

What is Risk Assessment?
Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the System. The process starts with identifying risks associated with business objectives linked through all levels of the System whether it is entity or process level.  Entity level is the cornerstone for effective control and its objectives provide guidance on what the entity wants to achieve. It should be consistent with budget, strategy, and business plans.  Process level should align with entity level objectives but differ in that they relate directly to goal setting with specific targets and deadlines. It provides guidance for management focus.

Risk Assessment Methodology
The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for the North Dakota University System.

©2011 LarsonAllen LLP

1

Enterprise-Wide Risk Assessment | North Dakota University System

Understand the Client’s Business: We begin by understanding the System’s business by gathering the business objectives, goals, and strategies and identified the System’s various universities and colleges in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry. Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of the System to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken in the form of missed opportunities. There are six types of risks:  Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the System’s inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the System’s reputation.  Financial: The risk that the System’s financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.  Operational: The risk that the System’s operational processes are not achieving the objectives they were designed for to support the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.  Legal/Regulatory: The System is subject to a variety of federal, state and local laws, regulations and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.  Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the System and the availability and quality of information the System can access to support decision making, and the security of key information.  Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships. Next, we define impact and vulnerability criteria applicable to the System to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.

©2011 LarsonAllen LLP

2

Enterprise-Wide Risk Assessment | North Dakota University System

Areas of Focus               

Definitions Financial Stakeholder Reputation Legal / Regulatory Operations

Impact

Vulnerability

Control Efficiency & Operating Effectiveness Speed of Response Complexity People Operational Efficiency System Capability Rate of Change

Measurement Scale

High Risk Moderate Risk Low Risk

Execute Risk Assessment Approach: We begin by identifying various interview participants, including key risk owners and conduct interviews, as applicable. Key risks are gathered during this stage and results are ranked by defined impact and vulnerability criteria. Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then validated and shared with management, as appropriate. By prioritizing and validating risks, the System can align and prioritize its resources to manage and mitigate risks appropriately.

©2011 LarsonAllen LLP

3

Enterprise-Wide Risk Assessment | North Dakota University System

Project Overview
Objectives and Scope
The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at the System and assess the levels of risk within each of the process areas. In addition, provide Management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process. The scope of the enterprise-wide risk assessment included the following functional areas / processes within the System: Functional Area / Process
Academic Affairs Athletics Campus Safety & Security Continuing Education Emergency Preparedness Environmental Health & Safety Financial Close & Reporting

Detailed Coverage of Functional Area / Process
On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance, player and spectator liability Building security, campus police/security Non-credit courses, community programs, workforce training, conference management Emergency preparedness and response procedures, business continuity, risk management Physical safety and soundness of campus buildings, environmental risks, facilities/classroom Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action Grant tracking and monitoring, accounting, budgeting, reporting Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk Social media, publications, web development, brand and logo, advertising channels Bookstore, libraries, food services Workforce training, competency, professional environment, conflict of interest Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services Student financial aid, tuition, enrollment fees, scholarships, funding, student loan processing
4

Governance Grant Administration Human Resources & Payroll Information Technology

Marketing / Communications Operations & Auxiliary Services Faculty & Staff Student Affairs

Student Financial Processing
©2011 LarsonAllen LLP

Enterprise-Wide Risk Assessment | North Dakota University System

Approach
With the assistance of North Dakota University System management, LarsonAllen identified 10 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area. Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria). Note that risks identified at the institutional level that were System related or recommendations involved the System, were communicated in the institution reports; however, they were also included in the System report.

©2011 LarsonAllen LLP

5

Enterprise-Wide Risk Assessment | North Dakota University System

Risk Assessment Results
Enterprise-Wide Risk Map
The enterprise-wide risk map communicates the risk results at the functional area / process based on the information obtained during the interviews. The description of the risk map is as follows:    Green – Low Risk Yellow – Moderate Risk Red – High Risk

The following functional areas / processes are not on the above risk map as there were no risks identified by stakeholders, per the interview discussions:  Athletics  Campus safety & security  Continuing education  Emergency preparedness  Environmental health & safety  Operations & auxiliary services  Student affairs  Student financial processing

