ndus performance audits
8/3/2019 NDUS Performance Audits
http://slidepdf.com/reader/full/ndus-performance-audits 1/291
©2011 LarsonAllen LLP
Bismarck State College
Risk Assessment Results
October 14, 2011
Craig W. Popenhagen, CPA
Principal
Enterprise-Wide Risk Assessment | Bismarck State College
October 14, 2011
Mr. Larry Skogen
Bismarck State College
1500 Edwards Avenue
PO Box 5587
Bismarck, ND 58506-5587
Dear Mr. Skogen,
This report provides you, Bismarck State College (BSC) leadership, the Audit Committee, and members
of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An
enterprise-wide risk assessment is the first step in your risk management program of assessing risks,
evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve
the Board’s acceptable risk level.
LarsonAllen did not audit or review any of the information provided, nor have we performed an
examination of internal controls in accordance with standards promulgated by the American Institute of
Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy
of the information that management has provided.
In addition, the procedures performed by LarsonAllen are not a substitution for management’s
responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk
assessment project was designed to provide Bismarck State College with insight to inherent and specific
risks throughout the institution. While potential characteristics of unsupported financial and operational
activity may be identified, our procedures alone cannot identify errors and irregularities related to the
scope of this project.
We appreciate the opportunity to assist Bismarck State College. Management and staff involved in the
process were a pleasure to work with and very open to sharing their opinions and knowledge. This
cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to
contact us for assistance.
Sincerely,
LarsonAllen LLP
Craig W. Popenhagen, CPA
Principal
612/397-3087
220 South Sixth Street, Suite 300
Minneapolis, MN 55402-1436
612-376-4500, Fax 612-376-4850
Table of Contents
Executive Summary
  What is Risk Assessment?
  Risk Assessment Methodology
Project Overview
  Objectives and Scope
  Approach
Risk Assessment Results
  Enterprise-Wide Risk Map
  Detailed Results
Appendix
  Impact Criteria
  Vulnerability Criteria
Executive Summary
LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for Bismarck State
College. This included identifying and ranking the key financial, operational, strategic, and information
technology (IT) processes within the organization based on inherent and specific risks. The overall risk
for each process was based upon the process’s potential impact to the organization and the vulnerability
of the risk occurring given the current environment. The risk environment is dynamic and will continue to
change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk
assessment performed periodically.
Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the
significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical
representation of the relative impact and vulnerability of a risk event for each of the key financial,
operational, and IT processes. Detailed results are also provided communicating the explanation for the
risk ranking and recommendations for addressing the risks.
What is Risk Assessment?
Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse
conditions and/or events and their potential effects on the institution. The process starts with identifying
risks associated with business objectives linked through all levels of the institution whether it is entity or
process level.
Entity level is the cornerstone for effective control and its objectives provide guidance on what the
entity wants to achieve. It should be consistent with budget, strategy, and business plans.
Process level should align with entity level objectives but differ in that they relate directly to goal
setting with specific targets and deadlines. It provides guidance for management focus.
Risk Assessment Methodology
The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for Bismarck State College.
Understand the Client’s Business: We begin by understanding the North Dakota University System’s
(the System) business by gathering the business objectives, goals, and strategies and identify the System’s
various universities and colleges in addition to the key financial, operational, and IT processes within
each university and college. Next, we assess the external and internal risks related to the industry.
Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or
condition that can negatively affect the ability of an institution to achieve its objectives. Risks are
generally thought to be associated with taking actions; however, risks can also occur when no action is
taken in the form of missed opportunities. There are six types of risks:
Strategic: The risk that business objectives will not be met due to poorly defined business strategies,
poorly communicated strategies, or the institution’s inability to execute these strategies due to
inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by
appropriate organizational governance. Failure to adequately plan and execute against organizational
goals may result in significant damage to the institution’s reputation.
Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely
due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a
large error, or the pressure on management to meet certain expectations.
Operational: The risk that the institution’s operational processes are not achieving the objectives
they were designed for to support the business model. This risk addresses inefficient operations, poor
alignment of processes with objectives and strategies, failure to protect assets, etc.
Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations
and directives, or accreditation agencies. Failure to follow prescribed directives may result in
substantial fines, restrictions, loss of business, and/or legal action taken by regulators.
Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use
and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall
importance of technology within the institution and the availability and quality of information the
institution can access to support decision making, and the security of key information.
Human Capital: This risk addresses the type of behaviors encouraged by management; the methods
used to reward employees; the approach to consistently enforce policies and procedures; the selection,
screening, and training of employees; and the reason and frequency of turnover. It also includes the
length, consistency, and nature of business relationships, including the handling of sensitive or
confidential information and the risk that business interruption would seriously impact those
relationships.
Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for
risk ranking procedures. In determining risk within the financial, operational, and IT processes, we
assessed the impact of the process to the organization and the vulnerability that a risk would occur by
evaluating the underlying attributes of the process and by assessing the effectiveness of the control
environment around that process. The criteria are defined in terms of high, moderate, and low. See
illustration below for definitions.
[Figure: Areas of Focus Definitions. Areas of focus: Financial, Stakeholder, Reputation, Legal / Regulatory, Operations, Control Efficiency & Operating Effectiveness, Speed of Response, Complexity, People, Operational Efficiency, System Capability, Rate of Change. Ratings: High Risk, Moderate Risk, Low Risk.]
Execute Risk Assessment Approach: We begin by identifying various interview participants, including
key risk owners and conduct interviews, as applicable. Key risks are gathered during this stage and results
are ranked by defined impact and vulnerability criteria.
Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map.
An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and
vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then
validated and shared with management, as appropriate. By prioritizing and validating risks, Bismarck
State College can align and prioritize its resources to manage and mitigate risks appropriately.
[Figure labels: Impact, Vulnerability, Measurement Scale]
Project Overview
Objectives and Scope
The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT
processes at Bismarck State College and assess the levels of risk within each of the process areas. In
addition, provide Management with visibility to process areas that contain the highest potential risk as
determined by the risk assessment process.
The scope of the enterprise-wide risk assessment included the following functional areas / processes
within the institution:
Functional Area / Process: Detailed Coverage of Functional Area / Process
Academic Affairs: On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment
Athletics: Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance
Campus Safety & Security: Building security, campus police/security
Continuing Education: Non-credit courses, community programs, workforce training, conference management
Emergency Preparedness: Emergency preparedness and response procedures, business continuity, risk management
Environmental Health & Safety: Physical safety and soundness of campus buildings, environmental risks, facilities/classroom
Financial Close & Reporting: Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes
Governance: General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action
Grant Administration: Grant tracking and monitoring, accounting, budgeting, reporting, foundation, donor concentrations, foundation investment strategy
Human Resources & Payroll: Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention
Information Technology: IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk
Marketing / Communications: Social media, publications, web development, brand and logo, advertising channels
Operations & Auxiliary Services: Bookstore, libraries, food services
Faculty & Staff: Workforce training, competency, professional environment, conflict of interest
Student Affairs: Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services
Student Financial Processing: Student/financial aid, tuition, enrollment fees, scholarships, funding, student loan processing
Approach
With the assistance of Bismarck State College management, LarsonAllen identified 15 key process
owners in the significant financial, operational, and IT processes. Key process owners were interviewed
for the purpose of assessing the inherent and specific risks associated with each functional area.
Upon completion of the interviews, the inherent and specific risks identified in each process were
prioritized and placed on the enterprise-wide risk map based on the impact of the process to the
organization, and the vulnerability of the risk occurring (see Appendix A for further description of the
definitions of impact and vulnerability criteria).
Risk Assessment Results
Enterprise-Wide Risk Map
The enterprise-wide risk map communicates the risk results at the functional area / process level based on
the information obtained during the interviews. The description of the risk map is as follows:
Green – Low Risk
Yellow – Moderate Risk
Red – High Risk
Functional Area / Process: Environmental Health & Safety

  Risk Ranking: Low
  Identified Risk: There are concerns related to the overall safety of campus facilities.
  Proposed Recommendations: BSC should continually monitor the overall safety of all buildings on campus to identify potential need for improvements.

Functional Area / Process: Financial Close & Reporting

  Risk Ranking: Moderate
  Identified Risk: Cash reconciliation process is complex and very time intensive. In addition, it requires the use of multiple spreadsheets in the process.
  Proposed Recommendations: The cash reconciliation process should be reviewed and assessed to identify potential capabilities to automate the process. In addition, identify existing inefficiencies or process breakdowns.

  Risk Ranking: Moderate
  Identified Risk: Lack of controls in CETI’s registration system to properly secure credit card information.
  Proposed Recommendations: Controls should be established to properly secure credit card information in accordance with policy.

  Risk Ranking: Moderate
  Identified Risk: Balance sheet reconciliations are not being completed on a consistent basis.
  Proposed Recommendations: A schedule of all reconciliations should be created to identify the individual responsible for executing the reconciliation and expected timeframe for completion. This schedule should be reviewed by management on an ongoing basis to identify any delays.

  Risk Ranking: Moderate
  Identified Risk: Segregation of duties controls should be reviewed on key cash receipts areas. In addition, noted that the person who enters payments and prints the checks also has the ability to set up a vendor.
  Proposed Recommendations: BSC should review all significant processes and identify the potential need for additional controls to enforce appropriate segregation of duties.

  Risk Ranking: Low
  Identified Risk: Bad debt and other reserves that are applicable are only analyzed and adjusted on an annual basis.
  Proposed Recommendations: Accounting estimates and judgments should be reviewed on a timely basis to minimize any inadequacies.
Functional Area / Process: Grant Administration

  Risk Ranking: Low
  Identified Risk: Legislative changes related to federal grant recipients.
  Proposed Recommendations: No proposed recommendation.

  Risk Ranking: Low
  Identified Risk: Donor base concentration and investment strategy.
  Proposed Recommendations: No proposed recommendation.

Functional Area / Process: Human Resources & Payroll

  Risk Ranking: Moderate
  Identified Risk: Employee work load is a concern.
  Proposed Recommendations: Human Resources and senior management should assess current FTE workload by department. Identify areas of concern and suggest departmental changes to better manage existing workload.

  Risk Ranking: Moderate
  Identified Risk: Payroll processes are very manual (i.e. Excel spreadsheets are used to calculate hourly employees’ payroll, sick and vacation time and manually key into PeopleSoft upon manual approval).
  Proposed Recommendations: Information technology personnel should work in conjunction with payroll personnel to identify potential automated controls within the existing PeopleSoft system.

  Risk Ranking: Low
  Identified Risk: Payroll orders are currently being sent via regular mail and concerns about employee IDs being exposed if the payroll orders do not arrive to their destination.
  Proposed Recommendations: An automated workflow should be established to properly secure employee information.
Functional Area / Process: Information Technology

  Risk Ranking: High
  Identified Risk: No formal disaster recovery plan.
  Recommendations: BSC should assess the need to develop and maintain a formal disaster recovery plan. This would include, but is not limited to: risk exposures; recovery team responsibilities; first response process/procedures; functional assessment process; asset protection; communications approach; system recovery timeframes; maintenance/testing; training.

  Risk Ranking: Moderate
  Identified Risk: Lack of a comprehensive information security policy and procedure manual.
  Recommendations: BSC should assess the need to develop and maintain a formal and comprehensive information security plan.

  Risk Ranking: Low
  Identified Risk: Inability to extract data for BSC to report to the state, leadership, auditors, etc.
  Recommendations: BSC management should work closely with the information technology department to identify opportunities to improve system capabilities to produce reports on an as needed basis.
Functional Area / Process: Marketing & Communications

  Risk Ranking: Moderate
  Identified Risk: Improvements needed to report on key performance indicators (i.e. how much does it cost per student for marketing techniques, how are dollars being spent, and how can they adjust the dollars to create more opportunities).
  Recommendations: BSC should identify criteria necessary to assess key performance indicators and work closely with the information technology department to identify system capabilities to produce the required information.

  Risk Ranking: Moderate
  Identified Risk: Need to improve marketing locally and nationally to impact additional potential students.
  Recommendations: BSC should identify additional marketing opportunities on how to reach out to a broader group of potential students.

  Risk Ranking: Moderate
  Identified Risk: Competition is a growing concern with the other universities and colleges in ND.
  Recommendations: BSC should identify opportunities on how to reach out to a broader group of potential students.

  Risk Ranking: Low
  Identified Risk: Lack of approval and review related to changes made to the BSC’s internet web page.
  Recommendations: Controls should be established to limit who has the capabilities to make media changes. In addition, a formal approval policy should be established.

Functional Area / Process: Operations & Auxiliary Services

  Risk Ranking: Low
  Identified Risk: Adequacy of financial controls from auxiliary services.
  Recommendations: Overall internal controls should be reviewed and assessed to identify potential risks related to all auxiliary services.

Functional Area / Process: Faculty & Staff

  Risk Ranking: Low
  Identified Risk: Conflict of interest in relation to vendors and employees.
  Recommendations: BSC should review current conflict of interest policy for adequacy. In addition, identify the potential need for additional controls to enforce appropriateness of vendor/employee relationships.
Functional Area / Process: Student Affairs

  Risk Ranking: Moderate
  Identified Risk: Confidentiality of academic records.
  Recommendations: Additional controls should be implemented to properly secure academic records and other privacy specific information in accordance with federal/state regulatory requirements.

  Risk Ranking: Moderate
  Identified Risk: Additional needs from the System Office related to training for compliance (i.e. SFA changes).
  Recommendations: BSC should identify the specific needs related to an appropriate learning and development plan in relation to compliance. Upon completion, BSC should work closely with the System Office to identify opportunities to receive the necessary training or identify if other methods are needed.

  Risk Ranking: Moderate
  Identified Risk: Improved controls needed for background checks for students.
  Recommendations: Key BSC stakeholders should identify areas for improvements related to the existing background check process for future and current students.

  Risk Ranking: Low
  Identified Risk: Concern related to BSC policies that conflict with other partnership groups utilizing campus services (i.e. when they have K-12 programs on campus or when BSC host/maintain events with alcohol. Lack of policies and liability concerns.)
  Recommendations: BSC should assess the need to develop and maintain formal policies in relation to social event hosting with outside groups utilizing BSC facilities.
Functional Area / Process: Student Financial Processing

  Risk Ranking: Moderate
  Identified Risk: Course fees are currently not a key area of focus at BSC. For example: What is being done with the course fees, usage, can unused funds be carried over or counted as reserves? Is the fee established at the right dollar amount? Is the fee too high, is the College charging too much?
  Recommendations: Internal monitoring controls should be reviewed to evaluate course fees.
Appendix

Impact Criteria

HIGH
  Financial: (1) Asset size; (2) Prior negative exposure; (3) Rapidly increasing transaction volume
  Stakeholder: (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns
  Reputation: (1) Potential adverse issues are known to external parties, such as media and regulatory bodies
  Legal / Regulatory: (1) Any Federal/State/Other action; (2) External Audit reportable conditions
  Operations: (1) Current infrastructure cannot support business strategy

MEDIUM
  Financial: (1) Asset size; (2) Major potential cost; (3) Transaction volume stable
  Stakeholder: (1) Management, employees and faculty may be affected by process inefficiencies or control breakdown
  Reputation: (1) Potential adverse issues could impact customers
  Legal / Regulatory: (1) Issues identified by Federal/State/Other; (2) Issues identified by External Audit
  Operations: (1) Current infrastructure is able to support business strategy with work arounds

LOW
  Financial: (1) Asset size; (2) Minor potential cost; (3) Transaction volume stable
  Stakeholder: (1) No management, employees and faculty are affected by process inefficiencies or control breakdown
  Reputation: (1) Potential adverse issues could impact employees
  Legal / Regulatory: (1) No issues identified by Federal/State/Other; (2) No issues identified by External Audit
  Operations: (1) Current infrastructure is able to support business strategy
Vulnerability Criteria

HIGH
  Control Effectiveness and Efficiency: Controls are not working or do not exist.
  Speed of Response: No method for anticipating and assessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.
  Complexity: Manual processes with many data transfer points and owners
  People: A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists.
  Operational Efficiency: High/unmeasured cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.
  System Capability: Systems are not operating as designed or design is flawed; very limited controls
  Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months.

MEDIUM
  Control Effectiveness and Efficiency: Controls are detective but not preventative and there may or may not be effective reporting.
  Speed of Response: A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.
  Complexity: Automated process encompassing multiple systems and owners.
  People: A limited number of staff and/or staff has moderate competency to manage risk event.
  Operational Efficiency: Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.
  System Capability: Systems are operating as designed, but design can be improved; controls are bolted on top of the system.
  Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months.

