2022 March 3 Audit Committee Meeting

March 3, 2022 at 12:30 PM (EST)
Keene State College
Young Student Center
Keene, NH 03431

If you need assistance or have trouble connecting please call 603-862-0918 or email [email protected]


Meeting Book - 2022 March 3 Audit Committee Meeting

MEETING AGENDA - March 3, 2022 at 12:30pm

I. Meeting Information

Physical location:
Keene State College (masks required for all indoor spaces)
Young Student Center
Mabel Brown Room
Keene, NH 03431

Call in: 1 301 715 8592
Meeting URL: https://unh.zoom.us/j/91662457599
Meeting ID: 916 6245 7599

II. Audit Committee Members

Alexander Walker, Chair, Gregg Tewksbury, Vice Chair, M. Jacqueline Eastwood, Shawn Jasper, Mackenzie Murphy, Governor Sununu

III. In the Unlikely Event of a Zoom Call Failure

Call: 1 877 228 3100
Participant Code: 638408

IV. Call to Order

12:30-12:35 pm V. Approval of Consent Agenda Items

MOVED, that the Consent Agenda Items be approved.

A. Approve Minutes of October 22, 2021 Meeting

    1. AC 10-22-2021 DRAFT minutes.pdf - 4

B. Accept Internal Audit Reports Issued

    1. UNH Spaulding Hall Project Cost Review Report.pdf - 11
    2. UNH Student Grades Audit Report.pdf - 18
    3. UNH Garage Inventory Audit Report.pdf - 47
    4. GSC Student Identity and Financial Verification Audit Report.pdf - 61
    5. PSU Financial Aid Data Security Review Report.pdf - 80

C. Accept UNH NCAA Agreed Upon Procedures Report

    1. UNH NCAA AUP Report.pdf - 92

D. ERM Update on Change Management, Campus Safety, and Compliance

    1. ERM Update - Change Management, Campus Safety, and Compliance.pdf - 114

12:35-1:10 pm VI. Items for Committee Consideration and Action

A. Approve appointment of CliftonLarsonAllen (CLA) as external auditors and CLA’s Fiscal Year 2022 audit plan covering USNH financial statements and federal awards under the Uniform Guidance (15 min)

MOVED, on recommendation of the Chief Administrative Officer, that CliftonLarsonAllen LLP be confirmed as the external auditor for the University System of New Hampshire to provide audit services related to activities of fiscal year ending June 30, 2022.

    1. CLA appointment-audit plan-engagement letter.pdf - 141

B. Approve CY22 Internal Audit Plan/Review Internal Audit's CY21 Annual Report (20 min)

MOVED, on recommendation of the Chief Administrative Officer, that the proposed Internal Audit Plan for CY22 be approved.

    1. CY22 IA Plan-IA CY21 Annual Report.pdf - 170

1:10-1:25 pm VII. Items for Committee Consideration and Discussion

A. Internal Audit Charter Review (5 min)

    1. IA charter and summary sheet.pdf - 192

B. Review status of outstanding audit issues (5 min)

    1. Status of outstanding audit issues with summary sheet.pdf - 196

C. Ethics and Compliance Hotline and Fraud Reports Summary (5 mins)

    1. Hotline and fraud summary 02-01-2022.pdf - 228

VIII. Non-Public Session (if needed)

IX. Other Business

A. Chair or Committee comments

B. Next scheduled meeting: June 23, 2022 at the University of New Hampshire in Durham

C. Adjourn

BOARD OF TRUSTEES


AUDIT COMMITTEE OCTOBER 22, 2021

PLYMOUTH STATE UNIVERSITY PLYMOUTH, NEW HAMPSHIRE

and BY ZOOM MEETING:

HTTPS://UNH.ZOOM.US/J/92467918189

MEETING MINUTES Draft for Approval

Committee members physically present: Chair Alexander Walker, Wallace R. Stevens, M. Jacqueline Eastwood, Shawn Jasper, Mackenzie Murphy

Other Trustees physically present: Melinda Treadwell, Sen. James Gray

Other participants participating by videoconference: (USNH) Karyl Martin, Ashish Jain, Kara Bean, Francine Ndayisaba; (GSC) Tiffany Doherty; (PSU) Janette Wiggett; (KSC) Jeffrey Maher, Kelli Jo Harper; (USSB) Reshma Giji, Ty Gioacchini, Jacob Riley, Christian Merheb; (CLA) Andy Lee, Luke Winter

Other participants participating in person: (USNH) Tia Miller; (UNH) Wayne Jones; (Governor’s Office) Jonathan Melanson

I. Call to Order

At 10:32 a.m., Committee Chair Walker called the meeting to order. Chair Walker called the roll and noted the presence of a quorum sufficient for the conduct of business. On a question regarding committee membership, Chair Walker declared that he has made Trustee Stevens’ resignation from the committee effective end of day on Friday, October 22, 2021.

II. Approval of Consent Agenda Items

Chair Walker asked the committee members if they had any comments or questions about the consent agenda items; there were none. On motion offered by Trustee Eastwood and duly seconded, the committee voted to approve the consent agenda.


Items on the consent agenda appear below:

A. Minutes of April 15, 2021 Meeting
B. FY21 Financial Statements and audit report/comments for UNH Foundation
C. ERM Update on Information Technology and Security
D. Internal Audit Reports Issued:

    1. KSC Admissions Data Security Review Report
    2. PSU Student Billing Audit Report
    3. UNH Undergraduate Admissions Data Security Review Report

Chair Walker noted that the UNH Foundation financial statements were approved by the Foundation’s Board and the ERM update for Information Technology and Security was reviewed by the Administrative Board at their August meeting.

III. Items for Committee Consideration and Action

A. Approve FY21 University System of New Hampshire Financial Statements
B. Review FY21 audit report and comments from CLA

Mr. Jain introduced Francine Ndayisaba, USNH Director of the Financial Operations Center and Controller, and Andy Lee and Luke Winter from CLA. Ms. Ndayisaba noted that the audit went well and there were no concerns. She discussed financial highlights including statements of revenues, expenses, and changes in net position since FY17, statements of net position since FY17, and statements of cash flows since FY17. Financial highlights in FY21 include:

• USNH had an unprecedented net loss of $44M. The results reflect the impact of Covid-19 related costs of $64M of which approximately $50M were in surveillance testing, offset by $20M in HEERF institutional support and $33M in GOEFFER state support. In addition, the Covid Enhanced Voluntary Separation Incentive Program (CERP) had a cost of $56M. There were 485 participants in the program.

• There were healthy returns on endowment investments which increased the market value of total endowments by $211M over the prior year

• There was a $39M net increase of UFR. The increase in endowment returns drove this increase.

• USNH adopted three new accounting standards. The most notable standard adopted was GASB 84 regarding fiduciary activities which affects reporting of the Operating Staff Retirement Plan (OSRP). However, USNH has historically presented these funds in the notes to the financial statements so no further compliance was necessary. The remaining two accounting standards had no effect on the financial statements.

Ms. Ndayisaba drew the committee’s attention to net tuition and fees, employee compensation and supplies and services on the statements of revenues, expenses and changes in net position. Net tuition and fees decreased due to a decrease in enrollment and an increase in financial aid.


Employee compensation increased in large part because of the CERP. The supplies and services cost increased due to Covid expenses. On the statements of net position, Ms. Ndayisaba highlighted the increase in endowment and similar investments due to healthy returns and the increase in other liabilities and deferred inflows of resources again due to the CERP. Finally, Ms. Ndayisaba discussed receipts from tuition and fees (net), noncapital gifts, grants and other receipts, and net cash (used in)/provided by investing activities on the statements of cash flows. There was a decrease in net tuition and fees due to FY20 student refunds which remained in student accounts. USNH received grants such as CARES and GOEFFER grants which contributed to the increase in grant funds. Net cash increased due in part to an investment liquidation. Chair Walker expressed his appreciation for the work of Ms. Ndayisaba and her team. There were no questions or comments from the committee. Mr. Lee briefly reviewed the engagement scope and deliverables which includes issuance of the following reports: required governance communications letter, internal control communication letter, and a management letter, if necessary. Mr. Lee noted that a management letter was not necessary this year. The Uniform Guidance Audit is in progress. CLA is expecting one compliance supplement. They will perform Major Program Determination and Risk Assessment to identify other major programs for testing. The results are typically provided at the January Audit Committee meeting. Mr. Lee reviewed the responsibility overview of governance, management and the independent auditor, and audit focus areas. He noted that the focus areas did not deviate from the plan discussed at the April Audit Committee meeting. Finally, Mr. Lee stated that the USNH Financial Statement audit resulted in an unmodified opinion (“clean opinion”) on the financial statements, noting his appreciation to the USNH Accounting and Finance team. 
Regarding internal controls, Mr. Winter stated that CLA found no material weakness or significant deficiencies, no non‐compliance with laws and regulations regarding internal controls over financial reporting, compliance and other matters. He reminded the committee that CLA does not express an opinion on the effectiveness of the System’s internal controls because it is not required under GAAS. Mr. Winter briefly discussed the footnotes in the financial statements, specifically management’s significant accounting policies (Note 1) and disclosure around the COVID‐19 pandemic (Note 15).


CLA concluded that management has a reasonable basis for significant judgements and estimates for items including Net Pension Asset & Net OPEB Liability and noted that they are in agreement with management. There were no corrected misstatements, errors or adjustments noted. There was one uncorrected misstatement regarding Investment FMV Appreciation. Mr. Winter emphasized that this was not an error; the confirmations revealed that there was a higher threshold than shown. There were no disagreements with management on accounting/auditing matters. Emerging issues include GASB 84, 87, 93 and 96. GASB 84 regarding Fiduciary Activities (any funds owned by other parties) was adopted in FY21. CLA concluded that OSRP funds are immaterial to USNH and subsequently a separate statement is unnecessary. GASB 87 regarding Leases is effective in 2022 and will be a significant workload. Management is working with an accounting firm to comply with the standard. Also effective in 2022 is GASB 93 regarding replacement of interbank offered rates; however, it should have no major effect on USNH. GASB 96 regarding cloud-based subscription information technology arrangements is effective in 2023. In response to a question from Chair Walker, Mr. Lee stated that much of the audit work was done virtually. CLA and management will revisit this arrangement for next year’s audit. Mr. Lee noted that CLA is comfortable with that approach. Mr. Winter mentioned that CLA will be on site at UNH next week for the single audit. The following motion was made by Trustee Eastwood, duly seconded, discussed, and approved with no votes abstained or dissenting.

VOTED, on recommendation of the Chief Administrative Officer, that the USNH Financial Statements for the fiscal year ended June 30, 2021 be approved and forwarded to the Board of Trustees with the following recommended action:

MOVED, on recommendation of the Audit Committee, that the USNH Financial Statements for the fiscal year ended June 30, 2021 be accepted and forwarded to the Governor, the Legislative Fiscal Committee, and others as specified in state law RSA 187-A:22.

C. Approve Audit Committee FY22 Meeting Schedule and Work Plan

Mr. Jain noted that the work plan is being presented at this meeting due to the cancellation of the June 2021 meeting. Items expected to be on the January agenda include the Single Audit report, Internal Audit’s annual plan and report, and ERM updates as presented to Administrative Board. The Title IX report is on the agenda for the January 2022 meeting; however, the Title IX Coordinators have proposed to present the next report at the January 2023 meeting because of changes in the state law. The timing can be adjusted based on the committee’s expectations. The following motion was made by Trustee Eastwood, duly seconded, discussed, and approved with no votes abstained or dissenting.


VOTED, on recommendation of the Chief Administrative Officer, that the Audit Committee FY22 Meeting Schedule and Work Plan be approved.

V. Items for Committee Consideration and Discussion

A. Title IX Annual Report

Chair Walker introduced the Title IX staff present at the meeting. Jeffrey Maher discussed the update and report. He noted that the report was scheduled for the June 2021 meeting, and that the reporting period covers from July 2020 through May 2021. Mr. Maher briefly explained the term “disclosure.” There was a decrease in the total number of disclosures (including pre-affiliation) to 201. These trends are consistent with prior years though the number of incidents is lower due in part to the impact of COVID-19. Sexual harassment and sexual assault with penetration (27% each) were the highest reported types of misconduct, followed by dating violence (12%). Overall, there were approximately 21% fewer disclosures across the University System compared to 2019-2020 (pandemic shutdown) and 31% fewer than 2018-19 (pre-pandemic). Reduced on-campus density, social gathering restrictions, and remote/hybrid classes all contribute to these trends.

The new Title IX regulations were effective in August 2020 so this was the first academic year under the new regulations, which require a formal complaint to initiate an institutional investigation of misconduct. Of 182 affiliated disclosures, 14 parties chose to initiate formal complaints. The high number of formal complaints was unexpected but Title IX Coordinators were able to process them using tools such as shared resources and Zoom.

RSA 188-H was effective in January 2021. Title IX Coordinators are actively working to meet the law’s requirements which include development of policies, climate surveys, awareness campaigns, and data reporting to the NH Department of Education (DOE). A state-wide Task Force, on which USNH is participating, is the vehicle for these requirements. There are also a number of sub-committees being formed. A Confidential Resource Advisor has been designated and protocols regarding investigations and prosecution of sexual misconduct incidents have been updated.
All NH institutions must conduct a climate survey (due in March) and provide annual data concerning allegations of sexual misconduct to the DOE, Department of Health and Human Services (DHHS), NH House and Senate (due annually on October 1). A standardized climate survey was recently released. Data required for DOE reporting include allegations of dating and domestic violence, sexual assault, stalking, concurrent law enforcement investigations, and student conduct outcomes. Important to note is that the data will be comparative to other NH institutions outside of USNH. Trustee Eastwood inquired whether the state data excluded data that has previously been reported. Attorney Martin noted that at a minimum the USNH reports will be supplemented with information concerning 3rd party reports. She also confirmed that data and climate surveys regarding other institutions will be included for the committee.


Chair Walker asked whether there were inconsistencies or redundancies between State and Federal law. Mr. Maher stated there are some inconsistencies because the state law was passed before the Title IX rules were finalized. He noted that the DOE is using the rulemaking process to clarify the requirements for the climate survey. For consistency and data analysis purposes, USNH Title IX Coordinators proposed to consolidate the Board of Trustees report with the annual State reporting. Title IX Coordinators would like to submit their next annual report to the Audit Committee in January 2023 which would cover the data from the prior academic year, and every January thereafter. The committee agreed with this approach. Chair Walker thanked the Title IX coordinators for their valuable work.

B. Results of Audit Committee's Self-assessment

Mr. Jain noted that there was low survey participation. Mr. Jain requested members to provide feedback/comments/questions, which can be incorporated into the upcoming meetings. If necessary, committee members can contact him with any feedback. In response to a question from Chair Walker regarding suggestions for “deeper dive” items, Trustee Stevens emphasized the importance of Title IX and campus culture. He also encouraged USSB representatives to attend meetings. Lastly, he noted the value of USNH financial staff.

C. Review Audit Committee Charter

The Audit Committee has the responsibility to review and assess the adequacy of the Audit Committee Charter on an annual basis and recommend any changes to the Board. No changes to the Audit Committee Charter are recommended by USNH staff at this time. Mr. Jain asked the Committee members to provide suggestions. If necessary, committee members can contact him with any feedback. There were no questions from the committee.

D. Status of Outstanding Audit Issues

Mr. Jain noted that the list of outstanding audit issues (as of June 9, 2021) includes all significant (high risk) open issues from past audit reports and those that were closed since the report was last distributed to the Audit Committee. It is updated semi-annually for follow-up and control monitoring purposes. Of 78 action plans currently being tracked, including nine from internal audit reports issued since the last semi-annual, 11 of the underlying risk/control issues have been reported by management as resolved and the remaining 67 are in process, much improved, on hold, and/or management has accepted the residual risk.


In response to a question from Trustee Eastwood, Mr. Jain noted that Information Technology related risks are most concerning. He and his team work closely with staff responsible for monitoring these items. Much progress has been made to mitigate these risks such as MFA (multi-factor authentication), encryption, etc. Some solutions may require resources and/or technology which delay progress. Trustee Treadwell expressed her appreciation to Mr. Jain and his team for their diligent work.

VI. Other Business

Trustee Jasper expressed his concern regarding inclusion of Cooperative Extension positions in the CERP. He noted that there were approximately 17 positions approved for reinstatement over a 2-3-year period. The departure of these employees and the extended period of time to refill these positions will have a negative effect on farmers in NH, who rely heavily on the Cooperative Extension. Provost Jones agreed with Trustee Jasper’s concern and acknowledged the error and mitigation efforts, noting that there are ongoing efforts to accelerate the reinstatement process. Trustee Eastwood suggested that this topic be added as a formal agenda item for the next Educational Excellence Committee meeting.

This is Trustee Stevens’ last Audit Committee meeting, on which he has served for many years. Chair Walker thanked Trustee Stevens for his gracious and wise guidance over the years and expressed appreciation for all of his accomplishments on the committee. He will be missed. Mr. Jain also expressed his appreciation for Trustee Stevens noting that he has been an integral contributor to the committee and USNH. Mr. Jain stated that Trustee Stevens always understood the challenges faced by management and Internal Audit and provided valuable support. Lastly, he stated that the contributions of Trustee Stevens can never be overstated. Trustee Stevens thanked them for their kind words.

There being no further business, the meeting adjourned at 11:42 a.m.

-- End of Audit Committee Meeting Minutes --


Internal Audit | 5 Chenell Drive, Suite 301, Concord, NH 03301 | usnh.edu  

University of New Hampshire

Student Grades Audit

Report issued November 9, 2021


November 9, 2021

James W. Dean Jr., President
University of New Hampshire
Durham, New Hampshire 03824

Dear President Dean:

This letter conveys our report on the audit on the University of New Hampshire Student Grades. As communicated in our engagement letter of March 5, 2021, the primary objective of the audit is to obtain reasonable assurance on the effectiveness on internal controls over the integrity and security of the student grades, adequacy of oversight over the process, and control override possibilities to evaluate whether the risks are appropriately identified and managed and whether the existent internal controls are efficient, effective, and operate as expected.

This report reflects our observations, which were discussed with members of UNH management, and their action plans in response to our recommendations. It is being distributed to the individuals listed below and will be presented to members of the Audit Committee of the University System of New Hampshire (USNH) at its next scheduled meeting. It is also available for review by external auditors of USNH.

We appreciated the full cooperation and assistance we received from Liz Smith, Associate Registrar of Records and Matthew Grady, Assistant Dean for Registration and Records and Registrar with whom Christine Heise, Senior Internal Auditor, worked most closely as she conducted the fieldwork for this audit. Please feel free to contact me with any comments, questions, or suggestions you may have.

Sincerely,

Ashish Jain
Director of Internal Audit

Distribution:
Andy Colby, University Registrar, UNH
Pelema Ellis, Vice Provost of Enrollment Management, UNH
Matthew Grady, Registrar and Assistant Dean for Registration and Records, UNH Law
Wayne Jones, Provost and Vice President for Academic Affairs, UNH
Bill Poirier, Chief Information Officer, USNH
Catherine Provencher, Chief Administrative Officer and Vice Chancellor for Financial Affairs and Treasurer, USNH


I. Executive Summary

We performed an audit of the University of New Hampshire student grade process. We noted that the control structure, authority, and responsibility over student grades could be enhanced. UNH student grade responsibilities are distributed across UNH campuses. Student grade related processes and systems, including grade entry, grade adjustments, grade monitoring, and academic policy exceptions, are inconsistent and not standardized across UNH campuses and student levels resulting in inaccurate grades assigned, inaccurate grade modes assigned, missing or incomplete supporting documentation, and inappropriate authorization of student grade adjustments. We also noted lack of segregation of duties over student grade transactions.

We recommend that management evaluate the reporting structure, authority, and responsibilities of the campus Offices of the Registrar for standardization and process alignment, including the formal documentation of roles and responsibilities between campus Offices of the Registrar. Management should monitor grade entry and adjustments for accuracy and authorization, develop policies and procedures for grade adjustment authority and academic policy exceptions, and develop supporting documentation retention protocols. Also, instructors at all campuses should be required to enter and submit final grades in Canvas to streamline the process.

We noted that the Canvas and WebCat grade entry interfaces are not consistently reconciled. The systems are not configured or designed with edit input controls and permissions to ensure valid and consistent application of student grades. We also noted inconsistent access between Canvas and WebCat. Management should develop policy and protocols that provide a framework that guides grade access and authorization for Canvas and WebCat. Management should also enhance the configuration of Canvas and WebCat grading systems to provide consistent grade scale menus that align with course grade modes.

We also noted that the change management process for Canvas superuser accounts is ad-hoc and lacks key components, including review and approval. We recommend that formal protocols should be developed for the management and monitoring of admin superuser accounts, privileges, and activity. Management should periodically review Canvas and Banner Student grade access for appropriateness.

We recommend that management enhance monitoring of transfer credits and repeat courses to ensure compliance with UNH policy. Finally, we recommend for management to enhance the monitoring of Parchment (third party vendor used for transcript processing) for compliance with data security requirements and contract terms.

II. Background

UNH Faculty Senate is responsible for UNH undergraduate and graduate grading policies. Any modifications to UNH Durham (UNH-D) and UNH Manchester (UNH-M) grading policies are proposed and approved by the UNH Faculty Senate. UNH Law Faculty are responsible for UNH Law grading policies and proposed to the UNH Law faculty for approval. UNH Law Academic Affairs & Administration Committee (AAAC) is responsible for updating and amending academic rules. UNH undergraduate, graduate, UNH-Law masters and UNH-Law Juris Doctor have different grading policies and grade scales for their programs.


UNH Offices of the Registrar

The UNH Durham (UNH-D) Office of the Registrar serves the students, faculty, staff, and alumni of the University of New Hampshire through registration, maintenance, and security of students’ educational records as well as student data that feeds the academic, reporting, and financial needs for the institution; course and classroom management; graduation, catalogs, and academic support. As part of record keeping, the Office of the Registrar is responsible for grade entry, grade adjustments, grade publishing, and transcript processing.

The UNH Manchester (UNH-M) Registration Office manages course registration, classroom scheduling, and faculty relations for the UNH-M campus. The Registration Office is responsible for several UNH-M functions that are typically under the authority of UNH-D Dean Offices.

The UNH Law (UNH-L) Office of the Registrar is responsible for maintaining student’s official academic records, course scheduling and registration, exam scheduling and administration, bar certification, and veteran certification. The UNH-L Office of the Registrar is also responsible for grade entry, including the processing of student withdrawal requests.

Student Grade Entry

The UNH-D Office of the Registrar is responsible for the publishing of all final grades for all UNH campuses. For UNH-D and UNH-M, all teachers assigned to a course in Banner can enter final grades directly into WebCat. Student grades can also be entered by faculty in the learning management software, Canvas. Both WebCat and Canvas have grade scale drop-down menus for faculty to select the grade to be awarded to the student.

Canvas teacher and student access is granted through a daily feed from Banner to Canvas. All instructors denoted in Banner Student form SSASECT are assigned teacher access in Canvas. Teachers and course designers have the ability to assign other Canvas users’ roles to access their course. Course designer roles are assigned to department administrative assistants for courses to facilitate the setup of courses in Canvas when the instructor has not yet been determined. See the chart below for commonly used Canvas roles that provides access to student grade information:

| Canvas Roles Permissions | TA | Teacher | Designer |
|---|---|---|---|
| Add/remove other teachers, course designers or TAs to course | No | Yes | Yes |
| Add/remove students | Yes | Yes | Yes |
| Edit grades | Yes | Yes | No |
| Moderate grades | No | Yes | No |
| View grades | Yes | Yes | Yes |

Faculty designated as the primary instructor in Banner are authorized to submit final grades in Canvas. Grades entered in Canvas are transferred to WebCat through the grade passback process. UNH has developed code to validate grades submitted in Canvas for publishing in WebCat. If any grade errors exist, the faculty member will receive an email notifying them of the error in publishing grades. The types of errors that the rules will check for include: (1) grades were submitted for students not registered for the course, (2) final grade does not equal the current grade, (3) person who submitted grades is not the instructor of record, (4) grade not valid for course, (5) grading period is closed, and (6) student is not an active UNH student. For

Page 21 of 229

University of New Hampshire Student Grades Audit   

UNH-L, grades are entered into Banner Student by the UNH-L Office of the Registrar staff. Banner Student is the system of record for student grades. UNH-D and UNH-M share the same grade scale; whereas UNH-L has their own grade scale which is different for UNH-L JD major and other UNH-L Master’s program majors. The grade mode is the grading schema assigned to a course. Undergraduate students may elect to take a limited number of elective courses pass/fail. Grade mode options are coded on each course, and student registrations reflect grade mode when a choice is relevant. At UNH, the following grade modes are used: letter grade, pass/fail, credit/no credit, satisfactory/unsatisfactory, and audit. In addition, UNH-D and UNH-M use the grade mode to denote students who have elected to take a course as pass/fail. The WebCat and Canvas grade dropdown menus available for grade entry populates grades associated with a course. UNH-D Office of the Registrar runs periodic grade monitoring reports to identify potential issues in grades assigned to UNH-D and UNH-M undergraduate and graduate students. These error reports include: (1) letter grades entered for credit/fail courses, (2) credit/fail grade entered for letter grade course, (3) AF* or F* grades entered for letter grade course, (4) withdrawn students with an incomplete grade, (5) withdrawn students with a letter grade, (6) withdraw grades that have not been published to academic history, and (7) letter grade for an audit course. Student Grade Adjustments For undergraduate student grade changes submitted before the middle of the semester immediately following the one in which the grade was granted may be approved by the Dean of the College. After mid-semester, students must petition the Academic Standards and Advising Committee (ASAC) for any grade changes. 
For graduate student grade changes, after consulting the instructor, if a student still believes that the grade is unfair, the student has the right to seek redress from the chairperson of the department or program in which the course is offered. Under exceptional circumstances, a final appeal may be made to the Dean of the College or School in which the program is offered.

For UNH-L JD student grade changes, a student desiring to appeal an instructor’s final grade should do so to the Associate Dean of Academic Affairs at UNH School of Law. A written appeal must be delivered to the Associate Dean of Academic Affairs no later than the fifth week of the fall semester in the case of grades from spring or summer courses or the fifth week of the spring semester in the case of grades from fall courses.

Student grade adjustments are requested through the completion of the Special Grade Report (SGR). This form is initiated by the instructor and is approved by the respective UNH College Dean. In July 2021, functionality allowing faculty to submit grade adjustments via WebCat was implemented. Grade adjustments for all UNH campuses and students are processed through the UNH-D Office of the Registrar.

During FY20 and FY19, there were 13,136 and 5,376 student grade changes processed. The FY20 grade changes related to academic terms ranging from Fall 2001 to Summer 2020, with 88% of grade changes related to FY20 academic terms. The top five grade change codes for FY20 and FY19 represented 91% and 69% of the total of grade changes.

| Top 5 Grade Change Codes | Grade Change Description | FY20 - # of Grade Change Transactions | % of Total FY20 Grade Change Transactions | FY19 - # of Grade Change Transactions | % of Total FY19 Grade Change Transactions |
|---|---|---|---|---|---|
| SG | Substitute Grade | 9,447 (1) | 72% | 853 | 23% |
| LR | Late Roster – Replace IX Grades | 776 | 6% | 696 | 19% |
| MC | Make Up Work Completed | 709 | 5% | 746 | 20% |
| TP | Thesis Project Completed | 555 | 4% | 618 | 16% |
| IC | Instructor Correction | 543 | 4% | 804 | 22% |

(1) 9,157 of grade change transactions were related to student’s election for pass/fail grading, in accordance with UNH Faculty Senate Motion# XXIV‐M11 on pass/fail for Spring semester 2020.

Transfer Course Grades

Transfer credits and grades are processed by the campus Registrar office for existing students. For new incoming students, transfer credits and grades are processed by the respective campus Admissions Office.

Repeat Course Grades

UNH-D Office of the Registrar has developed an automated process that identifies potential repeat courses for review for undergraduate degree students. Graduate student repeat courses are identified through a SQL report and reviewed manually by the Office of the Registrar. The UNH-L Office of the Registrar uses WebI Student reporting to identify repeat courses for review and adjustment.

Delegation of Authority

According to OLPM BOT III.B, the Board of Trustees has authorized any authority assigned or delegated by any policy of the Board of Trustees may be delegated or redelegated unless a contract intent is clear from the language or context of the policy. Delegations should be in writing and retained in an appropriate manner to ensure both preservation for a sufficient period of time and relative ease of reference.

Transcript Reporting

UNH has contracted with a third-party vendor, Parchment, for the processing of UNH transcript requests. Parchment collects and processes credit card information from the student for the transcript order. USNH Information Security completed a security assessment review prior to entering into the contract. As a provision of the contract, Parchment is to provide USNH with an annual PCI Certificate of Compliance.

III. Scope

The audit focused on key controls surrounding the student grade process and compliance with policies. We performed an audit to obtain reasonable assurance whether the risks associated with the integrity and security of student grades are appropriately identified and managed, internal controls are in place, and the established internal controls are designed effectively and operating as expected. Specifically, we performed the following procedures:

Reviewed a sample of UNH grade entry transactions assigned for approval, authorization, and compliance with UNH grading policies;

Reviewed a sample of UNH transfer and repeat course grade transactions for compliance with UNH policies;

Reviewed a sample of grade adjustment transactions for authorization and compliance with UNH grading policies;

Reviewed grades assigned for students in a sample of undergraduate, graduate, and JD majors for Fall 2020, Spring 2020, and Summer 2020 semesters to determine if grade assigned aligned with grade mode;

Reviewed UNH Spring 2020 grading policy resolutions for authorization and approval;

Reviewed modify access to Banner Student Grade Entry Form SFASLST, Banner Grade Adjustment Form SHATCKN, and Banner Grade Process SFUIXGR;

Reviewed view access to student grades in Banner Student Forms SFARHST, SFASLST, SHACRSE, SHATERM, and SHATRNS;

Reviewed Canvas access for users assigned course roles with edit and moderate grade permissions;

Reviewed WebCat access for faculty assigned access to courses;

Reviewed modify access to UNH code server;

Interviewed personnel in the UNH-D Office of the Registrar, UNH-L Office of the Registrar, Enterprise Technology and Services, and Teaching and Learning Technologies and met with management to confirm test results.

Internal Audit noted that UNH Teaching and Learning Technologies staff made changes to Canvas admin accounts and Canvas role permissions during the information gathering phase of the audit. As a result, for purposes of the audit, we relied on Canvas role, user, and access reports provided to Internal Audit, and our audit procedures may not fully identify control issues with Canvas roles and access. Student grade data security elements were presented in this audit report but were not the primary objective of the audit. The compliance with student program requirements for degree completion was outside the scope of this audit. Access to systems maintaining grade data (e.g., WebI) was not considered in scope of this audit.

IV. Report Structure

The seven observations in Section V of this report outline internal control issues for management’s attention and consideration. The order of the comments is based on their relative importance in terms of potential risk to UNH or foregone effectiveness if not addressed. The observations marked with an asterisk indicate the significance for management attention and resolution, which will be tracked for the USNH Audit Committee’s monitoring until resolved. The report contains recommendations that management has considered and incorporated in the management action plans indicated below. The business process improvement observations in Section VI are strongly recommended but do not require a management action plan.

V. Observations

*1. Enhance authority, responsibility, and structure

We noted that UNH student grade responsibilities are distributed across the campus UNH Offices of the Registrar. We noted that there is no formal documentation of roles and responsibilities among the campus Offices of the Registrar. We also noted that student grade related processes and procedures, including grade entry, grade adjustments, grade monitoring, and academic policy exceptions, are inconsistent and not standardized between UNH campuses and student levels (i.e., undergraduate, graduate, masters, and JD). Finally, we noted that the level of authority and time limits for grade adjustment transactions are not consistent among UNH programs.

Due to inconsistencies in grade related processes and procedures, we noted inaccurate grades assigned, inaccurate course grade modes, inaccurate student grade modes, missing or incomplete supporting documentation, and inappropriate authorization of student grade adjustments. We also noted lack of segregation of duties over student grade transactions and inadequate review of grade entry. There is the risk that student grades are inaccurate or invalid and are not in compliance with UNH policies, resulting in reputational loss. Refer to Appendix I for detailed observations and recommendations.

We noted that UNH-Law grade adjustments were initiated (on behalf of the instructor) and approved by the UNH Law Assistant Registrar. The Assistant Registrar combined her own authority with the Registrar’s informally delegated authority to process these transactions, which resulted in a lack of review over the grade adjustments. We noted that the UNH Law Assistant Registrar authorized special grade report forms on behalf of the UNH Law Registrar. Through inquiry, the UNH Law Assistant Registrar indicated that the Registrar verbally delegated authority replicating her signature on various forms, including special grade reports. We noted that there was no documentation to support this delegation. The delegation of authority by the UNH Law Registrar is not in compliance with OLPM BOT III.B, which requires the delegation to be in writing and retained. There is the risk that student grade adjustment transactions are not properly reviewed, approved, and authorized, resulting in the loss of reputation.

Finally, we noted that UNH-L proposed a modification to Academic Rule IV (Grading) applicable to the Spring 2020 semester. This modification intended to allow instructors to award only credit/no credit (CR/NCR) grades in certain circumstances. Although CR/NCR grades were awarded, we were unable to obtain documentation to support the review and approval of the underlying modification. Also, we noted that CR/NCR grades are not currently defined in UNH-L Academic Rule IV.

We have the following recommendations with regards to this observation:

Refer to Appendix I for detailed recommendations related to student grade entry and adjustment testing.

Management should evaluate the reporting structure, authority, and responsibilities of the campus Offices of the Registrar for standardization and process alignment.

UNH should consider standardized student grade processes across UNH campuses.

Management should formalize the documentation of roles and responsibilities for UNH campus registrar operations.

Management should review grade change procedure time limits and authorization protocols for student grade adjustments for UNH programs for appropriateness and determine if in alignment with management expectations.

Management should develop procedures for the documentation, tracking, and monitoring of delegation of authority for UNH Office of the Registrar forms.

Management should formally approve the UNH Law Spring Emergency & Operations resolution (which modified Academic Rule IV: Grading for Spring 2020 semester) and for authority and compliance with academic rule modification procedure.

Management should formally define UNH Law grades awarded to students in Spring 2020 semester.    

Management Action Plan

The following actions will be taken to address the above observation:

1. See UNH-L action plans referenced in Appendix I. The UNH Law action plans encompass the following three main areas: (1) Return responsibility for submitting individual student grades to faculty. Faculty will directly submit student grades into WebCat/Banner. (2) Clarity and adherence to deadlines and policies. Deadlines will be reviewed, published, and included on all relevant forms. Authority for approvals, and the designated approving authority, will be reviewed and published and identified on all forms. Deadlines will be followed and all deviation from deadlines or standard policies for the 2021-2022 year may only be approved by the Associate Dean of Academic Affairs (ADAA) or, in her absence, the Associate Dean for Administration and Enrollment (ADEA). Possible delegation of this authority will be considered in 2022-2023 after a review of all processes. (3) Form and document review and retention.

Responsible Party: UNH-L Associate Dean of Academic Affairs and UNH-L Assistant Dean for Registration and Records, unless otherwise noted in Appendix I Due Date: August 31, 2022, unless otherwise noted in Appendix I

2. Create a shared resource that is accessible and maintained by Registrar management at all UNH campuses. UNH-D will create the platform and will include the following documents: 1) operational calendar outlining grade related tasks and deadlines and the staff/campus that will complete work, 2) policies and procedures handbook with designated sections for UNH-D and UNH-M undergraduate programs, UNH-D and UNH-M graduate programs, UNH-L Juris Doctor and UNH-L graduate programs, 3) record of delegation of authority and, 4) USNH Student Grade Audit Report and action plan tracker. UNH-D management will ask management at all campuses to assist in maintenance of the documents. Changes to the documents will be tracked for archival purposes. This will bring consistency and transparency to the work that all campuses do and will ensure that there is a centralized source to aid in procedural improvement, efficiency, authority, and communication.

Responsible Party: UNH-D Associate Registrar of Records Due Date: March 15, 2022

3. In July 2021, functionality allowing faculty to submit final grade changes via WebCat was implemented. The tool was designed to enforce UNH grade change policy, accuracy, authority, and data security. As of the publication of this report, UNH-D and UNH-M faculty use this functionality. Management plans to make the functionality available to UNH-L faculty in a Phase 2 implementation.

Responsible Party: UNH-L Registrar and Assistant Dean for Registration and Records and UNH-D Associate Registrar of Records Due Date: August 31, 2022

4. Management will work to update Student Rights, Rules, and Responsibilities (SRRR) 07.14(ad) to include a dean’s right to delegate his or her authority.

Responsible Party: University Registrar Due Date: September 1, 2022

5. Management will develop a biannual process to review a random selection of grades and grade adjustments processed by all campuses. To ensure review is built into current business processes, management will add this task to the calendar which will be accessible by Registrar management across all campuses. Findings and action taken will be recorded and archived.

Responsible Party: UNH-D Associate Registrar of Records Due Date: March 15, 2022

6. UNH-D Office of the Registrar will work with the Associate Dean for Academic Affairs to evaluate the Graduate School grade change policy time limits and authorization level.  

Responsible Party: UNH-D Associate Registrar of Records Due Date: December 1, 2021

7. UNH-L will obtain documentation of faculty vote to approve UNH-L Spring Emergency & Operations resolution, which modified Academic Rule IV: Grading for the Spring 2020 semester. If this documentation is not available, UNH-L will retroactively approve the resolution.

Responsible Party: UNH-L Associate Dean of Academic Affairs Due Date: December 31, 2021

8. UNH-D and UNH-L management will include Credit (CR) grade and definition on UNH-L transcript key.

Responsible Party: UNH-L Registrar and Assistant Dean for Registration and Records, and UNH-D Associate Registrar of Records Due Date: December 1, 2021

9. Academic Rule IV: Grading is under review this year by the Academic Affairs and Administration Committee, co-chaired by the Associate Dean of Academic Affairs. Review, revision, and implementation will be complete before the end of the academic year.

Responsible Party: UNH-L Associate Dean of Academic Affairs Due Date: June 15, 2022

*2. Enhance grading system interfaces

We noted that the Canvas and WebCat systems have not been designed with edit input controls and permissions to ensure valid and consistent application of student grades. We noted that the grade menus in the Canvas and WebCat systems are not configured to the course grade mode. We also noted that the grade scale menus in Canvas and WebCat are not consistent. As an example, instructors must enter incomplete (IC) grades in WebCat, as the Canvas grade scale menu does not have this grade available. Also, we noted that final grade submittal permissions vary between WebCat and Canvas. All course instructors listed in Banner Student can submit grades in WebCat, whereas only the primary instructor can submit final grades in Canvas. Finally, we noted that select Canvas roles have the ability to add students to a course in Canvas, bypassing the automated control of registered students being assigned the student role via a feed from Banner Student to Canvas.

Due to the above system configuration, UNH-D has developed grade passback code and grade reporting error reports (for UNH-D and UNH-M students) to identify exceptions, rather than designing the system to not allow for invalid grade entries or grade submittals. Also, system interface errors noted are not managed and reconciled to ensure that errors are resolved and grades are appropriately transferred from Canvas to the WebCat system. Instead, numerous manual and time-consuming workarounds are created, which still do not provide reasonable assurance that the data is appropriately transferred from Canvas to WebCat. There is the risk that invalid or improper grades are posted to student academic records.

We have the following recommendations with regards to this observation:

Policies and protocols should be developed to guide grades setup, access, and authorization of WebCat and Canvas.

Management should redesign Canvas and WebCat grade scale menus to be consistent and align with course grade modes.

Grade submittal authorization should be evaluated and applied consistently in WebCat and Canvas.

Canvas user roles should be updated to not allow for Canvas users to manually add a student to a course.

Interface between Canvas and WebCat should be reconciled and Canvas grade passback errors should be tracked and managed to ensure resolution.

Management Action Plan The following actions will be taken to address the above observation:

1. Management will develop grades access policy and protocols that will provide framework for access and authorization in WebCat and Canvas, which will be approved by the UNH Provost.

Responsible Party: UNH-D Associate Registrar of Records and University Registrar Due Date: October 15, 2022

2. UNH-D management will explore functionality in Banner admin page GTVSDAX to ensure the grade drop down menu in WebCat displays grades associated with a course section. UNH-D and TLT management will explore the redesign of Canvas grade scale menu to be consistent, including IC grade.

Responsible Party: UNH-D Associate Registrar of Records  Due Date: March 15, 2022  

3. Registrar and TLT management will work to align WebCat and Canvas grade submission permissions so that all instructors of record (assigned in Banner) have the ability to submit grades for a course in both systems. Management will draft a grades access policy statement to ensure consistency in Banner and Canvas roles. The policy statement will be shared between TLT and Registrar management. Policy statement will address the fact that Banner requires one “primary” instructor on a course. Departments often assign more than one instructor to a course and all instructors have equal roles; one instructor is not designated as “primary” by the department. In this scenario, the “primary” instructor designation is arbitrary, and all instructors have grading responsibilities.

Responsible Party: UNH-D Associate Registrar of Records Due Date: March 15, 2022

4. University Registrar confirmed with Academic Standards and Advising Committee that instructors must retain the ability to manually add students to Canvas rosters. Registrar management will propose adding text to Canvas that will be displayed when a teacher adds an individual to a course roster, alerting them of the fact that the student must also submit a formal request to add the course according to university policy. Management notes that an official grade cannot be submitted for a student that has been added to a course roster in Canvas but has not gone through the formal university procedure to officially add the course.

Responsible Party: UNH-D Associate Registrar of Records Due Date: December 1, 2022

5. Current procedures exist to identify discrepancies between Banner and Canvas rosters; however, instructor response rates are low. To address USNH Internal Audit’s concern regarding Canvas users’ ability to add a student to a course, Registrar management will evaluate this current procedure and will investigate improvements in an effort to increase effectiveness. In addition to this, UNH-D and TLT management will investigate a procedure to compare Canvas and Banner course rosters after the add/drop period closes. UNH-D Registrar management will consider outreach to students that have been manually added to the Canvas roster but have not gone through the formal university procedure to officially add the course.

Responsible Party: UNH-D Associate Registrar of Records Due Date: June 15, 2022

6. Registrar and TLT management will review grade passback errors and automated responses to teachers to ensure errors are resolved. As previously stated, management will evaluate Canvas and Banner functionality in an effort to reduce the number of errors produced (see Action Plan 2(2)).

Responsible Party: UNH-D Associate Registrar of Records Due Date: March 15, 2022

Internal Audit Response to above Management Action Plan:

Manual processes are inefficient, prone to human error, and a waste of limited UNH resources and consequently should not be considered a replacement for automated system control. This way the University can leverage technology while having a better control environment. We recommend that the interface reconciliation verification process should be implemented to confirm that the data extracted from Canvas is accurately and completely reflected in WebCat.
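The interface reconciliation recommended above can be sketched as follows. This is an added example, not code from UNH or from the audit report; the record layouts, course codes, student ids and the passback error log format are assumptions, and all data is constructed.

```python
"""Reconcile grades submitted in Canvas against grades posted in WebCat."""
from collections import defaultdict

# Constructed sample data. Field names, course codes and student ids are
# assumptions for illustration, not real Canvas, WebCat or Banner exports.
CANVAS_SUBMITTED = [
    {"course": "ENGL401-01", "student": "S001", "grade": "A"},
    {"course": "ENGL401-01", "student": "S002", "grade": "B+"},
    {"course": "ENGL401-01", "student": "S003", "grade": "C"},
    {"course": "MATH425-02", "student": "S004", "grade": "B"},
    {"course": "MATH425-02", "student": "S005", "grade": "A-"},
    {"course": "MATH425-02", "student": "S007", "grade": "B-"},
]
WEBCAT_POSTED = [
    {"course": "ENGL401-01", "student": "S001", "grade": "A"},
    {"course": "ENGL401-01", "student": "S002", "grade": "B"},
    {"course": "MATH425-02", "student": "S004", "grade": "B"},
    {"course": "MATH425-02", "student": "S006", "grade": "IC"},
]
# Hypothetical passback error log: one row per rejected grade.
PASSBACK_ERRORS = [
    {"course": "ENGL401-01", "student": "S003",
     "reason": "student not registered for the course", "resolved": False},
    {"course": "MATH425-02", "student": "S007",
     "reason": "grading period is closed", "resolved": True},
]


def index_grades(rows):
    """Map (course, student) -> grade; a duplicate key is rejected outright."""
    grades = {}
    for row in rows:
        key = (row["course"], row["student"])
        if key in grades:
            raise ValueError(f"duplicate grade record for {key}")
        grades[key] = row["grade"]
    return grades


def reconcile(canvas_rows, webcat_rows, error_rows):
    """Return (exceptions, totals) for one passback run.

    exceptions: sorted list of (course, student, category, detail)
    totals: per-course control totals with keys canvas, webcat, matched
    """
    canvas = index_grades(canvas_rows)
    webcat = index_grades(webcat_rows)
    errors = {(e["course"], e["student"]): e for e in error_rows}
    exceptions = []
    totals = defaultdict(lambda: {"canvas": 0, "webcat": 0, "matched": 0})

    for (course, student), grade in canvas.items():
        totals[course]["canvas"] += 1
        posted = webcat.get((course, student))
        error = errors.get((course, student))
        if posted == grade:
            totals[course]["matched"] += 1
        elif posted is not None:
            exceptions.append((course, student, "GRADE_MISMATCH",
                               f"Canvas={grade} WebCat={posted}"))
        elif error is None:
            # Dropped silently: no error was ever raised for this grade.
            exceptions.append((course, student, "MISSING_NO_ERROR_LOGGED",
                               f"Canvas={grade}"))
        elif error["resolved"]:
            # Error was closed, yet the grade still never reached WebCat.
            exceptions.append((course, student, "CLOSED_ERROR_NOT_POSTED",
                               error["reason"]))
        else:
            exceptions.append((course, student, "OPEN_PASSBACK_ERROR",
                               error["reason"]))

    for (course, student), grade in webcat.items():
        totals[course]["webcat"] += 1
        if (course, student) not in canvas:
            # Entered outside the passback, e.g. directly in WebCat.
            exceptions.append((course, student, "WEBCAT_ONLY",
                               f"WebCat={grade}"))

    return sorted(exceptions), dict(totals)


def is_complete(totals):
    """A run is complete only when every Canvas grade matched in WebCat."""
    return all(t["matched"] == t["canvas"] for t in totals.values())


if __name__ == "__main__":
    found, control = reconcile(CANVAS_SUBMITTED, WEBCAT_POSTED, PASSBACK_ERRORS)
    for item in found:
        print(*item, sep=" | ")
    for course, t in sorted(control.items()):
        print(course, t)
    print("complete:", is_complete(control))
```

The WEBCAT_ONLY category is a review item rather than an error in itself, since the report notes that incomplete (IC) grades have to be entered in WebCat directly.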

*3. Enhance periodic access review and monitoring

a. Canvas admin accounts are highly privileged accounts primarily used for system administration. During the audit, we noted that the Canvas admin account access modification process is ad hoc and lacks key components, including appropriate review and approval. In addition, we noted that the semi-annual review of admin accounts for appropriateness is informal and ineffective. Finally, we noted that admin account activity is not periodically reviewed for appropriateness. Specifically, we noted the following with regards to Canvas admin accounts:

i. One shared superuser admin account, for which the credentials are saved on the shared drive in a folder accessible to the Teaching and Learning Technology staff

ii. Two superuser admin accounts had non-USNH email addresses

iii. 15 superuser admin accounts had dummy/invalid email addresses. We noted that these accounts were associated with student workers employed by UNH Teaching and Learning Technology department to provide customer support to Canvas users. These students are assigned student admin access to Canvas. This access allows students to impersonate an instructor, allowing them to enter or modify grades and submit final grades. We noted that there was no documented periodic review of student admin account activity. To protect the integrity and confidentiality of student data, student workers must be assigned carefully defined roles and responsibilities and provided data security training. There is the risk that a student worker can access or modify student grade information for unauthorized purposes, which can result in the loss of reputation to the University.

These conditions exist because there are no formal protocols for the granting of access to grades, for the management and monitoring of admin accounts, or for reviewing admin user activity. There is a risk that unauthorized or accidental modifications are made to the Canvas system which could go undetected, resulting in inaccurate grade entry, modifications, or submittals.

We have the following recommendations with regards to this observation:

Management should develop formal procedures for the review and approval of changes to system administration users, permissions, and roles. The review and approval should be tracked, documented, and communicated.

Management should periodically review Canvas admin account activity for appropriateness.

Management should implement and document the periodic review of Canvas admin user access for appropriateness and alignment with job responsibilities.

Admin account credentials should not be shared. Alternatively, management should document how and when the shared admin account should be used, which users can use the account, and change the password periodically.

Management should discontinue the practice of storing admin credentials in electronic shared files.

Management should develop and assign student workers carefully defined roles and responsibilities limiting their access to sensitive data, including student grades. In addition, management should extend data security training to student workers.

Management should consider modifying the Canvas student admin account role to exclude view and modify access to student grades. Alternatively, management should periodically monitor and document the review of Canvas student admin account activity.

Management Action Plan

The following actions will be taken to address the above observation:

1. The admin account access review process will be documented and will include limiting who has access, justification of access, and how credentials are to be stored.

Responsible Party: AT Application Administrator Due Date: November 30, 2021

2. The Application Administration (App Admin) team will document the approval process of changes to permissions and additions of roles. These changes and who approved these changes will be tracked in a separate audit/change log specific for admin rights.

Responsible Party: AT Application Administrator Due Date: November 30, 2021

3. In June 2021, App Admin changed the dummy email addresses for student worker local accounts to the App Admin mailing list [email protected]. Emails sent to this email address are received by App Admin team. If there is a change to the student admin account, the App Admin team, including the manager, will receive a notification.

4. TLT will reach out to the Cybersecurity team to discuss best practices for creating admin accounts and will work on a process that follows their suggestions for securing the accounts.

Responsible Party: Director, Teaching and Learning Technologies Due Date: November 15, 2021

5. Currently, there is no password vault in which we are able to store account passwords. Since we need to share some admin account information, management agrees that we will continue to store passwords in a folder accessible to only the App Admin team. ET&S is planning to roll out a password vault tool and once that is rolled out, App Admin will use that tool and no longer store passwords in OneDrive.

Responsible Party: AT Application Administrator Due Date: October 31, 2022

6. App Admin will put a process in place to annually change local admin account passwords in line with USNH password policy. Also, the password will be changed when there are changes in App Admin staff. Once the password vault tool is rolled out this process will be automated.

Responsible Party: AT Application Administrator Due Date: October 31, 2021.

7. Student admin privileges were changed in June 2021 during the audit process, and they no longer have admin accounts that allow masquerading as an instructor or the ability to modify or view grades.

Responsible Party: AT Application Administrator Due Date: June 30, 2021

8. The App Admin team will document the steps involved with auditing the student admin account activity. An audit log will be created to record the time and the name of the person that completed the audit along with any findings. Also, the App Admin team will increase the auditing of student admin accounts to bi-monthly.

Responsible Party: Director, Academic Application Administration & Support Due Date: December 31, 2021.

9. The App Admin manager will review the audit log quarterly to ensure audits are happening and there are not any concerning activities, such as off-hours access or pageviews in areas they should not be in.

Responsible Party: Director, Academic Application Administration & Support Due Date: December 31, 2021.

10. Student workers sign the ET&S confidentiality and cyber security agreements. The Director of TLT Application Administration and User Support will discuss the possibility of holding data security training for TLT student workers with the USNH Cybersecurity group.

Responsible Party: Director, Academic Application Administration & Support Due Date: December 31, 2021

b. We noted that Canvas user and course role access is not periodically reviewed for appropriateness. During our review of Fall 2020 Canvas course enrollments, we noted the following:

20 course teacher roles assigned to non-employees

61 course TA roles assigned to non-employees

151 course teacher roles assigned to students

580 course TA roles assigned to students

12 courses had no teacher assigned, but had TA, Learning Assistant, Observer and Academic Advisor roles assigned

55 courses that had both the designer and teacher role assigned

These conditions exist because there is no formal review and approval process or policy for the granting of access to student grades. There is the risk that sensitive student information is not protected; inappropriate users are assigned access to the course; and grade entry and modifications are not authorized.
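A periodic review that produces the categories of exception listed above could look like the following. This is an added example, not code from UNH or from the audit report; the role labels, the single-valued affiliation directory, the Banner instructor-of-record list and all sample records are assumptions constructed for illustration.

```python
"""Review Canvas course role assignments against affiliation and Banner data."""
from collections import Counter, defaultdict

# Role labels and the single-valued affiliation are assumptions for this
# example; a real directory may report several affiliations per person.
GRADE_ROLES = {"teacher", "ta"}

# Constructed sample data (course codes and user ids are made up).
DIRECTORY = {"u1": "employee", "u2": "student", "u3": "none",
             "u4": "employee", "u5": "student"}
# Instructors of record as they would arrive through the Banner feed.
BANNER_INSTRUCTORS = {("BIOL411-01", "u1")}
ENROLLMENTS = [
    ("BIOL411-01", "u1", "teacher"),
    ("BIOL411-01", "u2", "ta"),        # student holding a TA role
    ("BIOL411-01", "u5", "student"),
    ("CHEM403-02", "u3", "teacher"),   # teacher with no employee record
    ("CHEM403-02", "u5", "teacher"),   # student holding a teacher role
    ("CHEM403-02", "u4", "designer"),  # designer active alongside teachers
    ("HIST405-01", "u8", "ta"),        # account absent from the directory
    ("HIST405-01", "u4", "observer"),  # course has no teacher at all
]


def review_roles(enrollments, directory, banner_instructors):
    """Return a sorted list of (course, user, category) findings.

    Course-level findings use "-" in the user position.
    """
    findings = []
    roles_by_course = defaultdict(set)

    for course, user, role in enrollments:
        roles_by_course[course].add(role)
        if role not in GRADE_ROLES:
            continue
        # Accounts missing from the directory are treated as non-employees.
        affiliation = directory.get(user, "unknown")
        if affiliation == "student":
            findings.append(
                (course, user, f"{role.upper()}_ROLE_HELD_BY_STUDENT"))
        elif affiliation != "employee":
            findings.append(
                (course, user, f"{role.upper()}_ROLE_HELD_BY_NON_EMPLOYEE"))
        # A teacher role that did not come from Banner was assigned manually
        # inside Canvas and bypassed the instructor-of-record approval.
        if role == "teacher" and (course, user) not in banner_instructors:
            findings.append((course, user, "TEACHER_NOT_IN_BANNER"))

    for course, roles in roles_by_course.items():
        staff_roles = roles - {"student"}
        if staff_roles and "teacher" not in roles:
            findings.append((course, "-", "NO_TEACHER_ASSIGNED"))
        if {"teacher", "designer"} <= roles:
            findings.append((course, "-", "DESIGNER_AND_TEACHER_ASSIGNED"))

    return sorted(findings)


def summarize(findings):
    """Count findings per category, the shape of the list in the report."""
    return Counter(category for _, _, category in findings)


if __name__ == "__main__":
    results = review_roles(ENROLLMENTS, DIRECTORY, BANNER_INSTRUCTORS)
    for course, user, category in results:
        print(f"{course:12} {user:4} {category}")
    for category, count in sorted(summarize(results).items()):
        print(f"{count:3} {category}")
```

Each finding is a prompt for review, not proof of misuse: a student who is also an approved teaching assistant would need a documented justification rather than removal.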

We have the following recommendations with regards to this observation:

Management should develop protocols for the granting, review, and approval of Canvas access.

Management should disable non-employees Canvas access unless justification is documented and appropriately approved.

Management should consider limiting the ability of the teacher role to be assigned by Canvas users. Management should require teacher roles to be approved by the department head and entered in Banner Student Course Registration Form by the Registrar’s Office to be incorporated in the feed process to Canvas for course role assignment.

Management should consider restricting access to grades for designer roles who remain active once course has commenced.    

Management Action Plan

Management will develop grades access policy and protocols that will provide framework for access and authorization in WebCat and Canvas, which will be approved by the UNH Provost.

Responsible Party: UNH-D Associate Registrar of Records and University Registrar Due Date: October 15, 2022

c. We noted that access to sensitive Banner Student grade forms is not appropriately restricted. Furthermore, a review of the appropriateness of user roles and access based upon job responsibilities is not performed on a periodic basis. Specifically, we noted that modify access to Banner Student Form SFASLST (student grade entry form) was granted to 39 individuals within 17 UNH departments who do not have student grade entry responsibilities. Also, we noted that 14 Office of the Registrar staff members had modify access to the SFASLST form but did not have original grade entry or withdrawal processing responsibilities. We also noted that modify access to Banner Student Form SHATCKN (student grade adjustment form) was granted to nine individuals within five UNH departments who do not have student grade adjustment responsibilities. Also, we noted that seven Registrar’s Office staff members had modify access to the SHATCKN form but are not responsible for processing student grade adjustments. There is the risk that inappropriate users can enter or adjust student grades, which can result in inaccurate grade reporting. We also noted that view access to Banner Student Forms SFARHST, SFASLST, SHACRSE, SHATERM, and SHATRNS (which all display student grades) is not restricted. Grade view access was granted to 438 individuals from 165 different UNH departments.

We recommend that a formal process is established for the periodic review of Banner Student grade form access for appropriateness and alignment with job responsibilities.

Management Action Plan

The following actions will be taken to address the above observation:

1. Management will implement an annual review of Banner Student grade admin pages (SFASLST and SHATCKN) access using WebI report SIS00100. User maintenance and query access will be adjusted based on users’ current position and job responsibilities. To ensure review is built into current business processes, management will add this task to the calendar which will be accessible by Registrar management across all campuses. Findings and action taken will be recorded and archived.

Responsible Party: UNH-D Associate Registrar of Records Due Date: December 1, 2021

2. UNH-D Registrar management will continue to create new Banner security classes. Only Registrar records staff, Registrars, and Associate Registrars will retain maintenance access to SFASLST and SHATCKN. All other Registrar’s Office staff will retain query access only.  

Responsible Party: UNH-D Associate Registrar of Records Due Date: March 15, 2022

3. All Banner security access is reviewed and approved by the University Registrar or designee (Registrar authority designation to be recorded in shared registrar platform). In accordance with FERPA and registrar best practices, effort is made to assign the least data access needed to perform job responsibilities. Some user access to Banner admin pages was approved by former Registrar management (2014 and earlier). An initial review of SFARHST, SFASLST, SHACRSE, SHATERM and SHATRNS using WebI report SIS00100 will be done to evaluate the current data needs of users based on current job responsibilities. Review will be documented, and access will be modified as appropriate. Justification of access will be recorded and archived. Going forward, management will continue to create Banner security classes based on a user’s role and will continue to grant the least access needed to perform job duties. Following this initial review, a random sample of users with access to these Banner admin pages will be reviewed annually to ensure data access continues to be appropriate based on users’ legitimate educational interest and current job responsibilities. To ensure review is built into current business processes, management will add this task to the calendar which will be accessible by Registrar management across all campuses.

Responsible Party: UNH-D Associate Registrar of Records Due Date: June 15, 2022

*4. Enhance transfer credit process

During our testing, we noted that two out of 10 selected transfer credits were inappropriately coded to include the transfer grade in the overall UNH GPA calculation. We also noted that there is no review, approval, or monitoring of transfer credits processed by UNH. There is the risk that a student’s academic ranking and performance does not meet UNH academic policy and standards, resulting in reputational loss for the University.

We recommend that management should periodically review transfer credits processed for compliance with UNH policy.

Management Action Plan

UNH-D management will use available reporting to identify high risk transfer credit awards and will evaluate the records for accuracy and compliance with UNH transfer credit policy. To ensure review is built into current business processes, management will add this task to the calendar which will be accessible by Registrar management across all campuses. Findings and actions taken will be recorded and archived.

Responsible Party: UNH-D Associate Registrar of Records Due Date: December 1, 2021

*5. Enhance security protocols for student grades

During our testing of UNH Law grade entry, we noted that instructors submit grades to the UNH Law Office of the Registrar through email for entry into Banner Student. We also noted that student grade forms are submitted to the campus Registrar’s Offices through email. Sensitive data delivered via email increases the risk of data loss, as emails are not a secure medium to transmit sensitive information and are frequently subject to phishing attacks. Sensitive personally identifiable information should be protected under various legal requirements and USNH Information Classification Policy USY VIII.C.4. The loss of data may result in financial and reputational loss for the University.

We have the following recommendations with regards to this observation:

Management should develop and communicate security protocols and guidelines for handling of student grade information and forms.

Student grades should be entered directly into WebCat or Canvas by instructors.

Management should explore the development of a secure submission system for student grade related forms.

Management Action Plan

The following actions will be taken to address the above observation:

1. UNH-L will return responsibility for submitting individual student grades to faculty. Faculty will directly submit student grades through WebCat and Canvas. UNH-L will plan to utilize WebCat Final Grade Change tool as ET&S and Registrar resources are available for Phase 2 implementation.

Responsible Party: Associate Dean of Academic Affairs and UNH-L Assistant Dean for Registration and Records Due Date: August 31, 2022

2. Management developed and implemented the WebCat final grade change tool in July 2021 for UNH-D and UNH-M student grade changes. UNH-L will adopt the grade change tool by August 2022.

Responsible Party: University Registrar and UNH-D Associate Registrar of Records Due Date: Completed – July 2021

3. UNH-D management acknowledges that the submission of student grade forms via university email is not best practice. Campuses were forced to alter standard practices to accommodate remote work due to the COVID-19 pandemic. Student grade forms are only accepted from UNH-D and UNH-M faculty when sent using a UNH email address. UNH-D Office of the Registrar will contact other New England Land Grant institutions to learn how registrar forms are submitted, reviewed, and approved. Based on findings, management will draft a plan to improve current submission process.

Responsible Party: UNH-D Associate Registrar of Records Due Date: March 15, 2022

4. UNH-D management will develop security protocols and guidelines for handling student grade information and registrar forms and will publish on the Registrar FERPA webpage. UNH-D management will request to the Provost that UNH-M and UNH-L link to UNH-D's FERPA webpage to ensure consistency across all campuses.  

Responsible Party: UNH-D Associate Registrar of Records Due Date: March 15, 2022

 

6. Enhance repeat course process

We noted that the identification, review, and adjustment of grades for students taking repeat courses is a manual process and is inconsistent for different student types (i.e., undergraduate, graduate, Law). Based upon discussion with management, the automation of this process has been challenging due to the course coding of special topics courses and course repeat rule exceptions denoted in the course catalog. Also, during testing, we noted that an instructor requested a grade and registration change through the special grade report form. The UNH-D Office of the Registrar adjusted the grade for the student but did not correct the course registration error. As a result, the student received credit and grades for the same course in the Spring 2018 and Spring 2019 semesters.

These conditions exist because course repeat rules are not listed in Banner Student and special topics courses do not have unique course code numbering. There is the risk that a student receives GPA credit for the same course more than once, which is not in compliance with UNH policies, resulting in the inaccurate reporting of a student’s academic record.

We have the following recommendations with regards to this observation:

Management should document, review, and approve exceptions for courses identified as repeat courses in periodic monitoring reports.

Management should evaluate course code numbering methodology for special topics courses.

Management should evaluate the use of Banner Student to manage course repeat rule exceptions.

Management Action Plan

The following actions will be taken to address the above observation:

1. Management will continue to work towards the use of Banner Student to manage course repeat policy and automated records maintenance.

Responsible Party: UNH-D Associate Registrar of Records Due Date: October 15, 2022

2. Management will discuss and explore the course code numbering methodology for special topics courses as well as the standardization of special topic titles with college divisions when sufficient resources are available.

Responsible Party: UNH-D University Registrar Due Date: October 15, 2022

7. Enhance controls over monitoring of Parchment contract

We noted that UNH uses Parchment for the processing of UNH transcript requests. We noted that UNH does not obtain periodic SOC reports or PCI-DSS compliance reports. In addition, UNH does not periodically monitor the vendor for compliance with contract provisions. There is the risk that UNH student grade data and sensitive student information is not properly secured to ensure integrity and security of student grades, resulting in loss of reputation.

We recommend that UNH should develop a service provider monitoring plan. As part of monitoring, UNH should obtain and review periodic SOC reports and PCI-DSS compliance certificates to ensure that Parchment is meeting data security requirements.

Management Action Plan

The following actions will be taken to address the above observation:

1. Management will ask USNH IT if there are any plans to implement a service provider monitoring plan.

Responsible Party: University Registrar Due Date: February 1, 2022

2. UNH-D Registrar management will request and review SOC reports and PCI-DSS compliance certificates annually. To ensure this is built into current business processes, management will add this task to the calendar which will be accessible by Registrar management across all campuses. Parchment reports and certificates will be archived in a secure location accessible by appropriate managers.

Responsible Party: UNH-D Associate Registrar of Records Due Date: March 15, 2022 

VI. Business Process Improvements

1. Enhance course schedule development and entry process

The UNH-D Office of the Registrar coordinates the course schedule process with each individual UNH department. The individual UNH department downloads the prior semester schedule via a WebI report and then edits the schedule to reflect course subject, sections, instructors, days, times, and room location for the new semester. The course schedule information is manually entered into the Banner Student Form SSASECT by staff. There are two more iterations of the course schedule development process, whereby departments are responsible for downloading the course schedule WebI report and submitting any changes to the Scheduling department, prior to the semester schedule going live on the UNH Course Registration website.

We noted that the development of the course schedule is manual. Manual course schedule development is inefficient, a waste of staffing resources, and can be prone to error. There is the risk that course information listed on the website is inaccurate, resulting in students enrolling in courses that may not meet student expectations or requirements.

We recommend that management should automate the course schedule development and entry process. Management should consider course scheduling software options that integrate with Ellucian Banner Student.

2. Enhance grade definition documentation

During the audit, we noted that the UNH Offices of the Registrar assign various symbols to student grades, which appear on the student record and/or academic transcript. There is no internal grade definition key to document how the symbol should be applied and interpreted. There is the risk that a grade assigned may be incorrect, resulting in the loss of reputation.

We recommend that management should consider developing a grade definition key for symbols used in the assignment of student grades.

3. Enhance transfer credit policy

During our testing of transfer credits, we noted that SRR 05.33(fs) states that grades earned in the 200-level Thompson School courses will be recorded on the student’s transcript but will not be included in the student’s GPA. The policy does not explicitly address the treatment of non-200-level courses. There is the risk that Thompson School credits for non-200 level courses are not recorded and in accordance with expectations.

We recommend that management should update SRR 05.33(fs) to address the treatment of all Thompson School level courses.

Appendix I: UNH Grade Entry and Grade Adjustments Testing Observation Details and Recommendations

I. Campus: UNH-L; Category: Anonymous Grading

Observation: We noted that UNH Law assigns each student an exam number to facilitate anonymous grading. Student exam numbers are tracked in Excel spreadsheets. Through our testing, we noted two students who had the same exam number assignment. Also, we noted that three of 15 selections did not have the student exam number listed on the spreadsheet and one of 15 selections where the exam number listed on the grade sheet was different than the exam number tracking spreadsheet. There is a lack of controls over the assignment, tracking, monitoring, and validation of the student exam number assignment.

Risk: There is the risk that a student is awarded a grade that does not accurately reflect their academic performance, resulting in reputational risk to UNH.

Recommendation: UNH-L should incorporate existing Canvas and Banner Student functionality to facilitate anonymous grading. Management should consider the use of Banner Student for the assignment and tracking of student exam #s. Access should be restricted to this field to those with associated job responsibilities.

Management Action Plan: The Registrar is exploring potential Banner functionality to generate random student exam numbers tied to individual accounts.

Working with faculty and university staff, we are exploring ways to use existing Canvas anonymous grading tools. Reviewing best practices at other law schools which suggest our overall adherence to fully anonymous grading may be an exaggerated system. It appears anonymous grading of exams is best practice, but not full anonymous assignment of grades. We will continue to review and share results with faculty for policy review.

II. Campus: UNH-L; Category: Course and Student Grade Mode

Observation: We noted two UNH Law courses that were not assigned the correct course grade mode in Banner Student. These two courses were setup as letter grade courses but were mandated satisfactory(S)/unsatisfactory(U) graded courses. This occurred since there is inadequate review of course setup in Banner Student. We also noted that UNH-Law does not denote a student’s S/U grade election in Banner Student. As a result, UNH-L is unable to efficiently and effectively monitor grades to ensure grades are valid and in compliance with UNH-L grading policy.

Risk: There is the risk that a student’s assigned grade is invalid.

Recommendation: Management should develop protocols for the review of course information in Banner Student. Standard protocols should be developed for the use of course and student grade modes in Banner Student.

Management Action Plan: A full review for Fall 2021 of course and student grade mode assignment in Banner was completed in early September 2021.

UNH-L will use Banner Student to track course and student grade modes.

Work with Durham’s Office of the Registrar to cooperatively develop and review error monitoring reports to have consistent processes at the three UNH campuses.

Affirm, by vote of faculty, the grading scheme for all courses.

Affirm, by vote of faculty, total number of pass/fail credits a student may amass in their career, and code that decision and the election process into student’s career within Banner.

III. Campus: UNH-D, UNH-L, UNH-M; Category: Grade Entry & Adjustment Transactions

Observation: We noted there is no review, approval, or periodic monitoring of original grade entry or grade adjustments entered by the campus Offices of the Registrar.

Risk: There is the risk that the grade assigned to the student is inaccurate or unauthorized, resulting in loss of reputation for UNH.

Recommendation: Management should monitor grade entry and adjustments on a periodic basis for accuracy and authorization.

Management Action Plan: Management will develop a biannual process to review a random selection of grades and grade adjustments processed by all campuses. To ensure review is built into current business processes, management will add this task to the calendar which will be accessible by Registrar management across all campuses. Findings and action taken will be recorded and archived.

Responsible Party: UNH-D Associate Registrar of Records Due Date: March 15, 2022

IV. Campus: UNH-L; Category: Grade Entry & Adjustment Transactions

Observation: During testing, we noted that there were errors in the system calculation of final grades for a UNH-L course. Special grade reports were completed for six of the 12 students whose recalculated grade was higher. Special grade reports were not completed for students whose recalculated grade was lower. It was also noted that one of the twelve student’s original grade entered in Banner Student did not agree to the spreadsheet submitted by the instructor. We noted that the grade adjustments were initiated (on behalf of the instructor) and approved by the Assistant Registrar, as the Assistant Registrar combined her own authority with informal Registrar’s delegated authority to process these transactions, which resulted in lack of review over the grade adjustments. As a result, five of the twelve students received higher grades than supported by their academic performance and were not accurately reflected in their academic record. We noted that there is inadequate review and approval of grade entry. Grades are received, calculated, and input by the Office of the Registrar. Banner Student grade entry is not reviewed for accuracy and there is no validation that grades on the student record agree to grade approved by the instructor. In addition, we noted inadequate segregation of duties between individuals responsible for grade calculation, grade entry, and grade adjustment approvals.

Risk: There is the risk that student academic performance is not properly reflected in their academic record, resulting in reputational and financial risk for the University.

Recommendation: UNH-L Office of the Registrar should review and adjust the grades assigned in the ILaw course, as appropriate. Delegation of authority guidelines should be developed. For transactions where delegation of authority is exercised, segregation of duties should be considered to ensure that the same person is not initiating and approving a transaction. UNH-L should incorporate existing Canvas and Banner Student functionality to facilitate anonymous grading. UNH-L should require instructors to enter final grades in WebCat and Canvas. Management should consider using the existing grade passback functionality to transfer student grades between Canvas and WebCat.

Management Action Plan: UNH-L will review ILaw grades for appropriateness. Going forward, UNH-L will establish grade adjustment procedures/approvals in advance of WebCat Final Grade Change implementation. Review best practices with other law schools; presume faculty will submit their own grades going forward in Banner/WebCat. Plan to utilize WebCat Final Grade Change tool as ET&S and Registrar resources are available for Phase 2 implementation.

Pilot training on grade entry will be conducted with select faculty in Fall 2021. A revised training based on the fall experience will be provided in Spring 2022. A training module, for all faculty and adjuncts, will be developed and made part of faculty onboarding and fall orientation beginning Fall 2022.

As we work to establish #I action plans above, conduct periodic and random audits with in-house third-party reviewers to ensure accurate grade submission. Work with Durham’s Office of the Registrar to cooperatively develop and review error monitoring reports to have consistent processes at the three UNH campuses.

As we work to establish anonymous grading and direct grade entry by faculty, the Associate Dean of Academic Affairs will develop a system of review. We will implement the use of passback functionality for faculty to transfer grades from Canvas to WebCat.

V. Campus: UNH-L; Category: Grade Monitoring

Observation: We noted that there is a lack of monitoring for invalid grades for UNH-L students.

Risk: There is the risk that an assigned student grade is invalid and does not agree to academic program, course, or student-elected (where applicable) grading scale.

Recommendation: Standard processes should be developed for monitoring of grades for all UNH campuses.

Management Action Plan: We will develop a system within Banner student coding that ensures students are assigned a valid grade.

Work with Durham’s Office of the Registrar to cooperatively develop and review error monitoring reports to have consistent processes at the three UNH campuses.

VI. Campus: UNH-L; Category: Student Course Grade Mode

Observation: We noted that UNH-L does not track student elections for satisfactory/unsatisfactory (S/U) grading in Banner Student. As a result, UNH-L is unable to monitor grades efficiently and effectively for compliance with UNH-L grading policy and student grade elections. We also noted three of seven S/U student grade elections that were accepted after the deadline and one of seven S/U elections that did not have supporting documentation available. This occurred since UNH-L does not have defined procedures for the processing, review, and approval of exceptions to academic policy. In addition, UNH-L does not have protocols for the retention of student transaction supporting documentation.

Risk: There is the risk that a student’s assigned grade is invalid.

There is the risk that student requests for exceptions are not documented, processed, reviewed, and approved in a consistent manner to comply with UNH policy, resulting in the loss of reputation.

Recommendation: UNH-L should implement Banner Student functionality for the tracking of student-elected S/U grade modes. UNH-L should develop formal procedures for the processing, documentation, review, and approval of requests for exception to academic policies. Management should develop protocols for retention of supporting documentation for student grade forms.

Management Action Plan: See plan for issue #II, above. All program deadlines will be reviewed, affirmed, and published. Deadlines will appear on forms, and we will use the UNH-L new communication framework (weekly digests, public information forms) to announce and remind the community of deadlines.

All paperwork and forms, including LOA/Withdrawal, applications, grade selection, and other relevant documents will be indexed to the student file.

We will develop a new document retention protocol, headed by the Registrar, to ensure documents are not only indexed to student files but properly retained. Any deadline extension or variation in the 2021-2022 year will be approved only by the ADAA or ADEA in writing and will be retained in Xtender student file.

Faculty Committees on Academic Policies are reviewing all waiver and exception policies and creating procedures for waiver and student file recording requirements. All extensions and waivers will be provided in writing and attached to student files.

VII. Campus: UNH-D, UNH-L, UNH-M; Category: Student Grade Form Authorization

Observation: During student grade adjustment testing, we noted nine of 10 special grade reports that were not properly approved by the dean of the College. According to management, UNH College deans delegate authority to authorize student grade adjustments, but this delegation is not documented. We noted that a complete list of individuals authorized to approve student grade adjustments was not readily available or maintained by UNH Office of the Registrar.

We noted that UNH-L accepted electronic signatures for authorization of withdrawal/leave of absence student grade forms. UNH-L did not retain documentation to support authentic approval.

Risk: There is the risk that student grade transactions are not properly authorized, resulting in the loss of reputation.

Recommendation: Management should define in grading policy and procedures that deans can delegate authority to authorize special grade reports. Management should develop a list of staff authorized to sign special grade reports and petition for waiver in academic policy forms and communicate to all business units to ensure that they are aware who is authorized to approve student grade changes and academic policy waivers. Management should develop protocols for the electronic authorization of student forms. Management should develop protocols for retention of supporting documentation for student grade forms. UNH-L should consider the use of Xtender for retention of student grade documentation and forms.

Management Action Plan: Management will work to update Student Rights, Rules, and Responsibilities (SRRR) 07.14(ad) to include a dean’s right to delegate his or her authority.

Responsible Party: University Registrar Due Date: September 1, 2022

Create a shared resource that is accessible and maintained by Registrar management at all UNH campuses. Included in this shared resource will be the record of delegation of authority.

Responsible Party: UNH-D Associate Registrar of Records Due Date: March 15, 2022

UNH-L will develop a protocol for electronic authorization of student forms. UNH-L will develop a protocol for retention of student forms and documents (preference: Xtender). This process will depend on available personnel.

VIII. Campus: UNH-D, UNH-L; Category: Supporting Documentation

Observation: During our testing of student grades entered by the campus Offices of the Registrar, we noted that supporting documentation was not available for five of 25 UNH original grade entry transactions. Subsequently, the UNH-L Registrar was able to obtain support for two of the four UNH-L missing grade transactions. As a result, we are unable to validate the accuracy of the remaining three grades (two for UNH-L and one for UNH-D) awarded to the student.

Risk: There is the risk that the University UNH-L is unable to support a student grade transaction awarded to the academic record, resulting in loss of reputation for the University.

Recommendation: Management should develop protocols for retention of supporting documentation for student grade transactions.

Management Action Plan: UNH-D management will ensure document maintenance procedures are consistently followed by UNH-D and UNH-M. UNH-D will support UNH-L in this area, as needed.

Responsible Party: UNH-D Associate Registrar of Records and UNH-L Registrar and Assistant Dean for Registration and Records Due Date: March 15, 2022

Internal Audit | 5 Chenell Drive, Suite 301, Concord, NH 03301 | usnh.edu

University of New Hampshire

Garage Inventory Audit

Report Issued December 22, 2021


December 22, 2021

James W. Dean Jr., President University of New Hampshire Durham, New Hampshire 03824

Dear President Dean:

This letter conveys our report on the University of New Hampshire Garage Inventory Audit. As communicated in our engagement letter of May 14, 2021, the primary objective of this audit is to obtain reasonable assurance on effectiveness of UNH Garage’s internal controls over procurement and use of parts and related inventory and whether the existent internal controls are efficient, effective, and operate as expected, and whether standards of compliance are being adhered to.

This report reflects our observations, which were discussed with members of UNH management, and their action plans in response to our recommendations. It is being distributed to the individuals listed below and will be presented to members of the Audit Committee of the University System of New Hampshire (USNH) at its next scheduled meeting. It is also available for review by external auditors of USNH.

We appreciated the full cooperation and assistance we received from William Janelle, Associate Vice President for Facilities and Operations, with whom Yasmin Clark, Manager of Internal Audit, worked most closely as she conducted the fieldwork for this audit. Please feel free to contact me with any comments, questions, or suggestions you may have.

Sincerely,

Ashish Jain Director of Internal Audit

Distribution:

Christopher Clement, Chief Operating Officer and Vice President of Administration, UNH

William Janelle, Associate Vice President for Facilities and Operations, UNH

Catherine Provencher, Chief Administrative Officer and Vice Chancellor for Financial Affairs and Treasurer, USNH

Marcel Vernon, Chief Financial Officer, UNH


I. Executive Summary

We performed an audit over the University of New Hampshire Garage inventory. UNH Garage had a significant amount of staff turnover over the last year. In addition, UNH Garage was moved to be within the purview of UNH Facilities starting on July 1, 2021.

We noted that there is currently a lack of policies and controls around the inventory procurement, handling, and billing process. Due to a lack of segregation of duties, there is a risk of misappropriation of parts and tools. We recommend that UNH management develop policies and procedures around UNH Garage operations, including the procurement, recording, issuing of vehicle parts, garage tools, the internal billing process, and the year-end inventory count verification.

During our audit testing, we noted that 32 parts received (totaling $3,469) were not recorded or incorrectly recorded in the FAMIS inventory system. In addition, parts returned were tracked informally and were not recorded in FAMIS. We were unable to verify that the credit was received relating to six returns (totaling $431).

Regarding the year-end inventory count, an independent party is not consistently involved in the count and there is inadequate independent verification of inventory adjustments and balances on hand. We performed a physical inspection of a sample of vehicle parts and noted that two parts out of the selected 11 had a different count than what was noted in the inventory records. The total inventory value difference was $3,628. We also noted inadequate procedures to document, review, and approve direct inventory adjustments.

A review over old inventory parts is not performed to determine if these parts are still needed or if they will need to be disposed of. As of June 30, 2021, there is approximately $188,000 in obsolete inventory, which has not been issued over the past two years.

We noted that controls surrounding the billing process should be enhanced. We noted that external vendors have not been billed appropriately for repairs. We recommend that management reviews all work orders billed to these vendors to ensure UNH Garage was reimbursed for the repair. As part of the policies and procedures, the UNH Garage manager should verify that all repairs were performed, and all parts are included on the internal billing statement before closing out the work order. We recommend improving physical security controls and tracking high value garage tools to ensure that the University property is protected.

II. Background

UNH Garage provides diagnostic services as well as maintenance and repairs for the University fleet vehicles, consisting of approximately 451 vehicles, including heavy duty trucks, light duty trucks, passenger vehicles, motorcycles, commuter buses, and other types of equipment such as Zambonis, forklifts, loaders, ATVs, golf carts, John Deere gators, lawn mowers, trailers, and tractors. The Garage used a system called Facility and Asset Management (FAMIS) to record all parts purchased and issued to work orders, maintain a record of all UNH fleet vehicles, track all historical and current work orders for repairs for any UNH vehicles, the amount and quantity of parts and details of these parts in inventory, details of all vendors (historical and current) used to order parts, and the billing of work orders to other departments (including labor, parts, and miscellaneous items). The FAMIS system was replaced by AiM Facilities Management Software at the end of September 2021.

When a vehicle comes to the UNH Garage either for maintenance or for services, a work order is opened within FAMIS detailing the work that needs to be completed. This work order is then assigned to a designated mechanic. Depending on the vehicle and if it is maintenance or diagnostic services, a predetermined task list might be populated for the mechanic to follow. For example, a predetermined task list exists for state inspections. The mechanic then uses this task list to complete the repair and includes detailed notes on any repairs, parts used, and time spent within the work order in FAMIS. Any parts that are used to repair the vehicle are detailed within the work order. UNH Garage stores the most used parts within their stock room. If a part is not available or not in stock, the UNH Garage Purchasing Assistant orders the required part from a commonly used vendor. Once received, the part is then installed by the mechanic to finalize the repair. The mechanic will then click completed on the work order and the UNH Garage Manager will finalize the work order, review high level to see if all materials and labor are included on the work order, and bill the work order out to other internal UNH departments for reimbursement. All materials, including repairs performed at outside vendors, are marked up by approximately 25%.

The UNH Garage maintains a stock room, where all commonly used parts are stored. The stock room is managed by the UNH Garage Purchasing Assistant. He is responsible to order all vehicle parts needed, either to restock existing inventory or to order specific vehicle parts needed for a work order, add these parts into inventory, and monitor the use of all parts in inventory.
Currently, there are approximately 2,356 different types of vehicle parts stored in the stock room and recorded in inventory. Each part is assigned an individual part number and shelf/bin location in FAMIS and tracked in the system. Any part not in inventory is special ordered by the UNH Garage Purchasing Assistant. Once the part is received, the part is assigned an "ASPECIAL" part number within FAMIS and linked to the applicable open work order. The stock room is locked at the end of the day. In order for mechanics to check out parts in inventory, a paper document is completed for each part with the quantity and the work order number where the part is being used on. The UNH Garage Purchasing Assistant inputs the issuance of the part within FAMIS and links the part to the applicable work order. UNH Garage stored and recorded approximately 2,356 vehicle parts (valued at $336,404) in FY21, 2,344 vehicle parts (valued at $342,770) in FY20, and 3,740 vehicle parts (valued at $373,698) in FY19 in the stock room and in inventory.

[Figure: Inventory value at year end, FY21, FY20, and FY19]


UNH Garage total revenue from miscellaneous revenue and internal allocations totaled $832,700 in FY21, $1,006,428 in FY20, and $1,080,076 in FY19. Total expenses totaled $845,038 in FY21, $910,301 in FY20, and $937,820 in FY19.

All UNH Garage mechanics are required to provide their own tools and toolbox. UNH Garage provides specialty tools that are required to repair some of the UNH fleet vehicles. These specialty tools are stored in the tools room located at the UNH Garage. The tools room is locked at the end of the day and mechanics sign out any tools on an honor system via a clipboard and piece of paper. The mechanic fills out the document with the following information: the tool removed, the person using the tool, the date when they sign out the tool and the date when they return the tool to the tools room.

III. Scope

The scope of the audit consisted of transactions from July 1, 2017, to June 30, 2021. The audit focused on key controls surrounding the procurement and use of parts and related inventory at UNH Garage. We performed an audit to obtain reasonable assurance whether the risks associated with the procurement and use of parts and related inventory at UNH Garage were appropriately identified and managed, internal controls are in place, and the established internal controls are designed effectively and operating as expected. Specifically, we performed the following procedures:

• Interviewed UNH personnel in the UNH Garage and UNH Facilities to gain an understanding of how inventory is handled at the Garage;

• Reviewed a sample of procured items to ensure that they were completely included in inventory;

• Reviewed a sample of invoices to ensure that they complied with USNH procurement policies;

• Reviewed a sample of inventory items to ensure accuracy of the inventory report;

• Reviewed a sample of work orders to ensure that they were approved and all related expenses were billed out;

• Physically verified a sample of inventory at UNH Garage;

• Performed roll-forward procedures over a sample of parts in inventory to ensure year-end balances agreed to procured and issued parts;

• Reviewed inventory report for obsolete inventory;

• Met with UNH Associate Vice President for Facilities and Operations to confirm test results.

[Figure: Revenue and Expenses for FY21, FY20, and FY19 (Total Revenue and Total Expenses)]

The physical inventory records for FY21 year-end inventory records were received on October 15, 2021, several months after requesting the records. Management informed us that they are unsure where the records were; however, the records were located mid-October. We were unable to verify the changes made with lead pencil to physical inventory records. Therefore, we are unable to comment on the accuracy of year-end adjustments made as records could have been modified. We did not perform an access review over FAMIS or the new AiMs system, as systems are being replaced.

IV. Report Structure

The seven observations in Section V of this report outline internal control issues for management’s attention and consideration. The order of the comments is based on their relative importance in terms of potential risk to USNH or foregone effectiveness if not addressed. The observations marked with an asterisk indicate the most significant items for management attention and resolution, which will be tracked for the USNH Audit Committee’s monitoring until resolved. The report contains recommendations that management has considered and incorporated into the management action plans indicated below.

V. Observations

* 1. Enhance inventory receipt process

We noted inadequate controls on inventory receipt to ensure that the parts received are correctly recorded in the inventory system. We selected 72 invoices which contained 246 line transactions (SKUs) for testing appropriateness of receipts and noted the following:

a) Receipt of parts related to 32 line transactions totalling $3,469 were either not recorded in inventory or were recorded in a lesser quantity than charged by the vendor. In addition, we were informed by UNH Garage staff, that six out of these 32 parts, totalling $431, were returned to the vendor after they were received. We were unable to obtain a credit memo for these six parts. Parts returned to the vendor are informally tracked and not consistently recorded in inventory. There is a risk that parts received are misappropriated or vendor may charge inappropriately, which can cause a financial loss to the University. Finally, there is a risk that UNH overpays vendors and the credit memos are not credited on the account for any returned or missing parts.

b) There is inadequate segregation of duties around inventory responsibilities. All parts were ordered, received, recorded, and issued by the same staff member. The same staff is responsible for annual physical inventory and can make any adjustments to the inventory records. When one person orders, receives, records issuances, and maintains custody of an asset without any independent confirmation, the risk of fraud or malfeasance escalates. There is a risk that vehicle parts and tools can be misappropriated, misplaced, or lost.


c) We came across a charge totalling $76 for an annual battery swap, while the battery SKU was not in the stock. This can be attributed to inaccurate record keeping or the University may be paying for a service from which no benefit was derived.

d) Receipt of 34 items (line transactions) totalling $10,419 were classified as special orders and were assigned directly to the work order without recording in inventory. There is a lack of review of work orders to ensure that the items are used properly for the University’s business purpose. There is a risk that special-order parts are misappropriated.

e) We noted that purchase transactions were not consistently supported with the related business purpose of the transaction. According to USNH policies (USNH Financial Services Policies and Procedures 09-09-110 Documentation and Record Retention), each purchasing card transaction must be supported by cashier receipt, supplier invoice, credit card slip (with itemized pricing), copy of an order form or application (with itemized pricing), and/or packing slips with pricing details. All purchasing card documentation must contain a description of what was purchased, the related business purpose, date of purchase, supplier name and location, quantity and cost of each item purchased, and total cost of the purchase. Based upon our testing, all 72 selected invoices did not have detailed business purpose documentation as required by USNH policies. There is a risk that purchase transactions can be processed that do not provide corresponding benefit to UNH and the business purpose may not be available if the employee leaves USNH. In addition, we noted that one invoice was not supported by appropriate supporting documentation imaged in the USNH designated imaging system (BDMS). USNH Financial Services Policies and Procedures 02-02-210 provides that supporting documentation should be easily retrievable for examination, which can be achieved by adding copies to BDMS. We noted that the above invoice was not available from UNH Garage. There is a risk that inappropriate expenses are paid via USNH funds without providing any supporting documentation. (We were subsequently able to obtain supporting documentation directly from the vendor.)

We recommend the following in regards to this observation:

1. Management should formally investigate the staff about missing parts and take appropriate action. Based on the investigation results, management should perform cost benefit analysis for identifying all missing and unrecorded parts.

2. Develop policies and procedures to ensure all parts received are recorded in inventory and how to account for and record returns in the inventory system.

3. Procedures for ordering, receiving, and recording assets should be developed, communicated, and implemented. Duties for receiving and recording vehicle parts should be segregated.

4. Require independent and formal review of work orders to ensure that the work order contains appropriate parts used.

5. Reinforce existing USNH policy on supporting documentation and ensure the policy is consistently applied to all expense transactions.

6. Reinforce existing USNH policy on documenting business purpose before approving the transaction.

7. Periodically review access over AiMs to ensure least privilege principle and segregation of duties are applied.


Management Action Plan – Associate Vice President for Facilities and Operations, UNH

1. UNH Management will evaluate if staff will be formally investigated about the missing parts. This will be completed by December 31, 2021. The remaining employees have been assisting in trying to track down return parts documentation with limited success.

2. The Transportation Garage has been rolled into UNH Facilities Services. UNH Facilities Services has committed to a structural re-organization of the transportation department to ensure department policies and goals are met. A UNH Transportation Garage manager has been hired to ensure the appropriate amount of oversight with documentation control, workflow analysis and inventory control practices are in place. In addition, Facilities Services is in the process of implementing a new work order platform called Assetworks (AiM). AiM will allow all work, parts inventory, and procurement to be captured on one platform. In addition, by adding the transportation garage stockroom to the Facilities Operations Warehouse, all established policies and procedures will be adopted for the garage operations, which includes use of AiM to capture all inventory, as well as recording returns. This procedure consists of a three-way match for all purchases. The first match occurs upon arrival of the items, second match occurs when item is released and the third is when the purchase order in AiM is closed with an invoice. This will be completed by December 31, 2022.

3. By adding the Transportation Garage stockroom to the Facilities Operations Warehouse, all established policies and procedures will be followed, which includes use of AiM to capture all inventory, as well as recording returns. In addition, segregation of duties for receiving and recording vehicle parts will be implemented. This will be completed by June 30, 2022.

4. By utilizing the Facilities Work order system, AiM, the review of work orders will be the following: 1) Fleet mechanic completes work which is documented in AiM including parts used and 2) Service writer and/or manager verifies every AiM work order by checking workmanship and the documentation within the work order correctly describes work and parts used. This will be completed by June 30, 2022, based on the capabilities of AiM.

5. We will reinforce existing USNH policy on supporting documentation. All purchases will be documented through AiM as they currently are at the facilities operations warehouse. This will be completed by June 30, 2022.

6. We will reinforce existing USNH policy on documenting business purpose before approving the transaction. All purchases will be approved through AiM and UShopNH. This will be completed by June 30, 2022.

7. We will periodically review access over AiMs to ensure least privilege principles and segregation of duties apply. The first review will be completed and documented by March 31, 2022, based on the capabilities of AiM.

* 2. Enhance annual inventory verification

We noted the following related to the annual year-end physical inventory verification procedures:

a) There are inadequate year-end physical inventory procedures. To perform year-end physical inventory, a report is printed out of FAMIS with the part number, part location, and inventory amount held as of that date. Using a preprinted report enables users to see what is in the inventory; therefore, there is a risk that the staff may not independently verify what is in stock or their physical inventory count could be biased.

b) An independent party is not consistently involved in the year-end inventory counts. UNH Garage staff is responsible for year-end inventory counting and monitoring of the physical inventory process. Furthermore, no cycle counts are performed by an independent person during the year. Therefore, there is inadequate independent verification of inventory on hand.

c) During the June 2021 physical inventory, we noted that an inventory item totaling $3,628 was increased a day after normal physical inventory adjustments. We were not able to obtain support showing that the adjustment was appropriate and justified. Upon further analysis, we noted that this item had not been purchased in the last three years. The original inventory count on June 28, 2021, was in line with our physical inspection of the item on September 10, 2021. Therefore, our physical verification confirmed the shortage equal to additional item added on June 29, 2021. There is a risk that the item totaling $3,628 was added to inflate the year-end inventory. The employee making the adjustment informed us that they adjusted the inventory based on the verbal information from a garage staff member.

d) During the review of the June 2021 physical inventory records, we noted that 119 parts were adjusted after the original physical inventory count. No explanation was noted why a different quantity was recorded in the inventory system. Of these 119 parts, 80 parts were adjusted to reflect the amount on hand before the inventory count, while 39 were adjusted to reflect an amount different than the counted amount and on hand before the inventory count. There is a risk that the recorded inventory may not accurately reflect the inventory in hand and there is a risk of financial loss for the University.

e) During our physical verification of 11 selected inventory items on September 10, 2021, two items had a variance between the stock record and our physical count. One of the items had a quantity increased by two units totaling $3,628, while the other had a quantity short by two units totaling $138. We did not obtain any satisfactory explanation to support the variance. Therefore, the recorded inventory may not accurately reflect the inventory in hand and there is a risk of financial loss for the University.

f) Various employees have access to adjust the inventory records and there are no protocols or requirements to support inventory adjustments. Furthermore, the reason and support for these adjustments is not consistently documented and maintained. The chronic issue of data entry errors contributed to the volume of adjusting inventory entries. Due to lack of protocols for inventory adjustment approvals, we could not validate the reasonableness of direct inventory adjustments. Therefore, there is a risk that misappropriated stock items have been adjusted in the inventory records.

g) We noted that there is currently approximately $188,000 in obsolete inventory stored at the UNH Garage. These parts have not been issued or purchased over the last two years. This is due to management not identifying non-useable inventory periodically. There is a risk that UNH Garage carries the incorrect inventory value or excess inventory that could be used in foreseeable future.

h) The cost of parts is inconsistently recorded in the inventory system, especially as it relates to the purchase of tires, the recording of battery cores, and parts that are ordered in multi-packs. There is a risk that the inventory value is not accurate at year-end.

We recommend the following in regards to this observation:

1. Establish formal policies and procedures regarding the year-end inventory cycle count, including but not limited to using independent non-garage staff to supervise the inventory process, using blank reports during the year-end cycle count, using pen (instead of lead pencil) to record inventory counts, and obtaining supporting information if the year-end inventory count needs to be adjusted outside of the count.

2. Ensure all inventory, regardless of value, is included in the year-end inventory cycle count.

3. Identify which vehicle parts are potentially in excess and should be removed from the inventory and written off.

4. Establish formal policies and procedures regarding the recording of cost in the inventory system.

5. Develop protocols to restrict access and approve inventory adjustments.

Management Action Plan – Associate Vice President for Facilities and Operations, UNH

1. Going forward, we will implement established policies and procedures from UNH Facilities Services. Facilities Services will supervise the inventory process and obtain supporting documentation if the year-end count needs to be adjusted outside of the count. This will be completed by June 30, 2022.

2. Going forward, every single part is given a bin location regardless of value. The bin is included in the year end count and counted regardless of value (even zero value items soap dispensers etc.). This will be completed by December 31, 2022.

3. We will establish a process to identify annually any vehicle parts that are potentially in excess and should be removed from the inventory and written off. Reports are developed that show when parts are received, placed in, and taken out of inventory. We will use these reports to determine if the part should still be in inventory or if the part needs to be removed from inventory and written off. This will be completed by December 31, 2022.

4. With the implementation of AiM, every single part will be received into inventory and “sold” out of inventory, including no cost items. Special order parts will continue to be recorded on purchase orders and charged out to work orders as well. These procedures will maintain the inventory accurately and with the 3-way match the inventory cost will be accurately recorded in the inventory. In addition, this creates a trail that is easily navigated to see cost and to run reports that would show what campus entity bought an item (housing, operations locations, campus customers etc.). This will be completed by December 31, 2022, based on the capabilities of AiM.

5. Any discrepancies found will be brought to the stockroom manager’s attention. The manager will be the only staff member that has permission within AiM to make any adjustments. In addition, the stockroom manager will request any supporting documentation to support the adjustments. This will be completed by December 31, 2022.

* 3. Enhance billing and collection process

We noted a lack of formal protocols for providing services to external parties and appropriately billing them. A summary report provided 65 work orders totaling $16,026 between 7/1/2017 and 9/21/2021, which might not have been properly billed to three external vendors. We noted that UNH recorded miscellaneous revenue in the amount of $9,158 between 7/1/2017 and 9/21/2021 from various sources, including the sale of scrap metal. We were unable to verify if all external vendor work orders have been billed out and if UNH received funds from the external parties for these repairs. There is a risk that UNH costs were not reimbursed by these external parties. The terms for providing services have not been documented and agreed upon with these external parties. Therefore, there is a risk of dispute with external parties, and service provided to external parties may not be covered under the existing insurance coverage.

In addition, we noted that all expenses have a markup of approximately 25% at the time of billing internally. Based on the inquiry, there is no approved justification or basis for charging 25% mark-up. Without proper marketing analysis, adding a mark-up may make UNH Garage services more expensive than the market, and internal inefficiencies may not justify Garage operations. We also noted that the mark-up is not consistently applied. We noted four out of 37 work orders had a markup greater than 25%, resulting in an increase of billing amount to other departments in the amount of $878. There is a risk that billing statements to other UNH departments were overstated and these departments overpaid for services rendered by the UNH Garage.

Finally, we noted that the inventory issuance is informal where the mechanic can collect any item and write the usage on a sheet. There is no independent verification of part taken and used. There is a risk that the parts taken are not recorded properly. In addition, there are no formal protocols on roles and responsibilities related to review of work orders, including verification that parts used are actually installed and repairs were completed, as noted in the work order, prior to vehicle leaving the garage. We were informed that the UNH Garage Manager high-level reviews a work order prior to it being finalized to ensure all used materials are included prior to closing out the work order. However, no verification is performed to ensure that all repairs are completed as stated on the work order and that vehicle parts recorded on the work order and issued for the repair, were used in the repair. There is a risk that parts are misappropriated or not used for the business purpose.

We recommend the following in regards to this observation:

1. Develop protocols for providing services to external parties, including the requirement to enter into a formal arrangement with external parties and collect for services rendered.

2. Review all unbilled work orders to ensure reimbursements are received and revenue is recorded appropriately.

3. Evaluate the practice of markup on all parts and services rendered to internal UNH departments so that Garage operations are competitive.

4. Develop internal policies and procedures for independent review and verification to ensure all repairs are completed appropriately prior to the closing and billing of the work order.

Management Action Plan – Associate Vice President for Facilities and Operations, UNH

1. The decision was made to no longer provide services to non-UNH entities. This has been completed on August 5, 2021.

2. We will review all unbilled work orders to external parties to ensure reimbursements are received and revenue is recorded. This will be completed by June 30, 2022.


3. UNH Management determined that markups on parts and services will be discontinued and internal UNH departments are billed these services at cost. This has been completed by July 1, 2021.

* 4. Enhance control structure, authority, and responsibilities for Garage Operations

We noted that there are currently no formal policies and procedures for the Garage operations including:

a) Roles and responsibilities of the staff;

b) Procurement of inventory using USNH approved methods;

c) Receiving and recording of inventory parts;

d) Recording of inventory cost for various unique vehicle parts in the inventory system;

e) Recording of issuance of inventory parts;

f) Year-end physical inventory and cycle count protocols;

g) Review and verification over repairs to ensure that all identified vehicle parts were utilized and appropriately billed;

h) Acceptable use of UNH Garage facilities including off-hours use;

i) Procurement, accounting, and use of university provided tools; and

j) Need, identification, and tracking of tools provided by employees for the workplace.

Without formal policies and procedures on all areas pertaining to the UNH Garage, there is a risk of misappropriation of assets and financial loss for the University.

We recommend developing formal policies and procedures regarding the day-to-day operations of the UNH Garage.

Management Action Plan – Associate Vice President for Facilities and Operations, UNH

We will develop formal policies and procedures regarding the day-to-day operations, including but not limited to roles and responsibilities of the staff, the receiving and recording of inventory parts, procurement of inventory parts and tools, recording of inventory cost, review and verification over repairs, and the acceptable use of UNH Garage facilities. As previously stated, the transportation garage has been rolled into Facilities and has gone through a re-organization. Under the direction of the Executive Director of Facilities Services, the Transportation Garage Manager currently oversees the shop service writer, stockroom clerk, part time bookkeeper, lead fleet mechanic, and three fleet mechanics. As part of roll over into Facilities and once AiM has been fully installed, the stockroom clerk will move over to the Facilities Warehouse and report to the Facilities Materials Manager. The Facilities Warehouse, as described previously, already has the means and methods in place to handle the current and future inventory for parts needed to operate a successful garage. It is the responsibility as described as essential job functions of the fleet mechanics to properly account for parts and inventory items. Likewise, as described as an essential job function for the Transportation Garage Manager to verify that all parts and inventory used by the garage are properly accounted for. This will be completed by December 31, 2022.


In addition, we are currently working on a draft policy regarding the acceptable use of the UNH Garage facilities, including off-hours use, the procurement, accounting, and use of university provided tools, and the tracking of tools provided by employees. This will be completed by March 31, 2022.

5. Enhance protection of University purchased garage tools

We noted that UNH Garage tools are currently not tracked and recorded. In addition, no identifier is added on the tool that would distinguish this tool from the tools that mechanics own. Any tools purchased by UNH are placed in the tools room to be used by the garage mechanics and other UNH facility staff as needed. There is a risk that these tools could be used for unauthorized purposes and inappropriately removed from the UNH Garage tools room, which can cause a financial loss to the University. We recommend that tools are tracked and labeled. Staff should be instructed to ensure that they remain on UNH property. In addition, an annual physical inventory should be performed over all tools owned to ensure accuracy and completeness. Expensive tools with extended life should be included in the year-end inventory value in accordance with the USNH Capitalization policies.

Management Action Plan – Associate Vice President for Facilities and Operations, UNH

We are currently working on a draft policy regarding the procurement, accounting, and use of university provided tools. This will be completed by January 31, 2022. In addition, an annual physical inventory will be performed over all UNH owned tools to ensure accuracy and completeness. This will be completed by December 31, 2022.

6. Enhance physical security

The garage facilities including tools and parts storage rooms are accessible by the staff during off hours using key locks. Keys can be shared among staff members and can be lost, stolen, or duplicated and could be exploited for unauthorized use. In addition, we noted that currently there are no cameras installed at UNH Garage to monitor access to the tool and parts storage rooms. There is a risk that garage facilities, tools, and vehicle parts could be misappropriated for unauthorized use.

We recommend the following with regard to this observation:

1. Develop and communicate protocols for acceptable use of garage resources. UNH management should perform a cost-benefit analysis and consider replacing all physical keys with an electronic card reader to monitor access to UNH Garage during off hours and the weekend.

2. UNH management should perform a cost-benefit analysis and consider installing cameras to monitor all activities within the tools and the parts storage room.

Management Action Plan – Associate Vice President for Facilities and Operations, UNH

We will develop and communicate protocols for acceptable use of Garage resources. In addition, we will perform a cost-benefit analysis and consider replacing all physical keys with an electronic card reader and consider installing cameras to monitor all activities. This will be completed by January 31, 2022.

7. Enhance outreach of services to leverage scale

We were informed that some internal departments are not utilizing the UNH Garage services on the basis that the repairs are not cost efficient in comparison to the market. Larger operations can reduce the marginal cost of operation and can make operations effective. If certain services are too expensive to operate in comparison to the market, it may be more efficient to procure such services externally.

We recommend that management evaluate the current business model and provide clear guidance and requirements to departments on the use of Garage services.

Management Action Plan – Associate Vice President for Facilities and Operations, UNH

We will evaluate the current business model and request the COO to communicate clear guidance and requirements to departments on the use of UNH Garage services. This will be completed by December 31, 2022.

Internal Audit | 5 Chenell Drive, Suite 301, Concord, NH 03301 | usnh.edu

Granite State College

Student Identity and Financial Verification Audit

Report issued November 30, 2021

November 30, 2021

James W. Dean Jr., President
Granite State College
Concord, New Hampshire 03301

Dear President Dean:

This letter conveys our report on the audit of the Granite State College Student Identity and Financial Verification. As communicated in our engagement letter of February 26, 2021, the primary objective of the audit is to obtain reasonable assurance on the effectiveness of internal controls around the student identity and financial verification process, and whether existing internal controls are efficient and operating as expected.

This report reflects our observations, which were discussed with members of GSC management, and their action plans in response to our recommendations. It is being distributed to the individuals listed below and will be presented to members of the Audit Committee of the University System of New Hampshire (USNH) at its next scheduled meeting. It is also available for review by external auditors of USNH.

We appreciated the full cooperation and assistance we received from Mac Broderick, Director of Student Financial Services, with whom Christine Heise, Senior Internal Auditor, worked most closely as she conducted the fieldwork for this audit. Please feel free to contact me with any comments, questions, or suggestions you may have.

Sincerely,

Ashish Jain
Director of Internal Audit

Distribution:
Mac Broderick, Director of Student Financial Services, GSC
Mike Decelle, Dean, GSC and UNH-Manchester
Wayne Jones, Provost and Vice President for Academic Affairs, UNH
Tara Payne, Vice President for Enrollment Management, GSC
Catherine Provencher, Vice Chancellor and Treasurer, USNH
Chris Williams, Assistant VP of Enrollment Operations, Advising, Admissions, GSC

I. Executive Summary

We performed an audit of the Granite State College student identity and financial verification process. We noted that GSC could enhance protocols to ensure compliance with federal financial aid requirements. Specifically, we noted that existing protocols do not identify students who stopped participating in their courses during the term. The unearned financial aid for these students was not calculated and returned to the Department of Education. We recommend that management enhance academic and financial aid policies to include formal course participation requirements and develop protocols to identify students who discontinue coursework during the term.

We also noted students who submitted conflicting and modified high school completion documentation, which was not identified and followed up by Financial Aid. Management should enhance student financial aid verification procedures to include the identification, tracking, and resolution of conflicting or altered financial aid supporting documentation.

We also noted that there are inadequate procedures over the verification of student identity to ensure that federal financial aid funds are only allocated to students who have the intent to pursue the academic program, hence meeting an important federal financial aid eligibility requirement. We recommend that management incorporate academic purpose into the admissions process and develop a protocol that identifies red flags for potential student financial identity fraud issues in the areas of admissions, course activity, and disbursements. Additionally, management should develop and implement student identity and verification policy and procedures. Management should consider making more frequent disbursements of Title IV funds so that not all of the payment period’s award is disbursed at the beginning of the term.

We also noted there is an opportunity to enhance student refund processing protocols. Student accounts roles and responsibilities should be revised, considering segregation of duties. Management should develop protocols to ensure that advance financial aid transactions are independently reviewed and approved. Guidelines should be developed for issuing student refunds to alternate payees or addresses.

Additionally, we noted that management should enhance student account policies and procedures to include Red Flag requirements. These policies should include, but not be limited to, the identification of red flags, detection of red flags, and the prevention and mitigation of identity theft.

Moreover, we noted the opportunity to enhance WebRock account setup protocols and the security of sensitive information. Management should require students to validate identity during WebRock account setup and reduce the time available for a student to set up their account. Multi-factor authentication should be implemented for WebRock in accordance with current industry standards for protecting sensitive data. Also, management should develop formal protocols to verify a student’s identity before accessing, providing sensitive information to the student, and making changes to a student account.

Finally, we noted that management should review Banner role authorizations for appropriateness and alignment with business process and job responsibilities, while considering segregation of duties.

II. Background

In 2013, the OIG reported to Congress that federal student aid recipients potentially participating in fraud rings had increased 82% from 2009 to 2012, causing an estimated loss of $187 million.[1] According to a 2014 OIG report, “eight schools disbursed nearly $222 million to more than 42,000 distance education students who did not earn any credits during at least one payment period.”[2] Online or other distance learning poses an inherent risk where fraudsters can use stolen identities to obtain financial aid inappropriately.

[1] https://www2.ed.gov/about/offices/list/oig/semiann/sar66.pdf
[2] https://www2.ed.gov/about/offices/list/oig/misc/mgmtchall2015.pdf

Student Application/Enrollment Process

A student contact record is created in Salesforce with a student’s name, email, and phone number. Students can apply to GSC through the GSC website via Salesforce. All completed applications are interfaced with Banner Student. The identity management (IM) process has criteria to detect same or similar student records in Banner Student. After the completion of the IM process, a student record is created in Banner Student and the student is sent an email with a link to create a WebRock username and password. GSC students have 180 days from the time the account is created to set a password. Through the WebRock portal, students can then register for courses, view financial aid requirements, view financial aid awards, make payments on their account, and update student demographic information (i.e., address, phone number, ACH banking information).

Students are accepted, conditionally accepted, or denied admission to GSC. Conditionally accepted students cannot register until all outstanding requirements are satisfied. Outstanding admissions requirements are tracked in Banner Student form SAAADMS. As part of the application process, students self-certify that they have completed high school.

Students can also request that FAFSA information be sent to GSC, in the form of an Institutional Student Information Record (ISIR), prior to submitting a GSC application. GSC Financial Aid receives student FAFSA information via the Central Processing System (CPS) and processes, packages, and finalizes a student’s financial aid package, pending receipt of an application. Banner Student has been configured so that financial aid cannot be posted to a student account unless all GSC admissions and financial aid requirements are met.

Student Reactivation Process

Student accounts are automatically inactivated after three terms of inactivity. If a student wants to continue in their academic program, a reactivation request can be sent to the student’s advisor, or a student can complete the reactivation request form on the GSC website. The student account is not reactivated until a student registers for a course.

Title IV - Federal Financial Aid

To apply for federal financial aid, students complete the FAFSA. In order to be eligible to receive federal student aid, a student must: (1) be a citizen or eligible noncitizen of the United States, (2) have a valid social security number, (3) have a high school diploma or a General Education Development (GED) certificate, or have completed homeschooling, (4) be enrolled in an eligible program as a regular student seeking a degree or certification, (5) maintain satisfactory academic progress, (6) not owe a refund on a federal student grant or be in default on a federal student loan, (7) register with the Selective Service System, if you are a male and not currently on active duty in the U.S. Armed Forces, and (8) not have a conviction for the possession or sale of illegal drugs for an offense that occurred while you were receiving federal student aid.

GSC student financial aid is packaged to cover tuition, fees, and books for two courses per term. Students receive a financial aid award letter that lists the financial aid award for each term by the type of aid (i.e., Federal Pell Grant, Direct Sub Loan etc.). Students can complete an award revision form to (1) decline federal direct loans, (2) cover the cost of tuition, fees, and books only, and (3) increase loans to allow for additional funding above tuition, fees, and books.

FAFSA Verification

Each year the Department of Education selects student FAFSAs for verification to confirm that the data reported on the FAFSA form is accurate. When a student is selected for verification, the institution is responsible for obtaining documentation that supports information reported on the financial aid application. The Department of Education identifies various verification groups, each of which identifies the items to be verified.

| 2020/2021 – FAFSA Verification Group | 2020/2021 – Items to Be Verified |
|---|---|
| V1 – Standard Verification Group: Tax Filer | AGI, U.S. income tax paid, untaxed portions of IRA distributions, untaxed portions of pensions, IRA deductions and payments, tax-exempt interest income, education credits, household size, and number in college |
| V1 – Standard Verification Group: Non-Tax Filer | Income earned from work, household size, number in college |
| V4 – Custom Verification Group | High school completion status and identity/statement of educational purpose |
| V5 – Aggregate Verification Group | All items from V1 standard verification group, high school completion status, and identity/statement of educational purpose |

GSC also selects FAFSAs for verification if conflicting information is obtained or supporting documentation does not align with expectations, in order to comply with federal requirements. According to 34 CFR 667.54 (a), if an institution has reason to believe that an applicant’s FAFSA information is inaccurate, it must verify the accuracy of that information. An institution may require an applicant to verify any FAFSA information that it specifies. During the 2020-2021 financial aid year, 1,477 GSC students received federal financial aid, of whom 351 (24%) were selected for federal or GSC financial aid verification. See the table below for a breakdown of the 2020-2021 financial aid verifications by type.

| FAFSA Verification Group Type | # of Students Selected |
|---|---|
| V1 | 296 |
| V4 | 21 |
| V5 | 10 |
| GSC selected verifications | 24 |
| Total | 351 |

Of the 1,477 GSC students who received Title IV financial aid, only 31 were selected for V4 or V5 verification. Since student identity verification is only performed if a student record is flagged under the Title IV verification process, the remaining 98% of GSC students who received federal financial aid did not have their identity validated.

Federal financial aid requirements stipulate that college financial aid offices should not process requests for professional judgement or disburse federal student aid until the verification process is complete. Financial aid administrators have the right to ask for any documentation they feel is necessary to complete verification. If the student or family refuses to supply this documentation, the college is prohibited from disbursing federal student aid to the student.

According to 34 CFR 668.16(f), the Secretary considers an institution to have that administrative capability if the institution develops and applies an adequate system to identify and resolve discrepancies in the information that the institution receives from different sources with regard to a student’s application for financial aid under Title IV, HEA programs. In determining whether an institution’s system is adequate, the Secretary considers whether the institution obtains and reviews (1) all student aid applications, need analysis documents, Statements of Educational Purpose, Statements of Registration Status, and eligibility notification documents presented by or on behalf of each applicant; (2) any documents, including any copies of State and Federal income tax returns, that are normally collected by the institution to verify information received from the student and other sources; and (3) any other information normally available to the institution regarding a student’s citizenship, previous educational experience, documentation of the student’s social security number, or other factors relating to the student’s eligibility for funds under the Title IV, HEA programs.

According to 34 CFR 668.16(f), a school must have an adequate internal system to identify conflicting information and resolve discrepant information. Also, the Dear Colleague letter[3] from the Department of Education in 2011 stipulates that it is imperative that institutions comply with all existing statutory and regulatory requirements to disburse aid only to eligible students, to identify and resolve discrepancies in student information, to ensure that all requirements regarding regular student status are met, and to report any suspected fraud to the Department’s IG. The Department strongly encourages institutions that suspect potential fraud to question an applicant’s intent to seriously pursue the academic program by requiring the student to demonstrate that he or she has an academic purpose in order to establish eligibility for Federal student aid.

[3] https://fsapartners.ed.gov/knowledge-center/library/dear-colleague-letters/2011-10-20/gen-11-17-subject-fraud-postsecondary-distance-education-programs-urgent-call-action-updated-8212020

Student Participation

Financial aid is awarded to students with the expectation that a student will enroll, attend, and participate in the class for the entire term. According to the GSC attendance and participation policy, “attendance requirements vary. It is the student’s responsibility to ascertain what each instructor requires.” To comply with federal student financial aid requirements, GSC validates student attendance and participation in courses during the first two weeks of each term. Financial aid is then distributed to student accounts following this verification. For students who did not participate in the course, the GSC academic advisor will reach out to the student.

Student Withdrawals

According to 34 CFR 668.22, a student is considered to have withdrawn from a payment period or period of enrollment if (a) in the case of a program that is measured in credit hours, the student does not complete all the days in the payment period or period of enrollment that the student was scheduled to complete. A school is required to determine the earned and unearned portions of Title IV aid as of the date the student ceased attendance based on the amount of time the student spent in attendance. Up through the 60% point in each payment period or period of enrollment, a pro rata schedule is used to determine the amount of Title IV funds the student has earned at the time of withdrawal. After the 60% point in the payment period or period of enrollment, a student has earned 100% of the Title IV funds the student was scheduled to receive during the period.

According to the GSC Grading and Evaluation policy, students who stop participating in a course and have not completed course work sufficient for the assessment of course outcomes by the faculty member to issue a letter grade are awarded an AF (administrative failure) grade. The awarding of an AF grade will result in a proportionate reduction of a student’s financial aid on their account. Also, the GSC Unofficial Withdrawal policy states that if a student stops attending all of their classes without officially withdrawing, the student is considered to have withdrawn from the term. GSC will be required to determine the percentage of aid earned for the term. Since the College is not required to take attendance, GSC is permitted to use the 50% point of the term as the withdrawal date.

For students who withdraw or unofficially withdraw from GSC, the pro-ration of financial aid on the student account will result in a balance due to GSC. A student is unable to register for a subsequent term until the student resolves the balance due on their account.

Student Refunds

After the add/drop period, Student Accounts runs a refund report that lists all self-pay students that have a credit balance. Refunds will be issued to students based upon method of payment. Student Accounts runs a Banner Student baseline job that posts financial aid funds to student accounts. The refund process updates the student accounts receivable record and identifies whether the refund is Title IV or Non-Title IV. These refunds are fed to the Banner Finance system and processed by USNH. If a student has ACH banking information in WebRock, an ACH refund will be generated. Students without ACH information will receive a paper check to the address listed on their student record.

Satisfactory Academic Progress

Federal regulations require that all students receiving Title IV financial aid progress at a reasonable rate toward achieving and completing their program of study by making satisfactory academic progress (SAP). SAP includes a qualitative measure (GPA) and a quantitative measure (pace) of a student’s progress toward degree or certificate completion, and maximum timeframe limitations. The GSC Office of Financial Aid is responsible for ensuring that all students who receive Title IV financial aid are achieving these standards.

FTC Red Flags Rule

Federal Trade Commission 16 CFR Part 681 regulation requires each creditor that offers or maintains one or more covered accounts to develop and implement a written Identity Theft Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must provide for continued policies and procedures to identify, detect, respond to Red Flags, and update the Program, as necessary.

The USNH Identity Theft Prevention Program was developed and approved by the Board of Trustees on April 30, 2009.

III. Scope

The audit focused on key controls surrounding the student identity and financial verification process. We performed an audit to obtain reasonable assurance whether the risks associated with the student identity and financial verification process are appropriately identified and managed, internal controls are in place, and the established internal controls are designed effectively and operating as expected. Specifically, we performed the following procedures:

• Interviewed GSC personnel in the Financial Aid Office, Registrar’s Office, Student Accounts Office, and Admissions Office;

• Reviewed a sample of students selected for FAFSA verification;

• Reviewed a sample of high-risk students identified through data analytics and not selected for FAFSA verification;

• Reviewed a sample of students who received Title IV federal financial aid for compliance with SAP policy;

• Reviewed a sample of students for verification of participation in enrolled courses;

• Reviewed a sample of students for satisfaction of financial aid and admissions requirements prior to disbursement of financial aid;

• Reviewed modify access to Banner Student Financial Aid Verification Form RRAAREQ, Financial Aid Selection Rules Form RORRULE, Student Demographics Form SPAIDEN, Student Admissions Application Form SAAADMS, Direct Deposit Form GXADIRD, Student Accounts Refund Processing Forms GURAPAY and TSAMASS;

• Met with GSC Director of Student Financial Services to confirm test results.

During the audit we came across certain data security issues, which are presented in this report; however, the review of data security protocols was not an objective of the audit. Therefore, the work should not be used to rely on effectiveness of data security practices at GSC.

IV. Report Structure

The six observations in Section V of this report outline internal control issues for management’s attention and consideration. The order of the comments is based on their relative importance in terms of potential risk to UNH or foregone effectiveness if not addressed. An asterisk next to an observation indicates its significance for management attention and resolution; these observations will be tracked for the USNH Audit Committee’s monitoring until resolved. The report contains recommendations that management has considered and incorporated into the management action plans indicated below.

V. Observations

*1. Enhance compliance with Title IV federal financial aid requirements

A. We noted control enhancement opportunities to ensure compliance with federal financial aid requirements. Based on sample testing, we noted the following:

i. During testing of student course participation of seven students, we noted the following:

a. A student who received both Fail and Administrative Failure grades during the Winter 2021 term, which started 1/4/21 and ended 3/26/21. This student only had online course activity from 1/5/21-1/22/21 in both courses. The GSC Unofficial Withdrawal Policy indicates that if a student stops attending all of the classes, the student would be considered to have unofficially withdrawn from the term. GSC does not have effective and consistent protocols in place to identify students who stop attending all classes; rather, GSC relies on the awarding of “Academic Failure” final course grades by the instructor to indicate that a student stopped attending and then processes an adjustment of unearned federal financial aid on the student account. Because this student received a Fail in one course during the same term, the student was not processed as unofficially withdrawn and federal financial aid funds were not returned to the Department of Education.

b. Three students were awarded a Fail grade, while they had course log activity of four or less days during the academic term. We noted that the financial aid applied to these student accounts was not adjusted because the students were not awarded an Academic Failure grade by the instructor.

Federal regulations require institutions to return a portion of Title IV funds for students who discontinue coursework during a term. These conditions exist because GSC does not have protocols in place to identify students who stop attending their GSC courses. Also, GSC policy does not define course attendance/participation requirements to ensure accurate and consistent application. There is the risk that unearned Title IV financial aid funds are not returned, resulting in non-compliance with federal requirements.

ii. We noted that GSC does not have formal protocols to comply with 34 CFR 668.16(p), which requires institutions to develop and follow procedures to evaluate the validity of a student’s high school completion if the institution has reason to believe that the high school diploma is not valid or was not obtained from an entity that provides secondary school education. Based on a sample of transactions, we noted the following:

a. For one of four selected students, the high school diploma and transcript supporting documentation (to support FAFSA verification requirements) did not agree with the high school listed on the FAFSA by the student.

b. One high school transcript submitted (to satisfy FAFSA verification requirements) was manually altered to include three additional courses and the associated grades and credits earned. The transcript was modified to reflect these courses in the total credits earned, but GPA credits, GPA, and class rank were not modified. This transcript also had a withdrawal date two days prior to the graduation date listed on the transcript.

No follow-up was performed in these instances because GSC does not have procedures to consistently identify or follow up on conflicting or modified high school completion supporting information. There is the risk that federal financial aid is awarded to students that do not meet eligibility requirements, resulting in non-compliance with Title IV federal guidelines. Non-compliance could result in fines and penalties for the College.

iii. According to 34 CFR 668.16(f), institutions must have an adequate internal system to identify conflicting information and resolve discrepant information. We noted that GSC does not track the discrepancy reasons where the conflicting information is detected under existing protocols. Therefore, there is no assurance that the reason for the conflicting information has been properly resolved to comply with federal requirements.

We have the following recommendations with regards to this observation:

• Management should develop protocols to identify students who discontinue coursework during each term.

• Management should consider reviewing and enhancing the Unofficial Withdrawal policy to include timely identification of non-participating students.

• Management should define course participation requirements in academic policies and procedures. Course participation requirements should be communicated to faculty and students.

• Management should review the student course activity for the above noted students, determine if course academic requirements were met and return unearned financial aid, as appropriate.

• Management should develop protocols for identifying, tracking, and resolving conflicting or altered financial aid supporting documentation and incorporate related guidance into financial aid procedures. Staff responsible for the processing of financial aid or verifying FAFSA information should be trained on the protocols.

• Management should validate that the above students met the high school completion requirement. If not, management should reverse federal financial aid applied to the student account and report to Department of Education Office of Inspector General, as appropriate.

• Management should develop documentation protocols for FAFSAs selected by GSC for verification.

Management Action Plan

The following actions will be taken by the Dean, Academic Affairs and Undergraduate Studies to address this observation:

• Information on the Administrative Failure (AF) and Failure (F) grade difference was reviewed at the Fall Undergraduate Faculty Meeting (includes adjunct faculty) on October 19, 2021.

• Targeted outreach to faculty teaching in high enrolled, high frequency courses will be conducted during fall term, prior to the end of term grade deadline. These courses typically have higher D/F/W/AF grade rates and often include first-time students. Work to be completed by November 30, 2021.

• Academic Affairs will review other institutions’ policies on attendance, participation, and AF grade definition as part of our review of academic policies that will be taking place during merger working groups. Work to be completed by May 31, 2022.

The following actions will be undertaken by the Director of Student Financial Services to address this observation:

• Financial Aid will review current practices related to the review of HS transcripts. The federal verification rules are changing with regards to the review of high school transcripts. We will review the new guidance and adjust our practices. Work to be completed by November 30, 2021.

• The Financial Aid Office will enhance current protocols for selecting and documenting students for verification. Work to be completed by January 31, 2022.

• The Financial Aid Office will work with Academic Affairs to review course activity for the identified students to determine if academic requirements were met and adjust financial aid, as appropriate. Work to be completed by November 12, 2021.

• The Financial Aid Office verified the authenticity of the High School transcripts identified as potentially problematic during this audit. The two students in question completed High School. Work completed on November 1, 2021.

• The Financial Aid Office already devotes much effort to the review of documents but will increase scrutiny on required documents, develop additional follow up procedures for instances of potential conflicting information, and train responsible staff. Work to be completed by November 30, 2021.

B. The 2011 Federal Student Aid “Dear Colleague” letter advises institutions to take preventive measures to identify distance education student aid fraud. We noted the opportunity to enhance student identity verification procedures to identify potential fraud.

i. During our testing of students selected for FAFSA verification, we noted that the procedures are not effective to identify student aid fraud in a timely manner. Specifically, we noted the following:

a. Two of five students, selected for V5 verification, used the same IP address to access the same GSC online course during the Spring 2021 term. These two students had different physical addresses on their GSC student record. Both students opted to receive maximum financial aid funds available and obtained refunds of $4,165 and $4,328. Neither student completed their GSC course during the Spring term. Their lack of progress was detected via the annual Satisfactory Academic Progress (SAP) review, and their SAP appeals included the same extenuating circumstance and medical documentation from the same physician with a doctor’s visit on the same date.

b. Three out of 20 students used the same mailing address for GSC student accounts, while the students had a different physical address listed on their 2020-21 FAFSA. Two of these students used the same IP address to access the GSC online course. These students opted to receive maximum financial aid funds available and received refunds of $8,528, $7,262, and $4,327 from Fall 2020 to Spring 2021 terms.

c. Two out of 20 students submitted a paper tax return for FAFSA verification that had the same AGI, taxes paid, occupation, city and state of residence, and banking ACH information. These two students used the same IP address to access the GSC online course.

Due to inadequate procedures to identify these suspicious students in a timely manner, there is a risk that the federal financial aid can be distributed inappropriately to fraudsters posing as students.

ii. We performed data analytics to identify high risk students who received federal financial aid but were not selected for FAFSA verification. Through our testing of a sample of five high-risk students, we noted that the suspicious non-participating students are not flagged in a timely manner. Specifically, we noted the following:

a. One of the selected students registered using fake addresses on their GSC student account. This student opted to receive maximum financial aid funds available and received refunds totaling $8,024 for the Winter and Spring 2021 terms. This student enrolled in four courses and did not earn any credits; existing procedures were not able to flag this student for additional verification in a timely manner. We noted that GSC annual satisfactory academic progress verification detected this student as not meeting requirements at the end of the Spring 2021 term and placed an academic hold on their account.

b. One student opted to receive maximum financial aid funds available and received a refund of $4,328 for Spring 2021 term. This student enrolled in one course and did not earn any credits. This student did not meet satisfactory academic progress as of the end of Spring 2021 term, resulting in an academic hold on their account. This student submitted an SAP appeal, which was denied due to GSC’s inability to validate medical documentation to support the appeal. Finally, we also noted that this student had enrolled and received federal financial aid to attend another online university during the 20/21 academic year and did not transfer credits.

These conditions exist because (1) GSC does not validate student identity as part of the student admissions process, (2) GSC does not monitor for high-risk student activity that could be an indicator of potential student financial aid fraud and, (3) GSC does not have procedures in place to identify students who stop attending courses. There is the risk that these students are using someone else’s identity to fraudulently obtain federal financial aid funds, resulting in reputational and financial loss for the College.

We have the following recommendations with regards to this observation:

• Management should incorporate academic purpose questions into Admissions application process to comply with federal Student Financial Aid requirements.

• Management should consider making more frequent disbursements of Title IV funds so that not all of the payment period’s award is disbursed at the beginning of the term.

• Management should develop and implement student identity verification policy and procedures.

• Management should develop a formal process for identifying, tracking, and monitoring high risk or unusual student activity. Management should develop a monitoring program that identifies red flags for potential student financial aid identity fraud issues in the following areas:

o Admissions process: applications from the same IP address, calls from the same phone number, same email address or alias, clusters of students from high risk out of state locations, and different student address on application and FAFSA.

o Course activity: same IP address associated with multiple students, same/similar password, and security questions/answers for WebRock account, and enrollment in the same classes/programs.

o Disbursements: funds for different students disbursed to same bank account (same routing and last four digits only), refund checks mailed to same address, student address changes just prior to disbursement.

• Management should review feasibility of online identity verification services for use at time of application and admission. Alternatively, management should consider sending the student acceptance letter via U.S. mail to help to identify fake or undeliverable addresses.

• Management should consider incorporating OIG Federal Student Aid webinars as part of GSC training program.

• Management should develop formal protocols to report suspected fraud to the Department of Education Inspector General’s office, as required.
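The red-flag monitoring recommended above can be sketched as a small screening script. This is an added example, not part of the audit report or any GSC system; the record layout, field names, the 14-day window, and the two-flag review threshold are assumptions, and every record is constructed sample data.

```python
import re
from collections import defaultdict
from datetime import date

WINDOW_DAYS = 14  # assumption: "just prior to disbursement" means within 14 days
MIN_FLAGS = 2     # assumption: a single indicator alone does not trigger review

# Constructed sample records; IP addresses are from documentation ranges.
# "bank" holds (routing number, last four digits) only, as the report suggests.
STUDENTS = [
    {"id": "S001", "course_ips": {"203.0.113.10"},
     "mailing": "12 Elm St., Apt 4, Concord NH", "fafsa": "98 Oak Ave, Reno NV",
     "bank": ("000000001", "4321"),
     "addr_changed": date(2021, 1, 20), "disbursed": date(2021, 1, 25)},
    {"id": "S002", "course_ips": {"203.0.113.10", "198.51.100.7"},
     "mailing": "12 elm st apt 4 concord nh", "fafsa": "5 Pine Rd, Tulsa OK",
     "bank": ("000000001", "4321"),
     "addr_changed": None, "disbursed": date(2021, 1, 25)},
    {"id": "S003", "course_ips": {"198.51.100.7"},
     "mailing": "12 Elm St Apt 4 Concord NH", "fafsa": "12 Elm St Apt 4 Concord NH",
     "bank": ("000000002", "9999"),
     "addr_changed": date(2020, 6, 1), "disbursed": date(2021, 1, 25)},
    {"id": "S004", "course_ips": {"192.0.2.55"},
     "mailing": "7 Main St, Keene NH", "fafsa": "7 Main St, Keene NH",
     "bank": ("000000003", "1111"),
     "addr_changed": None, "disbursed": date(2021, 1, 25)},
    {"id": "S005", "course_ips": {"192.0.2.77"},
     "mailing": "40 Lake Rd, Dover NH", "fafsa": "40 Lake Rd, Dover NH",
     "bank": ("000000004", "2222"),
     "addr_changed": date(2021, 1, 22), "disbursed": date(2021, 1, 25)},
]


def norm_addr(addr):
    """Case- and punctuation-insensitive form so trivial variants still match."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split())


def shared(students, values_of):
    """Map each attribute value to the students using it; keep values used by 2+."""
    seen = defaultdict(set)
    for s in students:
        for value in values_of(s):
            seen[value].add(s["id"])
    return {v: ids for v, ids in seen.items() if len(ids) > 1}


def red_flags(students):
    """Return ({student_id: set of flag names}, [sets of linked student ids])."""
    flags = {s["id"]: set() for s in students}
    link_rules = {
        "SHARED_COURSE_IP": lambda s: s["course_ips"],
        "SHARED_MAILING_ADDRESS": lambda s: [norm_addr(s["mailing"])],
        "SHARED_BANK_ACCOUNT": lambda s: [s["bank"]],
    }
    links = []
    for name, values_of in link_rules.items():
        for ids in shared(students, values_of).values():
            links.append(ids)
            for sid in ids:
                flags[sid].add(name)
    for s in students:
        if norm_addr(s["mailing"]) != norm_addr(s["fafsa"]):
            flags[s["id"]].add("ADDRESS_DIFFERS_FROM_FAFSA")
        changed = s["addr_changed"]
        if changed and 0 <= (s["disbursed"] - changed).days <= WINDOW_DAYS:
            flags[s["id"]].add("ADDRESS_CHANGE_BEFORE_DISBURSEMENT")
    return flags, links


def clusters(links):
    """Merge overlapping link groups into connected clusters of student ids."""
    merged = []
    for ids in links:
        ids = set(ids)
        for c in [c for c in merged if c & ids]:
            ids |= c
            merged.remove(c)
        merged.append(ids)
    return sorted(sorted(c) for c in merged)


def review_queue(students):
    """Students with MIN_FLAGS or more indicators, most indicators first."""
    flags, _ = red_flags(students)
    hits = [(sid, sorted(f)) for sid, f in flags.items() if len(f) >= MIN_FLAGS]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))


if __name__ == "__main__":
    for sid, names in review_queue(STUDENTS):
        print(sid, names)
    print("linked clusters:", clusters(red_flags(STUDENTS)[1]))
```

A shared IP address or mailing address on its own also matches households and public networks, which is why the sketch queues a student for manual review only when indicators combine.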

Management Action Plan

The following actions will be taken to address this observation:

• The Admissions Operations Office is reviewing the possibility of adding academic purpose questions to the admissions application. Work to be completed by January 31, 2022. Responsible Party: AVP of Enrollment Operations

• In response to this audit, the Admissions Operations Office created a report to search for duplicate IP addresses used to submit the admissions application. The office is developing a procedure to review IP addresses over the past year to identify any duplicates and will develop a policy to determine if students should be accepted. Currently, when a student or group of students presents with a red flag during admissions, the office asks for additional identity verification documents. Work completed in October 2021. Responsible Party: AVP of Enrollment Operations

• The Financial Aid Office will develop formal protocols to report suspected fraud to the Department of Education Inspector General’s Office. Work to be completed by December 31, 2021. Responsible Party: Director of Student Financial Services.

• The Student Accounts Office will develop a report to search for duplicate bank account information on the student record. Work to be completed by November 30, 2021. Responsible Party: Director of Student Financial Services

• The Financial Aid Office will explore the possibility of dividing disbursement of aid into multiple disbursement dates. Work to be completed by November 30, 2021. Responsible Party: Director of Student Financial Services

• Management, in coordination with USNH Information Technology, will research identification tools available for use during the admissions process. Work to be completed by February 28, 2022. Responsible Party: Director, Business Applications Administration

• The Financial Aid Office will review the OIG FSA webinars for use in future trainings. Work to be completed by December 31, 2021. Responsible Party: Director of Student Financial Services

*2. Enhance student refund processing protocols

We noted that student advance financial aid payment protocols could be enhanced. GSC uses Banner Accounts Receivable Form TSAMASS to process advanced Title IV book/supply funds for students. This form requires staff to manually enter the student ID, detail code, term, and amount. We noted that there are no restrictions on the purpose or maximum dollar amounts for advances processed without approvals, as noted. Additionally, we noted that the Assistant Director of Student Accounts is responsible for processing and reviewing student charges/refunds entries in TSAMASS. Segregation of duties is a key preventative internal control and is intended to minimize the occurrence of errors or fraud. The lack of segregation of duties leads to an increased risk for errors and misappropriation of assets.

We also noted that GSC student accounts staff use Banner form GURAPAY to modify the student refund payment payee name and address to direct the refund to an individual (other than the student) or an alternate address not listed on the student record. Refunds modified in the GURAPAY form are not reviewed or approved. There is the risk for inaccurate student refund payments and fraudulent activity.

Additionally, we noted via inquiry that student accounts staff do not enter or update student direct deposit information in Banner. Students are directed to WebRock to manage their banking information. Per our review of Banner form access, we noted that student accounts staff have modify access to GXADIRD (student direct deposit) in Banner. Access granted to Banner Form GXADIRD does not align with GSC operating business process. There is the risk that unauthorized changes are made to student banking information, resulting in diversion of funds and financial and reputational loss for the college.

Finally, we noted that student accounts staff have modify access to Banner Student form SPAIDEN. As a result, the staff have the ability to update student name and address, which are all key fields used in the processing of student refunds. Employees involved in refunds should not have access to modify the student record, as inadequate segregation of duties could be exploited to modify an existing student record and process unauthorized refunds against these records. There is the risk for unauthorized student refunds and fraudulent activity.

We have the following recommendations with regards to this observation:

• Management should revise Student Accounts related roles and responsibilities, considering segregation of duties, and communicate these to all staff.

• Management should develop protocols to ensure that advance financial aid payment transactions are independently reviewed and approved. The review should be documented.

• Establish maximum dollar amount thresholds for financial aid advances processed in TSAMASS.

• Management should develop guidelines for issuing student refunds to alternate payees or addresses.

• Student refunds issued to different payees or addresses should be reviewed for appropriateness.

• Management should update Banner Form GXADIRD access to align with business process. Alternatively, GSC should independently review and approve student bank account changes made by GSC Student Accounts staff.

Management Action Plan – Director of Student Financial Services

The following actions will be taken to address this observation:

• The Student Accounts Office is reviewing the refund process to develop controls over the process and ensure that no one person is able to adjust addresses and disburse funds. Work to be completed by December 31, 2021.

• The Director of Student Financial Services will review and remove staff modify access to Banner Form GXADIRD. If access levels cannot be adjusted, GSC will develop a process to review and approve student bank account changes processed by GSC.

• will implement a process to independently review and approve student bank account changes. Work to be completed by November 30, 2021.

• The Student Accounts Office will review current workflows for the advance book fund payments to students and explore the possibility of controls over the process. Work to be completed by December 31, 2021.

• The Student Accounts Office will review refund process to determine potential controls over payee changes. Payee changes are needed when issuing refunds to 3rd party or to parents in the case of PLUS loans. Work to be completed by December 31, 2021.

*3. Enhance GSC student account policies and procedures

The College has a responsibility under FTC Red Flag Rules to develop adequate procedures to protect and safeguard students’ data. GSC student account policies and procedures do not incorporate FTC’s Red Flag Rule or the USNH Identity Theft Prevention Program. There are no formal protocols on how to prevent or detect identity theft or to report a suspected compromised student account. Also, there is no formal training of staff on the Red Flag Rule or the Program. Non-compliance could result in monetary civil penalties and injunctive relief. Furthermore, any reports of non-compliance could be viewed adversely by the public and can give the perception that GSC does not have strong information security, resulting in reputational harm.

We have the following recommendations with regards to this observation:

• Management should identify GSC operational areas where Red Flags may occur.

• Management should communicate and implement the Program and provide training to employees with job responsibilities that require compliance with the Red Flag Rule.

• GSC policies and procedures should be updated to incorporate the USNH Identity Theft Prevention Program to include but not limited to identification of red flags, detection of red flags, and the prevention and mitigation of identity theft.

Management Action Plan – Director of Student Financial Services

The following actions will be taken to address this observation:

• The Student Accounts Office will conduct a review to determine areas where Red Flags may occur. Work to be completed by January 31, 2022.

• The Student Accounts Office will review the USNH Identity Theft Prevention Program and update GSC policies. Work to be completed by January 31, 2022.

• The Student Accounts Office will develop training for staff working in areas where Red Flag Rules apply. Work to be completed by January 31, 2022.

*4. Enhance WebRock account setup and security protocols

We noted that GSC students receive an account activation link via email, along with their student ID, and are given up to 180 days to set up their account and create a password. There are no requirements for the student to validate their identity when establishing a WebRock username and password. As the link remains active for a long period of time and there is no identity verification performed, there is a risk that an unauthorized individual may obtain access to this link and set up an unauthorized WebRock account, resulting in sensitive student information being compromised.

Additionally, we noted that multi-factor authentication has not been implemented for WebRock accounts. Multi-factor authentication is an additional layer of security designed to reconfirm the identity of the user. Since sensitive data, including financial aid and banking information, is stored in WebRock, GSC management should revisit security protocols. Industry best practices have proven that username and password alone do not provide proportionate security for sensitive information that needs increased protection. There is the risk of unauthorized access and an opportunity to increase security for student WebRock login.

We have the following recommendations with regards to this observation:

• Management should require students to validate identity during WebRock account setup.

• Management should reduce the time available for a student to set up their WebRock account.

• Multi-factor authentication should be implemented in accordance with current industry standards for protecting sensitive data.

Management Action Plan – Director, Business Applications Administration

The following actions will be taken to address this observation:

• Multi-factor authentication is being considered for WebRock. Work to be completed by January 31, 2022.

• The WebRock setup process will be reviewed to determine the time available for a student to set up the account and if identity can be validated during the setup. Work to be completed by January 31, 2022.

*5. Enhance protocols for sensitive student data

We noted that GSC does not have formal protocols in place to verify a student’s identity before the staff provides sensitive information to a student or authorized individual in the areas of financial aid, student accounts, or student registration. Also, there are no formal protocols over the processing of student record demographic changes in the system. There are no guidelines for student demographic data elements that must be updated by students in WebRock versus those elements that can be updated by GSC staff. There is the risk that inaccurate or unauthorized changes could be made to a student record, resulting in legal and reputational liability to the College.

We also noted that sensitive information on student financial aid verification supporting documentation, including social security numbers (SSN) and date of birth, is stored in perpetuity in ApplicationXtender. Sensitive personally identifiable information should be protected under FERPA guidelines, the Gramm Leach Bliley Act (GLBA) and USNH Information Security policy. There is the risk that sensitive information is compromised, and the sensitive data could be accessed by an unauthorized individual.

We have the following recommendations with regards to this observation:

• Management should develop formal protocols to verify a student’s identity before assessing, providing sensitive information to the student, and making changes to a student account.

• Management should develop protocols for processing changes to student records.

• Management should develop security protocols and guidelines for information uploaded and stored in ApplicationXtender.

• Management should develop a requirement to redact sensitive information, where possible. If not possible, implement stricter requirements to protect data.

Management Action Plan

The following actions will be taken to address this observation:

• In response to this audit, the Academic Advising Office developed a protocol to identify students when on the phone. The process includes asking students to verify non-directory information contained in the student record. The process is documented in a Standard Operating Procedure (SOP). The process was shared and adopted by the Admissions office in October 2021. This process will be shared with other offices that interact with students. Work to be completed by November 30, 2021. Responsible Party: Director of Student Financial Services.

• In response to this audit, the Academic Advising Office developed a procedure to redact personal information found in student correspondence saved in Salesforce. Work completed on October 13, 2021. The Financial Aid Office is reviewing the possibility of redacting information in documents submitted and stored in Xtender. The redaction of sensitive information in Xtender will be very difficult. That information may be needed to link the student to the document and information can be found in a number of places within a document, particularly if the document is lengthy. There would be no standard way to review each document and perform the redaction. The Financial Aid Office will review Xtender access by other departments and evaluate other individuals’ access for appropriateness. The Financial Aid Office will review options to purge old data from Xtender. Work to be completed by January 31, 2022. Responsible Party: Director of Student Financial Services

6. Enhance periodic access review and monitoring

We noted that GSC IT generates a monthly Banner security matrix report that is distributed to all department heads for review of user access appropriateness. We noted that this review process is ineffective, as it was noted that the May 2021 report was incomplete and missing select Banner security classes, objects, and roles. Department heads had not noted that the report was incomplete or provided any positive confirmation that users on the list are appropriate users with necessary access. There is the risk that Banner access is not properly reviewed and restricted to those who require access to perform their job responsibilities.

We also noted that access to sensitive Banner forms is not appropriately restricted. Specifically, we noted that modify access to Banner Student Form SPAIDEN (student demographics) is not restricted to those staff in the Registrar’s Office responsible for the maintenance of student record demographic data. Specifically, we noted that modify access to Banner Student Form SPAIDEN was improperly granted to 34 individuals within seven GSC departments that do not have student record responsibilities. There is the risk that inappropriate users can enter or modify student record information. Furthermore, inappropriate access to the College’s sensitive data can result in loss of reputation for the College.

We have the following recommendations with regards to this observation:

• Management should review Banner role authorizations for appropriateness and alignment with business process and job responsibilities, while considering segregation of duties. Management should ensure that no one has modify access to student demographics, student account banking information, and refund processing forms.

• Management should require positive confirmation of monthly Banner access report review by department heads.
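One way to automate the access review described in this observation, as an added example that is not part of the audit report or GSC's own tooling: the export layout, the "modify"/"query" access labels, the department names, and the user names are assumptions, and all rows are constructed. Only the Banner form names come from the report.

```python
from collections import defaultdict

# Duty area for each sensitive Banner form named in the report.
DUTIES = {
    "SPAIDEN": "student demographics",
    "GXADIRD": "direct deposit",
    "TSAMASS": "refund processing",
    "GURAPAY": "refund processing",
}
SPAIDEN_OWNER = "Registrar"  # assumed department label for the Registrar's Office

# Constructed access export rows: (user, department, form, access level).
ACCESS_REPORT = [
    ("asmith", "Student Accounts", "TSAMASS", "modify"),
    ("asmith", "Student Accounts", "GURAPAY", "modify"),
    ("asmith", "Student Accounts", "SPAIDEN", "modify"),
    ("bjones", "Student Accounts", "GXADIRD", "modify"),
    ("bjones", "Student Accounts", "SPAIDEN", "query"),
    ("clee", "Registrar", "SPAIDEN", "modify"),
    ("dkim", "Advising", "SPAIDEN", "modify"),
]

# Constructed monthly sign-offs; a department with no entry never replied.
CONFIRMATIONS = {"Registrar": True, "Student Accounts": False}


def missing_forms(report, expected=DUTIES):
    """Sensitive forms absent from the export, i.e. the report is incomplete."""
    present = {form for _user, _dept, form, _access in report}
    return sorted(set(expected) - present)


def sod_conflicts(report):
    """Users whose modify access spans two or more duty areas."""
    duties = defaultdict(set)
    for user, _dept, form, access in report:
        if access == "modify" and form in DUTIES:
            duties[user].add(DUTIES[form])
    return {user: sorted(d) for user, d in duties.items() if len(d) > 1}


def misplaced_spaiden(report):
    """Users outside the owning office who can modify student demographics."""
    return sorted({user for user, dept, form, access in report
                   if form == "SPAIDEN" and access == "modify"
                   and dept != SPAIDEN_OWNER})


def unconfirmed(report, confirmations):
    """Departments in the export without a positive confirmation on file."""
    departments = {dept for _user, dept, _form, _access in report}
    return sorted(d for d in departments if not confirmations.get(d, False))


if __name__ == "__main__":
    print("missing forms:", missing_forms(ACCESS_REPORT))
    print("segregation-of-duties conflicts:", sod_conflicts(ACCESS_REPORT))
    print("SPAIDEN modify outside owner:", misplaced_spaiden(ACCESS_REPORT))
    print("departments without confirmation:", unconfirmed(ACCESS_REPORT, CONFIRMATIONS))
```

Treating a missing reply the same as a rejection is what turns the monthly distribution into the positive confirmation the recommendation asks for.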

Management Action Plan

The following actions will be taken to address this observation:

• In response to this audit, GSC revised the Banner role review process and now requires an affirmative confirmation of roles each month by department heads. Work completed in September 2021. Responsible Party: Banner Specialist, Integrated Technologies and Services

• Management has reviewed modify access to Banner Student Form SPAIDEN and adjusted access based upon job responsibilities. In addition, the Registrar’s Office and the Student Accounts Office will explore the possibility of altering workflows and the segregation of duties to minimize the need for modify access to student demographic and account records. Work to be completed by January 31, 2022. Responsible Party: The Registrar and the Director of Student Financial Services

Internal Audit | 5 Chenell Drive, Suite 301, Concord, NH 03301 | usnh.edu

Plymouth State University

Financial Aid Data Security Review

Report Issued February 16, 2022

February 16, 2022

Donald L. Birx, President
Plymouth State University
Plymouth, New Hampshire 03264

Dear President Birx:

This letter conveys our report on the Plymouth State University Financial Aid Data Security Review. As communicated in our engagement letter of September 16, 2021, the primary objective of the review is to obtain reasonable assurance that controls are appropriately designed to secure confidential and sensitive data within the department.

This report reflects our observations, which were discussed with members of PSU management, and their action plans in response to our recommendations. It is being distributed to the individuals listed below and will be presented to members of the Audit Committee of the University System of New Hampshire (USNH) at its next scheduled meeting. It is also available for review by external auditors of USNH.

We appreciated the full cooperation and assistance we received from Amy DelVecchia, Information Technologist, PSU, with whom Yasmin Clark, Internal Audit Manager, worked most closely as she conducted the fieldwork for this audit.

Please feel free to contact me with any comments, questions, or suggestions you may have.

Sincerely,

Ashish Jain
Director of Internal Audit

Distribution:
David Blezard, Senior Director, Enterprise IT Systems, USNH
Mac Broderick, Director of Student Financial Services, PSU
Tracy Claybaugh, Vice President for Finance and Administration, PSU
Amy DelVecchia, Information Technologist, PSU
Thomas Nudd, Chief Information Security Officer, USNH
Catherine Provencher, Chief Administrative Officer and Vice Chancellor for Financial Affairs and Treasurer, USNH

I. Executive Summary

We performed a data security review of PSU Financial Aid, within the PSU Student Financial Services office. Based on our review, we noted that there are opportunities to enhance data security practices within this area.

Our first recommendation is to enhance sensitive data handling protocols, including increasing the use of Dynamic Forms to obtain sensitive information from students and parents. Once Dynamic Forms are used consistently by students, it will help to reduce the number of emails received with sensitive data. In addition, purging of obsolete sensitive data will reduce the data security risk. Additionally, the reinforcement of existing policies and procedures to ensure that sensitive information is only provided to authorized persons will help comply with the data security requirements.

We noted that access security protocols for information systems, including Ellucian Banner Student, MyPlymouth, and Dynamic Forms, should be enhanced. There is an opportunity to reduce the risk of unauthorized access to sensitive data by implementing two-factor authentication for these applications and systems.

PSU Financial Services uses an external vendor for shredding paper documents containing sensitive data; however, the contract terms with the vendor do not include appropriate language to protect USNH interests. Furthermore, the vendor’s data handling practices were not reviewed by the USNH Cybersecurity & Networking department, as required under the USNH Cybersecurity policy. We recommend enhancing the vendor security review protocols to ensure that any external vendor that handles PSU’s sensitive data has appropriate language in the contract and undergoes a detailed security review by USNH Cybersecurity & Networking.

II. Background

At Plymouth State University, the Student Financial Services office combines Financial Aid Services and Student Accounts operations. Within this one-stop model, students and families can address their financial needs at a single location. Some of the Student Financial Services staff members are cross trained to understand and handle both financial aid and student accounts operations so that students and families do not have to go to different locations on campus.

The financial aid services strive to use available resources to fill the gap that exists between family resources and the cost of a quality education. Financial aid takes a comprehensive approach in identifying financial aid programs that best meet the financial needs of PSU students. This financial assistance can cover educational expenses including tuition, fees, and room and board. There are several types of financial aid, including grants and scholarships, work study, and loans that are managed by PSU Financial Aid. Financial aid awards may include a combination of the various types of aid.

PSU Financial Aid staff

Financial Aid has four professional staff members on site to administer the aid programs and to advise students and their families regarding the financial aid and scholarship opportunities available to them. In addition, there is one additional staff member who is the customer service representative. This staff member answers any questions that students or parents may have regarding the student’s account, including financial aid and billing questions.

At the time of the review, two staff work remotely for part of the week. USNH Policy USY.V.C.21 requires remote workers to complete the Flexible Work Arrangement Proposal. As part of the proposal, the employee attests to comply with the USNH IT security standards, including but not limited to, logging into the VPN prior to logging into the University systems remotely, storing of University information on PSU servers, and the protection of PSU issued equipment.

PSU Student Workers

Additionally, PSU Financial Aid also employs student workers. All student workers have access to Banner Student to process student related sensitive data. PSU Financial Aid staff, including student workers, process sensitive data, including social security numbers (tax returns, W-2s) and medical information (to excuse poor academic performance in academic progress or effect on income during the financial aid award process). An analysis was performed over these student workers regarding their access to sensitive student data and the analysis was approved by the PSU Dean of Enrollment Management. The analysis included that student workers have an annual background check performed, carefully defined roles and responsibilities have been developed, access rights are periodically reviewed, and student workers are properly supervised by PSU Financial Services staff. During the 2020-2021 academic year, the PSU Financial Services office employed one student worker.

Training Requirements

All PSU Financial Services staff complete annual training requirements, including FERPA, GLBA and Financial Aid training. Additionally, staff read, sign, and electronically submit the following documents annually: confidentiality statement for Financial Aid and Student Account Services employees, NASFAA Code of Conduct, NASFAA Statement of Ethical Principles, Student Loan Code of Conduct, PCI Compliance Acknowledgment, and security reminders. Lastly, each staff member reviews annually the following PSU policies: Acceptable Use of Computing Resources (FIN-ITS-001), Sensitive and Confidential Information Policy (FIN-ITS-002), User Credentials Policy (FIN-ITS-003), Email Use Policy (FIN-ITS-004), Departmental Shared Drive Policy (FIN-ITS-009), and USNH Online Policy Manual (USY.VI.F).
Rules and Regulations To perform the functions of the Financial Aid area, all staff members must understand and comply with all financial aid rules and regulations of the Higher Education Act of 1965. In addition, the U.S. Department of Education publishes the Federal Student Aid Handbook for financial aid offices managing the federal financial aid programs on campus. Data handled by the PSU Financial Aid Office is subject to the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA) and the FTC Red Flag Rules, which are federal laws that protect the privacy of student education records and other private information, including safeguarding the student’s financial information. USNH Cybersecurity policy sets standards for securing University data. In addition, USNH Cybersecurity & Networking implemented a third-party scanning software called Spirion, to scan for PII, HIPAA, and other sensitive data as defined at PSU Student Financial Services. The Financial Aid laptops and desktops currently use an anti-virus providers called CylancePROTECT. USNH IT is currently monitoring the use of this anti-virus provider and has a plan in place to move all PSU laptops and desktop to the USNH IT recommended Windows Defender. Family Access By enrolling in classes at Plymouth State University, students agree to pay all expenses that they incur. The student is responsible for all charges and payments that occur on their tuition bill account. To comply with FERPA guidelines, access to the tuition bill account is restricted to students only. However, students can grant parents and/or guardians access to certain billing information. To grant access, a student needs to log into their MyPlymouth account and invite their family member to create their own myPlymouth account. Students can share the following

Page 83 of 229

Plymouth State University Financial Aid Data Security Review

3

information via Family Access: tuition bill notifications, tuition bill view, enrollment verification, financial aid (only for parent(s) listed on the Free Application for Federal Student Aid (FAFSA) application form), campus flexcash, and a view of the student’s schedule. The student then confirms that they have read and understood their rights under FERPA and acknowledges that they consent to release educational records to the individuals listed in the request. Once access is granted and the parent/guardian sets up their own myPlymouth account, they are able to pay their student’s bill via Nelnet Transaction Solutions (a third-party transaction processing service).

To comply with FERPA and the Higher Education Act (HEA) Section 483(a)(3)(E), PSU financial aid is prohibited from providing certain information from a student’s financial aid record to a third party. For family members to have access to this data (including billing, tuition and fee assessments, financial aid (including scholarships, grants, work-study, or loan amounts), and other student financial aid record information), the student needs to complete the PSU Permission Form. This form grants access to the student’s financial aid award offers, any documents needed to complete the financial aid application, and financial aid cost of attendance. The student must complete the form for anyone not on the FAFSA application who wishes to have access to the student’s financial aid data.

Federal Aid and Private Loans Applications

PSU students can apply for federal grants, loans, and work-study funds to help pay for college. Students apply for this aid by completing the FAFSA form. In addition, the information within the FAFSA form is also used by Plymouth State University to award institutional aid.

To complete the FAFSA form, students need their social security number, alien registration number (if applicable), federal tax information or tax returns, records of any untaxed income, account balances, and information on any investments other than the home in which the applicant lives. In addition, similar information is needed from the student's parents. The student indicates on Step 6 on the FAFSA form which Colleges and Universities should receive the FAFSA information. The application is electronically submitted to PSU Financial Aid based on the student’s selection. Financial Aid obtains the application in EdConnect, which is a Windows-based software that assists the Financial Aid staff with receiving and managing the Federal student aid information electronically. Once the application is received, Financial Aid staff reviews and processes the information and may request additional information from the student to verify the information within the FAFSA form. Once processed, the student receives an aid offer, stating the amount of aid that they could receive. The student formally accepts the offer and the aid that they would like. PSU Financial Aid staff applies the financial aid on the student's account. The FAFSA form and supporting documentation are stored on ApplicationXtender and Dynamic Forms (if used by the student and/or parents).

In addition to federal aid, students can apply directly for private loans. Unlike the FAFSA application, there is no deadline for a private student loan application. Each private student loan vendor has their own application process, but similar supporting documentation is required, such as social security numbers, personal information, employment information, gross annual income, list of any assets and their value, monthly rent or mortgage, the latest tax return, and the name of the College or University attending. PSU Financial Aid office uses ScholarNet to obtain private student loan information to apply these private loans to the student's account.

Information Technology & Systems

A Financial Aid Information Technology Specialist is on site to assist the Student Financial Services Director, as the data steward, to manage and monitor access to all data used by Student Financial Services staff. The Financial Aid Information Technology Specialist performs periodic access review over internal applications, including Banner Student. All access to external applications (including EdConnect and ScholarNet) must be requested and verified annually to the external parties.

In August 2020, Financial Aid implemented a new submission system called Dynamic Forms. Sensitive information from existing students and new students that paid their enrollment deposit can be uploaded to this secure submission system instead of being emailed to PSU Financial Aid staff. Once the documents are submitted, staff will verify the documents and then the system will upload these documents, multiple times a day, to Banner Student and SLLP ApplicationXtender.

Additionally, PSU Financial Aid staff uses multiple systems daily to complete their assigned tasks. These systems include shared folders, Dynamic Forms, SLLP ApplicationXtender, and Banner Student, where sensitive data is shared and stored.

III. Scope

The purpose of the review was to obtain reasonable assurance that controls were appropriately designed to secure and protect sensitive data within Financial Aid. We did not test the operating effectiveness of these controls. Our procedures were not intended to identify compliance with any legal requirements, but to ensure that the data security practices are in accordance with the industry best practices.

During the review, we:

• surveyed on security over confidential and sensitive data;

• reviewed Financial Aid data security policies and protocols; and

• interviewed Financial Aid staff.

We did not review the security of any of the applications and underlying systems and networks that PSU Financial Aid uses during their daily operations.

IV. Report Structure

The six observations in Section V of this report outline internal control issues for management’s attention and consideration. The order of the comments is based on their relative importance in terms of potential risk to USNH or foregone effectiveness if not addressed. The observations marked with an asterisk indicate the most significant items for management attention and resolution, which will be tracked for the USNH Audit Committee’s monitoring until resolved. The report contains recommendations that management has considered and incorporated into the management action plans indicated below.

V. Observations

* 1. Enhance protocols for sensitive data handling

a) PSU Financial Aid staff receives sensitive data, including SSN, date of birth, and sensitive tax information (including W-2s) from students via email. In addition, documents with sensitive data including PSU ID, SSNs, and tax information are emailed among staff members. Sensitive data delivered via email increases the risk of data loss, as emails are not a secure medium to transmit sensitive information and are frequently subject to phishing attacks. In August 2020, USNH implemented a new submission system called Dynamic Forms. This system allows students and parents to upload sensitive data securely. However, the system is inconsistently used by students and parents because usage is not reinforced to students and parents by PSU Financial Aid staff. There is a risk of loss of sensitive data, which may result in financial and reputational loss for the University.

b) In addition, sensitive information, including SSN, date of birth, and tax information are stored in perpetuity on the shared drive, ApplicationXtender, Dynamic Forms, email accounts, and shared email account. Retaining unnecessary data poses a risk that the data may be lost or stolen, which can result in non-compliance with FERPA or the Gramm Leach Bliley Act (GLBA).

c) We noted that the Financial Aid Office uses a dedicated, non-network fax machine to receive sensitive and confidential data from students and/or their parents. On February 8, 2021, USNH Cybersecurity performed an IT risk analysis over the fax machine and deemed the fax machine to be not secure to receive sensitive student data. There is a risk that the continued use of the fax machine may result in a loss of sensitive data.

d) Under existing protocols, a student’s financial aid information is being improperly provided to a family member who is not listed on the FAFSA. Under existing procedures, a separate permission form must be completed for students to grant access to financial aid information for anyone not included on the FAFSA application. Currently, Financial Aid staff only verifies if the student granted access for this person via Family access but does not verify if the student needs to grant permission to their financial aid information via the separate permission form. There is a risk that sensitive student information is provided to unauthorized persons, which may result in non-compliance with data security requirements and reputational loss for the University.

We recommend the following regarding this observation:

1. Develop security protocols and guidelines for handling sensitive data, including, but not limited to the following:

• Proper handling of sensitive information in the office, including safeguarding, redacting, shredding of documents;

• Student information that should or should not be received or sent via email and fax;

• Student information that should or should not be uploaded to ApplicationXtender and/or OneDrive folders;

• Protocols for scanning sensitive student information;

2. Develop a requirement to redact sensitive information where possible. If not possible, implement stricter requirements to protect data.

3. Ensure security protocols and guidelines are reviewed by the USNH Information Security Officer prior to distribution.

4. Discuss the use and proper set up of OneDrive to store sensitive information with the USNH Information Security Officer.

5. Securely purge obsolete documents that are stored on ApplicationXtender, shared drives, and Dynamic Forms.

6. Review and address the recommendation on the USNH Cybersecurity IT Risk Analysis over the fax machine. In addition, consider discontinuing the use of the fax machine to protect the University’s sensitive data.

7. Develop and publish all PSU Financial Aid forms on Dynamic Forms for students to complete within the secure system.

8. Ensure that all students and parents can access, complete, and upload documents and forms within Dynamic Forms.

9. Require the use of Dynamic Forms to receive sensitive data to eliminate email use for sensitive data.

10. Ensure verification procedures are completed that a student granted access via the appropriate permission forms to any person, prior to providing sensitive student related information to this person.

Management Action Plan – PSU Director of Student Financial Services

1. We will review, update, and communicate to all PSU Financial Aid staff our current security protocols and guidelines to ensure all different aspects of the handling of sensitive data are included in our Data Security Reminder document, including the proper handling of sensitive information in the office, information that should be received via fax and email, what type of sensitive information should be uploaded to ApplicationXtender and OneDrive folders, the protocols for scanning this sensitive information, the redaction of sensitive information (where possible). In addition, we will set up a meeting with the USNH CISO and the USNH Director of IT Governance, Risk and Compliance to discuss the use of OneDrive to upload sensitive student information to ensure the folder is appropriately protected and the most recent security protocols and guidelines. This will be completed by September 30, 2022.

2. We will reinforce with Financial Aid staff the existing verification procedures to ensure sensitive student related information is only provided to a person if a student completed the required permission form. This will be completed by June 30, 2022.

3. We will propose and implement a schedule when documents that are stored on ApplicationXtender, shared drives, OneDrive, and Dynamic Forms can be securely purged. In addition, we will identify a PSU Financial Aid staff that will be responsible to purge this sensitive information based on the schedule. This will be completed by September 30, 2022.

4. We will investigate the possibility of deleting fax machine memory on a daily basis to reduce the exposure and will reach out to ET&S Cybersecurity to develop an interim solution. We will explore the possibility of getting a new device to replace the existing fax machine. We will complete this by September 30, 2022.

5. We completed the implementation of a single sign-on for prospective students so that they can utilize Dynamic Forms when submitting sensitive Financial Aid forms and supporting documents on December 16, 2021. In addition, we will expand the available forms within Dynamic Forms to be used by prospective and existing students. This will be completed by September 30, 2022.

* 2. Enhance security protocols to access key applications

Two-factor authentication has not been implemented for accessing Ellucian Banner Student, MyPlymouth, and Dynamic Forms. Two-factor authentication is an additional layer of security designed to reconfirm the identity of the user. Since sensitive data, including social security numbers and other financial aid data, is stored within these applications, PSU management should revisit the security protocols. Not using two-factor authentication leaves sensitive data vulnerable to attack and data exfiltration. Industry best practices have proven that username and password alone do not provide proportionate security for sensitive information that needs increased protection. Subsequently, there is a risk of unauthorized access and an opportunity to increase security layers for logins and passwords.

We recommend that two-factor authentication should be implemented in accordance with current industry standards for protecting sensitive data.

Management Action Plan – USNH Chief Information Security Officer

ET&S Cybersecurity IAM team will work directly with the application teams for Ellucian Banner Student, MyPlymouth and Dynamic Forms to assess, prioritize and implement multifactor authentication on these systems. The expected completion date is Q3 2022 prior to students returning for Fall Semester.

* 3. Enhance vendor security review protocols

We noted that various PSU departments, including Financial Aid, use Shred-It USA LLC for shredding services. USNH Cybersecurity Policy USY VIII.A.5.13.1 states that all vendors that process institutional information shall require approval by Cybersecurity & Networking and follow the requirements defined in the relevant standards. We noted that approval of the shredding vendor was not received when the contract was originally signed. We were only able to obtain the latest signed contract from October 2016; however, the terms and conditions of the Shred-it Customer Service Agreement did not include any contract language around proper destruction of the sensitive materials. These conditions increase the risk that documents containing PSU sensitive data may not be properly disposed of, which may result in a loss of sensitive data.

We recommend the following regarding this observation:

1. Contact PSU Facilities and USNH Procurement to initiate a discussion with the vendor to sign an updated contract. Ensure all appropriate data security language is included in the updated contract.

2. Contact the USNH Information Security Officer to conduct a security review of the vendor.

Management Action Plan – PSU Director of Student Financial Services

We will contact USNH Procurement, PSU Facilities and USNH Director of IT Governance, Risk, and Compliance to initiate a discussion with Shred-It USA regarding an updated contract and to conduct a security review of the vendor prior to the signing of the updated contract. This will be completed by September 30, 2022.

4. Enhance protection of data on end user devices

We noted that one out of four laptops in the Financial Aid Office is currently not encrypted. In addition, we were informed by UNH Cybersecurity & Networking that the third-party scanning software Spirion is used at PSU Financial Aid to scan for PII, HIPAA, and other sensitive data as defined. However, no procedures are currently in place on how identified instances of sensitive information should be securely removed. These computers are used to access restricted and sensitive data. Certain documents with restricted and sensitive data may remain in the temporary folder or could be accidentally downloaded. There is a risk that inappropriate users have access to sensitive data, which can result in a security breach and cause financial and reputational loss to PSU.

We recommend the following regarding this observation:

1. Ensure that all laptops and other mobile devices within PSU Financial Aid are encrypted.

2. Establish protocols on how Spirion identified instances of sensitive information should be securely removed.

Management Action Plan – PSU Director of Student Financial Services & USNH Chief Information Security Officer

1. ET&S Cybersecurity will work directly with PSU Financial Aid and the ET&S Endpoint team to identify and encrypt all USNH owned endpoint devices used in the PSU financial aid office by July 1, 2022.

2. The PSU Director of Student Financial Services will establish protocols on how Spirion identified instances of sensitive information should be securely removed. This will be completed by September 30, 2022.

3. ET&S Cybersecurity will evaluate all USNH owned endpoint devices to ensure Spirion is installed on the device. If needed, we will deploy the Spirion product for the identification and removal of sensitive data by July 1, 2022.

5. Enhance access management

We noted that UNH IT developers have modify access to the Banner Student production and test environments. There is no documented justification for why these users need edit access to the Banner Student production environment. Developer access to production data does not follow the least privilege principle. A user should be given only those privileges that are needed to complete the task. There is a risk that inappropriate access privileges can result in unauthorized changes. In addition, UNH IT clones the production database environment and copies all sensitive data into the development, test, reporting, and the clones of Banner student production and old Banner test. This practice results in multiple copies of sensitive production data. Cloning a full copy of production to the other environments is not considered a best practice as it increases the attack surface and the risk of information disclosure and unauthorized access, inadvertently or deliberately. There is a risk that inappropriate users have access to sensitive data, which can result in a security breach and cause financial and reputational loss to the University.

We recommend the following regarding this observation:

1. Management should evaluate all developer access to production and test databases and remove developers’ access or mitigate the risk related to the developers’ access.

2. Management should document and communicate the responsibilities and accountabilities for system developers and data owner/data stewards.

3. Management should cease the practice of creating clones of sensitive production data and use only limited data, with additional controls to mitigate the risks. Alternatively, management should develop protocols for identifying and encrypting sensitive data at all times.

Management Action Plan – USNH Senior Director, Enterprise IT Systems

1. UNH ET&S staff will review and document all developer access to PSU Banner Student’s production and test databases by April 1, 2022. The levels of access will be reviewed by the Director of Business Applications Administration and Integration in conjunction with the PSU Registrar and Director of PSU Financial Aid to determine if any access is excessive and needs to be revoked. This review and adjustments will be completed by June 1, 2022.

2. PSU Management and UNH ET&S will document and communicate the responsibilities and accountabilities for system developers and data stewards. This will be completed by April 1, 2022.

3. PSU Management in coordination with UNH ET&S service leader will evaluate the current practice of creating clones of sensitive production data and provide a response as to whether or not it is required to have sensitive data in the test instances by May 1, 2022. If the review finds that sensitive data is not required in the test instances, a process will be developed to remove or mask sensitive data in the test environment. Such work, if required, would be completed by December 31, 2022.

6. Enhance information security protocols for remote workers

We noted that the current USNH policy USY.V.C.21 for remote working was not adopted. All Financial Aid staff have access to an abundance of sensitive data obtained from students. This information is stored on Banner Student, ApplicationXtender, Dynamic Forms, shared drives, and computers. This information is accessed by Financial Aid staff while working remotely. Currently, the USNH Flexible Work Arrangement Proposals have not been completed and signed by the employee and supervisor for working remotely. There is a risk that employees are not aware of security procedures and do not follow all the best practices standards to keep student data secure. There is a risk that sensitive data may not be appropriately protected, and a breach can occur.

We recommend that all PSU Financial Aid staff be trained on security requirements for remote working. All staff working remotely should review and acknowledge adherence to the security protocol requirements included in the Flexible Work Arrangement proposal form.

Management Action Plan – PSU Director of Student Financial Services & USNH Chief Information Security Officer

We will ensure that all PSU Financial Aid staff are trained for security requirements for remote working. Currently, only two staff are working remotely. In addition, we will discuss with PSU HR if staff are required to complete the Flexible Work Arrangement proposal form. If required, those PSU Financial Aid staff who work remotely will complete the form. This will be completed by September 30, 2022. In addition, ET&S Cybersecurity will provide cybersecurity training to the PSU Financial Aid Staff by April 1, 2022.

UNIVERSITY OF NEW HAMPSHIRE INTERCOLLEGIATE ATHLETICS PROGRAM

INDEPENDENT ACCOUNTANTS’ REPORT ON APPLYING

AGREED-UPON PROCEDURES

FOR THE YEAR ENDED JUNE 30, 2021

TABLE OF CONTENTS

JUNE 30, 2021

Independent Accountants’ Report on Applying Agreed-Upon Procedures

Exhibits

Exhibit I – Statement of Revenues and Expenses

Exhibit II – Notes to Statement of Revenues and Expenses

Exhibit III – Supplement to Statement of Revenues and Expenses

INDEPENDENT ACCOUNTANTS’ REPORT ON APPLYING AGREED-UPON PROCEDURES

To James Dean Jr., President, University of New Hampshire:

We have performed the procedures enumerated below on the accompanying Statement of Revenues and Expenses (the Statement, see Exhibit I) of the University of New Hampshire (the University) Intercollegiate Athletics Program (the Program) in compliance with the National Collegiate Athletic Association’s (NCAA) Bylaw 3.2.4.17 for the year ended June 30, 2021. The University’s management is responsible for the accompanying Statement and the Statement’s compliance with those requirements for the year ended June 30, 2021.

The University had agreed to and acknowledged that the procedures performed are appropriate to meet the intended purpose of evaluating whether the accompanying Statement is in compliance with the NCAA’s Bylaw 3.2.4.17 for the year ended June 30, 2021. This report may not be suitable for any other purpose. The procedures performed may not address all the items of interest to a user of this report and may not meet the needs of all users of this report and, as such, users are responsible for determining whether the procedures performed are appropriate for their purposes.

Exceptions totaling the lesser of $150,000 or 10% of the line item total to which an agreed-upon procedure has been applied to, other than exceptions related to internal control procedures of the Program, for which there are no thresholds, have been reported. The procedures and the associated findings are as follows:

Agreed-Upon Procedures Related to the Statement of Revenues and Expenses

Procedure Finding

All Revenue Categories

Compare and agree each operating revenue category reported in the statement during the reporting period to supporting schedules provided by the Program. If a specific reporting category is less than 4.0% of the total revenues, no procedures are required for that specific category.

No exceptions noted.

Compare and agree a sample of operating revenue receipts obtained from the above operating revenue supporting schedules to adequate supporting documentation.

No exceptions noted.

Compare each major revenue account over 10% of the total revenues to prior period amounts and budget estimates. Obtain and document an explanation of any variations greater than 10%. Report the analysis as a supplement to the final Agreed-Upon procedures report.

No exceptions noted and amounts and explanations for variations from the prior period are included in the supplement on page 20.

Ticket Sales

1. Compare tickets sold during the reporting period, complimentary tickets provided during the reporting period and unsold tickets to the related revenue reported by the Program in the statement and the related attendance figures and recalculate totals.

As ticket sales for the year ended June 30, 2021 were below 4% of total revenues, this procedure was not performed.

Student Fees

2. Compare and agree student fees reported by the Program in the statement for the reporting period to student enrollments during the same reporting period and recalculate totals.

No exceptions noted.

3. Obtain documentation of institution’s methodology for allocating student fees to intercollegiate athletics programs.

An understanding of the University’s methodology was gained, and we noted the allocation was in accordance with the University's methodology.

4. If the athletics department is reporting that an allocation of student fees should be countable as generated revenue, recalculate the totals of their methodology for supporting that they are able to count each sport. Tie the calculation to supporting documents such as seat manifests, ticket sales reports and student fee totals.

No exceptions noted as this is not applicable.

Direct State or Other Governmental Support

5. Compare direct state or other governmental support recorded by the Program during the reporting period with state appropriations, institutional authorizations and/or other corroborative supporting documentation and recalculate totals.

No exceptions noted.

Direct Institutional Support

6. Compare the direct institutional support recorded by the Program during the reporting period with the institutional supporting budget transfers documentation and other corroborative supporting documentation and recalculate totals.

No exceptions noted.

Transfers Back to Institution

7. Compare the transfers back to the institution with permanent transfers back to the institution from the athletics department and recalculate totals.

As transfers back to institution for the year ended June 30, 2021 were below 4% of total revenues, this procedure was not performed.

Indirect Institutional Support

8. Compare the indirect institutional support recorded by the Program during the reporting period with expense payments, cost allocation detail and other corroborative supporting documentation and recalculate totals.

As there was no indirect institutional support for the year ended June 30, 2021, this procedure was not performed.

Guarantees

9. Select a sample of settlement reports for away games during the reporting period and agree each selection to the Program’s general ledger and/or the statement and recalculate totals.

As guarantees for the year ended June 30, 2021 were below 4% of total revenues, this procedure was not performed.

10. Select a sample of contractual agreements pertaining to revenues derived from guaranteed contests during the reporting period and compare and agree each selection to the Program’s general ledger and/or the statement and recalculate totals.

As guarantees for the year ended June 30, 2021 were below 4% of total revenues, this procedure was not performed.

Contributions

11. Any contributions of moneys, goods or services received directly by an intercollegiate athletics program from any affiliated or outside organization, agency or group of individuals (two or more) not included above (e.g., contributions by corporate sponsors) that constitutes 10 percent or more in aggregate for the reporting year of all contributions received for intercollegiate athletics during the reporting periods shall obtain and review supporting documentation for each contribution and recalculate totals.

No exceptions noted.

In-Kind

12. Compare the in-kind revenue recorded by the Program during the reporting period with a schedule of in-kind donations and recalculate totals.

As there was no in-kind revenue for the year ended June 30, 2021, this procedure was not performed.

Compensation and Benefits Provided by a Third-Party

13. Obtain the summary of revenues from affiliated and outside organizations (the "Summary") as of the end of the reporting period from the Program and select a sample of funds from the Summary and compare and agree each selection to supporting documentation, the Program’s general ledger and/or the Summary and recalculate totals.

As there was no compensation and benefits provided by a third party for the year ended June 30, 2021, this procedure was not performed.

Media Rights

14. Obtain and inspect agreements to understand the institution's total media (broadcast, television, radio) rights received by the Program or through their conference offices as reported in the statement.

As media rights revenues for the year ended June 30, 2021 were below 4% of total revenues, this procedure was not performed.

15. Compare and agree the media right revenues to a summary statement of all media rights identified, if applicable, and the Program’s general ledger and recalculate totals. Ledger totals may be different for total conference distributions if media rights are not broken out separately.

As media rights revenues for the year ended June 30, 2021 were below 4% of total revenues, this procedure was not performed.

NCAA Distributions

16. Compare the amounts recorded in the revenue and expense reporting to general ledger detail for NCAA distributions and other corroborative supporting documents and recalculate totals.

As NCAA distributions for the year ended June 30, 2021 were below 4% of total revenues, this procedure was not performed.

Conference Distributions and Conference Distributions of Football Bowl Generated Revenue

17. Obtain and inspect agreements related to the Program’s conference distributions and participation in revenues from tournaments during the reporting period for relevant terms and conditions.

As conference distributions and conference distributions of football bowl generated revenue for the year ended June 30, 2021 were below 4% of total revenues, this procedure was not performed.

18. Compare and agree the related revenues to the Program’s general ledger, and/or the statement and recalculate totals.

As conference distributions and conference distributions of football bowl generated revenue for the year ended June 30, 2021 were below 4% of total revenues, this procedure was not performed.

Program Sales, Concessions, Novelty Sales and Parking

19. Compare the amount recorded in the revenue reporting category to a general ledger detail of program sales, concessions, novelty sales and parking as well as any other corroborative supporting documents and recalculate totals.

As program sales, concessions, novelty sales and parking revenues for the year ended June 30, 2021 were below 4% of total revenues, this procedure was not performed.

Royalties, Licensing, Advertisements and Sponsorships

20. Obtain and inspect agreements related to the Program’s participation in revenues from royalties, licensing, advertisements and sponsorships during the reporting period for relevant terms and conditions.

As royalties, licensing, advertising and sponsorships revenues for the year ended June 30, 2021 were below 4% of total revenues, this procedure was not performed.

21. Compare and agree the related revenues to the Program’s general ledger, and/or the statement and recalculate totals.

As royalties, licensing, advertising and sponsorships revenues for the year ended June 30, 2021 were below 4% of total revenues, this procedure was not performed.

Sports Camp Revenues

22. Inspect sports camp contract(s) between the institution and person(s) conducting institutional sports-camps or clinics during the reporting period to obtain documentation of the Program’s methodology for recording revenues from sports-camps.

As there was no sports camp revenue for the year ended June 30, 2021, this procedure was not performed.


23. Obtain schedules of camp participants and select a sample of individual camp participant cash receipts from the schedule of sports-camp participants and agree each selection to the Program’s general ledger, and/or the statement and recalculate totals.

As there was no sports camp revenue for the year ended June 30, 2021, this procedure was not performed.

Athletics Restricted Endowment and Investment Income

24. Obtain and inspect endowment agreements (if any) for relevant terms and conditions.

As athletics restricted endowment and investment income for the year ended June 30, 2021 was below 4% of total revenues, this procedure was not performed.

25. Compare and agree the classification and use of endowment and investment income reported in the statement during the reporting period to the uses of income defined within the related endowment agreement and recalculate totals.

As athletics restricted endowment and investment income for the year ended June 30, 2021 was below 4% of total revenues, this procedure was not performed.

Other

26. Perform minimum agreed-upon procedures referenced for all revenue categories and recalculate totals.

As other operating revenues for the year ended June 30, 2021 were below 4% of total revenues, this procedure was not performed.

Football Bowl Revenues

27. Obtain and inspect agreements related to the institution’s revenues from post-season football bowl participation during the reporting period to gain an understanding of the relevant terms and conditions.

As there were no football bowl revenues for the year ended June 30, 2021, this procedure was not performed.

28. Compare and agree the related revenues to the institution’s general ledger, and/or the statement and recalculate totals.

As there were no football bowl revenues for the year ended June 30, 2021, this procedure was not performed.

All Expense Categories

Compare and agree each expense category reported in the statement during the reporting period to supporting schedules provided by the institution. If a specific reporting category is less than 4.0% of the total expenses, no procedures are required for that specific category.

No exceptions noted.

Compare and agree a sample of expenses obtained from the above operating expense supporting schedules to adequate supporting documentation.

No exceptions noted.


Compare each major expense account over 10% of the total expenses to prior period amounts and budget estimates. Obtain and document an explanation of any variations greater than 10%. Report the analysis as a supplement to the final Agreed-Upon procedures report.

No exceptions noted and amounts and explanations for variations from the prior period are included in the supplement on page 20.

Athletic Student Aid

29. Select a sample of students (10% of the total student-athletes for institutions who have used NCAA's Compliance Assistant (CA) software to prepare athletic aid detail, with a maximum sample size of 40, and 20% of total student-athletes for institutions who have not, with a maximum sample size of 60) from the listing of institutional student aid recipients during the reporting period. Data should be captured by the institution through the creation of a squad/eligibility list for each sponsored sport.

A sample of 35 student aid recipients was selected.

30. Obtain individual student account detail for each selection and compare total aid in the institution’s student system to the student’s detail in CA or the institution report that ties directly to the NCAA Membership Financial Reporting System.

No exceptions noted.

31. Division I Institutions Only: Perform a check of each student selected to ensure their information was reported accurately in either the NCAA’s CA software or entered directly into the NCAA Membership Financial Reporting System using the following criteria:

No exceptions noted.

The equivalency value for each student-athlete in all sports, including head-count sports, needs to be converted to a full-time equivalency value. The full-time equivalency value is calculated using the athletic grant amount reported on the Calculation of Revenue Distribution Equivalencies Report (CRDE) from CA as the numerator and the full grant amount which is the total cost for tuition, fees, required course-related books, room and board for an academic year as the denominator. If using the NCAA CA software, this equivalency value should already be calculated for you on the CRDE report labeled “Revenue Distribution Equivalent Award”.

No exceptions noted.

Grants-in-aid is calculated by using the revenue distribution equivalencies by sport and in aggregate. (Athletic grant amount divided by the full grant amount).

No exceptions noted.


Other expenses related to attendance (also known as cost of attendance) should not be included in grants-in-aid revenue distribution equivalencies. Only tuition, fees, room, board and course-related books are countable for grants-in-aid revenue distribution per Bylaw 20.02.07. Note: For compliance purposes equivalencies may include other expenses related to attendance per Bylaw 15.02.2, however these expenses are not allowed to be included for revenue distribution equivalencies.

No exceptions noted.

Full grant amount should be entered as a full year of tuition, not a semester or quarter.

No exceptions noted.

Student-athletes are to be counted once, regardless of multiple sport participation, and should not receive a revenue distribution equivalency greater than 1.00.

No exceptions noted.

Athletic grants are valid for revenue distribution purposes only in sports in which the NCAA conducts championships competition, emerging sports for women and football bowl subdivision football.

No exceptions noted.

Grants-in-aid are valid for revenue distribution purposes in NCAA sports that do not meet the minimum contests and participants’ requirements of Bylaw 20.9.6.3.

No exceptions noted.

Institutions providing grants to student-athletes listed on the CRDE as “Exhausted Eligibility (fifth-year)” or “Medical” receive credit in the grants-in-aid component.

No exceptions noted.

The athletics aid equivalency cannot exceed maximum equivalency limits. However, the total revenue distribution equivalency can exceed maximum equivalency limits due to exhausted eligibility and medical equivalencies (reference Bylaw 15.5.3.1).

No exceptions noted.

If a sport is discontinued and the athletic grant(s) are still being honored by the institution, the grant(s) are included in student-athlete aid for revenue distribution purposes.

As there were no discontinued sports for the year ended June 30, 2021, this procedure was not performed.

All equivalency calculations should be rounded to two decimal places.

No exceptions noted.


If a selected student received a Pell Grant, ensure the value of the grant is not included in the calculation of equivalencies or the total dollar amount of student athletic aid expense for the institution.

No exceptions noted.

If a selected student received a Pell Grant, ensure the student's grant was included in the total number and total value of Pell Grants reported for Revenue Distribution purposes in the NCAA Membership Financial Reporting System.

No exceptions noted.

32. Recalculate totals for each sport and overall.

No exceptions noted.

Guarantees

33. Obtain and inspect visiting institution's away-game settlement reports received by the institution during the reporting period and agree related expenses to the Program’s general ledger and/or the statement and recalculate totals.

As there were no guarantee expenses for the year ended June 30, 2021, this procedure was not performed.

34. Obtain and inspect contractual agreements pertaining to expenses recorded by the Program from guaranteed contests during the reporting period. Compare and agree related amounts expensed by the institution during the reporting period to the Program’s general ledger and/or the statement and recalculate totals.

As there were no guarantee expenses for the year ended June 30, 2021, this procedure was not performed.

Coaching Salaries, Benefits, and Bonuses Paid by the University and Related Entities

35. Obtain and inspect a listing of coaches employed by the Program and related entities during the reporting period. Select a sample of coaches’ contracts that must include football, and men’s and women’s basketball from the listing.

A listing of all coaches employed by the Program was obtained. A sample of five coaches for two pay periods each was selected, including the men’s and women’s basketball head coach and the men’s football head coach.

36. Compare and agree the financial terms and conditions of each selection to the related coaching salaries, benefits, and bonuses recorded by the Program and related entities in the statement during the reporting period.

No exceptions noted.

37. Obtain and inspect payroll summary registers for the reporting year for each selection. Compare and agree payroll summary registers from the reporting period to the related coaching salaries, benefits and bonuses paid by the Program and related entities expense recorded by the Program in the statement during the reporting period.

No exceptions noted.


38. Compare and agree the totals recorded to any employment contracts executed for the sample selected and recalculate totals.

No exceptions noted.

Coaching Other Compensation and Benefits Paid by a Third-Party

39. Obtain and inspect a listing of coaches employed by third parties during the reporting period. Select a sample of coaches’ contracts that must include football, and men’s and women’s basketball from the listing.

As there were no coaching other compensation and benefits paid by a third-party for the year ended June 30, 2021, this procedure was not performed.

40. Compare and agree the financial terms and conditions of each selection to the related coaching other compensation and benefits paid by a third party and recorded by the Program in the statement during the reporting period.

As there were no coaching other compensation and benefits paid by a third-party for the year ended June 30, 2021, this procedure was not performed.

41. Obtain and inspect reporting period payroll summary registers for each selection. Compare and agree related payroll summary register to the coaching other compensation and benefits paid by a third-party expenses recorded by the institution in the statement during the reporting period and recalculate totals.

As there were no coaching other compensation and benefits paid by a third-party for the year ended June 30, 2021, this procedure was not performed.

Support Staff/Administrative Salaries, Benefits and Bonuses Paid by the University and Related Entities

42. Select a sample of support staff/administrative personnel employed by the Program and related entities during the reporting period.

A sample of five support staff/administrative personnel for two pay periods each was selected.

43. Obtain and inspect reporting period summary payroll register for each selection. Compare and agree related summary payroll register to the related support staff administrative salaries, benefits and bonuses paid by the Program and related entities expense recorded by the Program in the statement during the reporting period and recalculate totals.

No exceptions noted.

Support Staff/Administrative Other Compensation and Benefits Paid by a Third-Party

44. Select a sample of support staff/administrative personnel employed by the third parties during the reporting period.

As there were no support staff and administrative other compensation and benefits paid by a third-party for the year ended June 30, 2021, this procedure was not performed.


45. Obtain and inspect reporting period payroll summary registers for each selection. Compare and agree related payroll summary registers to the related support staff administrative other compensation and benefits expense recorded by the Program in the statement during the reporting period and recalculate totals.

As there was no support staff and administrative other compensation and benefits paid by a third-party for the year ended June 30, 2021, this procedure was not performed.

Severance Payments

46. Select a sample of employees receiving severance payments by the institution during the reporting period and agree each severance payment to the related termination letter or employment contract and recalculate totals.

As there were no severance payments for the year ended June 30, 2021, this procedure was not performed.

Recruiting

47. Obtain documentation of the Program’s recruiting expense policies.

As recruiting expenses for the year ended June 30, 2021 were below 4% of total expenses, this procedure was not performed.

48. Compare and agree to existing institutional- and NCAA-related policies.

As recruiting expenses for the year ended June 30, 2021 were below 4% of total expenses, this procedure was not performed.

49. Obtain general ledger detail and compare to the total expenses reported and recalculate totals.

As recruiting expenses for the year ended June 30, 2021 were below 4% of total expenses, this procedure was not performed.

Team Travel

50. Obtain documentation of the Program’s team travel policies.

As team travel expenses for the year ended June 30, 2021 were below 4% of total expenses, this procedure was not performed.

51. Compare and agree to existing institutional- and NCAA-related policies.

As team travel expenses for the year ended June 30, 2021 were below 4% of total expenses, this procedure was not performed.

52. Obtain general ledger detail and compare to the total expenses reported and recalculate totals.

As team travel expenses for the year ended June 30, 2021 were below 4% of total expenses, this procedure was not performed.


Equipment, Uniforms and Supplies

53. Obtain general ledger detail and compare to the total expenses reported. Select a sample of transactions to validate existence of transaction and accuracy of recording and recalculate totals.

As equipment, uniforms and supplies for the year ended June 30, 2021 were below 4% of total expenses, this procedure was not performed.

Game Expenses

54. Obtain general ledger detail and compare to the total expenses reported. Select a sample of transactions to validate existence of transaction and accuracy of recording and recalculate totals.

As game expenses for the year ended June 30, 2021 were 4% of total expenses, this procedure was not performed.

Fund Raising, Marketing and Promotion

55. Obtain general ledger detail and compare to the total expenses reported. Select a sample of transactions to validate existence of transaction and accuracy of recording and recalculate totals.

As fund raising, marketing, and promotion for the year ended June 30, 2021 were below 4% of total expenses, this procedure was not performed.

Sports Camp Expenses

56. Obtain general ledger detail and compare to the total expenses reported. Select a sample of transactions to validate existence of transaction and accuracy of recording and recalculate totals.

As sports camp expenses for the year ended June 30, 2021 were below 4% of total expenses, this procedure was not performed.

Spirit Groups

57. Obtain general ledger detail and compare to the total expenses reported. Select a sample of transactions to validate existence of transaction and accuracy of recording and recalculate totals.

As spirit groups’ expenses for the year ended June 30, 2021 were below 4% of total expenses, this procedure was not performed.

Athletic Facility Debt Service, Leases and Rental Fees

58. Obtain a listing of debt service schedules, lease payments and rental fees for athletics facilities for the reporting year. Compare a sample of facility payments including the top two highest facility payments to additional supporting documentation (e.g. debt financing agreements, leases, rental agreements).

No exceptions noted.

59. Compare amounts recorded to amounts listed in the general ledger detail and recalculate totals.

No exceptions noted.

Direct Overhead and Administrative Expenses

60. Obtain general ledger detail and compare to the total expenses reported. Select a sample of transactions to validate existence of transaction and accuracy of recording and recalculate totals.

As direct overhead and administrative expenses for the year ended June 30, 2021 were below 4% of total expenses, this procedure was not performed.


Indirect Institutional Support

61. Tested with revenue section - Indirect Institutional Support.

As there was no indirect institutional support for the year ended June 30, 2021, this procedure was not performed.

Medical Expenses and Medical Insurance

62. Obtain general ledger detail and compare to the total expenses reported. Select a sample of transactions to validate existence of transaction and accuracy of recording and recalculate totals.

As medical expenses and medical insurance for the year ended June 30, 2021 were below 4% of total expenses, this procedure was not performed.

Memberships and Dues

63. Obtain general ledger detail and compare to the total expenses reported. Select a sample of transactions to validate existence of transaction and accuracy of recording and recalculate totals.

As memberships and dues for the year ended June 30, 2021 were below 4% of total expenses, this procedure was not performed.

Other Operating Expenses and Transfers to Institution

64. Obtain general ledger detail and compare to the total expenses reported. Select a sample of transactions to validate existence of transaction and accuracy of recording and recalculate totals.

As other operating expenses for the year ended June 30, 2021 were below 4% of total expenses, this procedure was not performed.

Student-Athlete Meals (non-travel)

65. Obtain general ledger detail and compare to the total expenses reported. Select a sample of transactions to validate existence of transaction and accuracy of recording and recalculate totals.

As student-athlete meals (non-travel) for the year ended June 30, 2021 were below 4% of total expenses, this procedure was not performed.

Football Bowl Expenses

66. Obtain general ledger detail and compare to the total expenses reported. Select a sample of transactions to validate existence of transaction and accuracy of recording and recalculate totals.

As there were no football bowl expenses for the year ended June 30, 2021, this procedure was not performed.

MINIMUM AGREED-UPON PROCEDURES FOR OTHER REPORTING ITEMS

Excess Transfers to Institution and Conference Realignment Expenses

67. Obtain general ledger detail and compare to the total expenses reported. Select a sample of transactions to validate existence of transaction and accuracy of recording and recalculate totals.

As there were no excess transfers to institution or conference realignment expenses for the year ended June 30, 2021, this procedure was not performed.


Total Athletics Related Debt

68. Obtain repayment schedules for all outstanding intercollegiate athletics debt during the reporting period. Recalculate annual maturities (consisting of principal and interest) provided in the schedules obtained.

No exceptions noted.

69. Agree the total annual maturities and total outstanding athletic related debt to supporting documentation and the institution’s general ledger, as applicable.

No exceptions noted.

Total Institutional Debt

70. Agree the total outstanding institutional debt to supporting documentation and the institution's audited financial statements, if available, or the institution's general ledger.

No exceptions noted.

Value of Athletics Dedicated Endowments

71. Obtain a schedule of all athletics dedicated endowments maintained by athletics, the institution, and affiliated organizations. Agree the fair market value in the schedule(s) to supporting documentation, the general ledger(s) and audited financial statements, if available.

No exceptions noted.

Value of Institutional Endowments

72. Agree the total fair market value of institutional endowments to supporting documentation, the institution's general ledger and/or audited financial statements, if available.

No exceptions noted.

Total Athletics Related Capital Expenditures

73. Obtain a schedule of athletics related capital expenditures made by the Program, the institution, and affiliated organizations during the reporting period.

No exceptions noted.

74. Obtain general ledger detail and compare to the total expenses reported. Select a sample of transactions to validate existence of transaction and accuracy of recording and validate totals.

No exceptions noted.


ADDITIONAL MINIMUM AGREED-UPON PROCEDURES

In order for the NCAA to place reliance on the Division I financial reporting to calculate the Division I NCAA revenue distributions, which is a financial benefit to the institution, the following procedures are required to be performed:

Procedure Finding

1. Grants-in-Aid

a. Compare and agree the sports sponsored reported in the NCAA Membership Financial Reporting System to the Calculation of Revenue Distribution Equivalencies Report (CRDE) from Compliance Assistant (CA) or other report that supports the equivalency calculations from the institution between May and August. The NCAA Membership Financial Reporting System populates the sports from the NCAA Sports Sponsorship and Demographics Form as they are reported by the institution between May and August. If there is a discrepancy in the sports sponsored between the NCAA Membership Financial Reporting System and the CRDE or other report that supports the equivalency calculations, inquire about the discrepancy and report the justification in the AUP report.

No exceptions noted.

b. Compare current year Grants-in-Aid revenue distribution equivalencies to prior year reported equivalencies per the Membership Financial Report submission. Inquire and document an explanation for any variance greater than +/- 4%.

No exceptions noted.

2. Sports Sponsorship:

a. Obtain the institution’s Sports Sponsorship and Demographics Form submitted to the NCAA for the reporting year between May and August. Validate that the countable NCAA sports reported by the institution met the minimum requirements, set forth in Bylaw 20.9.6.3, related to the number of contests and the number of participants. If the institution requested and/or received a waiver related to minimum contests or minimum participants for a sport, that sport would not qualify as a sponsored sport for the purposes of revenue distribution. Also, only sports in which the NCAA conducts championships competition, emerging sports for women and bowl subdivision football are eligible. Once countable sports have been validated, ensure that the institution has properly reported these sports as countable for revenue distribution purposes within the NCAA Membership Financial Reporting System. Note: Any discrepancies MUST be resolved within the NCAA Membership Financial Reporting System prior to the report being submitted to the NCAA.

No exceptions noted.


b. Compare current year number of Sports Sponsored to prior year reported total per the Membership Financial Report submission. Inquire and document an explanation for any variance.

No exceptions noted.

*Note for 2020-21 reporting only: Sports an institution expected to sponsor in academic year 2020-21, as reported on the institution’s 2020 Sports Sponsorship and Demographics form, would qualify as a sponsored sport for the purposes of revenue distribution. This exception is consistent with the intent of the Division I Council Coordination Committee’s decision on March 25, 2020 to grant an extraordinary blanket waiver in light of the impact of the COVID-19 global pandemic.

3. Pell Grants:

a. Agree the total number of Division I student-athletes who, during the academic year, received a Pell Grant award (e.g. Pell Grant recipients on Full Athletic Aid, Pell Grant recipients on Partial Athletic Aid and Pell Grant recipients with no Athletic Aid) and the total value of these Pell Grants reported in the NCAA Membership Financial Reporting System to a report, generated out of the institution’s financial aid records of all student-athlete Pell Grants. Note 1: Only Pell Grants for sports in which the NCAA conducts championships competition, emerging sports for women and bowl subdivision football are countable. Note 2: Student-athletes should only be counted once even if the athlete participates in multiple sports. Note 3: Individual student-aid file testing in step 31 above should tie any selected student athletes who received Pell Grants back to the report of all student athlete Pell Grants to test the completeness and accuracy of the report.

No exceptions noted.

b. Compare current year Pell Grants total to prior year reported total per the Membership Financial Report submission. Inquire and document an explanation for any variance greater than +/- 20 grants.

No exceptions noted.

Agreed-Upon Procedures Related to Affiliated and Outside Organizations

Procedure

1. The Program shall identify all intercollegiate athletics-related affiliated and outside organizations and obtain those organizations’ statements for the reporting period. Once the Program has made these statements available, the independent accountant shall agree the amounts reported in the statement to the organization’s general ledger or, alternatively, confirm revenues and expenses directly with a responsible official of the organization. In addition, the Program shall prepare a summary of revenues and expenses for or on behalf of intercollegiate athletics programs affiliated and outside organizations to be included with the agreed-upon procedures report.

Results

The Program identified the University of New Hampshire Foundation (Foundation) as the only outside organization making expenditures for, or on behalf of the Program or its employees. The Foundation serves as the official legal conduit for the acceptance, investment, and distribution of private gifts in support of the activities and programs of the Program. For the year ended June 30, 2021, Program Foundation recognized revenues of $3,757,428 and expenses of $402,803 on behalf of the Program.

Finding

No exceptions noted.

Procedure

2. The independent accountant shall obtain and review the audited financial statements of the organization and any additional reports regarding internal control matters if the organization is audited independent of the agreed-upon procedures required by NCAA legislation. The Program’s independent accountant shall also inquire of institutional and outside organization management as to corrective action taken in response to comments concerning internal control structure (if any).

Results

We obtained and read the audited financial statements of the Foundation for the year ended June 30, 2021, and the related report on compliance and on internal control. The results of this procedure disclosed that the independent auditors expressed an unmodified opinion on the financial statements of the Foundation. The independent auditors noted no matters involving internal control over financial reporting and its operation that were considered material weaknesses.

Finding

No exceptions noted.

We were engaged by the University to perform this agreed-upon procedures engagement and conducted our engagement in accordance with attestation standards established by the AICPA. We were not engaged to and did not conduct an examination or review, the objective of which would be the expression of an opinion or conclusion, respectively, on the compliance of the accompanying Statement of Revenues and Expenses (Exhibit I) of the University and the accompanying notes to the Statement of Revenues and Expenses (Exhibit II). Accordingly, we do not express such an opinion or conclusion. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you.

We are required to be independent of the University and to meet our ethical responsibilities, in accordance with the relevant ethical requirements related to our agreed-upon procedures engagement.

Gainesville, Florida December 10, 2021


Exhibit I

UNIVERSITY OF NEW HAMPSHIRE
DEPARTMENT OF INTERCOLLEGIATE ATHLETICS
STATEMENT OF REVENUES AND EXPENSES
FOR THE YEAR ENDED JUNE 30, 2021
(UNAUDITED - SEE ACCOMPANYING INDEPENDENT ACCOUNTANTS' REPORT ON APPLYING AGREED-UPON PROCEDURES)

| | Football | Men's Basketball | Women's Basketball | Men's Ice Hockey | Women's Ice Hockey | Gymnastics | All Other Sports | Non-Program Specific | Total |
|---|---|---|---|---|---|---|---|---|---|
| Revenues | | | | | | | | | |
| Ticket sales | $ - | $ - | $ - | $35 | $ - | $ - | $ - | $ - | $35 |
| Direct state or other government support | - | - | - | - | - | - | - | 3,054,642 | 3,054,642 |
| Student fees | - | - | - | - | - | - | - | 10,599,938 | 10,599,938 |
| Direct institutional support | 2,498,292 | 483,809 | 454,401 | 690,263 | 684,134 | 488,297 | 1,873,191 | 3,892,677 | 11,065,064 |
| Transfers to institution | (31,591) | (17,000) | (10,118) | (23,402) | (13,782) | (8,526) | (57,218) | (84,717) | (246,354) |
| Indirect institutional support | - | - | - | - | - | - | - | - | - |
| Indirect institutional support - athletic facilities debt service, leases and rental fees | - | - | - | - | - | - | - | - | - |
| Guarantees | - | - | 10,000 | - | - | - | - | - | 10,000 |
| Contributions | 301,021 | 64,035 | 68,547 | 131,575 | 25,190 | 35,395 | 606,779 | 94,011 | 1,326,553 |
| In-kind | - | - | - | - | - | - | 2,125 | - | 2,125 |
| Compensation and benefits provided by a third-party | - | - | - | - | - | - | - | - | - |
| Media rights | - | - | - | - | - | - | - | 102,106 | 102,106 |
| NCAA distributions | 4,034 | 6,443 | 4,034 | 4,034 | 4,034 | 4,034 | 177,536 | 347,762 | 551,911 |
| Conference distributions (non media and non football bow | - | - | - | - | - | - | - | 500 | 500 |
| Conference distributions of football bowl generated revenue | - | - | - | - | - | - | - | - | - |
| Program, novelty, parking and concession sales | - | - | - | - | - | - | - | 16,232 | 16,232 |
| Royalties, licensing, advertisement and sponsorships | 60,000 | 16,000 | 18,000 | 2,000 | 3,000 | 11,000 | 90,000 | 480,649 | 680,649 |
| Sports camp revenues | - | - | - | - | - | - | - | - | - |
| Athletics restricted endowment and investments income | 230,414 | 5,387 | - | 96,974 | 1,838 | 8,669 | 111,643 | 437,195 | 892,120 |
| Other operating revenue | - | - | - | - | - | - | 450 | 10,375 | 10,825 |
| Football bowl revenues | - | - | - | - | - | - | - | - | - |
| Total operating revenues | 3,062,170 | 558,674 | 544,864 | 901,479 | 704,414 | 538,869 | 2,804,506 | 18,951,370 | 28,066,346 |
| Expenses | | | | | | | | | |
| Athletics student aid | 2,754,175 | 563,584 | 591,318 | 869,127 | 898,136 | 514,864 | 4,133,317 | - | 10,324,521 |
| Guarantees | - | - | - | - | - | - | - | - | - |
| Coaching salaries, benefits and bonuses paid by the university and related entities | 1,105,799 | 513,791 | 319,327 | 664,950 | 383,114 | 282,448 | 1,975,232 | - | 5,244,661 |
| Coaching salaries, benefits and bonuses paid by a third-party | - | - | - | - | - | - | - | - | - |
| Support staff and administrative compensation, benefits and bonuses paid by the university and related entities | 111,375 | 101,187 | - | 115,882 | 57,975 | - | - | 3,087,789 | 3,474,208 |
| Support staff and administrative compensation paid by third-party | - | - | - | - | - | - | - | - | - |
| Severance payments | - | - | - | - | - | - | - | - | - |
| Recruiting | 4,035 | 2,944 | 6,121 | 10,115 | 1,718 | 1,130 | 14,650 | 20,372 | 61,085 |
| Team travel | 12,005 | 35,306 | 40,019 | 50,836 | 33,789 | 39,554 | 243,399 | 709 | 455,617 |
| Sports equipment, uniforms and supplies | 143,040 | 30,611 | 36,718 | 95,061 | 46,191 | 27,717 | 207,616 | 4,979 | 591,933 |
| Game expenses | 22,304 | 54,129 | 36,077 | 13,912 | 8,403 | 18,334 | 151,584 | 73,556 | 378,299 |
| Fund raising, marketing and promotion | 1,022 | 94 | (2,650) | 536 | 238 | 99 | 5,038 | 123,982 | 128,359 |
| Sports camp expenses | - | - | - | - | - | - | 640 | - | 640 |
| Spirit groups | - | - | - | - | - | - | - | 8,476 | 8,476 |
| Athletic facilities debt service, leases and rental fees | - | - | - | 240,500 | 240,500 | - | (3,300) | 4,278,837 | 4,756,537 |
| Direct overhead and administrative expenses | 50,402 | 14,293 | 40,578 | 30,914 | 8,309 | 2,457 | 51,087 | 200,616 | 398,656 |
| Indirect institutional support | - | - | - | - | - | - | - | - | - |
| Medical expenses and insurance | - | - | - | 41 | - | - | - | 351,157 | 351,198 |
| Memberships and dues | 33,750 | - | 825 | 60,000 | 34,000 | 1,125 | 6,803 | 86,595 | 223,098 |
| Student-athlete meals (non-travel) | 15,910 | 1,881 | 1,702 | 7,235 | 2,346 | 190 | 1,502 | 14,116 | 44,882 |
| Other operating expenses | 107 | - | - | 2,259 | 160 | 5,348 | 3,400 | 24,811 | 36,085 |
| Football bowl expenses | - | - | - | - | - | - | - | - | - |
| Football bowl expenses - coaching compensation/bonuses | - | - | - | - | - | - | - | - | - |
| Total operating expenses | 4,253,924 | 1,317,820 | 1,070,035 | 2,161,368 | 1,714,879 | 893,266 | 6,790,968 | 8,275,995 | 26,478,255 |
| Excess transfers to institution | - | - | - | - | - | - | - | - | - |
| Excess (deficiency) of revenues over (under) expenses | $(1,191,754) | $(759,146) | $(525,171) | $(1,259,889) | $(1,010,465) | $(354,397) | $(3,986,462) | $10,675,375 | $1,588,091 |

| Other reporting items | Amount |
|---|---|
| Conference realignment expenses | $ - |
| Total athletics related debt | $4,340,658 |
| Total institutional debt | $163,412,228 |
| Value of athletics dedicated endowments | $25,745,865 |
| Value of institutional endowments | $1,001,246,846 |
| Total athletics related capital expenditures | $2,044,187 |

- See accompanying notes to statement of revenues and expenses -


Exhibit II

UNIVERSITY OF NEW HAMPSHIRE
INTERCOLLEGIATE ATHLETICS PROGRAM
NOTES TO STATEMENT OF REVENUES AND EXPENSES
FOR THE YEAR ENDED JUNE 30, 2021
(UNAUDITED – SEE ACCOMPANYING INDEPENDENT ACCOUNTANTS’ REPORT ON THE APPLICATION OF AGREED-UPON PROCEDURES)

(1) Basis of Presentation:

The accompanying Statement of Revenues and Expenses of University of New Hampshire (the University) Intercollegiate Athletics Program (the Program) has been prepared on the accrual basis of accounting. Under this method, revenues are recorded when earned and expenses are recognized when they are incurred.

(2) Capital Assets:

Property and equipment are recorded at original cost for purchased assets or at fair value on the date of donation in the case of gifts. Equipment with a unit cost of $5,000 or more is capitalized. Building improvements with a cost of $50,000 or greater are also capitalized. Net interest costs incurred during the construction period for major, debt-funded capital projects are added to the cost of the underlying asset. Depreciation of property and equipment is calculated on a straight-line basis over the estimated useful lives of the respective assets.

Capital asset activity for the year ended June 30, 2021, was as follows:

| | Beginning Balance | Additions | Decreases | Ending Balance |
|---|---|---|---|---|
| Capital assets being depreciated: | | | | |
| Building and building improvements | $44,817,732 | $2,044,187 | $(42,597) | $46,819,322 |
| Land improvements | 9,694,195 | - | - | 9,694,195 |
| Infrastructure | 1,471,766 | - | - | 1,471,766 |
| Total capital assets being depreciated | 55,983,693 | 2,044,187 | (42,597) | 57,985,283 |
| Less accumulated depreciation for: | | | | |
| Building and building improvements | (14,949,773) | (1,353,792) | - | (16,303,565) |
| Land improvements | (4,640,454) | (476,224) | - | (5,116,678) |
| Infrastructure | (430,178) | (117,198) | - | (547,376) |
| Total accumulated depreciation | (20,020,405) | (1,947,214) | - | (21,967,619) |
| Capital assets, net | $35,963,288 | $96,973 | $(42,597) | $36,017,664 |


(3) Contributions:

The University of New Hampshire Foundation (the Foundation) serves as the official legal conduit for the acceptance, investment, and distribution of private gifts in support of the activities and programs of the Program. Contributions of $1,326,553 were recognized from the Foundation for the year ended June 30, 2021, and have been included in the accompanying statement of revenues and expenses. Contributions received from the Foundation were the only contributions exceeding 10% of total contributions, as reported in the statement of revenues and expenses, for the year ended June 30, 2021.

(4) Debt:

The University issued the Series 2001 Bond for the Whittemore Center and Arena construction and the Series 2009A Bond for the Whittemore Center Renovations. The University refinanced the 2001 and 2009A issuances in order to restructure repayment of principal. The obligations of the University Athletics’ funding for the original repayment of debt principal were not impacted.

Maturity dates and interest terms of outstanding debt issues are summarized below:

| Bonds | Maturity Date | Interest Terms and Rates |
|---|---|---|
| 2001, refinanced by 2005B and 2011B | 7/1/2024 | Fixed at 4% |
| 2009A, refinanced by 2017A | 7/1/2025 | Fixed at 4% |

The following is a schedule of future principal and interest payments for the demand bonds as of June 30, 2021:

Capital Improvement Bonds Payable

| Fiscal Year Ending June 30, | Principal | Interest | Total Principal and Interest |
|---|---|---|---|
| 2022 | $1,334,093 | $173,626 | $1,507,719 |
| 2023 | 1,401,708 | 120,263 | 1,521,971 |
| 2024 | 1,473,250 | 64,194 | 1,537,444 |
| 2025 | 131,607 | 5,264 | 136,871 |
| Total | $4,340,658 | $363,348 | $4,704,005 |

(5) Surplus/Deficit Allocations:

The Program is allowed to carry forward all available funds at the end of each fiscal year to the next fiscal year. Deficits are funded by the Program to the extent there is sufficient net position available.

SUPPLEMENT TO STATEMENT OF REVENUES AND EXPENSES
VARIATION ANALYSIS OF THE TOTAL REVENUES AND EXPENSES TO PRIOR PERIOD AMOUNTS AND BUDGET ESTIMATES
FOR THE YEAR ENDED JUNE 30, 2021
(UNAUDITED - SEE ACCOMPANYING INDEPENDENT ACCOUNTANTS' REPORT ON APPLYING AGREED-UPON PROCEDURES)

Comparison to prior period amounts:

| | 2021 | 2020 | $ Variance | % Variance | Variation Explanation |
|---|---|---|---|---|---|
| Revenues | | | | | |
| Direct state or other government support | $3,054,642 | $660,124 | $2,394,518 | 362.74% | (2) Direct State or Other Governmental Support increased from prior year due to the COVID 19 Student Fee Bill Allocation in the CY. |
| Student fees | $10,599,938 | $9,397,240 | $1,202,698 | 12.80% | (3) Student fees increased from prior year due to a student fee refund of $268.70 that was issued to each student. |
| Expenses | | | | | |
| Coaching salaries, benefits and bonuses paid by the university and related entities | $5,244,661 | $6,009,953 | $(765,292) | -12.73% | (22) Decrease is due to coaching vacancies primarily related to COVID-19. |
| Support staff and administrative compensation, benefits and bonuses paid by the university and related entities | $3,474,208 | $3,966,998 | $(492,790) | -12.42% | (24) Decrease is due to staffing vacancies primarily related to COVID-19. |

Comparison to budget estimates:

| | Actual | Budget | $ Variance | % Variance | Variation Explanation |
|---|---|---|---|---|---|
| Revenues | | | | | |
| Direct state or other government support | $3,054,642 | $ - | $3,054,642 | 100.00% | (2) Increase is due to COVID-19 Student Fee Bill Allocation which was not budgeted for. |

UNIVERSITY SYSTEM OF NEW HAMPSHIRE BOARD OF TRUSTEES

Audit Committee

Information Item

Supporting Materials Summary Sheet

University System of New Hampshire
To: Audit Committee
Re: ERM Update - Change Management, Campus Safety, and Compliance – For Information, No Action Required

SUPPORTING MATERIALS (attached) – SUMMARY AND SALIENT INFORMATION

In April 2021, the Executive Committee assigned the top 10 risks to Board Committees for monitoring. An ERM Champion was designated for each risk to gather necessary information and present a report to the Administrative Board on the primary activities that are occurring to manage or mitigate the risk.

At the December 16, 2021 Administrative Board meeting, CHRO Jim McGrail led a discussion on the enterprise risks related to change management, focusing on the importance of developing change leaders and the resources needed to support the efforts, particularly information management tools.

At the January 20, 2022 Administrative Board meeting, Chief Paul Dean provided an update on the Campus Safety risk. The number one issue that currently impacts Campus Safety is staffing shortages. The ability to respond to crises is impacted by staffing shortages; COVID-19 has required the campus safety departments to also take on a community caretaking role. This is a national issue with fewer applicants and impact from COVID-19; attrition has been higher due to the pandemic. Municipalities are making investments in pay and benefits to attract more police officers. Mental health issues have increased along with basic anxiety and stress among students and employees. Alcohol continues to be the number one contributor to crime and disorder on campuses.

At the February 17, 2022 Administrative Board meeting, General Counsel Ron Rodgers led a discussion on the enterprise risks related to Compliance and provided an update on risk mitigation efforts relating to Compliance and Risk Management. The presented reports are attached.

SUBMITTED AND APPROVED BY:

Catherine A. Provencher
Chief Administrative Officer and Vice Chancellor for Financial Affairs & Treasurer

Date Prepared: February 22, 2022
For the Meeting of: March 3, 2022

-- End of Summary Sheet --

Administrative Board

5 Chenell Drive, Suite 301, Concord, NH 03301 | usnh.edu

ENTERPRISE RISK MANAGEMENT

Risk Monitoring Report to the Board of Trustees

Process for Management of Enterprise Risks: Jim McGrail presented the Change Management risk area to the Ad Board in December 2021.

Summary of the Mitigation Plans for Enterprise Risks:

Risk Area: Change Management

Accountable Office: HR, Finance, Exec Team

Risk Description:

• Challenges of engaging the workforce during pandemic and restructures.

• Number of projects create potential for significant burnout/exhaustion and/or attrition of employees.

• Transition of duties and knowledge transfer must be effectively managed.

• Industry in general and USNH specifically does not embrace change.

• Ability to engage in process re-engineering may be limited (aptitude and time).

ERM Champion: James McGrail

Likelihood: High

Impact: High

Management/Mitigation Plan:

• Communications to and meetings with employees explaining the changes have increased, call center available at UNH.

• Continued business process improvements are being made based on customer feedback.

• Status of the multiple ongoing projects are standing item on Ad Board agenda. Ad Board will take leadership role with ERP.

• Change management playbook (attached) has been developed as a reference tool to guide the ongoing change.

Admin Board’s Assessment Comments:


2020

UNIVERSITY SYSTEM OF NEW HAMPSHIRE CHANGE PLAYBOOK

This guide is designed primarily to assist teams tasked with planning and managing organizational changes that impact USNH. It outlines a process and steps that may or may not apply to every change, and includes examples of tools and work products which may be used to guide and support teams and leaders responsible for managing whole system change.

1. IDENTIFYING THE NEED FOR CHANGE

It is not difficult to identify when change is needed, but to be successful, change must be shaped purposefully and supported by critical decision-makers and stakeholders throughout the process. The best way to ensure this support is to define, discuss and document the following critical elements.

Work Steps (4–8 Weeks)

Assemble Work Team and Establish Charter/Mission

Conduct Strategy Meeting

Document Discussion

Identify Critical Stakeholders and Methodology for Engagement

Get Go Ahead from Decision-Makers

Planning Tools

Exhibit 1: Work Team Roster

Exhibit 2: Team Charter

Exhibit 3: Planning Meeting Discussion Guide

Exhibit 4: Project Plan

Exhibit 5: Stakeholder Analysis

Exhibit 6: Draft Management Presentation


Phase 1 Planning Tools

Exhibit 1: Work Team Roster

Name | Title | Email | Telephone | Mailing Address

Exhibit 2: Team Charter (Illustrative)

Purpose: The (Name) is a standing body within the University System of New Hampshire (USNH). The (name) is advisory to the USNH Administrative Board and is charged to consider, decide, recommend and/or implement strategic or operationally significant matters, according to the policies and processes of USNH.

Membership and Structure: Membership will be (titles) of Granite State College, Keene State College, Plymouth State University, and the University of New Hampshire (or their designees), along with representatives designated by the Chancellor, or designee, with significant responsibility for (job responsibilities) for the system, including but not limited to (name of functions). The Chancellor may assign a USNH representative to support the committee. Other campus representatives may be invited to attend meetings at the discretion of each member of the Council.

Membership Structure/Roles: The Council through discussion and voting establishes its Chairperson. The Chair serves a two (2) year term. If membership in the Council changes, discussion and voting will again occur to elect a Chair. The Chair may not serve more than two (2) consecutive terms.

Council Chair

The Chair is responsible for convening the Council and for its meeting logistics, agenda creation and triage. The Chair actively promotes the collaborative nature of the group and ensures that, to the fullest extent possible, items of collective interest are shared in a timely fashion so as to permit thoughtful consideration of potential actions and advice from other members and the institutions and/or functions that they represent. The Council Chair serves as primary point of contact for the USNH System Office, Executive Councils and the Administrative Board, and is responsible for ensuring that relationships between the Council and other committees are maintained.

Member Responsibility

Members are expected to:

• Proactively engage with home campus leadership, committees, councils and other bodies as warranted and/or assigned, to maintain appropriate levels of communications and achievement of strategic goals and priorities.

• Actively share items that could be of significant or relevant interest or concern to USNH.

• Ensure shared deliverables are completed.

• Ensure that accepted standards, shared processes and best practices are followed.

Meetings: The Council will have regular meetings sufficient to meet its objectives in support of the outcomes expected from its strategic roadmap. Meetings will be at times and locations convenient to membership. Some meetings may be held by video conferencing to reduce travel time and create operational efficiencies.

Objectives: List objectives. Be as specific as possible. Note how members will be held responsible and recognized for their contributions. Objectives might include:

• Create and execute a cohesive ongoing strategy.

• Advise and guide the USNH Administrative Board.

• Identify, share and adopt best practices, work products and processes for the benefit of USNH.

• Facilitate and promote efficiency and leverage in the use of services, contracts and related purchasing.

• Establish and follow processes and procedures that ensure individual institutions are appropriately consulted, represented, informed, and/or responsible.

• Ensure a responsive, coordinated and collaborative process for responding to experiences that affect the University System and its campuses broadly.

• Keep the Administrative Board appropriately informed of the Council’s work and work plans as well as the current and emerging challenges and opportunities that may affect the efficient and effective accomplishment of USNH’s mission.

Exhibit 3: Planning Meeting Discussion Guide

Topic Responsibility Timing

Welcome and Introductions

Who and why are we here?

Background and Context

How did we get here and what are we here to do?

The Need for Change

What does success look like? What priorities are we trying to achieve?

Guiding Principles

What unifying principles should guide our process and decisions?

Governance and Stakeholders

Who will ensure success, what is their role and how do we best engage them?

Work Process, Resources and Timing

What process will be used to shape our proposed change? What resources will be needed?

What are the major milestones and timing of them in this process?

Deliverables and Next Steps

What are our next steps and who is responsible for what?


Phase 1 Project Planning

Exhibit 4: Sample Project Plan

Phase 1: Project Planning

Ensure leadership and working team members are fully aligned and supportive of effort

August – September

Task (What is the objective of this step?)

Detailed Deliverables (What are the specific work products that will be produced?)

Responsibility (Who will complete this step?)

Date (when are deliverables expected and/or what is the status?)

Confirm project plan and timing Detailed project approach, including goals and methodology and deliverables

Project timeline, sequenced with other leadership meetings/events

Delineation of responsibilities

Clarification of working model and project communication protocols

Completed

Identify potential working team members

List of potential working team members from campuses, system office and others?

Definition of team charter

Estimate of team member time commitment and other resource needs

Completed

Confirm working team meeting dates and locations

Schedule of leadership and working team meeting dates, times and locations

Completed

Collect and review relevant background information

Strategic plans/Forecasts

External marketing materials

Market segmentation data

Demographic and economic data

Past positioning statements/branding strategies

In process


Develop project administration materials

Team roster/distribution lists

Meeting invitations

Report template/format

Completed

Phase 2: Working Team Formation

Establish organizational change management working team that can ensure success across critical constituent groups

September – October 2018

Review project overview and nominations for working team

Telephone conference call with CEOs Completed

Confirm working team representation, project scope and deliverables with individual CEOs/leadership

Leadership discussion to review

• Project overview

• High-level project timeline

• Working team representation

Completed

Finalize and enlist working team membership

Project summary and timeline

Estimated time commitment

Barriers to participation and alternatives/accommodations

Completed

Organize kick-off meeting and invite team members (1/2 day)

Meeting invitation email

Meeting agenda

Presentation/facilitation materials

Completed

Conduct initial working team meeting (Internally focused with goal of information sharing and team formation)

Project background, summary, goals, timeline and deliverables

Working team charter

Current campus positioning and marketing activities

Existing market segmentation and targeting strategies

Opportunities for ongoing information and resource sharing

Additional sources for market data

Completed

Summarize and share results and findings of initial working team meeting with team and leadership

Working team meeting #1 summary Completed


Provide Board of Trustees Update

Overview of process

Working team roster

Project timing and deliverables

Project status

Completed

Phase 3: Doing Our Homework

Conduct and summarize market analysis, with focus on gathering and synthesizing existing data and intelligence

October – November

Gather and summarize internal and external market data (i.e., market analysis) and trends

Context

Challenges and opportunities

Target markets, demographic trends and opportunities for influence

In process

Identify and specify target market(s), including overlaps across organization

Primary and secondary constituents

Lead-stream sources

Competitors

Market influencers

In process

Articulate differentiated value proposition by institution (campuses and System)

Market differentiation

Positioning strategy

Targeting/outreach strategies

Sources for data

October

Conduct one-day market situation/strategy planning session

Email

Agenda

Summary of market analysis

Existing and potential future marketing and outreach strategies (media, networking, direct marketing, advertising, trade outreach, positioning)

November 7

Summarize and present market situation

Draft leadership report

Interim update on project activities

Known/immediate opportunities for collaboration across organization

November 12


Phase 4: Telling Our Story

Draft roadmap for shaping change, with the goal of positively influencing constituents critical to its success and vitality

November - December

Develop blue sky meeting agenda and discussion materials

Meeting agenda

Presentation materials

Facilitation guide

Meeting invitation

November - December

Conduct blue sky meeting December 12

9 am – 3 pm

Summarize and review results of blue sky meeting

Value proposition statement

Positioning attributes

Potential positioning strategies and approaches

Market segmentation summary

Potential outreach strategies

Goals/metrics and tracking protocols

Resourcing and budget

December 17

Develop and review integrated strategy

January 7

Present integrated strategy to leadership for comment and approval

January 14

Provide strategic recommendations to Board of Trustees

January 18

Phase 5: Resourcing and Next Steps

Develop effective implementation plan and supporting resources


January - February

Define strategy implementation resourcing (project plan, responsibilities, timing, etc.)

January

Assess support needs and define appropriate functional requirements

Function/Position descriptions

Start-up budget

Ongoing resource commitment

Decision on future role of working team

January - February


Exhibit 5: Stakeholder Analysis

(Designed to identify a process for engaging key constituents who will ensure change is managed, important voices influence and support the scope of change, and everyone is engaged at the appropriate and necessary point in the change process. Should be completed by change owners/project leaders and decision makers).

| Potential Impact | Who? | When? | Challenges? | Critical Success Factors? |
|---|---|---|---|---|
| I will drive the change. | Administrative Board | At inception and throughout | Indecision; Over-analysis; Lack of delegation | Active and visible support for change; Clear delineation of responsibility for decision-making |
| | Chancellor and System Office Leadership | | | |
| | Functional Leadership (i.e., HR, Finance, etc.) | | | |
| I will see the change. | Media | | | |
| | Local politicians | | | |
| | Faculty and Staff | | | |
| I will experience the change. | Program participants or beneficiaries | | | |
| | Future program participants/new hires | | | |
| | Specific demographic cohorts | | | |
| | Recruits | | | |
| I will enable the change. | Cabinets | | | |
| | Councils | | | |
| | Managers | | | |
| | Labor leadership | | | |
| I will need to know about the change. | Board of Trustees | Throughout the process | Managing expectation and rumors | |
| | Alumni | | | |
| | Major Donors/Supporters | | | |
| | Media | | | |
| | Local Business Leaders | | | |

Exhibit 6: Draft Management Presentation


2. ANALYZE IMPACT

A. Description of Current State
   i. Documentation/Data Review
   ii. Work Flow Analysis
   iii. Context for Change
B. Potential Future State Alternatives and Impact
   i. Financial Impact
   ii. Operational Impact
   iii. Talent Impact
   iv. Timing
C. Listening Strategies/Customer Inputs
D. Documentation Review and Sharing

3. GO-NO GO DECISION

A. Objectives and Process Overview
B. Summary of Data Analysis
C. Range of Options
D. Recommended Future Approach
E. Projected Impact/Outcomes
F. Disruption Analysis/Mitigation
G. Transition Strategies
H. Positioning and Communication Messaging
I. High Level Timeline
J. Resourcing

4. IMPLEMENTATION

A. Charter/Leadership Accountability
B. Workstreams
C. Project Management (PMO)
   i. Project Leadership
   ii. Operating Model/Workstream Leadership
   iii. Documentation Repository/Management
   iv. Progress Reporting/Issues Resolution Process
D. Detailed Implementation Project Plan
E. Issues Tracking and Management
F. Metrics/Data Benchmark

5. MEASURE RESULTS

A. Metrics
B. Benchmarks
C. Data Tracking
D. Review Process and Timing


ENTERPRISE RISK MANAGEMENT

Risk Monitoring Report to the Board of Trustees
February 22, 2022

Process for Management of Enterprise Risks: Ongoing meetings with UNH, PSU, KSC, GSC, UNH Law, UNHM and the System Office to identify campus public safety risks.

Summary of the Mitigation Plans for Campus Public Safety Risks (Mitigation plan and progress comments columns are updated periodically. Other columns flow from the Annual ERM

Accountable Office: Presidents

Risk Description:

• Hiring and Retention of Police Officers, Campus Safety Officers, Emergency Dispatchers and Public Safety support staff. Timely, appropriate, and comprehensive response to a crisis may not always be achieved.

ERM Champion: Paul Dean

Likelihood: Medium

Impact: High

Management/Mitigation Plan: Work with Human Resources recruitment, marketing and benchmarking public safety positions

Admin Board’s Assessment Comments:

Accountable Office: Presidents

Risk Description:

• The impact of Alcohol and other drugs on crimes

ERM Champion: Paul Dean

Likelihood: High

Impact: High

Management/Mitigation Plan: Prevention, Education and Enforcement of underage alcohol consumption

Admin Board’s Assessment Comments:


ENTERPRISE RISK MANAGEMENT

Risk Monitoring Report to the Administrative Board

Compliance and Risk Management (February 17, 2022)

Summary of the ERM function re: compliance and risk management: The management and oversight of compliance and risk management functions are substantially distributed across the USNH institutions and programs. As a result, there is a wide variety of practice, facility, and focus on compliance and risk management. The system office has developed several resources available to support institutional efforts; the BOT and Admin Bd practices of monitoring and reporting enterprise risks are intended to encourage the maturation of processes across the system.

The management plan for the risks related to compliance and risk management (Mitigation plan and progress comments columns are updated periodically; other columns flow from the Annual ERM Report.):

Risk Area: Compliance and Risk Management

Accountable Office: Presidents and CAO

Risk Description:

• Compliance goals may not be fully met due to resource constraints, inadequate planning, lack of awareness, or knowledge gaps, which may result in regulatory sanctions or significantly impact organizational reputation.

• Resources dedicated to risk area vary substantially across institutions and from program-to-program.

• ERM program is relatively immature and not sufficiently integrated into strategic decision-making and management processes across USNH.

ERM Champion: Ron Rodgers

Likelihood: Medium

Impact: High

Management/Mitigation Plan:

• Established a risk management position in the System Office and appointed a manager (Lorna Jacobsen)

• Established a compliance, ethics, and conflict of interest management support service in the GCO. The resource supports the institutions in advising, training, dissemination of new regulatory requirements, and reporting to the Admin Board and Board of Trustees.

• Established a revised risk identification, monitoring, and reporting process with the Administrative Board taking the primary responsibility for oversight.

• On-going development and implementation of contingency planning practices.

• Encourage and support the use of after-action reviews.

• Continue advancing the maturity of the ERM program following guidance in the publication Risk Management, Second Edition, published by UE and the AGB.

Admin Board’s Assessment Comments:


UNIVERSITY SYSTEM OF NEW HAMPSHIRE BOARD OF TRUSTEES

Audit Committee

Motion Sheet

University System of New Hampshire
To: Audit Committee
Re: Recommend the appointment of external auditors

PROPOSED MOTION

MOVED, on recommendation of the Chief Administrative Officer, that CliftonLarsonAllen LLP be confirmed as the external auditor for the University System of New Hampshire to provide audit services related to activities of fiscal year ending June 30, 2022.

SUMMARY OF PROPOSED ACTION This action approves the annual engagement plan and proposed fees for CliftonLarsonAllen LLP (CLA), the qualified audit firm that was selected in 2020 for a term up to seven years, to audit the consolidated financial statements and associated schedule of expenditures of federal awards of the University System of New Hampshire (USNH) for the year ended June 30, 2022. Fees are proposed to increase approximately 3% (to $272,092) for the USNH financial statements and Uniform Guidance engagement. RATIONALE FOR PROPOSED ACTION CLA was selected to be the USNH’s audit firm in Spring 2020 for audits of the financial statements of USNH for fiscal year 2020 and up to six years thereafter. The proposed action would reengage CLA for another year based on the reasonable fees proposed for this year’s services and USNH’s satisfaction with the audit services provided by CLA. PREVIOUS REVIEWS AND APPROVALS The determination of the external auditor selected by the Audit Committee and the Board of Trustees was based on a competitive bid process among major national firms as required by USNH policy, which incorporated consideration of proposed fees and expenses for multiple years of the engagement.

RELEVANT GOVERNANCE DOCUMENTS, POLICIES, AND PRACTICES

1. Title XV, Chapter 187-A:25-a of the State of New Hampshire’s Revised Statutes Annotated

2. Board of Trustees’ Financial Policy IV.D External Audit

RESOURCE IMPLICATIONS

Below is a summary of related fees for prior years and amounts expected to be paid in FY22 & FY23 for the related FY22 audit work. Sufficient funds have been budgeted by USNH management to cover the costs of the audits.

Competitive bids were obtained for performing NCAA agreed upon procedures related to the UNH Athletics Department’s statement of revenues and expenditures in FY19. James Moore & Co. will perform this work for FY22.

Costs Related to Audits for Fiscal Year Ended 6/30/

| | CLA 2022 (1) | CLA 2021 (2) | CLA 2020 (3) | KPMG 2019 (4) | KPMG 2018 (5) |
|---|---|---|---|---|---|
| USNH financial statements audit and Uniform Guidance audit of expenditures made on federal grants/contracts | $272,092 | $264,592 | $257,350 | $299,600 | $290,900 |
| UNHF | $27,646 | $26,885 | $26,150 | $26,700 | $27,900 |
| NCAA | n/a | n/a | n/a | n/a | $26,000 |
| Total USNH and UNH Fees | $299,738 | $291,477 | $283,500 | $326,300 | $344,800 |

(1) FY2022 work includes testing of one Major Program. Any additional Major Program work will range from $7500 to $12,500, based upon the program.
(2) USNH figure excludes an estimated $22,500 in fees for additional Uniform Guidance audit work.
(3) USNH figure excludes $21,000 in fees for additional Uniform Guidance audit work.
(4) USNH figure excludes $15,800 in fees for additional Uniform Guidance audit work.
(5) USNH figure excludes $19,300 in fees for additional Financial Statements and Uniform Guidance audit work.

RISK MANAGEMENT CONSIDERATIONS

Legal and regulatory non-compliance as well as reputational damage could result from untimely provision of the USNH’s audited financial statements for the year ended June 30, 2022, to the State of New Hampshire and the federal government.

SUBSEQUENT ACTION REQUIRED

The Audit Committee Chair and the Vice Chancellor for Financial Affairs and Treasurer will be required to sign the engagement letter that provides the detailed terms of the engagement to audit the USNH financial statements for the year ended June 30, 2022. Authorized representatives of the UNH Foundation will be required to sign separate formal engagement letters for an audit of the UNH Foundation’s financial statements.

ATTACHED MATERIALS – SUMMARY AND SALIENT INFORMATION

CLA’s presentation to the Audit Committee of its 2022 Audit Plan, including the proposed engagement letter for the primary audit of the USNH financial statements and expenditures of federal awards, is included in the meeting materials.

SUBMITTED AND APPROVED BY:

Catherine A. Provencher
Chief Administrative Officer and Vice Chancellor for Financial Affairs & Treasurer

Date Prepared: February 23, 2022
For the Meeting of: March 3, 2022

-- End of Motion Sheet --

WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING

Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor

©2021 CliftonLarsonAllen LLP

FY22 Audit Planning Meeting

March 3, 2022

University System of New Hampshire

Agenda

• Scope of Services and Deliverables

• Responsibility Overview

• Audit Timeline

• FY22 Audit Fees

• Risk Assessment

• Emerging Issues

Scope of Services and Deliverables

• An audit of the financial statements of the University System of New Hampshire (the System) in accordance with generally accepted auditing standards (GAAS) as of and for the year ending June 30, 2022

• Required Governance Communications Letter

• Internal Control Communication Letter

• Management Letter, if applicable

• An audit of the System’s major federal award programs under the Uniform Grant Guidance (Single Audit)

Responsibility Overview

Governance

• Oversight of the audit process and strategic direction

• Policy related to external audits

Management

• Preparation of financial statements

• Selection of accounting policies

• Design and implementation of internal controls over financial reporting and compliance

• Programs to control and prevent fraud and inform auditors of known or suspected fraud

Independent Auditor

• Perform an audit in accordance with GAAS

• Express opinion on whether financial statements are fairly presented in conformity with GAAP in all material respects

• Communicate significant matters

Audit Timeline

• Audit Planning: Continuous

• Preliminary Procedures: May - July

• Fieldwork: August - September

• Final Reporting: October

The audit planning meeting today is the start of the audit process. We utilize a collaborative approach, which includes seeking input from management and governance, to develop an audit plan that focuses on areas of risk and areas of significance to stakeholders of your Organization.

Any items of significance, warranting communication with governance, that arise throughout the audit process will be promptly communicated. If you do not hear from us prior to the final audit presentation in October, everything went as planned and discussed here today.

USNH Audit Fees

FY2021

• FS Audit: $200,525

• SA Audit: $64,067*

Total: $264,592

FY2022

• FS Audit: $206,270

• SA Audit: $65,822*

Total: $272,092

*Assumes testing 1 type A Major Program (MP) and any type B program(s) necessary. Additional MP will range from $7,500 to $12,500, based upon the program.

Risk Assessment

Audit Risk

Audit Risk = the risk of an undetected material misstatement due to error or fraud.

Preliminary Risk Assessment to reduce the audit risk to an appropriately low level.

Inherent Risk (Due to the Nature of the Account)

Control Risk (Internal Controls Fail to Prevent or Detect a Material Misstatement)

Detection Risk (Audit Procedures Fail to Detect a Material Misstatement)

Significant or Fraud Risks (Other Risks Deemed Significant or Fraudulent in Nature)

• New tests annually to avoid familiarity with audit process

• Use of data analytics on large volumes of data

• Cash and Cash Equivalents

• Estimate (Allowance for Defaulted Loans)

• Liabilities

• Review design and perform tests to validate they are functioning

• Revenue Recognition

• Management Override of controls

• Debt Covenants

Risk Assessment - Governance Input

Areas of Focus?

• Individual Accounts

• Transactions

• Processes

• Controls

Other Concerns?

• Litigation

• Operations

• Industry Trends

Fraud?

• Knowledge of Fraud

• Threshold for communication

As independent auditors, we work for governance and work with management to accomplish the audit. Your input is valued as we develop our audit plan and approach.

Emerging Issues

Effective Dates

• 2022
  • GASB 87 – Leases
  • GASB 93 – Replacement of Interbank Offered Rates

• 2023
  • GASB 96 - Subscription-Based Information Technology Arrangements

Questions?

Link to articles: https://www.claconnect.com/industries/education-overview

Andy Lee, [email protected]

Luke Winter, [email protected]

DRAFT

February 23, 2022

Board of Trustees and Management
University System of New Hampshire
5 Chenell Drive, Suite 301
Concord, NH 03301

Dear Board of Trustees and Management:

We are pleased to confirm our understanding of the terms and objectives of our engagement and the nature and limitations of the audit and nonaudit services CliftonLarsonAllen LLP (“CLA,” “we,” “us,” and “our”) will provide for the University System of New Hampshire (“you,” “your,” “USNH,” or “the entity”) for the year ended June 30, 2022. Per the USNH Consultant agreement signed by both parties in June 2020, USNH and CLA agree to extend the agreement for one additional year.

Andrew Lee, CPA is responsible for the performance of the audit engagement. He will be assisted by Brenda Scherer, CPA, who will be responsible for the single audit.

Scope of audit services

We will audit the financial statements of the business-type activities and the aggregate discretely presented component units, which collectively comprise the basic financial statements of the University System of New Hampshire, as of and for the year ended June 30, 2022, and the related notes to the financial statements.

The Governmental Accounting Standards Board (GASB) provides for certain required supplementary information (RSI) to accompany the entity’s basic financial statements. The following RSI will be subjected to certain limited procedures, but will not be audited.

1. Management’s discussion and analysis.

2. GASB-required supplementary pension and OPEB information.

The information other than RSI accompanying the financial statements will not be subjected to the auditing procedures applied in our audit of the financial statements and our auditors’ report will not provide an opinion or any assurance on that information.

We will also evaluate and report on the presentation of the following supplementary information other than RSI accompanying the financial statements in relation to the financial statements as a whole:

1. Schedule of expenditures of federal awards

Nonaudit services

We will also provide the following nonaudit services:

• Assistance with the preparation of your financial statements, schedule of expenditures of federal awards, related notes.

• Preparation of adjusting journal entries, as needed.

Audit objectives

The objectives of our audit are to obtain reasonable assurance about whether the basic financial statements as a whole are free from material misstatement, whether due to fraud or error, and to issue an auditors’ report that includes our opinions about whether your basic financial statements are fairly presented, in all material respects, in conformity with accounting principles generally accepted in the United States of America (U.S. GAAP). Reasonable assurance is a high level of assurance but is not absolute assurance and therefore is not a guarantee that an audit conducted in accordance with auditing standards generally accepted in the United States of America (U.S. GAAS) will always detect a material misstatement when it exists. Misstatements, including omissions, can arise from fraud or error and are considered material if there is a substantial likelihood that, individually or in the aggregate, they would influence the judgment made by a reasonable user based on the financial statements.

Our audit will be conducted in accordance with U.S. GAAS; the standards for financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and the audit requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Those standards require us to be independent of the entity and to meet our other ethical responsibilities, in accordance with the relevant ethical requirements relating to our audit. Our audit will include tests of your accounting records, a determination of major program(s) in accordance with the Uniform Guidance, and other procedures we consider necessary to enable us to express opinions and render the required reports. We will apply certain limited procedures to the RSI in accordance with U.S. GAAS. However, we will not express an opinion or provide any assurance on the RSI because the limited procedures do not provide us with sufficient evidence to express an opinion or provide any assurance. We will also perform procedures to enable us to express an opinion on whether the supplementary information (as identified above) other than RSI accompanying the financial statements is fairly stated, in all material respects, in relation to the financial statements as a whole.

The objectives of our audit also include:

• Reporting on internal control over financial reporting and on compliance with the provisions of laws, regulations, contracts, and award agreements, noncompliance with which could have a material effect on the financial statements in accordance with Government Auditing Standards.

• Reporting on internal control over compliance related to major programs and expressing an opinion (or disclaimer of opinion) on compliance with federal statutes, regulations, and the terms and conditions of federal awards that could have a direct and material effect on each major program in accordance with the Uniform Guidance.

The Government Auditing Standards report on internal control over financial reporting and on compliance and other matters will include a paragraph that states (1) that the purpose of the report is solely to describe the scope of our testing of internal control and compliance and the results of that testing, and not to provide an opinion on the effectiveness of the entity’s internal control or on compliance, and (2) that the report is an integral part of an audit performed in accordance with Government Auditing Standards in considering the entity’s internal control and compliance. The Uniform Guidance report on internal control over compliance will include a paragraph that states that the purpose of the report on internal control over compliance is solely to describe the scope of our testing of internal control over compliance and the results of that testing based on the requirements of the Uniform Guidance. Both reports will state that the report is not suitable for any other purpose.

We will issue written reports upon completion of our audit of your financial statements and compliance with requirements applicable to major programs. Circumstances may arise in which our report may differ from its expected form and content based on the results of our audit. Depending on the nature of these circumstances, it may be necessary for us to modify our opinions, add an emphasis-of-matter or other-matter paragraph to our auditors’ report, or if necessary, withdraw from the engagement. If our opinions on the financial statements or the single audit compliance opinion is other than unmodified, we will discuss the reasons with you in advance. If circumstances occur related to the condition of your records, the availability of sufficient, appropriate audit evidence, or the existence of a significant risk of material misstatement of the financial statements or material noncompliance caused by error, fraudulent financial reporting, or misappropriation of assets, which in our professional judgment prevent us from completing the audit or forming opinions on the financial statements or an opinion on compliance, we retain the right to take any course of action permitted by professional standards, including declining to express opinions or issue reports, or withdrawing from the engagement.

Auditor responsibilities, procedures, and limitations

We will conduct our audit in accordance with U.S. GAAS, the standards for financial audits contained in Government Auditing Standards, and the Uniform Guidance. Those standards require that we exercise professional judgment and maintain professional skepticism throughout the planning and performance of the audit. As part of our audit, we will:

• Identify and assess the risks of material misstatement of the financial statements and material noncompliance, whether due to fraud or error, design and perform audit procedures responsive to those risks, and obtain audit evidence that is sufficient and appropriate to provide a basis for our opinions. The risk of not detecting a material misstatement or a material noncompliance resulting from fraud is higher than for one resulting from error, as fraud may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal control.

• Obtain an understanding of internal control relevant to the audit in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing opinions on the effectiveness of the entity's internal control. However, we will communicate to you in writing any significant deficiencies or material weaknesses in internal control relevant to the audit of the basic financial statements that we have identified during the audit.

• Evaluate the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluate the overall presentation of the basic financial statements, including the amounts and disclosures, and whether the basic financial statements represent the underlying transactions and events in a manner that achieves fair presentation.

• Conclude, based on the audit evidence obtained, whether there are conditions or events, considered in the aggregate, that raise substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time.

Although our audit planning has not been concluded and modifications may be made, we have identified the following significant risk(s) of material misstatement as part of our audit planning:

• Management override of controls

• Revenue Recognition

There is an unavoidable risk, because of the inherent limitations of an audit, together with the inherent limitations of internal control, that some material misstatements or noncompliance may not be detected, even though the audit is properly planned and performed in accordance with U.S. GAAS, Government Auditing Standards, and the Uniform Guidance. Because we will not perform a detailed examination of all transactions, material misstatements, whether from (1) errors, (2) fraudulent financial reporting, (3) misappropriation of assets, or (4) violations of laws or governmental regulations that are attributable to the entity or to acts by management or employees acting on behalf of the entity, may not be detected. Because the determination of waste and abuse is subjective, Government Auditing Standards do not require auditors to perform specific procedures to detect waste or abuse in financial audits nor do they expect auditors to provide reasonable assurance of detecting waste or abuse.

In addition, an audit is not designed to detect immaterial misstatements or violations of laws or governmental regulations that do not have a direct and material effect on the financial statements or on major programs. However, we will inform the appropriate level of management and those charged with governance of any material errors, fraudulent financial reporting, or misappropriation of assets that come to our attention. We will also inform the appropriate level of management and those charged with governance of any violations of laws or governmental regulations that come to our attention, unless clearly inconsequential. We will include such matters in the reports required for a single audit.

Tests of controls may be performed to test the effectiveness of certain controls that we consider relevant to preventing and detecting fraud or errors that are material to the financial statements and to preventing and detecting misstatements resulting from noncompliance with provisions of laws, regulations, contracts, and grant agreements that have a material effect on the financial statements. Our tests, if performed, will be less in scope than would be necessary to render an opinion on internal control and, accordingly, no opinion will be expressed in our report on internal control issued pursuant to Government Auditing Standards.

As required by the Uniform Guidance, we will perform tests of controls over compliance to evaluate the effectiveness of the design and operation of controls that we consider relevant to preventing or detecting material noncompliance with the direct and material compliance requirements applicable to each major federal award program. However, our tests will be less in scope than would be necessary to render an opinion on those controls and, accordingly, no opinion will be expressed in our report on internal control issued pursuant to the Uniform Guidance.

An audit is not designed to provide assurance on internal control or to identify deficiencies, significant deficiencies, or material weaknesses in internal control. However, we will communicate to you in writing significant deficiencies or material weaknesses in internal control relevant to the audit of the basic financial statements that we identify during the audit that are required to be communicated under AICPA professional standards, Government Auditing Standards, and the Uniform Guidance.

As part of obtaining reasonable assurance about whether the financial statements are free of material misstatement, we will perform tests of the entity’s compliance with the provisions of laws, regulations, contracts, and grant agreements that have a material effect on the financial statements. However, the objective of our audit will not be to provide an opinion on overall compliance and we will not express such an opinion in our report on compliance issued pursuant to Government Auditing Standards.

We will include in our report on internal control over financial reporting and on compliance relevant information about any identified or suspected instances of fraud and any identified or suspected noncompliance with provisions of laws, regulations, contracts, or grant agreements that may have occurred that are required to be communicated under Government Auditing Standards.

The Uniform Guidance requires that we also plan and perform the audit to obtain reasonable assurance about whether the auditee has complied with federal statutes, regulations, and the terms and conditions of federal awards that may have a direct and material effect on each of the entity’s major programs. Our procedures will consist of tests of transactions and other applicable procedures described in the “OMB Compliance Supplement” for the types of compliance requirements that could have a direct and material effect on each of the entity’s major programs. The purpose of these procedures will be to express an opinion on the entity’s compliance with requirements applicable to each of its major programs in our report on compliance issued pursuant to the Uniform Guidance.

We will evaluate the presentation of the schedule of expenditures of federal awards accompanying the financial statements in relation to the financial statements as a whole. We will make certain inquiries of management and evaluate the form, content, and methods of preparing the schedule to determine whether the information complies with U.S. GAAP and the Uniform Guidance, the method of preparing it has not changed from the prior period, and the information is appropriate and complete in relation to our audit of the financial statements. We will compare and reconcile the schedule to the underlying accounting records and other records used to prepare the financial statements or to the financial statements themselves.

Our responsibility as auditors is limited to the period covered by our audit and does not extend to any later periods for which we are not engaged as auditors.

Management responsibilities

Our audit will be conducted on the basis that you (management and, when appropriate, those charged with governance) acknowledge and understand that you have certain responsibilities that are fundamental to the conduct of an audit.

You are responsible for the preparation and fair presentation of the financial statements, RSI, and the schedule of expenditures of federal awards in accordance with U.S. GAAP. Management is also responsible for identifying all federal awards received, understanding and complying with the compliance requirements, and for the preparation of the schedule of expenditures of federal awards (including notes and noncash assistance received) in accordance with the requirements of the Uniform Guidance.

Management’s responsibilities include the selection and application of accounting principles; recording and reflecting all transactions in the financial statements; determining the reasonableness of significant accounting estimates included in the financial statements; adjusting the financial statements to correct material misstatements; and confirming to us in the management representation letter that the effects of any uncorrected misstatements aggregated by us during the current engagement and pertaining to the latest period presented are immaterial, both individually and in the aggregate, to the financial statements taken as a whole. In preparing the financial statements, management is required to evaluate whether there are conditions or events, considered in the aggregate, that raise substantial doubt about the entity’s ability to continue as a going concern for 12 months beyond the financial statement date.

Management is responsible for compliance with applicable laws and regulations and the provisions of contracts and grant agreements, including compliance with federal statutes, regulations, and the terms and conditions of federal awards applicable to the entity’s federal programs. Your responsibilities also include identifying significant contractor relationships in which the contractor has responsibility for program compliance and for the accuracy and completeness of that information.

You are responsible for the design, implementation, and maintenance of effective internal control, including internal control over compliance, relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error, including evaluating and monitoring ongoing activities and safeguarding assets to help ensure that appropriate goals and objectives are met; and that there is reasonable assurance that government programs are administered in compliance with compliance requirements.

You are responsible for the design, implementation, and maintenance of internal controls to prevent and detect fraud; assessing the risk that the financial statements may be materially misstated as a result of fraud; and for informing us about all known or suspected fraud affecting the entity involving (1) management, (2) employees who have significant roles in internal control, and (3) others where the fraud could have a material effect on the financial statements. Your responsibilities include informing us of your knowledge of any allegations of fraud or suspected fraud affecting the entity received in communications from employees, former employees, grantors, regulators, or others. In addition, you are responsible for implementing systems designed to achieve compliance with applicable laws and regulations and the provisions of contracts and grant agreements, including compliance with federal statutes, regulations, and the terms and conditions of federal awards applicable to the entity’s federal programs; identifying and ensuring that the entity complies with applicable laws, regulations, contracts, and grant agreements, including compliance with federal statutes, regulations, and the terms and conditions of federal awards applicable to the entity’s federal programs; and informing us of all instances of identified or suspected noncompliance whose effects on the financial statements should be considered.

You are responsible for taking timely and appropriate steps to remedy any fraud and noncompliance with provisions of laws, regulations, contracts, and grant agreements that we may report. Additionally, as required by the Uniform Guidance, it is management’s responsibility to evaluate and monitor noncompliance with federal statutes, regulations, and the terms and conditions of federal awards; take prompt action when instances of noncompliance are identified, including noncompliance identified in audit findings; and to follow up and take prompt corrective action on reported audit findings and to prepare a summary schedule of prior audit findings and a corrective action plan. The summary schedule of prior audit findings should be available for our review on June 30, 2022.

You are responsible for providing us with (1) access to all information of which you are aware that is relevant to the preparation and fair presentation of the financial statements, including amounts and disclosures, such as records, documentation, identification of all related parties and all related-party relationships and transactions, and other matters, and for the accuracy and completeness of that information (including information from within and outside of the general and subsidiary ledgers), and for ensuring management information and financial information is reliable and properly reported; (2) access to personnel, accounts, books, records, supporting documentation, and other information as needed to perform an audit under the Uniform Guidance; (3) additional information that we may request for the purpose of the audit; and (4) unrestricted access to persons within the entity from whom we determine it necessary to obtain audit evidence. You agree to inform us of events occurring or facts discovered subsequent to the date of the financial statements that may affect the financial statements.

You agree to include our report on the schedule of expenditures of federal awards in any document that contains and indicates that we have reported on the schedule of expenditures of federal awards. You also agree to include the audited financial statements with any presentation of the schedule of expenditures of federal awards that includes our report thereon or make the audited financial statements readily available to intended users of the schedule of expenditures of federal awards no later than the date the schedule of expenditures of federal awards is issued with our report thereon. Your responsibilities include acknowledging to us in the representation letter that (1) you are responsible for presentation of the schedule of expenditures of federal awards in accordance with the Uniform Guidance; (2) you believe the schedule of expenditures of federal awards, including its form and content, is fairly presented in accordance with the Uniform Guidance; (3) the methods of measurement or presentation have not changed from those used in the prior period (or, if they have changed, the reasons for such changes); and (4) you have disclosed to us any significant assumptions or interpretations underlying the measurement or presentation of the schedule of expenditures of federal awards.

Management is responsible for providing us with a written confirmation concerning representations made by you and your staff to us in connection with the audit and the presentation of the basic financial statements and RSI. During our engagement, we will request information and explanations from you regarding, among other matters, the entity’s activities, internal control, future plans, specific transactions, and accounting systems and procedures. The procedures we will perform during our engagement and the conclusions we reach as a basis for our report will be heavily influenced by the representations that we receive in the representation letter and otherwise from you. Accordingly, inaccurate, incomplete, or false representations could cause us to expend unnecessary effort or could cause a material fraud or error to go undetected by our procedures. In view of the foregoing, you agree that we shall not be responsible for any misstatements in the entity’s financial statements that we may fail to detect as a result of misrepresentations made to us by you.

Management is responsible for establishing and maintaining a process for tracking the status of audit findings and recommendations. Management is also responsible for identifying and providing report copies to us of previous financial audits, attestation engagements, performance audits, or other studies related to the objectives discussed in the “Audit objectives” section of this letter. This responsibility includes relaying to us corrective actions taken to address significant findings and recommendations resulting from those audits, attestation engagements, performance audits, or other engagements or studies. You are also responsible for providing management’s views on our current findings, conclusions, and recommendations, as well as your planned corrective actions for the report, and for the timing and format for providing that information.

Page 161 of 229

DRAFT

February 23, 2022 University System of New Hampshire Page 8

Responsibilities and limitations related to nonaudit services

For all nonaudit services we may provide to you, management agrees to assume all management responsibilities; oversee the services by designating an individual, preferably within senior management, who possesses suitable skill, knowledge, and/or experience to understand and oversee the services; evaluate the adequacy and results of the services; and accept responsibility for the results of the services. Management is also responsible for ensuring that your data and records are complete and that you have received sufficient information to oversee the services.

The responsibilities and limitations related to the nonaudit services performed as part of this engagement are as follows:

• We may assist, as needed, with the preparation of a draft of your financial statements, schedule of expenditures of federal awards, and related notes in conformity with U.S. GAAP and the Uniform Guidance based on information provided by you. Since the preparation and fair presentation of the financial statements and schedule of expenditures of federal awards are your responsibility, you will be required to acknowledge in the representation letter our assistance with preparation of the financial statements and schedule of expenditures of federal awards, and that you have reviewed and approved the financial statements, schedule of expenditures of federal awards, and related notes prior to their issuance and have accepted responsibility for them. You have a responsibility to be in a position in fact and appearance to make an informed judgment on those financial statements and schedule of expenditures of federal awards.

• We will propose adjusting journal entries as needed. You will be required to review and approve those entries and to understand the nature of the changes and their impact on the financial statements.

These nonaudit services do not constitute an audit under Government Auditing Standards and such services will not be conducted in accordance with Government Auditing Standards.

Use of financial statements

The financial statements and our report thereon are for management’s use. If you intend to reproduce and publish the financial statements and our report thereon, they must be reproduced in their entirety. Inclusion of the audited financial statements in a document, such as an annual report or an offering document, should be done only with our prior approval of the document. You are responsible to provide us the opportunity to review such documents before issuance.

If the parties (i.e., you and CLA) agree that CLA will not be involved with your official statements related to municipal securities filings or other offering documents, we will require that any official statements or other offering documents issued by you with which we are not involved clearly indicate that CLA is not involved with the contents of such documents. Such disclosure should read as follows:

CliftonLarsonAllen LLP, our independent auditor, has not been engaged to perform and has not performed, since the date of its report included herein, any procedures on the financial statements addressed in that report. CliftonLarsonAllen LLP also has not performed any procedures relating to this offering document.

Should you decide to include or incorporate by reference these financial statements and our auditors’ report(s) thereon in a future private placement or other offering of equity or debt securities, you agree that we are under no obligation to re-issue our report or provide consent for the use of our report in such a registration or offering document. We will determine, at our sole discretion, whether we will re-issue our report or provide consent for the use of our report only after we have performed the procedures we consider necessary in the circumstances. If we decide to re-issue our report or consent to the use of our report, we will be required to perform certain procedures including, but not limited to, (a) reading other information incorporated by reference in the registration statement or other offering document and (b) subsequent event procedures. These procedures will be considered an engagement separate and distinct from our audit engagement, and we will bill you separately. If we decide to re-issue our report or consent to the use of our report, you agree that we will be included on each distribution of draft offering materials and we will receive a complete set of final documents. If we decide not to re-issue our report or decide to withhold our consent to the use of our report, you may be required to engage another firm to audit periods covered by our audit reports, and that firm will likely bill you for its services. While the successor auditor may request access to our workpapers for those periods, we are under no obligation to permit such access.

With regard to the electronic dissemination of audited financial statements, including financial statements published electronically on your website or submitted on a regulator website, you understand that electronic sites are a means to distribute information and, therefore, we are not required to read the information contained in those sites or to consider the consistency of other information in the electronic site with the original document.

We may issue preliminary draft financial statements to you for your review. Any preliminary draft financial statements should not be relied on or distributed.

Engagement administration and other matters

We understand that your employees will prepare all confirmations, account analyses, and audit schedules we request and will locate any documents or invoices selected by us for testing. A list of information we expect to need for our audit and the dates required will be provided in a separate communication.

At the conclusion of the engagement, we will complete the auditor sections of the electronic Data Collection Form SF-SAC and perform the steps to certify the Form SF-SAC and single audit reporting package. It is management’s responsibility to complete the auditee sections of the Data Collection Form. We will create the single audit reporting package PDF file for submission; however, it is management’s responsibility to review for completeness and accuracy and electronically submit the reporting package (including financial statements, schedule of expenditures of federal awards, summary schedule of prior audit findings, auditors’ reports, and corrective action plan) along with the Data Collection Form to the federal audit clearinghouse and, if appropriate, to pass-through entities. The Data Collection Form and the reporting package must be electronically submitted within the earlier of 30 calendar days after receipt of the auditors’ reports or nine months after the end of the audit period.

We will provide copies of our reports to the entity; however, management is responsible for distribution of the reports and the financial statements. Unless restricted by law or regulation, or containing confidential or sensitive information, copies of our reports are to be made available for public inspection.

The audit documentation for this engagement is the sole and exclusive property of CLA and constitutes confidential and proprietary information. However, subject to applicable laws and regulations, audit documentation and appropriate individuals will be made available upon request and in a timely manner to the U.S. Department of Education, or its designee, a federal agency providing direct or indirect funding, or the U.S. Government Accountability Office for purposes of a quality review of the audit, to resolve audit findings, or to carry out oversight responsibilities. We will notify you of any such request. If requested, access to such audit documentation will be provided under the supervision of CLA personnel. Furthermore, upon request, we may provide copies of selected audit documentation to the aforementioned parties. These parties may intend, or decide, to distribute the copies or information contained therein to others, including other governmental agencies.

The audit documentation for this engagement will be retained for a minimum of seven years after the report release date or for any additional period requested by the U.S. Department of Education. If we are aware that a federal awarding agency, pass-through entity, or auditee is contesting an audit finding, we will contact the party(ies) contesting the audit finding for guidance prior to destroying the audit documentation.

Except as permitted by the “Consent” section of this agreement, CLA will not disclose any confidential, proprietary, or privileged information of the entity to any persons without the authorization of entity management or unless required by law. This confidentiality provision does not prohibit us from disclosing your information to one or more of our affiliated companies in order to provide services that you have requested from us or from any such affiliated company. Any such affiliated company shall be subject to the same restrictions on the use and disclosure of your information as apply to us.

Professional standards require us to be independent with respect to you in the performance of these services. Any discussion that you have with our personnel regarding potential employment with you could impair our independence with respect to this engagement. Therefore, we request that you inform us prior to any such discussions so that we can implement appropriate safeguards to maintain our independence and objectivity. Further, any employment offers to any staff members working on this engagement without our prior knowledge may require substantial additional procedures to ensure our independence. You will be responsible for any additional costs incurred to perform these procedures.

Our relationship with you is limited to that described in this letter. As such, you understand and agree that we are acting solely as independent accountants. We are not acting in any way as a fiduciary or assuming any fiduciary responsibilities for you. We are not responsible for the preparation of any report to any governmental agency, or any other form, return, or report or for providing advice or any other service not specifically recited in this letter.

Our engagement ends on delivery of our signed report. Any additional services that might be requested will be a separate, new engagement. The terms and conditions of that new engagement will be governed by a new, specific engagement letter for that service.

Government Auditing Standards require that we make our most recent external peer review report publicly available. The report is posted on our website at www.CLAconnect.com/Aboutus/.

Mediation

Any disagreement, controversy, or claim (“Dispute”) that may arise out of any aspect of our services or relationship with you, including this engagement, shall be submitted to non-binding mediation by written notice (“Mediation Notice”) to the other party. In mediation, we will work with you to resolve any differences voluntarily with the aid of an impartial mediator.

The mediation will be conducted as specified by the mediator and agreed upon by the parties. The parties agree to discuss their differences in good faith and to attempt, with the assistance of the mediator, to reach an amicable resolution of the Dispute.

Each party will bear its own costs in the mediation. The fees and expenses of the mediator will be shared equally by the parties.

Any Dispute will be governed by the laws of the state of New Hampshire, without giving effect to choice of law principles.

Time limitation

The nature of our services makes it difficult, with the passage of time, to gather and present evidence that fully and fairly establishes the facts underlying any Dispute that may arise between the parties. The parties agree that, notwithstanding any statute or law of limitations that might otherwise apply to a Dispute, including one arising out of this agreement or the services performed under this agreement, for breach of contract or fiduciary duty, tort, fraud, misrepresentation or any other cause of action or remedy, any action or legal proceeding by you against us must be commenced within twenty-four (24) months (“Limitation Period”) after the date when we deliver our final audit report under this agreement to you, regardless of whether we do other services for you relating to the audit report, or you shall be forever barred from commencing a lawsuit or obtaining any legal or equitable relief or recovery.

The Limitation Period applies and begins to run even if you have not suffered any damage or loss, or have not become aware of the existence or possible existence of a Dispute.

Fees

We estimate that our professional fees for these services will be $206,270 for the financial statement audit and $65,822 for the uniform guidance report. These fees were presented in our Proposal and Fee submission dated January 10, 2020 which includes our technology and client support fee of five percent (5%) of all professional fees billed. Our invoices, including applicable state and local taxes, will be rendered based on the percentage of completion (every 20%) as work progresses and are payable net 30 days. In accordance with our firm policies, work may be suspended if your account becomes 60 days or more overdue and will not be resumed until your account is paid in full. If we elect to terminate our services for nonpayment, our engagement will be deemed to have been completed even if we have not issued our reports. You will be obligated to compensate us for all time expended and related fees and to reimburse us for all out-of-pocket expenditures through the date of termination.

Unanticipated services

We do not anticipate encountering the need to perform additional services beyond those described in this letter. Below are listings of services considered to be outside the scope of our engagement. If any such service needs to be completed before the audit can proceed in an efficient manner, we will determine whether we can provide the service and maintain our independence. If appropriate, we will notify you and provide a fair and reasonable price for providing the service. We will bill you for the service at periodic dates after the additional service has been performed.

Bookkeeping services

Bookkeeping services are not audit services. Bookkeeping services include the following activities:

• Preparation of a trial balance

• Account reconciliations

• Bank statement reconciliations

• Capital asset accounting (e.g., calculating depreciation, identify capital assets for additions and deletions)

• Calculating accruals

• Analyzing transactions for proper recording

• Converting cash basis accounting records to accrual basis

• Preparation of financial statements and the related notes to the financial statements

• Processing immaterial adjustments through the financial statements

• Adjusting the financial statements for new activities and new disclosures

Additional work resulting from unanticipated changes in your organization or accounting records

If your organization undergoes significant changes in key personnel, accounting systems, and/or internal control, we are required to update our audit documentation and audit plan. The following are examples of situations that will require additional audit work:

• Revising documentation of your internal control for changes resulting from your implementation of new information systems

• Deterioration in the quality of the entity’s accounting records during the current-year engagement in comparison to the prior-year engagement

• Significant new accounting issues

• Significant changes in your volume of business

• Mergers, acquisitions, or other business combinations

• New or unusual transactions

• Changes in audit scope or requirements resulting from changes in your activities

• Erroneous or incomplete accounting records

• Evidence of material weaknesses or significant deficiencies in internal control

• Substantial increases in the number or significance of problem loans

• Regulatory examination matters

• Implementation or adoption of new or existing accounting, reporting, regulatory, or tax requirements

• New financial statement disclosures

Changes in engagement timing and assistance by your personnel

The fee estimate is based on anticipated cooperation from your personnel and their assistance with timely preparation of confirmations and requested schedules. If the requested items are not available on the dates required or are not accurate, we will advise management. Additional time and costs may be necessary because of such unanticipated delays. Examples of situations that may cause our estimated fee to increase include:

• Significant delays in responding to our requests for information such as reconciling variances or providing requested supporting documentation (e.g., invoices, contracts, and other documents)

• Rescheduling our fieldwork

• Schedule disruption caused by litigation, financial challenges (going concern), loan covenants (waivers), etc.

• Identifying a significant number of proposed audit adjustments

• Schedules prepared by your personnel that do not reconcile to the general ledger

• Numerous revisions to information and schedules provided by your personnel

• Restating financial statements for accounting errors in the prior year

• Lack of availability of entity personnel during audit fieldwork

Changes in accounting and audit standards

Standard setters and regulators continue to evaluate and modify standards. Such changes may result in new or revised financial reporting and disclosure requirements or expand the nature, timing, and scope of the activities we are required to perform. To the extent that the amount of time required to provide the services described in this letter increases due to such changes, our fee may need to be adjusted. We will discuss such circumstances with you prior to performing the additional work.

Changes related to COVID-19

COVID-19 continues to have significant direct and indirect impacts on financial reporting, disclosure requirements, and the nature, timing, and scope of the activities we are required to perform. To the extent that the amount of time required to provide the services described in this letter increases due to such changes, our fee may need to be adjusted. We will discuss such circumstances with you prior to performing the additional work.

Other fees

You also agree to compensate us for any time and expenses, including time and expenses of legal counsel, we may incur in responding to discovery requests or participating as a witness or otherwise in any legal, regulatory, or other proceedings that we are asked to respond to on your behalf.

Finance charges and collection expenses

You agree that if any statement is not paid within 30 days from its billing date, the unpaid balance shall accrue interest at the monthly rate of one and one-quarter percent (1.25%), which is an annual percentage rate of 15%. In the event that any collection action is required to collect unpaid balances due us, reasonable attorney fees and expenses shall be recoverable.

Consent

Consent to use information for benchmarking analysis

In an effort to better serve the needs of our clients, we develop a variety of benchmark, performance indicator, and predictive analysis reports, using anonymized client data obtained from our audit, tax, and other engagements. Business and financial information that you provide to us may be combined with information from other clients and included within the aggregated data that we use in these reports. While some of these analytical reports will be published and released publicly, please be assured that the separate information that we obtain from you will remain confidential, as required by the AICPA Code of Professional Conduct.

Subcontractors

CLA may, at times, use subcontractors to perform services under this agreement, and they may have access to your information and records. Any such subcontractors will be subject to the same restrictions on the use of such information and records as apply to CLA under this agreement.

Agreement

We appreciate the opportunity to be of service to you and believe this letter accurately summarizes the significant terms of our engagement. This letter constitutes the entire agreement regarding these services and supersedes all prior agreements (whether oral or written), understandings, negotiations, and discussions between you and CLA. If you have any questions, please let us know. Please sign, date, and return this letter to us to indicate your acknowledgment and understanding of, and agreement with, the arrangements for our audit of your financial statements including the terms of our engagement and the parties’ respective responsibilities.

Sincerely,

CliftonLarsonAllen LLP

Andrew Lee, CPA Brenda Scherer, CPA Principal Signing Director 267-419-1122 [email protected] [email protected]

Response: This letter correctly sets forth the understanding of the University System of New Hampshire.

Authorized governance signature:

Title:

Date:

Authorized management signature:

Title:

Date:

UNIVERSITY SYSTEM OF NEW HAMPSHIRE BOARD OF TRUSTEES

Audit Committee

Motion Sheet

University System of New Hampshire

To: Audit Committee

Re: Approve CY2022 Internal Audit Plan/Review Internal Audit 2021 Annual Report

PROPOSED MOTION

MOVED, on recommendation of the Chief Administrative Officer, that the proposed Internal Audit Plan for CY2022 be approved.

SUMMARY OF PROPOSED ACTION

The motion calls for approval of the CY2022 Internal Audit Plan.

RATIONALE FOR PROPOSED ACTION

The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Florida. The IIA is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator. The IIA provides a framework for performing internal auditing through the publication of the International Standards for the Professional Practice of Internal Auditing. It is considered industry best practice to comply with the IIA standards. Standard 2020 requires that the Director of Internal Audit communicate the internal audit plan to the board for review and approval. In order to comply with the above-mentioned IIA standards, the Director of Internal Audit is presenting the 2022 Audit Plan to the Audit Committee.

PREVIOUS REVIEWS AND APPROVALS

The plan incorporates feedback from campuses and system office. Shared the audit plan with FINEC on February 3, 2022.

RELEVANT GOVERNANCE DOCUMENTS, POLICIES, AND PRACTICES

The USNH’s policy on Internal Audit (BOT.IV.C) requires that the Board of Trustees' Audit Committee has the responsibility for reviewing the activities of the Internal Audit Department.

RESOURCE IMPLICATIONS

None

RISK MANAGEMENT CONSIDERATIONS

None

SUBSEQUENT ACTION REQUIRED

None

ATTACHED MATERIALS – SUMMARY AND SALIENT INFORMATION

The CY2022 Internal Audit Plan and Internal Audit 2021 Annual Report are enclosed.

SUBMITTED AND APPROVED BY:

Catherine A. Provencher
Chief Administrative Officer and Vice Chancellor for Financial Affairs

Date Prepared: February 22, 2022
For the Meeting of: March 3, 2022

-- End of Motion Sheet --

© 2021 University System of New Hampshire. All rights reserved.

Internal Audit Department Annual Report 2021

March 3, 2022

Report Sections

• Internal Audit Plan CY2022
• Department Resources
• CY2021 Audits And Department Activities
• Summaries of Advisory Reports
• Current Year Initiatives

CY2022 Internal Audit Plan

| Responsible Operation | Audit Name |
|---|---|
| KSC | Cash Carrying and Depositing |
| KSC | Special One-time Payments to Employees |
| KSC | Registrar Data Security Review |
| PSU | Employee Onboarding and Off boarding |
| PSU | Cash Carrying and Depositing |
| UNH | Registrar Data Security Review |
| UNH | Cash Carrying and Depositing Audit – Concessions, Dining, Advancement, Student Accounts |
| UNH | Active Directory |
| UNH | Human Resources Data Security Review |
| System wide | Internal Communications (Advisory) |
| System wide | eProcurement (UShopNH) |
| System wide | Accounts Receivable |
| System wide | Personally Identifiable Information |
| System wide | ERP Implementation (Advisory) |
| System wide | Cybersecurity Assessment (Outsource) |
| System wide | Investigations and Special Projects (as needed) |
| System wide | Continuous monitoring |
| System wide | Construction Cost Review (Outsource) |
| System wide | Follow-up on previous audit recommendations |

Motion

MOVED, on recommendation of the Chief Administrative Officer, that the proposed Internal Audit Plan for CY22 be approved.

IA Organization Chart

[Figure: organization chart. Box labels: Audit Committee of the USNH Board of Trustees; Chief Administrative Officer; Director of Internal Audit; IT Audit Manager; Audit Manager; Integrated Auditor; Senior Internal Auditor/Data Analyst; Co-Sourcing/Specialists; Construction out-source/co-source; Not posted.]

Budget FY2022

Total Adjusted Budget for FY2022: $584,000

| Budget - Personnel | Amount (in ‘000 $) |
|---|---|
| Salaries | 358 |
| Benefits | 137 |
| Professional Services | 65 |
| Subtotal Personnel | 560 |

| Budget - Operating | Amount (in ‘000 $) |
|---|---|
| Training and travel | 7 |
| Software and licenses | 15 |
| Membership dues & fees | 2 |
| Subtotal Operating | 24 |

Internal Audit Staff

• Director: Ashish Jain, CIA, CISA, CA, ACDA (CPA-licensed in Massachusetts)
• Audit Manager: Yasmin Clark (CPA-licensed in Massachusetts)
• Senior Auditor: Christine Heise, CPA

Qualifications

• All have bachelor’s degrees
• Two have master’s degrees
• All have at least one professional certification
• Audit experience ranges from 8-23 years

Internal Audit Staff Profiles

Ashish Jain
Director

Ashish Jain holds a Master of Science in Accountancy from Bentley University and Bachelor of Commerce from Panjab University, India. Ashish joined the University System in April 2016. He was previously the Associate Director for Internal Audit at Boston College. Additional prior experience includes working at Massachusetts Institute of Technology and PricewaterhouseCoopers, LLP. Ashish maintains professional certifications as a Certified Public Accountant in Massachusetts, a Certified Internal Auditor, and a Certified Information Systems Auditor. He holds a certification as ACL™ Certified Data Analyst (ACDA).

Yasmin Clark
Internal Audit Manager

Yasmin Clark graduated from Oglethorpe University in Atlanta, GA, magna cum laude, in 2006 with a Bachelor’s degree in Accounting. Prior to joining the University System in September 2016, she had 10 years of experience in auditing at PricewaterhouseCoopers, LLP, where she specialized in the valuation of Investments for public and private Funds and in the area of Employee Benefit Plans. Yasmin maintains professional certifications as a Certified Public Accountant in Massachusetts.

Christine Heise, CPA
Senior Auditor

Christine Heise graduated magna cum laude with her Bachelor’s degree in Business Administration, Accounting from the University of New Hampshire and summa cum laude with her Master’s degree in Business Administration from Plymouth State University. Christine has 8 years of auditing experience, including higher education sponsored research and compliance. Christine is also an active CPA in the State of New Hampshire.

Internal Audit 2021 Planned Vs Actual

*Status Key: C = Completed; D = Deferred; IP = Fieldwork In Process

2021 Planned Audit

| Responsible Operation | Audit Name | Status* |
|---|---|---|
| GSC | Student Identity and Financial Verification Process | C |
| KSC | Student Billing | IP |
| KSC | Admissions Data Security Review | C |
| PSU | Cash Carrying and Depositing | D |
| PSU | Financial Aid Data Security Review | C |
| UNH | Registrar Data Security Review | D |
| UNH | Undergraduate Admissions Data Security Review | C |
| UNH | Student Grades | C |
| UNH | Financial Aid Data Verification Process | IP |
| UNH | Accounts Receivable | D |
| UNH | National Transit Database (NTD) Audit Procedures (Outsourced) | C |
| UNH | Spaulding Hall Project – Cost Review (Outsourced) | IP |
| System wide | Oracle Databases | D |
| System wide | Personally Identifiable Information | D |
| System wide | Stimulus Funds | D |
| System wide | FAR Project - Advisory | C |
| System wide | Banner Finance and HR Security | D |

Other Projects Not on the Audit Plan

| Responsible Operation | Project Name | Status* |
|---|---|---|
| PSU | Grants Continuous Monitoring | C |
| UNH | Athletics Cash Carrying and Depositing | IP |
| UNH | Garage Inventory | C |
| System Wide | Red Flag Rule Compliance - Identity Theft Prevention Program Advisory | C |

2020 Audits Completed in CY2021

| Responsible Operation | Project Name | Status* |
|---|---|---|
| PSU | Student Billing | C |
| UNH | Mandatory Fees | C |
| System Wide | Disbursement and Purchasing Card Transactions Match (Data Analytics) | C |

Department Activities CY2021

• Risk based audit plan and scope
• Advisory services and consultations
• Data security assessments in business areas
• Construction cost review
• Data analysis and continuous monitoring
  – Provided management with reports in the area of procurement card and sponsored research
• Maintained anonymous reporting Ethics and Compliance Hotline
• ERM reporting and coordination
• Participation in USNH EHS Council (ex-officio)
• Coordinated GLBA Compliance Program changes
• Participation in GLBA Committee (ex-officio)
• Secondary review of conflict-of-interest disclosures by Trustees and Executive Officers
• Coordinated proposals for GASB 87 and 96 implementation assistance
• Senior Auditor co-presented at ACUA annual conference and co-authored paper on data acquisition, preparation, and validation
• Active involvement in professional organizations
  – ACUA and Institute of Internal Auditors memberships for staff
  – Ivy Plus user groups (CAEs, IT auditors, data analytics, direct reports)
  – ACUA user group on data analytics
  – New England Audit Directors

Summaries of 2021 Advisory Services

Internal Audit provides advice and limited consultation services informally to USNH employees upon request, and more formally in written advisories as a result of planned consultation projects or to supplement formal audit reports. The following represent the more significant areas of consultation for USNH internal auditors in 2021.

USNH Identity Theft Prevention Program Advisory – A written advisory was issued to USNH Chief Information Officer and USNH Chief Administrative Officer and Vice Chancellor for Financial Affairs and Treasurer to enhance controls to comply with the Federal Trade Commission’s (FTC) Red Flag Rule. We recommended that the USNH Identity Theft Prevention Program should be revised, communicated, and implemented. In addition, we recommended that management should periodically review and update the Program and associated USNH policies and procedures for changes in USNH organizational structure and compliance with Red Flag Rules requirements.

FAR Project – Participated in FAR related gaps and challenges discussion and provided informal input related to resolutions.

PSU Grants Continuous Monitoring – Internal Audit collaborated with UNH Support Team for the Administration of Research (STAR) to add Plymouth State University’s transactions to identify high-risk grant activity for follow-up. STAR staff should use these monitoring reports to review identified transactions for compliance with Uniform Guidance, sponsor requirements, and institutional policies.

Internal Audit’s 2022 Initiatives

• Red Flag Rule compliance coordination

• Coordinate revisions in GLBA Compliance Program to accommodate new requirements

• Select consultant to perform construction cost reviews

• Grants continuous monitoring reports for KSC

APPENDIX


January 20, 2022

GLBA Safeguards Rule Amendments Become Effective — December 2022 Compliance Countdown for Key Provisions Begins

Christopher Capurso, James Stevens, Alan Wingfield

Troutman Pepper

On January 10, the Federal Trade Commission’s final rule, amending the Standards for Safeguarding Customer Information (Safeguards Rule) under the Gramm-Leach-Bliley Act (GLBA), became effective. We wrote about the final rule when it first published in October 2021 (see here). As a practical matter, the amendments will likely require many financial institutions to revisit and revise their policies and procedures, including, for example, in the areas of risk assessments, vendor oversight, and incident response plans.

To refresh, the final rule, among other things:

• Expands the definition of “financial institution” to include entities engaged in activities the Federal Reserve Board determines to be incidental to financial activities, which notably brings “finders” — companies that bring together buyers and sellers of a product or service — within the Safeguards Rule’s scope.

• Adds provisions designed to improve the accountability of financial institutions’ information security programs, such as by requiring (1) designation of a specific qualified individual responsible for overseeing and implementing the information security program, (2) risk assessments, and (3) periodic reports to boards of directors or governing bodies.

• Adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as (1) encryption of customer information over external networks and at rest, (2) multifactor authentication, and (3) secure disposal of customer information; and

• Exempts financial institutions that collect customer information from fewer than 5,000 consumers from certain requirements.

While the amended Safeguards Rule became effective on January 10, the following provisions do not become effective until December 9, 2022:

• The requirement to designate a qualified individual;

• The specific requirements for written risk assessments (please note that the requirement to perform risk assessments is effective now — only the criteria mandated by the final rule are not yet effective);

• The specific requirements related to implementation of safeguards based on risk assessments, which include the provisions on encryption and multifactor authentication;

• The requirement that “information systems” undergo continuous monitoring or periodic penetration testing and vulnerability assessments;

• Training and operational requirements for security personnel;

• The requirement to perform periodic assessments of service providers;

• The requirement to establish a written incident response plan to respond to and recover from security events materially affecting the confidentiality, integrity, or availability of customer information; and

• The requirement that the qualified individual’s periodic reports be given in writing, regularly and at least annually, to the board of directors.

As noted above, the breadth of parties considered to be “financial institutions” subject to the Safeguards Rule has become broader. Among others, entities are subject to the Safeguards Rule if they engage in the following:

• Traditional banking functions;

• Making, acquiring, brokering, or servicing loans or other extensions of credit;

• Real estate and personal property appraising;

• Collection agency services;

• Credit bureau services;


• Asset management, servicing, and collection activities;

• Leasing personal or real property;

• Real estate settlement servicing; and

• Bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate.

Affected entities should be proactive in implementing the significant operational requirements of the revised Safeguards Rule. The requirements are not light lifts, and the countdown clock to compliance is ticking.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper 2022 | Attorney Advertising


UNIVERSITY SYSTEM OF NEW HAMPSHIRE BOARD OF TRUSTEES

Audit Committee

Information Item

Supporting Materials Summary Sheet

University System of New Hampshire

To: Audit Committee

Re: Internal Audit Charter (attached) – For Information, No Action Required

SUPPORTING MATERIALS (attached) – SUMMARY AND SALIENT INFORMATION

The Audit Committee has the responsibility to review and assess the adequacy of the Internal Audit Charter on an annual basis and recommend any changes to the Board. The Internal Audit Charter was last revised in April 2017. No changes to the Internal Audit Charter are recommended by USNH staff at this time.

SUBMITTED AND APPROVED BY:

Catherine A. Provencher
Chief Administrative Officer and Vice Chancellor for Financial Affairs & Treasurer

Date Prepared: February 16, 2022

For the Meeting of: March 3, 2022

-- End of Summary Sheet --


12/9/21, 3:09 PM C. Internal Audit | University System of New Hampshire

https://www.usnh.edu/policy/bot/iv-financial-policies/c-internal-audit 1/4

C. Internal Audit

(Note: OLPM sections on this page may be cited following the format of, for example, "BOT.IV.C.1". These policies may be amended at any time, do not constitute an employment contract, and are provided here only for ease of reference and without any warranty of accuracy. See OLPM Main Menu for details.)

1. Internal Audit Department Mission (Purpose)

1.1 The USNH Internal Audit Department is an objective assurance and consulting activity designed to provide the Board of Trustees and management with appraisal of the adequacy of, compliance with, and improvement for existing internal controls. The Internal Audit Department helps the USNH accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes through both audits and consulting services.

2. Internal Audit Function

2.1 The internal auditing function is an objective appraisal activity within the USNH's overall organizational structure. The Internal Audit Department is specifically authorized and directed to:

2.1.1 Have full, free and unrestricted access, consistent with all applicable laws, to all USNH functions, files, records, property and personnel. All employees are requested to assist Internal Audit activity in fulfilling its roles and responsibilities. Internal Audit will also have free and unrestricted access to the Board through its Audit Committee.

2.1.2 Determine whether management's policies, procedures and instructions are followed in a manner consistent with USNH's objectives.

2.1.3 Evaluate any matter that comes to its attention that, in the judgment of the Internal Audit Director, would require a change in policy, procedure, or instruction in order to safeguard USNH assets.

2.1.4 Issue reports to members of management who should be informed or who should take appropriate action, showing the results of the internal audit review and offering recommendations for required improvements. The Internal Audit Director will ensure that all formal audit reports are delivered to each member of the Audit Committee of the Board of Trustees.

2.1.5 Obtain and evaluate plans or actions taken to implement audit recommendations from internal or external auditors and recommend further plans or actions if appropriate.

2.1.6 Review and document the adequacy of internal controls of areas under review.

3. Independence and Objectivity

3.1 The internal audit activity will remain free from interference by any element in the organization, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and objective mental attitude.

3.2 Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair internal auditor’s judgment.

3.3 Internal auditors will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors will make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.

4. Professionalism and Standards of Internal Audit Practice

4.1 The internal auditing department strives to comply with the International Standards for the Professional Practice of Internal Auditing of The Institute of Internal Auditors.

4.2 The Institute of Internal Auditors' Practice Advisories, Practice Guides, and Position Papers will also be adhered to as applicable to guide operations. In addition, the internal audit activity will adhere to USNH’s relevant policies and procedures and the internal audit activity's standard operating procedures.

5. Internal Audit Operations

5.1 The Internal Audit Director will prepare a proposed audit budget for the next year. The audit budget will outline the scope and objectives of audit programs, projects and other activities, and resources necessary to perform them. The Audit Committee will approve the audit budget and will have overall responsibility for oversight of the performance of internal audit activities. The Chancellor's Office is responsible for providing the Internal Audit Department with adequate resources to perform the scope of its responsibilities. The Chancellor, through the Vice Chancellor for Financial Affairs, will provide administrative oversight for the performance of the Internal Audit Department.

6. Quality Assurance Program

6.1 Internal Audit will strive to maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.

7. Audit Committee Function

7.1 The Board of Trustees' Audit Committee has the responsibility for reviewing the activities of the Internal Audit Department to make certain it operates in accordance with this policy.

8. Audit Committee Operations

8.1 The Audit Committee will meet with USNH management, the Internal Audit Director and the external auditors at least three times per year and fulfill the duties and responsibilities of the Audit Committee of the Board as outlined in the Audit Committee Charter, Appendix 9 in the Board of Trustees On Line Policy Manual and provide the Board with a report of each meeting.

This page last updated Wednesday, April 26, 2017. For information on the adoption and effective dates of policies please see explanation on the OLPM Main Menu.

UNIVERSITY SYSTEM OF NEW HAMPSHIRE BOARD OF TRUSTEES

Audit Committee

Information Item

Supporting Materials Summary Sheet

University System of New Hampshire

To: Audit Committee

Re: Outstanding Audit Issues (as of December 31, 2021) – For Information, No Action Required

SUPPORTING MATERIALS (attached) – SUMMARY AND SALIENT INFORMATION

The list of outstanding audit issues (as of December 31, 2021) includes all significant open issues from past audit reports and those that were closed since the report was last distributed to the Audit Committee. It is updated semi-annually for follow-up and control monitoring purposes. Of 89 action plans currently being tracked, 22 are from internal audit reports issued since the last semi-annual update and six have been reported by management as resolved. The remaining 61 action plans are in process, much improved, on hold, and/or management has accepted the residual risk.

SUBMITTED AND APPROVED BY:

Catherine A. Provencher
Chief Administrative Officer and Vice Chancellor for Financial Affairs & Treasurer

Date Prepared: February 21, 2022

For the Meeting of: March 3, 2022

-- End of Summary Sheet --

OUTSTANDING AUDIT ISSUES MONITORING MATRIX as of 12/22/2021

# 1 | Originally Reported: 2021 | Entity: GSC | Audit: Student Identity and Financial Verification

Risk/Control Issue: Enhance compliance with Title IV federal financial aid requirements

Original Target Date: Jan-22 | Revised Target Date: Jan-22 | Status: In Process 11/21

Action Plan & Responsible Party:

(1) Information on the Administrative Failure (AF) and Failure (F) grade difference was reviewed at the Fall Undergraduate Faculty Meeting (includes adjunct faculty) on October 19, 2021.

(2) Targeted outreach to faculty teaching in high enrolled, high frequency courses will be conducted during fall term, prior to the end of term grade deadline. These courses typically have higher D/F/W/AF grade rates and often include first-time students. Work to be completed by November 30, 2021.

(3) Academic Affairs will review other institutions’ policies on attendance, participation, and AF grade definition as part of our review of academic policies that will be taking place during merger working groups. Work to be completed by May 31, 2022.

(4) Financial Aid will review current practices related to the review of HS transcripts. The federal verification rules are changing with regards to the review of high school transcripts. We will review the new guidance and adjust our practices. Work to be completed by November 30, 2021.

(5) The Financial Aid Office will enhance current protocols for selecting and documenting students for verification. Work to be completed by January 31, 2022.

(6) The Financial Aid Office will work with Academic Affairs to review course activity for the identified students to determine if academic requirements were met and adjust financial aid, as appropriate. Work to be completed by November 12, 2021.

(7) The Financial Aid Office verified the authenticity of the High School transcripts identified as potentially problematic during this audit. The two students in question completed High School. Work completed on November 1, 2021.

(8) The Financial Aid Office already devotes much effort to the review of documents but will increase scrutiny on required documents, develop additional follow up procedures for instances of potential conflicting information, and train responsible staff. Work to be completed by November 30, 2021.

(9) The Admissions Operations Office is reviewing the possibility of adding academic purpose questions to the admissions application. Work to be completed by January 31, 2022.

(10) In response to this audit, the Admissions Operations Office created a report to search for duplicate IP addresses used to submit the admissions application. The office is developing a procedure to review IP address over the past year to identify any duplicates and will develop a policy to determine if students should be accepted. Currently, when a student or group of students presents with a red flag during admissions, they ask for additional identity verification documents. Work completed in October 2021.

(11) The Financial Aid Office will develop formal protocols to report suspected fraud to the Department of Education Inspector General’s Office. Work to be completed by December 31, 2021.

(12) The Student Accounts Office will develop a report to search for duplicate bank account information on the student record. Work to be completed by November 30, 2021.

(13) The Financial Aid Office will explore the possibility of dividing disbursement of aid into multiple disbursement dates. Work to be completed by November 30, 2021.

MGT. EXPLANATION & RESOLUTION PLAN @ 11/16/2021: NEW

# 2 | Originally Reported: 2021 | Entity: GSC | Audit: Student Identity and Financial Verification

Risk/Control Issue: Enhance student refund processing protocols

Original Target Date: Dec-21 | Revised Target Date: Dec-21 | Status: In Process 11/21

Action Plan & Responsible Party:

(1) The Student Accounts Office is reviewing the refund process to develop controls over the process and ensure that no one person is able to adjust addresses and disburse funds. Work to be completed by December 31, 2021.

(2) The Director of Student Financial Services will review and remove staff modify access to Banner Form GXADIRD. If access levels can not be adjusted, GSC will develop a process to review and approve student bank account changes processed by GSC. Work to be completed by November 30, 2021.

(3) The Student Accounts Office will review current workflows for the advance book fund payments to students and explore the possibility of controls over the process. Work to be completed by December 31, 2021.

(4) The Student Accounts Office will review refund process to determine potential controls over payee changes. Payee changes are needed when issuing refunds to 3rd party or to parents in the case of PLUS loans. Work to be completed by December 31, 2021.

MGT. EXPLANATION & RESOLUTION PLAN @ 11/16/2021: NEW

# 3 | Originally Reported: 2021 | Entity: GSC | Audit: Student Identity and Financial Verification

Risk/Control Issue: Enhance GSC student account policies and procedures

Original Target Date: Jan-22 | Revised Target Date: Jan-22 | Status: In Process 11/21

Action Plan & Responsible Party:

(1) The Student Accounts Office will conduct a review to determine areas where Red Flags may occur.

(2) The Student Accounts Office will review the USNH Identity Theft Prevention Program and update GSC policies.

(3) The Student Accounts Office will develop training for staff working in areas where Red Flag Rules apply.

MGT. EXPLANATION & RESOLUTION PLAN @ 11/16/2021: NEW

# 4 | Originally Reported: 2021 | Entity: GSC | Audit: Student Identity and Financial Verification

Risk/Control Issue: Enhance WebRock account setup and security protocols

Original Target Date: Jan-22 | Revised Target Date: Jan-22 | Status: In Process 11/21

Action Plan & Responsible Party:

(1) Multi-factor authentication is being considered for WebRock.

(2) The WebRock set up process will be reviewed to determine the time available for a student to set up the account and if identity can be validated during the setup.

MGT. EXPLANATION & RESOLUTION PLAN @ 11/16/2021: NEW

# 5 | Originally Reported: 2021 | Entity: GSC | Audit: Student Identity and Financial Verification

Risk/Control Issue: Enhance protocols for sensitive student data

Original Target Date: Jan-22 | Revised Target Date: Jan-22 | Status: In Process 11/21

Action Plan & Responsible Party:

(1) In response to this audit, the Academic Advising Office developed a process protocol to identify students when on the phone. The process includes asking students to verify non-directory information contained in the student record. The process is documented in a Standard Operating Procedure (SOP). The process was shared and adopted by the Admissions office in October 2021. This process will be shared with other offices that interact with students. Work to be completed by November 30, 2021.

(2) In response to this audit, the Academic Advising Office developed a procedure to redact personal information found in student correspondence saved in Salesforce. Work completed on October 13, 2021. The Financial Aid Office is reviewing the possibility of redacting information in documents submitted and stored in Xtender. The redaction of sensitive information in Xtender will be very difficult. That information may be needed to link the student to the document and information can be found in a number of places within a document, particularly if the document is lengthy. There would be no standard way to review each document and perform the redaction. The Financial Aid Office will review Xtender access by other departments and evaluate other individuals access for appropriateness. The Financial Aid Office will review options to purge old data from Xtender. Work to be completed by January 31, 2022.

MGT. EXPLANATION & RESOLUTION PLAN @ 11/16/2021: NEW

# 6 | Originally Reported: 2017 | Entity: KSC | Audit: Data Center

Risk/Control Issue: Move towards full recovery testing of KSC key services

Original Target Date: Dec-17 | Revised Target Date: Apr-22 | Status: In Process 11/21

Action Plan & Responsible Party:

(1) Review technical infrastructure barriers and execute plan to remove barriers and enable full restore off-site at UNH

(2) Conduct annual DRP exercises for individual Tier 1 services and tabletop exercises for selected other tiers of service to test DRP processes and procedures

(3) Enhance current testing verification from business units that will provide details of acceptance testing and verify successful recovery

MGT. EXPLANATION & RESOLUTION PLAN @ 05/26/2021:

(1) In Process. The USNH Business Continuity/Disaster Recovery (BC/DR) Project is underway. Berry Dunn has completed phase 1 of the project on 10/8/2021. This included initial assessment as well as project plan development. Phase 2 will start in December 2021 with estimated finish in Q1 2022. This will include plan updates and finalization of plan in partnership with Berry Dunn. The due date for the management action plan was extended to April 30, 2022. An update will be provided during the June 2022 Audit Committee meeting.

(2) The USNH BC/DR Project is underway. Berry Dunn has completed phase 1 of the project on 10/8/2021. This included initial assessment as well as project plan development. Phase 2 will start in December 2021 with estimated finish in Q1 2022. This will include plan updates and finalization of plan in partnership with Berry Dunn. The due date for the management action plan was extended to April 30, 2022. An update will be provided during the June 2022 Audit Committee meeting.

(3) Resolved

# 7 | Originally Reported: 2019 | Entity: KSC | Audit: Sponsored Projects Review

Risk/Control Issue: Enhance controls to comply with Uniform Guidance and grant terms and conditions

Original Target Date: Dec-20 | Revised Target Date: Apr-22 | Status: In Process 11/21

Action Plan & Responsible Party:

(1) Updated research policies and procedures will be developed and implemented by December 31, 2020 and incorporated into KSC research training initiatives. OSPR will update the existing grants administration roles and responsibilities matrix by December 31, 2020.

(2) The Keene State College Grants Policies and Procedures Manual will be reviewed and will be updated to reflect current processes and updated policies and procedures by May 2021. OSPR training will be reflective of policies and procedures outlined in the manual.

(3) Starting in October 2019, OSPR will conduct a kick-off meeting at the beginning of the grant with the PI. PIs will be trained on research policies, procedures and compliance requirements. A grants management checklist and policy acknowledgement page will be developed for use at this kick-off meeting starting in June 2020.

(4) OSPR will remove unallowable costs by December 31, 2019.

(5) OSPR will develop a PI reporting package for PI's by February 28, 2020.

(6) OSPR will develop protocols for the monitoring and tracking of cost share by February 28, 2020.

(7) Management will develop grant expense allowability and allocability guidance by April 2020.

(8) Effective in Nov 2019, management instructed staff on documentation required to support expense allocability and business purpose, OSPR started to document review and approval of invoices and financial reports, and PI approval is now required prior to the processing of grant labor distribution changes.

MGT. EXPLANATION & RESOLUTION PLAN @ 11/15/2021: (1)-(3), (5)-(8) Effective April 2021, UNH Sponsored Programs Administration is providing research administration services to KSC. UNH policies and procedures have been adopted and implemented across all USNH campuses that aligns with the new operating structure. UNH Research is working on updating policies and procedures to reflect all campuses and provide links on individual campus websites. (4) All unallowable costs identified have been removed from the grants.

Page 4 of 31

Originally Reported Audit Risk/Control Issue Action Plan & Responsible Party StatusOriginal

Target DateEntity# Revised Target Date

Dec-20 Nov-21 Resolved 11/21

Jun-20 Apr-22 In Process 11/21

Jun-21 Dec-21 In Process 1/22

Jun-22 Dec-22 In Process 10/21

Nov-20 Mar-22 In Process 11/21

11 2020 KSC Advancement Operations

Enhance gift restriction tracking

(1) Each new fund Banner request will be reviewed by another Advancement Services staff member before submission to the campus business office. This was been put in place on July 1, 2020.(2) We will review all Banner Finance funds for appropriateness. We will review 1/3 of all active funds annually with three review goals: top 1/3 of funds by December 31, 2020, including higher dollar/higher risk funds; next 1/3 of funds by August 31, 2021; last 1/3 of funds by June 30, 2022.(3) Beginning FY21 if there is an addendum to an MOU, the language will include "Any money in the restricted gift fund will be awarded using the new restrictions". Banner Finance fund text will be updated with the change and effective date of said change. Copies of the executed addendum to the MOU (if it is a minor change) will be shared with all appropriate campus partners and USNH. If the change is deemed significant to effect coding, or overall intention, a new fund will be created. This was put in place on July 1, 2020.(4) The current process of a campus department notifying Advancement, and Advancement staff initiating any changes to existing gift restrictions will be documented. This will be completed by October 31, 2020.Responsible Party is KSC Director of Advancement Services & Director of Development

MGT. EXPLANATION & RESOLUTION PLAN @ 10/22/2021: (1) Resolved. (2) In process. Due to staffing limitations, this task has not been started. The new goal will be 1/2 of the funds will be reviewed by 12/31/2021 and the remaining 1/2 will be reviewed by 12/31/2022. An update will be provided during the June 2022 Audit Committee meeting.(3) Resolved (4) Resolved. The action was completed on 4/6/2021

12 2020 KSC

10 2020 KSC Advancement Operations

Enhance the current chart of accounts

(1) OSPR will update the existing grants administration roles and responsibilities matrix by December 31, 2020. (2) OSPR will develop processes that ensure segregation of duties associated with the initiation and review/approval of grant transactions, financial reporting, and grant closeouts. This will be completed by February 28, 2020. (3) OSPR staff will utilize WebI grant summary, detail expense and personnel reports to develop a monthly grant reporting package for PIs, along with a guide on how to reach and understand the reporting package. This will be completed by February 28, 2020.

MGT. EXPLANATION & RESOLUTION PLAN @ 11/15/2021: (1), (2) Effective April 2021, UNH Sponsored Programs Administration is providing research administration services to KSC. Roles and responsibilities have been fully defined for all research administration tasks: PI, pre-award, post-award, and STAR (Support Team for Research Administration), while ensuring segregation of duties. UNH SFA AFC is responsible for invoicing, financial reporting, and closeouts; while STAR is responsible for expense processing/review for approvals, allowability, and allocability. (3) All PI's are receiving monthly grant financial reporting. In the long term, UNH is looking to using the UNH PI reporting package for other campus PI's.

(1) We will review all advancement related Banner Finance funds for appropriateness to ensure that gifts are recorded in the correct funds. We will set up a meeting with USNH Finance and the KSC Business Office to review current practice of establishing activity codes instead of new gift funds.(2) We will set up a meeting with USNH Finance and the KSC Business Office to review current fund creation coding and procedures by August 31, 2020. We will also review all fund designated funds (5D) for correct coding. This will be completed by December 31, 2020. Any funds identified will be corrected by June 30, 2021.(3) As stated in (1) & (2) the funds will be reviewed and any adjustments will be made by December 31, 2020. (4) We will review the Raiser's Edge to Banner Finance mapping annually, by comparing the Raiser's Edge fund GL report to Banner Finance WebI FBAL 1050 report. The first review will be completed by December 31, 2020. Responsible Party is KSC Director of Advancement Services & Fund Stewardship Assistant

MGT. EXPLANATION & RESOLUTION PLAN @ 10/21/2021: (1) In process. The meeting with USNH Finance and the KSC Business Office was held on August 17, 2020. Due to staffing shortages and additional projects the anticipated completion dates will be adjust out by six months. The revised completion date for this action is December 31, 2021. An update will be provided during the June 2022 Audit Committee meeting. (2) Resolved. All 5D funds were identified and corrections were processed. The action was completed on 7/15/2021 (3) Resolved. The action was completed on 4/6/2021 (4) Resolved. The action was completed on 12/17/2020.

Improve segregation of duties

Advancement Operations

Enhance donor compliance procedures

The Fund Steward Assistant is tasked to audit a sample of gift expenditures recorded by the gift funds. Currently, the focus has been on scholarships and awards annually, with a plan of expanding to the other gift funds. Going forward, we will review a sample of gift expenditures that are recorded by the gift fund on a quarterly basis, to ensure that the transactions are in compliance with donor restrictions. The first review will be performed by November 30, 2020.

MGT. EXPLANATION & RESOLUTION PLAN @ 10/22/2021: In Process. The scholarships are audited as they are awarded annually. 33 funds with annual FY21 expenses have been identified. As of November, 13 audits have been completed, nine audits are in process, and data for 11 funds has been identified to be completed. We are planning to complete the audit by March 31, 2022. An update will be provided during the January 2022 Audit Committee meeting.

9 2019 KSC Sponsored Projects Review

Improve grant closeout controls and procedures

MGT. EXPLANATION & RESOLUTION PLAN @ 11/15/2021: (1) Complete. Effective April 2021, UNH Sponsored Programs Administration is providing research administration services to KSC. All KSC grants are going through the UNH SPA closeout workflow. (2) Completed. With the revised structure, UNH SPA is now handling invoicing and financial reporting and applying UNH review/approval protocols to KSC grants. (3) KSC is working with UNH to resolve unbilled activity on grants that have ended and using the UNH workflow system to close and deactivate the grant funds. Due to competing priorities, additional time is needed to close out old grants and process related adjustments.

(1) Grant closeout policies and procedures will be developed and implemented by June 30, 2020. OSPR will review and streamline the current grant closeout process using a modified current practice or through the implementation of Banner Workflow. (2) Effective October 2019, OSPR has started to document the review and approval of invoices and financial reports. (3) Management will review unbilled activity on grants that have ended and determine the appropriate action and submit the list of active expired grants to FAST for inactivation by February 28, 2020. Starting in February 2020, on a monthly basis, OSPR will use WebI reports to review unbilled grant expenditures, refunds due sponsors, and fund aging.

8 2019 KSC Sponsored Projects Review


Originally Reported Audit Risk/Control Issue Action Plan & Responsible Party Status Original Target Date Entity # Revised Target Date

Jun-21 Dec-21 Resolved 10/21

Jun-21 Dec-21 Resolved 10/21

Mar-21 Mar-22 In Process 10/21

Jun-21 Mar-22 In Process 10/21

Mar-21 Mar-21 Resolved 11/21

15 2020 KSC Financial Aid Data Security

Enhance protocols for sensitive data handling

(1) A formal policy, including protocols and guidelines, will be created by the Financial Aid Office (FAO) addressing all of the above recommendations by June 30, 2021. We will ensure that security protocols and guidelines are reviewed by the USNH Information Security Officer prior to distribution. We have already begun to establish new procedures when emailing staff or other offices regarding a student. In addition, we have begun to review our reports to determine what data can be hidden from a report if it is not needed for the job being done. All students are asked to show their KSC ID before any information is given to them. If the student/parent is calling, we do review the FERPA spreadsheet to ensure we have permission to speak with the parent. We will develop a formal policy, including protocols and procedures to verify the student’s identity before accessing the student’s account. (2) Regarding the fax machine, KSC has recently been using Dynamic Forms for the submission of Financial Aid (FA) forms. We will investigate the feasibility of and/or purchasing a dedicated, non-network fax machine for use in faxing and receiving faxed documents with sensitive data. Alternatively, the office may end fax use (both sending and receiving). This will be completed by March 31, 2021.

MGT. EXPLANATION & RESOLUTION PLAN @ 10/26/2021: (1) In Process: A meeting with UNH, GSC, and PSU Financial Aid staff to work jointly on protocols and guidelines has been set up for November 2021. An updated completion date of March 31, 2022 has been requested. An update will be provided during the June 2022 Audit Committee meeting. (2) Resolved: KSC Management determined that faxes will no longer be accepted by KSC Financial Aid.

13 2020 KSC

14 2020 KSC Advancement Operations

Enhance data security

(1) Current PCI-DSS compliance procedures will be continuously monitored, documented and retained. This will be completed by August 31, 2020. (2) We will contact the USNH Information Security Office to conduct a security review of the vendor. This will be completed by December 31, 2020. (3) We will contact the USNH Procurement services to initiate a discussion with the vendor to sign an updated contract at the next contract renewal. We will ensure that appropriate data security language will be included in the contract. This will be completed by June 30, 2021. Responsible Party is the KSC Director of Advancement Services.

MGT. EXPLANATION & RESOLUTION PLAN @ 10/26/2021: (1) Resolved. A meeting with Campus Guard was held and all required documentation has been retained by KSC Advancement. Campus Guard will work on the annual SAQ to be completed before December 31, 2021. (2) Resolved. A security review was completed by the USNH Information Security Office over the vendor. (3) Resolved. A new contract was signed on 3/30/2021.

16 2020 KSC Financial Aid Data Security

Enhance security protocols to access key applications

17 2020

The Vice President of Enrollment and Student Engagement will work with USNH Information Technology to review our security protocols and determine further action by June 30, 2021.

KSC Financial Aid Data Security

Enhance data security training

The FAO staff attend Department of Education training on a regular basis. In addition, both the Director and Assistant Director read daily updates from the Department of Education, so any new information or policy changes with regards to FERPA would be noted quickly and disbursed to the staff immediately. GLBA security training will occur on an annual basis. Currently, we have been asked to complete this training and as of December 2020, 3 out of the 7 have successfully completed. This will be completed by March 31, 2021.

MGT. EXPLANATION & RESOLUTION PLAN @ 10/26/2021: In Process: Reached out to the USNH CISO to start a discussion regarding the implementation of multi-factor authentication on Colleague. An updated completion date of March 31, 2022 has been requested. An update will be provided during the June 2022 Audit Committee meeting.

Advancement Operations

Enhance current policies and procedures for Advancement operations

(1) We will create/follow a timeline for annual review of division policies and procedures, based on staffing resources. This will be completed by June 30, 2021. (2) The procedure was formalized in writing and shared with all campus administrative assistants on February 20, 2020. It is also included in the upcoming revision of the Gift Acceptance Policies and Procedures. (3) The KSC Gift Acceptance Policy and Procedures will be reviewed and updated by September 30, 2020. The updated draft policy will be submitted to the Cabinet for approval by December 31, 2020. Responsible Party is the KSC Director of Advancement Services and Director of Development.

MGT. EXPLANATION & RESOLUTION PLAN @ 10/22/2021: (1) Resolved. A timeline was created for an annual review of division policies and procedures. (2) Resolved (3) Resolved. The KSC Gift Acceptance Policy and Procedure was approved by the Cabinet on October 5, 2021.


MGT. EXPLANATION & RESOLUTION PLAN @ 11/17/2021: Resolved: All staff completed their annual GLBA and FERPA training in December 2020.


Jun-21 Mar-22 In Process 11/21

Mar-22 Mar-22 In Process 10/21

Dec-21 Dec-21 In Process 10/21

Jun-22 Jun-22 In Process 10/21

Dec-21 Dec-21 In Process 10/21

Enhance protection of data on end user devices

The Director of Financial Aid and Scholarships will work with our IT department to ensure all laptops are encrypted. The FAO currently does not use mobile devices containing any sensitive data. The FAO will submit a ticket to IT to request a third-party software be run on a weekly basis and for assistance in creating an established protocol for removal of any malware. Students will be asked to provide their own laptop to complete the FAFSA until a standalone CPU can be installed for this purpose. This will be completed by June 30, 2021.

MGT. EXPLANATION & RESOLUTION PLAN @ 11/17/2021: In process: All KSC Financial Aid laptops were encrypted. USNH IT is currently working to implement scanning for unprotected data with the Spirion Solution at KSC. An updated completion date of March 31, 2022 has been requested. An update will be provided during the June 2022 Audit Committee meeting.

18 2020 KSC Financial Aid Data Security

19 2021 KSC Admission Data Security

Enhance security protocols to access key applications

(1) We are currently consulting with the KSC/CRM technical manager and the USNH CRM team to implement multi-factor authentication (MFA) for Salesforce TargetX. PSU is going to be the first school to enable this and they have been working with the security team to move this to production. Once they have completed their implementation, we will copy their plan. This will be completed by December 31, 2021. (2) As for EAB, two-factor authentication is on the road map and a priority for EAB, but unfortunately it might not be ready by the beginning of 2022 for the MyAnalytics portal. EAB is committed to this important enhancement and will update us as we get closer to 2022. This will be completed by March 31, 2022. (3) The Director of Admissions will work with the USNH Chief Information Security Officer to implement MFA for Ellucian Colleague. This will be completed by December 31, 2021.

MGT. EXPLANATION & RESOLUTION PLAN @ 10/21/2021: NEW

20 2021 KSC Admission Data Security

Enhance protocols for sensitive data handling

(1) We are currently accepting high school transcripts and other documents with sensitive data via email. We already have a system in place for high school counselors to submit these transcripts securely. We will reinforce the usage of this system. In addition, we will be developing an alternate way for those counselors that are challenged by technology to send transcripts on behalf of the applicant in a safe manner. This process will be in place in time for the next application cycle (September 30, 2021). (2) A formal policy, including protocols and guidelines, will be created by the Admissions Office addressing all of the above recommendations by December 31, 2021. We will ensure that security protocols and guidelines are reviewed by the USNH Information Security Officer prior to distribution. (3) We will review the USNH Cybersecurity Policy USY VIII.C.4 to ensure compliance with this policy (September 30, 2021). (4) We will be developing a retention policy for paper documents and documents stored within the system with the CRM team, and will consult the USNH legal team. This will be completed by October 31, 2021. (5) We will investigate the feasibility of and/or purchasing a dedicated, non-network fax machine for use in faxing and receiving faxed documents with sensitive data. Alternatively, the office may end fax use (both sending and receiving). This will be completed by September 30, 2021. (6) We will reinforce the existing policy to only use the dedicated scanning workstation to scan sensitive data.

MGT. EXPLANATION & RESOLUTION PLAN @ 10/26/2021: New & In Process (1) Resolved: We no longer accept transcripts via email, only via Naviance. (2) In Process: The completion date for this action is December 31, 2021. An update will be provided during the June 2022 Audit Committee meeting. (3) In Process: This will be completed during the drafting of the formal policy. A new due date of December 31, 2021 is requested. An update will be provided during the June 2022 Audit Committee meeting. (4) Resolved: A retention policy was developed and communicated to the CRM team. (5) Resolved: We will no longer use the fax machine to receive or send sensitive data. (6) Resolved: We reinforced the existing policy to only use the dedicated scanning workstation to scan sensitive data.

21 2021 KSC Admission Data Security

Enhance vendor security review protocols

(1) As contracts expire, we will confirm with the USNH Chief Information Security Officer that vendors are meeting all USNH requirements to protect sensitive student data. In addition, we will contact USNH Procurement services to initiate discussions with vendors to sign an updated contract as the contracts expire. We will confirm that all appropriate data security language is included in contracts as they are updated and renewed. This will be completed by June 30, 2022. (2) A project request was submitted to the CRM technical manager to develop a business continuity plan. Check in will happen on November 1, 2021, on the progress of this project. This will be completed by June 30, 2022.

MGT. EXPLANATION & RESOLUTION PLAN @ 10/21/2021: NEW

22 2021 KSC Admission Data Security

Enhance protection of data on end user devices

(1) The Director of Admissions will work with USNH Chief Information Security Officer to ensure all laptops are encrypted. We will submit a ticket to IT to request a third-party software be run on a weekly basis and for assistance in creating an established protocol for removal of any malware. This will be completed by September 30, 2021. (2) In addition, the USNH Chief Information Security Officer will ensure a process is developed to ensure all computers are encrypted before they are issued to departments. This will be completed by December 31, 2021.

MGT. EXPLANATION & RESOLUTION PLAN @ 10/21/2021: NEW


Dec-21 Dec-21 In Process 10/21

Aug-19 Dec-21 In Process 11/21

Jun-20 Jan-22 In Process 11/21

Dec-21 Dec-21 In Process 10/21

Dec-21 Dec-21 In Process 10/21

Sponsored Projects

Inadequate controls over maintenance of grants in Banner

MGT. EXPLANATION & RESOLUTION PLAN @ 11/23/21: (1) In Process: The review, inactivation, and closeout of ended projects is still ongoing with UNH SPA. Revised completion date of April 30, 2022. (2) The roles and responsibilities matrix has been completed, which denotes the responsibility for the entry, review, and approval of grant fund setup in Banner.

MGT. EXPLANATION & RESOLUTION PLAN @ 11/17/2021: (1) Resolved on 6/30/2020. (2) In process. Data in flight is encrypted for all user and server level connections to all PSU Oracle databases. Additionally, as of December, 2021, Oracle OEM will be deployed for PSU and this will allow for better management of, and ability to encrypt, data at rest and backups. Due date was extended to January 31, 2022. (3) Resolved on 6/30/2020. (4) In process. UNH IT is deploying Oracle Enterprise Manager (OEM) to the ETS systems at PSU. OEM will allow us to better report on audit requests. It allows for aggregate reporting across systems and supplies management functions to assist with enabling additional reporting functionality. Due date was extended to January 31, 2022. (5) Resolved on 6/30/2021.

(1) Password Profiles will be reviewed and will be aligned with the PSU Password policy guidelines. (2) Database encryption is being researched for both at rest and in flight and will be piloted by end of June 2020. UNH will also be contacted to identify the methodology employed by them. (3) Oracle Masking for sensitive data is completed. (4) PSU will work with USNH colleagues to determine and develop a database logging and operating system process/standard including a formal review of logs. (5) We will work with the PSU ITS CSO to formalize a security configuration hardening standard for the database. We will also remediate the listener settings and SQL 92 and sessions per user providing database performance is not impacted. Responsible Party: PSU Director Management Information System

(1) PSU will perform a detailed review of projects that have ended and inactivate and closeout these grants and funds in Banner by June 30, 2019. (2) Going forward, PSU will incorporate the setup and review of grant demographic information as part of defined roles and responsibilities and updated policies and procedures by August 31, 2019.

Security hardening and configuration needs improvement

PSU 2019 Oracle Database Audit

24 2019 PSU

25

26 2020 PSU Student Billing Audit

Enhance the review and approval of billing rules

SFS had already self-identified some of these issues noted above prior to this Internal Audit report as evidenced through official performance enhancement plans in place through HR. As the billing rules for the Summer 2021 term were being built congruent with this audit, SFS has already begun the process to assist with the development and creation of formal protocols for segregation of duties between rule changes, testing of rules changes, and tuition billing. These new processes now consist of the billing manager and student accounts receivable team completing testing of new billing rules before implementation. The final step will be the Director approving the billing rules once testing is complete. In regard to manual adjustments, a list will be created and reviewed at least quarterly by the Director of SFS, beginning no later than June 30, 2021. Although the policies and processes are being developed now, SFS plans to have a complete process narrative and enhanced policy in place by December 31, 2021. In addition, desk procedures over rule changes and billing adjustments will be created and SFS staff will be trained on these desk procedures. This will be completed by December 31, 2021.

MGT. EXPLANATION & RESOLUTION PLAN @ 10/22/2021: In Process. The due date for the management action plan is December 31, 2021. An update will be provided for the June 2022 Audit Committee meeting.

27 2020 PSU Student Billing Audit

Enhance policies and procedures for billing course load changes

SFS agrees to enhance formal policies and procedures regarding the authorization of refunds. SFS will review current add/drop and withdrawal policies with the Registrar’s Office and enhancement recommendations will be made to PSU Senior Management. Any of those approved by PSU Senior Management will be incorporated into current policies/procedures. SFS will work with the relevant offices (i.e., Registrar’s Office, Housing/Dining Office, etc.) to establish a more formal communication plan regarding billing-related changes to reduce risk and close gaps. The necessary enhancements to policies and procedures will be implemented by December 31, 2021. Going forward, protocols will be created to ensure all stakeholders are informed of any upcoming student accounts related policy changes to provide input and discuss implications. This will be implemented by December 31, 2021.

MGT. EXPLANATION & RESOLUTION PLAN @ 10/22/2021: In Process. The due date for the management action plan is December 31, 2021. An update will be provided for the June 2022 Audit Committee meeting.

23 2021 KSC Admission Data Security

Enhance data security over payment card data

(1) We have reached out to the USNH Director of Treasury to replace the current terminal. We will also review all current paper applications to delete credit card information and SSN. The project was submitted to KSC Marketing for the re-design. This will be completed by September 30, 2021. (2) In addition, we will investigate a way for re-admit and transfer students to pay the application fee and/or deposit via an online portal. This will be completed by December 31, 2021.

MGT. EXPLANATION & RESOLUTION PLAN @ 10/21/2021: NEW


Dec-21 Jun-22 In Process 10/21

Dec-21 Dec-21 In Process 10/21

Dec-21 Dec-21 Resolved 12/21


Jun-17 Dec-22 In Process 11/21

31 2017 UNH Information Technology Incident Response

Not all servers outside of the two data centers are scanned for vulnerabilities

Enhanced vulnerability scanning program shall include: server OS security hardening, server pre and post production security audit (conducted by UNH-ISS), server vulnerability patching, and server vulnerability scanning. - CIO

MGT. EXPLANATION & RESOLUTION PLAN @ 05/28/2021: In Process. Significant progress has been made in expanding the Barricade program for devices managed by ET&S through the Pen test results and the deployment of Nessus agents on devices. All of the teams in ET&S are part of this project and are actively working on it. We expect this effort to continue through December 31, 2022 to incorporate all of the devices managed by ET&S.

Student Billing Audit

Enhance protocols related to mandatory and course related fees

(1) The Finance Division, in conjunction with the Registrar’s office, will establish/enhance policies and procedures regarding the set up and use of course related fees by December 31, 2021. Through the implementation of the UShop tool, the majority of expenses charged against course fee revenues is evaluated at the time of purchase. For those items, such as reimbursements, that are not processed through the purchasing tool, the Finance Division will establish a periodic review process to ensure the appropriateness of expenses charged against course fee revenues beginning July 1, 2021. (2) PSU Finance will create a formal policy on how student fees can be used. This will be implemented by December 31, 2021. Procedures on how to access/spend the dollars will be governed by USNH purchasing and disbursement policies and procedures. Through the UShop tool, the PSU Finance Office has greater insight into related expenditures that are occurring and by virtue of their approval of the requisition is validating the appropriateness of the expense. As the new FAR travel and expense process is being constructed, PSU is advocating to have Campus Finance Offices inserted into the Banner Finance approval process for such payments to employ the same allowability review that occurs for transactions processed through the UShop tool. (3) Mandatory auxiliary fees support auxiliary activity, and USNH elected to classify these revenues in alignment with the activity they support. USNH Financial Services will evaluate the existing practice as part of the policy updates underway to support the Financial Administrative Restructure project and document its justification for the classification by June 30, 2022. The language in MD&A also will be clarified to fully disclose the categories of auxiliary activities for the year ending June 30, 2021.

MGT. EXPLANATION & RESOLUTION PLAN @ 10/22/2021: (1) In process: The due date for the management action plan is December 31, 2021. An update will be provided for the June 2022 Audit Committee meeting. (2) In Process: The due date for the management action plan is December 31, 2021. An update will be provided for the June 2022 Audit Committee meeting. (3) In Process: Progress has been made on this outstanding audit issue. The due date was extended for the management action plan to June 30, 2022. An update will be provided during the June 2022 Audit Committee meeting.

29 2020 PSU Student Billing Audit

Enhance procedures surrounding collectability of outstanding student debt

Student Financial Services will refine the write-off policy (600-046) prior to July 15, 2021 to ensure it more clearly reflects that the 120 days write-off rule applies only to inactive student accounts and not the active student actions to avoid misunderstandings. Student Financial Services will broaden existing policies and procedure around outstanding balances and financial holds by December 31, 2021. It’s important to note that the FY20 write off amount is higher than usual due in part to the COVID-19 pandemic which caused a myriad of financial hardships for students/parents throughout the year. SFS already contacts students weekly leading up to term start but will document this more clearly going forward. This will be implemented by December 31, 2021.

MGT. EXPLANATION & RESOLUTION PLAN @ 10/22/2021: In Process. The due date for the management action plan is December 31, 2021. An update will be provided for the June 2022 Audit Committee meeting.

30 2020 PSU Student Billing Audit

Enhance periodic access review and monitoring

SFS accepts the recommendations. A review of SFARGFE and TSDETL has already been completed and access adjusted accordingly. A comprehensive review of access to Banner forms related to student billing will occur, with the support of the UNH/USNH Information Technology Unit, and will be completed by July 1, 2021. Necessary changes, with support from UNH/USNH IT, will be implemented by December 31, 2021. An annual review of form access will occur every winter thereafter.

MGT. EXPLANATION & RESOLUTION PLAN @ 12/22/2021: Resolved. The comprehensive access review of Banner forms relating to student billing was completed and access was removed for all identified staff no longer needing access to these forms. Going forward, access is going to be reviewed twice a year and this action has been added to the SFS administrative calendar.

28 2020 PSU


Sep-17 Dec-22 In Process 11/21

Dec-18 Feb-22 In Process 11/21

Apr-19 Feb-22 In Process 11/21

Jun-20 Sep-21 In Process 12/21

UNH Financial Conflict of Interest in Research

Enhance guidance, tracking and monitoring of non-PHS FCOIR disclosures and requirements

2017 UNH Financial Conflict of Interest in Research

Information Technology Incident Response

33

34 2017

35 2019 UNH Linux Audit

32

(1) UNH RIS will incorporate flowcharts into FCOIR guidance to aid researchers in identification of FCOIR that are required to be disclosed. (2) UNH RIS will use the InfoEd COI module to develop, track, monitor, manage and report on PHS and non-PHS disclosures and management plans. (3) UNH RIS will update financial conflicts of interest in research policies to mandate annual disclosures by all researchers certifying existence or non-existence of significant financial interest.

MGT. EXPLANATION & RESOLUTION PLAN @ 11/12/21: (1) and (2) Resolved for June 2021 Audit Committee meeting. (3) A USNH working group has been formed to implement annual and real-time COI disclosures through Cayuse; policies and procedures will be updated accordingly. The working group is obtaining necessary approvals from various constituents to roll out the Annual Disclosure Form to the USNH campuses. The annual disclosure process is ready to launch pending USNH Legal approval.

MGT. EXPLANATION & RESOLUTION PLAN @ 05/28/2021: In process. USNH just signed a contract to have the key logs aggregated in the Splunk tool and also to have the logs in the tool adhere to Splunk's framework to ensure they are designed well: 1. MSAD (UF) 2. Windows Servers (UF) a. Wineventlog:Security 3. Defender (HF – API) 4. Mac Endpoints (UF) 5. Aruba Network Devices (syslog) 6. ClearPass (syslog) 7. Secure auth (syslog) 8. O365 (API) 9. Microsoft exchange audit logs (UF) 10. JAMF (HF – API) 11. VMWare (syslog) 12. Aruba (Syslog). As part of the contract, the Splunk team will build out dashboards so that the current Cybersecurity team can utilize the logs being aggregated in a meaningful way due to not being able to fill the Splunk engineer position. The Cyber security team also attended a search party training with Splunk a couple of months ago in preparation for this professional services engagement. We expect this project to give us the key log sources.

2017 UNH

Addressing this issue shall entail evaluating and implementing where feasible a centralized security log aggregation database. In cases where automated centralized logging may not be feasible, a mechanism to facilitate centralized ad-hoc reporting shall be explored and implemented. - CIO

(1) The standard operating procedures for the processes mentioned will be modified to include provisioning and deprovisioning responsibilities, approval requirement for IT staff, time period for removing disabled accounts and will be completed by October 31, 2019. (2) The system administrators have been instructed to follow this process going forward. Completed by October 31, 2019. (3) A periodic review will be performed semi-annually using a risk-based approach and sampling. This review will include all account types, password changes, login shells etc., and will be completed by June 30, 2020. The results of the review will be filed in our audit directory. (4) The superuser password vault was segregated on August 31, 2019 and system administrators are aware of the requirement to change these passwords regularly. Responsible parties for all actions are the UNH Senior Information Technology Manager and the UNH Information Security Officer.

MGT. EXPLANATION & RESOLUTION PLAN @ 12/02/2021: (1) In process. Progress has been made on this outstanding audit issue. We are in the midst of bringing in new tools for management of Linux servers which will centralize and standardize management including providing more audit trails for actions taken. The due date was extended for the management action plan to March 31, 2022. An update will be provided during the June 2022 Audit Committee meeting. (2) In process. Progress has been made on this outstanding audit issue. We are in the midst of bringing in new tools for management of Linux servers which will centralize and standardize management including providing more audit trails for actions taken. The due date was extended for the management action plan to March 31, 2022. An update will be provided during the June 2022 Audit Committee meeting. (3) In process. Progress has been made on this outstanding audit issue. The due date was extended for the management action plan to March 31, 2022. An update will be provided during the June 2022 Audit Committee meeting. (4) Completed.

Enhance tracking and monitoring of PHS-funded projects, disclosure reporting and researcher training

(1) Implementation of InfoEd Conflict of Interest module. (2) Electronic processing of proposals in InfoEd. (3) UNH RIS will update written internal procedures to confirm the process for complying with federal FCOIR disclosure reporting requirements.

MGT. EXPLANATION & RESOLUTION PLAN @ 11/12/21: (1) Resolved for June 2021 Audit Committee meeting. (2) Cayuse proposal submission module with Cayuse COI integrated into the routing/review process was launched to select departments with full implementation by early 2022. (3) Written internal procedures are in process, as all SOPs will be updated to reflect process in Cayuse; planned completion is February 2022.

Access Management

No comprehensive information security log is maintained


Dec-19 Jan-22 In Process 11/21

Nov-19 Mar-22 In Process 12/21

Dec-19 Apr-22 In Process 11/21

MGT. EXPLANATION & RESOLUTION PLAN @ 12/22/2021: In process. Progress has been made on this outstanding audit issue. The due date was extended for the management action plan to March 31, 2022. An update will be provided during the June 2022 Audit Committee meeting.

MGT. EXPLANATION & RESOLUTION PLAN @ 11/13/2020: (1) In Process. Currently, servers are patched automatically every two weeks. We are still working on creating a formal change management process. This will be completed by March 31, 2022. The due date was extended for the management action plan to April 30, 2022. An update will be provided during the June 2022 Audit Committee meeting. (2) Resolved for the June 2021 Audit Committee Meeting. (3) In Process. Linux server administration is being centralized to use the SaltStack configuration management platform. Implementation of that tool started on 11/29 by our partners with VMware. We are working to adopt that tool throughout the first quarter of 2022. This tool will provide full visibility into system setup, updates, configuration changes etc. when complete. The due date was extended for the management action plan to March 31, 2022. An update will be provided during the June 2022 Audit Committee meeting. (4) Resolved. Least privilege access is now established with 2 administrators who can change the configuration of the script. (5) In Process. USNH Cybersecurity and Networking is currently working to establish a formal process to ensure that all security hardenings applied to the servers are in compliance with current security requirements.

UNH Linux Audit

Unauthorized Software Protection

AIDE is currently used to notify system administrators of changed/new files through an e-mail message sent to the primary administrator. Standard operating procedures will be updated to reflect the process that all notifications should be examined and filed by November 1, 2019.

Responsible party for this action is the UNH Senior Information Technology Manager and the UNH Information Security Officer

Linux Audit

Change and Patch Management

MGT. EXPLANATION & RESOLUTION PLAN @ 11/17/2021: In Process. Password parameters have been changed to comply with current USNH password policies. The servers are domain-joined so the password policy is enforced by AD. We are currently working on developing server templates. This will be completed by January 31, 2022. The due date was extended for the management action plan to January 31, 2022. An update will be provided during the June 2022 Audit Committee meeting.

37 2019

(1) Due to current staffing levels, technical limits for applications and scheduling downtime, we patch every two weeks. Also, the SADA team is part of a department wide Tiger Team, led by ISS, that deals with immediate security situations. We help determine the severity of the issue and implement controls, patches, fixes, etc., as the team directs.

(2) Inconsistent results with patch levels were due to the implementation of our automated Linux patching project. The first phase of the project automated patching on all servers every 30 days in the first two weeks of the month. We added a second phase to the project that scheduled patching for the second two weeks. We gathered audit data in the middle of this project, so some results are due to servers not yet scheduled for the second phase of the project. Some results may be due to some servers not being patched regularly. The completion of our Linux patching project now ensures all servers are patched twice monthly.

(3) Testing approvals are required and acquired for all our changes. Approvals are not stored in one location but will be by December 31, 2019. The change management team in IT should be looked to for a standard approval process that documents approvals in the ticketing system.

(4) Ensuring a set of patches is pushed to dev/test servers first, followed by production is our desired behavior. Due to recent changes to the satellite server we cannot “freeze” a set of patches, which was the earlier behavior of the satellite server. We have written a “freeze” script to ensure we are only applying tested patches. Least privilege access will be set up for our templates by October 31, 2019.

(5) USNH Cybersecurity and Networking will ensure that security hardening applied complies with current security requirements.

Responsible party for this action is the UNH Senior Information Technology Manager and the UNH Information Security Officer

Password parameters will be remediated by December 31, 2019, which will enforce password changes and the adoption of the most up to date encryption. While waiting for an approved standard for Information Technology, the SADA team has proactively analyzed and implemented CIS benchmark controls on newer servers in a manner that improves security without compromising performance or usability. It is important to remember that the CIS Benchmarks are best practice guidelines, not mandatory standards. In some cases, we determine that implementing certain Benchmarks would increase risk, without measurable improvement to security. For example, TCP Wrappers, in particular, can be exploited to cause Denial-of-Service (DOS) attacks on servers where implemented. It's also an Application Layer service that is more likely to have security flaws that could be exploited than a kernel-based firewall such as NetFilter or firewalld. We believe our implementation of host-based firewall rules provides superior protection to the servers, without increasing the risk of DOS attacks.

Responsible party for this action is the UNH Senior Information Technology Manager and the UNH Information Security Officer

USNH Internal Audit response: TCP wrappers (a host-based network access control list system) should not be considered a complete replacement for a properly configured firewall and other security mechanisms. TCP wrappers are used to enhance Linux servers’ security; when properly used, they reduce the risk of Denial-of-Service attacks on Linux servers. We recommend that TCP wrappers should be used in conjunction with a fully configured firewall and other security mechanisms and tools. If the above security recommendations cannot be implemented, management should document their rationale for not using the above recommended security enhancements and obtain USNH CIO and ISO formal approval for risk assumption.

36

Security Configuration and Hardening

38 2019 UNH

2019 UNH Linux Audit


Dec-19 Dec-22 In Process 10/21

Apr-20 Mar-22 In Process 11/21

Dec-19 Mar-22 In Process 11/21

Dec-19 Dec-21 In Process 11/21

Logging and Monitoring

The logging has been enabled for the 1 of 5 servers identified in the audit on August 31, 2019. Logs are uploaded to Log Insight in real time. We will keep logs for 90 days and ISS will review a sampling of critical application logs, monthly. This work will be done by December 31, 2019.

Responsible party for this action is the UNH Senior Information Technology Manager and the UNH Information Security Officer

USNH Internal Audit response to Management action plan: We recommend that management liaise with ISS and the USNH CIO to determine the appropriate retention period and related log review to appropriately diagnose potential security incidents.

MGT. EXPLANATION & RESOLUTION PLAN @ 10/26/2021: In process. Logs are uploaded to Log Insight for all servers. However, the log review for this action cannot be completed until the SIEM is in place and security monitoring functions are established. The SIEM will be put in place by December 31, 2022.

(1) A formal periodic network security threat and risk assessment will be performed by December 31, 2019;

(2) Network standards and baselines will be developed for the network environment by September 30, 2019;

(3) Ongoing monitoring of compliance with relevant network standards and baselines by April 30, 2020; and

(4) Further refinement of the roles and delineation of authority between ISS and the network team by September 30, 2019.

MGT. EXPLANATION & RESOLUTION PLAN @ 11/17/2021: (1) In Process. The Network Security Risk assessment has been completed. The network team in conjunction with the Cybersecurity team are continuing to prioritize and remediate findings. This will also be included in the new risk process being developed by the newly formed USNH GRC Team.

(2) In Process. Completion of this item was delayed due to resourcing constraints. These resourcing constraints have been addressed with the addition of a Cybersecurity GRC Director and an additional Cybersecurity GRC Analyst. This effort has been reprioritized with the expected completion of Q1 2022. The due date was extended for the management action plan to March 31, 2022. An update will be provided during the June 2022 Audit Committee meeting.

(3) In Process. Completion of this item was delayed due to resourcing constraints. These resourcing constraints have been addressed with the addition of a Cybersecurity GRC Director and an additional Cybersecurity GRC Analyst. This effort has been reprioritized with the expected completion of Q1 2022. The due date was extended for the management action plan to March 31, 2022. An update will be provided during the June 2022 Audit Committee meeting.

(4) Resolved.

Configuration and Security Hardening

UNH Linux Audit

The network team will collaborate with ISS on the development of security configuration and hardening standards, specifically for the network infrastructure devices, to be finalized by September 30, 2019. Subsequently, the network team will ensure that the standards feasible for the environment will be implemented on each device by December 31, 2019 and any exceptions to the standards will be approved by ISS and documented accordingly. Where possible, two factor will be implemented by December 31, 2019.

MGT. EXPLANATION & RESOLUTION PLAN @ 11/17/2021: In process. The standards program is underway and operational. The expected date of completion for the network standard is Q1 2022 with development starting in December. Currently nine security standards have been developed and published since January 2021. The due date for the management action plan was extended to March 31, 2022. An update will be provided during the June 2022 Audit Committee meeting.

2019

Security Program Governance and Oversight

42 2019 UNH Network Security Audit

Logging and Monitoring

The network management team will implement the logging and monitoring process, in accordance with the newly implemented standards by December 31, 2019.

MGT. EXPLANATION & RESOLUTION PLAN @ 11/17/2021: In process. Logging servers have been deployed at PSU and KSC and the network team is now working to prioritize which logs should be included. The due date for the management action plan was extended to December 31, 2021. An update will be provided during the June 2022 Audit Committee meeting.

40 2019 UNH Network Security Audit

UNH Network Security Audit

39

41 2019


Jun-20 Sep-22 In Process 11/21

Dec-19 Feb-22 In Process 10/21

Sep-22 Sep-22 In Process 05/21

(1) The Associate Vice President for Finance and Administration and the Associate Provost for Academic Administration will review expenditures to ensure compliance with donor restrictions. Review of adjustments made after R+30 for each semester. Retroactive review of adjustments made in the Spring 2019 to ensure they are in compliance with donor restrictions (December 31, 2019)

(2) The Associate Provost for Academic Administration, the AVPFA, and the Financial Aid Office Director, will revisit the process for awarding scholarships, identify any needed refinements, and communicate to appropriate stakeholders (December 31, 2019)

(3) UNH Financial Aid Office is in the process of procuring a software solution that improves applications, awarding and tracking process (June 30, 2020)

MGT. EXPLANATION & RESOLUTION PLAN @ 12/08/2020: (1) In process. The focus continues to be shifting financial aid on to the restricted gift funds. The Director, Central Finance and the Director of Finance (Schools and Colleges) have conducted limited independent reviews to date. Resources in the CFO office will be identified to complete the appropriate reviews going back to Spring 2019. For scholarships with a GPA requirement, resources in Enrollment Management will be identified to assist with the review. The CERP, other departures and the Huron FAR project have pushed out the expected completion date to December 31, 2021. An update will be provided during the June 2022 Audit Committee meeting.

(2) In Process. Significant progress has been made in more fully incorporating spending plans in the annual budget and this will continue to be a focus for the FY22 budget. We expect to document evidence of the release of restrictions by the end of FY21 for a significant portion of the current balance. With respect to rules around awarding scholarships, the Director, Central Finance and Director of Finance (Schools & Colleges) will be developing a high-level plan. The more detailed procedures within Financial Aid are being updated as part of the Blackbaud Award Management implementation, scheduled for Fall 2021. Revised completion date for high-level plan December 31, 2021. An update will be provided during the June 2022 Audit Committee meeting.

(3) In process. The contract with Blackbaud Awards Management (formerly called Academic Works) was signed in December 2019. The implementation of the system was delayed by a few months due to staff turnover at the vendor. Blackbaud Awards Management will be implemented by December 31, 2021 with onboarding of some UNH Colleges by March 31, 2022. The remaining colleges will be onboarded by September 31, 2022.

MGT. EXPLANATION & RESOLUTION PLAN @ 12/08/2020: (1) Resolved for the June 30, 2020 Audit Committee meeting.

(2) Resolved for the January 2021 Audit Committee Meeting.

(3) In Process. Progress on this project has slowed due to other priorities. Approximately 700 funds remain to be reviewed, covering about 40% of the total dollars. The project is on schedule and this will be completed by September 30, 2022.

(4) Resolved for June 30, 2020 Audit Committee meeting.

(5) Resolved for the June 2020 Audit Committee meeting.

(6) Resolved for the June 2020 Audit Committee meeting.

(7) In Process. Management is focusing on developing gift charters for internally designated gift funds where none exists. The few donor-established gift funds without founding docs (older funds) will have a page added to Xtender noting "no documents available". Given several higher gift management/spending priorities and limited risk, we plan to complete this portion of the project during FY22 (by June 30, 2022).

(8) In process. The contract with Blackbaud Awards Management (formerly called Academic Works) was signed in December 2019. The implementation of the system was delayed by a few months due to staff turnover at the vendor. Blackbaud Awards Management will be implemented by December 31, 2021 with onboarding of some UNH Colleges by March 31, 2022. The remaining colleges will be onboarded by September 31, 2022.

44 2019 UNH Donor Restriction & Compliance Audit

Enhance procedures to ensure gifts are recorded accurately

(1) AVP of Development and Foundation Treasurer will enhance the fund creation process to include sign-off by Corporate & Foundation Relations director on the documentation and the determination of establishing a foundation-administered fund (December 31, 2019)

(2) The AVP of Development, C&FR Director, and Foundation Treasurer will work with UNH SPA to review and update formal guidance regarding the administrations for corporate and foundation fund proposals (December 31, 2019)

(3) Director of Advancement Finance will periodically perform a secondary review of related documents on corporate and foundation gifts (December 31, 2019)

MGT. EXPLANATION & RESOLUTION PLAN @ 12/08/2020: (1) Resolved for the January 2021 Audit Committee meeting.

(2) In Process. This item continues to be outstanding as the Institutional Giving Team is still in the reorganization process. In addition, the restructuring of administrative support services in SPA due to FAR has made this item a lower priority for that team. We will continue to seek resolution of this item and suggest a new target date of February 28, 2022. An update will be provided during the June 2022 Audit Committee meeting.

(3) Resolved for the June 2020 Audit Committee meeting.

45 2019 UNH Donor Restriction & Compliance Audit

Enhance procedures to track gift restrictions accurately and completely

(1) UNH Director of Advancement Finance will sample new gifts monthly to ensure proper setup and purpose (December 31, 2019)

(2) UNH Director of Donor Relations & Stewardship will oversee the SharePoint Gift Agreement tool enhancement to formalize the mechanism to notify the appropriate BSC when a new gift fund is created (December 31, 2019)

(3) UNH Foundation Treasurer and Director of Donor Relations & Stewardship will create a comprehensive process to review fund documentation and update any inconsistencies in Banner Finance. There will be three review goals (September 30, 2020, September 30, 2021, and September 30, 2022)

(4) UNH Foundation Treasurer will ensure all BSCs are aware of the process to gain access to ApplicationXtender (December 31, 2019)

(5) UNH Foundation Treasurer and Director of Donor Relations & Stewardship are working to clarify when a new gift fund is needed after a gift agreement amendment (December 31, 2019)

(6) UNH Director of Donor Relations & Stewardship will outline and disseminate the gift purpose amendment process to BSC Directors, VPFA and Provost staff (December 31, 2019)

(7) UNH Foundation Treasurer and Director of Donor Relations & Stewardship will ensure ApplicationXtender includes all documentation regarding the designated purpose for all gift funds (September 30, 2020)

(8) UNH Financial Aid Office is in the process of procuring a software solution that improves applications, awarding and tracking process (June 30, 2020)

43 2019 UNH Donor Restriction & Compliance Audit

Enhance procedures to ensure use of restricted funds is in accordance with donor terms and restrictions


Jul-20 Feb-22 In Process 11/21

Jan-22 Oct-22 In Process 11/21

46 2020 UNH Export Controls

Improve controls over the identification, tracking and monitoring of export-controlled projects and technology control plans

(1) The University is transitioning electronic research administration systems from InfoEd to Cayuse. Cayuse is a more robust system that will provide integrated reporting. In the interim, CEC will request monthly reports from the senior programmer starting in December 2019.

(2) We will revise the proposal routing form questions, as part of the Cayuse implementation, to identify red flags that the export compliance staff could then follow up on. We anticipate that this will be completed by June 30, 2020.

(3) Export control training will be required for staff on export-controlled projects by June 30, 2020.

(4) Cayuse is anticipated to launch on July 1, 2020, where export compliance information will be linked to the actual project record and will offer more timely and usable management information. In the interim, our current spreadsheet solution will be enhanced to include key fields and reflect the current status of export-controlled proposals and projects by February 29, 2020.

(5) To enhance monitoring of TCP compliance, we will incorporate an annual recertification process for active TCPs. We anticipate that this will be completed by March 2020.

(6) Going forward, we will download reports of all RPS activity on a quarterly basis. We will improve our record retention protocols by July 1, 2020.

(7) We will perform RPS on personnel listed on active TCPs by January 31, 2020.

MANAGEMENT EXPLANATION & RESOLUTION @ 11/10/21: (1) Resolved for June 30, 2021 Audit Committee meeting.

(2) Resolved for June 30, 2021 Audit Committee meeting.

(3) Mandatory training for staff was included in the Export Controls Committee's report to the Provost. Given the situation with COVID, associated actions have been delayed.

(4) Cayuse was implemented to select UNH departments on June 1, with full implementation by February 2022. In the interim, the spreadsheet was enhanced to include SPA project ID and status of the project.

(5) Resolved for June 30, 2021 Audit Committee meeting.

(6) Resolved for January 2021 Audit Committee meeting.

(7) TCPs for active projects have been received, reviewed and approved by CEC and RPS was performed for all personnel listed in TCP.

47 2020 UNH Identity Access Management

Enhance security configurations

(1) UNH IT agrees that a security assessment of the OIM replacement should be conducted by 12/31/2021. (UNH Information Technology Manager)

(2) By 10/1/2020, the IAM team will review the benefits of setting up a process for feeding OIM application logs to Log Insight with the SADA team. The SADA team will increase OIM log retention to 30 days. Once a SIEM is in place and a USNH process for creating, managing, monitoring security events is created, the IAM team will work with ISS and SADA to support the new process. Estimated completion date 1/1/2022. (UNH Information Technology Manager)

(3) By 6/30/2020, Service Account passwords will be changed in accordance with the new USNH Password Policy. Passwords will be stored in the new IT PAM/Password Vault when available. (UNH Information Technology Manager)

(4) We have no plans to utilize the encryption in the database for tables and columns since the encryption in place today is being enforced using Oracle's native encryption via the OIM application. Consequently, the DBA cannot see sensitive data and we would be encrypting data already encrypted via the application. For traffic between the database and computer connections we will implement encryption by 4/28/2020. (Senior Information Manager)

(5) Standard operating procedures will be modified to outline what the database SYS account will be used for. UNH IT will set the parameter to move the audit files where DBAs cannot modify them. UNH IT will build a report from the audit records outlining the activity of the SYS account and review quarterly. We will evaluate expanding our database privilege account monitoring beyond SYS. The above will be completed by 1/1/2021 (Senior Information Manager)

(6) Failed database login attempts are set to 10 on all accounts. All accounts will follow this policy by 6/30/2020. (Senior Information Manager)

(7) A periodic review of access will occur twice a year by 1/1/2021. (Senior Information Manager)

(8) We will evaluate the Listener settings of our current network design. We will also evaluate our compensating controls and determine if we should enable any or some of the Listener capabilities to complement our current mitigations by 1/1/2021. (Senior Information Manager)

MGT. EXPLANATION & RESOLUTION PLAN @ 11/16/2021: (1) - (4) In Process. Cybersecurity has evaluated the audit findings and determined given the current resources and projects that the time would be better spent to remediate these items as part of the replacement project for the new Identity Management Tool (SailPoint). We expect there to be multiple phases. Phase one of the SailPoint project will start in October 2021 and run through October 2022. We have submitted a request for LRTP funding proposal with a comparison on return on investment between remaining on Oracle Identity Manager (OIM) and moving to Identity IQ SailPoint. The funding was approved and we slated the project to begin in September 2021. The project had a delayed start due to the Active Directory consolidation and the new MyAccounts tool and the size of the IAM team. The project started in early October 2021. Preliminary planning is occurring, a project manager is in place and a project plan is being drafted. There will be two phases for this project; the first will be predominantly focused on replacing OIM and ensuring disaster recovery and business continuity is in place addressing audit findings. The second phase will focus on moving the PSU identity tool to SailPoint and the remaining audit findings will be addressed from the Identity Access Management audit report. Phase two will run from October 2022 through October 2023.

(5) In Process. Progress has been made on this outstanding audit issue. The due date was extended for the management action plan to March 31, 2022. An update will be provided during the June 2022 Audit Committee meeting.

(6) In process. Progress has been made on this outstanding audit issue. The due date was extended for the management action plan to March 31, 2022. An update will be provided during the June 2022 Audit Committee meeting.

(7) In process. Progress has been made on this outstanding audit issue. The due date was extended for the management action plan to March 31, 2022. An update will be provided during the June 2022 Audit Committee meeting.

(8) In process. Progress has been made on this outstanding audit issue. The due date was extended for the management action plan to March 31, 2022. An update will be provided during the June 2022 Audit Committee meeting.


Jan-21 Sep-22 In Process 11/21

Jan-21 Oct-22 In Process 11/21

Jan-21 Sep-22 In Process 11/21

Accountability and responsibility

The newly formed IAM team is currently in the process of defining and documenting a clear governance structure. As part of the initiative to replace OIM, documentation will be created to cover the areas described above for the new system, which will manage, track, and report (quarterly).

By 1/1/2021, the IAM manager will provide documentation on the governance structure of the IAM ecosystem.

The IAM manager will raise the lack of OLA standards and requirements across USNH IT to the CIO’s Office for prioritization.

Responsible Party: Information Technology Manager, UNH

UNH

MGT. EXPLANATION & RESOLUTION PLAN @ 11/16/2021: In Process. As part of the transformation service line leaders were appointed for each service. The service line leader owns the service under the direction of the orchestrator. For IAM the service line leader is the Director of Cybersecurity Operations and Engineering and the Orchestrator is the Chief Information Security Officer. As part of the SailPoint project we will address the security review, business continuity, disaster recovery and ongoing maintenance of process design documentation September 2022. There is a new Director of Cybersecurity GRC and compliance who will be working on policies and standards going forward.

(1) IAM manager will work with SADA to review and update existing disaster recovery plans and review risk assessments with the new CISO. (Information Technology Manager, UNH) Due date: 1/1/2021

(2) The IAM team will participate in any future IT-wide business continuity plans development efforts. (Information Technology Manager, UNH) Due date: 1/1/2021

MGT. EXPLANATION & RESOLUTION PLAN @ 11/16/2021: (1) & (2) In process. The Director for GRC and compliance is responsible for Disaster recovery enterprise wide. A proposal was submitted to LRTP and approved. From an enterprise perspective this project will set the tone and expectations for disaster recovery enterprise wide. Also, as part of phase one of the SailPoint Identity IQ implementation we will develop a disaster recovery plan and business continuity plan for the IT portions of provisioning and deprovisioning for our target systems to utilize if the technology is not available.

50 2020 UNH Identity Access Management

Disaster recovery and business continuity

49 2020 UNH Identity Access Management

Access management

(1) Code is managed in subversion, which provides both versioning and code comparison capabilities. Code is designed, developed and unit tested in the OIM development environment by the OIM developer team. When ready, it is deployed first to OIM test for system testing and then to production by one of two system administrators with the appropriate access. While UNH IT perceives the risk of one of the two administrators modifying the code prior to deployment to be low, IAM will raise the issue with ISS and the new CISO. Estimated completion date 10/1/2020. (Information Technology Manager, UNH)

(2) By 10/1/2020, the IAM team will raise the segregation of duties issues with ISS and the new CISO for risk assessment and prioritization. (Information Technology Manager, UNH)

(3) By 8/1/2020, the IAM Team will implement both a biannual review/attestation of system administration access to the OIM application. Additionally, approvals for new access will be formally documented and the evidence retained prior to granting any new access. (Information Technology Manager, UNH)

(4) By 1/1/2021, for each OIM target system (Canvas, Kaltura, Team Dynamix, etc.), the IAM Team will document the account lifecycle supported by OIM. (Information Technology Manager, UNH)

(5) By 1/1/2021, the service owner for each of the target systems will review and approve the account lifecycle and document the baseline access provided to a user when OIM creates accounts in that system. (Information Technology Manager, UNH)

MGT. EXPLANATION & RESOLUTION PLAN @ 11/16/2021: (1) - (2) In Process. Cybersecurity has evaluated the audit findings and determined given the current resources and projects that the time would be better spent to remediate these items as part of the replacement project for the new Identity Management Tool (SailPoint). We expect there to be multiple phases. Phase one of the SailPoint project will start in October 2021 and run through October 2022. We have submitted a request for LRTP funding proposal with a comparison on return on investment between remaining on Oracle Identity Manager (OIM) and moving to Identity IQ SailPoint. The funding was approved and we slated the project to begin in September 2021. The project had a delayed start due to the Active Directory consolidation and the new MyAccounts tool and the size of the IAM team. The project started in early October 2021. Preliminary planning is occurring, a project manager is in place and a project plan is being drafted. There will be two phases for this project; the first will be predominantly focused on replacing OIM and ensuring disaster recovery and business continuity is in place addressing audit findings. The second phase will focus on moving the PSU identity tool to SailPoint and the remaining audit findings will be addressed from the Identity Access Management audit report. Phase two will run from October 2022 through October 2023.

(3) In Process. We reviewed the tool called Devolutions and have determined that we need a true privilege access management tool. A request for funding will be submitted for LRTP for FY 2023 including staffing to work on the project given the other planned project of SailPoint and the small size of the IAM team.

(4) Resolved.

(5) In Process. Cybersecurity has evaluated the audit findings and determined given the current resources and projects that the time would be better spent to remediate these items as part of the replacement project for the new Identity Management Tool (SailPoint). We expect there to be multiple phases. Phase one of the SailPoint project will start in October 2021 and run through October 2022. We have submitted a request for LRTP funding proposal with a comparison on return on investment between remaining on Oracle Identity Manager (OIM) and moving to Identity IQ SailPoint. The funding was approved and we slated the project to begin in September 2021. The project had a delayed start due to the Active Directory consolidation and the new MyAccounts tool and the size of the IAM team. The project started in early October 2021. Preliminary planning is occurring, a project manager is in place and a project plan is being drafted. There will be two phases for this project; the first will be predominantly focused on replacing OIM and ensuring disaster recovery and business continuity is in place addressing audit findings. The second phase will focus on moving the PSU identity tool to SailPoint and the remaining audit findings will be addressed from the Identity Access Management audit report. Phase two will run from October 2022 through October 2023.

48 2020 Identity Access Management


May-21 Mar-22 In Process 12/21

Sep-20 Mar-22 In Process 12/21

Jul-20 Mar-22 In Process 12/21

May-21 Mar-22 In Process 12/21

UNH Change Management

Improve emergency change process

If the decision is made to move forward as outlined in the finding Streamline policies and procedures, then:

(1) Modify the Change Management Program such that the approval of the director/service line leader for all emergency changes must be provided to the CMT and stored as part of the emergency change request. Socialize process change with requestors. (CMT) Due date September 30, 2020

(2) Modify the Change Management Program such that all emergency changes that occur between CAB meetings will be reviewed and documented at the next scheduled CAB meeting. Socialize process change with requestors and CAB. (CMT) Due September 30, 2020

MGT. EXPLANATION & RESOLUTION PLAN @ 12/22/2021: (1) Not yet started. As Action #1 hasn't been completed yet, due date was moved to March 31, 2022. This item is being included in the work by the ITSM unit to review change management practices within ET&S. It will be included in the new definition of those practices going forward.

(2) Not yet started. As Action #1 hasn't been completed yet, due date was moved to March 31, 2022. This item is being included in the review of change management practices across ET&S. That will likely include moving the change records out of the home-grown tool currently used and into TeamDynamix where we can include this requirement and provide records of the approvals for emergency changes.

52 2020

51 2020 UNH Change Management

Streamline policies and procedures

(1) Confirm that the UNH Change Management Program will be adopted for use across USNH to meet the needs of the new USNH ET&S organization (Director of ET&S Help Desk Services and Senior Leadership) Due September 30, 2020
(2) Escalate to the ET&S Senior Leadership and CIO to implement a formal SDAMLC charged with clearly defining and required activities, documentation, segregation of duties, approvals, and audit trail artifacts required for any change to a production ET&S system or environment (AVP, Information Technology, UNH) Due July 31, 2020
If the decision is made to move forward as outlined in (1), then:
(3a) Implement an annual review cycle for the Change Management Program (Director of ET&S Help Desk Services and Senior Leadership) Due January 31, 2020
(4a) Develop and implement an annual training requirement for all change management participants to be rolled out ET&S wide as part of the expansion of the existing UNH Change Management program to all USNH ET&S (Director of ET&S Help Desk Services and Senior Leadership) Due May 31, 2021
If the decision is made NOT to move forward as outlined in (1), then:
(3b) Document requirements that should be considered when developing the go-forward Change Management Program and the SDAMLC for USNH ET&S to ensure gaps identified are included in the design of those processes/programs (CMT) Due November 30, 2020

MGT. EXPLANATION & RESOLUTION PLAN @ 12/22/2021: (1) In process. Progress has been made on this action. As of today, the buy-in from ET&S service leaders is still outstanding. We expect to provide an update on this by March 31, 2022, if all of the ET&S service leaders fully support the UNH Change Management Program. (2) In process. Efforts are underway to review and expand the past change management practices. When those practices are reviewed and deployed throughout ET&S operations, the updated practices will address all concerns raised in the audit report. (3a) Not yet started. As Action #1 hasn't been completed yet, due date was moved to March 31, 2022. (4a) Not yet started. As Action #1 hasn't been completed yet, due date was moved to March 31, 2022. (3b) Not yet started. As Action #1 hasn't been completed yet, the due date was moved to March 31, 2022. (4b) Not yet started. As Action #1 hasn't been completed yet, due date was moved to March 31, 2022.

(1) Escalate to the ET&S Senior Leadership and CIO to implement a formal SDAMLC charged with clearly defining and required activities, documentation, segregation of duties, approvals, and audit trail artifacts required for any change to a production ET&S system or environment (AVP, Information Technology, UNH) Due July 31, 2020

MGT. EXPLANATION & RESOLUTION PLAN @ 12/22/2021: (1) In process. This management action plan hasn't been completed yet and the due date was moved to March 31, 2022. The UNH change management processes for use across USNH IT resources will be based on those processes established initially within UNH IT, with modifications made based on the recommendations from this audit and appropriate to the new system-wide scope of the ET&S


54 2020 UNH Change Management System maintenance changes

This statement is made based on the fact that the auditor reviewed change-related issues occurring over the past year. In practice, outages are investigated immediately, and system logs are more readily and consistently available than they are months out from an issue.

If the decision is made to move forward as outlined in the finding Streamline policies and procedures, then: As part of the initiative to expand change management ET&S wide, analyze all changes currently designated as system maintenance changes to define a clear set of boundaries for what can and cannot be a system maintenance change. With that definition, perform a return on investment (ROI) analysis that compares the cost of implementing the additional controls recommended by Internal Audit against the actual risk mitigation achieved with those controls. Based on the results of this analysis, make a recommendation to service line and ET&S Senior Leadership (orchestrators) on the appropriate go-forward approach to system maintenance changes, including a SOP. Address any Internal Audit recommendations that are not selected for implementation via formal risk acceptance. (Director Enterprise technology and services (ET&S) Help Desk Services and CMT) Due May 31, 2021

53 2020 UNH Change Management Enhance code migration restrictions


MGT. EXPLANATION & RESOLUTION PLAN @ 12/21/2021: (1) Not yet started. As Action #1 hasn't been completed yet, the due date was moved to March 31, 2022. This item is being included in the review of ET&S change management practices. There is no ETA for when the review of these will be complete, but it should take place throughout the spring of 2022.


May-21 Mar-22 In Process 12/21

Jul-20 Mar-22 In Process 12/21

Oct-20 Mar-22 In Process 11/21

Sep-20 Mar-22 In Process 11/21

57 2020 UNH Financial Aid Data Security Review

Restrict access to sensitive data in Web Report Service

The Financial Aid Office will work with USNH Information Technology, the unit responsible for security of the Web Report Service, to resolve financial aid report access by October 31, 2020. (UNH Director of Financial Aid)

MGT. EXPLANATION & RESOLUTION PLAN @ 11/23/2021: In process. Financial Aid Office has reached out to USNH Information Technology, the unit responsible for security of the Web Report Service, to resolve financial aid report access. The new due date for the management action plan is March 31, 2022. An update will be provided during the June 2022 Audit Committee meeting.

58 2020 UNH Financial Aid Data Security Review

Enhance vendor security review protocols

(1) Contact the UNH Information Security Officer and request a vendor security review over Shred-It USA LLC.
(2) Contact USNH Procurement Services and request an updated contract be drafted and signed with the vendor; the request will include asking that all appropriate data security language be included by USNH Procurement Services and the vendor.
(3) Contact UNH Facilities, to include representation in the discussion outlined in Management Action Plan item 2., in the preceding paragraph. (UNH Director of Financial Aid)

MGT. EXPLANATION & RESOLUTION PLAN @ 11/23/2021: (1) The UNH Director of Financial Aid contacted the UNH Information Security Office and requested a vendor security review over Shred-It USA LLC. This will be completed once a new contract is in process. (2) Contacted USNH Procurement Services and requested an updated contract to be drafted and signed with the vendor. (3) Contacted UNH Facilities, to include representation in the discussion for the new contract.

55 2020 UNH Change Management

Pre-Approved standard changes (PAS)

(1) Changes are categorized based on a risk assessment that takes into consideration a number of concrete factors that, based on historical evidence and industry guidance, increase the risk of certain types of changes. A reassessment of the changes being categorized as system maintenance and preapproved will be performed for appropriateness. (Director and the Enterprise Technology & Services (ET&S)) Due May 31, 2021

If the decision is made to move forward as outlined in the finding Streamline policies and procedures, then:
(2) Perform a review of all existing PAS changes in 2020/2021 and determine the appropriate frequency for this review going forward. Formal sign-off on review of the PAS changes for a service line will be required from the service line leader. A SOP for conducting and documenting the review will be developed. (CMT) Due March 31, 2021
(3) Modifications to the existing Change Management Model will be implemented to capture and store the rationale for approving all new PAS changes. Best practices/SOPs will be updated to capture this new requirement. (CMT) Due October 31, 2020

MGT. EXPLANATION & RESOLUTION PLAN @ 12/22/2021: (1) In process. Progress has been made on this outstanding audit issue. The due date was moved to March 31, 2022. This item is being included in the review of ET&S change management practices. There is no ETA for when the review of these will be complete, but it should take place throughout the spring of 2022. (2) Not yet started. As Action #1 hasn't been completed yet, the due date was moved to March 31, 2022. The current review of ET&S change practices does plan to review all pre-approved changes for appropriateness. (3) Not yet started. As Action #1 hasn't been completed yet, due date was moved to March 31, 2022.

56 2020 UNH Change Management

Monitoring of changes for appropriateness

Escalate to the ET&S Senior Leadership and CIO to implement a formal SDAMLC charged with clearly defining and required activities, documentation, segregation of duties, approvals, and audit trail artifacts required for any change to a production ET&S system or environment (AVP, Information Technology, UNH) Due July 31, 2020

MGT. EXPLANATION & RESOLUTION PLAN @ 06/09/2021: (1) In process. Progress has been made on this outstanding audit issue. The due date was extended for the management action plan to March 31, 2022. An update will be provided during the June 2022 Audit Committee meeting.


Dec-20 Mar-22 In Process 11/21

2020 UNH Financial Aid Data Security Review

Enhance protocols for sensitive data handling

(1) Develop and implement security protocols and guidelines for handling sensitive data as mentioned in the audit report.
(2) Develop requirements to redact sensitive information where possible. When this is not possible, stricter data protection requirements will be implemented.
(3) Ensure security protocols and guidelines are reviewed by UNH Information Security Office prior to implementation.
(4) Develop and implement protocols and guidelines to securely purge obsolete documents that are stored on ApplicationXtender, UNH Box, shared drives, and Dynamic Forms.
(5) Develop and implement protocols and guidelines that ensure all sensitive documents are either placed in a secure location or placed in locked shredding cabinets at the end of the business day.
(6) Develop and implement protocols and guidelines that ensure all cabinets and rooms that contain sensitive information are locked at the end of the business day. (UNH Director of Financial Aid)

MGT. EXPLANATION & RESOLUTION PLAN @ 11/23/2021: (1) - (6) In process. The UNH Director of Financial Aid is working with UNH cybersecurity to develop uniform standards and procedures that can apply across the institution. The new due date for the management action plan is March 31, 2022. An update will be provided during the June 2022 Audit Committee meeting.

59


Nov-20 Mar-22 In Process 11/21

Mar-21 Mar-22 In Process 11/21

Dec-20 Apr-22 In Process 11/21

62 2020 UNH Business Services Data Security Review

Enhance security for sensitive data

Business Services will review its procedures regarding sensitive information, including secure storage and redaction, and will make appropriate updates. There is a business need to retain sensitive information and procedures will be updated and will be consistent with USNH document retention policies (02-211 Financial Records Retention Periods). Related to the response for finding #2, Xtender for Banner Student is being upgraded in September 2020 and will be part of MFA. (UNH Director of Business Services)

MGT. EXPLANATION & RESOLUTION PLAN @ 06/09/2021: In process. UNH Director of Business Services is currently reviewing its procedures regarding sensitive information. In addition, Xtender for Banner Student was successfully upgraded in January 2021. The new due date for the Management Action Plan is 04/30/2022. An update will be provided during the June 2022 Audit Committee meeting.

Financial Aid Data Security Review

Enhance periodic access reviews

Management concurs with this finding. In response, periodic appropriate access review protocols and guidelines will be developed and implemented by November 30, 2020. The protocols and guidelines will include the ability to modify or remove access, as necessary. In the development of protocols and guidelines, work with other data stewards to arrive at best practices across similar data steward areas will be attempted. The first review will be completed by November 30, 2020. (UNH Director of Financial Aid)

60 2020 UNH

MGT. EXPLANATION & RESOLUTION PLAN @ 11/09/2021: In process. Data stewards, their technical delegates, and ET&S continue to meet regularly to work through security classification issues. Main offices - Registrar, Financial Aid, Admissions, and Business Services have worked to create new security groups that contain only objects from their data areas. New individual classes continue to be developed for other campus offices as the needs arise. These outside office classes limit the access to only the objects needed for a specific task. The data steward working group made recommendations to the Account Management System (AMS) team for the account request process that would reduce confusion by the requestor, and provide individual office approvals rather. AMS has not provided a timeline of implementing these changes. The new due date for the management action plan is March 31, 2022. An update will be provided during the June 2022 Audit Committee meeting.

61 2020 UNH Business Services Data Security Review

Initiate periodic access reviews

ET&S developed a report of users who have not accessed Banner in 13 months, and access for those users is removed. Business Services is in the process of getting access to a Banner Student security report. Ownership of Banner Student forms and roles and responsibilities need to be defined across the student services units. Policies and procedures need to be developed, in collaboration with ET&S. A plan will be developed for the initial security review, focusing on the high-risk areas. An employee checklist is used to discontinue access to Banner and all files when employees or student workers leave the department. We will work on the following target dates: Obtain access to the Banner Student security report and confirm that report meets Business Services needs: October 30, 2020; develop risk-based plan for initial security review: December 31, 2020; define roles and responsibilities and procedures: January 31, 2021; initial review: March 31, 2021 (UNH Information Technologist, ET&S and UNH Director of Business Services)

MGT. EXPLANATION & RESOLUTION PLAN @ 11/09/2021: In process. Data stewards, their technical delegates, and ET&S continue to meet regularly to work through security classification issues. Main offices - Registrar, Financial Aid, Admissions, and Business Services have worked to create new security groups that contain only objects from their data areas. New individual classes continue to be developed for other campus offices as the needs arise. These outside office classes limit the access to only the objects needed for a specific task. The data steward working group made recommendations to the Account Management System (AMS) team for the account request process that would reduce confusion by the requestor, and provide individual office approvals rather. AMS has not provided a timeline of implementing these changes. The new due date for the management action plan is March 31, 2022. An update will be provided during the June 2022 Audit Committee meeting.


Sep-20 Dec-21 In Process 12/21

Sep-20 Jul-21 In Process 12/21

63 2020 UNH Effort Reporting

Enhance controls over allocation of effort

(1) Management will work with the Business Service Center (BSC) to ensure effort charged to the cooperative agreement referenced is in compliance with Uniform Guidance and make any adjustments deemed appropriate. This will be completed on or before July 31, 2020.
(2) Management worked with the BSC to adjust the annual effort allocation for the research scientist referenced above in section (i). These adjustments were completed in April 2020.
(3) For FY20, Sponsored Programs Administration will require principal investigators to certify the effort for all research staff.
(4) For FY20, Sponsored Programs Administration launched a non-mandatory PI Quarterly Expense Certification for all federal sponsored program expenditures. This certification will be made mandatory in FY21.
(5) The principal investigator has been reminded that changes to an existing agreement must be made, in writing, between the University and initiated through SPA and the Sponsor’s contract office.
(6) Management believes that UNH has fulfilled the voluntary committed cost share through the receipt of third-party agreements. We will appropriately document and report these voluntary committed cost share amounts to the sponsor in the next reporting cycle. If not fully met through third-party agreements, UNH will identify resources to fulfill the cost share obligation.
(7) The Grant and Contract Administrators will be reminded of their responsibility to review the proposal to ensure that voluntary cost share is not proposed without the approval of the Senior Vice Provost for Research, Economic Engagement and Outreach (SVPR, EE&O) or her designee. This was reviewed at the June 23, 2020 SPA staff meeting.
(8) SPA will incorporate the review of Banner grant setup by AFC Financial Research Administrators during billing setup. This will be completed on or before September 30, 2020.

MGT. EXPLANATION & RESOLUTION PLAN @ 11/10/21: (1) The Senior Director, Research & Sponsored Programs met with the NOAA Program Manager and the Principal Investigator on August 27, 2020 to discuss the finding. The NOAA Program Manager and Principal Investigator confirmed that charging the scientist's time to the cooperative agreement was appropriate and the funds provided by external sponsor should be reported as cost share. The funds provided by the sponsor were used to advance the work of the JHEC. The grant received a no-cost extension until December 31, 2021, at which time UNH will report the applicable cost share in the final financial report. (2) Resolved for December 31, 2020 Audit Committee meeting. (3) Effective for FY21, the effort of grad students, administrative and professional employees, undergraduate students, non-exempt, and adjunct employees will be certified by the PI or Fund Manager that has fiscal and technical responsibility for a sponsored fund. Internal Audit noted that the effort certification policy was not updated to reflect this new process, but the risk is minimized as the practice is more restrictive than the current policy. In order to increase controls over effort allocated to grants, PIs are receiving quarterly reports listing staff and total amount of payroll charged to each grant. Effective July 1, 2020, quarterly certification of expenditures is mandatory. Failure to certify may result in non-submission of proposals and delay in set-up of new awards. (4) Resolved for December 31, 2020 Audit Committee meeting. (5) Resolved for December 2020 Audit Committee meeting. (6) UNH has identified the source of funds to meet the cost share obligation and will have the PI certify that the cost share requirement is met through these funds. In addition, UNH will receive validation from the Sponsor that the required cost share obligation has been fulfilled. The cost share will be reported to the Sponsor at the end of the program period on 12/31/21. Update to be provided at June 2022 Audit Committee meeting. (7) Resolved for December 2020 Audit Committee meeting. (8) Resolved for December 31, 2020 Audit Committee meeting.

MGT. EXPLANATION & RESOLUTION PLAN @ 11/10/21: UNH SPA worked with HR to develop a process for identifying, tracking, and monitoring of E-Verify requirements. Banner has a built-in control that prevents an employee from being hired into a position assigned to a federal grant if E-Verify is not completed. UNH Pre-Award will be responsible for identifying federal contracts to which E-Verify requirements are applicable; SPA Research Administration Support Services will be responsible for reviewing Banner HR to see if E-Verify has been completed. If not, SPA will request HR to complete this verification and confirm when complete. SPA Post-Award will be responsible for monitoring compliance with E-Verify requirements. Process to be formally implemented. Update to be provided at June Audit Committee meeting.

64 2020 UNH Effort Reporting

Enhance controls over federal contract E-Verify compliance

UNH Research, UNH Human Resources, and BSCs will work collaboratively to develop procedures to process, track, and monitor compliance with E-Verify requirements. E-Verify records related to effort charged on projects subject to E-Verify will be validated to ensure compliance with FAR 48 CFR 52.222-54 requirements.


Mar-21 Apr-22 In Process 11/21

Dec-21 Dec-21 Resolved 12/21

66 2020 UNH Institutional Data Reporting

Enhance controls over survey data element definitions and interpretations

(1) IR&A will develop protocols for the documentation of key survey definitions working with institutional data stewards and business process owners. This documentation will be reviewed each submission cycle to ensure definitions meet survey requirements. Protocols developed will be implemented for the completion of the Common Data Set, which will be completed by IR&A on February 15, 2021. (2) IR&A will develop protocols for the documentation of changes required to key survey definitions and interpretations of requirements. These changes will be reviewed and approved by institutional data stewards. Protocols developed will be implemented for the completion of the Common Data Set, which will be completed by IR&A on February 15, 2021. (3) When/if it is determined that incorrect data was reported, IR&A will work with the data steward and appropriate institutional leadership to determine appropriate steps to report corrected data. This is dependent upon survey, nature of data with issue and timing. Such issues will be tracked in the survey repository. Work to be completed by the end of the annual survey cycle, approximately December 31, 2021.

MGT. RESOLUTION & EXPLANATION PLAN @ 11/10/21: IR&A maintains a file documenting key survey definitions and documentation to support WebI/other reporting to meet survey definitions. In addition, IR&A maintains a detailed survey log which contains annual survey requirements, detailed activity log, and historical survey requirement change log. This log documents changes, review, and approval of key survey definitions. (3) IR&A looks at prior year values and will review any significant deviations from prior to current year. For other surveys, due to resource constraints, IR&A is unable to look back at prior survey submissions. IR&A is focusing efforts on ensuring survey accuracy going forward.

MGT. RESOLUTION & EXPLANATION PLAN @ 11/22/21: (1)-(3), (5): A survey was sent to the associate deans in each college asking them to report on all external surveys they complete for rankings/guidebooks. The list has been incorporated into our master list of surveys along with the month each survey is due, and we now actively work with the colleges on each of these surveys. This master survey list tracks organization, survey name, level, deadline, contributing departments, purpose, extension and date, draft completion and date, reviewed and date, IR&A or department approval, senior administrator approval, and a link to supporting documentation. (4): In process; the first phase of additional oversight and access to financial aid data has occurred and more involved review of the CDS, IPEDS, and US News financial aid data provided for these surveys was completed by IR&A. Financial Aid data has not been added to the enterprise reporting environment due to capacity/staffing issues and competing priorities. It is a key priority for FY22. (6) Resolved for June 2021 Audit Committee meeting.

65 2020 UNH Institutional Data Reporting

(1) Management agrees that more central oversight is required for external surveys and reporting. Since these findings were reported, IR&A has reviewed a US News survey for Paul College and will be reviewing additional US News surveys for Engineering and Physical Sciences, Health and Human Services, Liberal Arts, and Paul College before they are submitted. IR&A, working with Academic Leadership, will develop an inventory of survey participation and external data submissions that occur at UNH. Work will be completed by February 15, 2021. (2) Based on the findings from the survey inventory, roles, and responsibilities for the completion of each survey will be established, based upon risk, impact of institutional reputation, and leadership objectives. Work to be completed by March 15, 2021. (3) A central repository of institution-wide surveys will be established to track and monitor the due dates, approvals, and submissions of these surveys. This central repository will provide a framework for survey completion, review, and submission. It will identify and document survey requirements, survey due date, roles and responsibilities for survey completion and reporting integrity, review and approval protocols, and data sources/retrieval approach for each survey. Work to be completed by March 15, 2021. (4) IR&A and Enrollment Management will increase oversight and access to Financial Aid data required for surveys and external data sets. This effort is underway and will be completed throughout the survey cycle period. Common Data Set review will be completed by February 15, 2021, Integrated Postsecondary Education Data System (IPEDS) review will be completed by January 31, 2021. (5) Based on the outcome of the inventory of surveys and level of institutional oversight required, additional data elements will be incorporated into the Center for DATA enterprise data mart. This will be a phased effort and dependent upon the results of the survey inventory, which will be completed by March 15, 2021. A sub-certification process will be developed for areas that provide data to IR&A for external surveys for which IR&A does not have access to or oversight. This process will require submitting departments to certify that the data is accurate, has been reviewed and tested, and meets the survey need/requirement. Work to be completed by January 15, 2021. (6) The processes mentioned above for increasing Center for DATA/IR&A access to and oversight of financial aid data will be in place to ensure accuracy of financial aid data reported in the 2022 US News survey, which will be due in May of 2021 and published in September 2021. For the interim period between now and May, IR&A will submit corrected financial aid data for the 2021 US News survey which was submitted in June 2020. Although corrections will not change UNH’s ranking, US News makes corrections to its institutional data published on its website. Work to be completed by December 23, 2020.

Enhance control structure, authority, and responsibility for institutional data reporting


Sep-21 Sep-21 Resolved 10/21

Jun-21 Jun-22 In Process 10/21

Dec-21 Dec-21 In Process 10/21

Jan-22 Jan-22 In Process 10/21

70 2020 UNH Mandatory Fee

Ensure mandatory fees charged are according to approved rates

Mandatory fees for summer and January term are minimal and are currently under review. UNH will work with USNH to determine how mandatory fees for summer and January term should be disclosed in the Board materials. Any changes will be implemented for the January 2022 Board meeting, when mandatory fees are submitted for approval.

MGT. RESOLUTION & EXPLANATION PLAN @ 10/27/21: In Process: The due date for the management action plan is January 30, 2022. An update will be provided during the June 2022 Audit Committee meeting.

68 2020 UNH Mandatory Fee

Document classification of mandatory fees in the financial statements

Mandatory auxiliary fees support auxiliary activity, and USNH elected to classify these revenues in alignment with the activity they support. USNH Financial Services will evaluate the existing practice and as part of the policy updates underway to support the Financial Administrative Restructure project and document its justification for the classification by June 30, 2022. The language in MD&A also will be clarified to fully disclose the categories of auxiliary activities for the year ending June 30, 2021.

MGT. RESOLUTION & EXPLANATION PLAN @ 10/27/2021: In Process. The language in the MD&A was updated to fully disclose the categories of auxiliary activities for the year ending June 30, 2021. We are in the process of documenting the justification for the classification. The due date for the management action plan is June 30, 2022. An update will be provided during the June 2022 Audit Committee meeting.

69 2020 UNH Mandatory Fee

Develop formal policies and procedures for mandatory student fees

As part of the FY23 mandatory fee rate-setting process, the UNH CFO Office will establish formal policies and procedures regarding how mandatory student fees can be used. The policy and procedures will also address travel, including student and team travel, and will reflect compliance with NCAA requirements. UNH will also reinforce existing USNH policies to ensure that the policy is consistently applied to all expense transactions. This will be completed by December 31, 2021.

MGT. RESOLUTION & EXPLANATION PLAN @ 10/27/21: In Process: The due date for the management action plan is December 31, 2021. An update will be provided during the June 2022 Audit Committee meeting.

67 2020 UNH Mandatory Fee

Develop procedures to bill in accordance with approved rates

UNH is in the process of revising the policy in light of the significant number of remote students for all semesters. Changes will be approved and put in place by Summer 2021. The policy will be approved by the UNH Provost and CFO and communicated to President’s Leadership Council (PLC). UNH will include a review of this policy as part of the annual tuition update process, or as needed. UNH will take direction from the University System of NH regarding whether any exceptions should be included in the Board materials. The most recent approved policy will be easily accessible. This will be completed by September 30, 2021.

MGT. RESOLUTION & EXPLANATION PLAN @ 10/27/2021: Resolved: The policy has been updated for FY22 and has been approved by the UNH Provost. UNH will revisit the policy annually during the budget development process and prior to any updates to the Student Rights Rules and Responsibilities Handbook.


Originally Reported, Audit, Risk/Control Issue, Action Plan & Responsible Party, Status, Original Target Date, Entity, #, Revised Target Date

Mar-22 Mar-22 In Process 1/22

Aug-22 Aug-22 In Process 1/22

Jun-22 Jun-22 In Process 1/22

72 2021 UNH Admission Data Security Review

Enhance vendor security review protocols

As contracts expire, we will confirm with the USNH Chief Information Security Officer that vendors are meeting all USNH requirements to protect sensitive student data. In addition, we will contact USNH Procurement services to initiate discussions with vendors to sign an updated contract as the contracts expire. We will confirm that all appropriate data security language is included in contracts as they are updated and renewed. Finally, we will work with the USNH Cybersecurity office regarding the review of applicable SSAE 18 reports for all external vendors. This will be completed by August 31, 2022.

MGT. RESOLUTION & EXPLANATION PLAN @ 10/21/21: NEW

73 2021 UNH Admission Data Security Review

Enhance security protocols to access key applications

We will consult with the USNH CRM team to implement MFA for Salesforce TargetX. PSU is going to be the first school to enable this and they have been working with the security team to move this to production. Once they have completed their implementation, the plan will be copied to KSC and UNH. The Associate Vice Provost for Enrollment Management and Marketing will work with the USNH Chief Information Security Officer to implement MFA for Salesforce TargetX. This will be completed by June 30, 2022.

MGT. RESOLUTION & EXPLANATION PLAN @ 10/21/21: NEW

71 2021 UNH Admission Data Security Review

Enhance protocols for sensitive data handling

(1) UNH Office of Undergraduate Admissions uses Hobson’s Naviance to allow transcripts and sensitive information to be submitted. We will continue to use this system and discourage staff from accepting documents via email.
(2) Admissions will work on these policies and add to the admissions handbook by March 1, 2022: security protocols and guidelines for handling sensitive data, addressing all of the above recommendations.
(3) We will review the USNH Data Classification Policy with the USNH Chief Information Security Officer regarding emailing UNH ID to potential UNH students by December 1, 2021. With the implementation of a new solution called Slate in 2022, we will remove the need to send UNH IDs to students.
(4) A document retention policy has been implemented with IT for scanned documents. Paper documents are scanned to the system and physically discarded after 1 year. We will consult with UNH legal regarding this retention policy. This will be completed by January 1, 2022.
(5) We will investigate the feasibility of and/or purchasing a dedicated, non-network fax machine for use in faxing and receiving faxed documents with sensitive data. Alternatively, the office may end fax use (both sending and receiving). This will be completed by January 1, 2022.
(6) We no longer provide paper documents to offices outside admissions. New processes are in place for electronic access to admission documents to those privy to this information. Approval protocols are in place before access is granted to staff throughout the University. UNH accounts portal is used to monitor requests and workflows are developed to ensure admissions approves any access.
(7) We will work internally to develop guidelines for staff to understand which PII information should not be sent via fax, email or printed.

MGT. RESOLUTION & EXPLANATION PLAN @ 10/21/21: NEW


Aug-22 Aug-22 In Process 1/22

74 2021 UNH Student Grades

Enhance authority, responsibility, and structure

(1) See UNH-L action plans referenced in Appendix I. The UNH Law action plans encompass the following three main areas: (1) Return responsibility for submitting individual student grades to faculty. Faculty will directly submit student grades into WebCat/Banner. (2) Clarity and adherence to deadlines and policies. Deadlines will be reviewed, published, and included on all relevant forms. Authority for approvals, and the designated approving authority, will be reviewed and published and identified on all forms. Deadlines will be followed and all deviation from deadlines or standard policies for the 2021-2022 year may only be approved by the Associate Dean of Academic Affairs (ADAA) or, in her absence, the Associate Dean for Administration and Enrollment (ADEA). Possible delegation of this authority will be considered in 2022-2023 after a review of all processes. (3) Form and document review and retention. Work to be completed by August 31, 2022.
(2) Create a shared resource that is accessible and maintained by Registrar management at all UNH campuses. UNH-D will create the platform and will include the following documents: 1) operational calendar outlining grade related tasks and deadlines and the staff/campus that will complete work, 2) policies and procedures handbook with designated sections for UNH-D and UNH-M undergraduate programs, UNH-D and UNH-M graduate programs, UNH-L Juris Doctor and UNH-L graduate programs, 3) record of delegation of authority and, 4) USNH Student Grade Audit Report and action plan tracker. UNH-D management will ask management at all campuses to assist in maintenance of the documents. Changes to the documents will be tracked for archival purposes. This will bring consistency and transparency to the work that all campuses do and will ensure that there is a centralized source to aid in procedural improvement, efficiency, authority, and communication. Work to be completed by March 15, 2022.
(3) In July 2021, functionality allowing faculty to submit final grade changes via WebCat was implemented. The tool was designed to enforce UNH grade change policy, accuracy, authority, and data security. As of the publication of this report, UNH-D and UNH-M faculty use this functionality. Management plans to make the functionality available to UNH-L faculty in a Phase 2 implementation. Work to be completed by August 31, 2022.
(4) Management will work to update Student Rights, Rules, and Responsibilities (SRRR) 07.14(ad) to include a dean’s right to delegate his or her authority. Work to be completed by September 1, 2022.
(5) Management will develop a biannual process to review a random selection of grades and grade adjustments processed by all campuses. To ensure review is built into current business processes, management will add this task to the calendar which will be accessible by Registrar management across all campuses. Findings and action taken will be recorded and archived. Work to be completed by March 15, 2022.
(6) UNH-D Office of the Registrar will work with the Associate Dean for Academic Affairs to evaluate the Graduate School grade change policy time limits and authorization level. Work to be completed by December 1, 2021.
(7) UNH-L will obtain documentation of faculty vote to approve UNH-L Spring Emergency & Operations resolution, which modified Academic Rule IV: Grading for the Spring 2020 semester. If this documentation is not available, UNH-L will retroactively approve the resolution. Work to be completed by December 31, 2021.
(8) UNH-D and UNH-L management will include Credit (CR) grade and definition on UNH-L transcript key to be completed by December 1, 2021.
(9) Academic Rule IV: Grading is under review this year by the Academic Affairs and Administration Committee, co-chaired by the Associate Dean of Academic Affairs. Review, revision, and implementation will be complete by June 15, 2022.

MGT. EXPLANATION & RESOLUTION PLAN @ 11/09/2021: NEW


Dec-22 Dec-22 In Process 1/22

75 2021 Student Grades

Enhance grading system interfaces

(1) Management will develop grades access policy and protocols that will provide framework for access and authorization in WebCat and Canvas, which will be approved by the UNH Provost. Work to be completed by October 15, 2022.
(2) UNH-D management will explore functionality in Banner admin page GTVSDAX to ensure the grade drop down menu in WebCat displays grades associated with a course section. UNH-D and TLT management will explore the redesign of Canvas grade scale menu to be consistent, including IC grade. Work to be completed by March 15, 2022.
(3) Registrar and TLT management will work to align WebCat and Canvas grade submission permissions so that all instructors of record (assigned in Banner) have the ability to submit grades for a course in both systems. Management will draft a grades access policy statement to ensure consistency in Banner and Canvas roles. The policy statement will be shared between TLT and Registrar management. Policy statement will address the fact that Banner requires one “primary” instructor on a course. Departments often assign more than one instructor to a course and all instructors have equal roles; one instructor is not designated as “primary” by the department. In this scenario, the “primary” instructor designation is arbitrary, and all instructors have grading responsibilities. Work to be completed by March 15, 2022.
(4) University Registrar confirmed with Academic Standards and Advising Committee that instructors must retain the ability to manually add students to Canvas rosters. Registrar management will propose adding text to Canvas that will be displayed when a teacher adds an individual to course roster alerting them of the fact that the student must also submit a formal request to add the course according to university policy. Management notes that an official grade cannot be submitted for a student that has been added to course roster in Canvas but has not gone through the formal university procedure to officially add the course. Work to be completed by December 1, 2022.
(5) Current procedures exist to identify discrepancies between Banner and Canvas rosters; however, instructor response rates are low. To address USNH Internal Audit’s concern regarding Canvas users’ ability to add a student to a course, Registrar management will evaluate this current procedure and will investigate improvements in an effort to increase effectiveness. In addition to this, UNH-D and TLT management will investigate a procedure to compare Canvas and Banner course rosters after the add/drop period closes. UNH-D Registrar management will consider outreach to students that have been manually added to the Canvas roster but have not gone through formal university procedure to officially add the course. Work to be completed by June 15, 2022.
(6) Registrar and TLT management will review grade passback errors and automated responses to teachers to ensure errors are resolved. As previously stated, management will evaluate Canvas and Banner functionality in an effort to reduce the number of errors produced (see Action Plan 2(2)). Work to be completed by March 15, 2022.

MGT. EXPLANATION & RESOLUTION PLAN @ 11/09/2021: NEW

UNH


Oct-22 Oct-22 In process 1/22

Dec-21 Dec-21 In process 1/22

Aug-22 Aug-22 In process 1/22

76 2021 UNH Student Grades

Enhance periodic access review and monitoring

(1) The admin account access review process will be documented and will include limiting who has access, justification of access, and how credentials are to be stored by November 30, 2021.
(2) The Application Administration (App Admin) team will document the approval process of changes to permissions and additions of roles. These changes and who approved these changes will be tracked in a separate audit/change log specific for admin rights by November 30, 2021.
(3) In June 2021, App Admin changed the dummy email addresses for student worker local accounts to the App Admin mailing list [email protected]. Emails sent to this email address are received by App Admin team. If there is a change to the student admin account, the App Admin team, including the manager, will receive a notification.
(4) TLT will reach out to the Cybersecurity team to discuss best practices for creating admin accounts and will work on a process that follows their suggestions for securing the accounts by November 15, 2021.
(5) Currently, there is no password vault in which we are able to store account passwords. Since we need to share some admin account information, management agrees that we will continue to store passwords in a folder accessible to only the App Admin team. ET&S is planning to roll out a password vault tool and once that is rolled out, App Admin will use that tool and no longer store passwords in OneDrive. Work to be completed by October 31, 2022.
(6) App Admin will put a process in place to annually change local admin account passwords in line with USNH password policy. Also, the password will be changed when there are changes in App Admin staff. Once the password vault tool is rolled out this process will be automated. Work completed by October 31, 2021.
(7) Student admin privileges were changed in June 2021 during the audit process, and they no longer have admin accounts that allow masquerading as an instructor or the ability to modify or view grades.
(8) The App Admin team will document the steps involved with auditing the student admin account activity. An audit log will be created to record the time and the name of the person that completed the audit along with any findings. Also, the App Admin team will increase the auditing of student admin accounts to bi-monthly. The App Admin manager will review the audit log quarterly to ensure audits are happening and there are not any concerning activities such as off hours access, pageviews in areas where they should not be, etc. Student workers sign the ET&S confidentiality and cyber security agreements. The Director of TLT Application Administration and User Support will discuss the possibility of holding data security training for TLT student workers with the USNH Cybersecurity group. Work to be completed by December 31, 2021.
(9) Management will develop grades access policy and protocols that will provide framework for access and authorization in WebCat and Canvas, which will be approved by the UNH Provost by October 15, 2022.
(10) Management will implement an annual review of Banner Student grade admin pages (SFASLST and SHATCKN) access using WebI report SIS00100. User maintenance and query access will be adjusted based on users’ current position and job responsibilities. To ensure review is built into current business processes, management will add this task to the calendar which will be accessible by Registrar management across all campuses. Findings and action taken will be recorded and archived by December 1, 2021.
(11) UNH-D Registrar management will continue to create new Banner security classes. Only Registrar records staff, Registrars, and Associate Registrars will retain maintenance access to SFASLST and SHATCKN. All other Registrar’s Office staff will retain query access only. Work to be completed by March 15, 2022.
(12) All Banner security access is reviewed and approved by the University Registrar or designee (Registrar authority designation to be recorded in shared registrar platform). In accordance with FERPA and registrar best practices, effort is made to assign the least data access needed to perform job responsibilities. Some user access to Banner admin pages was approved by former Registrar management (2014 and earlier). An initial review of SFARHST, SFASLST, SHACRSE, SHATERM and SHATRNS using WebI report SIS00100 will be done to evaluate the current data needs of users based on current job responsibilities. Review will be documented, and access will be modified as appropriate. Justification of access will be recorded and archived. Going forward, management will continue to create Banner security classes based on a user’s role and will continue to grant the least access needed to perform job duties. Following this initial review, a random sample of users with access to these Banner admin pages will be reviewed annually to ensure data access continues to be appropriate based on users’ legitimate educational interest and current job responsibilities. To ensure review is built into current business processes, management will add this task to the calendar which will be accessible by Registrar management across all campuses and will be completed by June 15, 2022.

MGT. EXPLANATION & RESOLUTION PLAN @ xx/xx/2021: NEW

77 2021 UNH Student Grades

Enhance transfer credit process

UNH-D management will use available reporting to identify high risk transfer credit awards and will evaluate the records for accuracy and compliance with UNH transfer credit policy. To ensure review is built into current business processes, management will add this task to the calendar which will be accessible by Registrar management across all campuses. Findings and actions taken will be recorded and archived.

MGT. EXPLANATION & RESOLUTION PLAN @ 11/09/2021: NEW

78 2021 UNH Student Grades

Enhance security protocols for student grades

(1) UNH-L will return responsibility for submitting individual student grades to faculty. Faculty will directly submit student grades through WebCat and Canvas. UNH-L will plan to utilize WebCat Final Grade Change tool as ET&S and Registrar resources are available for Phase 2 implementation.
(2) Management developed and implemented the WebCat final grade change tool in July 2021 for UNH-D and UNH-M student grade changes. UNH-L will adopt the grade change tool by August 2022.
(3) UNH-D management acknowledges that the submission of student grade forms via university email is not best practice. Campuses were forced to alter standard practices to accommodate remote work due to the COVID-19 pandemic. Student grade forms are only accepted from UNH-D and UNH-M faculty when sent using a UNH email address. UNH-D Office of the Registrar will contact other New England Land Grant institutions to learn how registrar forms are submitted, reviewed, and approved. Based on findings, management will draft a plan to improve current submission process.
(4) UNH-D management will develop security protocols and guidelines for handling student grade information and registrar forms and will publish on the Registrar FERPA webpage. UNH-D management will request to the Provost that UNH-M and UNH-L link to UNH-D's FERPA webpage to ensure consistency across all campuses.

MGT. EXPLANATION & RESOLUTION PLAN @ 11/09/2021: NEW


Dec-22 Dec-22 In Process 1/22

Dec-22 Dec-22 In Process 1/22

Jun-22 Jun-22 In Process 1/22

79 2021 UNH Garage Inventory

Enhance inventory receipt process

(1) UNH Management will evaluate if staff will be formally investigated about the missing parts. This will be complete by December 31, 2021 by the UNH Associate Vice President for Facilities and Operations.
(2) The Transportation Garage has been rolled into UNH Facility Services. Facilities Services is in the process of implementing a new work order platform called Assetworks (AiM). AiM will allow all work, parts inventory, and procurement to be captured on one platform. In addition, by adding the transportation garage stockroom to the Facilities Operations Warehouse, all established policies and procedures will be adopted for the garage operations, which includes use of AiM to capture all inventory, as well as recording returns. This will be completed by December 31, 2022 by the UNH Associate Vice President for Facilities and Operations.
(3) By adding the Transportation Garage stockroom to the Facilities Operations Warehouse, all established policies and procedures will be followed, which includes use of AiM to capture all inventory, as well as recording returns. In addition, segregation of duties for receiving and recording vehicle parts will be implemented. This will be completed by June 30, 2022 by the UNH Associate Vice President for Facilities and Operations.
(4) By utilizing the Facilities Work order system, AiM, the review of work orders will be the following: 1) Fleet mechanic completes work which is documented in AiM including parts used and 2) Service writer and/or manager verifies every AiM work order by checking workmanship and that the documentation within the work order correctly describes work and parts used. This will be completed by June 30, 2022, based on the capabilities of AiM, by the UNH Associate Vice President for Facilities and Operations.
(5) We will reinforce existing USNH policy on supporting documentation. All purchases will be documented through AiM as they currently are at the facilities operations warehouse. This will be completed by June 30, 2022 by the UNH Associate Vice President for Facilities and Operations.
(6) We will reinforce existing USNH policy on documenting business purpose before approving the transaction. All purchases will be approved through AiM and UShopNH. This will be completed by June 30, 2022 by the UNH Associate Vice President for Facilities and Operations.
(7) We will periodically review access over AiM to ensure least privilege principles and segregation of duties apply. The first review will be completed and documented by March 31, 2022, based on the capabilities of AiM, by the UNH Associate Vice President for Facilities and Operations.

MGT. EXPLANATION & RESOLUTION PLAN @ 12/22/2021: NEW

80 2021 UNH Garage Inventory

Enhance annual inventory verification

(1) We will implement established policies and procedures from UNH Facilities Services. Facilities Services will supervise the inventory process and obtain supporting documentation if the year-end count needs to be adjusted outside of the count. This will be completed by June 30, 2022.
(2) Every single part is given a bin location regardless of value. The bin is included in the year end count and counted regardless of value (even zero value items soap dispensers etc.). This will be completed by December 31, 2022 by the UNH Associate Vice President for Facilities and Operations.
(3) We will establish a process to identify annually any vehicle parts that are potentially in excess and should be removed from the inventory and written off. Reports are developed that show when parts are received, placed in, and taken out of inventory. We will use these reports to determine if the part should still be in inventory or if the part needs to be removed from inventory and written off. This will be completed by December 31, 2022 by the UNH Associate Vice President for Facilities and Operations.
(4) With the implementation of AiM, every single part will be received into inventory and “sold” out of inventory, including no cost items. Special order parts will continue to be recorded on purchase orders and charged out to work orders as well. These procedures will maintain the inventory accurately and with the 3-way match the inventory cost will be accurately recorded in the inventory. In addition, this creates a trail that is easily navigated to see cost and to run reports that would show what campus entity bought an item (housing, operations locations, campus customers etc.). This will be completed by December 31, 2022, based on the capabilities of AiM, by the UNH Associate Vice President for Facilities and Operations.
(5) Any discrepancies found will be brought to the stockroom manager’s attention. The manager will be the only staff member that has permission within AiM to make any adjustments. In addition, the stockroom manager will request any supporting documentation to support the adjustments. This will be completed by December 31, 2022 by the UNH Associate Vice President for Facilities and Operations.

MGT. EXPLANATION & RESOLUTION PLAN @ 12/22/2021: NEW

81 2021 UNH Garage Inventory

Enhance billing and collection process

(1) The decision was made to no longer provide services to non-UNH entities. This has been completed on August 5, 2021.
(2) We will review all unbilled work orders to external parties to ensure reimbursements are received and revenue is recorded. This will be completed by June 30, 2022 by the UNH Associate Vice President for Facilities and Operations.
(3) UNH Management determined that markups on parts and services will be discontinued and internal UNH departments are billed these services at cost. This has been completed by July 1, 2021.

MGT. EXPLANATION & RESOLUTION PLAN @ 12/22/2021: NEW


Dec-22 Dec-22 In Process 1/22

Jun-21 Mar-22 In Process 11/21

Jun-21 Mar-22 In Process 11/21

84 2020 USNH Contract Management

Enhance existing Standard Contracts

1) Revised general terms and conditions have been drafted which are being used to create a USNH Master Service Agreement (MSA) template. The revised MSA along with frequently used contract templates (ex. Consultant Agreements, Facilities Rental Agreement, ICA) will be made available for campus use as soon as possible. While the MSA template has been updated, a decision was made not to make it available to campuses until the Jaggaer contracts module has been implemented. This will be completed by June 30, 2021 - USNH Chief Procurement Officer
2) The Jaggaer contracts module will provide contract drafting functionality and the standard USNH terms and conditions, etc. will be available for utilization by users. Non-USNH contracts will require a business justification and we anticipate a higher level of review and approval will be required for non-USNH contracts as they are deemed to be higher risk. This will be completed by June 30, 2021 - USNH Chief Procurement Officer

83 2020 USNH

Enhance Protocols around Signature Authority Administration

(1) Creating a new list of delegations within the Jaggaer contracts module with primary delegations to be provided to specific positions and automatically terminated when an employee leaves that position. This will be completed by June 30, 2021 - USNH Chief Procurement Officer
(2) Once the updated delegation list is established, all existing delegations will be rescinded, and the new delegations immediately put in place. In addition, procedures will be developed to address changes to the list of delegations. This will be completed by June 30, 2021 - USNH Chief Procurement Officer
(3) An annual review of the delegation list will be performed, adjustments made as needed, and the final list will be approved by the USNH Treasurer. This will be completed by June 30, 2021 - USNH Chief Procurement Officer
(4) A recent decision has been made to implement the Jaggaer contracts module beginning in March 2020. As the technology will provide automated workflow approvals for contracts, we believe we will also be able to reduce the number of signature delegations that currently exist today. This will be completed by June 30, 2021 - USNH Chief Procurement Officer
(5) As part of the current effort to update signature delegations, implement the Jaggaer contracts module, and establish a new business process, communication will be created and endorsed by the Treasurer, Procurement, and Campus CFOs detailing the role of authorized signature delegates and that unauthorized contract signature will result in disciplinary action. This will be completed by June 30, 2021 - USNH Chief Procurement Officer

MGT. EXPLANATION & RESOLUTION PLAN @ 11/15/2021: (1) - (5) In process. USNH Procurement is close to moving the Contract+ module within UShopNH into production which will address the action items on the audit, but we are still a couple of months away from “going live”. We anticipate a release some time in Q1 CY22. The release date on Contracts+ is also influenced by other factors such as the FOC restructure and UShop Shopper/Requisitioner training. The due date for the management action plan will be extended to March 31, 2022. An update will be provided during the June 2022 Audit Committee meeting.

MGT. EXPLANATION & RESOLUTION PLAN @ 11/15/2021: (1) - (2) In process. USNH Procurement is close to moving the Contract+ module within UShopNH into production which will address the action items on the audit, but we are still a couple of months away from “going live”. We anticipate a release some time in Q1 CY22. The release date on Contracts+ is also influenced by other factors such as the FOC restructure and UShop Shopper/Requisitioner training. The due date for the management action plan will be extended to March 31, 2022. An update will be provided during the June 2022 Audit Committee meeting.

Contract Management

82 2021 UNH Garage Inventory

Enhance control structure, authority, and responsibilities for UNH Operations

We will develop formal policies and procedures regarding the day-to-day operations, including but not limited to roles and responsibilities of the staff, the receiving and recording of inventory parts, procurement of inventory parts and tools, recording of inventory cost, review and verification over repairs, and the acceptable use of UNH Garage facilities. As previously stated, the transportation garage has been rolled into Facilities and has gone through a re-organization. Under the direction of the Executive Director of Facilities Services, the Transportation Garage Manager currently oversees the shop service writer, stockroom clerk, part time bookkeeper, lead fleet mechanic, and three fleet mechanics. As part of the roll over into Facilities and once AiM has been fully installed, the stockroom clerk will move over to the Facilities Warehouse and report to the Facilities Materials Manager. The Facilities Warehouse, as described previously, already has the means and methods in place to handle the current and future inventory for parts needed to operate a successful garage. It is the responsibility of the fleet mechanics, as described in their essential job functions, to properly account for parts and inventory items. Likewise, it is described as an essential job function of the Transportation Garage Manager to verify that all parts and inventory used by the garage are properly accounted for. This will be completed by December 31, 2022 by the UNH Associate Vice President for Facilities and Operations.

MGT. EXPLANATION & RESOLUTION PLAN @ 12/22/2021: NEW


Jun-21 Mar-22 In Process 11/21

Jun-21 Mar-22 In Process 11/21

Jun-20 Dec-21 In Process 11/21

Jan-21 Jan-22 In Process 11/21

87 2020 USNH Duplicate Payments

USNH Independent Contractor

Lack of formal ownership for independent contractor process

Enhance controls over entry and payment of vendor invoices

MGT. EXPLANATION & RESOLUTION PLAN @ 11/15/2021: (1) - (5) In process. The Independent Contractor Agreement has been revised to include a hiring admin signature. Once the procurement policy is finalized, all information will be shared once the Contract+ module is implemented. USNH Procurement is close to moving the Contract+ module within UShopNH into production which will address the action items on the audit, but we are still a couple of months away from “going live”. We anticipate a release some time in Q1 CY22. The release date on Contracts+ is also influenced by other factors such as the FOC restructure and UShop Shopper/Requisitioner training. The due date for the management action plan will be extended to March 31, 2022. An update will be provided during the June 2022 Audit Committee meeting.

88 2020

MGT. EXPLANATION & RESOLUTION PLAN @ 11/15/21: In process; USNH Procurement is working on the development of ICA policy, procedures, and process, while incorporating the revised FAR structure.

The independent contractor policy, procedures and process will be reviewed and revised, outlining who owns each step in the process along with the risk associated, including the responsibility for compliance with IRS and DOL requirements. This work will be completed by January 1, 2021.

(1) USNH Financial Services validated the duplicate payments and will work with campuses to recover funds from the vendor or apply the overpayment to future vendor invoices, as necessary. We will have this completed by June 30, 2020.(2) UNSH Financial Services will incorporate a monthly review of continuous monitoring reports for duplicate payments to begin by June 30, 2020.

MGT. EXPLANATION & RESOLUTION PLAN @ 11/12/21: (1) In process; USNH Financial Services is working with campuses to get collection updates on all duplicate payments identified during the audit. (2)Resolved December 31, 2020 Audit Committee meeting.

85 2020 USNH Contract Management

Reinforce existing USNH Procurement Policies and

Procedures

1) UShopNH is in the process of being released to campuses. All USNH procurement policies are incorporated into the application. A pilot group will start utilizing UShopNH in April 2020. In order to complete a purchase, campus staff are required to complete all steps. In addition, a reiteration of USNH procurement policies will be made via a System-wide communication and training opportunities. This will be completed by October 31, 2020. In addition, a link to Procurement policies will be made available on the USNH Procurement website and TeamDynamix induction page. This will be completed by October 31, 2020 - USNH Chief Procurement Officer2) UShopNH will soon become the central repository for USNH contracts. Additionally, the utilization of UShopNH should also decrease the number of contracts executed by USNH via consolidation of institutional contracts into system-wide contracts, increased utilization of consortium agreements, etc. Contract overlap / consolidation will be managed through a combination of reporting and strategic planning sessions with the Central USNH Procurement Organization and the impacted business users. The current plan is to implement the Jaggaer contracts module over the next several months with an initial focus on contracts related to the procurement of goods and services. In FY21, USNH plans to continue expansion of the Jaggaer contracts module to also include other contract types such as revenue contracts, lease agreements, etc.. This will be completed by June 30, 2021 - USNH Chief Procurement Officer

MGT. EXPLANATION & RESOLUTION PLAN @ 11/15/2021: (1) Resolved for the January 2021 Audit Committee Meeting. (2) In process. USNH Procurement is close to moving the Contract + module within UShopNH into production which will address the action items on the audit, but we are still a couple of months away from “going live”. We anticipate a release some time in Q1 CY22. The release date on Contracts+ is also influenced by other factors such as the FOC restructure and UShop Shopper/Requisitioner training. The due date for the management action plan will be extended to March 31, 2022. An update will be provided during the June 2022 Audit Committee meeting

86 2020 USNH Contract Management

Enhance process around Contract Review

1) An updated contract checklist, including the review of appropriate stakeholders, has been created and will be made available to users in TeamDynamix, and on the USNH Procurement website. This will be completed by October 31, 2020 - USNH Chief Procurement Officer2) The checklist is incorporated within UShopNH once the Jaggaer contracts module is available. The checklist will address areas of due diligence, disclosure of existing or potential conflicts of interest, etc. This will be completed by June 30, 2021 - USNH Chief Procurement Officer3) USNH will provide communications and training as needed regarding the use of the Jaggaer contracts module. This will be completed by June 30, 2021 - USNH Chief Procurement Officer4) Once implemented, policies and procedures will be established to collect all procurement-related contracts within UShopNH. This will be completed by June 30, 2021 - USNH Chief Procurement Officer5) USNH has an independent contractor determination checklist which will be revised to include a signature from the hiring administrator and human resources. This will be completed by October 31, 2020 - USNH Chief Procurement Officer


89 | Originally Reported: 2020 | Entity: USNH | Audit: Independent Contractor

Risk/Control Issue: Enhance protocols for independent contractor process

Action Plan & Responsible Party:

(1) The independent contractor policy, procedures and process will be reviewed and revised, outlining who owns each step in the process along with the risk associated, including the responsibility for compliance with IRS and DOL requirements.

(2) USNH Procurement revised and communicated changes to the Independent Contractor Agreement (ICA) form and checklist to all campuses in August 2020. These revisions included the review of the checklist for accuracy and validation by the Project Administrator and Business Unit Director. Additional revisions will be made to require signature by designated campus authority with delegated authority to enter into agreement within delegated authority. In addition, the form will include current and former employee hire and termination dates. Finally, Procurement will limit ICA service periods to one fiscal year.

(3) Conflicts of interest will be evaluated based on Procurement Policy 6-001, Section C., Item 1, and USNH Personnel Policies, Section D, Item 7. Disagreements regarding non-approval of an independent contractor where there is a conflict, may be elevated to the campus VPFA for approval when they exceed $10,000. If Procurement disagrees with VPFA, Procurement may elevate to the VCFA at their discretion.

(4) USNH Procurement will review the completed ICA form to ensure the ICA policy has been followed, which will be outlined in the new policy referenced above.

(5) ICA document retention currently exists in Xtender and will be moved to USHOPNH.

(6) Create annual dashboard/report for tracking and reporting of ICA in USHOPNH. Create the distribution list for the report and the owner of the creation of the report.

Original Target Date: Jan-21 | Revised Target Date: Jan-22 | Status: In process 11/21

MGT. EXPLANATION & RESOLUTION PLAN @ 11/15/21: (1) In process; USNH Procurement is working on the development of ICA policy, procedures, and process, while incorporating the revised FAR structure. (3) USNH Procurement is working on the development of a Conflict of Interest form to allow for disclosure in accordance with Procurement policies. (4) In process (5) Procurement is currently evaluating indexing and imaging options for Procurement forms in UShopNH. (6) Procurement is evaluating reporting options to allow for efficient and effective vendor management, inclusive of ICA.


Item VII.C. Ethics and Compliance Hotline and Fraud Reports Summary


CY2021 - Ethics and Compliance Hotline and Fraud Reports Summary

Report Date | Campus | Issue Type | Assigned to | Days open | Date Closed
12/10/2021 | PSU | Conflict of Interest | VP for Finance & Administration, PSU, and Interim Provost and Vice President of Academic Affairs, PSU | 7 | 12/17/2021
11/16/2021 | PSU | Other Athletic Matters | Director of HR, PSU | 22 | 12/8/2021
11/08/2021 | KSC | Discrimination or Harassment | Title IX Program Manager, KSC | 58 | 1/5/2022
11/08/2021 | PSU | Discrimination or Harassment | N/A | In Process
11/08/2021 | PSU | Other Human Resource Matters | N/A | In Process
09/17/2021 | PSU | Other Financial Matters | Finance Director, PSU, and Interim Provost and Vice President of Academic Affairs, PSU | 19 | 10/6/2021
09/16/2021 | PSU | Disclosure of Confidential Information | VP for Finance & Administration, PSU | 20 | 10/6/2021
08/29/2021 | PSU | Unsafe Working Conditions | President, PSU | 31 | 9/29/2021
08/24/2021 | UNH | Other Financial Matters | Vice Provost of Enrollment Management, UNH, and UNH Human Resource | 150 | 1/21/2022
07/15/2021 | PSU | Conflict of Interest | Director of HR, PSU | 11 | 7/26/2021
04/30/2021 | PSU | Student Safety | PSU Police | 3 | 5/3/2021
04/26/2021 | USNH | Employee Misconduct | Chief Administrative Officer, USNH | 7 | 5/3/2021
04/06/2021 | PSU | Other Financial Matters | VP for Finance & Administration, PSU | 6 | 4/12/2021
03/18/2021 | KSC | Public Safety | President, KSC | 5 | 3/23/2021
02/22/2021 | PSU | Other Financial Matters | VP for Finance & Administration, PSU | 4 | 2/26/2021

VP for Finance & Administration, PSU, and Director of HR, PSU
