meeting of the board of trustees - university of north ......amanda balwah, secretary of the...
TRANSCRIPT
December 4, 2018
University of North Carolina School of the Arts
Kilpatrick Townsend & Stockton, LLP
1001 West Fourth Street
Winston-Salem, NC 27101
COMMITTEE MEMBERS:
Stephen Berlin, Chair
Pete Brunstetter
Anna Folwell
Rob King
Ralph Womble, ex officio
COMMITTEE STAFF:
Shannon Henry, Chief Audit, Risk, and Compliance Officer
David Harrison, General Counsel
Jim DeCristo, Vice Chancellor for Economic Development and Chief of Staff
Michael Smith, Vice Chancellor for Finance and Administration
Amanda Balwah, Secretary of the University
Michael Dodds, Faculty Council Representative
Martha Golden, Faculty Council Representative
Sharon Fogarty, Staff Council Representative
Cindy Liberty, Foundation Liaison
AGENDA
OPEN SESSION
1. Call to Order and Confirm Quorum…………………………………….……..Chairman Berlin
2. Approval of Minutes from the September 18, 2018 Meeting...…………….Chairman Berlin
3. Enterprise Risk Management:………………………………………………..……Jim DeCristo
a. Update on Risk Priorities for 2018-2019
4. Matters of Governance and Compliance……………………………………..Shannon Henry
a. Information Governance and Security…......Greg Gleghorn, Director of Information
Security
5. Discussion of External Audits & Reviews (if any)..........S. Henry & Lisa McClinton,
Associate Vice Chancellor for Finance and Controller
MEETING OF THE BOARD OF TRUSTEES
Audit, Risk, and Compliance Committee
Note: Information related to any external audits or reviews released prior to the meeting will be
provided at the meeting.
6. Internal Audit Update…………………………………………………….Rod Isom & S. Henry
*Additional information related to any internal audits or reviews released prior to the meeting will
be provided at the meeting.
CLOSED SESSION
7. Approval of Minutes from the September 18, 2018 Meeting.……………….Chairman Berlin
8. Discussion of Special Reviews and Investigations (if any)………………Internal Audit Staff
OPEN SESSION
9. Other Business……………………………………………………Committee Members & Staff
10. Adjourn…………………………………………………………………………..Chairman Berlin
September 18, 2018 DRAFT Audit Committee Minutes – Open Session
DRAFT OPEN MINUTES
September 18, 2018
University of North Carolina School of the Arts
Law Office of Kilpatrick Townsend & Stockton LLP
Winston-Salem, North Carolina
TRUSTEES PRESENT
Steve Berlin (Chair)*, Pete Brunstetter*, Anna Folwell (phone)*, Rob King*, Ralph Womble (ex
officio)*
*denotes voting member
COMMITTEE STAFF PRESENT
Shannon Henry (Chief Audit, Risk, and Compliance Officer), David Harrison (General Counsel),
Amanda Balwah (Secretary of the University), Martha Golden (Faculty Council Representative),
OTHERS PRESENT
Rod Isom (Audit Manager), Devin Doss (Internal Auditor), Lisa McClinton (Controller), Greg
Gleghorn (Director of Information Security), Jim DeCristo (Chief of Staff), Michael Smith (Vice
Chancellor for Finance and Administration)
CONVENE MEETING AND CONFIRM QUORUM
Committee Chair Steve Berlin convened the Open Session of the University of North Carolina
School of the Arts Audit Committee at 4:00 p.m. A quorum was confirmed.
APPROVAL OF MINUTES
MOTION: Rob King moved to approve the minutes from the April 24, 2018 meeting. Pete
Brunstetter seconded and the minutes were unanimously approved.
ENTERPRISE RISK MANAGEMENT (ERM) AND COMPLIANCE
Shannon Henry, Chief Audit, Risk, and Compliance Officer, and Jim DeCristo, Chief of Staff,
presented the Risk Appetite Statement drafted by the ERM Steering Committee and approved
by Chancellor Bierman. The Risk Appetite Statement is a guide to assist with decisions about
which goals or operational tactics to pursue.
MOTION: Pete Brunstetter moved to approve the Enterprise Risk Management Appetite
Statement as presented. Rob King seconded and the motion was unanimously
approved.
Mr. DeCristo presented the risk priorities for the 2018-2019 academic year as identified by the
ERM Steering Committee:
MEETING OF THE BOARD OF TRUSTEES
Audit, Risk, and Compliance Committee
September 18, 2018 DRAFT Audit Committee Minutes – Open Session
Compensation packages offered by UNCSA may make it increasingly difficult to
attract nationally known, top-tier faculty who are needed to maintain the
School’s national reputation.