LOW
  Control Effectiveness and Efficiency: Controls are appropriately preventive and detective and there is effective reporting.
  Speed of Response: A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.
  Complexity: Automated processes with integrated systems.
  People: Most staff has high competency to manage risk events.
  Operational Efficiency: Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.
  System Capability: Systems are designed, implemented, and operating effectively; controls are embedded in the system.
  Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.
Dakota College Bottineau
Risk Assessment Results
October 14, 2011
Craig W. Popenhagen, CPA
Principal
Enterprise-Wide Risk Assessment | Dakota College Bottineau
October 14, 2011
Dr. David Fuller
Minot State University
500 University Avenue West
Minot, ND 58707
Dr. Fuller,
This report provides you, Dakota College Bottineau (DCB) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board’s acceptable risk level.
LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided.
In addition, the procedures performed by LarsonAllen are not a substitution for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide Dakota College Bottineau with insight to inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project.
We appreciate the opportunity to assist Dakota College Bottineau. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance.
Sincerely,
LarsonAllen LLP
Craig W. Popenhagen, CPA
Principal
612/[email protected]
220 South Sixth Street, Suite 300
Minneapolis, MN 55402-1436
612-376-4500, Fax 612-376-4850
Table of Contents
Executive Summary
  What is Risk Assessment?
  Risk Assessment Methodology
Project Overview
  Objectives and Scope
  Approach
Risk Assessment Results
  Enterprise-Wide Risk Map
  Detailed Results
Appendix
  Impact Criteria
  Vulnerability Criteria
Executive Summary
LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for Dakota College Bottineau. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically.
Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical representation of the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Detailed results are also provided communicating the explanation for the risk ranking and recommendations for addressing the risks.
What is Risk Assessment?
Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution whether it is entity or process level.
Entity level is the cornerstone for effective control and its objectives provide guidance on what the entity wants to achieve. It should be consistent with budget, strategy, and business plans.
Process level should align with entity level objectives but differ in that they relate directly to goal setting with specific targets and deadlines. It provides guidance for management focus.
Risk Assessment Methodology
The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for the Dakota College Bottineau.
Understand the Client’s Business: We begin by understanding the North Dakota University System’s (the System) business by gathering the business objectives, goals, and strategies and identifying the System’s various universities and colleges in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry.
Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of an institution to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken in the form of missed opportunities. There are six types of risks:
Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the institution’s inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the institution’s reputation.
Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.
Operational: The risk that the institution’s operational processes are not achieving the objectives they were designed for in support of the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.
Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.
Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the institution and the availability and quality of information the institution can access to support decision making, and the security of key information.
Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships.
Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.
[Illustration: Areas of Focus and Definitions. Areas of focus: Financial; Stakeholder; Reputation; Legal / Regulatory; Operations; Control Efficiency & Operating Effectiveness; Speed of Response; Complexity; People; Operational Efficiency; System Capability; Rate of Change. Levels: High Risk, Moderate Risk, Low Risk.]
Execute Risk Assessment Approach: We begin by identifying various interview participants, including key risk owners, and conducting interviews, as applicable. Key risks are gathered during this stage and results are ranked by defined impact and vulnerability criteria.
Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then validated and shared with management, as appropriate. By prioritizing and validating risks, Dakota College Bottineau can align and prioritize its resources to manage and mitigate risks appropriately.
[Figure: risk map measurement scale, with axes Impact and Vulnerability.]
Project Overview
Objectives and Scope
The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at Dakota College Bottineau and assess the levels of risk within each of the process areas. In addition, provide Management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process.
The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution:
Functional Area / Process | Detailed Coverage of Functional Area / Process
Academic Affairs | On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment
Athletics | Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance, player and spectator liability
Campus Safety & Security | Building security, campus police/security
Continuing Education | Non-credit courses, community programs, workforce training, conference management
Emergency Preparedness | Emergency preparedness and response procedures, business continuity, risk management
Environmental Health & Safety | Physical safety and soundness of campus buildings, environmental risks, facilities/classroom
Financial Close & Reporting | Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes
Governance | General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action
Grant Administration | Grant tracking and monitoring, accounting, budgeting, reporting
Human Resources & Payroll | Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention
Information Technology | IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk
Marketing / Communications | Social media, publications, web development, brand and logo, advertising channels
Operations & Auxiliary Services | Bookstore, libraries, food services
Faculty & Staff | Workforce training, competency, professional environment, conflict of interest
Student Affairs | Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services
Student Financial Processing | Student financial aid, tuition, enrollment fees, scholarships, funding, student loan processing
Approach
With the assistance of Dakota College Bottineau management, LarsonAllen identified 14 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area.
Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).
Risk Assessment Results
Enterprise-Wide Risk Map
The enterprise-wide risk map communicates the risk results at the functional area / process based on the information obtained during the interviews. The description of the risk map is as follows:
Green – Low Risk
Yellow – Moderate Risk
Red – High Risk
The following functional areas / processes are not on the above risk map as there were no risks
identified by stakeholders, per the interview discussions:
Continuing education
Detailed Results
Per discussions with process owners, LarsonAllen identified several processes where specific risks may exist. These risks ideisk ranking of each key financial, operational, and IT processes. The risks identified were based upon discussions with proesting of controls. The following is a list of the risks identified by LarsonAllen, in addition to the risk ranking and recommend
Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations
Academic Affairs | Moderate | Enrollment is significantly dependent on athletics and there are concerns whether the current and future expenses/costs are appropriately subsidized by enrollment. | Perform an assessment to determine if athletic expenses are subsidized by enrollment and develop action plans based on the results.
Dakota Collegsports that are North Dakota follows: Ice HSoftball. For 2Ice Hockey, 55Softball. Hockand participanyears. Footbalparticipant num
to-year. It is a student-athletenot have attenprograms. It isderived from eathletes more tAuxiliaries alsrequire servicedining.
However, a deratio for the en
and ought to bwith a detailed
Academic Affairs | Moderate | Concerns related to funding for future growth of the Entrepreneur Center for Horticulture. | Identify additional marketing opportunities to reach a broader market, including networking with other colleges and universities within North Dakota, additional services to support programs fees, and identify additional grant opportunities.
The Entreprenestaff has forme
Dakota State UCommunity CoThe ECH DireScaling Up LoSummit on Maacademics andat NDSU, to exprograms beinknowledge basuniversity and worked with a design an apprGroupSystems
11th, NDSU pewell as two meteam worked tomeeting are ex
In addition, theworkshops thagrad students aimportant connNDSU exploreresearch on higcomplement th
Harlene HatterSpecialist in thNDSU, works producer contagaps in produc
Academic Affairs
Moderate Dakota CollegTurtle Mounta
with the ECH both colleges aThe TMCC ImGardening Prodistrict (over aopportunities (gardening, fooweed & pest cindustry) and gseeds, and seeguest lecturer occasion. As tVegetable Pro
producers, TMthe courses anbenefit of stud
Although MonNorth Dakota,they are currenneeds of produportion of the administrated Extension persGiving Assista
501(c)3 non-pmission is to din eastern Monincreasing the Table works clocal food eco
Academic Affairs
Moderate value-add prodfood services aour goal of a l
and Bruce SmTable have cooutreach activrelationship toMSU-ExtensioDakota produc
To provide adprogram has inservice providMinot State Ubeen working campus and in
that could be gfacilities and iboth DCB andECH is in its sCommunity Sushares in its prthen receive wCSA will increas the demonsmaking longer
Academic Affairs
Moderate Beginning in tregister studen
Production Prothe school andhired for this papproved by thAcademic Affidentified and Additionally, tmain responsibmanagement sacross the statby funding thrCareer and Tetuition based.
the sustainabil
Although the Efunding cycle submit a Specibehalf of the NGrowers Assohas provided fprovide admingranting cyclecontinue to ap
Academic Affairs
Moderate The Federal Egot the ECH
again be availin 2012. Thereapply for fukept the ECHupdate to thapplication. Athat it has mogrant. If succUniversity Cereliable incom
In addition, identified whi
Organic FarmAgriculture ReTrust, and sevECH will appavailable and ECH and its cl
Academic Affairs | Moderate | Concerns related to certain classes that are being offered due to low enrollment and programs that are offered with no majors. | Perform a cost/benefit analysis to determine if it makes good business sense to continue classes, programs, and majors that have low enrollment.
Dakota Collegenrollment cla
following proglow enrollmenInformation SyInformation ALegal Secretarclasses do remcontent for a v
It is advisable reliable formulprograms to derevenue derivemake more ast
retaining low e
Academic Affairs | Moderate | Lack of training for academic advisors to allow advisors to be the most effective for students, including being knowledgeable about what classes are only offered every other year, etc. | Provide ongoing training and class schedule update information for advisors to be the most effective for students. In addition, consider implementing a student feedback process for the advisors and the institution to gain visibility to strengths and weaknesses of the academic advising process.
A way to measacademic advi
measurement iscores. A largescore of 1.5, shstudents’ expescore such as .to meeting stu
When the Collwas measuredthe national peDakota Univerwas .87 for fouyear institution
The data showfavorably to itsregard to the efpractices. Howconcerning thecomprise the agive direction advising/retent
Academic Affairs | Low | Identifying a faculty member for the new program starting this fall in the Entrepreneur Center for Horticulture. | Continue to focus on identifying a faculty member for the new program within the Entrepreneur Center for Horticulture, including networking with other colleges and universities.
A faculty memprogram that is
Center for Hor
Academic Affairs | Low | The number of high school students graduating from North Dakota is declining and competition is high with other North Dakota colleges and universities to attract and retain students. | Continue to identify opportunities on how to reach out to a broader group of potential students. In addition, market studies should be performed on potential major and course offerings to improve enrollment.
Faced with decschool graduatnew markets fois the out-of-sthas undertakenfive years, the College’s new to 20% to 24%also increased
in 2001. In Falnine students iregistrations; iand there wereA similar scenProgram. Up uBottineau studcampus to earnclasses. DuringDual Credit stuan effort to serstate, the CollePrior Learning
have their occucollege credit.
Academic Affairs
Low second year anto be an ideal p
enough creditsthat they can swith work expan especially vSystem’s NonDakota Collegnecessary stepFriendly CampServices. As sservice men anMyCAA and Gprovide for-crethis two-year o
The faculty anand course offof new major oServices, ParaVegetable ProVegetable Proofferings beingTechnician, Coptions for ourNatural Resouoil industry wo
The campus wreach out to a bexamining newDakota’s work
Athletics | Moderate | There is not a trainer to support the athletics programs, therefore, there is not a dedicated first responder on site and reflects on the perception of the institution when targeting athletic program students. | Perform a cost/benefit analysis to determine if an open position should be created to allow for a trainer to be on campus.
Dakota Collegtrainer for its c
years, the hourincreased. In aService and theand hockey comost home hocresponders pregames. For 201asked to negotservices and foall home conte
A goal of the Ctrainer who wi
athletes. The pnew hires that affordability ba
Athletics | Moderate | The amenities and equipment for athletics need to be enhanced or replaced. | Perform a cost/benefit analysis to determine if it makes good business sense to increase amenities specific to athletics and replace or purchase additional equipment.
The institutionsupport its athl
has been fulfillability. A purpcontinually strprogram and toquo. At presenconnected to fasuitably turnedallocated each 2012, approximpurchases will Dakota Colleginto consideratpriorities and n
since the Colleseven varsity tmakes good bupurchase additprograms.
Athletics | Moderate | It is difficult to continually raise money for athletics via fundraising activities due to the size of the community. | Continue to evaluate whether there are additional opportunities to perform fundraising activities. Develop a short and long term plan for fundraising ideas, how many events will take place annually, how many dollars are needed to be raised at each event, etc.
The Logrollerfor college ath
scholarship doset agenda of asuccessful funLogroller itine
1. Busine2. Calend3. Gorder4. Trip to
The number ofthrough the an2012, Logrolle$12,000 and inathletes for the
of this money ihowever, contrNorth Dakota,
During the curfundraising initarget prospectBottineau. OneLumberjack aninto a career andatabase of thedeveloped and
a sequential mdonation. The community frocontiguous coupledge X numborganization foprograms have
Campus Safety & Security | Low | Appropriate security resources are not in place to perform sufficient ongoing monitoring across campus. | Review the available security resources or time allotted for police force to be on campus and determine if additional resources are needed or if additional security measures should be implemented.
The College ismonitor the ca
cameras. A plahas been develvendor and shbiennium. Eacinclude a line iCollege has incameras and bThe system cacan change enlost or not retuThe key card ithe next bienn
Dakota Collegwith the Bottinthe campus aninsure campuswith the Coundeputies to staresidence hallsconducts hourgrounds checksuspicious actiprocedure was
Additional secbiennium. Thethis purpose, henhance securi
Emergency Preparedness | Moderate | Lack of communication related to emergency response procedures and concerns that the involvement of training and testing of the procedures are not campus-wide. | Identify additional ways to communicate emergency response procedures and provide training and testing that involves several areas across the institution.
The College haprocedures and
Risk Managempolicy and procseparate in-sersimulated crisiup on campus response can bresponse testinannually to helprocess and pro
Environmental Health & Safety | Low | Current facilities will not support another significant increase in headcount, both academically and athletically. In addition, office space is not available for administration offices to allow for enrollment growth. | Perform a cost/benefit analysis to determine if additional capital projects should be pursued to support current and potential future increase in enrollment.
The College isto later in the a
this action willlabs in the eveadditional spacresolution wouhelping to avoistudents’ coursoption.
Office space isonly two or thradditional perscrowding and ito alleviate thi
project currentinstitution’s Ofrom the commCorporation toCollege. Dakoand should det
Environmental Health & Safety | Low | The Environmental Protection Agency is changing regulations for coal burning and the institution utilizes coal boilers. There are concerns related to the impact the changes will have on the institution. | Continue to monitor changes set forth by the Environmental Protection Agency to ensure the institution is compliant with regulations.
The North Dakcampus informaffecting camp
Financial Close & Reporting | Moderate | The institution’s budgeting process utilizes the “same as last year” approach and does not perform an in-depth analysis to determine if dollars should be allocated differently from the previous year. | Consider performing an in-depth analysis of previous years’ budgets and the dollars allotted for the current year to determine if available funds should be allocated differently from previous years.
All departmenfunding levels
amounts are rebenefit from inrate of inflationincreases, progprograms can bThe College hacomprehensiveenrollment offreductions willinstitution. Thuis little wiggle beginning withapproach. Few
because they estudents—morraise the cost oare in place to requirements iincrementally
Although fundnot an alternatiDCB will contallocation mod
Financial Close & Reporting | Moderate | There is a lack of appropriate segregation of duties in the Business office. | Review the current responsibilities of each person in the Business office to determine if changes should be made to allow for additional segregation of duties.
Segregation ofAuditor’s Offic
Financial Close & Reporting | Moderate | There is a lack of appropriate segregation of duties with department purchases. In some instances, department managers are individually deciding what to purchase and from whom and are also approving the purchase, involving no other personnel in the overall process. | Develop a policy that requires all purchases to involve more than one person in the overall process.
Although all deindividual withauthority, this consultation wmanagement, ngathering activCollege will tainstitutional pu
Governance | Moderate | The institution’s strategic plan lacks a long term focus. In addition, measurable action plans have not been developed to address all objectives and goals. | Review the strategic plan to determine if long term objectives should be addressed. In addition, consider developing measurable action plans to meet objectives and goals.
The Institution
long and shortsteps. Followiincluded in str
Motivate adevelop toAcademic
Utilize a cbuild an eProgram tNDUS.
Provide a general edimpact of
portfolio p Work with
training nedrilling ac
Governance
Moderate The complexitattaches a long
including time
There are bencattached to the
GOAL: Enhanmission that addeveloping poof college credExpected Out
five students in
GOAL: Move
Horticulture frdemonstrationExpected Out
greenhouses a
GOAL: BeginProgram that ptoward a degreundecided aboExpected Out
College Studiethe students en
will return to DAlthough meato be better dis
Governance | Moderate | Lack of consistent communication to roll out new policies and procedures, make updates to existing, and implement consistently across the institution. In addition, there is not a consistent process to review policies and procedures on an ongoing basis once they are developed. | Improve communication to roll out new policies and procedures and updates to existing. In addition, review and approve all policies and procedures on an ongoing basis.
Two years agofollowing prac
procedures anprocedures: Th
is the documen
version will be
Thus, it is the o
when accessin
Changes, dele
regarding the
faculty and sta
the online han
over the last twpolicy changefolders each ye
collapsing the Handbooks intdocument thatinformation fo
The Faculty SeCommittee thaFaculty Handbimprovementsof updates. Thesame responsibManagement H
Senate or the Dkeeping the haThey need to mor determine a
job done.
Governance | Moderate | Lack of understanding by the institution end users related to how System policies are categorized and where they are stored. In addition, policies are not always clearly titled to reflect content. | Team with the System office and other institutions to gain a better understanding of how System policies are categorized and titled.
The NDUS Poaccessed from
difficult link toto it, end usersto it for subseqCollege’s handlist the link thathe System po
A review of hotitled may be hissue is more athe website thadifficult to nav
Governance | Moderate | Bottineau is a small community and local community members and businesses are continually tapped for fund raising and donation dollars making it difficult to continually increase the amount raised each year. | Continue to identify additional alumni, community members, and business relationship opportunities to perform fundraising activities. In addition, perform a cost/benefit analysis to determine if additional funding should be allocated to identifying and building these relationships.
The Dakota Coidentify additiorevenue generahistory with thresulted in the in three monthprograms. Thetogether to soliregional businehas the right mprospective doFoundation Ofimplement the
funding additiocalculated.
Governance | Low | Initiatives are identified and teams of staff and faculty are assigned; however, many initiatives are not provided the appropriate levels of attention or are not followed through on. | Identify all initiatives across the institution, teams assigned to them, progress made, etc. Determine what initiatives are not progressing as deemed sufficient by the institution and identify the root causes for the lack of progression.
True initiativestandard opera
identified throinitiatives, or gstrategic planndeveloped andinto place for naturally had mothers, and as attention. Howthe steps in theenrollment andStrategic Planprocess that gastaff, students
suggestions anas initiatives f
A natural tendeinitiative for wreceived approto identify theiinformation abcan be distributhe alumni newwebsite.
Governance | Low | Meeting minutes are not always documented for formal council and committee meetings, resulting in lack of an audit trail of discussion topics, decisions made, and monitoring of ongoing activities. In addition, when meeting minutes are documented, they are not to the level of detail needed. | Develop a policy that requires all formal council and committee meetings to be documented and describe the level of detail required to be sufficient.
Dakota Collegappointed by th
keep minutes. committees stakeep minutes o
(form attached
Berube by at le
letter to the compertaining to thminutes.
Grant Administration | Moderate | Investment strategy for the foundation may be too conservative. | Identify if there are alternative opportunities for conservative investments that result in a higher yield.
The Dakota CoCommittee hasorganization’son certificates
Financial servithe Executive Chowever, the gconservative inopportunities icontinue to be consideration.
Grant Administration | Moderate | Additional time should be spent on alumni and donation collections. | Team with the Foundation to determine if additional resources could be allocated to focus more on alumni and community networking to increase donations.
Please see resp
Bottineau is a s
members and b
fund raising an
to continually
Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations
Information Technology
Moderate Servers are maintained in a locked room in an office; however, the room is not always locked during business hours. In addition, appropriate environmental controls are not in place.
The server room should be locked at all times, including business hours. In addition, perform a cost/benefit analysis to determine if additional environmental controls should be implemented or if upgrades should be made.
The server roosecurity camer
leaving the serdata, it has beenecessary to inWe are currentproviding impr
Moderate A Continuum of Government Plan that addresses some areas of a disaster recovery plan is in place; however, a comprehensive documented plan still needs to be developed.
Develop and document a formal disaster recovery plan. This would include, but is not limited to:
Risk exposures
Recovery team responsibilities
First response process and procedures
Functional assessment process
Asset protection
Communications approach
System recovery timeframes
Maintenance and testing
Training
DCB does hav(Continuum ofdeveloped durreviewed and ucompleted prio
Moderate USB drives are not password protected or encrypted.
Develop a policy that requires all USB drives to be password protected and encrypted. Communicate the policy to all applicable users.
The campus Crecommendatioend of FY2012
Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations
Information Technology
Moderate Password parameters for Active Directory are not technically enforced to require passwords to be alphanumeric.
Change the password parameters in Active Directory to technically enforce all users’ passwords to be alpha numeric.
Password paracurrently not te
passwords to binstitution is mand when this mauthenticate agconnected withrequire alpha n
Marketing & Communications
Low There are concerns related to the strategic approach, leadership, and direction for marketing and communication.
Review the strategic approach and leadership for marketing and communication at the institution to determine if changes should be made to align the strategic plan with the institution.
Under the currdirection for thstudents, and tcollege choiceconsecutive sematerials, the
process by whwith prospectssystems for traresponding to improvementssophisticated iare managed wthe Admissionproviding timemarketing task
Dakota CollegOnline and Ou
better with its gare many excitat the College audience.
Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations
Operations & Auxiliary Services
Moderate Credit card information is manually documented at the bookstore for orders that are placed via phone during peak times of the year.
Review the procedures to protect credit card information at the bookstore and determine if changes should be made to enhance data protection. In addition, if procedures are not formally documented, consider documenting the procedures to allow all employees to be consistent and educate new employees.
Dakota Collegcredit card inf
determine if chprotection.
Low Lack of knowledge by students and faculty on how to use digital library services.
Consider offering training to students and faculty on the use of digital library services.
Training to stulibrary service
Low Technology upgrades are needed for the library to better accommodate student learning.
Continue to prioritize capital projects and renovation needs across campus to determine if the library is a priority in the next fiscal year’s budget.
Prioritizing of across campus
the Library are
Low Concerns with theft in the bookstore. There are no security cameras or security system.
Perform a cost/benefit analysis to determine if security measures should be implemented.
Cameras have prevent shoplifstrengthened to
Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations
Faculty & Staff
Moderate Lack of succession planning and cross training for most positions within the institution.
Functional areas should evaluate where it is most critical to implement succession plans and cross train employees. Develop an action plan to implement and cross train where necessary.
Cross training environments,
Although Dakomust effectivelfunctions of anmatter its size.resources requfor two or morwear more thanmost staff is alcapacity.
When and whesuccession planbring in new st
incumbent’s detrained to hit-th
Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations
Student Affairs
Moderate Residence halls need to be remodeled and utilized to attract more students, including building suite living conditions to attract families.
Perform a cost/benefit analysis to determine if it makes good business sense to renovate residence halls and build suite living conditions.
The learning anCollege’s resid
significantly si1950’s, 1960’sexpectations abincluded for redramatically. Tservices, and pCollege needs bonding to gathMead, Milliga
Moderate The institution is becoming more culturally diverse and there has been a significant increase in out of state students. There are concerns whether the campus is meeting the needs of these students.
Perform an assessment to determine whether the institution is meeting the needs of culturally diverse and out of state students. Utilize feedback from students to make improvements as necessary.
The Institutionimplement proan increasingly
Student Financial Processing
Moderate Certain faculties do not submit their book/material requests to the bookstore timely or change the books/materials near the start date of a semester, resulting in the bookstore not being able to provide books/materials timely to students, keep costs effective and affordable, and possibly cause the institution to be in violation of the HEOA.
Continue to educate faculty about the importance of submitting book and material requests timely. In addition, identify alternative methods of communication and education.
The Institutionthe importancerequests in a ticonsequences
Appendix
Impact Criteria

HIGH
FINANCIAL: (1) Asset size; (2) Prior negative exposure; (3) Rapidly increasing transaction volume
STAKEHOLDER: (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns
REPUTATION: (1) Potential adverse issues are known to external parties, such as media and regulatory bodies
LEGAL / REGULATORY: (1) Any Federal/State/Other action; (2) External Audit reportable conditions
OPERATIONS: (1) Current infrastructure cannot support business strategy

MEDIUM
FINANCIAL: (1) Asset size; (2) Major potential cost; (3) Transaction volume stable
STAKEHOLDER: (1) Management, employees and faculty may be affected by process inefficiencies or control breakdown
REPUTATION: (1) Potential adverse issues could impact customers
LEGAL / REGULATORY: (1) Issues identified by Federal/State/Other; (2) Issues identified by External Audit
OPERATIONS: (1) Current infrastructure is able to support business strategy with work arounds

LOW
FINANCIAL: (1) Asset size; (2) Minor potential cost; (3) Transaction volume stable
STAKEHOLDER: (1) No management, employees and faculty are affected by process inefficiencies or control breakdown
REPUTATION: (1) Potential adverse issues could impact employees
LEGAL / REGULATORY: (1) No issues identified by Federal/State/Other; (2) No issues identified by External Audit
OPERATIONS: (1) Current infrastructure is able to support business strategy
Vulnerability Criteria

HIGH
CONTROL EFFECTIVENESS AND EFFICIENCY: Controls are not working or do not exist.
SPEED OF RESPONSE: No method for anticipating and assessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.
COMPLEXITY: Manual processes with many data transfer points and owners
PEOPLE: A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists.
OPERATIONAL EFFICIENCY: High/unmeasured cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.
SYSTEM CAPABILITY: Systems are not operating as designed or design is flawed; very limited controls
RATE OF CHANGE: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months.

MEDIUM
CONTROL EFFECTIVENESS AND EFFICIENCY: Controls are detective but not preventative and there may or may not be effective reporting.
SPEED OF RESPONSE: A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.
COMPLEXITY: Automated process encompassing multiple systems and owners.
PEOPLE: A limited number of staff and/or staff has moderate competency to manage risk event.
OPERATIONAL EFFICIENCY: Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.
SYSTEM CAPABILITY: Systems are operating as designed, but design can be improved; controls are bolted on top of the system.
RATE OF CHANGE: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months.