©2011 LarsonAllen LLP

6

Enterprise-Wide Risk Assessment | North Dakota University System

Detailed Results
Per discussions with process owners, LarsonAllen identified several processes where specific risks may exist. These risks identified were considered in the overall risk ranking of each key financial, operational, and IT processes. The risks identified were based upon discussions with process owners and not based on actual testing of controls. The following is a list of the risks identified by LarsonAllen, in addition to the risk ranking and recommendations for addressing the risks. Functional Risk Area / Process Ranking
High

Identified Risk

Proposed Recommendations

System Office Response
Agree. The system successfully addressed a similar decline between 1999 and 2010, but it will take a renewed effort to address the continuing decline. Agree. While some important steps have been taken in this area over the last three years the institutions are diverse in their use of learning management systems, lecture capture software, authentication, and standards for collaborative academic programs. A concerted effort with support from the SBHE, Chancellor, Presidents, institutions and NDUS SITS will be required to address this risk. Agree. Recent changes in state law provide the Chancellor with an opportunity to require that out of state providers meet the same quality standards as NDUS institutions. Ongoing state understanding and support will be required to maintain the current NDUS strategy of offering access to quality education at a reasonable cost.

Forecasts predict that there will be a No proposed recommendation. significant decrease in student enrollment by 2017 due to a decrease in the overall population in North Dakota. Several campuses are behind in technology used to deliver online classes. In addition, differing tools are used across the System. Assess each institution’s technology used to deliver online classes and identify individual campus or system-wide improvements. Consider consistency of approach in the use of on-line development software to assist in training, lowering barriers to use, and possible cost reduction.

High

Academic Affairs

Moderate A for-profit institution entered into the No proposed recommendation. state of North Dakota. This could have a negative impact on enrollment if forprofit and on-line institutions continue to enter the state.

©2011 LarsonAllen LLP

7

Enterprise-Wide Risk Assessment | North Dakota University System

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Perform a cost/benefit analysis to determine if a comprehensive solution is available through CND or if a consolidation tool should be purchased and implemented system-wide. In addition, assess whether appropriate spreadsheet internal controls are in place to mitigate the risk of misstatement or error during consolidation.

System Office Response
Agree. As a short-term solution, this year the NDUS Office updated the spreadsheet templates to add more functionality and edits. We have already discussed long-term solutions with CND. As a result, this year CND staff created several additional queries and reports to assist with statement preparation, and they continue to examine a more comprehensive solution. Agree. Beginning in FY10 certain additional procedures were put in place that requires more frequent recording and reconcilement of accounting activities. This was done in lieu of monthly general ledger close, as more frequent close and preparation of statements required additional staff resources, which are not available. Agree. The Budget Directors group will be asked to complete an evaluation and forward recommendations by June 30, 2012.

Moderate The institutions financial statements are consolidated into the System statement utilizing Excel on an annual basis; an automated consolidation tool is not utilized. Heavy use of spreadsheets in significant processes such as consolidation could potentially result in misstatements, errors, and inefficiencies.

Financial Close & Reporting

Moderate The financial close and financial Perform year-end posting procedures, statement reporting process is time reconcilements and other financial close intensive and only occurs once per year. procedures on a more frequent basis. In addition, individual institutions are not required to develop financial statements on a more frequent basis.

Moderate In addition to the CND n‘Vision reports available, each institution across the system utilizes their own budgeting tool or solely uses spreadsheets, making the annual budgeting process time intensive.

Perform a cost/benefit analysis to determine if it makes good business sense to utilize the current methods for budgeting or purchase a budgeting tool to roll out across all institutions. A budgeting tool would assist with tighter controls related to the accuracy of the budgeting process and potential efficiencies could be gained. In addition, assess whether both position and employee budgeting could be integrated using source data from the payroll and HR applications.

©2011 LarsonAllen LLP

8

Enterprise-Wide Risk Assessment | North Dakota University System

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Perform an internal audit to assess the various roles and responsibilities individuals perform at the campus level identifying areas where improvements could be made related to the segregation of duties. Perform a cost/benefit analysis to determine the need to expand the number of accounting resources at the System office.

System Office Response
Agree. This is frequently raised in annual audits. Due to lack of staffing, campuses have taken other steps to attempt to mitigate risk resulting from lack of segregation of duties. The NDUS Director of Internal Audit will be asked to consider this as part of an audit plan. Agree. The Chancellor will consider the priority and need for additional System office staff as he formulates his 13-15 biennial budget recommendation to the SBHE.