Scholarships and financial aid packages offered by UNCSA may not be
sufficiently competitive to attract top student talent, particularly from outside
North Carolina.
The condition of facilities and residence halls may decline to the point that it
significantly deters students from attending UNCSA.
UNCSA may be unable to attract a sufficiently diverse faculty and student body
needed to advance its brand and reputation.
MATTERS OF GOVERNANCE AND SECURITY
Greg Gleghorn, Director of Information Security, gave an information governance and security
update:
The next generation firewall was updated and installed in July 2018. The reason for the
next generation firewall is to detect the information that passes through the system and
reduce the number of illegal downloads. There have been zero illegal downloads since
the firewall has been operational.
The gap and crosswalk analysis has been completed. UNCSA IT has closed some of
the gaps identified by this analysis and will provide current information to the UNC
Security Council no later than September 30th.
There are several ongoing projects. IT Security is currently working on:
o Drafting a road map for UNCSA’s Information Security Program that addresses
the current vs. desired state;
o Evaluating endpoint security vendors;
o Fine tuning 14 information security ISO 27002 compliant policies that will be
submitted for cabinet approval; and
o Continuing to monitor new students and faculty that fall under EU’s General Data
Protection Regulation (GDPR). Currently there are 5 students that have been
identified on UNCSA’s campus that fall under GDPR. Mr. Gleghorn has flagged
these students for continuous compliance monitoring.
DISCUSSION OF EXTERNAL AUDITS AND REVIEWS
Shannon Henry, Chief Audit, Risk, and Compliance Officer, presented the following external
audits and reviews to the committee:
UNCSA Foundation, Inc. Consolidated Financial Statements FY2018
o Conducted by private CPA firm Smith Leonard Accountants and Consultants
o Clean audit with no issues to report
Lisa McClinton, Associate Vice Chancellor for Finance and Controller, discussed that the
Office of the State Auditor (OSA) is currently conducting the annual financial statement
audit and an audit of the university’s blended component units, the Housing and
Program Support Corporations, and should be completed by the middle of October.
o OSA will release the reports together in late October, early November. Lisa
explained that OSA is doing this because of the pending allegations against
Rives & Associates, an external auditor for UNCSA. Ms. McClinton explained
September 18, 2018 DRAFT Audit Committee Minutes – Open Session
that after the reports are issued from OSA, the University will decide what to do
moving forward as it relates to Rives & Associates.
DISCUSSION OF INTERNAL AUDIT’S REPORTS, OPEN PROJECTS, AND PLANS
CDI Review – Internal Controls
Ms. Henry reported that, post completion of the Center for Design Innovation (CDI)
investigation, an additional review was performed to identify control deficiencies that
could have led to the misappropriation of assets and assist the University in instituting
further mitigations to prevent future occurrences of issues with CDI equipment.
Mr. Isom reported that there were four deficiencies noted, and each were followed with
recommendations to correct the issues. The four deficiencies noted were:
1. Inadequate Control Measures;
2. A Deficient Exit Process;
3. Inadequate Contract Management; and
4. Failure to comply with Employment Disclosure Policies.
Mr. DeCristo has been appointed the Interim CDI Director, and reported that the
University accepts the findings and recommendations in the report. The
recommendations are in the implementation phase, and Mr. DeCristo expects to close it
out in 90 days.
Follow-up Memos
Ms. Henry discussed that follow-up reviews are being conducted to assess the state of
past identified issues.
Fiscal Year 2018 Recap
Internal Audit’s services for the year resulted in four reports that produced
recommendations for improvements in the following departments: Purchasing, Finance
& Administration, and Legal Affairs. The total contracted hours = 3,100 and actual hours
were 3,217.
Annual Risk Assessment and Updated Internal Audit Plan
Ms. Henry reported that Internal Audit completed its annual risk assessment.
Admissions Operations and Social Media audits have been added to the audit plan
based upon risk assessment results. UNCSA is utilizing the expertise from the System
Office to conduct a Title IX review.
David Harrison, General Counsel, reported that he will be hiring an Interim Title IX
Coordinator that will be reporting to him.
MOTION: Rob King moved to approve the 2018-19 audit plan as presented. Pete
Brunstetter seconded and the motion was unanimously approved.
September 18, 2018 DRAFT Audit Committee Minutes – Open Session
Review of Committee and Office Charters
Internal auditing standards require a periodic review of the Internal Audit Charter by
senior management and the board.
The Audit, Risk, and Compliance Committee (ARCC) is charged with the responsibility to
direct and/or oversee the university’s activities and hold senior management
accountable.