LOW
CONTROL EFFECTIVENESS AND EFFICIENCY: Controls are appropriately preventive and detective and there is effective reporting.
SPEED OF RESPONSE: A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.
COMPLEXITY: Automated processes with integrated systems.
PEOPLE: Most staff has high competency to manage risk events.
OPERATIONAL EFFICIENCY: Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.
SYSTEM CAPABILITY: Systems are designed, implemented, and operating effectively; controls are embedded in the system.
RATE OF CHANGE: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.
Dickinson State University
Risk Assessment Results
October 14, 2011
Craig W. Popenhagen, CPA
Principal
Enterprise-Wide Risk Assessment | Dickinson State University
October 14, 2011
Dr. D.C. Coston, Acting President
Dickinson State University
291 Campus Drive
Dickinson, ND 58601
Dr. Coston,
This report provides you, Dickinson State University (DSU) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board’s acceptable risk level.
LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided.
In addition, the procedures performed by LarsonAllen are not a substitution for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide Dickinson State University with insight to inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project.
We appreciate the opportunity to assist Dickinson State University. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance.
Sincerely,
LarsonAllen LLP
Craig W. Popenhagen, CPA
Principal
612/[email protected]
220 South Sixth Street, Suite 300
Minneapolis, MN 55402-1436
612-376-4500, Fax 612-376-4850
Table of Contents
Executive Summary
  What is Risk Assessment?
  Risk Assessment Methodology
Project Overview
  Objectives and Scope
  Approach
Risk Assessment Results
  Enterprise-Wide Risk Map
  Detailed Results
Appendix
  Impact Criteria
  Vulnerability Criteria
Executive Summary
LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for Dickinson State University. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically.
Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical representation of the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Detailed results are also provided communicating the explanation for the risk ranking and recommendations for addressing the risks.
What is Risk Assessment?
Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution whether it is entity or process level.
Entity level is the cornerstone for effective control and its objectives provide guidance on what the entity wants to achieve. It should be consistent with budget, strategy, and business plans.
Process level should align with entity level objectives but differ in that they relate directly to goal setting with specific targets and deadlines. It provides guidance for management focus.
Risk Assessment Methodology
The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for Dickinson State University.
Understand the Client’s Business: We begin by understanding the North Dakota University System’s (the System) business by gathering the business objectives, goals, and strategies and identify the System’s various universities and colleges in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry.
Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of an institution to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken in the form of missed opportunities. There are six types of risks:
Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the institution’s inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the institution’s reputation.
Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.
Operational: The risk that the institution’s operational processes are not achieving the objectives they were designed for to support the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.
Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.
Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the institution and the availability and quality of information the institution can access to support decision making, and the security of key information.
Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships.
Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.
[Illustration: Areas of Focus Definitions. Areas of focus: Financial; Stakeholder; Reputation; Legal / Regulatory; Operations; Control Efficiency & Operating Effectiveness; Speed of Response; Complexity; People; Operational Efficiency; System Capability; Rate of Change. Ratings: High Risk, Moderate Risk, Low Risk.]
Execute Risk Assessment Approach: We begin by identifying various interview participants, including key risk owners and conduct interviews, as applicable. Key risks are gathered during this stage and results are ranked by defined impact and vulnerability criteria.
Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then validated and shared with management, as appropriate. By prioritizing and validating risks, Dickinson State University can align and prioritize its resources to manage and mitigate risks appropriately.
[Illustration labels: Impact, Vulnerability, Measurement Scale]
Project Overview
Objectives and Scope
The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at Dickinson State University and assess the levels of risk within each of the process areas. In addition, provide Management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process.
The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution:
Functional Area / Process: Detailed Coverage of Functional Area / Process
Academic Affairs: On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment
Athletics: Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance
Campus Safety & Security: Building security, campus police/security
Continuing Education: Non-credit courses, community programs, workforce training, conference management
Emergency Preparedness: Emergency preparedness and response procedures, business continuity, risk management
Environmental Health & Safety: Physical safety and soundness of campus buildings, environmental risks, facilities/classroom
Financial Close & Reporting: Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes
Governance: General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action
Grant Administration: Grant tracking and monitoring, accounting, budgeting, reporting, foundation, donor concentrations, foundation investment strategy
Human Resources & Payroll: Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention
Information Technology: IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk
Marketing / Communications: Social media, publications, web development, brand and logo, advertising channels
Operations & Auxiliary Services: Bookstore, libraries, food services
Faculty & Staff: Workforce training, competency, professional environment, conflict of interest
Student Affairs: Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services
Student Financial Processing: Student/financial aid, tuition, enrollment fees, scholarships, funding, student loan processing
Approach
With the assistance of Dickinson State University management, LarsonAllen identified 24 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area.
Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).
Risk Assessment Results
Enterprise-Wide Risk Map
The enterprise-wide risk map communicates the risk results at the functional area / process based on the information obtained during the interviews. The description of the risk map is as follows:
Green – Low Risk
Yellow – Moderate Risk
Red – High Risk
The following functional areas / processes are not on the above risk map as there were no risks identified by stakeholders, per the interview discussions:
Continuing education
Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations
Academic Affairs
Low Accountability for student enrollment and retention is not consistent across all functional administrative areas and faculty. In addition, faculty and staff are not always making themselves available to current and potential future students. This includes faculty office hours, availability for high school student visits/campus tours, experience in the administration offices, etc.
Review the Strategic Enrollment Plan initiatives and action plans to determine if all functional areas and faculty responsibilities are addressed to support and grow headcount and accountability measures to move forward.
Low A strong focus of the university is increasing headcount; however, there are concerns that appropriate thought has not been given to the facilities and resources available at the university to support additional headcount.
Review the Strategic Enrollment Plan initiatives and action plans to determine if facilities and resources have been addressed to adequately support additional headcount.
Low Strom Center programs do not receive university and/or grant funding. If donations and/or grant dollars decrease, the sustainability of programs would be at risk.
Identify additional marketing opportunities to reach a broader market, including networking with other colleges and universities within North Dakota, additional services to support programs fees, and identify additional grant opportunities.
Low The Strom Center Business Challenge Program is approximately $50k in debt.
Review the strategic plan to determine if the Strom Center’s debt is addressed with specific measurable action plans. In addition, consider whether updates should be made to the strategic plan and whether progress is being made towards the measurable action items.
Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations
Athletics
Low Transportation for the university’s rodeo team is not provided and controlled, resulting in the risk of liability to the institution.
Perform a cost/benefit analysis to determine if it makes good business sense to provide transportation services for the university’s rodeo team. In addition, consider reaching out to other colleges and universities that have a rodeo team to determine the approach they take.
Low Recruiting new athletic program coaches and maintaining the existing coaches is a concern due to the size of the institution and compensation offered.
Continue to benchmark wages with other North Dakota colleges and universities.
Campus Safety & Security
Moderate Concerns that staff and faculty are being verbally and emotionally threatened to increase student enrollment.
Obtain feedback from all staff and faculty related to the tone at the top and pressures to increase student enrollment to determine if the environment is appropriate.
DSU hasimpleme
March 22harassmeMarch anCampus regular byear to adforward.
Low Concerns related to the safety of students and security of the campus with the significant numbers of oil field workers migrating to the area. In addition, there is no security officer during the daytime hours.
Perform a cost/benefit analysis to determine if security officers and resources are needed or if additional security measures should be implemented.
Emergency Preparedness
Low Lack of communication and required training related to emergency response procedures.
Consider requiring the current training available to employees twice a year to be mandatory training to enhance awareness.
Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations
Environmental Health & Safety
Low Athletic facilities are outdated and need remodeling (i.e. handicap accessible, strategic concession placement, etc.).
Continue to prioritize capital projects, renovations, and maintenance needs across campus to determine if athletic facilities are a priority in the next fiscal year’s budget.
Low The ability to attract local contractors has decreased over the last several years due to the competition with the oil fields.
Consider reaching out to other colleges and universities that may also be affected by the increased labor demand from the oil fields to identify actions other institutions have taken, discuss contractor options, pricing considerations, etc.
Financial Close & Reporting
Moderate Bad debt write-offs continue to rise each fiscal year due to the inability to collect tuition fees.
Review write-offs over the last several years to determine the amount of write-offs that are tuition related. In addition, review historical trends and determine the root cause of tuition write-offs.
Many of through tPolicy th
financialentity hainternatiodays or m
Moderate Concerns that departmental budget changes are not being communicated on a timely basis and could result in potential over spending.
Review the process to communicate departmental budget changes and determine if changes should be made to the process to allow more timely communication.
Unit supecommunbudgets cand progthe opporsessions.
Low Interest income has significantly declined over the last several years. In addition, net operating income has been negative for the last three years.
Perform an analysis to determine the root cause for the decrease in interest income and the negative net operating income over the last several years. Determine if the institution could make changes or identify other opportunities to increase both in the future.
Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations
Governance
Moderate The institution is maintaining an ad hoc database of alumni and donors; however, under the verbal contract with the Foundation and Alumni organization they are not allowed to do so.
Reconfirm the verbal contract between the institution and the foundation to determine if the contract should be revised or if the institution should delete its ad hoc database.
DSU wilthe Foun
a separatThis willagreemenBoard Po
Low The university is not PCI compliant.
Consider identifying PCI compliance as an initiative, including resource dedication, to become compliant in the future. In addition, reach out to other colleges and universities that are compliant across the System to determine the steps other institutions took to become compliant, lessons learned, etc.
Low Monitoring of international students while attending the university and monitoring their departure from the U.S., procedures to verify and document their departure, etc.
Review procedures to monitor international students while attending the university and their departure from the U.S. Determine if procedures are documented, communicated, and if proper monitoring controls are in place.
Grant Administration
Moderate Lack of grant related policies and procedures, specifically the overall grant lifecycle, expense allocations, coordination of proposing on grants once the grant(s) have been identified, specifically persons that should be involved, timing, knowledge of qualification requirements, etc.
Develop policies and procedures for the grant process. Review documents on an ongoing basis to determine if changes should be made.
Departmdiscussed
a VPAA were revdevelop uensure cogrant app
Moderate A grant roster is not maintained to centrally track and monitor completeness and accuracy of current grants, renewal of grants, etc.
Develop a grant roster to centrally track and monitor grants and enhance visibility of the status of all grants.
All grantfund in thconsider task to anmonitor g
Low Grant expenses, including payroll expenses, may not be applied to the correct grant or expenses may be inaccurately applied due to lack of attention to detail.
Review the current processes to code/assign expenses to grants and determine if proper internal controls exist to minimize the risk of coding expenses to incorrect grants or applying inaccurate expense amounts.
Low Lack of resources to identify new grant opportunities.
Perform a cost/benefit analysis to determine if it makes good business sense to dedicate additional resources to the grant identification process.
Low The Foundation and Alumni organization does not always process gift receipts timely and alert the Business Office and Strom Center timely, resulting in financial reports to lag a month or two.
Team with the Foundation and Alumni organization to identify root causes for untimely processing of cash receipts and determine if the Business Office and Strom Center could assist with improvements in the process.
Human Resources & Payroll
Low There are concerns related to the accuracy of the human resources master file.
A review should be performed of the human resources master file to determine if changes need to be made to update information for staff and/or faculty members.
Low Job descriptions are not up-to-date.
Review all job descriptions and determine if updates need to be made. Make updates as needed. In addition, if it is determined that a job description does not exist for a position, per the review, develop a job description for the position.
Information Technology
High The data center is located in the basement of May Hall and contains windows in the room.
Consider moving the data center to a more secure location.
The cost considerealthough
current lothis locatmoisture wiring inWater piplocation. viewing f
Information Technology
High There is no formal disaster recovery plan.
Develop and document a formal disaster recovery plan. This would include, but is not limited to:
Risk exposures
Recovery team responsibilities
First response process and procedures
Functional assessment process
Asset protection
Communications approach
System recovery timeframes
Maintenance and testing
Training
Senior lewith the
NDUS redocumenconsistenprocedur
A formal
Be
A cre
Crdeg
Pri
DSdat
Em
Moderate Data back-ups are stored on-site in the data center.
Identify an off-site storage site to maintain data back-ups. Employees’ homes should not be utilized.
Backup m
Moderate Shared folders are not restricted on the network. A policy is in place to restrict personnel from maintaining confidential information in the shared folders, but confidential information has been found in the past.
Develop and assign user roles within shared folders to restrict access to confidential information.
The localand studelocal sharnot to stogiven accnow (Aug
as needed
Information Technology
Moderate Laptops issued to staff and faculty are not encrypted. In addition, USB drives purchased by functional departments are not password protected or encrypted.
Develop a policy that requires all laptops and USB drives to be encrypted. In addition, determine if the process to issue technology related items should be centralized within the IT group to allow for consistency and adherence to policy.
The NDUon all com
Ec
EpMk
Moderate A mobile device policy is in place; however, appropriate security measures have not been technically enforced to support mobile devices.
Consider technically enforcing security measures on mobile devices to enhance security.
Currently
Dl
Tv
U
i
Low Password parameters for Active Directory are not technically enforced to require passwords to be changed after a defined period of time.
Consider changing the password parameters in Active Directory to technically enforce passwords to be changed every 90 days.
Low Significant numbers of staff do not lock their computers when leaving their desk.
Develop a policy to require all staff and faculty to lock their computers when leaving their desks to increase overall security of information on their computers.
Marketing & Communications
Low Duplicate information is being drafted in publications that could potentially be combined to save time and costs.
Perform a review to determine if information drafted in publications could be combined in certain instances to allow for time and cost savings.
Operations & Auxiliary Services
Low Remodeling and technology upgrades are needed for the library to better accommodate student learning.
Continue to prioritize capital projects, renovations, and maintenance needs across campus to determine if the library is a priority in the next fiscal year’s budget.
Low The bookstore sales return policy is not consistently followed. Certain functional areas require the bookstore to make several exceptions to the policy.
Review the bookstore sales return policy to determine if changes should be made to the policy or if the policy is appropriate and current practices should be changed to adhere to the policy.
Low Concerns with theft in the bookstore. There are no security cameras, security system, and students are trying on apparel in the restrooms.
Perform a cost/benefit analysis to determine if security measures and/or designated fitting rooms should be implemented.
Low The bookstore’s apparel and inventory is sold at offsite campus events. All inventory and sales are manually tracked and entered into the POS system after the event.
Review the internal controls in place for selling bookstore apparel and inventory at offsite campus events to determine if additional controls should be implemented and if current controls are operating effectively.
Low Clubs, departments, organizations, etc. are not required to consider the bookstore when making purchases or involving the bookstore in the bidding or proposal process.
Develop a policy that requires clubs, departments, organizations, etc. to submit a request for proposal to the bookstore to bid on the purchases.
Faculty & Staff
Moderate Overall employee work load is a concern. Most functional areas identified some level of personnel needs.
Perform an assessment to determine how resources are being utilized across all functional areas, tracking of hours worked, efficiencies that could be gained, etc.
On-goingefficienc
Moderate There has been a high turnover rate in key leadership positions in the last several years.
No proposed recommendation. The Cooconducteindividua
Moderate Lack of succession planning and cross training for most positions within the institution.
Functional areas should evaluate where it is most critical to implement succession plans and cross train employees. Develop an action plan to implement and cross train where necessary.
DSU shotrain emp
Low Recruitment and retention of staff and faculty is a concern, specifically as it relates to the compensation offered and the competition with the oil field positions.
Continue to benchmark wages with other North Dakota colleges and universities.
Student Affairs
Moderate Several international students are not fluent in English and the institution does not have staff and/or faculty capable of speaking the languages to accommodate students, resulting in the inability to provide these students with the academic and student experience that is the same as all other students.
Perform a cost/benefit analysis to determine if it makes good business sense to hire personnel who are fluent in languages specific to the countries targeted for international students or if alternative countries should be targeted based on language capabilities at the institution.
DSU offiArticulat
in place wrequiremago, DSUeffort to htheir Engto look foconsisteneffort to iapplicant
Moderate The cost to live off campus has significantly increased due to the oil fields, resulting in limited residence hall space as students are staying on campus a longer period of time.
Perform a cost/benefit analysis to determine if it makes good business sense to build additional residence halls, add on to existing, or another alternative.
The VP oFinanciaCommitt
range solcampus a
Low Lack of recruiting efforts at local DSU events where high school student attendance is high. In addition, there is a stronger focus on international student recruitment than the five-state region.
Review the current strategy to recruit students and determine if there is an appropriate balance of domestic and international students. In addition, determine if additional recruiting efforts should be focused on attendance of staff and faculty at local DSU events where high school student attendance is high.
Student Affairs
Low Mental health and medical issues are increasing in the student body and the institution does not have a counselor.
Perform a cost/benefit analysis to determine if a counselor position should be created.
Low Student contact information is not updated and maintained on an ongoing basis, resulting in inaccurate information in the database.
Review the current procedures to update and maintain the database that houses student contact information and determine if additional resources should be allocated to enhance the accuracy of information.
Student Financial Processing
Moderate Tracking and monitoring of collaborative students and qualification requirements to receive financial aid, specifically declared institution of graduation, institution enrollment, grades received, etc. If a student is not currently enrolled in classes in the declared institution of graduation, the financial aid office cannot monitor their eligibility of a financial aid recipient.
Develop a process to track and monitor collaborative students and qualification requirements to receive financial aid. Determine if current technology could assist in the process.
DSU currcollaboraneed to dcollaborarequirem
Moderate Royalties received to support the internal scholarship program are decreasing and five year commitments are made to students to receive scholarship dollars as long as their GPA is appropriate. There is a risk that the institution is over-committing scholarship funds or will be in the future.
Perform an assessment to determine if there are enough funds to support the internal scholarship program commitments that have been made. Adjust future program commitments as necessary based on the assessment results.
The Actito examiRoughridimpleme
Student Financial Processing
Moderate Certain faculties do not submit their book/material requests to the bookstore timely or change the books/materials near the start date of a semester, resulting in the bookstore not being able to provide books/materials timely to students, keep costs effective and affordable, and possibly cause the institution to be in violation of the Higher Education Opportunity Act.
Continue to educate faculty about the importance of submitting book and material requests timely. In addition, identify alternative methods of communication and education.
Senior leChairs, a
complianmaterial
Moderate It is challenging to identify the last day a student attended classes if they have dropped out and are to pay back financial aid already received. This is especially difficult for collaborative students.
Review the current process to identify when a student last attended classes to determine if improvements could be made. In addition, team with other colleges and universities to develop a consistent process for collaborative students.
Polices atracking and Progdocumen
with fedeattendancduring a October
Low Ability to stay proactive related to financial aid federal compliance. Changes in legislation are not always known and implemented timely. In addition, interpretation of regulations is difficult.
Develop an action plan with specific measurable goals to continually monitor and stay abreast of financial aid federal regulations. Discuss regulations with the System Office and other colleges and universities in ND, as needed, to compare interpretations and gain additional confidence that DSU is in compliance. In addition, consider performing an internal audit to review compliance with regulations.
Student Financial Processing
Low Implementing financial aid regulation changes timely and managing the student experience while implementing changes is a challenge. Duplicate requests are sometimes required of students when changes in regulations occur during the submission and award process.
Continue to implement regulation changes as soon as possible to minimize duplicate requests when processing and awarding financial aid. In addition, review the current process to determine if efficiencies could be gained.
Low Concerns related to communication between faculty and the Financial Aid department to understand the impact of curriculum changes on financial aid distribution and regulations.
Additional communication and training should be implemented to improve understanding of financial aid requirements and the impact of curriculum changes.
Low There was a fraudulent high school diploma and transcript received and there are concerns related to how many fraudulent documents have been used to be a recipient of financial aid that have not been identified.
Consider providing training to staff who review documents collected in the application process to enhance the identification of fraudulent documents and create awareness.
Low Concerned that the Financial Aid Department is managed under Student Affairs.
Perform an assessment to determine if it makes good business sense to keep Financial Aid under Student Affairs, have the group be self-governed, or another option.
Appendix
Impact Criteria

HIGH
Financial: (1) Asset size (2) Prior negative exposure (3) Rapidly increasing transaction volume
Stakeholder: (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns
Reputation: (1) Potential adverse issues are known to external parties, such as media and regulatory bodies
Legal / Regulatory: (1) Any Federal/State/Other action (2) External Audit reportable conditions
Operations: (1) Current infrastructure cannot support business strategy

MEDIUM
Financial: (1) Asset size (2) Major potential cost (3) Transaction volume stable
Stakeholder: (1) Management, employees and faculty may be affected by process inefficiencies or control breakdown
Reputation: (1) Potential adverse issues could impact customers
Legal / Regulatory: (1) Issues identified by Federal/State/Other (2) Issues identified by External Audit
Operations: (1) Current infrastructure is able to support business strategy with work arounds

LOW
Financial: (1) Asset size (2) Minor potential cost (3) Transaction volume stable
Stakeholder: (1) No management, employees and faculty are affected by process inefficiencies or control breakdown
Reputation: (1) Potential adverse issues could impact employees
Legal / Regulatory: (1) No issues identified by Federal/State/Other (2) No issues identified by External Audit
Operations: (1) Current infrastructure is able to support business strategy
Vulnerability Criteria

HIGH
Control Effectiveness and Efficiency: Controls are not working or do not exist.
Speed of Response: No method for anticipating and assessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.
Complexity: Manual processes with many data transfer points and owners
People: A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists.
Operational Efficiency: High/unmeasured cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.
System Capability: Systems are not operating as designed or design is flawed; very limited controls
Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months.

MEDIUM
Control Effectiveness and Efficiency: Controls are detective but not preventative and there may or may not be effective reporting.
Speed of Response: A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.
Complexity: Automated process encompassing multiple systems and owners.
People: A limited number of staff and/or staff has moderate competency to manage risk event.
Operational Efficiency: Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.
System Capability: Systems are operating as designed, but design can be improved; controls are bolted on top of the system.
Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months.