Moderate Many smaller campuses have individuals that are responsible for several areas potentially causing segregation of duties issues.

Moderate The System office Accounting department is currently understaffed.

Low

The System office Accounting Manual is not updated on a timely basis or upon significant change.

Financial Close & Reporting

Consider implementing procedures to update Agree. The current manual is under review and the System office Accounting Manual on a updates will be completed by Dec. 31, 2011. timely basis and/or upon significant change. The Controller’s group will be asked to annually review and update the manual hereafter or sooner if needed. Perform a cost/benefit analysis to determine if an automated workflow tool should be implemented for the accounts payable process to reduce duplicate processes and reduce opportunities for errors. Agree. There is currently the capability to decentralize entry of invoices. Using this capability, departments receive invoices from vendors, do necessary approvals in the departments, and then enter the invoices for payment with no, or minimal, use of manual forms or manual routing of approvals. This process is in use at NDSU. Additional workflow capabilities have recently been made available by Oracle but this capability has not been implemented. A significant drawback is the lack of consistent business processes at the institutions that would require each institution to be implemented separately.

Low

Accounts payable processes at various institutions are not streamlined, are manual in nature, and much time is spent circulating manual documents for review, approval, and submission for payment.

©2011 LarsonAllen LLP

9

Enterprise-Wide Risk Assessment | North Dakota University System

Functional Risk Area / Process Ranking
High

Identified Risk
There is limited compliance and internal audit function(s) to oversee the various regulations the institutions’ are required to comply with or to address enterprisewide risk.

Proposed Recommendations
Perform a cost/benefit analysis to determine if an internal audit and/or compliance function should be expanded at the System level and/or campuses and consider whether current internal audit staff at other colleges and universities could be utilized across all institutions. Furthermore, annual performance processes should take into consideration compliance with laws and regulations.

System Office Response
Agree. The SBHE considered this issue during 2010 and also as part of the 2011-13 biennial budget request process. In 2010, the SBHE directed the addition of a System internal audit position. The issue of appropriate staffing levels at both the System and campus level was also just recently outlined in a memo to the SBHE Budget, Audit and Finance Committee in September 2010. With regard to performance processes, the Chancellor will take this under advisement as he prepares presidential performance evaluations.

High Governance

There is not a central repository for contracts. Risks include, but are not limited to, the following: Ability to locate contracts timely, version control, increased cycle time during contract drafting, negotiating, etc., ability to report on key performance indicators, visibility into personnel who are executing contracts, unauthorized changes made to final executed contracts, etc. There appears to be significant opportunities to improve effectiveness and efficiency, as a System, by focusing on consistency of approach and collaboration for both academic and administrative functions; however, it will take strong, committed leadership to do so.

Perform a cost/benefit analysis to determine if it makes good business sense to develop a centralized electronic repository to house and manage contacts in each stage of the contract life cycle (drafting, negotiating, approval, storage & repository, track & administration, and renew & optimize).

Agree. The NDUS will consider the possibility of completing the recommended analysis.

High

Perform an assessment to determine where departures in approach and collaboration for academic and administrative functions exist system-wide. Identify root causes for the inconsistencies and develop future state improvements to gain consistency where deemed appropriate.

Agree. The SBHE will be asked to consider an approach to improving system-wide efficiency and effectiveness in FY12.

©2011 LarsonAllen LLP

10

Enterprise-Wide Risk Assessment | North Dakota University System

Functional Risk Area / Process Ranking
High

Identified Risk
The System does not consistently operate as a unified system of higher education, with the primary focus on what is in the best interest of the student and state, as opposed to the institution. In addition, there is not a collaborative mentality within some institutions and it is not productive to meeting the state’s expectations.

Proposed Recommendations
In order for the System to truly operate as a unified system of higher education, it is important that the following is in place: 1) clear and strong SBHE direction, expectations, and support; 2) cooperation and support at all levels of the System; 3) adherence and respect for various roles and responsibilities; and performance accountability. Perform a cost/benefit analysis to determine the need to expand the number of general counsel resources at the System office to support the various institutions.

System Office Response
Agree. This will be clearly communicated to the SBHE and campuses.

Governance

Moderate Lack of general counsel resources at the System level to supply legal thought leadership and guidance to the nine institutions that do not maintain their own general counsel office.

