meeting of the board of trustees - university of north ......amanda balwah, secretary of the...

December 4, 2018

University of North Carolina School of the Arts

Kilpatrick Townsend & Stockton, LLP

1001 West Fourth Street

Winston-Salem, NC 27101

COMMITTEE MEMBERS:

Stephen Berlin, Chair

Pete Brunstetter

Anna Folwell

Rob King

Ralph Womble, ex officio

COMMITTEE STAFF:

Shannon Henry, Chief Audit, Risk, and Compliance Officer

David Harrison, General Counsel

Jim DeCristo, Vice Chancellor for Economic Development and Chief of Staff

Michael Smith, Vice Chancellor for Finance and Administration

Amanda Balwah, Secretary of the University

Michael Dodds, Faculty Council Representative

Martha Golden, Faculty Council Representative

Sharon Fogarty, Staff Council Representative

Cindy Liberty, Foundation Liaison

AGENDA

OPEN SESSION

1. Call to Order and Confirm Quorum…………………………………….……..Chairman Berlin

2. Approval of Minutes from the September 18, 2018 Meeting...…………….Chairman Berlin

3. Enterprise Risk Management:………………………………………………..……Jim DeCristo

a. Update on Risk Priorities for 2018-2019

4. Matters of Governance and Compliance……………………………………..Shannon Henry

a. Information Governance and Security…......Greg Gleghorn, Director of Information

Security

5. Discussion of External Audits & Reviews (if any)..........S. Henry & Lisa McClinton,

Associate Vice Chancellor for Finance and Controller

MEETING OF THE BOARD OF TRUSTEES

Audit, Risk, and Compliance Committee

Note: Information related to any external audits or reviews released prior to the meeting will be

provided at the meeting.

6. Internal Audit Update…………………………………………………….Rod Isom & S. Henry

*Additional information related to any internal audits or reviews released prior to the meeting will

be provided at the meeting.

CLOSED SESSION

7. Approval of Minutes from the September 18, 2018 Meeting.……………….Chairman Berlin

8. Discussion of Special Reviews and Investigations (if any)………………Internal Audit Staff

OPEN SESSION

9. Other Business……………………………………………………Committee Members & Staff

10. Adjourn…………………………………………………………………………..Chairman Berlin

September 18, 2018 DRAFT Audit Committee Minutes – Open Session

DRAFT OPEN MINUTES

September 18, 2018

University of North Carolina School of the Arts

Law Office of Kilpatrick Townsend & Stockton LLP

Winston-Salem, North Carolina

TRUSTEES PRESENT

Steve Berlin (Chair)*, Pete Brunstetter*, Anna Folwell (phone)*, Rob King*, Ralph Womble (ex

officio)*

*denotes voting member

COMMITTEE STAFF PRESENT

Shannon Henry (Chief Audit, Risk, and Compliance Officer), David Harrison (General Counsel),

Amanda Balwah (Secretary of the University), Martha Golden (Faculty Council Representative),

OTHERS PRESENT

Rod Isom (Audit Manager), Devin Doss (Internal Auditor), Lisa McClinton (Controller), Greg

Gleghorn (Director of Information Security), Jim DeCristo (Chief of Staff), Michael Smith (Vice

Chancellor for Finance and Administration)

CONVENE MEETING AND CONFIRM QUORUM

Committee Chair Steve Berlin convened the Open Session of the University of North Carolina

School of the Arts Audit Committee at 4:00 p.m. A quorum was confirmed.

APPROVAL OF MINUTES

MOTION: Rob King moved to approve the minutes from the April 24, 2018 meeting. Pete

Brunstetter seconded and the minutes were unanimously approved.

ENTERPRISE RISK MANAGEMENT (ERM) AND COMPLIANCE

Shannon Henry, Chief Audit, Risk, and Compliance Officer, and Jim DeCristo, Chief of Staff,

presented the Risk Appetite Statement drafted by the ERM Steering Committee and approved

by Chancellor Bierman. The Risk Appetite Statement is a guide to assist with decisions about

which goals or operational tactics to pursue.

MOTION: Pete Brunstetter moved to approve the Enterprise Risk Management Appetite

Statement as presented. Rob King seconded and the motion was unanimously

approved.

Mr. DeCristo presented the risk priorities for the 2018-2019 academic year as identified by the

ERM Steering Committee:


Audit, Risk, and Compliance Committee


Compensation packages offered by UNCSA may make it increasingly difficult to

attract nationally known, top-tier faculty who are needed to maintain the

School’s national reputation.

Scholarships and financial aid packages offered by UNCSA may not be

sufficiently competitive to attract top student talent, particularly from outside

North Carolina.

The condition of facilities and residence halls may decline to the point that it

significantly deters students from attending UNCSA.

UNCSA may be unable to attract a sufficiently diverse faculty and student body

needed to advance its brand and reputation.

MATTERS OF GOVERNANCE AND SECURITY

Greg Gleghorn, Director of Information Security, gave an information governance and security

update:

The next generation firewall was updated and installed in July 2018. The reason for the

next generation firewall is to detect the information that passes through the system and

reduce the number of illegal downloads. There have been zero illegal downloads since

the firewall has been operational.