LOW
Control Effectiveness and Efficiency: Controls are appropriately preventive and detective and there is effective reporting.
Speed of Response: A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.
Complexity: Automated processes with integrated systems.
People: Most staff has high competency to manage risk events.
Operational Efficiency: Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.
System Capability: Systems are designed, implemented, and operating effectively; controls are embedded in the system.
Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.
©2011 LarsonAllen LLP
Lake Region State College
Risk Assessment Results
October 14, 2011
Craig W. Popenhagen, CPA
Principal
Enterprise-Wide Risk Assessment | Lake Region State College
©2011 LarsonAllen LLP
October 14, 2011
Dr. Mike Bower
Lake Region State College
1801 College Drive N.
Devils Lake, ND 58301-1598
Dr. Bower,
This report provides you, Lake Region State College (LRSC) leadership, the Audit Committee, and
members of the Board with the results of the risk assessment and a means to prioritize risk mitigation
strategies. An enterprise-wide risk assessment is the first step in your risk management program of
assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of
strategies to achieve the Board’s acceptable risk level.
LarsonAllen did not audit or review any of the information provided, nor have we performed an
examination of internal controls in accordance with standards promulgated by the American Institute of
Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy
of the information that management has provided.
In addition, the procedures performed by LarsonAllen are not a substitution for management’s
responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk
assessment project was designed to provide Lake Region State College with insight to inherent and
specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities
related to the scope of this project.
We appreciate the opportunity to assist Lake Region State College. Management and staff involved in the
process were a pleasure to work with and very open to sharing their opinions and knowledge. This
cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to
contact us for assistance.
Sincerely,
LarsonAllen LLP
Craig W. Popenhagen, CPA Principal
612/397-3087
220 South Sixth Street, Suite 300
Minneapolis, MN 55402-1436
612-376-4500, Fax 612-376-4850
Table of Contents
Executive Summary
  What is Risk Assessment?
  Risk Assessment Methodology
Project Overview
  Objectives and Scope
  Approach
Risk Assessment Results
  Enterprise-Wide Risk Map
  Detailed Results
Appendix
  Impact Criteria
  Vulnerability Criteria
Executive Summary
LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for Lake Region State College. This included identifying and ranking the key financial, operational, strategic, and information
technology (IT) processes within the organization based on inherent and specific risks. The overall risk
for each process was based upon the process’s potential impact to the organization and the vulnerability
of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically.
Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the
significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical
representation of the relative impact and vulnerability of a risk event for each of the key financial,
operational, and IT processes. Detailed results are also provided communicating the explanation for the
risk ranking and recommendations for addressing the risks.
What is Risk Assessment?
Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse
conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution whether it is entity or
process level.
Entity level is the cornerstone for effective control and its objectives provide guidance on what the
entity wants to achieve. It should be consistent with budget, strategy, and business plans.
Process level should align with entity level objectives but differ in that they relate directly to goal
setting with specific targets and deadlines. It provides guidance for management focus.
Risk Assessment Methodology
The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for the Lake Region State College.
Understand the Client’s Business: We begin by understanding the North Dakota University System’s
(the System) business by gathering the business objectives, goals, and strategies and identify the System’s
various universities and colleges in addition to the key financial, operational, and IT processes within
each university and college. Next, we assess the external and internal risks related to the industry.
Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or
condition that can negatively affect the ability of an institution to achieve its objectives. Risks are
generally thought to be associated with taking actions; however, risks can also occur when no action is taken in the form of missed opportunities. There are six types of risks:
Strategic: The risk that business objectives will not be met due to poorly defined business strategies,
poorly communicated strategies, or the institution’s inability to execute these strategies due to
inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by
appropriate organizational governance. Failure to adequately plan and execute against organizational
goals may result in significant damage to the institution’s reputation.
Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely
due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a
large error, or the pressure on management to meet certain expectations.
Operational: The risk that the institution’s operational processes are not achieving the objectives
they were designed for to support the business model. This risk addresses inefficient operations, poor
alignment of processes with objectives and strategies, failure to protect assets, etc.
Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations
and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.
Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use
and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall
importance of technology within the institution and the availability and quality of information the
institution can access to support decision making, and the security of key information.
Human Capital: This risk addresses the type of behaviors encouraged by management; the methods
used to reward employees; the approach to consistently enforce policies and procedures; the selection,
screening, and training of employees; and the reason and frequency of turnover. It also includes the
length, consistency, and nature of business relationships, including the handling of sensitive or
confidential information and the risk that business interruption would seriously impact those
relationships.
Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for
risk ranking procedures. In determining risk within the financial, operational, and IT processes, we
assessed the impact of the process to the organization and the vulnerability that a risk would occur by
evaluating the underlying attributes of the process and by assessing the effectiveness of the control
environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.
[Illustration: Areas of Focus (Financial; Stakeholder; Reputation; Legal / Regulatory; Operations; Control Efficiency & Operating Effectiveness; Speed of Response; Complexity; People; Operational Efficiency; System Capability; Rate of Change) and Definitions (High Risk; Moderate Risk; Low Risk)]
Execute Risk Assessment Approach: We begin by identifying various interview participants, including
key risk owners and conduct interviews, as applicable. Key risks are gathered during this stage and results
are ranked by defined impact and vulnerability criteria.
Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and
vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then
validated and shared with management, as appropriate. By prioritizing and validating risks, Lake Region
State College can align and prioritize its resources to manage and mitigate risks appropriately.
[Illustration labels: Impact; Vulnerability; Measurement Scale]
Project Overview
Objectives and Scope
The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT
processes at Lake Region State College and assess the levels of risk within each of the process areas. In
addition, provide Management with visibility to process areas that contain the highest potential risk as
determined by the risk assessment process.
The scope of the enterprise-wide risk assessment included the following functional areas / processes
within the institution:
Functional Area / Process | Detailed Coverage of Functional Area / Process
Academic Affairs | On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment
Athletics | Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance, player and spectator liability
Campus Safety & Security | Building security, campus police/security
Continuing Education | Non-credit courses, community programs, workforce training, conference management
Emergency Preparedness | Emergency preparedness and response procedures, business continuity, risk management
Environmental Health & Safety | Physical safety and soundness of campus buildings, environmental risks, facilities/classroom
Financial Close & Reporting | Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes
Governance | General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action
Grant Administration | Grant tracking and monitoring, accounting, budgeting, reporting
Human Resources & Payroll | Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention
Information Technology | IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk
Marketing / Communications | Social media, publications, web development, brand and logo, advertising channels
Operations & Auxiliary Services | Bookstore, libraries, food services
Faculty & Staff | Workforce training, competency, professional environment, conflict of interest
Student Affairs | Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services
Student Financial Processing | Student financial aid, tuition, enrollment fees, scholarships, funding, student loan processing
Approach
With the assistance of Lake Region State College management, LarsonAllen identified 22 key process
owners in the significant financial, operational, and IT processes. Key process owners were interviewed
for the purpose of assessing the inherent and specific risks associated with each functional area.
Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).
Risk Assessment Results
Enterprise-Wide Risk Map
The enterprise-wide risk map communicates the risk results at the functional area / process based on the
information obtained during the interviews. The description of the risk map is as follows:
Green – Low Risk
Yellow – Moderate Risk
Red – High Risk
Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations |
Academic Affairs | Low | Students are required to report criminal offenses on their applications based on an “on your honor” approach and there is a risk that students may not report offenses. | No proposed recommendation. | No addi
Academic Affairs | Low | Enrollment will decrease if the Grand Forks Air Force Base were to stop offering courses which has been discussed at previous legislative sessions. | No proposed recommendation. | No addi
Academic Affairs | Low | The number of high school students graduating from North Dakota is declining and competition is high with other North Dakota colleges and universities to attract and retain students. | Continue to identify opportunities on how to reach out to a broader group of potential students. In addition, market studies should be performed on potential major and course offerings to improve enrollment. | No addit
Academic Affairs | Low | Reading and writing skills of students at LRSC are below the national average. | No proposed recommendation. | No addi
Athletics | High | There are only two athletic programs; therefore, the institution appears less appealing for students who would like to be involved in an athletic program, affecting overall enrollment numbers. | Perform a cost/benefit analysis to determine if additional athletic programs should be added to the institution. | Agree. M … two athl … program … enrollme
Athletics | Low | Adequacy of cash handling and monitoring controls around concessions, ticket, and fund raising revenue. | Internal controls should be reviewed to identify potential risks related to existing cash receipts processes. | No addi
Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations |
Campus Safety & Security | Moderate | Policies and procedures are not in place to address safety and security incidents that occur on campus and specific actions to take. | Develop a policy and procedures addressing safety and security on campus, including specific actions to take when an incident occurs. Communicate and train all applicable employees on the procedures. | Instituti … complet … surveill … campus
Campus Safety & Security | Moderate | Appropriate security resources are not in place to perform sufficient ongoing monitoring across campus. | Review the available security resources or time allotted for police force to be on campus and determine if additional resources are needed or if additional security measures should be implemented. | Again c … facilitie
Continuing Education | Moderate | Significant growth and change has occurred in the Train ND program over the last several months. | Assess whether the appropriate number of resources, proper oversight, internal controls, relevant procedures, etc. are in place to support the successful growth of the Train ND program. In addition, consider documenting the long-term strategic plan of the program and create measurable goals to perform against. | Train ND … the need … the N.E. … consulta … work in
Emergency Preparedness | Moderate | The flooding of Devils Lake and the impact for employees to get to work, long-term existence of college, etc. | No proposed recommendation. | Working … continui … to have a … face or t
Emergency Preparedness | Moderate | Lack of communication and training related to emergency response procedures. | Identify additional ways to communicate emergency response procedures and provide training and testing that involves several areas across the institution. | Risk Ma … to addre
Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations |
Governance | Moderate | Lack of communication related to the Record Retention Policy, knowledge around the policy, and specifically where documents should be stored. | Identify additional methods to communicate the Record Retention Policy and the importance of adhering to the policy. | Commi … keeping … provide
Governance | Moderate | Lack of understanding by end users for how NDUS policies are categorized and where they are stored. In addition, policies are not always clearly titled to reflect content. | Work closely with the System office to determine if changes should be made to the storage structure and naming of policies to add clarification. | This is w … availabl
Governance | Low | Devils Lake is a small community and local community members and businesses are continually tapped for fund raising and donation dollars making it difficult to continually increase the amount raised each year. | Continue to identify additional alumni, community members, and business relationship opportunities to perform fundraising activities. In addition, perform a cost/benefit analysis to determine if additional funding should be allocated to identifying and building these relationships. | No addi
Grant Administration | Moderate | A detailed review is not consistently performed for grants expenses. | Develop a procedure that requires all grant expenses to be reviewed on a consistent basis. | Grant ex … coordin
Grant Administration | Moderate | PeopleSoft does not currently have the capability to track and monitor effort reporting, resulting in the inability to produce all information needed for a compliance review. | Team with the System to review the current methods to track and monitor effort reporting to determine if enhancements could be made to the current reporting methods. Alternatively, consider purchasing a grant and effort reporting tool to enhance reporting accuracy and produce information needed internally and for compliance reviews. | Working … to addre … Manage
Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations |
Information Technology | Moderate | The disaster recovery plan is not complete. In addition, the portion that is completed and documented is not up-to-date. | Complete the disaster recovery plan and update portions that are not up-to-date. The disaster recovery plan should include, but is not limited to: Risk exposures; Recovery team responsibilities; First response process and procedures; Functional assessment process; Asset protection; Communications approach; System recovery timeframes; Maintenance and testing; Training | Disaster … reorgan … updated
Information Technology | Moderate | Data back-ups for network files are stored on-site in the data center and taken off-site to someone’s home periodically and stored in a safe. | Identify an off-site storage site to maintain data back-ups for network files. Employees’ homes should not be utilized. | The pre … provide … home" a … be ident
Information Technology | Moderate | Lack of PeopleSoft training, specifically to provide additional education of the overall functionality available in the application and to possibly reduce manual work-arounds. | Consider offering employees the opportunity to attend PeopleSoft training to provide additional education of the overall functionality available in the application and to possibly reduce manual work-arounds. In addition, detailed procedures should be documented by employees who attend the training to reduce knowledge that is lost with turnover in positions. | The “lac … addition … orientat … through … operatio
Information Technology | Low | The data center is located in an office that has windows. | Consider moving the data center to a more secure location or removing the window. | The win … to the ris … not actu … assessm
Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations |
Student Financial Processing | Moderate | Student admission files are not always completed timely and students have been allowed to continue their education at the institution without a complete admissions file, violating financial aid eligibility. | Document a policy and related procedures addressing the admissions process requirements, including documents and information required to complete the admissions file, deadline to complete the file, risks of not completing the file, etc. | These a … addresse … large nu … and lack
Student Financial Processing | Moderate | Ability to stay proactive related to financial aid federal compliance. Changes in legislation are not always known and implemented timely. In addition, interpretation of regulations is difficult. | Develop an action plan with specific measurable goals to continually monitor and stay abreast of financial aid regulations. Discuss regulations with the System Office and other colleges and universities in ND, as needed, to compare interpretations and gain additional confidence that LRSC is in compliance. In addition, consider performing an internal audit to review compliance with regulations. | Internal … perform
Student Financial Processing | Moderate | Policies and procedures addressing financial aid are not updated on an ongoing basis to reflect current practices and changes in regulations. | Review financial aid policies and procedures on an ongoing and consistent basis (i.e. annually) and make changes as deemed necessary. | Federal … behind c … student
Appendix
Impact Criteria
IMPACT CRITERIA | FINANCIAL | STAKEHOLDER | REPUTATION | LEGAL / REGULATORY | OPERATIONS
HIGH | (1) Asset size (2) Prior negative exposure (3) Rapidly increasing transaction volume | (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns | (1) Potential adverse issues are known to external parties, such as media and regulatory bodies | (1) Any Federal/State/Other action (2) External Audit reportable conditions | (1) Current infrastructure cannot support business strategy
MEDIUM | (1) Asset size (2) Major potential cost (3) Transaction volume stable | (1) Management, employees and faculty may be affected by process inefficiencies or control breakdown | (1) Potential adverse issues could impact customers | (1) Issues identified by Federal/State/Other (2) Issues identified by External Audit | (1) Current infrastructure is able to support business strategy with work arounds
LOW | (1) Asset size (2) Minor potential cost (3) Transaction volume stable | (1) No management, employees and faculty are affected by process inefficiencies or control breakdown | (1) Potential adverse issues could impact employees | (1) No issues identified by Federal/State/Other (2) No issues identified by External Audit | (1) Current infrastructure is able to support business strategy
Vulnerability Criteria
VULNERABILITY CRITERIA | CONTROL EFFECTIVENESS AND EFFICIENCY | SPEED OF RESPONSE | COMPLEXITY | PEOPLE | OPERATIONAL EFFICIENCY | SYSTEM CAPABILITY | RATE OF CHANGE
HIGH | Controls are not working or do not exist. | No method for anticipating and assessing specific risk events exists, so issues are not escalated to the appropriate executives effectively. | Manual processes with many data transfer points and owners | A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists. | High/unmeasured cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time. | Systems are not operating as designed or design is flawed; very limited controls | Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months.
MEDIUM | Controls are detective but not preventative and there may or may not be effective reporting. | A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives. | Automated process encompassing multiple systems and owners. | A limited number of staff and/or staff has moderate competency to manage risk event. | Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time. | Systems are operating as designed, but design can be improved; controls are bolted on top of the system. | Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months.
LOW | Controls are appropriately preventive and detective and there is effective reporting. | A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive. | Automated processes with integrated systems. | Most staff has high competency to manage risk events. | Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards. | Systems are designed, implemented, and operating effectively; controls are embedded in the system. | Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.
©2011 LarsonAllen LLP
Mayville State University
Risk Assessment Results
October 14, 2011
Craig W. Popenhagen, CPA
Principal
Enterprise-Wide Risk Assessment | Mayville State University
©2011 LarsonAllen LLP
October 14, 2011
Dr. Gary Hagen
Mayville State University
330 Third Street NE
Main Building 113A
Mayville, ND 58257-1299
Dr. Gary Hagen,
This report provides you, Mayville State University (MaSU) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board’s acceptable risk level.
LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided.
In addition, the procedures performed by LarsonAllen are not a substitution for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide Mayville State University with insight to inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project.
We appreciate the opportunity to assist Mayville State University. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance.
Sincerely,
LarsonAllen LLP
Craig W. Popenhagen, CPA
Principal
612/[email protected]
220 South Sixth Street, Suite 300
Minneapolis, MN 55402-1436
612-376-4500, Fax 612-376-4850
Table of Contents
Executive Summary
  What is Risk Assessment?
  Risk Assessment Methodology
Project Overview
  Objectives and Scope
  Approach
Risk Assessment Results
  Enterprise-Wide Risk Map
  Detailed Results
Appendix
  Impact Criteria
  Vulnerability Criteria
Executive Summary
LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for Mayville State University. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically.
Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical representation of the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Detailed results are also provided communicating the explanation for the risk ranking and recommendations for addressing the risks.
What is Risk Assessment?
Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution whether it is entity or process level.
Entity level is the cornerstone for effective control and its objectives provide guidance on what the entity wants to achieve. It should be consistent with budget, strategy, and business plans.
Process level should align with entity level objectives but differ in that they relate directly to goal setting with specific targets and deadlines. It provides guidance for management focus.
Risk Assessment Methodology
The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for Mayville State University.
Project Overview
Objectives and Scope
The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at Mayville State University and assess the levels of risk within each of the process areas. In addition, provide Management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process.
The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution:
Functional Area / Process | Detailed Coverage of Functional Area / Process
Academic Affairs | On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment
Athletics | Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance
Campus Safety & Security | Building security, campus police/security
Continuing Education | Non-credit courses, community programs, workforce training, conference management
Emergency Preparedness | Emergency preparedness and response procedures, business continuity, risk management
Environmental Health & Safety | Physical safety and soundness of campus buildings, environmental risks, facilities/classroom
Financial Close & Reporting | Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes
Governance | General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action
Grant Administration | Grant tracking and monitoring, accounting, budgeting, reporting, foundation, donor concentrations, foundation investment strategy
Human Resources & Payroll | Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention
Information Technology | IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk
Marketing / Communications | Social media, publications, web development, brand and logo, advertising channels
Operations & Auxiliary Services | Bookstore, libraries, food services
Faculty & Staff | Workforce training, competency, professional environment, conflict of interest
Student Affairs | Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services
Student Financial Processing | Student/financial aid, tuition, enrollment fees, scholarships, funding, student loan processing
Approach
With the assistance of Mayville State University management, LarsonAllen identified 21 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area.
Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).
Risk Assessment Results
Enterprise-Wide Risk Map
The enterprise-wide risk map communicates the risk results at the functional area / process based on the information obtained during the interviews. The description of the risk map is as follows:
Green – Low Risk
Yellow – Moderate Risk
Red – High Risk
The following functional areas / processes are not on the above risk map as there were no risks
identified by stakeholders, per the interview discussions:
Continuing education
Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations |
Human Resources & Payroll | Moderate | An independent Human Resources department is not in place and responsibilities are performed by another department. | Perform a cost/benefit analysis to determine if a Human Resources department should be implemented to segregate responsibilities and provide independence. | A dedicate … efforts acro … institutiona … of a transiti
Human Resources & Payroll | Moderate | There is a lack of appropriate segregation of duties in the Payroll department. | Review the current responsibilities of each person performing payroll responsibilities to determine if changes should be made to allow for additional segregation of duties. | The Busine … options to a … additional s
Human Resources & Payroll | Low | Payroll processes are manual in nature (i.e. nonexempt employee hours and all employees sick and vacation time are manually tracked and entered into PeopleSoft). | Information technology personnel should work in conjunction with Payroll personnel to identify potential automated functions within the existing PeopleSoft system. | The NDUS … efficiency a
Human Resources & Payroll | Low | The benefits election process for new employees and annual renewal process is very manual. Employees manually complete forms and benefit elections for new employees and annual open enrollment changes are manually entered into PERS. | No proposed recommendation as this is managed by the state. | No instituti … state.
Human Resources & Payroll | Low | Overall employee work load is a concern. Most functional areas identified some level of personnel needs. | Human Resources and other senior management should assess current FTE workload by department. Identify areas of concern and suggest departmental changes to better manage existing workload. | We will con … satisfaction … institutiona … of concern … staffing pla
Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations |
Information Technology | Moderate | The server room is located in an old classroom and contains windows in the room. In addition, the server room is not always locked during business hours. | Consider locking the server room at all times, including business hours and moving the server room to a more secure location. | The issues … previously … times. Beca … locate to a d … are secure a … unapproved … information
Information Technology | Moderate | A data back-up policy is in place, but there is no formal disaster recovery plan. | Develop and document a formal disaster recovery plan. This would include, but is not limited to: Risk exposures; Recovery team responsibilities; First response process and procedures; Functional assessment process; Asset protection; Communications approach; System recovery timeframes; Maintenance and testing; Training | Informal di … part of the c … formal disa … developed w … 2011.
Information Technology | Moderate | A mobile device policy is in place; however, appropriate security measures have not been technically enforced to support mobile devices. | Consider technically enforcing security measures on mobile devices to enhance security. | MaSU will … security for
Information Technology | Moderate | Gathering data and information quickly requested by senior leadership, the state, etc. is challenging and time consuming. In addition, there is lack of query writers at the institution. | Identify current reporting in PeopleSoft that are not effective and efficient. In addition, identify additional query writers at MASU that could assist in enhancing reporting. | MaSU does … reporting an … MaSU does … queries and … trained.
Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations |
Student Financial Processing | Moderate | Class schedules are not finalized timely and faculties do not always submit their book/material requests to the bookstore timely, resulting in the bookstore not being able to provide books/materials timely to students, keep costs effective and affordable, and possibly cause the institution to be in violation of the HEOA. | Continue to educate the registration office and faculty about the importance of finalizing class schedules and submitting book and material requests timely. In addition, identify alternative methods of communication and education. | Class sched … to allow ad … deadlines t … is the respo … faculty and … met. A proc … Our campu … Records me … to this issue … to submit in … HEOA & I
Student Financial Processing | Low | Lack of local financial aid policies and procedures. | Develop financial aid policies and procedures at the institutional level. | Most polic … federal regu … documenta … progress po
Appendix
Impact Criteria
IMPACT CRITERIA | FINANCIAL | STAKEHOLDER | REPUTATION | LEGAL / REGULATORY | OPERATIONS
HIGH | (1) Asset size (2) Prior negative exposure (3) Rapidly increasing transaction volume | (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns | (1) Potential adverse issues are known to external parties, such as media and regulatory bodies | (1) Any Federal/State/Other action (2) External Audit reportable conditions | (1) Current infrastructure cannot support business strategy
MEDIUM | (1) Asset size (2) Major potential cost (3) Transaction volume stable | (1) Management, employees and faculty may be affected by process inefficiencies or control breakdown | (1) Potential adverse issues could impact customers | (1) Issues identified by Federal/State/Other (2) Issues identified by External Audit | (1) Current infrastructure is able to support business strategy with work arounds
LOW | (1) Asset size (2) Minor potential cost (3) Transaction volume stable | (1) No management, employees and faculty are affected by process inefficiencies or control breakdown | (1) Potential adverse issues could impact employees | (1) No issues identified by Federal/State/Other (2) No issues identified by External Audit | (1) Current infrastructure is able to support business strategy
Vulnerability CriteriaVULNERABILITY CRITERIA
CONTROL
EFFECTIVENESS
AND EFFICIENCY
SPEED OF
RESPONSECOMPLEXITY PEOPLE
OPERATIONAL
EFFICIENCY
SYSTEM
CAPABILITY
RATE OF
CHANGE
HIGH
Controls are notworking or do notexist.
No method foranticipating andaccessing specific
risk events exists,so issues are notescalated to theappropriateexecutiveseffectively.
Manualprocesses withmany data
transfer pointsand owners.
A limitednumber of staff or
current staff has limitedcompetencyto managerisk events.Inadequatecross-trainingexists.
High/unmeasured cost of operations, many
quality concernsnoted, andunacceptable orunmeasuredcycle/processtime.
Systems are notoperating asdesigned or
design is flawed;very limitedcontrols.
Risk is managedby or directlyimpacts people,
processes,systems, orbusinesses thathaveexperienced aHIGH rate of change over thelast 6 months.
MEDIUM
Controls aredetective but notpreventative andthere may or maynot be effectivereporting.
A method foranticipating andassessing specificrisk events existsbut issues are noteffectivelyescalated to theappropriateexecutives.
Automatedprocessencompassingmultiple systemsand owners.
A limitednumber of staff and/orstaff hasmoderatecompetencyto managerisk event.
Above industryaverage cost of operation, somequality concernsnoted, and belowindustry averagecycle/processtime.
Systems areoperating asdesigned, butdesign can beimproved;controls arebolted on top of the system.
Risk is managedby or directlyimpacts people,processes,systems, orbusinesses thathaveexperienced aMODERATErate of change
over the last 6months.
LOW
Controls areappropriatelypreventive anddetective and thereis effectivereporting.
A method foranticipating andassessing specificrisk events existsand effectivelyescalates issues tothe appropriateexecutive.
Automatedprocesses withintegratedsystems.
Most staff hashighcompetencyto managerisk events.
Low/averagecost of operations, noquality concernsnoted, andcycle/processtimes withinspecifiedstandards.
Systems aredesigned,implemented,and operatingeffectively;controls areembedded in thesystem.
Risk is managedby or directlyimpacts people,processes,systems, orbusinesses thathaveexperienced aLOW rate of change over thelast 6 months.
©2011 LarsonAllen LLP
Minot State University
Risk Assessment Results
October 14, 2011
Craig W. Popenhagen, CPA
Principal
Enterprise-Wide Risk Assessment | Minot State University
October 14, 2011
Dr. David Fuller
Minot State University
500 University Avenue West
Minot, ND 58707
Dr. Fuller,
This report provides you, Minot State University (MiSU) leadership, the Audit Committee, and members
of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An
enterprise-wide risk assessment is the first step in your risk management program of assessing risks,
evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve
the Board’s acceptable risk level.
LarsonAllen did not audit or review any of the information provided, nor have we performed an
examination of internal controls in accordance with standards promulgated by the American Institute of
Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy
of the information that management has provided.
In addition, the procedures performed by LarsonAllen are not a substitution for management’s
responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk
assessment project was designed to provide Minot State University with insight to inherent and specific
risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the
scope of this project.
We appreciate the opportunity to assist Minot State University. Management and staff involved in the
process were a pleasure to work with and very open to sharing their opinions and knowledge. This
cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to
contact us for assistance.
Sincerely,
LarsonAllen LLP
Craig W. Popenhagen, CPA Principal
612/397-3087
220 South Sixth Street, Suite 300
Minneapolis, MN 55402-1436
612-376-4500, Fax 612-376-4850
Table of Contents
Executive Summary
  What is Risk Assessment?
  Risk Assessment Methodology
Project Overview
  Objectives and Scope
  Approach
Risk Assessment Results
  Enterprise-Wide Risk Map
  Detailed Results
Appendix
  Impact Criteria
  Vulnerability Criteria
Executive Summary
LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for Minot State University. This included identifying and ranking the key financial, operational, strategic, and information technology
(IT) processes within the organization based on inherent and specific risks. The overall risk for each
process was based upon the process’s potential impact to the organization and the vulnerability of the risk
occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically.
Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the
significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical
representation of the relative impact and vulnerability of a risk event for each of the key financial,
operational, and IT processes. Detailed results are also provided communicating the explanation for the
risk ranking and recommendations for addressing the risks.
What is Risk Assessment?
Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse
conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution whether it is entity or
process level.
Entity level is the cornerstone for effective control and its objectives provide guidance on what the
entity wants to achieve. It should be consistent with budget, strategy, and business plans.
Process level should align with entity level objectives but differ in that they relate directly to goal
setting with specific targets and deadlines. It provides guidance for management focus.
Risk Assessment Methodology
The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for the Minot State University.
Understand the Client’s Business: We begin by understanding the North Dakota University System’s
(the System) business by gathering the business objectives, goals, and strategies and identify the System’s
various universities and colleges in addition to the key financial, operational, and IT processes within
each university and college. Next, we assess the external and internal risks related to the industry.
Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or
condition that can negatively affect the ability of an institution to achieve its objectives. Risks are
generally thought to be associated with taking actions; however, risks can also occur when no action is taken in the form of missed opportunities. There are six types of risks:
Strategic: The risk that business objectives will not be met due to poorly defined business strategies,
poorly communicated strategies, or the institution’s inability to execute these strategies due to
inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by
appropriate organizational governance. Failure to adequately plan and execute against organizational
goals may result in significant damage to the institution’s reputation.
Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely
due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a
large error, or the pressure on management to meet certain expectations.
Operational: The risk that the institution’s operational processes are not achieving the objectives
they were designed for to support the business model. This risk addresses inefficient operations, poor
alignment of processes with objectives and strategies, failure to protect assets, etc.
Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations
and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.
Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use
and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall
importance of technology within the institution and the availability and quality of information the
institution can access to support decision making, and the security of key information.
Human Capital: This risk addresses the type of behaviors encouraged by management; the methods
used to reward employees; the approach to consistently enforce policies and procedures; the selection,
screening, and training of employees; and the reason and frequency of turnover. It also includes the
length, consistency, and nature of business relationships, including the handling of sensitive or
confidential information and the risk that business interruption would seriously impact those
relationships.
Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for
risk ranking procedures. In determining risk within the financial, operational, and IT processes, we
assessed the impact of the process to the organization and the vulnerability that a risk would occur by
evaluating the underlying attributes of the process and by assessing the effectiveness of the control
environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.
[Illustration: Areas of Focus and Definitions. Impact: Financial, Stakeholder, Reputation, Legal / Regulatory, Operations. Vulnerability: Control Efficiency & Operating Effectiveness, Speed of Response, Complexity, People, Operational Efficiency, System Capability, Rate of Change. Measurement scale: High Risk, Moderate Risk, Low Risk.]
Execute Risk Assessment Approach: We begin by identifying various interview participants, including
key risk owners and conduct interviews, as applicable. Key risks are gathered during this stage and results
are ranked by defined impact and vulnerability criteria.
Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and
vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then
validated and shared with management, as appropriate. By prioritizing and validating risks, Minot State
University can align and prioritize its resources to manage and mitigate risks appropriately.
Project Overview
Objectives and Scope
The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT
processes at Minot State University and assess the levels of risk within each of the process areas. In
addition, provide Management with visibility to process areas that contain the highest potential risk as
determined by the risk assessment process.
The scope of the enterprise-wide risk assessment included the following functional areas / processes
within the institution:
Functional Area / Process: Detailed Coverage of Functional Area / Process
Academic Affairs: On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment
Athletics: Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance, player and spectator liability
Campus Safety & Security: Building security, campus police/security
Continuing Education: Non-credit courses, community programs, workforce training, conference management
Emergency Preparedness: Emergency preparedness and response procedures, business continuity, risk management
Environmental Health & Safety: Physical safety and soundness of campus buildings, environmental risks, facilities/classroom
Financial Close & Reporting: Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes
Governance: General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action
Grant Administration: Grant tracking and monitoring, accounting, budgeting, reporting
Human Resources & Payroll: Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention
Information Technology: IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk
Marketing / Communications: Social media, publications, web development, brand and logo, advertising channels
Operations & Auxiliary Services: Bookstore, libraries, food services
Faculty & Staff: Workforce training, competency, professional environment, conflict of interest
Student Affairs: Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services
Student Financial Processing: Student financial aid, tuition, enrollment fees, scholarships, funding, student loan processing
Approach
With the assistance of Minot State University management, LarsonAllen identified 24 key process owners
in the significant financial, operational, and IT processes. Key process owners were interviewed for the
purpose of assessing the inherent and specific risks associated with each functional area.
Upon completion of the interviews, the inherent and specific risks identified in each process were
prioritized and placed on the enterprise-wide risk map based on the impact of the process to the
organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).
Risk Assessment Results
Enterprise-Wide Risk Map
The enterprise-wide risk map communicates the risk results at the functional area / process based on the
information obtained during the interviews. The description of the risk map is as follows:
Green – Low Risk
Yellow – Moderate Risk
Red – High Risk
The following functional areas / processes are not on the above risk map as there were no risks
identified by stakeholders, per the interview discussions:
Continuing education
Environmental Health & Safety
Functional Area / Process: Information Technology
Risk Ranking: Moderate
Identified Risk: Internally developed software is being utilized where PeopleSoft could potentially be leveraged and manual work-arounds have been created outside of PeopleSoft and other systems.
Proposed Recommendations: A current state assessment should be performed for all functional areas to identify where internally developed software is being utilized and manual work-arounds have been created outside of PeopleSoft to determine if it continues to make good business sense to continue with the current methods.
Because o
consensus
upgrade todepartmen
external sy
for campu
enhance sy
Risk Ranking: Low
Identified Risk: Several buildings need fiber infrastructure upgrades.
Proposed Recommendations: Review the current fiber infrastructure upgrades needed in buildings across campus to determine where there are concerns and prioritize installation based on risk.
N/A
Risk Ranking: Low
Identified Risk: Classes have been cancelled in the library due to recent changes in the wireless.
Proposed Recommendations: Identify the root cause(s) of the roadblocks with the wireless in the library to determine if changes need to be made to limit classes that are cancelled.
N/A
Functional Area / Process: Marketing & Communications
Risk Ranking: Low
Identified Risk: Additional communication and marketing should be implemented to promote the primary programs offered by the institution. In addition, there are concerns that the community is not aware of the primary programs offered by MiSU.
Proposed Recommendations: Review the current methods to communicate and market the primary programs at MiSU and determine if changes need to be made to the current methods, if additional communication and marketing should be implemented, etc.
N/A
Risk Ranking: Low
Identified Risk: Staying abreast on new and current marketing trends to reach students.
Proposed Recommendations: Continue to identify additional ways to stay abreast with new and current marketing trends to reach students.
N/A
Functional Area / Process: Operations & Auxiliary Services
Risk Ranking: Moderate
Identified Risk: Purchasing processes for the library are inefficient with no use of purchase orders to receive against, p-cards are not utilized, and there is no automated workflow.
Proposed Recommendations: Perform an internal audit of the purchasing processes at the library to identify efficiencies that could be gained to reduce time and cost in these processes. In addition, determine if additional technology could be utilized to gain efficiencies.
PeopleSof
purchase o
to use p-ca
implemenon statewi
Functional Area / Process: Faculty & Staff
Risk Ranking: Moderate
Identified Risk: There is only one person in the Human Resources group to perform all responsibilities; therefore, there is no cross training or human resource personnel to perform back up responsibilities when this individual is out.
Proposed Recommendations: Identify a resource to cross train and perform back-up responsibilities when the Human Resources Director is out of the office.
MiSU has
to provide
departmen
Risk Ranking: Moderate
Identified Risk: Lack of succession planning and cross training for most positions within the institution.
Proposed Recommendations: Functional areas should evaluate where it is most critical to implement succession plans and cross train employees. Develop an action plan to implement and cross train where necessary.
Cross train
departmen
are encourNew flexib
presidents
initiatives
Risk Ranking: Low
Identified Risk: Overall employee work load is a concern. Most functional areas identified some level of personnel needs. In addition, there are concerns how resources are being utilized across the institution, what functional areas are significantly lacking resources, and what resources could be realigned to even workloads.
Proposed Recommendations: Perform an assessment to determine how resources are being utilized across all functional areas, tracking of hours worked, efficiencies that could be gained, etc.
N/A
Functional Area / Process: Student Financial Processing
Risk Ranking: Low
Identified Risk: The MiSU local manual for financial aid needs to be updated to reflect current practices and changes to regulations.
Proposed Recommendations: Review the local manual for financial aid to determine where changes should be made to reflect existing practices and changes to regulations. In addition, perform a review of the manual on an ongoing basis.
N/A
Risk Ranking: Low
Identified Risk: Scholarships are too narrow and specific and do not reach a broad group of students.
Proposed Recommendations: Review eligibility for scholarships and determine if the criteria are too narrow or specific and determine if scholarships should reach a broader group of students.
N/A
Risk Ranking: Low
Identified Risk: Keeping tuition and room and board costs effective and affordable for students. In addition, off campus living costs are continually increasing due to oil fields, resulting in limited residence hall space on campus.
Proposed Recommendations: Continue to perform appropriate research and benchmarking to ensure MiSU tuition and room and board prices are competitive and in line with other colleges and universities.
N/A
Risk Ranking: Low
Identified Risk: Reputation risk, specifically the measures taken towards students who have not paid their tuition or who make late payments on tuition.
Proposed Recommendations: Review procedures to follow-up with students who have not paid their tuition to determine if changes should be made. In addition, evaluate the attitudes of staff towards students when following up.
N/A
Appendix
Impact Criteria

HIGH
Financial: (1) Asset size (2) Prior negative exposure (3) Rapidly increasing transaction volume
Stakeholder: (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns
Reputation: (1) Potential adverse issues are known to external parties, such as media and regulatory bodies
Legal / Regulatory: (1) Any Federal/State/Other action (2) External Audit reportable conditions
Operations: (1) Current infrastructure cannot support business strategy

MEDIUM
Financial: (1) Asset size (2) Major potential cost (3) Transaction volume stable
Stakeholder: (1) Management, employees and faculty may be affected by process inefficiencies or control breakdown
Reputation: (1) Potential adverse issues could impact customers
Legal / Regulatory: (1) Issues identified by Federal/State/Other (2) Issues identified by External Audit
Operations: (1) Current infrastructure is able to support business strategy with work-arounds

LOW
Financial: (1) Asset size (2) Minor potential cost (3) Transaction volume stable
Stakeholder: (1) No management, employees and faculty are affected by process inefficiencies or control breakdown
Reputation: (1) Potential adverse issues could impact employees
Legal / Regulatory: (1) No issues identified by Federal/State/Other (2) No issues identified by External Audit
Operations: (1) Current infrastructure is able to support business strategy

Vulnerability Criteria

HIGH
Control Effectiveness and Efficiency: Controls are not working or do not exist.
Speed of Response: No method for anticipating and assessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.
Complexity: Manual processes with many data transfer points and owners.
People: A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists.
Operational Efficiency: High/unmeasured cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.
System Capability: Systems are not operating as designed or design is flawed; very limited controls.
Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months.