Agree. The SBHE took steps in 2009 to add an additional System legal counsel position. In addition, a SBHE task force is concluding a year-long study that reviewed the provision of legal services across the NDUS. Additional steps will be taken as outlined in the SBHE task force report. Agree. The NDUS is partnering with the Governor’s Office in a review of funding and development of a new funding model. In addition, the NDUS will be proceeding with development of a performance funding budget component.

Moderate Overall availability of funding was raised Funding levels for all NDUS institutions during each individual campus visit; should be reviewed, and adjusted as however, it is only noted in a few select necessary. campus reports based on the level of institutional concern expressed. It should be noted that all institutions indicated funding is a challenge.

©2011 LarsonAllen LLP

11

Enterprise-Wide Risk Assessment | North Dakota University System

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Consider restructuring the legal counsel function to follow a centralized approach.

System Office Response
Agree. A SBHE task force is concluding a yearlong study that reviewed the provision of legal services across the NDUS. Additional steps will be taken as outlined in the SBHE task force report.

Moderate There is not a centralized legal counsel group to identify circumstances where legal counsel attention is needed, communicate to the institutions when legal counsel oversight is warranted, and to prioritize dedication of resources across the System to ensure all institutions receive the appropriate support. Moderate Campus personnel are not always knowledgeable of System level policies and procedures, including lack of understanding of how policies are organized, titled, and where they are stored. There are also limited monitoring processes in place to ensure compliance with SBHE policies and procedures. Moderate New System level policies and changes to existing policies communicated from the System office to the individual campuses are not always further communicated to the appropriate personnel at the campus. In addition, it is unclear whether individual institutions are complying with System level policies and procedures.

Governance

System level policies and procedures should be reviewed periodically across the System to enhance understanding, and to update, as necessary. In addition, the current format of SBHE policies and procedures should be reviewed to determine if there are ways to condense, simplify and organize policies to increase user understanding and awareness. Evaluate the current method of communicating new System level policies/procedures and changes to existing policies/procedures to the institutions and also the method of communication within the institutions to determine if changes should be made to enhance communication. In addition, consider performing an internal audit across the institutions comparing current practices to policies to determine whether institutions are adhering to policies.

Agree. System legal counsel has expressed an interest in a comprehensive review and consolidation of system policies and procedures. This should be completed by June 30, 2012. With regard to period review, the various senior councils will be asked to make this a regular part of their meeting schedules. Agree. A review of communication and distribution at both the System and campus level, and appropriate changes, will be completed by June 30, 2012. The System internal auditor will be asked to consider adding policy compliance to the audit plan.

©2011 LarsonAllen LLP

12

Enterprise-Wide Risk Assessment | North Dakota University System

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Develop a procedure manual for the key responsibilities in the job descriptions to document procedures related to responsibilities, key functional use and screens within PeopleSoft, etc. Once the most significant responsibilities are documented, the less significant responsibilities can be documented, as time allows. Whistleblower hotline communication should funnel through a department or individual(s) that report directly to the SBHE audit committee, including possibly legal counsel. Appropriate individuals at the System and institution level should be identified and contacted by Legal Counsel for follow-up on reports. Consider policy/procedure changes, as necessary to further clarify, and identify opportunities for improvement. Seek consistency in administrative business processes and procedures, collaboration in academic offerings, and allow selective innovation supporting new ideas and solutions.

System Office Response
Agree. Key positions will be identified and required to develop initial procedure manuals by December 31, 2012, with ongoing revisions and updates added thereafter.

Moderate There are limited day-to-day procedures documented for various roles within the System office. When someone resigns, is out on family leave, etc. it is difficult to understand the individuals responsibilities, how they utilize PeopleSoft, etc. In addition, certain responsibilities may not be completed due to the unknown variable. Moderate The reporting structure for the whistleblower hotline is not independent of the Administrative Affairs office. Governance

As a result of a recent change, all hotline reports are simultaneously sent to a campus representative and the NDUS Internal Auditor. The VC for Administrative Affairs no longer receives the reports. As the NDUS Internal Auditor does not directly to the SBHE BAFC, a change may need to be considered. Agree. This delicate balance is always debated and contemplated in the development of policies and procedures, and on significant areas of difference the SBHE is asked to make the final determination. It is important to note that there are opportunities to be more efficient and effective as a System in areas that are not mission critical; however, these will require SBHE support and commitment.

