
Page 1: NDUS Performance Audits

8/3/2019 NDUS Performance Audits

http://slidepdf.com/reader/full/ndus-performance-audits 1/291

 ©2011 LarsonAllen LLP

Bismarck State College

Risk Assessment Results

October 14, 2011

Craig W. Popenhagen, CPA

Principal

612/397-3087

[email protected]


Enterprise-Wide Risk Assessment | Bismarck State College 

©2011 LarsonAllen LLP

October 14, 2011

Mr. Larry Skogen

Bismarck State College

1500 Edwards Avenue

PO Box 5587

Bismarck, ND 58506-5587

Dear Mr. Skogen,

This report provides you, Bismarck State College (BSC) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementing strategies to achieve the Board's acceptable risk level.

LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided.

In addition, the procedures performed by LarsonAllen are not a substitute for management's responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide Bismarck State College with insight into inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project.

We appreciate the opportunity to assist Bismarck State College. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance.

Sincerely,

LarsonAllen LLP

Craig W. Popenhagen, CPA Principal

612/397-3087

[email protected]

220 South Sixth Street, Suite 300

Minneapolis, MN 55402-1436

612-376-4500, Fax 612-376-4850


Table of Contents

Executive Summary 1

  What is Risk Assessment? 1

  Risk Assessment Methodology 1

Project Overview 4

  Objectives and Scope 4

  Approach 4

Risk Assessment Results 6

  Enterprise-Wide Risk Map 6

  Detailed Results 6

Appendix 16

  Impact Criteria 16

  Vulnerability Criteria 16


Executive Summary

LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for Bismarck State College. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process's potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically.

Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical representation of the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Detailed results are also provided communicating the explanation for the risk ranking and recommendations for addressing the risks.

What is Risk Assessment?

Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution, whether at the entity or process level.

• Entity level objectives are the cornerstone for effective control and provide guidance on what the entity wants to achieve. They should be consistent with budget, strategy, and business plans.

• Process level objectives should align with entity level objectives but differ in that they relate directly to goal setting with specific targets and deadlines. They provide guidance for management focus.

Risk Assessment Methodology

The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for Bismarck State College.


Understand the Client's Business: We begin by understanding the North Dakota University System's (the System) business by gathering the business objectives, goals, and strategies and identifying the System's various universities and colleges in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry.

Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of an institution to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken, in the form of missed opportunities. There are six types of risks:

• Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the institution's inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the institution's reputation.

• Financial: The risk that the institution's financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.

• Operational: The risk that the institution's operational processes are not achieving the objectives they were designed for to support the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.

• Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations and directives, and to accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.

• Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the institution, the availability and quality of information the institution can access to support decision making, and the security of key information.

• Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforcing policies and procedures; the selection, screening, and training of employees; and the reason for and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that a business interruption would seriously impact those relationships.

Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See the illustration below for definitions.


[Illustration: risk measurement scale. Impact areas of focus: Financial; Stakeholder; Reputation; Legal / Regulatory; Operations. Vulnerability areas of focus: Control Efficiency & Operating Effectiveness; Speed of Response; Complexity; People; Operational Efficiency; System Capability; Rate of Change. Measurement scale: High Risk, Moderate Risk, Low Risk. The definitions for each level are given in the Appendix.]

Execute Risk Assessment Approach: We begin by identifying various interview participants, including key risk owners, and conduct interviews, as applicable. Key risks are gathered during this stage and results are ranked by the defined impact and vulnerability criteria.

Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that plots the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then validated and shared with management, as appropriate. By prioritizing and validating risks, Bismarck State College can align and prioritize its resources to manage and mitigate risks appropriately.



Project Overview 

Objectives and Scope

The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at Bismarck State College and assess the levels of risk within each of the process areas. In addition, the assessment provides management with visibility into the process areas that contain the highest potential risk as determined by the risk assessment process.

The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution (functional area / process, followed by the detailed coverage of that area):

• Academic Affairs: On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment

• Athletics: Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance

• Campus Safety & Security: Building security, campus police/security

• Continuing Education: Non-credit courses, community programs, workforce training, conference management

• Emergency Preparedness: Emergency preparedness and response procedures, business continuity, risk management

• Environmental Health & Safety: Physical safety and soundness of campus buildings, environmental risks, facilities/classroom

• Financial Close & Reporting: Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes

• Governance: General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action

• Grant Administration: Grant tracking and monitoring, accounting, budgeting, reporting, foundation, donor concentrations, foundation investment strategy

• Human Resources & Payroll: Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention

• Information Technology: IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk

• Marketing / Communications: Social media, publications, web development, brand and logo, advertising channels

• Operations & Auxiliary Services: Bookstore, libraries, food services

• Faculty & Staff: Workforce training, competency, professional environment, conflict of interest

• Student Affairs: Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services

• Student Financial Processing: Student/financial aid, tuition, enrollment fees, scholarships, funding, student loan processing


Approach

With the assistance of Bismarck State College management, LarsonAllen identified 15 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area.

Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization and the vulnerability of the risk occurring (see the Appendix for further description of the definitions of impact and vulnerability criteria).


Risk Assessment Results 

Enterprise-Wide Risk Map

The enterprise-wide risk map communicates the risk results at the functional area / process level based on the information obtained during the interviews. The description of the risk map is as follows:

• Green: Low Risk

• Yellow: Moderate Risk

• Red: High Risk


Detailed Results

(Each entry gives the functional area / process, the risk ranking, the identified risk, and the proposed recommendation.)

Environmental Health & Safety

  Risk ranking: Low

  Identified risk: There are concerns related to the overall safety of campus facilities.

  Recommendation: BSC should continually monitor the overall safety of all buildings on campus to identify potential need for improvements.

Financial Close & Reporting

  Risk ranking: Moderate

  Identified risk: The cash reconciliation process is complex and very time intensive, and it requires the use of multiple spreadsheets.

  Recommendation: The cash reconciliation process should be reviewed and assessed to identify potential capabilities to automate the process and to identify existing inefficiencies or process breakdowns.

  Risk ranking: Moderate

  Identified risk: Lack of controls in CETI's registration system to properly secure credit card information.

  Recommendation: Controls should be established to properly secure credit card information in accordance with policy.

  Risk ranking: Moderate

  Identified risk: Balance sheet reconciliations are not being completed on a consistent basis.

  Recommendation: A schedule of all reconciliations should be created to identify the individual responsible for executing each reconciliation and the expected timeframe for completion. This schedule should be reviewed by management on an ongoing basis to identify any delays.

  Risk ranking: Moderate

  Identified risk: Segregation of duties controls should be reviewed in key cash receipts areas. In addition, it was noted that the person who enters payments and prints the checks also has the ability to set up a vendor.

  Recommendation: BSC should review all significant processes and identify the potential need for additional controls to enforce appropriate segregation of duties.

  Risk ranking: Low

  Identified risk: Bad debt and other applicable reserves are only analyzed and adjusted on an annual basis.

  Recommendation: Accounting estimates and judgments should be reviewed on a timely basis to minimize any inadequacies.


Grant Administration

  Risk ranking: Low

  Identified risk: Legislative changes related to federal grant recipients.

  Recommendation: No proposed recommendation.

  Risk ranking: Low

  Identified risk: Donor base concentration and investment strategy.

  Recommendation: No proposed recommendation.

Human Resources & Payroll

  Risk ranking: Moderate

  Identified risk: Employee workload is a concern.

  Recommendation: Human Resources and senior management should assess current FTE workload by department, identify areas of concern, and suggest departmental changes to better manage existing workload.

  Risk ranking: Moderate

  Identified risk: Payroll processes are very manual (i.e., Excel spreadsheets are used to calculate hourly employees' payroll, sick and vacation time, which are then manually keyed into PeopleSoft upon manual approval).

  Recommendation: Information technology personnel should work in conjunction with payroll personnel to identify potential automated controls within the existing PeopleSoft system.

  Risk ranking: Low

  Identified risk: Payroll orders are currently being sent via regular mail, and there are concerns about employee IDs being exposed if the payroll orders do not arrive at their destination.

  Recommendation: An automated workflow should be established to properly secure employee information.


Information Technology

  Risk ranking: High

  Identified risk: No formal disaster recovery plan.

  Recommendation: BSC should assess the need to develop and maintain a formal disaster recovery plan. This would include, but is not limited to:

  • Risk exposures

  • Recovery team responsibilities

  • First response process/procedures

  • Functional assessment process

  • Asset protection

  • Communications approach

  • System recovery timeframes

  • Maintenance/testing

  • Training

  Risk ranking: Moderate

  Identified risk: Lack of a comprehensive information security policy and procedure manual.

  Recommendation: BSC should assess the need to develop and maintain a formal and comprehensive information security plan.

  Risk ranking: Low

  Identified risk: Inability to extract data for BSC to report to the state, leadership, auditors, etc.

  Recommendation: BSC management should work closely with the information technology department to identify opportunities to improve system capabilities to produce reports on an as-needed basis.


Marketing & Communications

  Risk ranking: Moderate

  Identified risk: Improvements are needed in reporting on key performance indicators (i.e., how much each marketing technique costs per student, how dollars are being spent, and how the dollars could be adjusted to create more opportunities).

  Recommendation: BSC should identify the criteria necessary to assess key performance indicators and work closely with the information technology department to identify system capabilities to produce the required information.

  Risk ranking: Moderate

  Identified risk: Need to improve marketing locally and nationally to reach additional potential students.

  Recommendation: BSC should identify additional marketing opportunities for reaching out to a broader group of potential students.

  Risk ranking: Moderate

  Identified risk: Competition from the other universities and colleges in ND is a growing concern.

  Recommendation: BSC should identify opportunities for reaching out to a broader group of potential students.

  Risk ranking: Low

  Identified risk: Lack of approval and review of changes made to BSC's internet web page.

  Recommendation: Controls should be established to limit who has the capability to make media changes. In addition, a formal approval policy should be established.

Operations & Auxiliary Services

  Risk ranking: Low

  Identified risk: Adequacy of financial controls in auxiliary services.

  Recommendation: Overall internal controls should be reviewed and assessed to identify potential risks related to all auxiliary services.

Faculty & Staff

  Risk ranking: Low

  Identified risk: Conflict of interest in relation to vendors and employees.

  Recommendation: BSC should review the current conflict of interest policy for adequacy. In addition, identify the potential need for additional controls to enforce the appropriateness of vendor/employee relationships.


Student Affairs

  Risk ranking: Moderate

  Identified risk: Confidentiality of academic records.

  Recommendation: Additional controls should be implemented to properly secure academic records and other privacy-specific information in accordance with federal/state regulatory requirements.

  Risk ranking: Moderate

  Identified risk: Additional needs from the System Office related to training for compliance (i.e., SFA changes).

  Recommendation: BSC should identify the specific needs related to an appropriate learning and development plan in relation to compliance. Upon completion, BSC should work closely with the System Office to identify opportunities to receive the necessary training, or identify whether other methods are needed.

  Risk ranking: Moderate

  Identified risk: Improved controls are needed for background checks for students.

  Recommendation: Key BSC stakeholders should identify areas for improvement in the existing background check process for future and current students.

  Risk ranking: Low

  Identified risk: Concern that BSC policies conflict with those of partnership groups utilizing campus services (i.e., when K-12 programs are on campus or when BSC hosts/maintains events with alcohol), together with a lack of policies and liability concerns.

  Recommendation: BSC should assess the need to develop and maintain formal policies in relation to social event hosting with outside groups utilizing BSC facilities.


Student Financial Processing

  Risk ranking: Moderate

  Identified risk: Course fees are currently not a key area of focus at BSC. For example:

  • What is being done with the course fees and their usage, and can unused funds be carried over or counted as reserves?

  • Is the fee established at the right dollar amount?

  • Is the fee too high; is the College charging too much?

  Recommendation: Internal monitoring controls should be reviewed to evaluate course fees.


Appendix

Impact Criteria

HIGH

  Financial: (1) Asset size; (2) Prior negative exposure; (3) Rapidly increasing transaction volume

  Stakeholder: (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns

  Reputation: (1) Potential adverse issues are known to external parties, such as media and regulatory bodies

  Legal / Regulatory: (1) Any Federal/State/Other action; (2) External Audit reportable conditions

  Operations: (1) Current infrastructure cannot support business strategy

MEDIUM

  Financial: (1) Asset size; (2) Major potential cost; (3) Transaction volume stable

  Stakeholder: (1) Management, employees and faculty may be affected by process inefficiencies or control breakdown

  Reputation: (1) Potential adverse issues could impact customers

  Legal / Regulatory: (1) Issues identified by Federal/State/Other; (2) Issues identified by External Audit

  Operations: (1) Current infrastructure is able to support business strategy with work-arounds

LOW

  Financial: (1) Asset size; (2) Minor potential cost; (3) Transaction volume stable

  Stakeholder: (1) No management, employees and faculty are affected by process inefficiencies or control breakdown

  Reputation: (1) Potential adverse issues could impact employees

  Legal / Regulatory: (1) No issues identified by Federal/State/Other; (2) No issues identified by External Audit

  Operations: (1) Current infrastructure is able to support business strategy

Vulnerability Criteria

HIGH

  Control Effectiveness and Efficiency: Controls are not working or do not exist.

  Speed of Response: No method for anticipating and assessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.

  Complexity: Manual processes with many data transfer points and owners.

  People: A limited number of staff, or current staff has limited competency to manage risk events. Inadequate cross-training exists.

  Operational Efficiency: High/unmeasured cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.

  System Capability: Systems are not operating as designed or the design is flawed; very limited controls.

  Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months.

MEDIUM

  Control Effectiveness and Efficiency: Controls are detective but not preventive, and there may or may not be effective reporting.

  Speed of Response: A method for anticipating and assessing specific risk events exists, but issues are not effectively escalated to the appropriate executives.

  Complexity: Automated process encompassing multiple systems and owners.

  People: A limited number of staff and/or staff has moderate competency to manage risk events.

  Operational Efficiency: Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.

  System Capability: Systems are operating as designed, but the design can be improved; controls are bolted on top of the system.

  Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months.

LOW

  Control Effectiveness and Efficiency: Controls are appropriately preventive and detective and there is effective reporting.

  Speed of Response: A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.

  Complexity: Automated processes with integrated systems.

  People: Most staff has high competency to manage risk events.

  Operational Efficiency: Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.

  System Capability: Systems are designed, implemented, and operating effectively; controls are embedded in the system.

  Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.


 ©2011 LarsonAllen LLP

Dakota College Bottineau 

Risk Assessment Results

October 14, 2011

Craig W. Popenhagen, CPA

Principal

612/397-3087

[email protected]


Enterprise-Wide Risk Assessment | Dakota College Bottineau 

©2011 LarsonAllen LLP

October 14, 2011

Dr. David Fuller

Minot State University

500 University Avenue West

Minot, ND 58707

Dr. Fuller,

This report provides you, Dakota College Bottineau (DCB) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementing strategies to achieve the Board's acceptable risk level.

LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided.

In addition, the procedures performed by LarsonAllen are not a substitute for management's responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide Dakota College Bottineau with insight into inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project.

We appreciate the opportunity to assist Dakota College Bottineau. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance.

Sincerely,

LarsonAllen LLP

Craig W. Popenhagen, CPA Principal

612/397-3087

[email protected]

220 South Sixth Street, Suite 300

Minneapolis, MN 55402-1436

612-376-4500, Fax 612-376-4850


Table of Contents

Executive Summary 1

  What is Risk Assessment? 1

  Risk Assessment Methodology 1

Project Overview 4

  Objectives and Scope 4

  Approach 4

Risk Assessment Results 6

  Enterprise-Wide Risk Map 6

  Detailed Results 7

Appendix 37

  Impact Criteria 37

  Vulnerability Criteria 37


Executive Summary

LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for Dakota College Bottineau. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process's potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically.

Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical representation of the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Detailed results are also provided communicating the explanation for the risk ranking and recommendations for addressing the risks.

What is Risk Assessment?

Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution, whether at the entity or process level.

• Entity level is the cornerstone for effective control and its objectives provide guidance on what the entity wants to achieve. It should be consistent with budget, strategy, and business plans.

• Process level should align with entity level objectives but differ in that they relate directly to goal setting with specific targets and deadlines. It provides guidance for management focus.

Risk Assessment Methodology

The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for Dakota College Bottineau.


Understand the Client’s Business: We begin by understanding the North Dakota University System’s (the System) business by gathering the business objectives, goals, and strategies and identifying the System’s various universities and colleges in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry.

Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of an institution to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken, in the form of missed opportunities. There are six types of risks:

• Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the institution’s inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the institution’s reputation.

• Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.

• Operational: The risk that the institution’s operational processes are not achieving the objectives they were designed for to support the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.

• Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.

• Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the institution and the availability and quality of information the institution can access to support decision making, and the security of key information.

• Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships.

Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See the illustration below for definitions.


[Illustration: LarsonAllen risk model. Areas of focus: Financial; Stakeholder; Reputation; Legal / Regulatory; Operations; Control Efficiency & Operating Effectiveness; Speed of Response; Complexity; People; Operational Efficiency; System Capability; Rate of Change. Measurement scale for impact and vulnerability: High Risk, Moderate Risk, Low Risk.]

Execute Risk Assessment Approach: We begin by identifying various interview participants, including key risk owners, and conduct interviews, as applicable. Key risks are gathered during this stage and results are ranked by defined impact and vulnerability criteria.

Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then validated and shared with management, as appropriate. By prioritizing and validating risks, Dakota College Bottineau can align and prioritize its resources to manage and mitigate risks appropriately.


Project Overview 

Objectives and Scope

The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at Dakota College Bottineau and assess the levels of risk within each of the process areas. In addition, the assessment provides management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process.

The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution:

Functional Area / Process: Detailed Coverage of Functional Area / Process

Academic Affairs: On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment

Athletics: Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance, player and spectator liability

Campus Safety & Security: Building security, campus police/security

Continuing Education: Non-credit courses, community programs, workforce training, conference management

Emergency Preparedness: Emergency preparedness and response procedures, business continuity, risk management

Environmental Health & Safety: Physical safety and soundness of campus buildings, environmental risks, facilities/classroom

Financial Close & Reporting: Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes

Governance: General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action

Grant Administration: Grant tracking and monitoring, accounting, budgeting, reporting

Human Resources & Payroll: Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention

Information Technology: IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk

Marketing / Communications: Social media, publications, web development, brand and logo, advertising channels

Operations & Auxiliary Services: Bookstore, libraries, food services

Faculty & Staff: Workforce training, competency, professional environment, conflict of interest

Student Affairs: Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services

Student Financial Processing: Student financial aid, tuition, enrollment fees, scholarships, funding, student loan processing


Approach

With the assistance of Dakota College Bottineau management, LarsonAllen identified 14 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area.

Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).


Risk Assessment Results 

Enterprise-Wide Risk Map

The enterprise-wide risk map communicates the risk results at the functional area / process level based on the information obtained during the interviews. The description of the risk map is as follows:

• Green – Low Risk

• Yellow – Moderate Risk

• Red – High Risk

The following functional areas / processes are not on the above risk map as there were no risks identified by stakeholders, per the interview discussions:

• Continuing education


Detailed Results

Per discussions with process owners, LarsonAllen identified several processes where specific risks may exist. These risks ideisk ranking of each key financial, operational, and IT processes. The risks identified were based upon discussions with proesting of controls. The following is a list of the risks identified by LarsonAllen, in addition to the risk ranking and recommend

Functional Area / Process: Academic Affairs
Risk Ranking: Moderate
Identified Risk: Enrollment is significantly dependent on athletics and there are concerns whether the current and future expenses/costs are appropriately subsidized by enrollment.
Proposed Recommendations: Perform an assessment to determine if athletic expenses are subsidized by enrollment and develop action plans based on the results.

Dakota Collegsports that are North Dakota follows: Ice HSoftball. For 2Ice Hockey, 55Softball. Hockand participanyears. Footbalparticipant num

to-year. It is a student-athletenot have attenprograms. It isderived from eathletes more tAuxiliaries alsrequire servicedining.

However, a deratio for the en

and ought to bwith a detailed


Functional Area / Process: Academic Affairs
Risk Ranking: Moderate
Identified Risk: Concerns related to funding for future growth of the Entrepreneur Center for Horticulture.
Proposed Recommendations: Identify additional marketing opportunities to reach a broader market, including networking with other colleges and universities within North Dakota, additional services to support program fees, and identify additional grant opportunities.

The Entreprenestaff has forme

Dakota State UCommunity CoThe ECH DireScaling Up LoSummit on Maacademics andat NDSU, to exprograms beinknowledge basuniversity and worked with a design an apprGroupSystems

11th, NDSU pewell as two meteam worked tomeeting are ex

In addition, theworkshops thagrad students aimportant connNDSU exploreresearch on higcomplement th

Harlene HatterSpecialist in thNDSU, works producer contagaps in produc


Academic Affairs

Moderate Dakota CollegTurtle Mounta

with the ECH both colleges aThe TMCC ImGardening Prodistrict (over aopportunities (gardening, fooweed & pest cindustry) and gseeds, and seeguest lecturer occasion. As tVegetable Pro

producers, TMthe courses anbenefit of stud

Although MonNorth Dakota,they are currenneeds of produportion of the administrated Extension persGiving Assista

501(c)3 non-pmission is to din eastern Monincreasing the Table works clocal food eco


Academic Affairs

Moderate value-add prodfood services aour goal of a l

and Bruce SmTable have cooutreach activrelationship toMSU-ExtensioDakota produc

To provide adprogram has inservice providMinot State Ubeen working campus and in

that could be gfacilities and iboth DCB andECH is in its sCommunity Sushares in its prthen receive wCSA will increas the demonsmaking longer


Academic Affairs

Moderate Beginning in tregister studen

Production Prothe school andhired for this papproved by thAcademic Affidentified and Additionally, tmain responsibmanagement sacross the statby funding thrCareer and Tetuition based.

the sustainabil

Although the Efunding cycle submit a Specibehalf of the NGrowers Assohas provided fprovide admingranting cyclecontinue to ap


Academic Affairs

Moderate The Federal Egot the ECH

again be availin 2012. Thereapply for fukept the ECHupdate to thapplication. Athat it has mogrant. If succUniversity Cereliable incom

In addition, identified whi

Organic FarmAgriculture ReTrust, and sevECH will appavailable and ECH and its cl


Functional Area / Process: Academic Affairs
Risk Ranking: Moderate
Identified Risk: Concerns related to certain classes that are being offered due to low enrollment and programs that are offered with no majors.
Proposed Recommendations: Perform a cost/benefit analysis to determine if it makes good business sense to continue classes, programs, and majors that have low enrollment.

Dakota Collegenrollment cla

following proglow enrollmenInformation SyInformation ALegal Secretarclasses do remcontent for a v

It is advisable reliable formulprograms to derevenue derivemake more ast

retaining low e


Functional Area / Process: Academic Affairs
Risk Ranking: Moderate
Identified Risk: Lack of training for academic advisors to allow advisors to be the most effective for students, including being knowledgeable about what classes are only offered every other year, etc.
Proposed Recommendations: Provide ongoing training and class schedule update information for advisors to be the most effective for students. In addition, consider implementing a student feedback process for the advisors and the institution to gain visibility to strengths and weaknesses of the academic advising process.

A way to measacademic advi

measurement iscores. A largescore of 1.5, shstudents’ expescore such as .to meeting stu

When the Collwas measuredthe national peDakota Univerwas .87 for fouyear institution

The data showfavorably to itsregard to the efpractices. Howconcerning thecomprise the agive direction advising/retent


Functional Area / Process: Academic Affairs
Risk Ranking: Low
Identified Risk: Identifying a faculty member for the new program starting this fall in the Entrepreneur Center for Horticulture.
Proposed Recommendations: Continue to focus on identifying a faculty member for the new program within the Entrepreneur Center for Horticulture, including networking with other colleges and universities.

A faculty memprogram that is

Center for Hor

Functional Area / Process: Academic Affairs
Risk Ranking: Low
Identified Risk: The number of high school students graduating from North Dakota is declining and competition is high with other North Dakota colleges and universities to attract and retain students.
Proposed Recommendations: Continue to identify opportunities on how to reach out to a broader group of potential students. In addition, market studies should be performed on potential major and course offerings to improve enrollment.

Faced with decschool graduatnew markets fois the out-of-sthas undertakenfive years, the College’s new to 20% to 24%also increased

in 2001. In Falnine students iregistrations; iand there wereA similar scenProgram. Up uBottineau studcampus to earnclasses. DuringDual Credit stuan effort to serstate, the CollePrior Learning

have their occucollege credit.


Academic Affairs

Low second year anto be an ideal p

enough creditsthat they can swith work expan especially vSystem’s NonDakota Collegnecessary stepFriendly CampServices. As sservice men anMyCAA and Gprovide for-crethis two-year o

The faculty anand course offof new major oServices, ParaVegetable ProVegetable Proofferings beingTechnician, Coptions for ourNatural Resouoil industry wo

The campus wreach out to a bexamining newDakota’s work


Functional Area / Process: Athletics
Risk Ranking: Moderate
Identified Risk: There is not a trainer to support the athletics programs; therefore, there is not a dedicated first responder on site, which reflects on the perception of the institution when targeting athletic program students.
Proposed Recommendations: Perform a cost/benefit analysis to determine if an open position should be created to allow for a trainer to be on campus.

Dakota Collegtrainer for its c

years, the hourincreased. In aService and theand hockey comost home hocresponders pregames. For 201asked to negotservices and foall home conte

A goal of the Ctrainer who wi

athletes. The pnew hires that affordability ba


Functional Area / Process: Athletics
Risk Ranking: Moderate
Identified Risk: The amenities and equipment for athletics need to be enhanced or replaced.
Proposed Recommendations: Perform a cost/benefit analysis to determine if it makes good business sense to increase amenities specific to athletics and replace or purchase additional equipment.

The institutionsupport its athl

has been fulfillability. A purpcontinually strprogram and toquo. At presenconnected to fasuitably turnedallocated each 2012, approximpurchases will Dakota Colleginto consideratpriorities and n

since the Colleseven varsity tmakes good bupurchase additprograms.


Functional Area / Process: Athletics
Risk Ranking: Moderate
Identified Risk: It is difficult to continually raise money for athletics via fundraising activities due to the size of the community.
Proposed Recommendations: Continue to evaluate whether there are additional opportunities to perform fundraising activities. Develop a short and long term plan for fundraising ideas, how many events will take place annually, how many dollars are needed to be raised at each event, etc.

The Logrollerfor college ath

scholarship doset agenda of asuccessful funLogroller itine

1.  Busine2.  Calend3.  Gorder4.  Trip to

The number ofthrough the an2012, Logrolle$12,000 and inathletes for the

of this money ihowever, contrNorth Dakota,

During the curfundraising initarget prospectBottineau. OneLumberjack aninto a career andatabase of thedeveloped and

a sequential mdonation. The community frocontiguous coupledge X numborganization foprograms have


Functional Area / Process: Campus Safety & Security
Risk Ranking: Low
Identified Risk: Appropriate security resources are not in place to perform sufficient ongoing monitoring across campus.
Proposed Recommendations: Review the available security resources or time allotted for police force to be on campus and determine if additional resources are needed or if additional security measures should be implemented.

The College ismonitor the ca

cameras. A plahas been develvendor and shbiennium. Eacinclude a line iCollege has incameras and bThe system cacan change enlost or not retuThe key card ithe next bienn

Dakota Collegwith the Bottinthe campus aninsure campuswith the Coundeputies to staresidence hallsconducts hourgrounds checksuspicious actiprocedure was

Additional secbiennium. Thethis purpose, henhance securi


Functional Area / Process: Emergency Preparedness
Risk Ranking: Moderate
Identified Risk: Lack of communication related to emergency response procedures and concerns that the involvement in training and testing of the procedures is not campus-wide.
Proposed Recommendations: Identify additional ways to communicate emergency response procedures and provide training and testing that involves several areas across the institution.

The College haprocedures and

Risk Managempolicy and procseparate in-sersimulated crisiup on campus response can bresponse testinannually to helprocess and pro


Functional Area / Process: Environmental Health & Safety
Risk Ranking: Low
Identified Risk: Current facilities will not support another significant increase in headcount, both academically and athletically. In addition, office space is not available for administration offices to allow for enrollment growth.
Proposed Recommendations: Perform a cost/benefit analysis to determine if additional capital projects should be pursued to support current and potential future increase in enrollment.

The College isto later in the a

this action willlabs in the eveadditional spacresolution wouhelping to avoistudents’ coursoption.

Office space isonly two or thradditional perscrowding and ito alleviate thi

project currentinstitution’s Ofrom the commCorporation toCollege. Dakoand should det

Functional Area / Process: Environmental Health & Safety
Risk Ranking: Low
Identified Risk: The Environmental Protection Agency is changing regulations for coal burning and the institution utilizes coal boilers. There are concerns related to the impact the changes will have on the institution.
Proposed Recommendations: Continue to monitor changes set forth by the Environmental Protection Agency to ensure the institution is compliant with regulations.

The North Dakcampus informaffecting camp


Functional Area / Process: Financial Close & Reporting
Risk Ranking: Moderate
Identified Risk: The institution’s budgeting process utilizes the “same as last year” approach and does not perform an in-depth analysis to determine if dollars should be allocated differently from the previous year.
Proposed Recommendations: Consider performing an in-depth analysis of previous years’ budgets and the dollars allotted for the current year to determine if available funds should be allocated differently from previous years.

All departmenfunding levels

amounts are rebenefit from inrate of inflationincreases, progprograms can bThe College hacomprehensiveenrollment offreductions willinstitution. Thuis little wiggle beginning withapproach. Few

because they estudents—morraise the cost oare in place to requirements iincrementally

Although fundnot an alternatiDCB will contallocation mod


Functional Area / Process: Financial Close & Reporting
Risk Ranking: Moderate
Identified Risk: There is a lack of appropriate segregation of duties in the Business office.
Proposed Recommendations: Review the current responsibilities of each person in the Business office to determine if changes should be made to allow for additional segregation of duties.

Segregation ofAuditor’s Offic

Functional Area / Process: Financial Close & Reporting
Risk Ranking: Moderate
Identified Risk: There is a lack of appropriate segregation of duties with department purchases. In some instances, department managers are individually deciding what to purchase and from whom and are also approving the purchase, involving no other personnel in the overall process.
Proposed Recommendations: Develop a policy that requires all purchases to involve more than one person in the overall process.

Although all deindividual withauthority, this consultation wmanagement, ngathering activCollege will tainstitutional pu

Functional Area / Process: Governance
Risk Ranking: Moderate
Identified Risk: The institution’s strategic plan lacks a long term focus. In addition, measurable action plans have not been developed to address all objectives and goals.
Proposed Recommendations: Review the strategic plan to determine if long term objectives should be addressed. In addition, consider developing measurable action plans to meet objectives and goals.

The Institution

long and shortsteps. Followiincluded in str

  Motivate adevelop toAcademic

  Utilize a cbuild an eProgram tNDUS.

  Provide a general edimpact of

portfolio p  Work with

training nedrilling ac


Governance

Moderate The complexitattaches a long

including time

There are bencattached to the

GOAL: Enhanmission that addeveloping poof college credExpected Out

five students in

GOAL: Move

Horticulture frdemonstrationExpected Out

greenhouses a

GOAL: BeginProgram that ptoward a degreundecided aboExpected Out

College Studiethe students en

will return to DAlthough meato be better dis


Functional Area / Process: Governance
Risk Ranking: Moderate
Identified Risk: Lack of consistent communication to roll out new policies and procedures, make updates to existing ones, and implement them consistently across the institution. In addition, there is not a consistent process to review policies and procedures on an ongoing basis once they are developed.
Proposed Recommendations: Improve communication to roll out new policies and procedures and updates to existing ones. In addition, review and approve all policies and procedures on an ongoing basis.

Two years agofollowing prac

procedures anprocedures: Th

is the documen

version will be

Thus, it is the o

when accessin

Changes, dele

regarding the

 faculty and sta

the online han

over the last twpolicy changefolders each ye

collapsing the Handbooks intdocument thatinformation fo

The Faculty SeCommittee thaFaculty Handbimprovementsof updates. Thesame responsibManagement H

Senate or the Dkeeping the haThey need to mor determine a

 job done.


Functional Area / Process: Governance
Risk Ranking: Moderate
Identified Risk: Lack of understanding by the institution end users related to how System policies are categorized and where they are stored. In addition, policies are not always clearly titled to reflect content.
Proposed Recommendations: Team with the System office and other institutions to gain a better understanding of how System policies are categorized and titled.

The NDUS Poaccessed from

difficult link toto it, end usersto it for subseqCollege’s handlist the link thathe System po

A review of hotitled may be hissue is more athe website thadifficult to nav

Functional Area / Process: Governance
Risk Ranking: Moderate
Identified Risk: Bottineau is a small community and local community members and businesses are continually tapped for fund raising and donation dollars, making it difficult to continually increase the amount raised each year.
Proposed Recommendations: Continue to identify additional alumni, community members, and business relationship opportunities to perform fundraising activities. In addition, perform a cost/benefit analysis to determine if additional funding should be allocated to identifying and building these relationships.

The Dakota Coidentify additiorevenue generahistory with thresulted in the in three monthprograms. Thetogether to soliregional businehas the right mprospective doFoundation Ofimplement the

funding additiocalculated.


Functional Area / Process: Governance
Risk Ranking: Low
Identified Risk: Initiatives are identified and teams of staff and faculty are assigned; however, many initiatives are not provided the appropriate levels of attention or are not followed through on.
Proposed Recommendations: Identify all initiatives across the institution, teams assigned to them, progress made, etc. Determine what initiatives are not progressing as deemed sufficient by the institution and identify the root causes for the lack of progression.

True initiativestandard opera

identified throinitiatives, or gstrategic planndeveloped andinto place for naturally had mothers, and as attention. Howthe steps in theenrollment andStrategic Planprocess that gastaff, students

suggestions anas initiatives f

A natural tendeinitiative for wreceived approto identify theiinformation abcan be distributhe alumni newwebsite.


Functional Area / Process: Governance
Risk Ranking: Low
Identified Risk: Meeting minutes are not always documented for formal council and committee meetings, resulting in lack of an audit trail of discussion topics, decisions made, and monitoring of ongoing activities. In addition, when meeting minutes are documented, they are not to the level of detail needed.
Proposed Recommendations: Develop a policy that requires all formal council and committee meetings to be documented and describe the level of detail required to be sufficient.

Dakota Collegappointed by th

keep minutes. committees stakeep minutes o

(form attached

 Berube by at le

letter to the compertaining to thminutes.

Functional Area / Process: Grant Administration
Risk Ranking: Moderate
Identified Risk: Investment strategy for the foundation may be too conservative.
Proposed Recommendations: Identify if there are alternative opportunities for conservative investments that result in a higher yield.

The Dakota CoCommittee hasorganization’son certificates

Financial servithe Executive Chowever, the gconservative inopportunities icontinue to be consideration.

Functional Area / Process: Grant Administration
Risk Ranking: Moderate
Identified Risk: Additional time should be spent on alumni and donation collections.
Proposed Recommendations: Team with the Foundation to determine if additional resources could be allocated to focus more on alumni and community networking to increase donations.

Please see resp

 Bottineau is a s

members and b

 fund raising an

to continually


Functional Area / Process: Information Technology
Risk Ranking: Moderate
Identified Risk: Servers are maintained in a locked room in an office; however, the room is not always locked during business hours. In addition, appropriate environmental controls are not in place.
Proposed Recommendations: The server room should be locked at all times, including business hours. In addition, perform a cost/benefit analysis to determine if additional environmental controls should be implemented or if upgrades should be made.

The server roosecurity camer

leaving the serdata, it has beenecessary to inWe are currentproviding impr

Functional Area / Process: Information Technology
Risk Ranking: Moderate
Identified Risk: A Continuum of Government Plan that addresses some areas of a disaster recovery plan is in place; however, a comprehensive documented plan still needs to be developed.
Proposed Recommendations: Develop and document a formal disaster recovery plan. This would include, but is not limited to:
- Risk exposures
- Recovery team responsibilities
- First response process and procedures
- Functional assessment process
- Asset protection
- Communications approach
- System recovery timeframes
- Maintenance and testing
- Training

DCB does hav(Continuum ofdeveloped durreviewed and ucompleted prio

Functional Area / Process: Information Technology
Risk Ranking: Moderate
Identified Risk: USB drives are not password protected or encrypted.
Proposed Recommendations: Develop a policy that requires all USB drives to be password protected and encrypted. Communicate the policy to all applicable users.

The campus Crecommendatioend of FY2012


Functional Area / Process: Information Technology
Risk Ranking: Moderate
Identified Risk: Password parameters for Active Directory are not technically enforced to require passwords to be alphanumeric.
Proposed Recommendations: Change the password parameters in Active Directory to technically enforce all users’ passwords to be alphanumeric.
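One way an auditor or administrator can verify whether the password parameters above are technically enforced, as an added example that is not part of the LarsonAllen report: the script reads the default domain password policy and every fine-grained password policy and flags any that leave complexity disabled. It assumes the RSAT ActiveDirectory module and rights to read (and, for the remediation line, change) domain password policy; the function name Get-PasswordComplexityFindings is an assumption.

```powershell
# Added example (not from the report): audit whether Active Directory
# technically enforces password complexity, and show the corrective setting.
# Assumes the RSAT ActiveDirectory module on a domain-joined host and an
# account permitted to read (and, for the fix, write) password policy.
Import-Module ActiveDirectory

function Get-PasswordComplexityFindings {
    # The default domain policy governs every account not covered by a
    # fine-grained policy, so it is checked first.
    $default = Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    if (-not $default.ComplexityEnabled) {
        $findings += [pscustomobject]@{
            Policy  = 'Default Domain Policy'
            Setting = 'ComplexityEnabled'
            Value   = $default.ComplexityEnabled
            Finding = 'Complexity not enforced; passwords may be letters only or digits only'
        }
    }
    # Fine-grained password policies (PSOs) override the default for the
    # users and groups they apply to, so a lax PSO silently re-opens the gap.
    foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
        if (-not $pso.ComplexityEnabled) {
            $findings += [pscustomobject]@{
                Policy  = $pso.Name
                Setting = 'ComplexityEnabled'
                Value   = $pso.ComplexityEnabled
                Finding = "PSO '$($pso.Name)' disables complexity for the accounts it covers"
            }
        }
    }
    return $findings
}

$findings = @(Get-PasswordComplexityFindings)
if ($findings.Count -eq 0) {
    Write-Output 'Password complexity is technically enforced by every policy.'
} else {
    $findings | Format-Table -AutoSize
    # Remediation for the default domain policy (uncomment to apply).
    # Windows complexity requires characters from three of the categories
    # upper case, lower case, digit and symbol, which is the closest built-in
    # control to the report's alphanumeric requirement; it does not by itself
    # guarantee that every password contains both a letter and a digit.
    # Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot -ComplexityEnabled $true
}
```

Complexity set at the domain level is enforced by the domain controllers on every password change, so it covers accounts created before the setting was turned on only once those passwords next change.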

Password paracurrently not te

passwords to binstitution is mand when this mauthenticate agconnected withrequire alpha n

Functional Area / Process: Marketing & Communications
Risk Ranking: Low
Identified Risk: There are concerns related to the strategic approach, leadership, and direction for marketing and communication.
Proposed Recommendations: Review the strategic approach and leadership for marketing and communication at the institution to determine if changes should be made to align the strategic plan with the institution.

Under the currdirection for thstudents, and tcollege choiceconsecutive sematerials, the

process by whwith prospectssystems for traresponding to improvementssophisticated iare managed wthe Admissionproviding timemarketing task

Dakota CollegOnline and Ou

better with its gare many excitat the College audience.


Functional Area / Process: Operations & Auxiliary Services
Risk Ranking: Moderate
Identified Risk: Credit card information is manually documented at the bookstore for orders that are placed via phone during peak times of the year.
Proposed Recommendations: Review the procedures to protect credit card information at the bookstore and determine if changes should be made to enhance data protection. In addition, if procedures are not formally documented, consider documenting the procedures to allow all employees to be consistent and educate new employees.

Dakota Collegcredit card inf

determine if chprotection.

Functional Area / Process: Operations & Auxiliary Services
Risk Ranking: Low
Identified Risk: Lack of knowledge by students and faculty on how to use digital library services.
Proposed Recommendations: Consider offering training to students and faculty on the use of digital library services.

Training to stulibrary service

Functional Area / Process: Operations & Auxiliary Services
Risk Ranking: Low
Identified Risk: Technology upgrades are needed for the library to better accommodate student learning.
Proposed Recommendations: Continue to prioritize capital projects and renovation needs across campus to determine if the library is a priority in the next fiscal year’s budget.

Prioritizing of across campus

the Library are

Functional Area / Process: Operations & Auxiliary Services
Risk Ranking: Low
Identified Risk: Concerns with theft in the bookstore. There are no security cameras or security system.
Proposed Recommendations: Perform a cost/benefit analysis to determine if security measures should be implemented.

Cameras have prevent shoplifstrengthened to


Functional Area / Process: Faculty & Staff
Risk Ranking: Moderate
Identified Risk: Lack of succession planning and cross training for most positions within the institution.
Proposed Recommendations: Functional areas should evaluate where it is most critical to implement succession plans and cross train employees. Develop an action plan to implement and cross train where necessary.

Cross training environments,

Although Dakomust effectivelfunctions of anmatter its size.resources requfor two or morwear more thanmost staff is alcapacity.

When and whesuccession planbring in new st

incumbent’s detrained to hit-th


Functional Area / Process: Student Affairs
Risk Ranking: Moderate
Identified Risk: Residence halls need to be remodeled and utilized to attract more students, including building suite living conditions to attract families.
Proposed Recommendations: Perform a cost/benefit analysis to determine if it makes good business sense to renovate residence halls and build suite living conditions.

The learning anCollege’s resid

significantly si1950’s, 1960’sexpectations abincluded for redramatically. Tservices, and pCollege needs bonding to gathMead, Milliga

Functional Area / Process: Student Affairs
Risk Ranking: Moderate
Identified Risk: The institution is becoming more culturally diverse and there has been a significant increase in out of state students. There are concerns whether the campus is meeting the needs of these students.
Proposed Recommendations: Perform an assessment to determine whether the institution is meeting the needs of culturally diverse and out of state students. Utilize feedback from students to make improvements as necessary.

The Institutionimplement proan increasingly

Functional Area / Process: Student Financial Processing
Risk Ranking: Moderate
Identified Risk: Certain faculty do not submit their book/material requests to the bookstore timely or change the books/materials near the start date of a semester, resulting in the bookstore not being able to provide books/materials timely to students, keep costs effective and affordable, and possibly cause the institution to be in violation of the HEOA.
Proposed Recommendations: Continue to educate faculty about the importance of submitting book and material requests timely. In addition, identify alternative methods of communication and education.

The Institutionthe importancerequests in a ticonsequences


Appendix

Impact Criteria

Columns: Financial | Stakeholder | Reputation | Legal / Regulatory | Operations

HIGH
- Financial: (1) Asset size; (2) Prior negative exposure; (3) Rapidly increasing transaction volume
- Stakeholder: (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns
- Reputation: (1) Potential adverse issues are known to external parties, such as media and regulatory bodies
- Legal / Regulatory: (1) Any Federal/State/Other action; (2) External Audit reportable conditions
- Operations: (1) Current infrastructure cannot support business strategy

MEDIUM
- Financial: (1) Asset size; (2) Major potential cost; (3) Transaction volume stable
- Stakeholder: (1) Management, employees and faculty may be affected by process inefficiencies or control breakdown
- Reputation: (1) Potential adverse issues could impact customers
- Legal / Regulatory: (1) Issues identified by Federal/State/Other; (2) Issues identified by External Audit
- Operations: (1) Current infrastructure is able to support business strategy with work arounds

LOW
- Financial: (1) Asset size; (2) Minor potential cost; (3) Transaction volume stable
- Stakeholder: (1) No management, employees and faculty are affected by process inefficiencies or control breakdown
- Reputation: (1) Potential adverse issues could impact employees
- Legal / Regulatory: (1) No issues identified by Federal/State/Other; (2) No issues identified by External Audit
- Operations: (1) Current infrastructure is able to support business strategy

Vulnerability Criteria

Columns: Control Effectiveness and Efficiency | Speed of Response | Complexity | People | Operational Efficiency | System Capability | Rate of Change

HIGH
- Control Effectiveness and Efficiency: Controls are not working or do not exist.
- Speed of Response: No method for anticipating and assessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.
- Complexity: Manual processes with many data transfer points and owners.
- People: A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists.
- Operational Efficiency: High/unmeasured cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.
- System Capability: Systems are not operating as designed or design is flawed; very limited controls.
- Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months.

MEDIUM
- Control Effectiveness and Efficiency: Controls are detective but not preventative and there may or may not be effective reporting.
- Speed of Response: A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.
- Complexity: Automated process encompassing multiple systems and owners.
- People: A limited number of staff and/or staff has moderate competency to manage risk events.
- Operational Efficiency: Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.
- System Capability: Systems are operating as designed, but design can be improved; controls are bolted on top of the system.
- Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months.

LOW
- Control Effectiveness and Efficiency: Controls are appropriately preventive and detective and there is effective reporting.
- Speed of Response: A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.
- Complexity: Automated processes with integrated systems.
- People: Most staff has high competency to manage risk events.
- Operational Efficiency: Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.
- System Capability: Systems are designed, implemented, and operating effectively; controls are embedded in the system.
- Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.


 ©2011 LarsonAllen LLP

Dickinson State University

Risk Assessment Results

October 14, 2011

Craig W. Popenhagen, CPA
Principal

612/[email protected] 


Enterprise-Wide Risk Assessment | Dickinson State University 

©2011 LarsonAllen LLP

October 14, 2011

Dr. D.C. Coston, Acting President
Dickinson State University
291 Campus Drive
Dickinson, ND 58601

Dr. Coston,

This report provides you, Dickinson State University (DSU) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board’s acceptable risk level.

LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided.

In addition, the procedures performed by LarsonAllen are not a substitution for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide Dickinson State University with insight to inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project.

We appreciate the opportunity to assist Dickinson State University. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance.

Sincerely,

LarsonAllen LLP

Craig W. Popenhagen, CPA
Principal
612/[email protected]

220 South Sixth Street, Suite 300
Minneapolis, MN 55402-1436
612-376-4500, Fax 612-376-4850


Table of Contents

Executive Summary 1
  What is Risk Assessment? 1
  Risk Assessment Methodology 1
Project Overview 4
  Objectives and Scope 4
  Approach 4
Risk Assessment Results 6
  Enterprise-Wide Risk Map 6
  Detailed Results 7
Appendix 26
  Impact Criteria 26
  Vulnerability Criteria 26


Executive Summary

LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for Dickinson State University. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically.

Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical representation of the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Detailed results are also provided communicating the explanation for the risk ranking and recommendations for addressing the risks.

What is Risk Assessment?

Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution whether it is entity or process level.

- Entity level is the cornerstone for effective control and its objectives provide guidance on what the entity wants to achieve. It should be consistent with budget, strategy, and business plans.
- Process level should align with entity level objectives but differ in that they relate directly to goal setting with specific targets and deadlines. It provides guidance for management focus.

Risk Assessment Methodology

The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for Dickinson State University.


Understand the Client’s Business: We begin by understanding the North Dakota University System’s (the System) business by gathering the business objectives, goals, and strategies and identify the System’s various universities and colleges in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry.

Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of an institution to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken in the form of missed opportunities. There are six types of risks:

- Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the institution’s inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the institution’s reputation.
- Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.
- Operational: The risk that the institution’s operational processes are not achieving the objectives they were designed for to support the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.
- Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.
- Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the institution and the availability and quality of information the institution can access to support decision making, and the security of key information.
- Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships.

Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.


Areas of Focus Definitions (illustration; only its labels survive extraction)

Impact: Financial; Stakeholder; Reputation; Legal / Regulatory; Operations
Vulnerability: Control Efficiency & Operating Effectiveness; Speed of Response; Complexity; People; Operational Efficiency; System Capability; Rate of Change
Measurement Scale: High Risk; Moderate Risk; Low Risk

Execute Risk Assessment Approach: We begin by identifying various interview participants, including key risk owners and conduct interviews, as applicable. Key risks are gathered during this stage and results are ranked by defined impact and vulnerability criteria.

Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then validated and shared with management, as appropriate. By prioritizing and validating risks, Dickinson State University can align and prioritize its resources to manage and mitigate risks appropriately.



Project Overview 

Objectives and Scope

The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at Dickinson State University and assess the levels of risk within each of the process areas. In addition, provide Management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process.

The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution:

Functional Area / Process | Detailed Coverage of Functional Area / Process

- Academic Affairs: On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment
- Athletics: Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance
- Campus Safety & Security: Building security, campus police/security
- Continuing Education: Non-credit courses, community programs, workforce training, conference management
- Emergency Preparedness: Emergency preparedness and response procedures, business continuity, risk management
- Environmental Health & Safety: Physical safety and soundness of campus buildings, environmental risks, facilities/classroom
- Financial Close & Reporting: Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes
- Governance: General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action
- Grant Administration: Grant tracking and monitoring, accounting, budgeting, reporting, foundation, donor concentrations, foundation investment strategy
- Human Resources & Payroll: Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention
- Information Technology: IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk
- Marketing / Communications: Social media, publications, web development, brand and logo, advertising channels
- Operations & Auxiliary Services: Bookstore, libraries, food services
- Faculty & Staff: Workforce training, competency, professional environment, conflict of interest
- Student Affairs: Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services
- Student Financial Processing: Student/financial aid, tuition, enrollment fees, scholarships, funding, student loan processing


Approach

With the assistance of Dickinson State University management, LarsonAllen identified 24 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area.

Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).


Risk Assessment Results 

Enterprise-Wide Risk Map

The enterprise-wide risk map communicates the risk results at the functional area / process based on the information obtained during the interviews. The description of the risk map is as follows:

- Green – Low Risk
- Yellow – Moderate Risk
- Red – High Risk

The following functional areas / processes are not on the above risk map as there were no risks identified by stakeholders, per the interview discussions:

- Continuing education


Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations

Functional Area / Process: Academic Affairs
Risk Ranking: Low
Identified Risk: Accountability for student enrollment and retention is not consistent across all functional administrative areas and faculty. In addition, faculty and staff are not always making themselves available to current and potential future students. This includes faculty office hours, availability for high school student visits/campus tours, experience in the administration offices, etc.
Proposed Recommendations: Review the Strategic Enrollment Plan initiatives and action plans to determine if all functional areas and faculty responsibilities are addressed to support and grow headcount and accountability measures to move forward.

Functional Area / Process: Academic Affairs
Risk Ranking: Low
Identified Risk: A strong focus of the university is increasing headcount; however, there are concerns that appropriate thought has not been given to the facilities and resources available at the university to support additional headcount.
Proposed Recommendations: Review the Strategic Enrollment Plan initiatives and action plans to determine if facilities and resources have been addressed to adequately support additional headcount.

Functional Area / Process: Academic Affairs
Risk Ranking: Low
Identified Risk: Strom Center programs do not receive university and/or grant funding. If donations and/or grant dollars decrease, the sustainability of programs would be at risk.
Proposed Recommendations: Identify additional marketing opportunities to reach a broader market, including networking with other colleges and universities within North Dakota, additional services to support program fees, and identify additional grant opportunities.

Functional Area / Process: Academic Affairs
Risk Ranking: Low
Identified Risk: The Strom Center Business Challenge Program is approximately $50k in debt.
Proposed Recommendations: Review the strategic plan to determine if the Strom Center’s debt is addressed with specific measurable action plans. In addition, consider whether updates should be made to the strategic plan and whether progress is being made towards the measurable action items.


Athletics

Risk Ranking: Low
Identified Risk: Transportation for the university’s rodeo team is not provided and controlled, resulting in the risk of liability to the institution.
Proposed Recommendations: Perform a cost/benefit analysis to determine if it makes good business sense to provide transportation services for the university’s rodeo team. In addition, consider reaching out to other colleges and universities that have a rodeo team to determine the approach they take.

Risk Ranking: Low
Identified Risk: Recruiting new athletic program coaches and maintaining the existing coaches is a concern due to the size of the institution and compensation offered.
Proposed Recommendations: Continue to benchmark wages with other North Dakota colleges and universities.

Campus Safety & Security

Risk Ranking: Moderate
Identified Risk: Concerns that staff and faculty are being verbally and emotionally threatened to increase student enrollment.
Proposed Recommendations: Obtain feedback from all staff and faculty related to the tone at the top and pressures to increase student enrollment to determine if the environment is appropriate.

DSU hasimpleme

March 22harassmeMarch anCampus regular byear to adforward.

Risk Ranking: Low
Identified Risk: Concerns related to the safety of students and security of the campus with the significant numbers of oil field workers migrating to the area. In addition, there is no security officer during the daytime hours.
Proposed Recommendations: Perform a cost/benefit analysis to determine if security officers and resources are needed or if additional security measures should be implemented.

Emergency Preparedness

Risk Ranking: Low
Identified Risk: Lack of communication and required training related to emergency response procedures.
Proposed Recommendations: Consider requiring the current training available to employees twice a year to be mandatory training to enhance awareness.


Environmental Health & Safety

Risk Ranking: Low
Identified Risk: Athletic facilities are outdated and need remodeling (i.e. handicap accessible, strategic concession placement, etc.).
Proposed Recommendations: Continue to prioritize capital projects, renovations, and maintenance needs across campus to determine if athletic facilities are a priority in the next fiscal year’s budget.

Risk Ranking: Low
Identified Risk: The ability to attract local contractors has decreased over the last several years due to the competition with the oil fields.
Proposed Recommendations: Consider reaching out to other colleges and universities that may also be affected by the increased labor demand from the oil fields to identify actions other institutions have taken, discuss contractor options, pricing considerations, etc.

Financial Close & Reporting

Risk Ranking: Moderate
Identified Risk: Bad debt write-offs continue to rise each fiscal year due to the inability to collect tuition fees.
Proposed Recommendations: Review write-offs over the last several years to determine the amount of write-offs that are tuition related. In addition, review historical trends and determine the root cause of tuition write-offs.

Many of through tPolicy th

financialentity hainternatiodays or m

Risk Ranking: Moderate
Identified Risk: Concerns that departmental budget changes are not being communicated on a timely basis and could result in potential overspending.
Proposed Recommendations: Review the process to communicate departmental budget changes and determine if changes should be made to the process to allow more timely communication.

Unit supecommunbudgets cand progthe opporsessions.

Risk Ranking: Low
Identified Risk: Interest income has significantly declined over the last several years. In addition, net operating income has been negative for the last three years.
Proposed Recommendations: Perform an analysis to determine the root cause for the decrease in interest income and the negative net operating income over the last several years. Determine if the institution could make changes or identify other opportunities to increase both in the future.


Governance

Risk Ranking: Moderate
Identified Risk: The institution is maintaining an ad hoc database of alumni and donors; however, under the verbal contract with the Foundation and Alumni organization they are not allowed to do so.
Proposed Recommendations: Reconfirm the verbal contract between the institution and the foundation to determine if the contract should be revised or if the institution should delete its ad hoc database.

DSU wilthe Foun

a separatThis willagreemenBoard Po

Risk Ranking: Low
Identified Risk: The university is not PCI compliant.
Proposed Recommendations: Consider identifying PCI compliance as an initiative, including resource dedication, to become compliant in the future. In addition, reach out to other colleges and universities that are compliant across the System to determine the steps other institutions took to become compliant, lessons learned, etc.

Risk Ranking: Low
Identified Risk: Monitoring of international students while attending the university and monitoring their departure from the U.S., procedures to verify and document their departure, etc.
Proposed Recommendations: Review procedures to monitor international students while attending the university and their departure from the U.S. Determine if procedures are documented, communicated, and if proper monitoring controls are in place.


Grant Administration

Risk Ranking: Moderate
Identified Risk: Lack of grant related policies and procedures, specifically the overall grant lifecycle, expense allocations, coordination of proposing on grants once the grant(s) have been identified, specifically persons that should be involved, timing, knowledge of qualification requirements, etc.
Proposed Recommendations: Develop policies and procedures for the grant process. Review documents on an ongoing basis to determine if changes should be made.

Departmdiscussed

a VPAA were revdevelop uensure cogrant app

Risk Ranking: Moderate
Identified Risk: A grant roster is not maintained to centrally track and monitor completeness and accuracy of current grants, renewal of grants, etc.
Proposed Recommendations: Develop a grant roster to centrally track and monitor grants and enhance visibility of the status of all grants.

All grantfund in thconsider task to anmonitor g

Risk Ranking: Low
Identified Risk: Grant expenses, including payroll expenses, may not be applied to the correct grant or expenses may be inaccurately applied due to lack of attention to detail.
Proposed Recommendations: Review the current processes to code/assign expenses to grants and determine if proper internal controls exist to minimize the risk of coding expenses to incorrect grants or applying inaccurate expense amounts.

Risk Ranking: Low
Identified Risk: Lack of resources to identify new grant opportunities.
Proposed Recommendations: Perform a cost/benefit analysis to determine if it makes good business sense to dedicate additional resources to the grant identification process.

Risk Ranking: Low
Identified Risk: The Foundation and Alumni organization does not always process gift receipts timely and alert the Business Office and Strom Center timely, resulting in financial reports lagging a month or two.
Proposed Recommendations: Team with the Foundation and Alumni organization to identify root causes for untimely processing of cash receipts and determine if the Business Office and Strom Center could assist with improvements in the process.


Human Resources & Payroll

Risk Ranking: Low
Identified Risk: There are concerns related to the accuracy of the human resources master file.
Proposed Recommendations: A review should be performed of the human resources master file to determine if changes need to be made to update information for staff and/or faculty members.

Risk Ranking: Low
Identified Risk: Job descriptions are not up-to-date.
Proposed Recommendations: Review all job descriptions and determine if updates need to be made. Make updates as needed. In addition, if it is determined that a job description does not exist for a position, per the review, develop a job description for the position.

Information Technology

Risk Ranking: High
Identified Risk: The data center is located in the basement of May Hall and contains windows in the room.
Proposed Recommendations: Consider moving the data center to a more secure location.

The cost considerealthough

current lothis locatmoisture wiring inWater piplocation. viewing f


Risk Ranking: High
Identified Risk: There is no formal disaster recovery plan.
Proposed Recommendations: Develop and document a formal disaster recovery plan. This would include, but is not limited to:
- Risk exposures
- Recovery team responsibilities
- First response process and procedures
- Functional assessment process
- Asset protection
- Communications approach
- System recovery timeframes
- Maintenance and testing
- Training

Senior lewith the

NDUS redocumenconsistenprocedur

A formal

  Be

  A cre

  Crdeg

  Pri

DSdat

  Em

Risk Ranking: Moderate
Identified Risk: Data back-ups are stored on-site in the data center.
Proposed Recommendations: Identify an off-site storage site to maintain data back-ups. Employees’ homes should not be utilized.

Backup m

Risk Ranking: Moderate
Identified Risk: Shared folders are not restricted on the network. A policy is in place to restrict personnel from maintaining confidential information in the shared folders, but confidential information has been found in the past.
Proposed Recommendations: Develop and assign user roles within shared folders to restrict access to confidential information.

The localand studelocal sharnot to stogiven accnow (Aug

as needed


Risk Ranking: Moderate
Identified Risk: Laptops issued to staff and faculty are not encrypted. In addition, USB drives purchased by functional departments are not password protected or encrypted.
Proposed Recommendations: Develop a policy that requires all laptops and USB drives to be encrypted. In addition, determine if the process to issue technology related items should be centralized within the IT group to allow for consistency and adherence to policy.

The NDUon all com

  Ec

  EpMk

Risk Ranking: Moderate
Identified Risk: A mobile device policy is in place; however, appropriate security measures have not been technically enforced to support mobile devices.
Proposed Recommendations: Consider technically enforcing security measures on mobile devices to enhance security.

Currently

  Dl

  Tv

  U

i

Risk Ranking: Low
Identified Risk: Password parameters for Active Directory are not technically enforced to require passwords to be changed after a defined period of time.
Proposed Recommendations: Consider changing the password parameters in Active Directory to technically enforce passwords to be changed every 90 days.

Risk Ranking: Low
Identified Risk: Significant numbers of staff do not lock their computers when leaving their desk.
Proposed Recommendations: Develop a policy to require all staff and faculty to lock their computers when leaving their desks to increase overall security of information on their computers.
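The two findings above (password aging not technically enforced in Active Directory, and staff not locking workstations) are the kind a follow-up review would want to verify with a script rather than by interview. The PowerShell below is an added example, not part of the LarsonAllen report or DSU's own tooling. It assumes a domain-joined Windows host with the ActiveDirectory RSAT module installed and a caller permitted to read the domain password policy; the function names (Test-PasswordAgeEnforcement, Test-InactivityLock, Set-PasswordAge90Days) are illustrative, the 90-day password age is the report's own figure, and the 15-minute idle-lock threshold is an assumed value chosen for the example.

```powershell
# Added example, not from the LarsonAllen report: audit the two Active
# Directory / workstation findings from a domain-joined Windows host.
# Assumptions: ActiveDirectory RSAT module installed; caller can read the
# domain password policy; the 15-minute idle-lock threshold is our own choice
# (the report specifies only the 90-day password age).
Import-Module ActiveDirectory

function Test-PasswordAgeEnforcement {
    param([int]$MaxDays = 90)   # 90 days is the report's recommendation

    $findings = @()
    # Default domain policy. MaxPasswordAge is a TimeSpan; a zero span means
    # passwords never expire, i.e. aging is not technically enforced.
    $dom  = Get-ADDefaultDomainPasswordPolicy
    $days = $dom.MaxPasswordAge.TotalDays
    $findings += [pscustomobject]@{
        Policy  = 'Default Domain Policy'
        Current = if ($days -eq 0) { 'never expires' } else { "$days days" }
        Pass    = ($days -gt 0 -and $days -le $MaxDays)
    }
    # Fine-grained password policies (PSOs) override the default for the
    # groups they apply to, so each one is checked against the same threshold.
    foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
        $days = $pso.MaxPasswordAge.TotalDays
        $findings += [pscustomobject]@{
            Policy  = "PSO: $($pso.Name) (applies to $($pso.AppliesTo -join ', '))"
            Current = if ($days -eq 0) { 'never expires' } else { "$days days" }
            Pass    = ($days -gt 0 -and $days -le $MaxDays)
        }
    }
    return $findings
}

function Test-InactivityLock {
    # Reads the screen-saver lock settings for the current user, preferring
    # the Group Policy location over the user's own (changeable) setting.
    param([int]$MaxIdleSeconds = 900)   # assumed threshold: 15 minutes

    $candidates = @(
        @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'; Source = 'Group Policy' },
        @{ Path = 'HKCU:\Control Panel\Desktop';                                    Source = 'user setting' }
    )
    foreach ($c in $candidates) {
        if (-not (Test-Path $c.Path)) { continue }
        $v = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
        if ($null -eq $v.ScreenSaveTimeOut) { continue }
        $active  = ($v.ScreenSaveActive    -eq '1')
        $secure  = ($v.ScreenSaverIsSecure -eq '1')   # "On resume, display logon screen"
        $timeout = [int]$v.ScreenSaveTimeOut            # seconds of idle time
        return [pscustomobject]@{
            Source  = $c.Source
            Current = "active=$active secure=$secure timeout=${timeout}s"
            Pass    = ($active -and $secure -and $timeout -gt 0 -and $timeout -le $MaxIdleSeconds)
        }
    }
    return [pscustomobject]@{ Source = 'none'; Current = 'no screen-saver lock configured'; Pass = $false }
}

# Corrective setting for the password finding. Without -Apply it runs with
# -WhatIf and only reports what would change, so it is safe to run during review.
function Set-PasswordAge90Days {
    param([switch]$Apply)
    $domain = (Get-ADDomain).DNSRoot
    Set-ADDefaultDomainPasswordPolicy -Identity $domain `
        -MaxPasswordAge (New-TimeSpan -Days 90) -WhatIf:(-not $Apply)
}

Test-PasswordAgeEnforcement | Format-Table -AutoSize
Test-InactivityLock         | Format-Table -AutoSize
```

Test-InactivityLock checks only the current user's settings, so a fleet-wide answer comes from running it under each user's session or from reviewing the Group Policy object itself; a result with Source "user setting" means the lock is not enforced and can be switched off by the user, which is the gap the policy recommendation is meant to close.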

Marketing & Communications

Risk Ranking: Low
Identified Risk: Duplicate information is being drafted in publications that could potentially be combined to save time and costs.
Proposed Recommendations: Perform a review to determine if information drafted in publications could be combined in certain instances to allow for time and cost savings.


Operations & Auxiliary Services

Risk Ranking: Low
Identified Risk: Remodeling and technology upgrades are needed for the library to better accommodate student learning.
Proposed Recommendations: Continue to prioritize capital projects, renovations, and maintenance needs across campus to determine if the library is a priority in the next fiscal year’s budget.

Risk Ranking: Low
Identified Risk: The bookstore sales return policy is not consistently followed. Certain functional areas require the bookstore to make several exceptions to the policy.
Proposed Recommendations: Review the bookstore sales return policy to determine if changes should be made to the policy or if the policy is appropriate and current practices should be changed to adhere to the policy.

Risk Ranking: Low
Identified Risk: Concerns with theft in the bookstore. There are no security cameras or security system, and students are trying on apparel in the restrooms.
Proposed Recommendations: Perform a cost/benefit analysis to determine if security measures and/or designated fitting rooms should be implemented.

Risk Ranking: Low
Identified Risk: The bookstore’s apparel and inventory are sold at offsite campus events. All inventory and sales are manually tracked and entered into the POS system after the event.
Proposed Recommendations: Review the internal controls in place for selling bookstore apparel and inventory at offsite campus events to determine if additional controls should be implemented and if current controls are operating effectively.

Risk Ranking: Low
Identified Risk: Clubs, departments, organizations, etc. are not required to consider the bookstore when making purchases or involving the bookstore in the bidding or proposal process.
Proposed Recommendations: Develop a policy that requires clubs, departments, organizations, etc. to submit a request for proposal to the bookstore to bid on the purchases.


Faculty & Staff

Risk Ranking: Moderate
Identified Risk: Overall employee work load is a concern. Most functional areas identified some level of personnel needs.
Proposed Recommendations: Perform an assessment to determine how resources are being utilized across all functional areas, tracking of hours worked, efficiencies that could be gained, etc.

On-goingefficienc

Risk Ranking: Moderate
Identified Risk: There has been a high turnover rate in key leadership positions in the last several years.
Proposed Recommendations: No proposed recommendation.

The Cooconducteindividua

Risk Ranking: Moderate
Identified Risk: Lack of succession planning and cross training for most positions within the institution.
Proposed Recommendations: Functional areas should evaluate where it is most critical to implement succession plans and cross train employees. Develop an action plan to implement and cross train where necessary.

DSU shotrain emp

Risk Ranking: Low
Identified Risk: Recruitment and retention of staff and faculty is a concern, specifically as it relates to the compensation offered and the competition with the oil field positions.
Proposed Recommendations: Continue to benchmark wages with other North Dakota colleges and universities.


Student Affairs

Risk Ranking: Moderate
Identified Risk: Several international students are not fluent in English and the institution does not have staff and/or faculty capable of speaking the languages to accommodate students, resulting in the inability to provide these students with the academic and student experience that is the same as all other students.
Proposed Recommendations: Perform a cost/benefit analysis to determine if it makes good business sense to hire personnel who are fluent in languages specific to the countries targeted for international students or if alternative countries should be targeted based on language capabilities at the institution.

DSU offiArticulat

in place wrequiremago, DSUeffort to htheir Engto look foconsisteneffort to iapplicant

Risk Ranking: Moderate
Identified Risk: The cost to live off campus has significantly increased due to the oil fields, resulting in limited residence hall space as students are staying on campus a longer period of time.
Proposed Recommendations: Perform a cost/benefit analysis to determine if it makes good business sense to build additional residence halls, add on to existing, or another alternative.

The VP oFinanciaCommitt

range solcampus a

Risk Ranking: Low
Identified Risk: Lack of recruiting efforts at local DSU events where high school student attendance is high. In addition, there is a stronger focus on international student recruitment than the five-state region.
Proposed Recommendations: Review the current strategy to recruit students and determine if there is an appropriate balance of domestic and international students. In addition, determine if additional recruiting efforts should be focused on attendance of staff and faculty at local DSU events where high school student attendance is high.


Risk Ranking: Low
Identified Risk: Mental health and medical issues are increasing in the student body and the institution does not have a counselor.
Proposed Recommendations: Perform a cost/benefit analysis to determine if a counselor position should be created.

Risk Ranking: Low
Identified Risk: Student contact information is not updated and maintained on an ongoing basis, resulting in inaccurate information in the database.
Proposed Recommendations: Review the current procedures to update and maintain the database that houses student contact information and determine if additional resources should be allocated to enhance the accuracy of information.

Student Financial Processing

Risk Ranking: Moderate
Identified Risk: Tracking and monitoring of collaborative students and qualification requirements to receive financial aid, specifically declared institution of graduation, institution enrollment, grades received, etc. If a student is not currently enrolled in classes in the declared institution of graduation, the financial aid office cannot monitor their eligibility as a financial aid recipient.
Proposed Recommendations: Develop a process to track and monitor collaborative students and qualification requirements to receive financial aid. Determine if current technology could assist in the process.

DSU currcollaboraneed to dcollaborarequirem

Risk Ranking: Moderate
Identified Risk: Royalties received to support the internal scholarship program are decreasing, and five-year commitments are made to students to receive scholarship dollars as long as their GPA is appropriate. There is a risk that the institution is over-committing scholarship funds or will be in the future.
Proposed Recommendations: Perform an assessment to determine if there are enough funds to support the internal scholarship program commitments that have been made. Adjust future program commitments as necessary based on the assessment results.

The Actito examiRoughridimpleme


Risk Ranking: Moderate
Identified Risk: Certain faculty members do not submit their book/material requests to the bookstore timely or change the books/materials near the start date of a semester, resulting in the bookstore not being able to provide books/materials timely to students or keep costs effective and affordable, and possibly causing the institution to be in violation of the Higher Education Opportunity Act.
Proposed Recommendations: Continue to educate faculty about the importance of submitting book and material requests timely. In addition, identify alternative methods of communication and education.

Senior leChairs, a

complianmaterial

Risk Ranking: Moderate
Identified Risk: It is challenging to identify the last day a student attended classes if they have dropped out and are to pay back financial aid already received. This is especially difficult for collaborative students.
Proposed Recommendations: Review the current process to identify when a student last attended classes to determine if improvements could be made. In addition, team with other colleges and universities to develop a consistent process for collaborative students.

Polices atracking and Progdocumen

with fedeattendancduring a October

Risk Ranking: Low
Identified Risk: Ability to stay proactive related to financial aid federal compliance. Changes in legislation are not always known and implemented timely. In addition, interpretation of regulations is difficult.
Proposed Recommendations: Develop an action plan with specific measurable goals to continually monitor and stay abreast of financial aid federal regulations. Discuss regulations with the System Office and other colleges and universities in ND, as needed, to compare interpretations and gain additional confidence that DSU is in compliance. In addition, consider performing an internal audit to review compliance with regulations.


Risk Ranking: Low
Identified Risk: Implementing financial aid regulation changes timely and managing the student experience while implementing changes is a challenge. Duplicate requests are sometimes required of students when changes in regulations occur during the submission and award process.
Proposed Recommendations: Continue to implement regulation changes as soon as possible to minimize duplicate requests when processing and awarding financial aid. In addition, review the current process to determine if efficiencies could be gained.

Risk Ranking: Low
Identified Risk: Concerns related to communication between faculty and the Financial Aid department to understand the impact of curriculum changes on financial aid distribution and regulations.
Proposed Recommendations: Additional communication and training should be implemented to improve understanding of financial aid requirements and the impact of curriculum changes.

Risk Ranking: Low
Identified Risk: A fraudulent high school diploma and transcript were received, and there are concerns about how many fraudulent documents used to become a recipient of financial aid have not been identified.
Proposed Recommendations: Consider providing training to staff who review documents collected in the application process to enhance the identification of fraudulent documents and create awareness.

Risk Ranking: Low
Identified Risk: Concerned that the Financial Aid Department is managed under Student Affairs.
Proposed Recommendations: Perform an assessment to determine if it makes good business sense to keep Financial Aid under Student Affairs, have the group be self-governed, or another option.


Appendix

Impact Criteria

HIGH
- Financial: (1) Asset size; (2) Prior negative exposure; (3) Rapidly increasing transaction volume
- Stakeholder: (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns
- Reputation: (1) Potential adverse issues are known to external parties, such as media and regulatory bodies
- Legal / Regulatory: (1) Any Federal/State/Other action; (2) External Audit reportable conditions
- Operations: (1) Current infrastructure cannot support business strategy

MEDIUM
- Financial: (1) Asset size; (2) Major potential cost; (3) Transaction volume stable
- Stakeholder: (1) Management, employees and faculty may be affected by process inefficiencies or control breakdown
- Reputation: (1) Potential adverse issues could impact customers
- Legal / Regulatory: (1) Issues identified by Federal/State/Other; (2) Issues identified by External Audit
- Operations: (1) Current infrastructure is able to support business strategy with workarounds

LOW
- Financial: (1) Asset size; (2) Minor potential cost; (3) Transaction volume stable
- Stakeholder: (1) No management, employees and faculty are affected by process inefficiencies or control breakdown
- Reputation: (1) Potential adverse issues could impact employees
- Legal / Regulatory: (1) No issues identified by Federal/State/Other; (2) No issues identified by External Audit
- Operations: (1) Current infrastructure is able to support business strategy

Vulnerability Criteria

HIGH
- Control Effectiveness and Efficiency: Controls are not working or do not exist.
- Speed of Response: No method for anticipating and assessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.
- Complexity: Manual processes with many data transfer points and owners.
- People: A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists.
- Operational Efficiency: High/unmeasured cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.
- System Capability: Systems are not operating as designed or design is flawed; very limited controls.
- Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months.

MEDIUM
- Control Effectiveness and Efficiency: Controls are detective but not preventative and there may or may not be effective reporting.
- Speed of Response: A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.
- Complexity: Automated process encompassing multiple systems and owners.
- People: A limited number of staff and/or staff has moderate competency to manage risk events.
- Operational Efficiency: Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.
- System Capability: Systems are operating as designed, but design can be improved; controls are bolted on top of the system.
- Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months.

LOW
- Control Effectiveness and Efficiency: Controls are appropriately preventive and detective and there is effective reporting.
- Speed of Response: A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.
- Complexity: Automated processes with integrated systems.
- People: Most staff has high competency to manage risk events.
- Operational Efficiency: Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.
- System Capability: Systems are designed, implemented, and operating effectively; controls are embedded in the system.
- Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.


 ©2011 LarsonAllen LLP

Lake Region State College

Risk Assessment Results

October 14, 2011

Craig W. Popenhagen, CPA

Principal

612/[email protected] 


Enterprise-Wide Risk Assessment | Lake Region State College 

©2011 LarsonAllen LLP

October 14, 2011

Dr. Mike Bower
Lake Region State College

1801 College Drive N.

Devils Lake, ND 58301-1598

Dr. Bower,

This report provides you, Lake Region State College (LRSC) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board’s acceptable risk level.

LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided.

In addition, the procedures performed by LarsonAllen are not a substitution for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide Lake Region State College with insight to inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project.

We appreciate the opportunity to assist Lake Region State College. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance.

Sincerely,

LarsonAllen LLP

Craig W. Popenhagen, CPA
Principal
612/397-3087
[email protected]

220 South Sixth Street, Suite 300
Minneapolis, MN 55402-1436
612-376-4500, Fax 612-376-4850


Table of Contents

Executive Summary 1
  What is Risk Assessment? 1
  Risk Assessment Methodology 1
Project Overview 4
  Objectives and Scope 4
  Approach 4
Risk Assessment Results 6
  Enterprise-Wide Risk Map 6
  Detailed Results 6
Appendix 16
  Impact Criteria 16
  Vulnerability Criteria 16


Executive Summary

LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for Lake Region State College. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically.

Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical representation of the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Detailed results are also provided communicating the explanation for the risk ranking and recommendations for addressing the risks.

What is Risk Assessment?

Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution, whether it is entity or process level.

- Entity level is the cornerstone for effective control and its objectives provide guidance on what the entity wants to achieve. It should be consistent with budget, strategy, and business plans.
- Process level should align with entity level objectives but differ in that they relate directly to goal setting with specific targets and deadlines. It provides guidance for management focus.

Risk Assessment Methodology

The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for Lake Region State College.


Understand the Client’s Business: We begin by understanding the North Dakota University System’s (the System) business by gathering the business objectives, goals, and strategies and identifying the System’s various universities and colleges in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry.

Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of an institution to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken, in the form of missed opportunities. There are six types of risks:

• Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the institution’s inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the institution’s reputation.

• Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.

• Operational: The risk that the institution’s operational processes are not achieving the objectives they were designed for to support the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.

• Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.

• Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the institution and the availability and quality of information the institution can access to support decision making, and the security of key information.

• Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships.

Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.


[Methodology illustration: Areas of Focus Definitions. Impact: Financial; Stakeholder; Reputation; Legal / Regulatory; Operations. Vulnerability: Control Efficiency & Operating Effectiveness; Speed of Response; Complexity; People; Operational Efficiency; System Capability; Rate of Change. Measurement Scale: High Risk; Moderate Risk; Low Risk.]

Execute Risk Assessment Approach: We begin by identifying various interview participants, including key risk owners, and conduct interviews, as applicable. Key risks are gathered during this stage and results are ranked by defined impact and vulnerability criteria.

Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then validated and shared with management, as appropriate. By prioritizing and validating risks, Lake Region State College can align and prioritize its resources to manage and mitigate risks appropriately.

[Illustration axis labels: Impact; Vulnerability; Measurement Scale.]


Project Overview 

Objectives and Scope

The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at Lake Region State College and assess the levels of risk within each of the process areas. In addition, provide Management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process.

The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution:

Functional Area / Process: Detailed Coverage of Functional Area / Process

Academic Affairs: On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment

Athletics: Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance, player and spectator liability

Campus Safety & Security: Building security, campus police/security

Continuing Education: Non-credit courses, community programs, workforce training, conference management

Emergency Preparedness: Emergency preparedness and response procedures, business continuity, risk management

Environmental Health & Safety: Physical safety and soundness of campus buildings, environmental risks, facilities/classroom

Financial Close & Reporting: Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes

Governance: General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action

Grant Administration: Grant tracking and monitoring, accounting, budgeting, reporting

Human Resources & Payroll: Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention

Information Technology: IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk

Marketing / Communications: Social media, publications, web development, brand and logo, advertising channels

Operations & Auxiliary Services: Bookstore, libraries, food services

Faculty & Staff: Workforce training, competency, professional environment, conflict of interest

Student Affairs: Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services

Student Financial Processing: Student financial aid, tuition, enrollment fees, scholarships, funding, student loan processing


Approach

With the assistance of Lake Region State College management, LarsonAllen identified 22 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area.

Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).


Risk Assessment Results 

Enterprise-Wide Risk Map

The enterprise-wide risk map communicates the risk results at the functional area / process level based on the information obtained during the interviews. The description of the risk map is as follows:

• Green – Low Risk

• Yellow – Moderate Risk

• Red – High Risk


Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations | (fifth column truncated in source)

Academic Affairs | Low | Students are required to report criminal offenses on their applications based on an “on your honor” approach and there is a risk that students may not report offenses. | No proposed recommendation. | No addi

Academic Affairs | Low | Enrollment will decrease if the Grand Forks Air Force Base were to stop offering courses, which has been discussed at previous legislative sessions. | No proposed recommendation. | No addi

Academic Affairs | Low | The number of high school students graduating from North Dakota is declining and competition is high with other North Dakota colleges and universities to attract and retain students. | Continue to identify opportunities on how to reach out to a broader group of potential students. In addition, market studies should be performed on potential major and course offerings to improve enrollment. | No addit

Academic Affairs | Low | Reading and writing skills of students at LRSC are below the national average. | No proposed recommendation. | No addi

Athletics | High | There are only two athletic programs; therefore, the institution appears less appealing for students who would like to be involved in an athletic program, affecting overall enrollment numbers. | Perform a cost/benefit analysis to determine if additional athletic programs should be added to the institution. | Agree. M two athlprogram enrollme

Athletics | Low | Adequacy of cash handling and monitoring controls around concessions, ticket, and fund raising revenue. | Internal controls should be reviewed to identify potential risks related to existing cash receipts processes. | No addi


Campus Safety & Security | Moderate | Policies and procedures are not in place to address safety and security incidents that occur on campus and specific actions to take. | Develop a policy and procedures addressing safety and security on campus, including specific actions to take when an incident occurs. Communicate and train all applicable employees on the procedures. | Instituti complet surveillcampus

Campus Safety & Security | Moderate | Appropriate security resources are not in place to perform sufficient ongoing monitoring across campus. | Review the available security resources or time allotted for police force to be on campus and determine if additional resources are needed or if additional security measures should be implemented. | Again c facilitie

Continuing Education | Moderate | Significant growth and change has occurred in the Train ND program over the last several months. | Assess whether the appropriate number of resources, proper oversight, internal controls, relevant procedures, etc. are in place to support the successful growth of the Train ND program. In addition, consider documenting the long-term strategic plan of the program and create measurable goals to perform against. | Train ND the need the N.E. consultawork in

Emergency Preparedness | Moderate | The flooding of Devils Lake and the impact for employees to get to work, long-term existence of college, etc. | No proposed recommendation. | Working continuito have a face or t

Emergency Preparedness | Moderate | Lack of communication and training related to emergency response procedures. | Identify additional ways to communicate emergency response procedures and provide training and testing that involves several areas across the institution. | Risk Ma to addre


Governance | Moderate | Lack of communication related to the Record Retention Policy, knowledge around the policy, and specifically where documents should be stored. | Identify additional methods to communicate the Record Retention Policy and the importance of adhering to the policy. | Commi keeping provide

Governance | Moderate | Lack of understanding by end users for how NDUS policies are categorized and where they are stored. In addition, policies are not always clearly titled to reflect content. | Work closely with the System office to determine if changes should be made to the storage structure and naming of policies to add clarification. | This is w availabl

Governance | Low | Devils Lake is a small community and local community members and businesses are continually tapped for fund raising and donation dollars, making it difficult to continually increase the amount raised each year. | Continue to identify additional alumni, community members, and business relationship opportunities to perform fundraising activities. In addition, perform a cost/benefit analysis to determine if additional funding should be allocated to identifying and building these relationships. | No addi

Grant Administration | Moderate | A detailed review is not consistently performed for grants expenses. | Develop a procedure that requires all grant expenses to be reviewed on a consistent basis. | Grant ex coordin

Grant Administration | Moderate | PeopleSoft does not currently have the capability to track and monitor effort reporting, resulting in the inability to produce all information needed for a compliance review. | Team with the System to review the current methods to track and monitor effort reporting to determine if enhancements could be made to the current reporting methods. Alternatively, consider purchasing a grant and effort reporting tool to enhance reporting accuracy and produce information needed internally and for compliance reviews. | Working to addreManage


Information Technology | Moderate | The disaster recovery plan is not complete. In addition, the portions that are completed and documented are not up-to-date. | Complete the disaster recovery plan and update portions that are not up-to-date. The disaster recovery plan should include, but is not limited to: risk exposures; recovery team responsibilities; first response process and procedures; functional assessment process; asset protection; communications approach; system recovery timeframes; maintenance and testing; training. | Disaster reorgan updated

Information Technology | Moderate | Data back-ups for network files are stored on-site in the data center and taken off-site to someone’s home periodically and stored in a safe. | Identify an off-site storage site to maintain data back-ups for network files. Employees’ homes should not be utilized. | The pre providehome" a be ident

Information Technology | Moderate | Lack of PeopleSoft training, specifically to provide additional education of the overall functionality available in the application and to possibly reduce manual work-arounds. | Consider offering employees the opportunity to attend PeopleSoft training to provide additional education of the overall functionality available in the application and to possibly reduce manual work-arounds. In addition, detailed procedures should be documented by employees who attend the training to reduce knowledge that is lost with turnover in positions. | The “lac addition orientat through operatio

Information Technology | Low | The data center is located in an office that has windows. | Consider moving the data center to a more secure location or removing the window. | The winto the ris not actu assessm


Student Financial Processing | Moderate | Student admission files are not always completed timely and students have been allowed to continue their education at the institution without a complete admissions file, violating financial aid eligibility. | Document a policy and related procedures addressing the admissions process requirements, including documents and information required to complete the admissions file, deadline to complete the file, risks of not completing the file, etc. | These a addresse large nuand lack

Student Financial Processing | Moderate | Ability to stay proactive related to financial aid federal compliance. Changes in legislation are not always known and implemented timely. In addition, interpretation of regulations is difficult. | Develop an action plan with specific measurable goals to continually monitor and stay abreast of financial aid regulations. Discuss regulations with the System Office and other colleges and universities in ND, as needed, to compare interpretations and gain additional confidence that LRSC is in compliance. In addition, consider performing an internal audit to review compliance with regulations. | Internal perform

Student Financial Processing | Moderate | Policies and procedures addressing financial aid are not updated on an ongoing basis to reflect current practices and changes in regulations. | Review financial aid policies and procedures on an ongoing and consistent basis (i.e. annually) and make changes as deemed necessary. | Federal behind c student


Appendix

Impact Criteria

IMPACT CRITERIA (columns: Financial; Stakeholder; Reputation; Legal / Regulatory; Operations)

HIGH
  Financial: (1) Asset size; (2) Prior negative exposure; (3) Rapidly increasing transaction volume
  Stakeholder: (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns
  Reputation: (1) Potential adverse issues are known to external parties, such as media and regulatory bodies
  Legal / Regulatory: (1) Any Federal/State/Other action; (2) External Audit reportable conditions
  Operations: (1) Current infrastructure cannot support business strategy

MEDIUM
  Financial: (1) Asset size; (2) Major potential cost; (3) Transaction volume stable
  Stakeholder: (1) Management, employees and faculty may be affected by process inefficiencies or control breakdown
  Reputation: (1) Potential adverse issues could impact customers
  Legal / Regulatory: (1) Issues identified by Federal/State/Other; (2) Issues identified by External Audit
  Operations: (1) Current infrastructure is able to support business strategy with work arounds

LOW
  Financial: (1) Asset size; (2) Minor potential cost; (3) Transaction volume stable
  Stakeholder: (1) No management, employees and faculty are affected by process inefficiencies or control breakdown
  Reputation: (1) Potential adverse issues could impact employees
  Legal / Regulatory: (1) No issues identified by Federal/State/Other; (2) No issues identified by External Audit
  Operations: (1) Current infrastructure is able to support business strategy

Vulnerability Criteria

VULNERABILITY CRITERIA (columns: Control Effectiveness and Efficiency; Speed of Response; Complexity; People; Operational Efficiency; System Capability; Rate of Change)

HIGH
  Control Effectiveness and Efficiency: Controls are not working or do not exist.
  Speed of Response: No method for anticipating and assessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.
  Complexity: Manual processes with many data transfer points and owners.
  People: A limited number of staff, or current staff has limited competency to manage risk events. Inadequate cross-training exists.
  Operational Efficiency: High/unmeasured cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.
  System Capability: Systems are not operating as designed or design is flawed; very limited controls.
  Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months.

MEDIUM
  Control Effectiveness and Efficiency: Controls are detective but not preventative and there may or may not be effective reporting.
  Speed of Response: A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.
  Complexity: Automated process encompassing multiple systems and owners.
  People: A limited number of staff and/or staff has moderate competency to manage risk events.
  Operational Efficiency: Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.
  System Capability: Systems are operating as designed, but design can be improved; controls are bolted on top of the system.
  Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months.

LOW
  Control Effectiveness and Efficiency: Controls are appropriately preventive and detective and there is effective reporting.
  Speed of Response: A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.
  Complexity: Automated processes with integrated systems.
  People: Most staff has high competency to manage risk events.
  Operational Efficiency: Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.
  System Capability: Systems are designed, implemented, and operating effectively; controls are embedded in the system.
  Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.


 ©2011 LarsonAllen LLP

Mayville State University

Risk Assessment Results

October 14, 2011

Craig W. Popenhagen, CPA

Principal

612/[email protected]


Enterprise-Wide Risk Assessment | Mayville State University 

©2011 LarsonAllen LLP

October 14, 2011

Dr. Gary Hagen
Mayville State University
330 Third Street NE
Main Building 113A
Mayville, ND 58257-1299

Dr. Gary Hagen,

This report provides you, Mayville State University (MaSU) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board’s acceptable risk level.

LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided.

In addition, the procedures performed by LarsonAllen are not a substitution for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide Mayville State University with insight to inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project.

We appreciate the opportunity to assist Mayville State University. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance.

Sincerely,

LarsonAllen LLP

Craig W. Popenhagen, CPA
Principal
612/[email protected]

220 South Sixth Street, Suite 300
Minneapolis, MN 55402-1436
612-376-4500, Fax 612-376-4850


Table of Contents

Executive Summary ... 1
  What is Risk Assessment? ... 1
  Risk Assessment Methodology ... 1

Project Overview ... 4
  Objectives and Scope ... 4
  Approach ... 4

Risk Assessment Results ... 6
  Enterprise-Wide Risk Map ... 6
  Detailed Results ... 6

Appendix ... 17
  Impact Criteria ... 17
  Vulnerability Criteria ... 17


Executive Summary

LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for Mayville State University. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically.

Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical representation of the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Detailed results are also provided communicating the explanation for the risk ranking and recommendations for addressing the risks.

What is Risk Assessment?

Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution, whether it is entity or process level.

• Entity level is the cornerstone for effective control and its objectives provide guidance on what the entity wants to achieve. It should be consistent with budget, strategy, and business plans.

• Process level should align with entity level objectives but differ in that they relate directly to goal setting with specific targets and deadlines. It provides guidance for management focus.

Risk Assessment Methodology

The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for Mayville State University.


Project Overview 

Objectives and Scope

The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at Mayville State University and assess the levels of risk within each of the process areas. In addition, provide Management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process.

The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution:

Functional Area / Process: Detailed Coverage of Functional Area / Process

Academic Affairs: On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment

Athletics: Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance

Campus Safety & Security: Building security, campus police/security

Continuing Education: Non-credit courses, community programs, workforce training, conference management

Emergency Preparedness: Emergency preparedness and response procedures, business continuity, risk management

Environmental Health & Safety: Physical safety and soundness of campus buildings, environmental risks, facilities/classroom

Financial Close & Reporting: Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes

Governance: General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action

Grant Administration: Grant tracking and monitoring, accounting, budgeting, reporting, foundation, donor concentrations, foundation investment strategy

Human Resources & Payroll: Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention

Information Technology: IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk

Marketing / Communications: Social media, publications, web development, brand and logo, advertising channels

Operations & Auxiliary Services: Bookstore, libraries, food services

Faculty & Staff: Workforce training, competency, professional environment, conflict of interest

Student Affairs: Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services

Student Financial Processing: Student/financial aid, tuition, enrollment fees, scholarships, funding, student loan processing


Approach

With the assistance of Mayville State University management, LarsonAllen identified 21 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area.

Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).


Risk Assessment Results 

Enterprise-Wide Risk Map

The enterprise-wide risk map communicates the risk results at the functional area / process level based on the information obtained during the interviews. The description of the risk map is as follows:

- Green – Low Risk
- Yellow – Moderate Risk
- Red – High Risk

The following functional areas / processes are not on the above risk map as there were no risks identified by stakeholders, per the interview discussions:

- Continuing education


Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations

Human Resources & Payroll

Moderate – An independent Human Resources department is not in place and responsibilities are performed by another department.
Recommendation: Perform a cost/benefit analysis to determine if a Human Resources department should be implemented to segregate responsibilities and provide independence.

Moderate – There is a lack of appropriate segregation of duties in the Payroll department.
Recommendation: Review the current responsibilities of each person performing payroll responsibilities to determine if changes should be made to allow for additional segregation of duties.

Low – Payroll processes are manual in nature (i.e. nonexempt employee hours and all employees' sick and vacation time are manually tracked and entered into PeopleSoft).
Recommendation: Information technology personnel should work in conjunction with Payroll personnel to identify potential automated functions within the existing PeopleSoft system.

Low – The benefits election process for new employees and the annual renewal process is very manual. Employees manually complete forms, and benefit elections for new employees and annual open enrollment changes are manually entered into PERS.
Recommendation: No proposed recommendation as this is managed by the state.

Low – Overall employee workload is a concern. Most functional areas identified some level of personnel needs.
Recommendation: Human Resources and other senior management should assess current FTE workload by department. Identify areas of concern and suggest departmental changes to better manage existing workload.


Information Technology

Moderate – The server room is located in an old classroom and contains windows. In addition, the server room is not always locked during business hours.
Recommendation: Consider locking the server room at all times, including business hours, and moving the server room to a more secure location.

Moderate – A data back-up policy is in place, but there is no formal disaster recovery plan.
Recommendation: Develop and document a formal disaster recovery plan. This would include, but is not limited to:
- Risk exposures
- Recovery team responsibilities
- First response process and procedures
- Functional assessment process
- Asset protection
- Communications approach
- System recovery timeframes
- Maintenance and testing
- Training

Moderate – A mobile device policy is in place; however, appropriate security measures have not been technically enforced to support mobile devices.
Recommendation: Consider technically enforcing security measures on mobile devices to enhance security.

Moderate – Gathering data and information quickly when requested by senior leadership, the state, etc. is challenging and time consuming. In addition, there is a lack of query writers at the institution.
Recommendation: Identify current reports in PeopleSoft that are not effective and efficient. In addition, identify additional query writers at MaSU who could assist in enhancing reporting.


Student Financial Processing

Moderate – Class schedules are not finalized timely and faculty do not always submit their book/material requests to the bookstore timely, resulting in the bookstore not being able to provide books/materials timely to students, keep costs effective and affordable, and possibly causing the institution to be in violation of the HEOA.
Recommendation: Continue to educate the registration office and faculty about the importance of finalizing class schedules and submitting book and material requests timely. In addition, identify alternative methods of communication and education.

Low – Lack of local financial aid policies and procedures.
Recommendation: Develop financial aid policies and procedures at the institutional level.


Appendix

Impact Criteria

IMPACT CRITERIA (columns: Financial, Stakeholder, Reputation, Legal / Regulatory, Operations)

HIGH
- Financial: (1) Asset size; (2) Prior negative exposure; (3) Rapidly increasing transaction volume
- Stakeholder: (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns
- Reputation: (1) Potential adverse issues are known to external parties, such as media and regulatory bodies
- Legal / Regulatory: (1) Any Federal/State/Other action; (2) External Audit reportable conditions
- Operations: (1) Current infrastructure cannot support business strategy

MEDIUM
- Financial: (1) Asset size; (2) Major potential cost; (3) Transaction volume stable
- Stakeholder: (1) Management, employees and faculty may be affected by process inefficiencies or control breakdown
- Reputation: (1) Potential adverse issues could impact customers
- Legal / Regulatory: (1) Issues identified by Federal/State/Other; (2) Issues identified by External Audit
- Operations: (1) Current infrastructure is able to support business strategy with work arounds

LOW
- Financial: (1) Asset size; (2) Minor potential cost; (3) Transaction volume stable
- Stakeholder: (1) No management, employees and faculty are affected by process inefficiencies or control breakdown
- Reputation: (1) Potential adverse issues could impact employees
- Legal / Regulatory: (1) No issues identified by Federal/State/Other; (2) No issues identified by External Audit
- Operations: (1) Current infrastructure is able to support business strategy

Vulnerability Criteria

VULNERABILITY CRITERIA (columns: Control Effectiveness and Efficiency, Speed of Response, Complexity, People, Operational Efficiency, System Capability, Rate of Change)

HIGH
- Control Effectiveness and Efficiency: Controls are not working or do not exist.
- Speed of Response: No method for anticipating and assessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.
- Complexity: Manual processes with many data transfer points and owners.
- People: A limited number of staff, or current staff has limited competency to manage risk events. Inadequate cross-training exists.
- Operational Efficiency: High/unmeasured cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.
- System Capability: Systems are not operating as designed or design is flawed; very limited controls.
- Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months.

MEDIUM
- Control Effectiveness and Efficiency: Controls are detective but not preventative and there may or may not be effective reporting.
- Speed of Response: A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.
- Complexity: Automated process encompassing multiple systems and owners.
- People: A limited number of staff and/or staff has moderate competency to manage risk events.
- Operational Efficiency: Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.
- System Capability: Systems are operating as designed, but design can be improved; controls are bolted on top of the system.
- Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months.

LOW
- Control Effectiveness and Efficiency: Controls are appropriately preventive and detective and there is effective reporting.
- Speed of Response: A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.
- Complexity: Automated processes with integrated systems.
- People: Most staff has high competency to manage risk events.
- Operational Efficiency: Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.
- System Capability: Systems are designed, implemented, and operating effectively; controls are embedded in the system.
- Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.


 ©2011 LarsonAllen LLP

Minot State University

Risk Assessment Results

October 14, 2011

Craig W. Popenhagen, CPA

Principal

612/397-3087

[email protected]


Enterprise-Wide Risk Assessment | Minot State University 

©2011 LarsonAllen LLP

October 14, 2011

Dr. David Fuller

Minot State University

500 University Avenue West

Minot, ND 58707

Dr. Fuller,

This report provides you, Minot State University (MiSU) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board’s acceptable risk level.

LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided.

In addition, the procedures performed by LarsonAllen are not a substitute for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide Minot State University with insight into inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project.

We appreciate the opportunity to assist Minot State University. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance.

Sincerely,

LarsonAllen LLP

Craig W. Popenhagen, CPA

Principal

612/397-3087

[email protected]

220 South Sixth Street, Suite 300
Minneapolis, MN 55402-1436
612-376-4500, Fax 612-376-4850


Table of Contents

Executive Summary 1
  What is Risk Assessment? 1
  Risk Assessment Methodology 1
Project Overview 4
  Objectives and Scope 4
  Approach 4
Risk Assessment Results 6
  Enterprise-Wide Risk Map 6
  Detailed Results 7
Appendix 16
  Impact Criteria 16
  Vulnerability Criteria 16


Executive Summary

LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for Minot State University. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically.

Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical representation of the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Detailed results are also provided communicating the explanation for the risk ranking and recommendations for addressing the risks.

What is Risk Assessment?

Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution, whether at the entity or process level.

- Entity level: the cornerstone for effective control; its objectives provide guidance on what the entity wants to achieve and should be consistent with budget, strategy, and business plans.

- Process level: objectives should align with entity level objectives but differ in that they relate directly to goal setting with specific targets and deadlines. They provide guidance for management focus.

Risk Assessment Methodology

The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for Minot State University.


Understand the Client’s Business: We begin by understanding the North Dakota University System’s (the System) business by gathering the business objectives, goals, and strategies and identifying the System’s various universities and colleges in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry.

Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of an institution to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken, in the form of missed opportunities. There are six types of risks:

- Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the institution’s inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the institution’s reputation.

- Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.

- Operational: The risk that the institution’s operational processes are not achieving the objectives they were designed for to support the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.

- Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.

- Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the institution and the availability and quality of information the institution can access to support decision making, and the security of key information.

- Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships.

Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See the illustration below for definitions.


Areas of Focus / Definitions (illustration)

Impact: Financial; Stakeholder; Reputation; Legal / Regulatory; Operations

Vulnerability: Control Efficiency & Operating Effectiveness; Speed of Response; Complexity; People; Operational Efficiency; System Capability; Rate of Change

Measurement Scale: High Risk; Moderate Risk; Low Risk

Execute Risk Assessment Approach: We begin by identifying various interview participants, including key risk owners, and conduct interviews, as applicable. Key risks are gathered during this stage and results are ranked by defined impact and vulnerability criteria.

Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then validated and shared with management, as appropriate. By prioritizing and validating risks, Minot State University can align and prioritize its resources to manage and mitigate risks appropriately.


Project Overview 

Objectives and Scope

The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at Minot State University and assess the levels of risk within each of the process areas. In addition, the assessment was to provide Management with visibility to the process areas that contain the highest potential risk as determined by the risk assessment process.

The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution:

Functional Area / Process: Detailed Coverage of Functional Area / Process

Academic Affairs: On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment

Athletics: Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance, player and spectator liability

Campus Safety & Security: Building security, campus police/security

Continuing Education: Non-credit courses, community programs, workforce training, conference management

Emergency Preparedness: Emergency preparedness and response procedures, business continuity, risk management

Environmental Health & Safety: Physical safety and soundness of campus buildings, environmental risks, facilities/classroom

Financial Close & Reporting: Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes

Governance: General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action

Grant Administration: Grant tracking and monitoring, accounting, budgeting, reporting

Human Resources & Payroll: Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention

Information Technology: IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk

Marketing / Communications: Social media, publications, web development, brand and logo, advertising channels

Operations & Auxiliary Services: Bookstore, libraries, food services

Faculty & Staff: Workforce training, competency, professional environment, conflict of interest

Student Affairs: Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services

Student Financial Processing: Student financial aid, tuition, enrollment fees, scholarships, funding, student loan processing


Approach

With the assistance of Minot State University management, LarsonAllen identified 24 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area.

Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).


Risk Assessment Results 

Enterprise-Wide Risk Map

The enterprise-wide risk map communicates the risk results at the functional area / process level based on the information obtained during the interviews. The description of the risk map is as follows:

- Green – Low Risk
- Yellow – Moderate Risk
- Red – High Risk

The following functional areas / processes are not on the above risk map as there were no risks identified by stakeholders, per the interview discussions:

- Continuing education
- Environmental Health & Safety


Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations

Information Technology

Moderate – Internally developed software is being utilized where PeopleSoft could potentially be leveraged, and manual work-arounds have been created outside of PeopleSoft and other systems.
Recommendation: A current state assessment should be performed for all functional areas to identify where internally developed software is being utilized and manual work-arounds have been created outside of PeopleSoft, to determine if it continues to make good business sense to continue with the current methods.

Low – Several buildings need fiber infrastructure upgrades.
Recommendation: Review the current fiber infrastructure upgrades needed in buildings across campus to determine where there are concerns and prioritize installation based on risk.

Low – Classes have been cancelled in the library due to recent changes in the wireless network.
Recommendation: Identify the root cause(s) of the roadblocks with the wireless network in the library to determine if changes need to be made to limit classes that are cancelled.

Marketing & Communications

Low – Additional communication and marketing should be implemented to promote the primary programs offered by the institution. In addition, there are concerns that the community is not aware of the primary programs offered by MiSU.
Recommendation: Review the current methods to communicate and market the primary programs at MiSU and determine if changes need to be made to the current methods, if additional communication and marketing should be implemented, etc.

Low – Staying abreast of new and current marketing trends to reach students.
Recommendation: Continue to identify additional ways to stay abreast of new and current marketing trends to reach students.


Operations & Auxiliary Services

Moderate – Purchasing processes for the library are inefficient: purchase orders are not used to receive against, p-cards are not utilized, and there is no automated workflow.
Recommendation: Perform an internal audit of the purchasing processes at the library to identify efficiencies that could be gained to reduce time and cost in these processes. In addition, determine if additional technology could be utilized to gain efficiencies.

Faculty & Staff

Moderate – There is only one person in the Human Resources group to perform all responsibilities; therefore, there is no cross training or human resource personnel to perform back-up responsibilities when this individual is out.
Recommendation: Identify a resource to cross train and perform back-up responsibilities when the Human Resources Director is out of the office.

Moderate – Lack of succession planning and cross training for most positions within the institution.
Recommendation: Functional areas should evaluate where it is most critical to implement succession plans and cross train employees. Develop an action plan to implement and cross train where necessary.

Low – Overall employee workload is a concern. Most functional areas identified some level of personnel needs. In addition, there are concerns about how resources are being utilized across the institution, what functional areas are significantly lacking resources, and what resources could be realigned to even out workloads.
Recommendation: Perform an assessment to determine how resources are being utilized across all functional areas, tracking of hours worked, efficiencies that could be gained, etc.


Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations

Student Financial Processing

Low | The MiSU local manual for financial aid needs to be updated to reflect current practices and changes to regulations. | Review the local manual for financial aid to determine where changes should be made to reflect existing practices and changes to regulations. In addition, perform a review of the manual on an ongoing basis. | N/A

Low | Scholarships are too narrow and specific and do not reach a broad group of students. | Review eligibility for scholarships and determine if the criteria are too narrow or specific and determine if scholarships should reach a broader group of students. | N/A

Low | Keeping tuition and room and board costs effective and affordable for students. In addition, off campus living costs are continually increasing due to oil fields, resulting in limited residence hall space on campus. | Continue to perform appropriate research and benchmarking to ensure MiSU tuition and room and board prices are competitive and in line with other colleges and universities. | N/A

Low | Reputation risk, specifically the measures taken towards students who have not paid their tuition or who make late payments on tuition. | Review procedures to follow-up with students who have not paid their tuition to determine if changes should be made. In addition, evaluate the attitudes of staff towards students when following up. | N/A


Appendix

Impact Criteria

HIGH
Financial: (1) Asset size (2) Prior negative exposure (3) Rapidly increasing transaction volume
Stakeholder: (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns
Reputation: (1) Potential adverse issues are known to external parties, such as media and regulatory bodies
Legal / Regulatory: (1) Any Federal/State/Other action (2) External Audit reportable conditions
Operations: (1) Current infrastructure cannot support business strategy

MEDIUM
Financial: (1) Asset size (2) Major potential cost (3) Transaction volume stable
Stakeholder: (1) Management, employees and faculty may be affected by process inefficiencies or control breakdown
Reputation: (1) Potential adverse issues could impact customers
Legal / Regulatory: (1) Issues identified by Federal/State/Other (2) Issues identified by External Audit
Operations: (1) Current infrastructure is able to support business strategy with work arounds

LOW
Financial: (1) Asset size (2) Minor potential cost (3) Transaction volume stable
Stakeholder: (1) No management, employees and faculty are affected by process inefficiencies or control breakdown
Reputation: (1) Potential adverse issues could impact employees
Legal / Regulatory: (1) No issues identified by Federal/State/Other (2) No issues identified by External Audit
Operations: (1) Current infrastructure is able to support business strategy

Vulnerability Criteria

HIGH
Control Effectiveness and Efficiency: Controls are not working or do not exist.
Speed of Response: No method for anticipating and assessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.
Complexity: Manual processes with many data transfer points and owners.
People: A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists.
Operational Efficiency: High/unmeasured cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.
System Capability: Systems are not operating as designed or design is flawed; very limited controls.
Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months.

MEDIUM
Control Effectiveness and Efficiency: Controls are detective but not preventative and there may or may not be effective reporting.
Speed of Response: A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.
Complexity: Automated process encompassing multiple systems and owners.
People: A limited number of staff and/or staff has moderate competency to manage risk event.
Operational Efficiency: Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.
System Capability: Systems are operating as designed, but design can be improved; controls are bolted on top of the system.
Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months.

LOW
Control Effectiveness and Efficiency: Controls are appropriately preventive and detective and there is effective reporting.
Speed of Response: A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.
Complexity: Automated processes with integrated systems.
People: Most staff has high competency to manage risk events.
Operational Efficiency: Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.
System Capability: Systems are designed, implemented, and operating effectively; controls are embedded in the system.
Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.


©2011 LarsonAllen LLP

North Dakota State College of Science

Risk Assessment Results

October 14, 2011

Craig W. Popenhagen, CPA
Principal
612/397-3087
[email protected]


Enterprise-Wide Risk Assessment | North Dakota State College of Science 

©2011 LarsonAllen LLP

October 14, 2011

Dr. John Richman
North Dakota State College of Science
800 Sixth Street North
Wahpeton, North Dakota 58076-0002

Dr. Richman,

This report provides you, North Dakota State College of Science (NDSCS) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board’s acceptable risk level.

LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided.

In addition, the procedures performed by LarsonAllen are not a substitution for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide North Dakota State College of Science with insight to inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project.

We appreciate the opportunity to assist North Dakota State College of Science. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance.

Sincerely,

LarsonAllen LLP

Craig W. Popenhagen, CPA
Principal
612/397-3087
[email protected]

220 South Sixth Street, Suite 300
Minneapolis, MN 55402-1436
612-376-4500, Fax 612-376-4850


Table of Contents

Executive Summary 1
  What is Risk Assessment? 1
  Risk Assessment Methodology 1
Project Overview 4
  Objectives and Scope 4
  Approach 4
Risk Assessment Results 6
  Enterprise-Wide Risk Map 6
  Detailed Results 7
Appendix 14
  Impact Criteria 15
  Vulnerability Criteria 15


Understand the Client’s Business: We begin by understanding the North Dakota University System’s (the System) business by gathering the business objectives, goals, and strategies and identifying the System’s various universities and colleges in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry.

Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of an institution to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken in the form of missed opportunities. There are six types of risks:

- Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the institution’s inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the institution’s reputation.

- Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.

- Operational: The risk that the institution’s operational processes are not achieving the objectives they were designed for to support the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.

- Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.

- Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the institution and the availability and quality of information the institution can access to support decision making, and the security of key information.

- Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships.

Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.


[Illustration: Areas of Focus and Definitions]

Impact: Financial; Stakeholder; Reputation; Legal / Regulatory; Operations

Vulnerability: Control Efficiency & Operating Effectiveness; Speed of Response; Complexity; People; Operational Efficiency; System Capability; Rate of Change

Measurement Scale: High Risk; Moderate Risk; Low Risk

Execute Risk Assessment Approach: We begin by identifying various interview participants, including key risk owners, and conduct interviews, as applicable. Key risks are gathered during this stage and results are ranked by defined impact and vulnerability criteria.

Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then validated and shared with management, as appropriate. By prioritizing and validating risks, North Dakota State College of Science can align and prioritize its resources to manage and mitigate risks appropriately.



Project Overview 

Objectives and Scope

The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at North Dakota State College of Science and assess the levels of risk within each of the process areas. In addition, provide Management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process.

The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution:

Functional Area / Process | Detailed Coverage of Functional Area / Process
Academic Affairs | On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment
Athletics | Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance, player and spectator liability
Campus Safety & Security | Building security, campus police/security
Continuing Education | Non-credit courses, community programs, workforce training, conference management
Emergency Preparedness | Emergency preparedness and response procedures, business continuity, risk management
Environmental Health & Safety | Physical safety and soundness of campus buildings, environmental risks, facilities/classroom
Financial Close & Reporting | Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes
Governance | General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action
Grant Administration | Grant tracking and monitoring, accounting, budgeting, reporting
Human Resources & Payroll | Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention
Information Technology | IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk
Marketing / Communications | Social media, publications, web development, brand and logo, advertising channels
Operations & Auxiliary Services | Bookstore, libraries, food services
Faculty & Staff | Workforce training, competency, professional environment, conflict of interest
Student Affairs | Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services
Student Financial Processing | Student financial aid, tuition, enrollment fees, scholarships, funding, student loan processing


Approach

With the assistance of North Dakota State College of Science management, LarsonAllen identified 16 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area.

Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).


Risk Assessment Results

Enterprise-Wide Risk Map

The enterprise-wide risk map communicates the risk results at the functional area / process level based on the information obtained during the interviews. The description of the risk map is as follows:

- Green – Low Risk
- Yellow – Moderate Risk
- Red – High Risk

The following functional areas / processes are not on the above risk map as there were no risks identified by stakeholders, per the interview discussions:

- Continuing education
- Marketing / communications
- Student affairs
- Student financial processing


Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations

Academic Affairs

Low Added re

Instructio

provide iinnovativ

techniqu

eCompan

Technolo

examples

Athletics

Low | Adequacy of cash and inventory handling, specifically monitoring controls around concessions and ticket revenue. | Internal controls should be reviewed to identify potential risks related to existing cash receipts and tracking of inventory processes.

An intern

and impl

Campus Safety & Security

Low | Lack of security at weekend events. | Perform a cost/benefit analysis to determine if additional security resources should be allocated to weekend events on campus.

The NDS

security tduring ho

are sched

shift cove

athletic e

schedule

occasion

In Day an

volume o

campus w

of provid


Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations

Emergency Preparedness

Moderate | Lack of communication and training related to emergency response procedures, including staff, faculty, students, and student workers. | Identify additional ways to communicate emergency response procedures and provide training and testing that involves several areas across the institution.

Emergen

the emer

emergenare poste

employe

conducte

buildings

Environmental Health & Safety

Low | There are air quality, ventilation, and mold issues in the Old Main building. In addition, the football locker rooms have mold and are unusable. | Continue to prioritize capital projects, renovations, and maintenance needs across campus to determine which facilities are a priority in the next fiscal year’s budget.

The lockOld Main

biennium

Low | Lack of classroom space at the Fargo location. Credit programs courses are utilizing space at the Fargo location and the Fargo location was initially built for workforce training only. | Continue to prioritize capital project needs across campus to determine if additional classroom space should be priority in the next fiscal year’s budget.

An analy

projected

office spboth acad

evaluated

Beginnin

being inc

institutio

NDSCS-

annual ba

Wahpeto

Adequate

NDSCS-

upgradinOld Main

continge

accommo

Main ren

demolitio


Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations

Operations & Auxiliary Services

Low | Food costs continue to increase within the Dining Services function and there are concerns about maintaining sufficient profit levels. | Continue to review food costs and identify methods to keep costs down. In addition, evaluate current sale prices to determine if prices continue to be appropriate.

The Food

Dining S

levels: 20

2009: 33to studen

5%, 2009

concerne

beverage

are confimethods

managed

priority t

provide hprices to

Faculty & Staff

Moderate | Several manager and supervisor positions are filled with resources that have not previously been in a manager or supervisory role. | Consider offering training for new managers or supervisors (existing managers as needed) that addresses leadership, discipline, adherence to policies, appropriate behavior, etc.

A new L

been impaddress t

Moderate | Recruitment and retention of faculty is a concern, specifically as it relates to the compensation offered for these positions. | Continue to benchmark wages with other North Dakota colleges and universities.

Salary su

benchma


Appendix

Impact Criteria

HIGH
Financial: (1) Asset size (2) Prior negative exposure (3) Rapidly increasing transaction volume
Stakeholder: (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns
Reputation: (1) Potential adverse issues are known to external parties, such as media and regulatory bodies
Legal / Regulatory: (1) Any Federal/State/Other action (2) External Audit reportable conditions
Operations: (1) Current infrastructure cannot support business strategy

MEDIUM
Financial: (1) Asset size (2) Major potential cost (3) Transaction volume stable
Stakeholder: (1) Management, employees and faculty may be affected by process inefficiencies or control breakdown
Reputation: (1) Potential adverse issues could impact customers
Legal / Regulatory: (1) Issues identified by Federal/State/Other (2) Issues identified by External Audit
Operations: (1) Current infrastructure is able to support business strategy with work arounds

LOW
Financial: (1) Asset size (2) Minor potential cost (3) Transaction volume stable
Stakeholder: (1) No management, employees and faculty are affected by process inefficiencies or control breakdown
Reputation: (1) Potential adverse issues could impact employees
Legal / Regulatory: (1) No issues identified by Federal/State/Other (2) No issues identified by External Audit
Operations: (1) Current infrastructure is able to support business strategy

Vulnerability Criteria

HIGH
Control Effectiveness and Efficiency: Controls are not working or do not exist.
Speed of Response: No method for anticipating and assessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.
Complexity: Manual processes with many data transfer points and owners.
People: A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists.
Operational Efficiency: High/unmeasured cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.
System Capability: Systems are not operating as designed or design is flawed; very limited controls.
Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months.

MEDIUM
Control Effectiveness and Efficiency: Controls are detective but not preventative and there may or may not be effective reporting.
Speed of Response: A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.
Complexity: Automated process encompassing multiple systems and owners.
People: A limited number of staff and/or staff has moderate competency to manage risk event.
Operational Efficiency: Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.
System Capability: Systems are operating as designed, but design can be improved; controls are bolted on top of the system.
Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months.

LOW
Control Effectiveness and Efficiency: Controls are appropriately preventive and detective and there is effective reporting.
Speed of Response: A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.
Complexity: Automated processes with integrated systems.
People: Most staff has high competency to manage risk events.
Operational Efficiency: Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.
System Capability: Systems are designed, implemented, and operating effectively; controls are embedded in the system.
Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.


©2011 LarsonAllen LLP

North Dakota State University

Risk Assessment Results

October 14, 2011

Craig W. Popenhagen, CPA
Principal
612/397-3087
[email protected]


Enterprise-Wide Risk Assessment | North Dakota State University 

©2011 LarsonAllen LLP

October 14, 2011

Dr. Dean Bresciani
North Dakota State University
1340 Administration Ave.
Fargo, ND 58102

Dr. Bresciani,

This report provides you, North Dakota State University (NDSU) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board’s acceptable risk level.

LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided.

In addition, the procedures performed by LarsonAllen are not a substitution for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide North Dakota State University with insight to inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project.

We appreciate the opportunity to assist North Dakota State University. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance.

Sincerely,

LarsonAllen LLP

Craig W. Popenhagen, CPA
Principal
612/397-3087
[email protected]

220 South Sixth Street, Suite 300
Minneapolis, MN 55402-1436
612-376-4500, Fax 612-376-4850


Table of Contents

Executive Summary 1
  What is Risk Assessment? 1
  Risk Assessment Methodology 1
Project Overview 4
  Objectives and Scope 4
  Approach 4
Risk Assessment Results 6
  Enterprise-Wide Risk Map 6
  Detailed Results 6
Appendix 31
  Impact Criteria 31
  Vulnerability Criteria 31


Executive Summary

LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for North Dakota StateUniversity. This included identifying and ranking the key financial, operational, strategic, and informationtechnology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability

of the risk occurring given the current environment. The risk environment is dynamic and will continue tochange; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically. 

Documentation for the risk assessment consists of an enterprise-wide risk map encompassing thesignificant functional areas or processes within the institution. The enterprise-wide risk map is a graphicalrepresentation of the relative impact and vulnerability of a risk event for each of the key financial,operational, and IT processes. Detailed results are also provided communicating the explanation for therisk ranking and recommendations for addressing the risks.

What is Risk Assessment?

Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse

conditions and/or events and their potential effects on the institution. The process starts with identifyingrisks associated with business objectives linked through all levels of the institution whether it is entity orprocess level.

  Entity level is the cornerstone for effective control, and its objectives provide guidance on what the entity wants to achieve. It should be consistent with budget, strategy, and business plans.

  Process level should align with entity level objectives but differs in that it relates directly to goal setting with specific targets and deadlines. It provides guidance for management focus.

Risk Assessment Methodology

The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for North Dakota State University.


Understand the Client's Business: We begin by understanding the North Dakota University System's (the System) business by gathering the business objectives, goals, and strategies and identifying the System's various universities and colleges, in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry.

Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of an institution to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken, in the form of missed opportunities. There are six types of risks:

  Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the institution's inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the institution's reputation.

  Financial: The risk that the institution's financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.

  Operational: The risk that the institution's operational processes are not achieving the objectives they were designed for to support the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.

  Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.

  Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the institution, the availability and quality of information the institution can access to support decision making, and the security of key information.

  Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships.

Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See the illustration below for definitions.


Areas of Focus Definitions (illustration of the model's criteria and scale):

  Impact: Financial; Stakeholder; Reputation; Legal / Regulatory; Operations

  Vulnerability: Control Efficiency & Operating Effectiveness; Speed of Response; Complexity; People; Operational Efficiency; System Capability; Rate of Change

  Measurement Scale: High Risk; Moderate Risk; Low Risk

Execute Risk Assessment Approach: We begin by identifying various interview participants, including key risk owners, and conduct interviews, as applicable. Key risks are gathered during this stage and results are ranked by the defined impact and vulnerability criteria.

Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then validated and shared with management, as appropriate. By prioritizing and validating risks, North Dakota State University can align and prioritize its resources to manage and mitigate risks appropriately.


Project Overview 

Objectives and Scope

The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at North Dakota State University and assess the levels of risk within each of the process areas. In addition, the assessment provides management with visibility into the process areas that contain the highest potential risk as determined by the risk assessment process.

The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution:

Functional Area / Process: Detailed Coverage of Functional Area / Process

Academic Affairs: On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment

Athletics: Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance, player and spectator liability

Campus Safety & Security: Building security, campus police/security

Continuing Education: Non-credit courses, community programs, workforce training, conference management

Emergency Preparedness: Emergency preparedness and response procedures, business continuity, risk management

Environmental Health & Safety: Physical safety and soundness of campus buildings, environmental risks, facilities/classroom

Financial Close & Reporting: Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes

Governance: General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action

Grant Administration: Grant tracking and monitoring, accounting, budgeting, reporting

Human Resources & Payroll: Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention

Information Technology: IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk

Marketing / Communications: Social media, publications, web development, brand and logo, advertising channels

Operations & Auxiliary Services: Bookstore, libraries, food services

Faculty & Staff: Workforce training, competency, professional environment, conflict of interest

Student Affairs: Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services

Student Financial Processing: Student financial aid, tuition, enrollment fees, scholarships, funding, student loan processing


Approach

With the assistance of North Dakota State University management, LarsonAllen identified 24 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area.

Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).


Risk Assessment Results 

Enterprise-Wide Risk Map

The enterprise-wide risk map communicates the risk results at the functional area / process level based on the information obtained during the interviews. The description of the risk map is as follows:

  Green – Low Risk 

  Yellow – Moderate Risk 

  Red – High Risk 

The following functional areas / processes are not on the above risk map, as there were no risks identified by stakeholders, per the interview discussions:

  Continuing education

  Student affairs


Detailed Results

Per discussions with process owners, LarsonAllen identified several processes where specific risks may exist. These risks ideisk ranking of each key financial, operational, and IT processes. The risks identified were based upon discussions with proesting of controls. The following is a list of the risks identified by LarsonAllen, in addition to the risk ranking and recommend

Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations

Functional Area / Process: Academic Affairs
Risk Ranking: High
Identified Risk: The institution is in need of a significant number of faculty positions and is also significantly underfunded when reviewing the total student population relative to current funding.
Proposed Recommendation: Review current faculty positions and compare them to growth strategies to ascertain whether they are in alignment.

Due to sNDSU’1:16 hasratio NDadjunct students

Risk Ranking: Moderate
Identified Risk: Meeting federal requirements for distance learning, specifically procedures to follow for state-level requirements when NDSU offers distance learning in other states, permissions needed, evidence and documentation to maintain, licensing fees, etc. In addition, determining if it is cost beneficial to offer distance learning in various states.
Proposed Recommendation: Develop policies and procedures specific to offering distance learning in other states to ensure federal requirements are being met and to determine if it makes good business sense to offer distance learning in various states based on student interest and fees.

This hasDept. ofNDUS,

solutionthe USDimplemdevelopsolution


Functional Area / Process: Athletics
Risk Ranking: Low
Identified Risk: Athletic events have students consuming alcoholic beverages or who consumed alcoholic beverages prior to arriving at the event, and this continues to be a liability.
Proposed Recommendation: Continue to assess policies, procedures, safety, and security on an ongoing basis, specific to athletic events, to determine if appropriate measures are in place and actions taken.

Given thalcohol

sensitivsecuritycurrent Alcoholbelievesevents ikeenly aworks wthe Offifacilitiesharing regardinstaffs fr

review isite, admDirectorclose coabout anof alcohadminiscompetiresponsand secu


Functional Area / Process: Environmental Health & Safety
Risk Ranking: High
Identified Risk: The IACC building's environmental temperature control system is unable to support the needs of the information technology equipment it houses.
Proposed Recommendation: The current environmental temperature control system should be enhanced or replaced to support the information technology equipment.

The HVdone by

list of neContracAugust will be iissues insome isadded toproject l

Risk Ranking: High
Identified Risk: The demand to expand facilities, stay current with maintenance, etc. is not keeping up with the growth of the university. In addition, there are concerns related to building safety and soundness; there are possible code violations. As code changes evolve, several buildings were "grandfathered" in and proper assessments have not continued to take place.
Proposed Recommendation: Continue to prioritize capital projects, renovations, and maintenance needs across campus to determine which buildings are a priority in the next fiscal year's budget, and assess whether the institution is in violation of code.

NDSU hupdatedFacilitiedocume

activitieSBHE ghealth afollowemaintenfinanciarepairs. have a fbuildingconcerntop of th

NDSU’

extraordover $25mainten


Functional Area / Process: Environmental Health & Safety
Risk Ranking: Low
Identified Risk: The structure of the Facilities function, including reporting lines, roles and responsibilities, etc., is inconsistent, and certain responsibilities fall within duplicate departmental divisions within the Facilities function. In addition, there is no cross training between departmental divisions.
Proposed Recommendation: Consider developing formal job descriptions for all personnel within the Facilities function to determine if the roles and responsibilities fall under the appropriate departmental division or if changes should be made. Determine where there may be duplication of responsibilities across divisions. In addition, consider the benefits gained from cross training within and across departmental divisions.

NDSU Fof a re-o

 job desc

trainingwill be rand crosassignedcurrentlpositionFacilitieprocess referenc

Functional Area / Process: Financial Close & Reporting
Risk Ranking: High
Identified Risk: The institution has $12M in underfunded projects.
Proposed Recommendation: Continue to review and update the strategic plan to assess underfunded projects and prioritize needs appropriately.

The diviwill worleadersh

appropridevelopcommitmUniversiwith exp

NDSU callocatiocontinuieffectivereallocathe abilistrategic


Functional Area / Process: Governance
Risk Ranking: High
Identified Risk: Concerns related to the legislative session and the funding available to NDSU as a result of the session. In addition, the university is significantly underfunded when compared to its peers, and there are concerns whether the funding is being disbursed appropriately throughout all the colleges and universities in North Dakota.
Proposed Recommendation: NDSU and NDUS should continue to work with the legislators to determine if funding is appropriate for NDSU.

Agree.


Functional Area / Process: Governance
Risk Ranking: Moderate
Identified Risk: New System-level policies and changes to existing policies communicated to NDSU are not always further communicated to the appropriate personnel at the institution. In addition, policies are not always interpreted appropriately.
Proposed Recommendation: Develop procedures institution-wide to ensure all new System-level policies and changes to existing System-level policies are communicated to applicable parties at the institution. In addition, identify policies where interpretation is difficult and continue to reach out to other campuses or the System office for further clarification.

NDSU dwhen ch

policiesthroughand forwfor inpurevieweand the the onlipolicies“It’s HafinalizePolicy C

In addit

CoordinFall 201to:a. Encouthoroughstimulatpolicy pb. CoordappropriFaculty c. Send pappropri

approvad. ServeFacultyand Stud


Functional Area / Process: Governance
Risk Ranking: Moderate
Identified Risk: Campuses are allowed "flexibility" under the flexibility with accountability expectations of SB 2003 passed by the 2001 Legislative Assembly; however, NDSU and the System office are not always in agreement on the definition of flexibility and on which processes and changes should be driven by the System office vs. NDSU.
Proposed Recommendation: Team with the System office and other campuses to define "flexibility", discuss concerns, and enhance communication. In addition, team with the information technology group to determine if PeopleSoft can report data in multiple ways to allow the System and NDSU to have the data reported in the format they need (i.e. institutional vs. cumulative GPA).

NDSU wOffice.

Risk Ranking: Moderate
Identified Risk: The Director of Internal Audit reports directly to the President (i.e. the President provides performance evaluations, wage adjustments, etc.), resulting in potential independence issues.
Proposed Recommendation: Per the Institute of Internal Auditors (IIA), PA 1110-1: Organizational Independence, consider changing the functional reporting structure for the Director of Internal Audit to the Board or Audit Committee, with a dotted line (administrative reporting) to the President.

Stronglytitle is inis considNDSU athe Pres

interest businesthat “exaudit coPresiden


Governance

Moderate   Manstud

Conacceaccedutineedlongchan

  Conneedlaw

Studentcompliaall new additionconsulteand inte

The GencompliaportionsResearchHR, Gra

The Inte

compliaareas of


Functional Area / Process: Governance
Risk Ranking: Moderate
Identified Risk: A formal risk assessment is not performed to identify specific risks and to assist in the development of the internal audit plan.
Proposed Recommendation: Consider leveraging the enterprise-wide risk assessment performed by LarsonAllen in the development of future internal audit plans. In addition, continue to assess and rank risks on an ongoing basis, with a full risk assessment being performed regularly.

NDSU uassessm

actions the annuwas hiredesigninplanninLarson Aaddress structurand repeutilize o

Risk Ranking: Moderate
Identified Risk: Processes to prioritize and make changes within PeopleSoft are governed by Connect ND. Prioritization and decision making is not clearly defined and does not always involve NDSU when the institution feels it is necessary. NDSU staff and faculty are users of PeopleSoft and are significantly affected by changes.
Proposed Recommendation: Team with the System office and Connect ND to determine if current policies and procedures to prioritize and make changes to PeopleSoft should be more clearly defined and if involvement of the institutions is appropriate.

Additionresearch

the veryfrom theCurrent “democruniversisystem.


Functional Area / Process: Governance
Risk Ranking: Low
Identified Risk: Concerns related to intellectual property, such as research, export controls, etc., and whether appropriate procedures are in place to reduce and address such risk.
Proposed Recommendation: Continue to communicate relevant policies and procedures related to intellectual property to appropriate personnel. In addition, continue to review such documents to validate that risks are continually discussed and addressed.

NDSU h(IP) pol

SBHE PproceduNDSU phttp://wpolicy aFY 200StandinConsultapprove2010 theForce copersonnTask Fo

to finalibe forwResearcTransfecampusvarious The Teca resourundersta

Based orisk issu

were idcharge to the ureview regardinrelating


Chance"appropdesigne

innovatindividupromotfor the pand statGenerathat thegovernidiscovecourt opforce mimpact

task forlanguagemployinventioa samplused/in

Further,providesnotice oManageto read t

and signsignifyinAnnual Nand to co


Governance

Low discuss. Policy 1Informa

providesemployeand info

Functional Area / Process: Grant Administration
Risk Ranking: High
Identified Risk: Congress is discussing making cuts related to earmarked dollars critical to research.
Proposed Recommendation: No proposed recommendation.

The earzeroed oCongresearmarkVice PreActivitiplacing identifymitigate

Risk Ranking: Moderate
Identified Risk: Concerns related to the visibility and actions taken for excess funds that exceed the grant term, specifically expenses being applied to grants that have expired if there are still dollars left, carryover approvals from the grantor, and communication related to carryovers.
Proposed Recommendation: Perform additional centralized review and oversight of the grant process to determine the volume of excess funds and if appropriate internal controls are in place to carry over the funds or return funds to the grantor. In addition, review the expiration of grants and when expenses were applied to determine if there were expenses applied to grants that expired without approval of continued use.

NDSU wthe overthe PI’s

Grants &Researcgrant tra


Functional Area / Process: Human Resources & Payroll
Risk Ranking: Low
Identified Risk: Payroll processes are very manual (i.e. leave forms are used to approve sick and vacation time, manual time cards are utilized in several instances, etc.). In addition, PeopleSoft is manually updated in all instances.
Proposed Recommendation: Payroll should work with the Information Technology group to determine if there are additional processes that could be automated in PeopleSoft and automated workflow tools that exist and/or could be utilized, and perform a cost/benefit analysis to determine if additional software should be purchased (if needed) to automate manual processes.

Connectreviewin

managerPeopleSNDSU’sthat com

In additiPeopleAbenefittesubmitte

PeopleSimplemecan mak

and direcompletand are e

Risk Ranking: Low
Identified Risk: The benefits election process for new employees and the annual renewal process are very manual. Employees manually complete forms and benefit elections if they are a new employee and for the annual open enrollment process. Changes are manually entered into PERS with duplicate entry into PeopleSoft.
Proposed Recommendation: No proposed recommendation, as this is managed by the state.

NDPERonline emfuture. W


Functional Area / Process: Information Technology
Risk Ranking: High
Identified Risk: There are many shadow systems that are being utilized outside of PeopleSoft and across various functional areas. In addition, there is not an inventory maintained of all the shadow systems to identify what they are used for, who manages them, etc.
Proposed Recommendation: Identify a resource(s) to inventory all shadow systems maintained outside of PeopleSoft and gather additional information such as what department is using the system, the purpose for using it, who manages the system, if PeopleSoft offers the functionality the shadow system is being used for, etc. Determine if shadow systems can be eliminated and processes performed in PeopleSoft.

PeopleSInforma

the DataSignificneed to

NDSU’all, shadinventor

A determcould suneed to Divisionsupport

Risk Ranking: High
Identified Risk: Electrical capacity in the technology building is inadequate. There are also concerns related to other buildings around campus. In addition, there have been instances where back-up generators have failed.
Proposed Recommendation: Review the current power methods and capability in all buildings across campus to determine where there are concerns, and prioritize the risks and the need for replacements.

In orderAg ComengineeHVAC of $4M.prioritizaddresse


Functional Area / Process: Information Technology
Risk Ranking: Low
Identified Risk: There are several documents that address disaster recovery; however, they are not consolidated into one document. In addition, the specific flood preparations document for 2009-2011 is incomplete.
Proposed Recommendation: Consider consolidating all plans into one document and review the document(s) on an ongoing basis to ensure they are completed.

(A) Disfunction

and docReady Callow Uquickly preparaand doc(B) In 2firm to icenter inremedy that it wIACC o(C) Thr

submittplan. Th($4.7M)and Em($5.2M)(D) Adddisasterthe creanotificanotificavoice brEmerge

GovernmTelecomWirelesensure e(E) RedfacilitieNDSCS


Functional Area / Process: Faculty & Staff
Risk Ranking: Moderate
Identified Risk: Lack of cross training for most positions within the institution.
Proposed Recommendation: Functional areas should evaluate where it is most critical to cross train employees. Develop an action plan to cross train where necessary.

Where ntrain em

Risk Ranking: Moderate
Identified Risk: The economy has had an impact on the ability to attract faculty and staff for open positions. People are not able to sell their homes and move to the area; therefore, positions cannot be accepted.
Proposed Recommendation: No proposed recommendation.

Risk Ranking: Low
Identified Risk: There has been a high turnover rate in key leadership positions in the last several years, and there may continue to be more in the future.
Proposed Recommendation: No proposed recommendation.

Turnoveanticipa

Functional Area / Process: Student Financial Processing
Risk Ranking: Low
Identified Risk: A significant number of faculty do not submit their book/material requests to the bookstore timely, resulting in the bookstore not being able to provide books/materials to students timely, keep costs effective and affordable (i.e. the ability to buy used books), and possibly causing the institution to be in violation of the HEOA.
Proposed Recommendation: Continue to educate faculty about the importance of submitting book and material requests timely. In addition, identify alternative methods of communication and education.

Bookstodepartmmerchanprocess fashion.remindedirector group toHEOA c

The deacoincide

register the fall tare receimonth papproximplaced, abefore th


Student FinancialProcessing

Low When ordeadlineoffer useIn an attBookstofor somemore affare oftenorders tothe startadded onsemestershipping

Student with Acaprocess.


Appendix

Impact Criteria

IMPACT CRITERIA (columns: Financial | Stakeholder | Reputation | Legal / Regulatory | Operations)

HIGH
  Financial: (1) Asset size; (2) Prior negative exposure; (3) Rapidly increasing transaction volume
  Stakeholder: (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns
  Reputation: (1) Potential adverse issues are known to external parties, such as media and regulatory bodies
  Legal / Regulatory: (1) Any Federal/State/Other action; (2) External Audit reportable conditions
  Operations: (1) Current infrastructure cannot support business strategy

MEDIUM
  Financial: (1) Asset size; (2) Major potential cost; (3) Transaction volume stable
  Stakeholder: (1) Management, employees and faculty may be affected by process inefficiencies or control breakdown
  Reputation: (1) Potential adverse issues could impact customers
  Legal / Regulatory: (1) Issues identified by Federal/State/Other; (2) Issues identified by External Audit
  Operations: (1) Current infrastructure is able to support business strategy with work arounds

LOW
  Financial: (1) Asset size; (2) Minor potential cost; (3) Transaction volume stable
  Stakeholder: (1) No management, employees and faculty are affected by process inefficiencies or control breakdown
  Reputation: (1) Potential adverse issues could impact employees
  Legal / Regulatory: (1) No issues identified by Federal/State/Other; (2) No issues identified by External Audit
  Operations: (1) Current infrastructure is able to support business strategy

Vulnerability CriteriaVULNERABILITY CRITERIA

CONTROL

EFFECTIVENESS

AND EFFICIENCY

SPEED OF

RESPONSECOMPLEXITY PEOPLE

OPERATIONAL

EFFICIENCY

SYSTEM

CAPABILITY

RATE OF

CHANGE

HIGH

Controls are notworking or do notexist.

No method foranticipating andaccessing specific

risk events exists,so issues are notescalated to theappropriateexecutiveseffectively.

Manualprocesses withmany data

transfer pointsand owners

A limitednumber of staff or

current staff has limitedcompetencyto managerisk events.Inadequatecross-trainingexists.

High/unmeasured cost of operations, many

quality concernsnoted, andunacceptable orunmeasuredcycle/processtime.

Systems are notoperating asdesigned or

design is flawed;very limitedcontrols

Risk is managedby or directlyimpacts people,

processes,systems, orbusinesses thathaveexperienced aHIGH rate of change over thelast 6 months.

MEDIUM

Controls aredetective but notpreventative andthere may or maynot be effectivereporting.

A method foranticipating andassessing specificrisk events existsbut issues are noteffectivelyescalated to theappropriateexecutives.

Automatedprocessencompassingmultiple systemsand owners.

A limitednumber of staff and/orstaff hasmoderatecompetencyto managerisk event.

Above industryaverage cost of operation, somequality concernsnoted, and belowindustry averagecycle/processtime.

Systems areoperating asdesigned, butdesign can beimproved;controls arebolted on top of the system.

Risk is managedby or directlyimpacts people,processes,systems, orbusinesses thathaveexperienced aMODERATErate of change

over the last 6months.

LOW

Controls areappropriatelypreventive anddetective and thereis effectivereporting.

A method foranticipating andassessing specificrisk events existsand effectivelyescalates issues tothe appropriateexecutive.

Automatedprocesses withintegratedsystems.

Most staff hashighcompetencyto managerisk events.

Low/averagecost of operations, noquality concernsnoted, andcycle/processtimes withinspecifiedstandards.

Systems aredesigned,implemented,and operatingeffectively;controls areembedded in thesystem.

Risk is managedby or directlyimpacts people,processes,systems, orbusinesses thathaveexperienced aLOW rate of change over thelast 6 months.


©2011 LarsonAllen LLP

University of North Dakota

Risk Assessment Results

October 14, 2011

Craig W. Popenhagen, CPA
Principal
612/397-3087
[email protected]


Enterprise-Wide Risk Assessment | University of North Dakota 


October 14, 2011

Dr. Robert Kelly
University of North Dakota
264 Centennial Drive Stop 8193
300 Twamley Hall
Grand Forks, ND 58202-8364

Dr. Robert Kelly,

This report provides you, the University of North Dakota (UND) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementing strategies to achieve the Board’s acceptable risk level.

LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided.

In addition, the procedures performed by LarsonAllen are not a substitute for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide the University of North Dakota with insight into inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project.

We appreciate the opportunity to assist the University of North Dakota. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance.

Sincerely,

LarsonAllen LLP

Craig W. Popenhagen, CPA
Principal
612/397-3087
[email protected]

220 South Sixth Street, Suite 300
Minneapolis, MN 55402-1436
612-376-4500, Fax 612-376-4850


Table of Contents

Executive Summary ............................ 1
  What is Risk Assessment? ................... 1
  Risk Assessment Methodology ................ 1
Project Overview ............................. 4
  Objectives and Scope ....................... 4
  Approach ................................... 4
Risk Assessment Results ...................... 6
  Enterprise-Wide Risk Map ................... 6
  Detailed Results ........................... 7
Appendix .................................... 21
  Impact Criteria ........................... 21
  Vulnerability Criteria .................... 21


Executive Summary

LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for the University of North Dakota. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis, with a formal enterprise-wide risk assessment performed periodically.

Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical representation of the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Detailed results are also provided, communicating the explanation for the risk ranking and recommendations for addressing the risks.

What is Risk Assessment?

Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution, whether at the entity or process level.

• Entity level is the cornerstone for effective control, and its objectives provide guidance on what the entity wants to achieve. It should be consistent with budget, strategy, and business plans.

• Process level should align with entity level objectives but differs in that it relates directly to goal setting with specific targets and deadlines. It provides guidance for management focus.

Risk Assessment Methodology

The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for the University of North Dakota.


Understand the Client’s Business: We begin by understanding the North Dakota University System’s (the System) business by gathering the business objectives, goals, and strategies and identifying the System’s various universities and colleges in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry.

Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of an institution to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken, in the form of missed opportunities. There are six types of risks:

• Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the institution’s inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the institution’s reputation.

• Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.

• Operational: The risk that the institution’s operational processes are not achieving the objectives they were designed for to support the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.

• Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.

• Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the institution, the availability and quality of information the institution can access to support decision making, and the security of key information.

• Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships.

Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See the illustration below for definitions.


Project Overview

Objectives and Scope

The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at the University of North Dakota and assess the levels of risk within each of the process areas. In addition, it provides Management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process.

The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution:

Functional Area / Process | Detailed Coverage of Functional Area / Process
Academic Affairs | On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment
Athletics | Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance
Campus Safety & Security | Building security, campus police/security
Continuing Education | Non-credit courses, community programs, workforce training, conference management
Emergency Preparedness | Emergency preparedness and response procedures, business continuity, risk management
Environmental Health & Safety | Physical safety and soundness of campus buildings, environmental risks, facilities/classroom
Financial Close & Reporting | Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes
Governance | General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action
Grant Administration | Grant tracking and monitoring, accounting, budgeting, reporting, foundation, donor concentrations, foundation investment strategy
Human Resources & Payroll | Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention
Information Technology | IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk
Marketing / Communications | Social media, publications, web development, brand and logo, advertising channels
Operations & Auxiliary Services | Bookstore, libraries, food services
Faculty & Staff | Workforce training, competency, professional environment, conflict of interest
Student Affairs | Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services
Student Financial Processing | Student financial aid, tuition, enrollment fees, scholarships, funding, student loan processing


Approach

With the assistance of University of North Dakota management, LarsonAllen identified 25 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area.

Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).


Risk Assessment Results

Enterprise-Wide Risk Map

The enterprise-wide risk map communicates the risk results at the functional area / process level based on the information obtained during the interviews. The description of the risk map is as follows:

• Green – Low Risk
• Yellow – Moderate Risk
• Red – High Risk

The following functional areas / processes are not on the above risk map as there were no risks identified by stakeholders, per the interview discussions:

• Continuing education


Detailed Results

Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations

Academic Affairs | Moderate | Concerns that foundations are potentially no longer supporting UND objectives or aligning with standards. | Identify specific objectives and standards that UND feels are not being supported by foundations and communicate these specifics to the foundation to determine a future approach or strategy and potentially clarify misunderstandings.

In the co

this revie

Agreem

Academic Affairs | Moderate | Visibility to the overall operations, compliance, reporting, accountability, and safety of the Aerospace and Research Foundations. | Identify specific topics that UND would like more visibility to as it relates to the operations, compliance, reporting, accountability, and safety of the Aerospace and Research Foundations. In addition, UND and the Foundations should work together so UND can gain further clarification on these topics.

In the co

this revieAgreem

Academic Affairs | Low | Affiliated organizations operate independently with minimal oversight from the institution. | No proposed recommendation.

Athletics | Moderate | Concerns related to the visibility of where fund raising revenue is derived from to more accurately report on estimated budgeting and forecasting processes. | Internal controls should be reviewed to identify potential improvements related to the validity of fund raising revenue and budgeting and forecasting processes.

UND Fo

intellige

informa

revenue

Fundrai

periodic

toward t

Athletics | Moderate | Relationship between UND Marketing Group and the Ralph Engelstad Arena related to the sales of athletic merchandise. | Identify opportunities to incorporate UND into the Ralph Engelstad Arena marketing and sales strategy.

Discuss

Usage A

negotiat


Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations

Campus Safety & Security | Low | The scope of background and health checks on students and employees is potentially too narrow. | Review current policies and procedures to determine the current scope of background and health checks and evaluate whether the current scope is appropriate. Background and health checks should include, but are not limited to, criminal, health, previous employment, previous school enrollment, and financial stability.

Federal

followe

constraifor infor

perform

Emergency Preparedness | Moderate | No formal policy and procedures related to business continuity. | Develop a formal business continuity plan.

Templa

Plan and

have be

has beenare plan

develop

review/

Emergency Preparedness | Moderate | Increased racial and ethnic diversity of student base. | Continually monitor and assess changes in diversity within the existing and future student body. Understand and educate faculty, staff, and students on the importance of diversity at UND.

UND ha

Advisor

Environmental Health & Safety | Low | Safety and soundness of campus facilities. | Continually monitor the overall safety and soundness of all buildings on campus to identify the potential need for improvements.


Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations

Governance | Moderate | There is no Compliance Officer or compliance function to oversee the various regulations the institution is required to comply with, such as PCI, HIPAA, FERPA, HEOA, etc., and assist in proactively understanding requirements. | Perform a cost/benefit analysis to determine if a compliance function should be developed within UND to monitor and communicate compliance requirements. In addition, assess whether the existing Internal Audit group has the skills necessary and resource capacity to assist with the communication of compliance requirements.

Respons

currently

Conside

Governance | Moderate | Concerns that contract terms and conditions related to liability are not consistently being reviewed. | All contracts, including terms and conditions, should be reviewed.

We will

understa

to be.

Governance | Low | A Quality Assessment Review of the Internal Audit Department has never been performed by a third party. The Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing (specifically 1312 – External Assessments) states that an external assessment must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. | Perform a cost/benefit analysis to determine if a third party should be engaged to perform an external assessment of the Internal Audit Department.

Governance | Low | Internal audit reports and specific audit findings are not ranked to differentiate the level of risk. | Develop an internal audit report and audit finding ranking methodology that has clearly defined ranking criteria to differentiate between the level of risk associated with each report and audit finding.


Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations

Governance | Low | Concerns related to the overall awareness of the whistleblower hotline. | Human Resources should identify additional opportunities (posters, intranet, etc.) to better advertise the whistleblower hotline.

Grant Administration | High | Congress is discussing making cuts related to earmarked dollars critical to research. | No proposed recommendation.

Grant Administration | High | Concerns related to effort reporting. Policies and procedures are not in place and there is not a tool to track reporting. | Develop and implement a policy and related procedures related to effort reporting. In addition, perform a cost/benefit analysis to determine if a tool should be purchased and utilized for effort reporting.

Policies

have be

campus

presente

impleme

process

reportin

determi

Human Resources & Payroll | Moderate | Payroll processes are very manual (i.e. Excel spreadsheets are used to calculate and approve sick and vacation time, manual time cards are utilized in several instances, PeopleSoft is manually updated, etc.). | Payroll should work with the Information Technology group to determine if there are additional processes that could be automated in PeopleSoft and automated workflow tools that exist and/or could be utilized, and perform a cost/benefit analysis to determine if additional software should be purchased (if needed) to automate additional manual processes.

The Uni

the Nort

which ad

Managem

improve

HRMS m

campuse

team and

schedulesupporte

currently

implemethe next


Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations

Human Resources & Payroll | Low | Concerns related to employee retention. | Human Resources should perform an assessment to determine what employees enjoy most and least about their jobs. In addition, evaluate exit interview documentation and questionnaire results (if applicable) to determine if there is a consistent theme(s) related to why employees leave the university.

Information Technology | High | IT infrastructure is maintained underground, including the data center. | Perform a cost/benefit analysis to determine where the infrastructure could be maintained and still be within reasonable cost/budget.

Fundingbiennium

to house

under th

committ

Information Technology | High | No formal disaster recovery plan. | Develop a formal disaster recovery plan. This would include, but is not limited to: risk exposures; recovery team responsibilities; first response process and procedures; functional assessment process; asset protection; communications approach; system recovery timeframes; maintenance and testing; training.

A Disas

proposaNDUS f

approve

Howeve

plan doe

initiate f


Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations

Information Technology | Moderate | The IT function is not consistently approving service level agreements (SLAs). | The IT function should develop procedures, or scrutinize against existing procedures, to require SLA approval prior to receiving services. In addition, monitoring controls should be in place to ensure approved individuals are executing contracts.

UND w

Information Technology | Low | The UND helpdesk is shared with NDSU and results in inefficiencies and call forward discrepancies. | Develop a centralized helpdesk function to gain efficiencies.

Helpdes

there is

can be s

the outsNDUS.

Marketing & Communications | High | Potential reputation impact and loss of fan base when UND changes the Fighting Sioux name and logo. | A comprehensive committee (i.e. staff, students, and faculty) should be established to identify and evaluate potential name and logo considerations.

This pla

months

retire th

signed pSBHE a

SBHE a

plannin

name an

is chang

Marketing & Communications | Low | Staying abreast of new and current marketing trends to reach students. | Continue to identify additional ways to stay abreast of new and current marketing trends to reach students.

Operations & Auxiliary Services | Moderate | Funding concerns related to the libraries’ ability to maintain and increase subscriptions and licensing to adequately meet student and faculty needs. | Funding to maintain adequate subscriptions and licenses should be assessed and communicated in the budgeting process.

Funding

been co

years as

has resuextent p

identify

predicta

research


Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations

Operations & Auxiliary Services | Moderate | Certain auxiliary services that are not core to the institution are a financial liability and do not receive funding. All revenue is generated based on operations. Divergence of risk related to proper procedures and reporting if operations close. | Perform an assessment to determine if fees and rates are appropriate and establish procedures to ensure they are revisited on an ongoing basis. In addition, evaluate marketing techniques utilized to advertise these services and determine if improvements could be made.

During t

entities a

revenue Further

FY13 bu

Operations & Auxiliary Services | Low | Remodeling and technology upgrades needed for the library to better accommodate student learning. | A cost/benefit analysis should be performed to identify what improvements need to be made related to technology, resources, and space to better accommodate student learning.

Operations & Auxiliary Services | Low | Security and safety of mail in the UND post office. | Continue to evaluate security and safety with mail. Perform an internal audit focused on compliance with postal/government regulations.

Operations & Auxiliary Services | Low | Public use of the auditorium has decreased due to the economy; therefore revenue from operations has decreased. | Continue to identify additional ways to market and advertise the public use options of the auditorium.

Operations & Auxiliary Services | Low | The Director of Libraries is not currently a member of the Academic Council. | Assess the need to add the Director of Libraries to the Academic Council.

Faculty & Staff | Moderate | Lack of succession planning for most positions within the institution. | Functional areas should evaluate where it is most critical to implement a succession plan and take steps to implement where needed.

Human

tools/in

unit lev

Faculty & Staff | Moderate | There has been a high turnover rate in key leadership positions in the last several years. | No proposed recommendation.


Appendix

Impact Criteria

HIGH
  Financial: (1) Asset size; (2) Prior negative exposure; (3) Rapidly increasing transaction volume
  Stakeholder: (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns
  Reputation: (1) Potential adverse issues are known to external parties, such as media and regulatory bodies
  Legal / Regulatory: (1) Any Federal/State/Other action; (2) External Audit reportable conditions
  Operations: (1) Current infrastructure cannot support business strategy

MEDIUM
  Financial: (1) Asset size; (2) Major potential cost; (3) Transaction volume stable
  Stakeholder: (1) Management, employees and faculty may be affected by process inefficiencies or control breakdown
  Reputation: (1) Potential adverse issues could impact customers
  Legal / Regulatory: (1) Issues identified by Federal/State/Other; (2) Issues identified by External Audit
  Operations: (1) Current infrastructure is able to support business strategy with workarounds

LOW
  Financial: (1) Asset size; (2) Minor potential cost; (3) Transaction volume stable
  Stakeholder: (1) No management, employees and faculty are affected by process inefficiencies or control breakdown
  Reputation: (1) Potential adverse issues could impact employees
  Legal / Regulatory: (1) No issues identified by Federal/State/Other; (2) No issues identified by External Audit
  Operations: (1) Current infrastructure is able to support business strategy

Vulnerability Criteria

HIGH
  Control Effectiveness and Efficiency: Controls are not working or do not exist.
  Speed of Response: No method for anticipating and assessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.
  Complexity: Manual processes with many data transfer points and owners.
  People: A limited number of staff, or current staff has limited competency to manage risk events. Inadequate cross-training exists.
  Operational Efficiency: High/unmeasured cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.
  System Capability: Systems are not operating as designed or design is flawed; very limited controls.
  Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months.

MEDIUM
  Control Effectiveness and Efficiency: Controls are detective but not preventative, and there may or may not be effective reporting.
  Speed of Response: A method for anticipating and assessing specific risk events exists, but issues are not effectively escalated to the appropriate executives.
  Complexity: Automated process encompassing multiple systems and owners.
  People: A limited number of staff, and/or staff has moderate competency to manage risk events.
  Operational Efficiency: Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.
  System Capability: Systems are operating as designed, but design can be improved; controls are bolted on top of the system.
  Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months.

LOW
  Control Effectiveness and Efficiency: Controls are appropriately preventive and detective, and there is effective reporting.
  Speed of Response: A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.
  Complexity: Automated processes with integrated systems.
  People: Most staff has high competency to manage risk events.
  Operational Efficiency: Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.
  System Capability: Systems are designed, implemented, and operating effectively; controls are embedded in the system.
  Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.


Valley City State University

Risk Assessment Results

October 14, 2011

Craig W. Popenhagen, CPA

Principal

612/397-3087

[email protected]


October 14, 2011

Dr. Steven Shirley

Valley City State University

101 College Street SW

Valley City, ND 58072

Dr. Shirley,

This report provides you, Valley City State University (VCSU) leadership, the Audit Committee, and

members of the Board with the results of the risk assessment and a means to prioritize risk mitigation

strategies. An enterprise-wide risk assessment is the first step in your risk management program of 

assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of 

strategies to achieve the Board’s acceptable risk level.

LarsonAllen did not audit or review any of the information provided, nor have we performed an

examination of internal controls in accordance with standards promulgated by the American Institute of 

Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy

of the information that management has provided.

In addition, the procedures performed by LarsonAllen are not a substitution for management’s

responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk 

assessment project was designed to provide Valley City State University with insight to inherent and

specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities

related to the scope of this project.

We appreciate the opportunity to assist Valley City State University. Management and staff involved in

the process were a pleasure to work with and very open to sharing their opinions and knowledge. This

cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to

contact us for assistance.

Sincerely,

LarsonAllen LLP

Craig W. Popenhagen, CPA

Principal

612/397-3087

[email protected]

220 South Sixth Street, Suite 300, Minneapolis, MN 55402-1436

612-376-4500, Fax 612-376-4850


Table of Contents

Executive Summary ... 1
  What is Risk Assessment? ... 1
  Risk Assessment Methodology ... 1

Project Overview ... 4
  Objectives and Scope ... 4
  Approach ... 4

Risk Assessment Results ... 6
  Enterprise-Wide Risk Map ... 6
  Detailed Results ... 6

Appendix ... 23
  Impact Criteria ... 23
  Vulnerability Criteria ... 23


Executive Summary

LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for Valley City State University. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically.

Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the

significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical

representation of the relative impact and vulnerability of a risk event for each of the key financial,

operational, and IT processes. Detailed results are also provided communicating the explanation for the

risk ranking and recommendations for addressing the risks.

What is Risk Assessment?

Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution, whether at the entity or process level.

• Entity level is the cornerstone for effective control and its objectives provide guidance on what the entity wants to achieve. It should be consistent with budget, strategy, and business plans.

• Process level should align with entity level objectives but differ in that they relate directly to goal setting with specific targets and deadlines. It provides guidance for management focus.

Risk Assessment Methodology

The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for Valley City State University.


Understand the Client’s Business: We begin by understanding the North Dakota University System’s (the System) business by gathering the business objectives, goals, and strategies and identifying the System’s various universities and colleges in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry.

Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of an institution to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken, in the form of missed opportunities. There are six types of risks:

• Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the institution’s inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the institution’s reputation.

• Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.

• Operational: The risk that the institution’s operational processes are not achieving the objectives they were designed for to support the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.

• Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.

• Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the institution and the availability and quality of information the institution can access to support decision making, and the security of key information.

• Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships.

Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for

risk ranking procedures. In determining risk within the financial, operational, and IT processes, we

assessed the impact of the process to the organization and the vulnerability that a risk would occur by

evaluating the underlying attributes of the process and by assessing the effectiveness of the control

environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.


[Illustration: Areas of Focus and Definitions. Impact: Financial; Stakeholder; Reputation; Legal / Regulatory; Operations. Vulnerability: Control Efficiency & Operating Effectiveness; Speed of Response; Complexity; People; Operational Efficiency; System Capability; Rate of Change. Measurement Scale: High Risk; Moderate Risk; Low Risk. The definitions for each criterion are given in the Appendix.]

Execute Risk Assessment Approach: We begin by identifying various interview participants, including

key risk owners and conduct interviews, as applicable. Key risks are gathered during this stage and results

are ranked by defined impact and vulnerability criteria.

Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and

vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then

validated and shared with management, as appropriate. By prioritizing and validating risks, Valley City

State University can align and prioritize its resources to manage and mitigate risks appropriately.



Project Overview 

Objectives and Scope

The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at Valley City State University and assess the levels of risk within each of the process areas. In addition, the assessment provides Management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process.

The scope of the enterprise-wide risk assessment included the following functional areas / processes

within the institution:

Functional Area / Process: Detailed Coverage of Functional Area / Process

Academic Affairs: On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment

Athletics: Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance

Campus Safety & Security: Building security, campus police/security

Continuing Education: Non-credit courses, community programs, workforce training, conference management

Emergency Preparedness: Emergency preparedness and response procedures, business continuity, risk management

Environmental Health & Safety: Physical safety and soundness of campus buildings, environmental risks, facilities/classroom

Financial Close & Reporting: Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes

Governance: General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action

Grant Administration: Grant tracking and monitoring, accounting, budgeting, reporting, foundation, donor concentrations, foundation investment strategy

Human Resources & Payroll: Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention

Information Technology: IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk

Marketing / Communications: Social media, publications, web development, brand and logo, advertising channels

Operations & Auxiliary Services: Bookstore, libraries, food services

Faculty & Staff: Workforce training, competency, professional environment, conflict of interest

Student Affairs: Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services

Student Financial Processing: Student financial aid, tuition, enrollment fees, scholarships, funding


Approach

With the assistance of Valley City State University management, LarsonAllen identified 20 key process

owners in the significant financial, operational, and IT processes. Key process owners were interviewed

for the purpose of assessing the inherent and specific risks associated with each functional area.

Upon completion of the interviews, the inherent and specific risks identified in each process were

prioritized and placed on the enterprise-wide risk map based on the impact of the process to the

organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).


Risk Assessment Results 

Enterprise-Wide Risk Map

The enterprise-wide risk map communicates the risk results at the functional area / process level based on the information obtained during the interviews. The description of the risk map is as follows:

• Green – Low Risk

• Yellow – Moderate Risk

• Red – High Risk

The following functional areas / processes are not on the above risk map as there were no risks identified by stakeholders, per the interview discussions:

• Continuing education


Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations (a further column for each row is truncated in the source)

Emergency Preparedness
  Risk Ranking: Moderate
  Identified Risk: Lack of communication related to emergency response procedures and concerns that the involvement of training and testing of the procedures are not campus-wide.
  Proposed Recommendations: Identify additional ways to communicate emergency response procedures and provide training and testing that involves several areas across the institution.

  Risk Ranking: Low
  Identified Risk: Concerns related to flooding and whether the right business continuity and disaster recovery plans are in place and if communication and training regarding the plans is sufficient.
  Proposed Recommendations: Review the current business continuity and disaster recovery plans to assess whether the plans appear appropriate to address flooding concerns. In addition, determine whether all staff, faculty, and students have received sufficient training, communication, and specific procedures on what to do in the event of another flood incident.

Environmental Health & Safety
  Risk Ranking: Low
  Identified Risk: Safety and soundness of campus facilities, specifically the age of buildings, ventilation issues, etc.
  Proposed Recommendations: Continually monitor the overall safety and soundness of all buildings on campus to identify the potential need for improvements.


Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations (a further column for each row is truncated in the source)

Financial Close & Reporting
  Risk Ranking: Moderate
  Identified Risk: There are segregation of duties concerns within the business office due to the limited staff size.
  Proposed Recommendations: Perform a review of the responsibilities assigned to each individual in the business office to determine whether additional responsibilities could be segregated.

  Risk Ranking: Low
  Identified Risk: The accounts payable process is manual in nature, causing significant inefficiencies. For example, the expense approval process for purchases is not streamlined to eliminate duplicate processes related to submission and review of receipts, statements received from vendors, etc.
  Proposed Recommendations: Perform a cost/benefit analysis to determine if an automated workflow should be implemented for the accounts payable process to eliminate duplicate processes and opportunities to make errors.

  Risk Ranking: Low
  Identified Risk: Concerns that new GASB statements and/or changes to existing GASB statements are not monitored on a consistent basis, which could result in inaccurate financial statements.
  Proposed Recommendations: Continue to stay abreast of new GASB statements and/or changes to existing GASB statements.


Functional Area / Process | Risk Ranking | Identified Risk | Recommendations (a further column for each row is truncated in the source)

Governance
  Risk Ranking: Moderate
  Identified Risk: Contract start dates have been delayed due to the turnaround time in the contract review process.
  Recommendations: Discuss the turnaround time of contract review with the System Office to determine if the review period could be shortened. In addition, determine if it makes good business sense to centralize the General Counsel function to allow further allocation opportunities to the smaller colleges and universities.

  Risk Ranking: Low
  Identified Risk: System level policy interpretation is difficult and VCSU is unsure of their authority in all circumstances.
  Recommendations: Identify specific system level policies and/or verbiage in policies that are difficult to interpret and meet with the System Office to obtain additional guidance related to the policies.

  Risk Ranking: Low
  Identified Risk: Concerns that personnel are using VCSU property for personal use when not authorized to do so.
  Recommendations: Continue to communicate and train personnel on the existing policy for appropriate use of VCSU property.

Grant Administration
  Risk Ranking: Moderate
  Identified Risk: Lack of grant related policies and procedures, specifically grant lifecycle and expense allocations.
  Recommendations: Develop policies and related procedures for grant processes, specifically grant lifecycle and expense allocations.


Functional Area / Process | Risk Ranking | Identified Risk | Recommendations (a further column for each row is truncated in the source)

Human Resources & Payroll
  Risk Ranking: Moderate
  Identified Risk: Lack of payroll procedures specific to the hiring and termination processes.
  Recommendations: Develop procedures for payroll processes, specifically for the hiring and termination processes.

  Risk Ranking: Moderate
  Identified Risk: Recruitment and retention of faculty is a concern, specifically as it relates to the compensation offered for these positions.
  Recommendations: No proposed recommendation.

  Risk Ranking: Moderate
  Identified Risk: Employee work load is a concern. Several functional areas identified some level of personnel needs. An over worked employee could potentially lead to burnout, low morale, etc.
  Recommendations: Human Resources and senior management should assess current FTE workload by department. Identify areas of concern and suggest departmental changes and/or identify ways to better manage workloads.


Functional Area / Process | Risk Ranking | Identified Risk | Recommendations (a further column for each row is truncated in the source)

Human Resources & Payroll
  Risk Ranking: Moderate
  Identified Risk: Faculty sick leave is not tracked and monitored, causing concerns related to compliance with the Family and Medical Leave Act (FMLA).
  Recommendations: Team with the System Office to assess policies across all colleges and universities and identify inconsistencies specific to faculty sick leave. Evaluate how lack of tracking faculty sick leave can impact compliance with FMLA. In addition, continue to educate staff and faculty related to FMLA.

  Risk Ranking: Moderate
  Identified Risk: There is only one person performing all payroll responsibilities, resulting in segregation of duties conflicts.
  Recommendations: Assess the need to move certain responsibilities to another functional area or person to segregate significant responsibilities in the payroll process.

  Risk Ranking: Low
  Identified Risk: Payroll processes are very manual (i.e. Excel spreadsheets are used to calculate and approve sick and vacation time, manual time sheets are utilized, PeopleSoft is manually updated, etc.). In addition, time sheets are not always turned in timely and approval signatures are missing.
  Recommendations: Payroll should work with the Information Technology group to determine if there are additional processes that could be automated in PeopleSoft, automated workflow tools that exist and/or could be utilized, and perform a cost/benefit analysis to determine if additional software should be purchased (if needed) to automate additional manual processes.

  Risk Ranking: Low
  Identified Risk: There are concerns related to the accuracy of the human resources master file, specifically faculty information (i.e. tenure, status, etc.).
  Recommendations: A review should be performed of the human resources master file to determine if changes need to be made to update information for staff and/or faculty members.


Functional Area / Process | Risk Ranking | Identified Risk | Recommendations (a further column for each row is truncated in the source)

Information Technology
  Risk Ranking: Moderate
  Identified Risk: Security roles in Campus Connection are too broad for the size of the institution; therefore, employees have more access than is needed based on job responsibility.
  Recommendations: Work with the System office to evaluate the permissions assigned to security roles to determine if changes could be made. In addition, identify and review manual controls to mitigate the risk of inappropriate access.

  Risk Ranking: Low
  Identified Risk: Concerns that the back-up generator does not supply appropriate power and that cooling needs are not being met in one of the two data centers.
  Recommendations: Review the current power and cooling methods in the data center and determine if enhancements to the generator should be made.

  Risk Ranking: Low
  Identified Risk: Gathering data and information quickly when requested by senior leadership, the state, etc. is challenging and time consuming. Information needed for reporting and retrieved from PeopleSoft is at a “point in time” and a significant amount of time is spent manipulating and reporting on historical information. Several manual work-arounds have been created to meet specific needs.
  Recommendations: Identify current reports in PeopleSoft that are not effective and efficient. Utilize appropriate resources to determine if current reports could be enhanced to allow for historical reporting, new reports developed, etc. to obtain the information needed and in the appropriate format for reporting.


Functional Area / Process | Risk Ranking | Identified Risk | Recommendations (a further column for each row is truncated in the source)

Marketing & Communications
  Risk Ranking: Low
  Identified Risk: Ongoing concern related to marketing and ability to attract students for programs, specifically where and what should be marketed and communicated.
  Recommendations: Identify additional marketing opportunities on how to reach a broader group of potential students by networking and determining what other colleges and universities across the nation are doing to attract students.

  Risk Ranking: Low
  Identified Risk: There is no Social Media Policy in place.
  Recommendations: VCSU is currently utilizing facebook as a marketing technique; therefore, a Social Media Policy should be developed to establish appropriate use, ethical behavior, etc.


Functional Area / Process | Risk Ranking | Identified Risk | Recommendations (a further column for each row is truncated in the source)

Operations & Auxiliary Services
  Risk Ranking: Moderate
  Identified Risk: There is no POS system utilized by the bookstore, which poses a risk to the recording accuracy and completeness of purchases.
  Recommendations: Perform a cost/benefit analysis to determine if it makes good business sense to purchase and implement a POS system. In addition, perform a review of the internal controls in place to determine if additional controls should be implemented and existing controls strengthened.

  Risk Ranking: Low
  Identified Risk: The bookstore does not currently offer online purchasing capabilities, potentially resulting in missed revenue opportunities.
  Recommendations: Perform a cost/benefit analysis to determine if it makes good business sense to implement bookstore purchasing capabilities online.

  Risk Ranking: Low
  Identified Risk: Concerns that the library hours are not meeting student needs, especially during peak periods.
  Recommendations: Perform an assessment, receiving student input, to determine how many students are utilizing the library, if library hours are adequate, when students feel hours are the most adequate, etc. Adjust library hours as appropriate, based on the results.

  Risk Ranking: Low
  Identified Risk: There are two bookstore locations on campus, creating additional oversight to monitor inventory level needs in each location, increased staffing oversight, and other inefficiencies that exist by having two locations.
  Recommendations: Assess the need to continue having two bookstore locations on campus and determine if the two locations should be consolidated into one to allow for more efficient and cost effective processes.

  Risk Ranking: Low
  Identified Risk: Concerns related to the type of inventory sold in the bookstore and if it is appropriate (i.e. appropriate sizes of clothing merchandise in stock to maximize sales).
  Recommendations: Track and monitor historical trends of merchandise sales and perform an analysis of the type of inventory to maintain in the bookstore to maximize sales.


Functional Area / Process | Risk Ranking | Identified Risk | Recommendations (a further column for each row is truncated in the source)

Faculty & Staff
  Risk Ranking: Moderate
  Identified Risk: Current staffing model at the library and training available to meet the changing information technology demand of students.
  Recommendations: Consideration should be given to provide increased information technology training to existing personnel, specific to library services within higher education, and potentially develop job qualifications for new applicants.

  Risk Ranking: Moderate
  Identified Risk: Concerns that succession planning has not been a key priority where deemed necessary.
  Recommendations: Perform an assessment to determine where succession planning would be deemed most critical and develop a plan to implement with key action plans and milestone dates.

  Risk Ranking: Low
  Identified Risk: Current relationships with vendors could potentially be a conflict of interest as certain accusations have been made.
  Recommendations: Continue to communicate and train personnel on the existing conflict of interest policy. In addition, the vendor master file should be reviewed on an ongoing basis to identify potential conflicts of interest.


Functional Area / Process | Risk Ranking | Identified Risk | Recommendations

Student Affairs | Low | Athletes may not be receiving the appropriate level of academic advising, due to lack of resources. | Review the allocation of academic advising resources to determine whether resources are appropriately allocated to student athletes or if changes should be made. In addition, perform a cost/benefit analysis to determine if additional dollars should be budgeted for academic advising.



Functional Area / Process | Risk Ranking | Identified Risk | Recommendations

Student Affairs | Low | Mental health and medical issues are increasing in the student body, resulting in an increased need for student counseling services. | Assess the current workload in the Student Counseling Services group to determine if current resources are adequate to support student needs.



Functional Area / Process | Risk Ranking | Identified Risk | Recommendations

Student Financial Processing | Moderate | Concerns related to communication between faculty and the Financial Aid department to understand the impact of potential curriculum changes on financial aid distribution and regulations. | Communication between faculty and the Financial Aid department should be enhanced to improve the understanding of the financial aid requirements and the potential impact on curriculum changes. In addition, develop specific procedures and distribute to all applicable parties related to the process and communication that should occur when there are curriculum changes.


Low | Ability to stay proactive related to financial aid federal compliance. Changes in legislation are not always known and implemented timely as monitoring of new regulations and changes to existing regulations is not performed on a consistent basis. In addition, interpretation of regulations is difficult. | Develop an action plan with specific measurable goals to continually monitor and stay abreast of financial aid federal regulations. Discuss regulations with the System Office and other colleges and universities in ND, as needed, to compare interpretations and gain additional confidence that VCSU is in compliance. In addition, consider performing an internal audit to review compliance with regulations.



 ©2011 LarsonAllen LLP

Williston State College

Risk Assessment Results

October 14, 2011

Craig W. Popenhagen, CPA

Principal

612/397-3087

[email protected]


Enterprise-Wide Risk Assessment | Williston State College 

©2011 LarsonAllen LLP

October 14, 2011

Dr. Raymond A. Nadolny

Williston State College

1410 University Avenue

Williston, ND 58801

Dr. Raymond Nadolny,

This report provides you, Williston State College (WSC) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board’s acceptable risk level.

LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided.

In addition, the procedures performed by LarsonAllen are not a substitution for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide Williston State College with insight to inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project.

We appreciate the opportunity to assist Williston State College. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance.

Sincerely,

LarsonAllen LLP

Craig W. Popenhagen, CPA, Principal

612/397-3087

[email protected]

220 South Sixth Street, Suite 300, Minneapolis, MN 55402-1436

612-376-4500, Fax 612-376-4850


Table of Contents

Executive Summary 1
    What is Risk Assessment? 1
    Risk Assessment Methodology 1

Project Overview 4
    Objectives and Scope 4
    Approach 4

Risk Assessment Results 6
    Enterprise-Wide Risk Map 6
    Detailed Results 6

Appendix 15
    Impact Criteria 15
    Vulnerability Criteria 15


Executive Summary

LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for Williston State College. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically.

Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical representation of the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Detailed results are also provided communicating the explanation for the risk ranking and recommendations for addressing the risks.

What is Risk Assessment?

Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution, whether it is entity or process level.

• Entity level is the cornerstone for effective control and its objectives provide guidance on what the entity wants to achieve. It should be consistent with budget, strategy, and business plans.

• Process level should align with entity level objectives but differs in that it relates directly to goal setting with specific targets and deadlines. It provides guidance for management focus.

Risk Assessment Methodology

The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for Williston State College.


Understand the Client’s Business: We begin by understanding the North Dakota University System’s (the System) business by gathering the business objectives, goals, and strategies and identifying the System’s various universities and colleges in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry.

Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of an institution to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken, in the form of missed opportunities. There are six types of risks:

• Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the institution’s inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the institution’s reputation.

• Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.

• Operational: The risk that the institution’s operational processes are not achieving the objectives they were designed for to support the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.

• Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.

• Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the institution and the availability and quality of information the institution can access to support decision making, and the security of key information.

• Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships.

Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.


Areas of Focus and Definitions (illustration): Impact areas of focus are Financial, Stakeholder, Reputation, Legal / Regulatory, and Operations. Vulnerability areas of focus are Control Efficiency & Operating Effectiveness, Speed of Response, Complexity, People, Operational Efficiency, System Capability, and Rate of Change. Definitions: High Risk, Moderate Risk, Low Risk.

Execute Risk Assessment Approach: We begin by identifying various interview participants, including key risk owners, and conduct interviews, as applicable. Key risks are gathered during this stage and results are ranked by defined impact and vulnerability criteria.

Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then validated and shared with management, as appropriate. By prioritizing and validating risks, Williston State College can align and prioritize its resources to manage and mitigate risks appropriately.

(Illustration: Impact and Vulnerability measurement scale.)


Project Overview 

Objectives and Scope

The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at Williston State College and assess the levels of risk within each of the process areas. In addition, the assessment was to provide Management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process.

The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution:

Functional Area / Process | Detailed Coverage of Functional Area / Process
Academic Affairs | On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment
Athletics | Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance, player and spectator liability
Campus Safety & Security | Building security, campus police/security
Continuing Education | Non-credit courses, community programs, workforce training, conference management
Emergency Preparedness | Emergency preparedness and response procedures, business continuity, risk management
Environmental Health & Safety | Physical safety and soundness of campus buildings, environmental risks, facilities/classroom
Financial Close & Reporting | Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes
Governance | General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action
Grant Administration | Grant tracking and monitoring, accounting, budgeting, reporting
Human Resources & Payroll | Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention
Information Technology | IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk
Marketing / Communications | Social media, publications, web development, brand and logo, advertising channels
Operations & Auxiliary Services | Bookstore, libraries, food services
Faculty & Staff | Workforce training, competency, professional environment, conflict of interest
Student Affairs | Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services
Student Financial Processing | Student financial aid, tuition, enrollment fees, scholarships, funding, student loan processing


Risk Assessment Results 

Enterprise-Wide Risk Map

The enterprise-wide risk map communicates the risk results at the functional area / process level based on the information obtained during the interviews. The description of the risk map is as follows:

• Green – Low Risk

• Yellow – Moderate Risk

• Red – High Risk


Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations

Financial Close & Reporting | Moderate | Concerns related to oversight of significant capital projects currently maintained on campus. | Perform a cost/benefit analysis to determine if a position should be created or an existing WSC employee should be utilized to monitor and oversee capital projects.


Moderate | Duplicate financial transactions are entered into the ACEware and PeopleSoft systems as there is no direct interface between them. In addition, PeopleSoft does not currently have the functionality to support non-credit student registration. | WSC should evaluate the processes to determine if the most efficient methods are being utilized for this area.


Moderate | ACEware non-credit registration software continues to have significant unresolved or aged reconciling items in relation to PeopleSoft. | All open and aged reconciling items should be reviewed and resolved on a timely basis.


Moderate | Concerns that departmental budget changes are not being communicated on a timely basis, resulting in over spending. | When a revision in the budget is determined necessary, WSC should communicate with impacted departments on a timely basis.


Moderate | There have been instances identified where expenses are misclassified between programs, etc. | WSC should review their process of expense classification to include the process owner when possible in account classification.


Moderate | Balance sheet reconciliations are not being completed on a timely basis. | A schedule of all reconciliations should be created to identify the individual responsible for executing the reconciliation and the expected timeframe for completion. This schedule should be reviewed by management on an ongoing basis to identify any delays.



Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations

Human Resources & Payroll | Moderate | Concerns around the training available and needed for the Human Resources Group related to technical benefits and human resources related issues. | Consideration should be given to provide increased training to existing personnel and potentially develop job qualifications for new applicants.


Moderate | Overall employee work load is a concern. Most functional areas identified some level of personnel needs. | Human Resources and senior management should assess current FTE work load by department. Identify areas of concern and suggest departmental changes to better manage existing workload.


Low | Hourly employees’ worked hours and all vacation and sick leave are tracked manually. | WSC should assess the opportunity to improve efficiency and internal controls over tracking of employee hours.

Low | Faculty is not required to record sick time. | WSC should assess whether tracking of sick time is necessary for faculty.

Low | Recruitment of staff positions is done primarily through the local newspaper. | The opportunity to attract more qualified candidates may be achieved with a larger number of resources used to conduct the search.

Low | Staff and faculty handbooks have dated material. | The handbooks should be reviewed and updated on an ongoing basis.


Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations

Faculty & Staff | High | Concerns related to faculty wages in comparison to industry averages. In addition, WSC wages are under the local high school wages. | WSC should consider benchmarking wages with other North Dakota colleges and universities to help monitor wages.


Moderate | Concerns how resources are being utilized across the institution, what functional areas are significantly lacking resources, and what resources could be realigned to even workloads. | Perform an assessment to determine how resources are being utilized across all functional areas, tracking of hours worked, efficiencies that could be gained, etc.


Student Affairs | Moderate | WSC currently does not have a counselor on campus. | Consideration should be given to potentially hiring a counselor to assist students on mental health, academic assistance and career assessments.


Low | Lack of available housing and residence space due to increased enrollment and overall population of Williston. | WSC should continue to identify additional opportunities for student housing as student enrollment continues to increase.



Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations

Student Financial Processing | Moderate | Ability to stay proactive related to financial aid federal compliance due to limited staffing and potential legislation changes. | WSC should assess the current staffing levels with the financial aid department. In addition, WSC should consider identifying opportunities to utilize the System Office and other colleges/universities to improve their understanding of potential legislation changes.


Moderate | Concerns related to communication between faculty and the Financial Aid department to understand the impact of potential curriculum changes on financial aid distribution and regulations. | Ongoing communication should be implemented to improve understanding of financial aid requirements and the potential impact on curriculum changes.



Appendix

Impact Criteria

IMPACT CRITERIA (columns: Financial | Stakeholder | Reputation | Legal / Regulatory | Operations)

HIGH
Financial: (1) Asset size; (2) Prior negative exposure; (3) Rapidly increasing transaction volume
Stakeholder: (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns
Reputation: (1) Potential adverse issues are known to external parties, such as media and regulatory bodies
Legal / Regulatory: (1) Any Federal/State/Other action; (2) External Audit reportable conditions
Operations: (1) Current infrastructure cannot support business strategy

MEDIUM
Financial: (1) Asset size; (2) Major potential cost; (3) Transaction volume stable
Stakeholder: (1) Management, employees and faculty may be affected by process inefficiencies or control breakdown
Reputation: (1) Potential adverse issues could impact customers
Legal / Regulatory: (1) Issues identified by Federal/State/Other; (2) Issues identified by External Audit
Operations: (1) Current infrastructure is able to support business strategy with work arounds

LOW
Financial: (1) Asset size; (2) Minor potential cost; (3) Transaction volume stable
Stakeholder: (1) No management, employees and faculty are affected by process inefficiencies or control breakdown
Reputation: (1) Potential adverse issues could impact employees
Legal / Regulatory: (1) No issues identified by Federal/State/Other; (2) No issues identified by External Audit
Operations: (1) Current infrastructure is able to support business strategy

Vulnerability Criteria

VULNERABILITY CRITERIA (columns: Control Effectiveness and Efficiency | Speed of Response | Complexity | People | Operational Efficiency | System Capability | Rate of Change)

HIGH
Control Effectiveness and Efficiency: Controls are not working or do not exist.
Speed of Response: No method for anticipating and assessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.
Complexity: Manual processes with many data transfer points and owners.
People: A limited number of staff, or current staff has limited competency to manage risk events. Inadequate cross-training exists.
Operational Efficiency: High/unmeasured cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.
System Capability: Systems are not operating as designed or design is flawed; very limited controls.
Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months.

MEDIUM
Control Effectiveness and Efficiency: Controls are detective but not preventative and there may or may not be effective reporting.
Speed of Response: A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.
Complexity: Automated process encompassing multiple systems and owners.
People: A limited number of staff and/or staff has moderate competency to manage risk events.
Operational Efficiency: Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.
System Capability: Systems are operating as designed, but design can be improved; controls are bolted on top of the system.
Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months.

LOW
Control Effectiveness and Efficiency: Controls are appropriately preventive and detective and there is effective reporting.
Speed of Response: A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.
Complexity: Automated processes with integrated systems.
People: Most staff has high competency to manage risk events.
Operational Efficiency: Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.
System Capability: Systems are designed, implemented, and operating effectively; controls are embedded in the system.
Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.


 ©2011 LarsonAllen LLP

North Dakota University System

Risk Assessment Results

October 14, 2011

Craig W. Popenhagen, CPA

Principal

612/397-3087

[email protected] 


Enterprise-Wide Risk Assessment | North Dakota University System 

©2011 LarsonAllen LLP

October 14, 2011

Chancellor Goetz

North Dakota University System

10th Floor, State Capitol

600 East Boulevard Ave, Dept. 215

Bismarck, ND 58505-0230

Dear Chancellor Goetz,

This report provides you, North Dakota University System (NDUS or the System) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board’s acceptable risk level.

LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided.

In addition, the procedures performed by LarsonAllen are not a substitution for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide the System with insight to inherent and specific risks throughout the System. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project.

We appreciate the opportunity to assist the North Dakota University System. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance.

Sincerely,

LarsonAllen LLP

Craig W. Popenhagen, CPA, Principal

612/397-3087

[email protected]

220 South Sixth Street, Suite 300, Minneapolis, MN 55402-1436

612-376-4500, Fax 612-376-4850


Table of Contents

Executive Summary 1
    What is Risk Assessment? 1
    Risk Assessment Methodology 1

Project Overview 4
    Objectives and Scope 4
    Approach 5

Risk Assessment Results 6
    Enterprise-Wide Risk Map 6
    Detailed Results 7

Appendix 22
    Impact Criteria 22
    Vulnerability Criteria 22


Executive Summary

LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for the North Dakota University System. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically.

Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the

significant functional areas or processes within the System. The enterprise-wide risk map is a graphical

representation of the relative impact and vulnerability of a risk event for each of the key financial,

operational, and IT processes. Detailed results are also provided communicating the explanation for the

risk ranking and recommendations for addressing the risks.

What is Risk Assessment?

Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse

conditions and/or events and their potential effects on the System. The process starts with identifyingrisks associated with business objectives linked through all levels of the System whether it is entity or

process level.

  Entity level is the cornerstone for effective control and its objectives provide guidance on what the

entity wants to achieve. It should be consistent with budget, strategy, and business plans.

  Process level should align with entity level objectives but differ in that they relate directly to goal

setting with specific targets and deadlines. It provides guidance for management focus.

Risk Assessment Methodology

The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for the North Dakota University System.


Understand the Client’s Business: We begin by understanding the System’s business: gathering the business objectives, goals, and strategies, and identifying the System’s various universities and colleges in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry.

Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of the System to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken, in the form of missed opportunities. There are six types of risks:

• Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the System’s inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the System’s reputation.

• Financial: The risk that the System’s financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.

• Operational: The risk that the System’s operational processes are not achieving the objectives they were designed to support within the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.

• Legal/Regulatory: The System is subject to a variety of federal, state and local laws, regulations and directives, and to accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.

• Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the System, the availability and quality of information the System can access to support decision making, and the security of key information.

• Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships.

Next, we define impact and vulnerability criteria applicable to the System to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.


[Illustration: risk model. Areas of Focus / Definitions: Financial; Stakeholder; Reputation; Legal / Regulatory; Operations; Control Efficiency & Operating Effectiveness; Speed of Response; Complexity; People; Operational Efficiency; System Capability; Rate of Change. Measurement Scale: High Risk; Moderate Risk; Low Risk. Dimensions: Impact; Vulnerability.]

Execute Risk Assessment Approach: We begin by identifying various interview participants, including key risk owners, and conduct interviews, as applicable. Key risks are gathered during this stage and results are ranked by the defined impact and vulnerability criteria.

Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then validated and shared with management, as appropriate. By prioritizing and validating risks, the System can align and prioritize its resources to manage and mitigate risks appropriately.


Project Overview

Objectives and Scope

The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at the System and assess the levels of risk within each of the process areas. In addition, the objective was to provide Management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process.

The scope of the enterprise-wide risk assessment included the following functional areas / processes within the System:

Functional Area / Process: Detailed Coverage of Functional Area / Process

Academic Affairs: On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment
Athletics: Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance, player and spectator liability
Campus Safety & Security: Building security, campus police/security
Continuing Education: Non-credit courses, community programs, workforce training, conference management
Emergency Preparedness: Emergency preparedness and response procedures, business continuity, risk management
Environmental Health & Safety: Physical safety and soundness of campus buildings, environmental risks, facilities/classroom
Financial Close & Reporting: Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes
Governance: General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action
Grant Administration: Grant tracking and monitoring, accounting, budgeting, reporting
Human Resources & Payroll: Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention
Information Technology: IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk
Marketing / Communications: Social media, publications, web development, brand and logo, advertising channels
Operations & Auxiliary Services: Bookstore, libraries, food services
Faculty & Staff: Workforce training, competency, professional environment, conflict of interest
Student Affairs: Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services
Student Financial Processing: Student financial aid, tuition, enrollment fees, scholarships, funding, student loan processing


Approach

With the assistance of North Dakota University System management, LarsonAllen identified 10 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area.

Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).

Note that risks identified at the institutional level that were System related, or for which recommendations involved the System, were communicated in the institution reports; however, they were also included in the System report.


Risk Assessment Results

Enterprise-Wide Risk Map

The enterprise-wide risk map communicates the risk results at the functional area / process level based on the information obtained during the interviews. The description of the risk map is as follows:

• Green – Low Risk
• Yellow – Moderate Risk
• Red – High Risk

The following functional areas / processes are not on the above risk map as there were no risks identified by stakeholders, per the interview discussions:

• Athletics
• Campus safety & security
• Continuing education
• Emergency preparedness
• Environmental health & safety
• Operations & auxiliary services
• Student affairs
• Student financial processing


Detailed Results

Per discussions with process owners, LarsonAllen identified several processes where specific risks may exist. These risks iden
risk ranking of each key financial, operational, and IT process. The risks identified were based upon discussions with proces
testing of controls. The following is a list of the risks identified by LarsonAllen, in addition to the risk ranking and recommend

Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations | Response

Academic Affairs | High
Identified Risk: Forecasts predict that there will be a significant decrease in student enrollment by 2017 due to a decrease in the overall population in North Dakota.
Proposed Recommendations: No proposed recommendation.
Response: Agree. T similar will take continu

Academic Affairs | High
Identified Risk: Several campuses are behind in technology used to deliver online classes. In addition, differing tools are used across the System.
Proposed Recommendations: Assess each institution’s technology used to deliver online classes and identify individual campus or system-wide improvements. Consider consistency of approach in the use of on-line development software to assist in training, lowering barriers to use, and possible cost reduction.
Response: Agree. W taken in instituti manage authenti academi support institutio address

Academic Affairs | Moderate
Identified Risk: A for-profit institution entered into the state of North Dakota. This could have a negative impact on enrollment if for-profit and on-line institutions continue to enter the state.
Proposed Recommendations: No proposed recommendation.
Response: Agree. R Chancel out of st standard understa maintain access to


Governance | High
Identified Risk: The System does not consistently operate as a unified system of higher education, with the primary focus on what is in the best interest of the student and state, as opposed to the institution. In addition, there is not a collaborative mentality within some institutions and it is not productive to meeting the state’s expectations.
Proposed Recommendations: In order for the System to truly operate as a unified system of higher education, it is important that the following is in place: 1) clear and strong SBHE direction, expectations, and support; 2) cooperation and support at all levels of the System; 3) adherence and respect for various roles and responsibilities; and 4) performance accountability.
Response: Agree. T the SBH

Governance | Moderate
Identified Risk: Lack of general counsel resources at the System level to supply legal thought leadership and guidance to the nine institutions that do not maintain their own general counsel office.
Proposed Recommendations: Perform a cost/benefit analysis to determine the need to expand the number of general counsel resources at the System office to support the various institutions.
Response: Agree. T addition addition year-lon legal se steps wi force re

Governance | Moderate
Identified Risk: Overall availability of funding was raised during each individual campus visit; however, it is only noted in a few select campus reports based on the level of institutional concern expressed. It should be noted that all institutions indicated funding is a challenge.
Proposed Recommendations: Funding levels for all NDUS institutions should be reviewed, and adjusted as necessary.
Response: Agree. T Governo develop addition develop compon


Grant Administration | High
Identified Risk: PeopleSoft may not have the complete capability to track and monitor effort reporting, resulting in the inability to produce all information needed for a compliance review. In addition, there are concerns that institutions would not be in compliance.
Proposed Recommendations: Ensure that the institutions are following consistent best practice business procedures at all institutions. Review the current methods to track and monitor effort reporting to determine if enhancements could be made to the current reporting methods. Alternatively, consider purchasing a grant and effort reporting tool to enhance reporting accuracy and produce information needed internally and for compliance reviews. This will not be successful without consistent business processes at the institutions.
Response: Agree. W instituti instituti effort. The aud processe determi practice enhance If it is d an RFP addition


Information Technology | Low
Identified Risk: Several students were inappropriately suspended at NDSU due to incorrect academic reporting from PeopleSoft, specifically issues with reporting for students taking repeat courses. However, multiple new end-of-term processes have been put into place to identify future instances of this problem.
Proposed Recommendations: Review the current change management process specific to PeopleSoft reports to determine if adequate policies and procedures are in place to test and approve changes to reports. In addition, identify the root cause of the issue and determine if the issue has been resolved.
Response: Agree. T the codin NDUS a bundle 1 Once the determin the fall s institutio given so could de impleme repeat pr suspensi addition suspensi

Marketing & Communications | Low
Identified Risk: Negative information could potentially be received by the media prior to the System office becoming aware of an issue.
Proposed Recommendations: No proposed recommendation.
Response: Agree.


Faculty & Staff | High
Identified Risk: Overall employee work load at the System office is a concern. Most functional areas identified some level of staff needs to meet state, SBHE and campus expectations. In addition, areas of expertise are insufficient to meet the demands and expectations (i.e. capital projects, compliance, HR).
Proposed Recommendations: Perform an assessment to determine how resources are being utilized across all functional areas, tracking of hours worked, efficiencies that could be gained, etc. Determine if additional resources are needed and in what specific areas of expertise they are needed.
Response: Agree. T priority staff as recomm

Faculty & Staff | Moderate
Identified Risk: There has been a high turnover rate in key leadership positions in the last several years at both the System and institution level, specifically vice presidents, presidents and Chancellor.
Proposed Recommendations: No proposed recommendation.
Response: Agree.

Faculty & Staff | Moderate
Identified Risk: The housing market (nation-wide), rural nature of North Dakota, and the perception of North Dakota have had an impact on the ability to attract personnel system-wide with the appropriate qualifications to fill open positions.
Proposed Recommendations: No proposed recommendation.
Response: Agree.


Appendix