MEDIUM
Control Effectiveness and Efficiency: Controls are detective but not preventative and there may or may not be effective reporting.
Speed of Response: A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.
Complexity: Automated process encompassing multiple systems and owners.
People: A limited number of staff and/or staff has moderate competency to manage risk event.
Operational Efficiency: Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.
System Capability: Systems are operating as designed, but design can be improved; controls are bolted on top of the system.
Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months.

LOW
Control Effectiveness and Efficiency: Controls are appropriately preventive and detective and there is effective reporting.
Speed of Response: A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.
Complexity: Automated processes with integrated systems.
People: Most staff has high competency to manage risk events.
Operational Efficiency: Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.
System Capability: Systems are designed, implemented, and operating effectively; controls are embedded in the system.
Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.
©2011 LarsonAllen LLP
North Dakota State College of Science
Risk Assessment Results
October 14, 2011
Craig W. Popenhagen, CPA
Principal
Enterprise-Wide Risk Assessment | North Dakota State College of Science
October 14, 2011
Dr. John Richman
North Dakota State College of Science
800 Sixth Street North
Wahpeton, North Dakota 58076-0002
Dr. Richman,
This report provides you, North Dakota State College of Science (NDSCS) leadership, the Audit
Committee, and members of the Board with the results of the risk assessment and a means to prioritize
risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management
program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and
implementation of strategies to achieve the Board’s acceptable risk level.
LarsonAllen did not audit or review any of the information provided, nor have we performed an
examination of internal controls in accordance with standards promulgated by the American Institute of
Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy
of the information that management has provided.
In addition, the procedures performed by LarsonAllen are not a substitution for management’s
responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk
assessment project was designed to provide North Dakota State College of Science with insight to
inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and
irregularities related to the scope of this project.
We appreciate the opportunity to assist North Dakota State College of Science. Management and staff
involved in the process were a pleasure to work with and very open to sharing their opinions and
knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions,
please feel free to contact us for assistance.
Sincerely,
LarsonAllen LLP
Craig W. Popenhagen, CPA Principal
612/397-3087
220 South Sixth Street, Suite 300
Minneapolis, MN 55402-1436
612-376-4500, Fax 612-376-4850
Table of Contents
Executive Summary
  What is Risk Assessment?
  Risk Assessment Methodology
Project Overview
  Objectives and Scope
  Approach
Risk Assessment Results
  Enterprise-Wide Risk Map
  Detailed Results
Appendix
  Impact Criteria
  Vulnerability Criteria
Understand the Client’s Business: We begin by understanding the North Dakota University System’s
(the System) business by gathering the business objectives, goals, and strategies and identify the System’s
various universities and colleges in addition to the key financial, operational, and IT processes within
each university and college. Next, we assess the external and internal risks related to the industry.
Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or
condition that can negatively affect the ability of an institution to achieve its objectives. Risks are
generally thought to be associated with taking actions; however, risks can also occur when no action is taken in the form of missed opportunities. There are six types of risks:
Strategic: The risk that business objectives will not be met due to poorly defined business strategies,
poorly communicated strategies, or the institution’s inability to execute these strategies due to
inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by
appropriate organizational governance. Failure to adequately plan and execute against organizational
goals may result in significant damage to the institution’s reputation.
Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely
due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a
large error, or the pressure on management to meet certain expectations.
Operational: The risk that the institution’s operational processes are not achieving the objectives
they were designed for to support the business model. This risk addresses inefficient operations, poor
alignment of processes with objectives and strategies, failure to protect assets, etc.
Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations
and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.
Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use
and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall
importance of technology within the institution and the availability and quality of information the
institution can access to support decision making, and the security of key information.
Human Capital: This risk addresses the type of behaviors encouraged by management; the methods
used to reward employees; the approach to consistently enforce policies and procedures; the selection,
screening, and training of employees; and the reason and frequency of turnover. It also includes the
length, consistency, and nature of business relationships, including the handling of sensitive or
confidential information and the risk that business interruption would seriously impact those
relationships.
Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for
risk ranking procedures. In determining risk within the financial, operational, and IT processes, we
assessed the impact of the process to the organization and the vulnerability that a risk would occur by
evaluating the underlying attributes of the process and by assessing the effectiveness of the control
environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.
[Figure: Areas of Focus Definitions. Impact areas: Financial, Stakeholder, Reputation, Legal / Regulatory, Operations. Vulnerability areas: Control Efficiency & Operating Effectiveness, Speed of Response, Complexity, People, Operational Efficiency, System Capability, Rate of Change. Measurement scale: High Risk, Moderate Risk, Low Risk.]
Execute Risk Assessment Approach: We begin by identifying various interview participants, including
key risk owners and conduct interviews, as applicable. Key risks are gathered during this stage and results
are ranked by defined impact and vulnerability criteria.
Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and
vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then
validated and shared with management, as appropriate. By prioritizing and validating risks, North Dakota
State College of Science can align and prioritize its resources to manage and mitigate risks appropriately.
Project Overview
Objectives and Scope
The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT
processes at North Dakota State College of Science and assess the levels of risk within each of the process
areas. In addition, provide Management with visibility to process areas that contain the highest potential
risk as determined by the risk assessment process.
The scope of the enterprise-wide risk assessment included the following functional areas / processes
within the institution:
Functional Area / Process: Detailed Coverage of Functional Area / Process
Academic Affairs: On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment
Athletics: Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance, player and spectator liability
Campus Safety & Security: Building security, campus police/security
Continuing Education: Non-credit courses, community programs, workforce training, conference management
Emergency Preparedness: Emergency preparedness and response procedures, business continuity, risk management
Environmental Health & Safety: Physical safety and soundness of campus buildings, environmental risks, facilities/classroom
Financial Close & Reporting: Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes
Governance: General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action
Grant Administration: Grant tracking and monitoring, accounting, budgeting, reporting
Human Resources & Payroll: Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention
Information Technology: IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk
Marketing / Communications: Social media, publications, web development, brand and logo, advertising channels
Operations & Auxiliary Services: Bookstore, libraries, food services
Faculty & Staff: Workforce training, competency, professional environment, conflict of interest
Student Affairs: Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services
Student Financial Processing: Student financial aid, tuition, enrollment fees, scholarships, funding, student loan processing
Approach
With the assistance of North Dakota State College of Science management, LarsonAllen identified 16 key
process owners in the significant financial, operational, and IT processes. Key process owners were
interviewed for the purpose of assessing the inherent and specific risks associated with each functional area.
Upon completion of the interviews, the inherent and specific risks identified in each process were
prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the
definitions of impact and vulnerability criteria).
Risk Assessment Results
Enterprise-Wide Risk Map
The enterprise-wide risk map communicates the risk results at the functional area / process based on the
information obtained during the interviews. The description of the risk map is as follows:
Green – Low Risk
Yellow – Moderate Risk
Red – High Risk
The following functional areas / processes are not on the above risk map as there were no risks
identified by stakeholders, per the interview discussions:
Continuing education
Marketing / communications
Student affairs
Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations
Functional Area / Process: Academic Affairs
Risk Ranking: Low
Added re
Instructio
provide iinnovativ
techniqu
eCompan
Technolo
examples
Functional Area / Process: Athletics
Risk Ranking: Low
Identified Risk: Adequacy of cash and inventory handling, specifically monitoring controls around concessions and ticket revenue.
Proposed Recommendations: Internal controls should be reviewed to identify potential risks related to existing cash receipts and tracking of inventory processes.
An intern
and impl
Functional Area / Process: Campus Safety & Security
Risk Ranking: Low
Identified Risk: Lack of security at weekend events.
Proposed Recommendations: Perform a cost/benefit analysis to determine if additional security resources should be allocated to weekend events on campus.
The NDS
security tduring ho
are sched
shift cove
athletic e
schedule
occasion
In Day an
volume o
campus w
of provid
Functional Area / Process: Emergency Preparedness
Risk Ranking: Moderate
Identified Risk: Lack of communication and training related to emergency response procedures, including staff, faculty, students, and student workers.
Proposed Recommendations: Identify additional ways to communicate emergency response procedures and provide training and testing that involves several areas across the institution.
Emergen
the emer
emergenare poste
employe
conducte
buildings
Functional Area / Process: Environmental Health & Safety
Risk Ranking: Low
Identified Risk: There are air quality, ventilation, and mold issues in the Old Main building. In addition, the football locker rooms have mold and are unusable.
Proposed Recommendations: Continue to prioritize capital projects, renovations, and maintenance needs across campus to determine which facilities are a priority in the next fiscal year’s budget.
The lockOld Main
biennium
Functional Area / Process: Environmental Health & Safety
Risk Ranking: Low
Identified Risk: Lack of classroom space at the Fargo location. Credit programs courses are utilizing space at the Fargo location and the Fargo location was initially built for workforce training only.
Proposed Recommendations: Continue to prioritize capital project needs across campus to determine if additional classroom space should be a priority in the next fiscal year’s budget.
An analy
projected
office spboth acad
evaluated
Beginnin
being inc
institutio
NDSCS-
annual ba
Wahpeto
Adequate
NDSCS-
upgradinOld Main
continge
accommo
Main ren
demolitio
Functional Area / Process: Operations & Auxiliary Services
Risk Ranking: Low
Identified Risk: Food costs continue to increase within the Dining Services function and there are concerns about maintaining sufficient profit levels.
Proposed Recommendations: Continue to review food costs and identify methods to keep costs down. In addition, evaluate current sale prices to determine if prices continue to be appropriate.
The Food
Dining S
levels: 20
2009: 33to studen
5%, 2009
concerne
beverage
are confimethods
managed
priority t
provide hprices to
Functional Area / Process: Faculty & Staff
Risk Ranking: Moderate
Identified Risk: Several manager and supervisor positions are filled with resources that have not previously been in a manager or supervisory role.
Proposed Recommendations: Consider offering training for new managers or supervisors (existing managers as needed) that addresses leadership, discipline, adherence to policies, appropriate behavior, etc.
A new L
been impaddress t
Functional Area / Process: Faculty & Staff
Risk Ranking: Moderate
Identified Risk: Recruitment and retention of faculty is a concern, specifically as it relates to the compensation offered for these positions.
Proposed Recommendations: Continue to benchmark wages with other North Dakota colleges and universities.
Salary su
benchma
Appendix
Impact Criteria
HIGH
  FINANCIAL: (1) Asset size; (2) Prior negative exposure; (3) Rapidly increasing transaction volume
  STAKEHOLDER: (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns
  REPUTATION: (1) Potential adverse issues are known to external parties, such as media and regulatory bodies
  LEGAL / REGULATORY: (1) Any Federal/State/Other action; (2) External Audit reportable conditions
  OPERATIONS: (1) Current infrastructure cannot support business strategy
MEDIUM
  FINANCIAL: (1) Asset size; (2) Major potential cost; (3) Transaction volume stable
  STAKEHOLDER: (1) Management, employees and faculty may be affected by process inefficiencies or control breakdown
  REPUTATION: (1) Potential adverse issues could impact customers
  LEGAL / REGULATORY: (1) Issues identified by Federal/State/Other; (2) Issues identified by External Audit
  OPERATIONS: (1) Current infrastructure is able to support business strategy with work arounds
LOW
  FINANCIAL: (1) Asset size; (2) Minor potential cost; (3) Transaction volume stable
  STAKEHOLDER: (1) No management, employees and faculty are affected by process inefficiencies or control breakdown
  REPUTATION: (1) Potential adverse issues could impact employees
  LEGAL / REGULATORY: (1) No issues identified by Federal/State/Other; (2) No issues identified by External Audit
  OPERATIONS: (1) Current infrastructure is able to support business strategy
Vulnerability Criteria
HIGH
  CONTROL EFFECTIVENESS AND EFFICIENCY: Controls are not working or do not exist.
  SPEED OF RESPONSE: No method for anticipating and assessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.
  COMPLEXITY: Manual processes with many data transfer points and owners.
  PEOPLE: A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists.
  OPERATIONAL EFFICIENCY: High/unmeasured cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.
  SYSTEM CAPABILITY: Systems are not operating as designed or design is flawed; very limited controls.
  RATE OF CHANGE: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months.
MEDIUM
  CONTROL EFFECTIVENESS AND EFFICIENCY: Controls are detective but not preventative and there may or may not be effective reporting.
  SPEED OF RESPONSE: A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.
  COMPLEXITY: Automated process encompassing multiple systems and owners.
  PEOPLE: A limited number of staff and/or staff has moderate competency to manage risk event.
  OPERATIONAL EFFICIENCY: Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.
  SYSTEM CAPABILITY: Systems are operating as designed, but design can be improved; controls are bolted on top of the system.
  RATE OF CHANGE: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months.
LOW
  CONTROL EFFECTIVENESS AND EFFICIENCY: Controls are appropriately preventive and detective and there is effective reporting.
  SPEED OF RESPONSE: A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.
  COMPLEXITY: Automated processes with integrated systems.
  PEOPLE: Most staff has high competency to manage risk events.
  OPERATIONAL EFFICIENCY: Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.
  SYSTEM CAPABILITY: Systems are designed, implemented, and operating effectively; controls are embedded in the system.
  RATE OF CHANGE: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.
©2011 LarsonAllen LLP
North Dakota State University
Risk Assessment Results
October 14, 2011
Craig W. Popenhagen, CPA
Principal
Enterprise-Wide Risk Assessment | North Dakota State University
©2011 LarsonAllen LLP
October 14, 2011
Dr. Dean Bresciani
North Dakota State University
1340 Administration Ave.
Fargo, ND 58102
Dr. Bresciani,
This report provides you, North Dakota State University (NDSU) leadership, the Audit Committee, and members of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board’s acceptable risk level.
LarsonAllen did not audit or review any of the information provided, nor have we performed an examination of internal controls in accordance with standards promulgated by the American Institute of Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy of the information that management has provided.
In addition, the procedures performed by LarsonAllen are not a substitution for management’s responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk assessment project was designed to provide North Dakota State University with insight to inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational activity may be identified, our procedures alone cannot identify errors and irregularities related to the scope of this project.
We appreciate the opportunity to assist North Dakota State University. Management and staff involved in the process were a pleasure to work with and very open to sharing their opinions and knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to contact us for assistance.
Sincerely,
LarsonAllen LLP
Craig W. Popenhagen, CPA
Principal
612/[email protected]
220 South Sixth Street, Suite 300
Minneapolis, MN 55402-1436
612-376-4500, Fax 612-376-4850
Table of Contents
Executive Summary
  What is Risk Assessment?
  Risk Assessment Methodology
Project Overview
  Objectives and Scope
  Approach
Risk Assessment Results
  Enterprise-Wide Risk Map
  Detailed Results
Appendix
  Impact Criteria
  Vulnerability Criteria
Executive Summary
LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for North Dakota State University. This included identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically.
Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical representation of the relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Detailed results are also provided communicating the explanation for the risk ranking and recommendations for addressing the risks.
What is Risk Assessment?
Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution whether it is entity or process level.
Entity level is the cornerstone for effective control and its objectives provide guidance on what the entity wants to achieve. It should be consistent with budget, strategy, and business plans.
Process level should align with entity level objectives but differ in that they relate directly to goal setting with specific targets and deadlines. It provides guidance for management focus.
Risk Assessment Methodology
The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for the North Dakota State University.
Understand the Client’s Business: We begin by understanding the North Dakota University System’s (the System) business by gathering the business objectives, goals, and strategies and identifying the System’s various universities and colleges, in addition to the key financial, operational, and IT processes within each university and college. Next, we assess the external and internal risks related to the industry.
Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or condition that can negatively affect the ability of an institution to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken in the form of missed opportunities. There are six types of risks:
Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the institution’s inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by appropriate organizational governance. Failure to adequately plan and execute against organizational goals may result in significant damage to the institution’s reputation.
Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.
Operational: The risk that the institution’s operational processes are not achieving the objectives they were designed for to support the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.
Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.
Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall importance of technology within the institution and the availability and quality of information the institution can access to support decision making, and the security of key information.
Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason and frequency of turnover. It also includes the length, consistency, and nature of business relationships, including the handling of sensitive or confidential information and the risk that business interruption would seriously impact those relationships.
Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for risk ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed the impact of the process to the organization and the vulnerability that a risk would occur by evaluating the underlying attributes of the process and by assessing the effectiveness of the control environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.
[Figure: Areas of Focus Definitions. Impact areas: Financial, Stakeholder, Reputation, Legal / Regulatory, Operations. Vulnerability areas: Control Efficiency & Operating Effectiveness, Speed of Response, Complexity, People, Operational Efficiency, System Capability, Rate of Change. Measurement scale: High Risk, Moderate Risk, Low Risk.]
Execute Risk Assessment Approach: We begin by identifying various interview participants, including key risk owners and conduct interviews, as applicable. Key risks are gathered during this stage and results are ranked by defined impact and vulnerability criteria.
Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then validated and shared with management, as appropriate. By prioritizing and validating risks, North Dakota State University can align and prioritize its resources to manage and mitigate risks appropriately.
Project Overview
Objectives and Scope
The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT processes at North Dakota State University and assess the levels of risk within each of the process areas. In addition, provide Management with visibility to process areas that contain the highest potential risk as determined by the risk assessment process.
The scope of the enterprise-wide risk assessment included the following functional areas / processes within the institution:
Functional Area / Process: Detailed Coverage of Functional Area / Process
Academic Affairs: On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment
Athletics: Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance, player and spectator liability
Campus Safety & Security: Building security, campus police/security
Continuing Education: Non-credit courses, community programs, workforce training, conference management
Emergency Preparedness: Emergency preparedness and response procedures, business continuity, risk management
Environmental Health & Safety: Physical safety and soundness of campus buildings, environmental risks, facilities/classroom
Financial Close & Reporting: Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes
Governance: General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action
Grant Administration: Grant tracking and monitoring, accounting, budgeting, reporting
Human Resources & Payroll: Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention
Information Technology: IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk
Marketing / Communications: Social media, publications, web development, brand and logo, advertising channels
Operations & Auxiliary Services: Bookstore, libraries, food services
Faculty & Staff: Workforce training, competency, professional environment, conflict of interest
Student Affairs: Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services
Student Financial Processing: Student financial aid, tuition, enrollment fees, scholarships, funding, student loan processing
Approach
With the assistance of North Dakota State University management, LarsonAllen identified 24 key process owners in the significant financial, operational, and IT processes. Key process owners were interviewed for the purpose of assessing the inherent and specific risks associated with each functional area.
Upon completion of the interviews, the inherent and specific risks identified in each process were prioritized and placed on the enterprise-wide risk map based on the impact of the process to the organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).
Risk Assessment Results
Enterprise-Wide Risk Map
The enterprise-wide risk map communicates the risk results at the functional area / process based on the information obtained during the interviews. The description of the risk map is as follows:
Green – Low Risk
Yellow – Moderate Risk
Red – High Risk
The following functional areas / processes are not on the above risk map as there were no risks
identified by stakeholders, per the interview discussions:
Continuing education
Student affairs
Detailed Results
Per discussions with process owners, LarsonAllen identified several processes where specific risks may exist. These risks ideisk ranking of each key financial, operational, and IT processes. The risks identified were based upon discussions with proesting of controls. The following is a list of the risks identified by LarsonAllen, in addition to the risk ranking and recommend
Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations
Functional Area / Process: Academic Affairs
Risk Ranking: High
Identified Risk: The institution is in need of a significant number of faculty positions and is also significantly underfunded when reviewing the total student population to current funding.
Proposed Recommendations: Review current faculty positions and compare to growth strategies to ascertain whether they are in alignment.
Due to sNDSU’1:16 hasratio NDadjunct students
Functional Area / Process: Academic Affairs
Risk Ranking: Moderate
Identified Risk: Meeting federal requirements for distance learning, specifically, procedures to follow for state level requirements when NDSU offers distance learning in other states, permissions needed, evidence and documentation to maintain, licensing fees, etc. In addition, determining if it is cost beneficial to offer distance learning in various states.
Proposed Recommendations: Develop policies and procedures specific to offering distance learning in other states to ensure federal requirements are being met and to determine if it makes good business sense to offer distance learning in various states based on student interest and fees.
This hasDept. ofNDUS,
solutionthe USDimplemdevelopsolution
Athletics
Low Athletic events have students consuming alcoholic beverages or who consumed alcoholic beverages prior to arriving at the event and this continues to be a liability.
Continue to assess policies, procedures, safety, and security on an ongoing basis, specific to athletic events, to determine if appropriate measures are in place and actions taken.
Given thalcohol
sensitivsecuritycurrent Alcoholbelievesevents ikeenly aworks wthe Offifacilitiesharing regardinstaffs fr
review isite, admDirectorclose coabout anof alcohadminiscompetiresponsand secu
Environmental Health & Safety
High The IACC building’s environmental temperature control system is unable to support the needs of the information technology equipment it houses.
The current environmental temperature control system should be enhanced or replaced to support the information technology equipment.
The HVdone by
list of neContracAugust will be iissues insome isadded toproject l
High The demand to expand facilities, stay current with maintenance, etc. is not keeping up with the growth of the university. In addition, there are concerns related to building safety and soundness; there are possible code violations. As code changes evolve, several buildings were “grandfathered” in and proper assessments have not continued to take place.
Continue to prioritize capital projects, renovations, and maintenance needs across campus to determine buildings that are priority in the next fiscal year’s budget and assess whether the institution is in violation of code.
NDSU hupdatedFacilitiedocume
activitieSBHE ghealth afollowemaintenfinanciarepairs. have a fbuildingconcerntop of th
NDSU’
extraordover $25mainten
Environmental Health & Safety
Low The structure of the Facilities function, including reporting lines, roles and responsibilities, etc. are inconsistent and certain responsibilities fall within duplicate departmental divisions within the Facilities function. In addition, there is no cross training between departmental divisions.
Consider developing formal job descriptions for all personnel within the Facilities function to determine if the roles and responsibilities fall under the appropriate departmental division or if changes should be made. Determine where there may be duplication of responsibilities across divisions. In addition, consider the benefits gained from cross training within and across departmental divisions.
NDSU Fof a re-o
job desc
trainingwill be rand crosassignedcurrentlpositionFacilitieprocess referenc
Financial Close & Reporting
High The institution has $12M in underfunded projects.
Continue to review and update the strategic plan to assess underfunded projects and prioritize needs appropriately.
The diviwill worleadersh
appropridevelopcommitmUniversiwith exp
NDSU callocatiocontinuieffectivereallocathe abilistrategic
Governance
High Concerns related to the legislative session and the funding available to NDSU as a result of the session. In addition, the university is significantly underfunded when compared to its peers and there are concerns whether the funding is being disbursed appropriately throughout all the colleges and universities in North Dakota.
NDSU and NDUS should continue to work with the legislators to determine if funding is appropriate for NDSU.
Agree.
Governance
Moderate New System level policies and changes to existing policies communicated to NDSU are not always further communicated to the appropriate personnel at the institution. In addition, policies are not always interpreted appropriately.
Develop procedures institution-wide to ensure all new System level policies and changes to existing System level policies are communicated to applicable parties at the institution. In addition, identify policies where interpretation is difficult and continue to reach out to other campuses or the System office for further clarification.
NDSU dwhen ch
policiesthroughand forwfor inpurevieweand the the onlipolicies“It’s HafinalizePolicy C
In addit
CoordinFall 201to:a. Encouthoroughstimulatpolicy pb. CoordappropriFaculty c. Send pappropri
approvad. ServeFacultyand Stud
Governance
Moderate Campuses are allowed “flexibility” under the flexibility with accountability expectations of SB 2003 passed by the 2001 Legislative Assembly; however, NDSU and the System office are not always in agreement with the definition of flexibility and what processes and changes should be driven by the System office vs. NDSU.
Team with the System office and other campuses to define “flexibility”, discuss concerns, and enhance communication. In addition, team with the information technology group to determine if PeopleSoft can report data in multiple ways to allow for the System and NDSU to have the data reported in the format they need (i.e. institutional vs. cumulative GPA).
NDSU wOffice.
Moderate The Director of Internal Audit reports directly to the President (i.e. President provides performance evaluations, wage adjustments, etc.) resulting in potential independence issues.
Per the Institute of Internal Auditors (IIA), PA 1110-1: Organizational Independence, consider changing the functional reporting structure for the Director of Internal Audit to the Board or Audit Committee with a dotted line (administratively reporting) to the President.
Stronglytitle is inis considNDSU athe Pres
interest businesthat “exaudit coPresiden
Governance
Moderate Manstud
Conacceaccedutineedlongchan
Conneedlaw
Studentcompliaall new additionconsulteand inte
The GencompliaportionsResearchHR, Gra
The Inte
compliaareas of
Governance
Moderate A formal risk assessment is not performed to identify specific risks and to assist in the development of the internal audit plan.
Consider leveraging the enterprise-wide risk assessment performed by LarsonAllen in the development of future internal audit plans. In addition, continue to assess and rank risks on an ongoing basis with a full risk assessment being performed regularly.
NDSU uassessm
actions the annuwas hiredesigninplanninLarson Aaddress structurand repeutilize o
Moderate Processes to prioritize and make changes within PeopleSoft are governed by Connect ND. Prioritization and decision making is not clearly defined and does not always involve NDSU when the institution feels it is necessary. NDSU staff and faculty are users of PeopleSoft and are significantly affected by changes.
Team with the System office and Connect ND to determine if current policies and procedures to prioritize and make changes to PeopleSoft should be more clearly defined and if involvement of the institutions is appropriate.
Additionresearch
the veryfrom theCurrent “democruniversisystem.
Governance
Low Concerns related to intellectual property, such as research, export controls, etc. and if appropriate procedures are in place to reduce and address such risk.
Continue to communicate relevant policies and procedures related to intellectual property to appropriate personnel. In addition, continue to review such documents to validate risks are continually discussed and addressed.
NDSU h(IP) pol
SBHE PproceduNDSU phttp://wpolicy aFY 200StandinConsultapprove2010 theForce copersonnTask Fo
to finalibe forwResearcTransfecampusvarious The Teca resourundersta
Based orisk issu
were idcharge to the ureview regardinrelating
Chance"appropdesigne
innovatindividupromotfor the pand statGenerathat thegovernidiscovecourt opforce mimpact
task forlanguagemployinventioa samplused/in
Further,providesnotice oManageto read t
and signsignifyinAnnual Nand to co
Governance
Low discuss. Policy 1Informa
providesemployeand info
Grant Administration
High Congress is discussing making cuts related to earmarked dollars critical to research.
No proposed recommendation. The earzeroed oCongresearmarkVice PreActivitiplacing identifymitigate
Moderate Concerns related to the visibility and actions taken for excess funds that exceed the grant term, specifically expenses being applied to grants that have expired if there are still dollars left and carryover approvals from the grantor and communication related to carryovers.
Perform additional centralized review and oversight of the grant process to determine the volume of excess funds and if appropriate internal controls are in place to carryover the funds or return funds to the grantor. In addition, review the expiration of grants and when expenses were applied to determine if there were expenses applied to grants that expired without approval of continued use.
NDSU wthe overthe PI’s
Grants &Researcgrant tra
Human Resources & Payroll
Low Payroll processes are very manual (i.e. leave forms are used to approve sick and vacation time, manual time cards are utilized in several instances, etc.). In addition, PeopleSoft is manually updated in all instances.
Payroll should work with the Information Technology group to determine if there are additional processes that could be automated in PeopleSoft, automated workflow tools that exist and/or could be utilized, and perform a cost/benefit analysis to determine if additional software should be purchased (if needed) to automate manual processes.
Connectreviewin
managerPeopleSNDSU’sthat com
In additiPeopleAbenefittesubmitte
PeopleSimplemecan mak
and direcompletand are e
Low The benefits election process for new employees and annual renewal process is very manual. Employees manually complete forms and benefit elections if they are a new employee and for the annual open enrollment process. Changes are manually entered into PERS with duplicate entry into PeopleSoft.
No proposed recommendation as this is managed by the state.
NDPERonline emfuture. W
Information Technology
High There are many shadow systems that are being utilized outside of PeopleSoft and across various functional areas. In addition, there is not an inventory maintained of all the shadow systems to identify what they are used for, who manages them, etc.
Identify a resource(s) to inventory all shadow systems maintained outside of PeopleSoft and gather additional information such as what department is using the system, the purpose for using it, who manages the system, if PeopleSoft offers the functionality the shadow system is being used for, etc. Determine if shadow systems can be eliminated and processes performed in PeopleSoft.
PeopleSInforma
the DataSignificneed to
NDSU’all, shadinventor
A determcould suneed to Divisionsupport
High Electrical capacity in the technology building is inadequate. There are also concerns related to other buildings around campus. In addition, there have been instances where back-up generators have failed.
Review the current power methods and capability in all buildings across campus to determine where there are concerns and prioritize the risks and the need for replacements.
In orderAg ComengineeHVAC of $4M.prioritizaddresse
Information Technology
Low There are several documents that address disaster recovery; however, they are not consolidated into one document. In addition, the specific flood preparations document for 2009-2011 is incomplete.
Consider consolidating all Plans into one document and review document(s) on an ongoing basis to ensure they are completed.
(A) Disfunction
and docReady Callow Uquickly preparaand doc(B) In 2firm to icenter inremedy that it wIACC o(C) Thr
submittplan. Th($4.7M)and Em($5.2M)(D) Adddisasterthe creanotificanotificavoice brEmerge
GovernmTelecomWirelesensure e(E) RedfacilitieNDSCS
Faculty & Staff
Moderate Lack of cross training for most positions within the institution.
Functional areas should evaluate where it is most critical to cross train employees. Develop an action plan to cross train where necessary.
Where ntrain em
Moderate The economy has had an impact on the ability to attract faculty and staff for open positions. People are not able to sell their homes and move to the area; therefore, positions cannot be accepted.
No proposed recommendation.
Low There has been a high turnover rate in key leadership positions in the last several years and there may continue to be more in the future.
No proposed recommendation. Turnoveanticipa
Student Financial Processing
Low A significant number of faculties do not submit their book/material requests to the bookstore timely, resulting in the bookstore not being able to provide books/materials timely to students, keep costs effective and affordable (i.e. ability to buy used books), and possibly cause the institution to be in violation of the HEOA.
Continue to educate faculty about the importance of submitting book and material requests timely. In addition, identify alternative methods of communication and education.
Bookstodepartmmerchanprocess fashion.remindedirector group toHEOA c
The deacoincide
register the fall tare receimonth papproximplaced, abefore th
Student Financial Processing
Low When ordeadlineoffer useIn an attBookstofor somemore affare oftenorders tothe startadded onsemestershipping
Student with Acaprocess.
Appendix
Impact Criteria