Moderate Campuses are allowed substantial “flexibility” under the flexibility with accountability expectations of SB 2003 passed by the 2001 Legislative Assembly; however, in certain circumstances, the System office needs consistent processes across institutions to perform their responsibilities and to meet their requirements, and state expectations of a unified system of higher education to operate effectively and efficiently.

©2011 LarsonAllen LLP

13

Enterprise-Wide Risk Assessment | North Dakota University System

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Carefully consider the appropriate balance when drafting policies and procedures, especially in those instances where differences are important in protecting the core academic mission of the institution, as opposed to processes that do not infringe on mission critical activities.

System Office Response
Agree. This delicate balance is always debated and contemplated in the development of policies and procedures, and on significant areas of difference the SBHE is asked to make the final determination. It is important to note that there are opportunities to be more efficient and effective as a System in areas that are not mission critical; however, these will require SBHE support and commitment. Agree. The Chancellor will consider the priority and need for additional System office staff as he formulates his 13-15 biennial budget recommendation to the SBHE.

Moderate The system is very diverse (i.e. community colleges, research institutions). It is difficult to develop system-wide policies that address each institution; however, there are times when a consistent policy and practice is warranted in effectively and efficiently serving students and utilization of state resources.

Governance

Moderate Within the System Office, time is spent focusing on issues that arise on a day to day basis and reduces the time the System Office can spend focusing on the goals and objectives of the strategic plan. Moderate Compliance with the Higher Education Act, including, but not limited to, the following: interpretation, drafting related procedures, monitoring changes to laws and regulations, knowledge around penalties, etc. In addition, communicating the above items to the institution level. Moderate New laws and regulations. Concerned whether the institutions have the appropriate knowledge and training to adhere to compliance.

Assess workload in comparison to the number of resources in the System office to determine if additional resources are needed to allow for additional time spent on focusing on the goals and objectives of the strategic plan, or other impacting factors. Perform a cost/benefit analysis to determine if a compliance function should be developed to oversee the various regulations the System and institutions are required to comply with.

Agree. The Chancellor will consider the priority and need for additional System office staff as he formulates his 13-15 biennial budget recommendation to the SBHE.

Perform a cost/benefit analysis to determine if a compliance function should be developed to oversee the various regulations the System and institutions are required to comply with.

Agree. The Chancellor will consider the priority and need for additional System office staff as he formulates his 13-15 biennial budget recommendation to the SBHE.

©2011 LarsonAllen LLP

14

Enterprise-Wide Risk Assessment | North Dakota University System

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Discuss communication concerns with Connect ND Advisory Committee regarding processes to make and prioritize changes within PeopleSoft to determine if changes can be made to process and communication.

System Office Response
Agree. The CIO and Executive Director of ConnectND will meet with the Campus Advisory Committee to review current advisory structure and methods of communications to determine what changes may be made to improve the overall process. The Executive Director of ConnectND has a set of priority levels for enhancements and changes that have been reviewed by the Campus Advisory and user groups over the past year. There have also been discussions with those same entities on their roles and responsibilities.

Moderate Communication between Connect ND and the various institutions could be improved as it relates to significant decisions and changes that are made that affect the institutions, specifically the processes to make and prioritize changes within PeopleSoft and overall decision making is not clearly defined or communicated.

Governance

Moderate Development of reports and queries in PeopleSoft to extract information and data to meet and report on mandatory federal regulation requirements are not implemented timely by Connect ND causing institutions to develop interim processes to enable timely reporting.

Identify obstacles to timely reporting at a System level for external reports to meet Federal and State requirements. Review polices and procedures for compliance related ssues and modify procedures to ensure accurate reporting.

Agree. Data quality both in terms of accuracy and completeness is a major issue that must be addressed. A second major issue is external reports may be provided by institutions where reported numbers are inconsistent with those recorded at the System level. The need for improvement is recognized and support for a consistent approach to reporting will be important. Agree. The data warehouse is simply a collection of data from existing production ERP Systems. Institutional input has been vital and will continue to be vital in the development of the data element dictionary that identifies the data elements stored in the dictionary. The institutions will be further involved through discussions on additional data marts and data elements to be captured in the data warehouse.