The Internal Audit Charter is a formal document that defines the internal audit activity’s
purpose, authority, and responsibility. It further establishes the activity’s position within
the organization; authorizes access to records, personnel, and physical properties
relevant to the performance of engagements; and defines the scope of audit activities.
Ms. Henry reviewed the Audit, Risk, and Compliance Charter and the Internal Audit
Charter; and asked that the committee review the same. No updates or changes are
considered necessary at this time.
CLOSED SESSION
MOTION: Pete Brunstetter moved to go into closed session to prevent the disclosure of
privileged Internal Auditor’s work papers, under Section 116-40.7 of the North Carolina
General Statutes. Rob King seconded and the motion was unanimously approved.
ADJOURNMENT
After returning to Open Session, there was no further business to discuss. Chairman Berlin
adjourned the meeting at 4:53 p.m.
Respectfully submitted by: Amanda G. Balwah Assistant Secretary to the Board of Trustees
AGENDA ITEM
Enterprise Risk Management………...………….…….presented by Jim DeCristo, Chief of Staff
Summary: The Enterprise Risk Management (ERM) Steering Committee has identified four risks
that are priorities for the 2018-2019 academic year. Progress has been made in thoroughly
examining and evaluating these risks while determining appropriate mitigations. The Steering
Committee Chair and ERM Coordinator have met with each Priority Risk Owner at least once,
and each Priority Risk Team is having individual meetings. Regular meetings will resume
throughout the winter to develop concrete actions that will be implemented in the winter and
spring. A more detailed progress update will be provided at the February 2019 meeting.
Action: This agenda item is for informational purposes only.
MEETING OF THE BOARD OF TRUSTEES
Audit, Risk, and Compliance Committee Tuesday, December 4, 2018
4 – 5:00 PM
AGENDA ITEM
Information Security Update.……presented by Greg Gleghorn, Director of Information Security
Summary:
No significant changes from last board meeting. We are still on milestone 2 of the information
security road map. Targeted completion of milestone 2 is December 2018, however this date
may change as we wait for the new CIO to come on board. Below are the current projects
underway for Milestone 2.
Evaluating Microsoft’s Advanced Threat Protection, Multi-Factor Authentication, Data
Loss Prevention, Encryption, Anti-phishing Protection, Safe Links and Attachments.
Implemented cabinet impersonation rules to provide a control against phishing attempts
impersonating cabinet level members.
Implementing and testing End Point Protection McAfee ePO Orchestrator for central
management
Fine Tuning 10 information security ISO 27002 compliant policies prior to submitting for
cabinet approval
Action: This is for informational purposes only.
MEETING OF THE BOARD OF TRUSTEES
Audit, Risk, and Compliance Committee Tuesday, December 4, 2018
4 – 5:00 PM
AGENDA ITEM
External Financial Statement Audits…………….….Lisa McClinton, Associate Vice Chancellor
for Finance and Controller
Summary: The NC Office of State Auditor conducted the FY 2018 audits for the University,
UNCSA Housing Corporation, and UNCSA Program Support Corporation.
UNCSA Financial Statement Audit for Fiscal Year 2018 - The University received a clean
financial statement audit with no issues to report.
UNCSA Housing Corporation Financial Statement Audit 2018 - Housing Corp. received
a clean audit with no issues to report.
UNCSA Program Support Corporation Financial Statement Audit 2018 – Program
Support Corp. received a clean audit with no issues to report.
A clean financial statement audit means that stakeholders can place reliance on the reported
numbers; that there are no material misstatements. While clean annual Financial Statement
Audits are a good thing, they do not give insight into whether or not there is fraud, waste, or
abuse, or if the school and/or foundations uses its resources efficiently.
Action: This item is for informational purposes only.
MEETING OF THE BOARD OF TRUSTEES
Audit, Risk, and Compliance Committee Tuesday, December 4, 2018
4 – 5:00 PM
AGENDA ITEM
Internal Audit Activity Update………………………….. presented by Rod Isom & Shannon Henry
Summary of Internal Audit Reviews:
1. In-Progress Internal Audit Reviews*
o Human Resources – Control Environment Review
2. Summary of Observations and Recommendations for FY2019 – YTD
3. Other Internal Audit Activity
o Results of Internal Audit Activity for FY2018
4. Next Planned Reviews**
o Vendor Contract Review - Follow-up Audit
o Environmental Health and Safety
* Internal Audit Reports released prior to the meeting will be provided at the meeting. Additional
information related to in-progress work may be shared in closed session to protect the confidentiality of
Internal Audit’s work papers.
Action: This item is for informational purposes only.
MEETING OF THE BOARD OF TRUSTEES
Audit, Risk, and Compliance Committee Tuesday, December 4, 2018
4 – 5:00 PM