HIGH
Financial: (1) Asset size; (2) Prior negative exposure; (3) Rapidly increasing transaction volume
Stakeholder: (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns
Reputation: (1) Potential adverse issues are known to external parties, such as media and regulatory bodies
Legal / Regulatory: (1) Any Federal/State/Other action; (2) External Audit reportable conditions
Operations: (1) Current infrastructure cannot support business strategy

MEDIUM
Financial: (1) Asset size; (2) Major potential cost; (3) Transaction volume stable
Stakeholder: (1) Management, employees and faculty may be affected by process inefficiencies or control breakdown
Reputation: (1) Potential adverse issues could impact customers
Legal / Regulatory: (1) Issues identified by Federal/State/Other; (2) Issues identified by External Audit
Operations: (1) Current infrastructure is able to support business strategy with work arounds

LOW
Financial: (1) Asset size; (2) Minor potential cost; (3) Transaction volume stable
Stakeholder: (1) No management, employees and faculty are affected by process inefficiencies or control breakdown
Reputation: (1) Potential adverse issues could impact employees
Legal / Regulatory: (1) No issues identified by Federal/State/Other; (2) No issues identified by External Audit
Operations: (1) Current infrastructure is able to support business strategy
Vulnerability Criteria

HIGH
Control Effectiveness and Efficiency: Controls are not working or do not exist.
Speed of Response: No method for anticipating and assessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.
Complexity: Manual processes with many data transfer points and owners
People: A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists.
Operational Efficiency: High/unmeasured cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.
System Capability: Systems are not operating as designed or design is flawed; very limited controls
Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months.

MEDIUM
Control Effectiveness and Efficiency: Controls are detective but not preventative and there may or may not be effective reporting.
Speed of Response: A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.
Complexity: Automated process encompassing multiple systems and owners.
People: A limited number of staff and/or staff has moderate competency to manage risk event.
Operational Efficiency: Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.
System Capability: Systems are operating as designed, but design can be improved; controls are bolted on top of the system.
Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months.

LOW
Control Effectiveness and Efficiency: Controls are appropriately preventive and detective and there is effective reporting.
Speed of Response: A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.
Complexity: Automated processes with integrated systems.
People: Most staff has high competency to manage risk events.
Operational Efficiency: Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.
System Capability: Systems are designed, implemented, and operating effectively; controls are embedded in the system.
Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.
©2011 LarsonAllen LLP
University of North Dakota
Risk Assessment Results
October 14, 2011
Craig W. Popenhagen, CPA
Principal
Enterprise-Wide Risk Assessment | University of North Dakota
©2011 LarsonAllen LLP
October 14, 2011
Dr. Robert Kelly
University of North Dakota
264 Centennial Drive Stop 8193
300 Twamley Hall
Grand Forks, ND 58202-8364
Dr. Robert Kelly,
This report provides you, the University of North Dakota (UND) leadership, the Audit Committee, and
members of the Board with the results of the risk assessment and a means to prioritize risk mitigation
strategies. An enterprise-wide risk assessment is the first step in your risk management program of
assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of
strategies to achieve the Board’s acceptable risk level.
LarsonAllen did not audit or review any of the information provided, nor have we performed an
examination of internal controls in accordance with standards promulgated by the American Institute of
Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy
of the information that management has provided.
In addition, the procedures performed by LarsonAllen are not a substitution for management’s
responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk
assessment project was designed to provide University of North Dakota with insight to inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and
operational activity may be identified, our procedures alone cannot identify errors and irregularities
related to the scope of this project.
We appreciate the opportunity to assist University of North Dakota. Management and staff involved in the
process were a pleasure to work with and very open to sharing their opinions and knowledge. This
cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to
contact us for assistance.
Sincerely,
LarsonAllen LLP
Craig W. Popenhagen, CPA Principal
612/397-3087
220 South Sixth Street, Suite 300
Minneapolis, MN 55402-1436
612-376-4500, Fax 612-376-4850
Table of Contents
Executive Summary
  What is Risk Assessment?
  Risk Assessment Methodology
Project Overview
  Objectives and Scope
  Approach
Risk Assessment Results
  Enterprise-Wide Risk Map
  Detailed Results
Appendix
  Impact Criteria
  Vulnerability Criteria
Executive Summary
LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for the University of North Dakota. This included identifying and ranking the key financial, operational, strategic, and information
technology (IT) processes within the organization based on inherent and specific risks. The overall risk
for each process was based upon the process’s potential impact to the organization and the vulnerability
of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically.
Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the
significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical
representation of the relative impact and vulnerability of a risk event for each of the key financial,
operational, and IT processes. Detailed results are also provided communicating the explanation for the
risk ranking and recommendations for addressing the risks.
What is Risk Assessment?
Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse
conditions and/or events and their potential effects on the institution. The process starts with identifying risks associated with business objectives linked through all levels of the institution whether it is entity or
process level.
Entity level is the cornerstone for effective control and its objectives provide guidance on what the
entity wants to achieve. It should be consistent with budget, strategy, and business plans.
Process level should align with entity level objectives but differ in that they relate directly to goal
setting with specific targets and deadlines. It provides guidance for management focus.
Risk Assessment Methodology
The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for the University of North Dakota.
Understand the Client’s Business: We begin by understanding the North Dakota University System’s
(the System) business by gathering the business objectives, goals, and strategies and identifying the System’s
various universities and colleges in addition to the key financial, operational, and IT processes within
each university and college. Next, we assess the external and internal risks related to the industry.
Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or
condition that can negatively affect the ability of an institution to achieve its objectives. Risks are
generally thought to be associated with taking actions; however, risks can also occur when no action is taken in the form of missed opportunities. There are six types of risks:
Strategic: The risk that business objectives will not be met due to poorly defined business strategies,
poorly communicated strategies, or the institution’s inability to execute these strategies due to
inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by
appropriate organizational governance. Failure to adequately plan and execute against organizational
goals may result in significant damage to the institution’s reputation.
Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely
due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a
large error, or the pressure on management to meet certain expectations.
Operational: The risk that the institution’s operational processes are not achieving the objectives
they were designed for to support the business model. This risk addresses inefficient operations, poor
alignment of processes with objectives and strategies, failure to protect assets, etc.
Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations
and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.
Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use
and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall
importance of technology within the institution and the availability and quality of information the
institution can access to support decision making, and the security of key information.
Human Capital: This risk addresses the type of behaviors encouraged by management; the methods
used to reward employees; the approach to consistently enforce policies and procedures; the selection,
screening, and training of employees; and the reason and frequency of turnover. It also includes the
length, consistency, and nature of business relationships, including the handling of sensitive or
confidential information and the risk that business interruption would seriously impact those
relationships.
Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for
risk ranking procedures. In determining risk within the financial, operational, and IT processes, we
assessed the impact of the process to the organization and the vulnerability that a risk would occur by
evaluating the underlying attributes of the process and by assessing the effectiveness of the control
environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.
Project Overview
Objectives and Scope
The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT
processes at the University of North Dakota and assess the levels of risk within each of the process areas.
In addition, the assessment was to provide Management with visibility to process areas that contain the highest potential risk as
determined by the risk assessment process.
The scope of the enterprise-wide risk assessment included the following functional areas / processes
within the institution:
Functional Area / Process: Detailed Coverage of Functional Area / Process
Academic Affairs: On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment
Athletics: Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance
Campus Safety & Security: Building security, campus police/security
Continuing Education: Non-credit courses, community programs, workforce training, conference management
Emergency Preparedness: Emergency preparedness and response procedures, business continuity, risk management
Environmental Health & Safety: Physical safety and soundness of campus buildings, environmental risks, facilities/classroom
Financial Close & Reporting: Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes
Governance: General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action
Grant Administration: Grant tracking and monitoring, accounting, budgeting, reporting, foundation, donor concentrations, foundation investment strategy
Human Resources & Payroll: Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention
Information Technology: IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk
Marketing / Communications: Social media, publications, web development, brand and logo, advertising channels
Operations & Auxiliary Services: Bookstore, libraries, food services
Faculty & Staff: Workforce training, competency, professional environment, conflict of interest
Student Affairs: Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services
Student Financial Processing: Student financial aid, tuition, enrollment fees, scholarships, funding, student loan processing
Approach
With the assistance of University of North Dakota management, LarsonAllen identified 25 key process
owners in the significant financial, operational, and IT processes. Key process owners were interviewed
for the purpose of assessing the inherent and specific risks associated with each functional area.
Upon completion of the interviews, the inherent and specific risks identified in each process were
prioritized and placed on the enterprise-wide risk map based on the impact of the process to the
organization, and the vulnerability of the risk occurring (see Appendix A for further description of the
definitions of impact and vulnerability criteria).
Risk Assessment Results
Enterprise-Wide Risk Map
The enterprise-wide risk map communicates the risk results at the functional area / process based on the
information obtained during the interviews. The description of the risk map is as follows:
Green – Low Risk
Yellow – Moderate Risk
Red – High Risk
The following functional areas / processes are not on the above risk map as there were no risks
identified by stakeholders, per the interview discussions:
Continuing education
Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations
Academic
Affairs
Moderate Concerns that foundations are
potentially no longer supporting UND
objectives or aligning with standards.
Identify specific objectives and standards that
UND feels are not being supported by
foundations and communicate these specifics to the foundation to determine a future approach or
strategy and potentially clarify
misunderstandings.
In the co
this revie
Agreem
Moderate Visibility to the overall operations,
compliance, reporting, accountability, and safety of the Aerospace and
Research Foundations.
Identify specific topics that UND would like
more visibility to as it relates to the operations, compliance, reporting, accountability, and
safety of the Aerospace and Research
Foundations. In addition, UND and the
Foundations should work together so UND can gain further clarification on these topics.
In the co
this revieAgreem
Low Affiliated organizations operate
independently with minimal oversight
from the institution.
No proposed recommendation.
Athletics
Moderate Concerns related to the visibility of
where fund raising revenue is derived
from to more accurately report on
estimated budgeting and forecasting
processes.
Internal controls should be reviewed to identify
potential improvements related to the validity
of fund raising revenue and budgeting and
forecasting processes.
UND Fo
intellige
informa
revenue
Fundrai
periodic
toward t
Moderate Relationship between UND Marketing
Group and the Ralph Engelstad Arena
related to the sales of athletic merchandise.
Identify opportunities to incorporate UND into
the Ralph Engelstad Arena marketing and sales
strategy.
Discuss
Usage A
negotiat
Campus Safety
& Security
Low The scope of background and health
checks on students and employees is
potentially too narrow.
Review current policies and procedures to
determine the current scope of background and
health checks and evaluate whether the current scope is appropriate. Background and health
checks should include, but are not limited to,
criminal, health, previous employment,
previous school enrollment, and financial
stability.
Federal
followe
constraifor infor
perform
Emergency
Preparedness
Moderate No formal policy and procedures related
to business continuity.
Develop a formal business continuity plan. Templa
Plan and
have be
has beenare plan
develop
review/
Moderate Increased racial and ethnic diversity of
student base.
Continually monitor and assess changes in
diversity within the existing and future student
body. Understand and educate faculty, staff,
and students on the importance of diversity at
UND.
UND ha
Advisor
Environmental
Health & Safety
Low Safety and soundness of campus
facilities.
Continually monitor the overall safety and
soundness of all buildings on campus to
identify the potential need for improvements.
Governance
Moderate There is no Compliance Officer or
compliance function to oversee the
various regulations the institution is required to comply with such as PCI,
HIPAA, FERPA, HEOA, etc. and assist
in proactively understanding
requirements.
Perform a cost/benefit analysis to determine if a
compliance function should be developed
within UND to monitor and communicate compliance requirements. In addition, assess
whether the existing Internal Audit group has
the skills necessary and resource capacity to
assist with the communication of compliance
requirements.
Respons
currently
Conside
Moderate Concerns that contract terms and
conditions related to liability are not
consistently being reviewed.
All contracts, including terms and conditions,
should be reviewed.
We will
understa
to be.
Low A Quality Assessment Review of the
Internal Audit Department has never
been performed by a third party. The Institute of Internal Auditors (IIA)
International Standards for the
Professional Practice of Internal
Auditing (specifically 1312 – External
Assessments) states that an external
assessment must be conducted at least
once every five years by a qualified,
independent reviewer or review team
from outside the organization.
Perform a cost/benefit analysis to determine if a
third party should be engaged to perform an
external assessment of the Internal Audit Department.
Low Internal audit reports and specific audit
findings are not ranked to differentiate
the level of risk.
Develop an internal audit report and audit
finding ranking methodology that has clearly
defined ranking criteria to differentiate between the level of risk associated with each report and audit finding.
Governance
Low Concerns related to the overall
awareness of the whistleblower hotline.
Human Resources should identify additional
opportunities (posters, intranet, etc.) to better
advertise the whistleblower hotline.
Grant
Administration
High Congress is discussing making cuts related to earmarked dollars critical to
research.
No proposed recommendation.
High Concerns related to effort reporting.
Policies and procedures are not in place
and there is not a tool to track reporting.
Develop and implement a policy and related
procedures related to effort reporting. In
addition, perform a cost/benefit analysis to
determine if a tool should be purchased and
utilized for effort reporting.
Policies
have be
campus
presente
impleme
process
reportin
determi
Human
Resources &
Payroll
Moderate Payroll processes are very manual (i.e.
Excel spreadsheets are used to calculate
and approve sick and vacation time,
manual time cards are utilized in several
instances, PeopleSoft is manually
updated, etc.).
Payroll should work with the Information
Technology group to determine if there are
additional processes that could be automated in
PeopleSoft, automated workflow tools that exist
and/or could be utilized, and perform a
cost/benefit analysis to determine if additional
software should be purchased (if needed) to
automate additional manual processes.
The Uni
the Nort
which ad
Managem
improve
HRMS m
campuse
team and
schedulesupporte
currently
implemethe next
Human Resources &
Payroll
Low Concerns related to employee retention. Human Resources should perform an
assessment to determine what employees enjoy
most and least about their jobs. In addition, evaluate exit interview documentation and
questionnaire results (if applicable) to determine
if there is a consistent theme(s) related to why
employees leave the university.
Information Technology
High IT infrastructure is maintained underground, including the data center.
Perform a cost/benefit analysis to determine where the infrastructure could be maintained
and still be within reasonable cost/budget.
Fundingbiennium
to house
under th
committ
High No formal disaster recovery plan. Develop a formal disaster recovery plan. This
would include, but is not limited to:
Risk exposures
Recovery team responsibilities
First response process and procedures
Functional assessment process
Asset protection
Communications approach
System recovery timeframes
Maintenance and testing
Training
A Disas
proposaNDUS f
approve
Howeve
plan doe
initiate f
Information
Technology
Moderate The IT function is not consistently
approving service level agreements
(SLAs).
The IT function should develop procedures or
scrutinize against existing procedures to require
SLA approval prior to receiving services. In
addition, monitoring controls should be in place to ensure approved individuals are executing
contracts.
UND w
Low The UND helpdesk is shared with
NDSU and results in inefficiencies and
call forward discrepancies.
Develop a centralized helpdesk function to gain
efficiencies.
Helpdes
there is
can be s
the outsNDUS.
Marketing &
Communications
High Potential reputation impact and loss of
fan base when UND changes the
Fighting Sioux name and logo.
A comprehensive committee (i.e. staff,
students, and faculty) should be established to
identify and evaluate potential name and logo
considerations.
This pla
months
retire th
signed pSBHE a
SBHE a
plannin
name an
is chang
Low Staying abreast on new and current
marketing trends to reach students.
Continue to identify additional ways to stay
abreast with new and current marketing trends to reach students.
Operations & Auxiliary
Services
Moderate Funding concerns related to the libraries’
ability to maintain and increase
subscriptions and licensing to
adequately meet student and faculty needs.
Funding to maintain adequate subscriptions and
licenses should be assessed and communicated
in the budgeting process.
Funding
been co
years as
has resuextent p
identify
predicta
research
Operations &
Auxiliary
Services
Moderate Certain auxiliary services that are not
core to the institution are a financial
liability and do not receive funding. All revenue is generated based on
operations. Divergence of risk related to
proper procedures and reporting if
operations close.
Perform an assessment to determine if fees and
rates are appropriate and establish procedures to
ensure they are revisited on an ongoing basis. In addition, evaluate marketing techniques utilized
to advertise these services and determine if
improvements could be made.
During t
entities a
revenue Further
FY13 bu
Low Remodeling and technology upgrades needed for the library to better
accommodate student learning.
A cost/benefit analysis should be performed to identify what improvements need to be made
related to technology, resources, and space to
better accommodate student learning.
Low Security and safety of mail in the UND
post office.
Continue to evaluate security and safety with
mail. Perform an internal audit focused on
compliance with postal/government regulations.
Low Public use of the auditorium has
decreased due to the economy; therefore
revenue from operations has decreased.
Continue to identify additional ways to market
and advertise the public use options of the
auditorium.
Low The Director of Libraries is not
currently a member of the Academic
Council.
Assess the need to add the Director of Libraries
to the Academic Council.
Faculty & Staff
Moderate Lack of succession planning for most
positions within the institution.
Functional areas should evaluate where it is
most critical to implement a succession plan
and take steps to implement one where needed.
Human
tools/in
unit lev
Moderate There has been a high turnover rate in
key leadership positions in the last
several years.
No proposed recommendation.
Appendix
Impact Criteria

HIGH
Financial: (1) Asset size (2) Prior negative exposure (3) Rapidly increasing transaction volume
Stakeholder: (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns
Reputation: (1) Potential adverse issues are known to external parties, such as media and regulatory bodies
Legal / Regulatory: (1) Any Federal/State/Other action (2) External Audit reportable conditions
Operations: (1) Current infrastructure cannot support business strategy

MEDIUM
Financial: (1) Asset size (2) Major potential cost (3) Transaction volume stable
Stakeholder: (1) Management, employees and faculty may be affected by process inefficiencies or control breakdown
Reputation: (1) Potential adverse issues could impact customers
Legal / Regulatory: (1) Issues identified by Federal/State/Other (2) Issues identified by External Audit
Operations: (1) Current infrastructure is able to support business strategy with work arounds

LOW
Financial: (1) Asset size (2) Minor potential cost (3) Transaction volume stable
Stakeholder: (1) No management, employees and faculty are affected by process inefficiencies or control breakdown
Reputation: (1) Potential adverse issues could impact employees
Legal / Regulatory: (1) No issues identified by Federal/State/Other (2) No issues identified by External Audit
Operations: (1) Current infrastructure is able to support business strategy
Vulnerability Criteria

HIGH
Control Effectiveness and Efficiency: Controls are not working or do not exist.
Speed of Response: No method for anticipating and assessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.
Complexity: Manual processes with many data transfer points and owners
People: A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists.
Operational Efficiency: High/unmeasured cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.
System Capability: Systems are not operating as designed or design is flawed; very limited controls
Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months.