Moderate Development of the data warehouse is managed by Connect ND and there are concerns that input will not be obtained from the institutions throughout the development process.

Team with Connect ND to stay abreast of the process to facilitate and collect input from the institutions in the development of the data warehouse and recommend changes to the process if adequate input is not being collected from the institutions and additional input is deemed appropriate.

©2011 LarsonAllen LLP

15

Enterprise-Wide Risk Assessment | North Dakota University System

Functional Risk Area / Process Ranking
High

Identified Risk
PeopleSoft may not have the complete capability to track and monitor effort reporting, resulting in the inability to produce all information needed for a compliance review. In addition, there are concerns that institutions would not be in compliance.

Proposed Recommendations
Ensure that the institutions are following consistent best practice business procedures at all institutions. Review the current methods to track and monitor effort reporting to determine if enhancements could be made to the current reporting methods. Alternatively, consider purchasing a grant and effort reporting tool to enhance reporting accuracy and produce information needed internally and for compliance reviews. This will not be successful without consistent business processes at the institutions.

System Office Response
Agree. Work is currently underway with the institutional grant offices and the NDUS and institutional auditors on ways to improve this effort. The auditors will be reviewing the business processes along with the grant offices to determine if moving to a consistent set of best practice business procedures along with enhanced reporting can meet requirements. If it is determined that approach is not sufficient an RFP will be developed and issued for additional grant reporting tools.

Grant Administration

©2011 LarsonAllen LLP

16

Enterprise-Wide Risk Assessment | North Dakota University System

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Perform a cost/benefit analysis to determine if a human resources department or individual dedicated resource should be implemented to segregate responsibilities and provide independence.

System Office Response
Agree. Several years ago the NDUS Office had an HR position; however, that was converted to a financial reporting position to address audit concerns. The Chancellor will consider the priority and need for additional System office staff as he formulates his 13-15 biennial budget recommendation to the SBHE.

Moderate A dedicated HR resource is not in place at the System office and responsibilities are performed by another department.

Human Resources & Payroll

Moderate Payroll processes at the institutions are very manual (i.e. Excel spreadsheets are used to calculate and approve sick and vacation time, manual time cards are utilized in several instances, PeopleSoft is manually updated, etc.).

The Information Technology group should review the current use of PeopleSoft for payroll processes to determine if there are additional opportunities to automate the processes in PeopleSoft, automated workflow tools that exist and/or could be utilized, and perform a cost/benefit analysis to determine if additional software should be purchased to automate manual processes. The NDUS and institutions should review business processes to eliminate or reduce the need for manual processes outside of CND. If consistent business practices were utilized the existing software may meet the requirements.

Agree. There are tools and automation available that could reduce manual processes. There is current capability in HRMS for decentralized entry of time sheets for hourly employees and for leave entry for all employees. Only one institution currently takes advantage of the capability offered. Related to HRMS workflow and process, at the request of the Administrative Affairs Council a recommendation implement Manager SelfService in HRMS as been made. This provides for automation and workflow related to hiring, termination, and HR or payroll changes, such as salary or job category changes or government forms (I-9, W-4). PERS is working on a solution.

Low

The benefits election process for new No proposed recommendation as this is employees and the annual renewal managed by the state. processes system-wide are very manual. Employees manually complete forms and benefit elections for new employees and annual open enrollment changes are manually entered into PERS.

©2011 LarsonAllen LLP

17

Enterprise-Wide Risk Assessment | North Dakota University System

Functional Risk Area / Process Ranking
High

Identified Risk
There are many shadow systems that are being utilized outside of PeopleSoft and across various functional areas. In addition, there is not an inventory maintained of all the shadow systems to identify what they are used for, who manages them, security, etc.

Proposed Recommendations
Request each institution to identify all shadow systems that are being used outside of PeopleSoft. The information collected on the shadow systems must include information such as the department using the system, why it is necessary, the person responsible for managing the system, and the security controls in place for the system. This information should then be sent to the CIO for further review to determine if these systems may be eliminated through collective reporting or if existing functionality can replace the shadow system.