MEDIUM
Control Effectiveness and Efficiency: Controls are detective but not preventative and there may or may not be effective reporting.
Speed of Response: A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.
Complexity: Automated process encompassing multiple systems and owners.
People: A limited number of staff and/or staff has moderate competency to manage risk event.
Operational Efficiency: Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.
System Capability: Systems are operating as designed, but design can be improved; controls are bolted on top of the system.
Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months.

LOW
Control Effectiveness and Efficiency: Controls are appropriately preventive and detective and there is effective reporting.
Speed of Response: A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.
Complexity: Automated processes with integrated systems.
People: Most staff has high competency to manage risk events.
Operational Efficiency: Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.
System Capability: Systems are designed, implemented, and operating effectively; controls are embedded in the system.
Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.
©2011 LarsonAllen LLP
Valley City State University
Risk Assessment Results
October 14, 2011
Craig W. Popenhagen, CPA
Principal
Enterprise-Wide Risk Assessment | Valley City State University
©2011 LarsonAllen LLP
October 14, 2011
Dr. Steven Shirley
Valley City State University
101 College Street SW
Valley City, ND 58072
Dr. Shirley,
This report provides you, Valley City State University (VCSU) leadership, the Audit Committee, and
members of the Board with the results of the risk assessment and a means to prioritize risk mitigation
strategies. An enterprise-wide risk assessment is the first step in your risk management program of
assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of
strategies to achieve the Board’s acceptable risk level.
LarsonAllen did not audit or review any of the information provided, nor have we performed an
examination of internal controls in accordance with standards promulgated by the American Institute of
Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy
of the information that management has provided.
In addition, the procedures performed by LarsonAllen are not a substitution for management’s
responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk
assessment project was designed to provide Valley City State University with insight to inherent and
specific risks throughout the institution. While potential characteristics of unsupported financial and
operational activity may be identified, our procedures alone cannot identify errors and irregularities
related to the scope of this project.
We appreciate the opportunity to assist Valley City State University. Management and staff involved in
the process were a pleasure to work with and very open to sharing their opinions and knowledge. This
cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to
contact us for assistance.
Sincerely,
LarsonAllen LLP
Craig W. Popenhagen, CPA Principal
612/397-3087
220 South Sixth Street, Suite 300
Minneapolis, MN 55402-1436
612-376-4500, Fax 612-376-4850
Table of Contents
Executive Summary
  What is Risk Assessment?
  Risk Assessment Methodology
Project Overview
  Objectives and Scope
  Approach
Risk Assessment Results
  Enterprise-Wide Risk Map
  Detailed Results
Appendix
  Impact Criteria
  Vulnerability Criteria
Executive Summary
LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for Valley City State
University. This included identifying and ranking the key financial, operational, strategic, and information
technology (IT) processes within the organization based on inherent and specific risks. The overall risk
for each process was based upon the process’s potential impact to the organization and the vulnerability
of the risk occurring given the current environment. The risk environment is dynamic and will continue to
change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk
assessment performed periodically.
Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the
significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical
representation of the relative impact and vulnerability of a risk event for each of the key financial,
operational, and IT processes. Detailed results are also provided communicating the explanation for the
risk ranking and recommendations for addressing the risks.
What is Risk Assessment?
Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse
conditions and/or events and their potential effects on the institution. The process starts with identifying
risks associated with business objectives linked through all levels of the institution whether it is entity or
process level.
Entity level is the cornerstone for effective control and its objectives provide guidance on what the
entity wants to achieve. It should be consistent with budget, strategy, and business plans.
Process level should align with entity level objectives but differ in that they relate directly to goal
setting with specific targets and deadlines. It provides guidance for management focus.
Risk Assessment Methodology
The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for Valley City State University.
Understand the Client’s Business: We begin by understanding the North Dakota University System’s
(the System) business by gathering the business objectives, goals, and strategies and identify the System’s
various universities and colleges in addition to the key financial, operational, and IT processes within
each university and college. Next, we assess the external and internal risks related to the industry.
Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or
condition that can negatively affect the ability of an institution to achieve its objectives. Risks are
generally thought to be associated with taking actions; however, risks can also occur when no action is
taken in the form of missed opportunities. There are six types of risks:
Strategic: The risk that business objectives will not be met due to poorly defined business strategies,
poorly communicated strategies, or the institution’s inability to execute these strategies due to
inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by
appropriate organizational governance. Failure to adequately plan and execute against organizational
goals may result in significant damage to the institution’s reputation.
Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely
due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a
large error, or the pressure on management to meet certain expectations.
Operational: The risk that the institution’s operational processes are not achieving the objectives
they were designed for to support the business model. This risk addresses inefficient operations, poor
alignment of processes with objectives and strategies, failure to protect assets, etc.
Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations
and directives, or accreditation agencies. Failure to follow prescribed directives may result in
substantial fines, restrictions, loss of business, and/or legal action taken by regulators.
Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use
and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall
importance of technology within the institution and the availability and quality of information the
institution can access to support decision making, and the security of key information.
Human Capital: This risk addresses the type of behaviors encouraged by management; the methods
used to reward employees; the approach to consistently enforce policies and procedures; the selection,
screening, and training of employees; and the reason and frequency of turnover. It also includes the
length, consistency, and nature of business relationships, including the handling of sensitive or
confidential information and the risk that business interruption would seriously impact those
relationships.
Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for
risk ranking procedures. In determining risk within the financial, operational, and IT processes, we
assessed the impact of the process to the organization and the vulnerability that a risk would occur by
evaluating the underlying attributes of the process and by assessing the effectiveness of the control
environment around that process. The criteria are defined in terms of high, moderate, and low. See
illustration below for definitions.
[Illustration: Areas of Focus Definitions]
Areas of focus: Financial; Stakeholder; Reputation; Legal / Regulatory; Operations; Control Efficiency & Operating Effectiveness; Speed of Response; Complexity; People; Operational Efficiency; System Capability; Rate of Change
Ratings: High Risk; Moderate Risk; Low Risk
Execute Risk Assessment Approach: We begin by identifying various interview participants, including
key risk owners and conduct interviews, as applicable. Key risks are gathered during this stage and results
are ranked by defined impact and vulnerability criteria.
Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map.
An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and
vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then
validated and shared with management, as appropriate. By prioritizing and validating risks, Valley City
State University can align and prioritize its resources to manage and mitigate risks appropriately.
[Illustration labels: Impact, Vulnerability, Measurement Scale]
Project Overview
Objectives and Scope
The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT
processes at Valley City State University and assess the levels of risk within each of the process areas. In
addition, provide Management with visibility to process areas that contain the highest potential risk as
determined by the risk assessment process.
The scope of the enterprise-wide risk assessment included the following functional areas / processes
within the institution:
Functional Area / Process | Detailed Coverage of Functional Area / Process
Academic Affairs | On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment
Athletics | Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance
Campus Safety & Security | Building security, campus police/security
Continuing Education | Non-credit courses, community programs, workforce training, conference management
Emergency Preparedness | Emergency preparedness and response procedures, business continuity, risk management
Environmental Health & Safety | Physical safety and soundness of campus buildings, environmental risks, facilities/classroom
Financial Close & Reporting | Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes
Governance | General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action
Grant Administration | Grant tracking and monitoring, accounting, budgeting, reporting, foundation, donor concentrations, foundation investment strategy
Human Resources & Payroll | Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention
Information Technology | IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk
Marketing / Communications | Social media, publications, web development, brand and logo, advertising channels
Operations & Auxiliary Services | Bookstore, libraries, food services
Faculty & Staff | Workforce training, competency, professional environment, conflict of interest
Student Affairs | Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services
Student Financial Processing | Student financial aid, tuition, enrollment fees, scholarships, funding
Approach
With the assistance of Valley City State University management, LarsonAllen identified 20 key process
owners in the significant financial, operational, and IT processes. Key process owners were interviewed
for the purpose of assessing the inherent and specific risks associated with each functional area.
Upon completion of the interviews, the inherent and specific risks identified in each process were
prioritized and placed on the enterprise-wide risk map based on the impact of the process to the
organization, and the vulnerability of the risk occurring (see Appendix A for further description of the definitions of impact and vulnerability criteria).
Risk Assessment Results
Enterprise-Wide Risk Map
The enterprise-wide risk map communicates the risk results at the functional area / process based on the
information obtained during the interviews. The description of the risk map is as follows:
Green – Low Risk
Yellow – Moderate Risk
Red – High Risk
The following functional areas / processes are not on the above risk map as there were no risks
identified by stakeholders, per the interview discussions:
Continuing education
Functional Area / Process: Emergency Preparedness
Risk Ranking: Moderate
Identified Risk: Lack of communication related to emergency response procedures and concerns that the involvement of training and testing of the procedures are not campus-wide.
Proposed Recommendations: Identify additional ways to communicate emergency response procedures and provide training and testing that involves several areas across the institution.
Risk Ranking: Low
Identified Risk: Concerns related to flooding and whether the right business continuity and disaster recovery plans are in place and if communication and training regarding the plans is sufficient.
Proposed Recommendations: Review the current business continuity and disaster recovery plans to assess whether the plans appear appropriate to address flooding concerns. In addition, determine whether all staff, faculty, and students have received sufficient training, communication, and specific procedures on what to do in the event of another flood incident.
Functional Area / Process: Environmental Health & Safety
Risk Ranking: Low
Identified Risk: Safety and soundness of campus facilities, specifically the age of buildings, ventilation issues, etc.
Proposed Recommendations: Continually monitor the overall safety and soundness of all buildings on campus to identify the potential need for improvements.
Functional Area / Process: Financial Close & Reporting
Risk Ranking: Moderate
Identified Risk: There is segregation of duties concerns within the business office due to the limited staff size.
Proposed Recommendations: Perform a review of the responsibilities assigned to each individual in the business office to determine whether additional responsibilities could be segregated.
Risk Ranking: Low
Identified Risk: The account payable process is manual in nature causing significant inefficiencies. For example, the expense approval process for purchases is not streamlined to eliminate duplicate processes related to submission and review of receipts, statements received from vendors, etc.
Proposed Recommendations: Perform a cost/benefit analysis to determine if an automated workflow should be implemented for the account payable process to eliminate duplicate processes and opportunities to make errors.
Risk Ranking: Low
Identified Risk: Concerns that new GASB statements and/or changes to existing GASB statements are not monitored on a consistent basis, which could result in inaccurate financial statements.
Proposed Recommendations: Continue to stay abreast of new GASB statements and/or changes to existing GASB statements.
Functional Area / Process: Governance
Risk Ranking: Moderate
Identified Risk: Contract start dates have been delayed due to the turnaround time in the contract review process.
Recommendations: Discuss the turnaround time of contract review with the System Office to determine if the review period could be shortened. In addition, determine if it makes good business sense to centralize the General Counsel function to allow further allocation opportunities to the smaller colleges and universities.
Risk Ranking: Low
Identified Risk: System level policy interpretation is difficult and VCSU is unsure of their authority in all circumstances.
Recommendations: Identify specific system level policies and/or verbiage in policies that are difficult to interpret and meet with the System Office to obtain additional guidance related to the policies.
Risk Ranking: Low
Identified Risk: Concerns that personnel are using VCSU property for personal use when not authorized to do so.
Recommendations: Continue to communicate and train personnel on the existing policy for appropriate use of VCSU property.
Functional Area / Process: Grant Administration
Risk Ranking: Moderate
Identified Risk: Lack of grant related policies and procedures, specifically grant lifecycle and expense allocations.
Recommendations: Develop policies and related procedures for grant processes, specifically grant lifecycle and expense allocations.
Functional Area / Process: Human Resources & Payroll
Risk Ranking: Moderate
Identified Risk: Lack of payroll procedures specific to the hiring and termination processes.
Recommendations: Develop procedures for payroll processes, specifically for the hiring and termination processes.
Risk Ranking: Moderate
Identified Risk: Recruitment and retention of faculty is a concern, specifically as it relates to the compensation offered for these positions.
Recommendations: No proposed recommendation.
Risk Ranking: Moderate
Identified Risk: Employee work load is a concern. Several functional areas identified some level of personnel needs. An over worked employee could potentially lead to burnout, low morale, etc.
Recommendations: Human Resources and senior management should assess current FTE workload by department. Identify areas of concern and suggest departmental changes and/or identify ways to better manage workloads.
Functional Area / Process: Human Resources & Payroll
Risk Ranking: Moderate
Identified Risk: Faculty sick leave is not tracked and monitored causing concerns related to compliance with the Family and Medical Leave Act (FMLA).
Recommendations: Team with the System Office to assess policies across all colleges and universities and identify inconsistencies specific to faculty sick leave. Evaluate how lack of tracking faculty sick leave can impact compliance with FMLA. In addition, continue to educate staff and faculty related to FMLA.
Risk Ranking: Moderate
Identified Risk: There is only one person performing all payroll responsibilities, resulting in segregation of duties conflicts.
Recommendations: Assess the need to move certain responsibilities to another functional area or person to segregate significant responsibilities in the payroll process.
Risk Ranking: Low
Identified Risk: Payroll processes are very manual (i.e. Excel spreadsheets are used to calculate and approve sick and vacation time, manual time sheets are utilized, PeopleSoft is manually updated, etc.). In addition, time sheets are not always turned in timely and approval signatures are missing.
Recommendations: Payroll should work with the Information Technology group to determine if there are additional processes that could be automated in PeopleSoft, automated workflow tools that exist and/or could be utilized, and perform a cost/benefit analysis to determine if additional software should be purchased (if needed) to automate additional manual processes.
Risk Ranking: Low
Identified Risk: There are concerns related to the accuracy of the human resources master file, specifically faculty information (i.e. tenure, status, etc.).
Recommendations: A review should be performed of the human resources master file to determine if changes need to be made to update information for staff and/or faculty members.
Functional Area / Process: Information Technology
Risk Ranking: Moderate
Identified Risk: Security roles in Campus Connection are too broad for the size of the institution; therefore, employees have additional access than what is needed based on job responsibility.
Recommendations: Work with the System office to evaluate the permissions assigned to security roles to determine if changes could be made. In addition, identify and review manual controls to mitigate the risk of inappropriate access.
Risk Ranking: Low
Identified Risk: Concerns that the back-up generator does not supply appropriate power and cooling needs are not being met in one of the two data centers.
Recommendations: Review the current power and cooling methods in the data center and determine if enhancements to the generator should be made.
Risk Ranking: Low
Identified Risk: Gathering data and information quickly requested by senior leadership, the state, etc. is challenging and time consuming. Information needed for reporting and retrieved from PeopleSoft is at a “point in time” and a significant amount of time is spent manipulating and reporting on historical information. Several manual work-arounds have been created to meet specific needs.
Recommendations: Identify current reporting in PeopleSoft that are not effective and efficient. Utilize appropriate resources to determine if current reports could be enhanced to allow for historical reporting, new reports developed, etc. to obtain the information needed and in the appropriate format for reporting.
Functional Area / Process: Marketing & Communications
Risk Ranking: Low
Identified Risk: Ongoing concern related to marketing and ability to attract students for programs, specifically where and what should be marketed and communicated.
Recommendations: Identify additional marketing opportunities on how to reach a broader group of potential students by networking and determining what other colleges and universities across the nation are doing to attract students.
Risk Ranking: Low
Identified Risk: There is no Social Media Policy in place.
Recommendations: VCSU is currently utilizing facebook as a marketing technique; therefore, a Social Media Policy should be developed to establish appropriate use, ethical behavior, etc.
Functional Area / Process: Operations & Auxiliary Services
Risk Ranking: Moderate
Identified Risk: There is no POS system utilized by the bookstore which poses a risk of recording accuracy and completeness of purchases.
Recommendations: Perform a cost/benefit analysis to determine if it makes good business sense to purchase and implement a POS system. In addition, perform a review of the internal controls in place to determine if additional controls should be implemented and existing controls strengthened.
Risk Ranking: Low
Identified Risk: The bookstore does not currently offer online purchasing capabilities potentially resulting in missed revenue opportunities.
Recommendations: Perform a cost/benefit analysis to determine if it makes good business sense to implement bookstore purchasing capabilities online.
Risk Ranking: Low
Identified Risk: Concerns that the library hours are not meeting student needs, especially during peak periods.
Recommendations: Perform an assessment, receiving student input, to determine how many students are utilizing the library, if library hours are adequate, when students feel hours are the most adequate, etc. Adjust library hours as appropriate, based on the results.
Risk Ranking: Low
Identified Risk: There are two bookstore locations on campus, creating additional oversight to monitor inventory level needs in each location, increased staffing oversight, and other inefficiencies that exist by having two locations.
Recommendations: Assess the need to continue having two bookstore locations on campus and determine if the two locations should be consolidated into one to allow for more efficient and cost effective processes.
Risk Ranking: Low
Identified Risk: Concerns related to the type of inventory sold in the bookstore and if it is appropriate (i.e. appropriate sizes of clothing merchandise in stock to maximize sales).
Recommendations: Track and monitor historical trends of merchandise sales and perform an analysis of the type of inventory to maintain in the bookstore to maximize sales.
Functional Area / Process: Faculty & Staff
Risk Ranking: Moderate
Identified Risk: Current staffing model at the library and training available to meet the changing information technology demand of students.
Recommendations: Consideration should be given to provide increased information technology training to existing personnel, specific to library services within higher education, and potentially develop job qualifications for new applicants.
Risk Ranking: Moderate
Identified Risk: Concerns that succession planning has not been a key priority where deemed necessary.
Recommendations: Perform an assessment to determine where succession planning would be deemed most critical and develop a plan to implement with key action plans and milestone dates.
Risk Ranking: Low
Identified Risk: Current relationships with vendors could potentially be a conflict of interest as certain accusations have been made.
Recommendations: Continue to communicate and train personnel on the existing conflict of interest policy. In addition, the vendor master file should be reviewed on an ongoing basis to identify potential conflicts of interest.
Functional Area / Process: Student Affairs
Risk Ranking: Low
Identified Risk: Athletes may not be receiving the appropriate level of academic advising, due to lack of resources.
Recommendations: Review the allocation of academic advising resources to determine whether resources are appropriately allocated to student athletes or if changes should be made. In addition, perform a cost/benefit analysis to determine if additional dollars should be budgeted for academic advising.
Functional Area / Process: Student Affairs
Risk Ranking: Low
Identified Risk: Mental health and medical issues are increasing in the student body, resulting in an increased need for student counseling services.
Recommendations: Assess the current workload in the Student Counseling Services group to determine if current resources are adequate to support student needs.
Functional Area / Process: Student Financial Processing
Risk Ranking: Moderate
Identified Risk: Concerns related to communication between faculty and the Financial Aid department to understand the impact of potential curriculum changes on financial aid distribution and regulations.
Recommendations: Communication between faculty and the Financial Aid department should be enhanced to improve the understanding of the financial aid requirements and the potential impact on curriculum changes. In addition, develop specific procedures and distribute to all applicable parties related to the process and communication that should occur when there are curriculum changes.
Risk Ranking: Low
Identified Risk: Ability to stay proactive related to financial aid federal compliance. Changes in legislation are not always known and implemented timely as monitoring of new regulations and changes to existing regulations is not performed on a consistent basis. In addition, interpretation of regulations is difficult.
Recommendations: Develop an action plan with specific measurable goals to continually monitor and stay abreast of financial aid federal regulations. Discuss regulations with the System Office and other colleges and universities in ND, as needed, to compare interpretations and gain additional confidence that VCSU is in compliance. In addition, consider performing an internal audit to review compliance with regulations.
©2011 LarsonAllen LLP
Williston State College
Risk Assessment Results
October 14, 2011
Craig W. Popenhagen, CPA
Principal
Enterprise-Wide Risk Assessment | Williston State College
©2011 LarsonAllen LLP
October 14, 2011
Dr. Raymond A. Nadolny
Williston State College
1410 University Avenue
Williston, ND 58801
Dr. Raymond Nadolny,
This report provides you, Williston State College (WSC) leadership, the Audit Committee, and members
of the Board with the results of the risk assessment and a means to prioritize risk mitigation strategies. An
enterprise-wide risk assessment is the first step in your risk management program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve
the Board’s acceptable risk level.
LarsonAllen did not audit or review any of the information provided, nor have we performed an
examination of internal controls in accordance with standards promulgated by the American Institute of
Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy
of the information that management has provided.
In addition, the procedures performed by LarsonAllen are not a substitution for management’s
responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk
assessment project was designed to provide Williston State College with insight to inherent and specific risks throughout the institution. While potential characteristics of unsupported financial and operational
activity may be identified, our procedures alone cannot identify errors and irregularities related to the
scope of this project.
We appreciate the opportunity to assist Williston State College. Management and staff involved in the
process were a pleasure to work with and very open to sharing their opinions and knowledge. This
cooperation was invaluable to the outcome of this project. If you have any questions, please feel free to
contact us for assistance.
Sincerely,
LarsonAllen LLP
Craig W. Popenhagen, CPA Principal
612/397-3087
220 South Sixth Street, Suite 300, Minneapolis, MN 55402-1436, 612-376-4500, Fax 612-376-4850
Table of Contents
Executive Summary: What is Risk Assessment?, Risk Assessment Methodology
Project Overview: Objectives and Scope, Approach
Risk Assessment Results: Enterprise-Wide Risk Map, Detailed Results
Appendix: Impact Criteria, Vulnerability Criteria
Executive Summary
LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for Williston State
College. This included identifying and ranking the key financial, operational, strategic, and information
technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process was based upon the process’s potential impact to the organization and the vulnerability
of the risk occurring given the current environment. The risk environment is dynamic and will continue to
change; therefore, risk should be assessed on an ongoing basis with a formal enterprise-wide risk assessment performed periodically.
Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the
significant functional areas or processes within the institution. The enterprise-wide risk map is a graphical
representation of the relative impact and vulnerability of a risk event for each of the key financial,
operational, and IT processes. Detailed results are also provided communicating the explanation for the
risk ranking and recommendations for addressing the risks.
What is Risk Assessment?
Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse
conditions and/or events and their potential effects on the institution. The process starts with identifying
risks associated with business objectives linked through all levels of the institution whether it is entity or process level.
Entity level is the cornerstone for effective control and its objectives provide guidance on what the
entity wants to achieve. It should be consistent with budget, strategy, and business plans.
Process level should align with entity level objectives but differ in that they relate directly to goal
setting with specific targets and deadlines. It provides guidance for management focus.
Risk Assessment Methodology
The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk
assessment for Williston State College.
Understand the Client’s Business: We begin by understanding the North Dakota University System’s
(the System) business by gathering the business objectives, goals, and strategies and identify the System’s
various universities and colleges in addition to the key financial, operational, and IT processes within
each university and college. Next, we assess the external and internal risks related to the industry.
Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or
condition that can negatively affect the ability of an institution to achieve its objectives. Risks are
generally thought to be associated with taking actions; however, risks can also occur when no action is taken in the form of missed opportunities. There are six types of risks:
Strategic: The risk that business objectives will not be met due to poorly defined business strategies,
poorly communicated strategies, or the institution’s inability to execute these strategies due to
inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by
appropriate organizational governance. Failure to adequately plan and execute against organizational
goals may result in significant damage to the institution’s reputation.
Financial: The risk that the institution’s financial reporting is inaccurate, incomplete, or untimely
due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a
large error, or the pressure on management to meet certain expectations.
Operational: The risk that the institution’s operational processes are not achieving the objectives
they were designed for to support the business model. This risk addresses inefficient operations, poor
alignment of processes with objectives and strategies, failure to protect assets, etc.
Legal/Regulatory: The institution is subject to a variety of federal, state and local laws, regulations
and directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action taken by regulators.
Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use
and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall
importance of technology within the institution and the availability and quality of information the
institution can access to support decision making, and the security of key information.
Human Capital: This risk addresses the type of behaviors encouraged by management; the methods
used to reward employees; the approach to consistently enforce policies and procedures; the selection,
screening, and training of employees; and the reason and frequency of turnover. It also includes the
length, consistency, and nature of business relationships, including the handling of sensitive or
confidential information and the risk that business interruption would seriously impact those
relationships.
Next, we define impact and vulnerability criteria applicable to the institution to be utilized as a tool for
risk ranking procedures. In determining risk within the financial, operational, and IT processes, we
assessed the impact of the process to the organization and the vulnerability that a risk would occur by
evaluating the underlying attributes of the process and by assessing the effectiveness of the control
environment around that process. The criteria are defined in terms of high, moderate, and low. See illustration below for definitions.
[Illustration: Areas of Focus Definitions. Areas listed: Financial; Stakeholder; Reputation; Legal / Regulatory; Operations; Control Efficiency & Operating Effectiveness; Speed of Response; Complexity; People; Operational Efficiency; System Capability; Rate of Change. Ratings: High Risk, Moderate Risk, Low Risk.]
Execute Risk Assessment Approach: We begin by identifying various interview participants, including
key risk owners and conduct interviews, as applicable. Key risks are gathered during this stage and results
are ranked by defined impact and vulnerability criteria.
Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map. An enterprise-wide risk map is a graphic tool that assists in plotting the risk’s relative impact and
vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then
validated and shared with management, as appropriate. By prioritizing and validating risks, Williston
State College can align and prioritize its resources to manage and mitigate risks appropriately.
[Illustration labels: Impact; Vulnerability; Measurement Scale]
Project Overview
Objectives and Scope
The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT
processes at Williston State College and assess the levels of risk within each of the process areas. In
addition, provide Management with visibility to process areas that contain the highest potential risk as
determined by the risk assessment process.
The scope of the enterprise-wide risk assessment included the following functional areas / processes
within the institution:
Functional Area / Process: Detailed Coverage of Functional Area / Process
Academic Affairs: On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment
Athletics: Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance, player and spectator liability
Campus Safety & Security: Building security, campus police/security
Continuing Education: Non-credit courses, community programs, workforce training, conference management
Emergency Preparedness: Emergency preparedness and response procedures, business continuity, risk management
Environmental Health & Safety: Physical safety and soundness of campus buildings, environmental risks, facilities/classroom
Financial Close & Reporting: Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes
Governance: General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action
Grant Administration: Grant tracking and monitoring, accounting, budgeting, reporting
Human Resources & Payroll: Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention
Information Technology: IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk
Marketing / Communications: Social media, publications, web development, brand and logo, advertising channels
Operations & Auxiliary Services: Bookstore, libraries, food services
Faculty & Staff: Workforce training, competency, professional environment, conflict of interest
Student Affairs: Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services
Student Financial Processing: Student financial aid, tuition, enrollment fees, scholarships, funding, student loan processing
Risk Assessment Results
Enterprise-Wide Risk Map
The enterprise-wide risk map communicates the risk results at the functional area / process based on the
information obtained during the interviews. The description of the risk map is as follows:
Green – Low Risk
Yellow – Moderate Risk
Red – High Risk
Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations
Functional Area / Process: Financial Close & Reporting
Risk Ranking: Moderate
Identified Risk: Concerns related to oversight related to significant capital projects currently maintained on campus.
Proposed Recommendations: Perform a cost/benefit analysis to determine if a position should be created or utilize an existing WSC employee to monitor and oversee capital projects.
W
de
pro
Risk Ranking: Moderate
Identified Risk: Duplicate financial transactions are entered into the ACEware and PeopleSoft systems as there is no direct interface between them. In addition, PeopleSoft does not currently have the functionality to support non-credit student registration.
Proposed Recommendations: WSC should evaluate the processes to determine if the most efficient methods are being utilized for this area.
A
an
tra
Risk Ranking: Moderate
Identified Risk: ACEware non-credit registration software continues to have significant unresolved or aged reconciling items in relation to the PeopleSoft.
Proposed Recommendations: All open and aged reconciling items should be reviewed and resolved on a timely basis.
A
all
Risk Ranking: Moderate
Identified Risk: Concerns that departmental budget changes are not being communicated on a timely basis, resulting in over spending.
Proposed Recommendations: When a revision in the budget is determined necessary, WSC should communicate with impacted departments on a timely basis.
W
im
Risk Ranking: Moderate
Identified Risk: There have been instances identified where expenses are misclassified between programs, etc.
Proposed Recommendations: WSC should review their process of expense classification to include the process owner when possible in account classification.
W
wh
Risk Ranking: Moderate
Identified Risk: Balance sheet reconciliations are not being completed on a timely basis.
Proposed Recommendations: A schedule of all reconciliations should be created to identify the individual responsible for executing the reconciliation and expected timeframe for completion. This schedule should be reviewed by management on an ongoing basis to identify any delays.
Th
an
Functional Area / Process: Human Resources & Payroll
Risk Ranking: Moderate
Identified Risk: Concerns around the training available and needed for the Human Resources Group related to technical benefits and human resources related issues.
Proposed Recommendations: Consideration should be given to provide increased training to existing personnel and potentially develop job qualifications for new applicants.
W
an
de
Risk Ranking: Moderate
Identified Risk: Overall employee work load is a concern. Most functional areas identified some level of personnel needs.
Proposed Recommendations: Human Resources and senior management should assess current FTE work load by department. Identify areas of concern and suggest departmental changes to better manage existing workload.
W
cre
Risk Ranking: Low
Identified Risk: Hourly employees worked hours and all vacation and sick leave are tracked manually.
Proposed Recommendations: WSC should assess the opportunity to improve efficiency and internal controls over tracking of employee hours.