System Office Response
Agree. This has been an area of concern and previously was a subject of discussion among the Chancellor’s Sr. Staff and the institutional presidents. At the time the discussion was held for awareness and to encourage institutional review of shadow systems and the requirement for their continuance. The NDUS CIO will develop a recommendation to help establish procedures for identifying, cataloging and coping with data collections and systems that are referred to as shadow systems. Agree. A report detailing key software licensing, and maintenance costs for the current fiscal year and the projected costs for FY13 will be created and distributed for review and discussion to the appropriate councils. Information will be provided by institution where practicable. Agree. An excess number of roles are a known performance issue in PeopleSoft and there is also the impact on employee productivity of having an employee log in and out of the system to perform duties based on their multiple roles at smaller institutions. ConnectND will work with the institutions to review the current roles to determine what changes are prudent to lower risk without significant impact on performance and productivity.

High Information Technology

The System Information Technology Services does not have the ability to recover costs associated with maintenance licensing cost escalation for software and licensing, especially as it relates to increasing demands due to student enrollment growth and service expectations. Security roles in Campus Connection are too broad for the size of the smaller institutions; therefore, employees have additional access than what is needed based on job responsibility.

Perform a review of costs associated with maintenance licensing cost escalation for software and licensing and determine where pricing has increased specific to each institution. Determine if it continues to make good business sense to absorb costs at the System vs. allocate budget and any additional costs to the institutions. Evaluate the permissions assigned to security roles to determine if roles are appropriate. In addition, identify and review manual controls at the smaller institutions to mitigate the risk of inappropriate access.

High

©2011 LarsonAllen LLP

18

Enterprise-Wide Risk Assessment | North Dakota University System

Functional Risk Area / Process Ranking

Identified Risk

Proposed Recommendations
Perform a current state assessment for all functional areas to determine how PeopleSoft is being utilized and to identify other methods being used to house data and information. Identify future state improvement opportunities and reengineer processes. In addition, perform a cost/benefit analyses to determine if additional modules should be purchased within PeopleSoft, automated workflows implemented, etc. To the greatest extent possible, identify a consistent set of reporting needs at a statewide and system-wide level. Next, identify changes needed to address these reporting requirements effectively and accurately.

System Office Response
Agree. In 2006, the NDUS engaged Oracle in a current state assessment that led to the identification of significant issues that were addressed over the following two years. It is prudent that another current assessment be conducted to help identify other improvement opportunities. However, until there is recognition and commitment to moving to consistent best practice business procedures across the NDUS the potential of many improvements cannot be realized. Agree. Having consistent business practices, consistent data definition, and improved data quality is a requirement to reducing the time spent reviewing, validating, and reporting on information. As long as the report programming for each institution must be customized for the unique definitions and business practices of each institution the inefficiencies, reporting errors, and timeliness of reporting cannot be effectively addressed. Agree. Implement and support an information technology strategy that unifies the infrastructure for academic technologies across the System. The focus of increasing efficiencies, reducing duplication, and leveraging costs need to be combined in support of enhanced technological opportunities in courses for students and faculty.

Moderate PeopleSoft is not being utilized to its full capabilities. Internally developed software is being utilized where PeopleSoft could potentially be leveraged and manual work-arounds have been created outside of PeopleSoft and other systems. In addition, there is a lack of consistency across institutions as it relates to the use of PeopleSoft modules, legacy systems, and other methods of housing data and information for reporting.
Moderate Gathering data and information quickly requested by senior leadership, the state, etc. is challenging and time consuming. Information needed for reporting and retrieved from PeopleSoft is at a “point in time” and a significant amount of time is spent reviewing, validating and reporting on historical information. Several manual work-arounds have been created to meet specific needs. Moderate As course offerings and student enrollment increase there are concerns that the System will not be able to sustain the information technology infrastructure needed to support distance learning.

Information Technology

Continue to assess the information technology needs to support distance learning, including how collaboratively services and programs can be delivered more efficiently and effectively. Develop a long-term plan with specific objectives and goals to gain comfort that future information technology needs will be supported and available.

©2011 LarsonAllen LLP

19

Enterprise-Wide Risk Assessment | North Dakota University System

Functional Risk Area / Process Ranking
Low

Identified Risk
Several students were inappropriately suspended at NDSU due to incorrect academic reporting from PeopleSoft, specifically issues with reporting for students taking repeat courses. However, multiple new end-of-term processes have been put into place to identify future instances of this problem.

Proposed Recommendations
Review the current change management process specific to PeopleSoft reports to determine if adequate policies and procedures are in place to test and approve changes to reports. In addition, identify the root cause of the issue and determine if the issue has been resolved.

System Office Response
Agree. This problem was the result of a flaw in the coding provided by Oracle/PeopleSoft to the NDUS and other customers in their software bundle 16 for the Campus Solutions application. Once the problem and its cause were determined, corrective action was taken during the fall semester 2010. NDSU and other institutions were informed of the problem and given software process information so they could determine the settings they would implement on their campus based on the their repeat practices. NDSU modified their suspension verification procedures to provide additional checks and balances to the suspension grade verification process. Agree.

Information Technology

Low Marketing & Communications

Negative information could potentially be received by the media prior to the System office becoming aware of an issue.

No proposed recommendation.

©2011 LarsonAllen LLP

20

Enterprise-Wide Risk Assessment | North Dakota University System

Functional Risk Area / Process Ranking
High

Identified Risk
Overall employee work load at the System office is a concern. Most functional areas identified some level of staff needs to meet state, SBHE and campus expectations. In addition, areas of expertise are insufficient to meet the demands and expectations (i.e. capital projects, compliance, HR).

Proposed Recommendations
Perform an assessment to determine how resources are being utilized across all functional areas, tracking of hours worked, efficiencies that could be gained, etc. Determine if additional resources are needed and what specific areas of expertise they are needed. No proposed recommendation.

System Office Response
Agree. The Chancellor will consider the priority and need for additional System office staff as he formulates his 13-15 biennial budget recommendation to the SBHE.

Faculty & Staff

Moderate There has been a high turnover rate in key leadership positions in the last several years at both the System and institution level, specifically vice presidents, presidents and Chancellor. Moderate The housing market (nation-wide), rural nature of North Dakota, and the perception of North Dakota has had an impact on the ability to attract personnel system-wide with the appropriate qualifications to fill open positions.

Agree.

No proposed recommendation.

Agree.

©2011 LarsonAllen LLP

21

Enterprise-Wide Risk Assessment | North Dakota University System

Appendix
Impact Criteria
IMPACT CRITERIA
FINANCIAL (1) Asset size (2) Prior negative exposure (3) Rapidly increasing transaction volume STAKEHOLDER (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns REPUTATION (1) Potential adverse issues are known to external parties, such as media and regulatory bodies LEGAL / REGULATORY (1) Any Federal/ State/Other action (2) External Audit reportable conditions OPERATIONS (1) Current infrastructure cannot support business strategy

HIGH

MEDIUM

(1) Asset size (2) Major potential cost (3) Transaction volume stable

LOW

(1) Asset size (2) Minor potential cost (3) Transaction volume stable

(1) Management, employees and faculty may be affected by process inefficiencies or control breakdown (1) No management, employees and faculty are affected by process inefficiencies or control breakdown

(1) Potential adverse issues could impact customers

(1) Issues identified by Federal/State/ Other (2) Issues identified by External Audit (1) No issues identified by Federal/State/ Other (2) No issues identified by External Audit

(1) Current infrastructure is able to support business strategy with work arounds (1) Current infrastructure is able to support business strategy

(1) Potential adverse issues could impact employees

Vulnerability Criteria
VULNERABILITY CRITERIA
CONTROL EFFECTIVENESS AND EFFICIENCY SPEED OF RESPONSE COMPLEXITY PEOPLE OPERATIONAL EFFICIENCY SYSTEM CAPABILITY RATE OF CHANGE

Controls are not working or do not exist.

HIGH

No method for anticipating and accessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.

Manual processes with many data transfer points and owners

MEDIUM

Controls are detective but not preventative and there may or may not be effective reporting.

A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.

Automated process encompassing multiple systems and owners.

A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists. A limited number of staff and/or staff has moderate competency to manage risk event.

High/unmeasure d cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.

Systems are not operating as designed or design is flawed; very limited controls

Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.

Systems are operating as designed, but design can be improved; controls are bolted on top of the system.

LOW

Controls are appropriately preventive and detective and there is effective reporting.

A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.

Automated processes with integrated systems.

Most staff has high competency to manage risk events.

Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.

Systems are designed, implemented, and operating effectively; controls are embedded in the system.

Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months. Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months. Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.

©2011 LarsonAllen LLP

22

Sign up to vote on this title
UsefulNot useful