Risk Ranking: Low
Identified Risk: Faculty is not required to record sick time.
Proposed Recommendations: WSC should assess whether tracking of sick time is necessary for faculty.

Risk Ranking: Low
Identified Risk: Recruitment of staff positions is done primarily through the local newspaper.
Proposed Recommendations: The opportunity to attract more qualified candidates may be achieved with a larger number of resources used to conduct the search.

Risk Ranking: Low
Identified Risk: Staff and faculty handbooks have dated material.
Proposed Recommendations: The handbooks should be reviewed and updated on an ongoing basis.
Functional Area / Process: Faculty & Staff
Risk Ranking: High
Identified Risk: Concerns related to faculty wages in comparison to industry averages. In addition, WSC wages are under the local high school wages.
Proposed Recommendations: WSC should consider benchmarking wages with other North Dakota colleges and universities to help monitor wages.
W
fac
stabri
Risk Ranking: Moderate
Identified Risk: Concerns how resources are being utilized across the institution, what functional areas are significantly lacking resources, and what resources could be realigned to even workloads.
Proposed Recommendations: Perform an assessment to determine how resources are being utilized across all functional areas, tracking of hours worked, efficiencies that could be gained, etc.
As
do
an
exres
Functional Area / Process: Student Affairs
Risk Ranking: Moderate
Identified Risk: WSC currently does not have a counselor on campus.
Proposed Recommendations: Consideration should be given to potentially hiring a counselor to assist students on mental health, academic assistance and career assessments.
Fa
ass
loc
ass
Wthe
me
Risk Ranking: Low
Identified Risk: Lack of available housing and residence space due to increased enrollment and overall population of Williston.
Proposed Recommendations: WSC should continue to identify additional opportunities for student housing as student enrollment continues to increase.
A
20
an
nu
Functional Area / Process: Student Financial Processing
Risk Ranking: Moderate
Identified Risk: Ability to stay proactive related to financial aid federal compliance due to limited staffing and potential legislation changes.
Proposed Recommendations: WSC should assess the current staffing levels with the financial aid department. In addition, WSC should consider identifying opportunities to utilize the System Office and other colleges/universities to improve their understanding of potential legislation changes.
Pe
uti
co
theND
en
ch
mo
Risk Ranking: Moderate
Identified Risk: Concerns related to communication between faculty and the Financial Aid department to understand the impact of potential curriculum changes on financial aid distribution and regulations.
Proposed Recommendations: Ongoing communication should be implemented to improve understanding of financial aid requirements and the potential impact on curriculum changes.
A
increv
Appendix
Impact Criteria

HIGH
Financial: (1) Asset size; (2) Prior negative exposure; (3) Rapidly increasing transaction volume
Stakeholder: (1) Management, employees, and faculty affected by process inefficiencies or control breakdowns
Reputation: (1) Potential adverse issues are known to external parties, such as media and regulatory bodies
Legal / Regulatory: (1) Any Federal/State/Other action; (2) External Audit reportable conditions
Operations: (1) Current infrastructure cannot support business strategy

MEDIUM
Financial: (1) Asset size; (2) Major potential cost; (3) Transaction volume stable
Stakeholder: (1) Management, employees and faculty may be affected by process inefficiencies or control breakdown
Reputation: (1) Potential adverse issues could impact customers
Legal / Regulatory: (1) Issues identified by Federal/State/Other; (2) Issues identified by External Audit
Operations: (1) Current infrastructure is able to support business strategy with work arounds

LOW
Financial: (1) Asset size; (2) Minor potential cost; (3) Transaction volume stable
Stakeholder: (1) No management, employees and faculty are affected by process inefficiencies or control breakdown
Reputation: (1) Potential adverse issues could impact employees
Legal / Regulatory: (1) No issues identified by Federal/State/Other; (2) No issues identified by External Audit
Operations: (1) Current infrastructure is able to support business strategy
Vulnerability Criteria

HIGH
Control Effectiveness and Efficiency: Controls are not working or do not exist.
Speed of Response: No method for anticipating and assessing specific risk events exists, so issues are not escalated to the appropriate executives effectively.
Complexity: Manual processes with many data transfer points and owners
People: A limited number of staff or current staff has limited competency to manage risk events. Inadequate cross-training exists.
Operational Efficiency: High/unmeasured cost of operations, many quality concerns noted, and unacceptable or unmeasured cycle/process time.
System Capability: Systems are not operating as designed or design is flawed; very limited controls
Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a HIGH rate of change over the last 6 months.

MEDIUM
Control Effectiveness and Efficiency: Controls are detective but not preventative and there may or may not be effective reporting.
Speed of Response: A method for anticipating and assessing specific risk events exists but issues are not effectively escalated to the appropriate executives.
Complexity: Automated process encompassing multiple systems and owners.
People: A limited number of staff and/or staff has moderate competency to manage risk event.
Operational Efficiency: Above industry average cost of operation, some quality concerns noted, and below industry average cycle/process time.
System Capability: Systems are operating as designed, but design can be improved; controls are bolted on top of the system.
Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a MODERATE rate of change over the last 6 months.

LOW
Control Effectiveness and Efficiency: Controls are appropriately preventive and detective and there is effective reporting.
Speed of Response: A method for anticipating and assessing specific risk events exists and effectively escalates issues to the appropriate executive.
Complexity: Automated processes with integrated systems.
People: Most staff has high competency to manage risk events.
Operational Efficiency: Low/average cost of operations, no quality concerns noted, and cycle/process times within specified standards.
System Capability: Systems are designed, implemented, and operating effectively; controls are embedded in the system.
Rate of Change: Risk is managed by or directly impacts people, processes, systems, or businesses that have experienced a LOW rate of change over the last 6 months.
©2011 LarsonAllen LLP
North Dakota University System
Risk Assessment Results
October 14, 2011
Craig W. Popenhagen, CPA
Principal
612/397-3087
Enterprise-Wide Risk Assessment | North Dakota University System
©2011 LarsonAllen LLP
October 14, 2011
Chancellor Goetz
North Dakota University System
10th Floor, State Capitol
600 East Boulevard Ave, Dept. 215
Bismarck, ND 58505-0230
Dear Chancellor Goetz,
This report provides you, North Dakota University System (NDUS or the System) leadership, the Audit
Committee, and members of the Board with the results of the risk assessment and a means to prioritize
risk mitigation strategies. An enterprise-wide risk assessment is the first step in your risk management
program of assessing risks, evaluating risks and controls, reviewing control effectiveness, and
implementation of strategies to achieve the Board’s acceptable risk level.
LarsonAllen did not audit or review any of the information provided, nor have we performed an
examination of internal controls in accordance with standards promulgated by the American Institute of
Certified Public Accountants; therefore, we do not provide any assurance over the accuracy and adequacy
of the information that management has provided.
In addition, the procedures performed by LarsonAllen are not a substitution for management’s
responsibility to maintain a system of controls to mitigate enterprise-wide risk. The enterprise-wide risk
assessment project was designed to provide the System with insight to inherent and specific risks
throughout the System. While potential characteristics of unsupported financial and operational activity
may be identified, our procedures alone cannot identify errors and irregularities related to the scope of
this project.
We appreciate the opportunity to assist the North Dakota University System. Management and staff
involved in the process were a pleasure to work with and very open to sharing their opinions and
knowledge. This cooperation was invaluable to the outcome of this project. If you have any questions,
please feel free to contact us for assistance.
Sincerely,
LarsonAllen LLP
Craig W. Popenhagen, CPA
Principal
612/397-3087
220 South Sixth Street, Suite 300
Minneapolis, MN 55402-1436
612-376-4500, Fax 612-376-4850
Table of Contents
Executive Summary
  What is Risk Assessment?
  Risk Assessment Methodology
Project Overview
  Objectives and Scope
  Approach
Risk Assessment Results
  Enterprise-Wide Risk Map
  Detailed Results
Appendix
  Impact Criteria
  Vulnerability Criteria
Executive Summary
LarsonAllen LLP (LarsonAllen) performed an enterprise-wide risk assessment for the North Dakota
University System. This included identifying and ranking the key financial, operational, strategic, and
information technology (IT) processes within the organization based on inherent and specific risks. The
overall risk for each process was based upon the process’s potential impact to the organization and the
vulnerability of the risk occurring given the current environment. The risk environment is dynamic and
will continue to change; therefore, risk should be assessed on an ongoing basis with a formal
enterprise-wide risk assessment performed periodically.
Documentation for the risk assessment consists of an enterprise-wide risk map encompassing the
significant functional areas or processes within the System. The enterprise-wide risk map is a graphical
representation of the relative impact and vulnerability of a risk event for each of the key financial,
operational, and IT processes. Detailed results are also provided communicating the explanation for the
risk ranking and recommendations for addressing the risks.
What is Risk Assessment?
Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse
conditions and/or events and their potential effects on the System. The process starts with identifying
risks associated with business objectives linked through all levels of the System whether it is entity or
process level.
Entity level is the cornerstone for effective control and its objectives provide guidance on what the
entity wants to achieve. It should be consistent with budget, strategy, and business plans.
Process level should align with entity level objectives but differ in that they relate directly to goal
setting with specific targets and deadlines. It provides guidance for management focus.
Risk Assessment Methodology
The following model illustrates the LarsonAllen methodology utilized throughout the enterprise-wide risk assessment for the North Dakota University System.
Understand the Client’s Business: We begin by understanding the System’s business by gathering the
business objectives, goals, and strategies and identifying the System’s various universities and colleges, in
addition to the key financial, operational, and IT processes within each university and college. Next, we
assess the external and internal risks related to the industry.
Develop Risk Model: We begin by defining risk and creating a risk framework. Risk is an event or
condition that can negatively affect the ability of the System to achieve its objectives. Risks are generally
thought to be associated with taking actions; however, risks can also occur when no action is taken in the
form of missed opportunities. There are six types of risks:
Strategic: The risk that business objectives will not be met due to poorly defined business strategies,
poorly communicated strategies, or the System’s inability to execute these strategies due to
inadequate organizational structure, infrastructure or alignment. Strategic risk is managed by
appropriate organizational governance. Failure to adequately plan and execute against organizational
goals may result in significant damage to the System’s reputation.
Financial: The risk that the System’s financial reporting is inaccurate, incomplete, or untimely due
to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large
error, or the pressure on management to meet certain expectations.
Operational: The risk that the System’s operational processes are not achieving the objectives they
were designed for to support the business model. This risk addresses inefficient operations, poor
alignment of processes with objectives and strategies, failure to protect assets, etc.
Legal/Regulatory: The System is subject to a variety of federal, state and local laws, regulations and
directives, or accreditation agencies. Failure to follow prescribed directives may result in substantial
fines, restrictions, loss of business, and/or legal action taken by regulators.
Technology: This risk considers the level of use, sophistication, complexity, robustness, ease of use
and speed, and accuracy of recovery/replacement of systems. This risk addresses the overall
importance of technology within the System and the availability and quality of information the
System can access to support decision making, and the security of key information.
Human Capital: This risk addresses the type of behaviors encouraged by management; the methods
used to reward employees; the approach to consistently enforce policies and procedures; the selection,
screening, and training of employees; and the reason and frequency of turnover. It also includes the
length, consistency, and nature of business relationships, including the handling of sensitive or
confidential information and the risk that business interruption would seriously impact those
relationships.
Next, we define impact and vulnerability criteria applicable to the System to be utilized as a tool for risk
ranking procedures. In determining risk within the financial, operational, and IT processes, we assessed
the impact of the process to the organization and the vulnerability that a risk would occur by evaluating
the underlying attributes of the process and by assessing the effectiveness of the control environment
around that process. The criteria are defined in terms of high, moderate, and low. See illustration below
for definitions.
Areas of Focus Definitions
Impact: Financial; Stakeholder; Reputation; Legal / Regulatory; Operations
Vulnerability: Control Efficiency & Operating Effectiveness; Speed of Response; Complexity; People; Operational Efficiency; System Capability; Rate of Change
Measurement Scale: High Risk; Moderate Risk; Low Risk
Execute Risk Assessment Approach: We begin by identifying various interview participants, including
key risk owners, and conducting interviews, as applicable. Key risks are gathered during this stage and results
are ranked by defined impact and vulnerability criteria.
Prioritize and Validate Risk: Risks identified are prioritized and placed on an enterprise-wide risk map.
An enterprise-wide risk map is a graphic tool that assists in plotting the relative impact and
vulnerability of a risk event for each of the key financial, operational, and IT processes. Risks are then
validated and shared with management, as appropriate. By prioritizing and validating risks, the System
can align and prioritize its resources to manage and mitigate risks appropriately.
Project Overview
Objectives and Scope
The objective of the enterprise-wide risk assessment was to identify the key financial, operational, and IT
processes at the System and assess the levels of risk within each of the process areas. In addition, the
assessment was intended to provide management with visibility into the process areas that contain the
highest potential risk, as determined by the risk assessment process.
The scope of the enterprise-wide risk assessment included the following functional areas / processes
within the System:
Functional Area / Process: Detailed Coverage of Functional Area / Process
Academic Affairs: On-line education, academic experience, employee/faculty responsibilities, academic data, enrollment
Athletics: Ticket revenue, concessions revenue, fund raising, athletic scholarships, league compliance, player and spectator liability
Campus Safety & Security: Building security, campus police/security
Continuing Education: Non-credit courses, community programs, workforce training, conference management
Emergency Preparedness: Emergency preparedness and response procedures, business continuity, risk management
Environmental Health & Safety: Physical safety and soundness of campus buildings, environmental risks, facilities/classroom
Financial Close & Reporting: Reconciliations, financial statements, segregation of duties, budgeting, estimates and judgments, annual close process, financial processes
Governance: General counsel, policies and procedures, internal audit and compliance, executive oversight, regulatory requirements (federal and state), statistical data, affirmative action
Grant Administration: Grant tracking and monitoring, accounting, budgeting, reporting
Human Resources & Payroll: Payroll, benefits, records management, FTE workload, job descriptions, recruiting, hiring, terminations, performance monitoring, new hire integration, employee retention
Information Technology: IT infrastructure, security (logical and physical), operations, change management, disaster recovery, data reporting capabilities, hardware and software, applications, servers, wireless networks, help desk
Marketing / Communications: Social media, publications, web development, brand and logo, advertising channels
Operations & Auxiliary Services: Bookstore, libraries, food services
Faculty & Staff: Workforce training, competency, professional environment, conflict of interest
Student Affairs: Student experience, registrar, student data, housing, campus use, counseling, academic support, career services, recruiting, health services
Student Financial Processing: Student financial aid, tuition, enrollment fees, scholarships, funding, student loan processing
Approach
With the assistance of North Dakota University System management, LarsonAllen identified 10 key
process owners in the significant financial, operational, and IT processes. Key process owners were
interviewed for the purpose of assessing the inherent and specific risks associated with each functional
area.
Upon completion of the interviews, the inherent and specific risks identified in each process were
prioritized and placed on the enterprise-wide risk map based on the impact of the process to the
organization, and the vulnerability of the risk occurring (see Appendix A for further description of the
definitions of impact and vulnerability criteria).
Note that risks identified at the institutional level that were System related, or whose recommendations
involved the System, were communicated in the institution reports and were also included in the System
report.
Risk Assessment Results
Enterprise-Wide Risk Map
The enterprise-wide risk map communicates the risk results at the functional area / process based on the
information obtained during the interviews. The description of the risk map is as follows:
Green – Low Risk
Yellow – Moderate Risk
Red – High Risk
The following functional areas / processes are not on the above risk map as there were no risks
identified by stakeholders, per the interview discussions:
Athletics
Campus safety & security
Continuing education
Emergency preparedness
Environmental health & safety
Operations & auxiliary services
Student affairs
Student financial processing
Detailed Results
Per discussions with process owners, LarsonAllen identified several processes where specific risks may exist. These risks iden
risk ranking of each key financial, operational, and IT processes. The risks identified were based upon discussions with proces
testing of controls. The following is a list of the risks identified by LarsonAllen, in addition to the risk ranking and recommend
Functional Area / Process | Risk Ranking | Identified Risk | Proposed Recommendations
Functional Area / Process: Academic Affairs
Risk Ranking: High
Identified Risk: Forecasts predict that there will be a significant decrease in student enrollment by 2017 due to a decrease in the overall population in North Dakota.
Proposed Recommendations: No proposed recommendation.
Agree. T
similar
will take
continu
Risk Ranking: High
Identified Risk: Several campuses are behind in technology used to deliver online classes. In addition, differing tools are used across the System.
Proposed Recommendations: Assess each institution’s technology used to deliver online classes and identify individual campus or system-wide improvements. Consider consistency of approach in the use of on-line development software to assist in training, lowering barriers to use, and possible cost reduction.
Agree. Wtaken in
instituti
manage
authenti
academisupport
institutioaddress
Risk Ranking: Moderate
Identified Risk: A for-profit institution entered into the state of North Dakota. This could have a negative impact on enrollment if for-profit and on-line institutions continue to enter the state.
Proposed Recommendations: No proposed recommendation.
Agree. R
Chancel
out of st
standard
understa
maintain
access to
Functional Area / Process: Governance
Risk Ranking: High
Identified Risk: The System does not consistently operate as a unified system of higher education, with the primary focus on what is in the best interest of the student and state, as opposed to the institution. In addition, there is not a collaborative mentality within some institutions and it is not productive to meeting the state’s expectations.
Proposed Recommendations: In order for the System to truly operate as a unified system of higher education, it is important that the following is in place: 1) clear and strong SBHE direction, expectations, and support; 2) cooperation and support at all levels of the System; 3) adherence and respect for various roles and responsibilities; and performance accountability.
Agree. T
the SBH
Risk Ranking: Moderate
Identified Risk: Lack of general counsel resources at the System level to supply legal thought leadership and guidance to the nine institutions that do not maintain their own general counsel office.
Proposed Recommendations: Perform a cost/benefit analysis to determine the need to expand the number of general counsel resources at the System office to support the various institutions.
Agree. T
addition
additionyear-lon
legal se
steps wiforce re
Risk Ranking: Moderate
Identified Risk: Overall availability of funding was raised during each individual campus visit; however, it is only noted in a few select campus reports based on the level of institutional concern expressed. It should be noted that all institutions indicated funding is a challenge.
Proposed Recommendations: Funding levels for all NDUS institutions should be reviewed, and adjusted as necessary.
Agree. T
Governo
develop
addition
develop
compon
Functional Area / Process: Grant Administration
Risk Ranking: High
Identified Risk: PeopleSoft may not have the complete capability to track and monitor effort reporting, resulting in the inability to produce all information needed for a compliance review. In addition, there are concerns that institutions would not be in compliance.
Proposed Recommendations: Ensure that the institutions are following consistent best practice business procedures at all institutions.
Review the current methods to track and monitor effort reporting to determine if enhancements could be made to the current reporting methods.
Alternatively, consider purchasing a grant and effort reporting tool to enhance reporting accuracy and produce information needed internally and for compliance reviews. This will not be successful without consistent business processes at the institutions.
Agree. W
instituti
institutieffort.
The aud
processe
determi
practice
enhance
If it is d
an RFP
addition
Functional Area / Process: Information Technology
Risk Ranking: Low
Identified Risk: Several students were inappropriately suspended at NDSU due to incorrect academic reporting from PeopleSoft, specifically issues with reporting for students taking repeat courses. However, multiple new end-of-term processes have been put into place to identify future instances of this problem.
Proposed Recommendations: Review the current change management process specific to PeopleSoft reports to determine if adequate policies and procedures are in place to test and approve changes to reports. In addition, identify the root cause of the issue and determine if the issue has been resolved.
Agree. T
the codin
NDUS a
bundle 1Once the
determin
the fall s
institutio
given socould de
impleme
repeat pr
suspensiaddition
suspensi
Functional Area / Process: Marketing & Communications
Risk Ranking: Low
Identified Risk: Negative information could potentially be received by the media prior to the System office becoming aware of an issue.
Proposed Recommendations: No proposed recommendation.
Agree.
Functional Area / Process: Faculty & Staff
Risk Ranking: High
Identified Risk: Overall employee work load at the System office is a concern. Most functional areas identified some level of staff needs to meet state, SBHE and campus expectations. In addition, areas of expertise are insufficient to meet the demands and expectations (i.e. capital projects, compliance, HR).
Proposed Recommendations: Perform an assessment to determine how resources are being utilized across all functional areas, tracking of hours worked, efficiencies that could be gained, etc. Determine if additional resources are needed and what specific areas of expertise they are needed.
Agree. T
priority
staff as recomm
Risk Ranking: Moderate
Identified Risk: There has been a high turnover rate in key leadership positions in the last several years at both the System and institution level, specifically vice presidents, presidents and Chancellor.
Proposed Recommendations: No proposed recommendation.
Agree.

Risk Ranking: Moderate
Identified Risk: The housing market (nation-wide), rural nature of North Dakota, and the perception of North Dakota has had an impact on the ability to attract personnel system-wide with the appropriate qualifications to fill open positions.
Proposed Recommendations: No proposed recommendation.
Agree.
Appendix