The gap and crosswalk analysis has been completed. UNCSA IT has closed some of

the gaps identified by this analysis and will provide current information to the UNC

Security Council no later than September 30th.

There are several ongoing projects. IT Security is currently working on:

o Drafting a road map for UNCSA’s Information Security Program that addresses

the current vs. desired state;

o Evaluating endpoint security vendors;

o Fine tuning 14 information security ISO 27002 compliant policies that will be

submitted for cabinet approval; and

o Continuing to monitor new students and faculty that fall under EU’s General Data

Protection Regulation (GDPR). Currently there are 5 students that have been

identified on UNCSA’s campus that fall under GDPR. Mr. Gleghorn has flagged

these students for continuous compliance monitoring.

DISCUSSION OF EXTERNAL AUDITS AND REVIEWS

Shannon Henry, Chief Audit, Risk, and Compliance Officer, presented the following external

audits and reviews to the committee:

UNCSA Foundation, Inc. Consolidated Financial Statements FY2018

o Conducted by private CPA firm Smith Leonard Accountants and Consultants

o Clean audit with no issues to report

Lisa McClinton, Associate Vice Chancellor for Finance and Controller, discussed that the

Office of the State Auditor (OSA) is currently conducting the annual financial statement

audit and an audit of the university’s blended component units, the Housing and

Program Support Corporations, and should be completed by the middle of October.

o OSA will release the reports together in late October, early November. Lisa

explained that OSA is doing this because of the pending allegations against

Rives & Associates, an external auditor for UNCSA. Ms. McClinton explained


that after the reports are issued from OSA, the University will decide what to do

moving forward as it relates to Rives & Associates.

DISCUSSION OF INTERNAL AUDIT’S REPORTS, OPEN PROJECTS, AND PLANS

CDI Review – Internal Controls

Ms. Henry reported that, post completion of the Center for Design Innovation (CDI)

investigation, an additional review was performed to identify control deficiencies that

could have led to the misappropriation of assets and assist the University in instituting

further mitigations to prevent future occurrences of issues with CDI equipment.

Mr. Isom reported that there were four deficiencies noted, and each were followed with

recommendations to correct the issues. The four deficiencies noted were:

1. Inadequate Control Measures;

2. A Deficient Exit Process;

3. Inadequate Contract Management; and

4. Failure to comply with Employment Disclosure Policies.

Mr. DeCristo has been appointed the Interim CDI Director, and reported that the

University accepts the findings and recommendations in the report. The

recommendations are in the implementation phase, and Mr. DeCristo expects to close it

out in 90 days.

Follow-up Memos

Ms. Henry discussed that follow-up reviews are being conducted to assess the state of

past identified issues.

Fiscal Year 2018 Recap

Internal Audit’s services for the year resulted in four reports that produced

recommendations for improvements in the following departments: Purchasing, Finance

& Administration, and Legal Affairs. The total contracted hours = 3,100 and actual hours

were 3,217.

Annual Risk Assessment and Updated Internal Audit Plan

Ms. Henry reported that Internal Audit completed its annual risk assessment.

Admissions Operations and Social Media audits have been added to the audit plan

based upon risk assessment results. UNCSA is utilizing the expertise from the System

Office to conduct a Title IX review.

David Harrison, General Counsel, reported that he will be hiring an Interim Title IX

Coordinator that will be reporting to him.

MOTION: Rob King moved to approve the 2018-19 audit plan as presented. Pete

Brunstetter seconded and the motion was unanimously approved.


Review of Committee and Office Charters

Internal auditing standards require a periodic review of the Internal Audit Charter by

senior management and the board.

The Audit, Risk, and Compliance Committee (ARCC) is charged with the responsibility to

direct and/or oversee the university’s activities and hold senior management

accountable.

The Internal Audit Charter is a formal document that defines the internal audit activity’s

purpose, authority, and responsibility. It further establishes the activity’s position within

the organization; authorizes access to records, personnel, and physical properties

relevant to the performance of engagements; and defines the scope of audit activities.

Ms. Henry reviewed the Audit, Risk, and Compliance Charter and the Internal Audit

Charter; and asked that the committee review the same. No updates or changes are

considered necessary at this time.

CLOSED SESSION

MOTION: Pete Brunstetter moved to go into closed session to prevent the disclosure of

privileged Internal Auditor’s work papers, under Section 116-40.7 of the North Carolina

General Statutes. Rob King seconded and the motion was unanimously approved.

ADJOURNMENT

After returning to Open Session, there was no further business to discuss. Chairman Berlin

adjourned the meeting at 4:53 p.m.

Respectfully submitted by: Amanda G. Balwah Assistant Secretary to the Board of Trustees

AGENDA ITEM

Enterprise Risk Management………...………….…….presented by Jim DeCristo, Chief of Staff

Summary: The Enterprise Risk Management (ERM) Steering Committee has identified four risks

that are priorities for the 2018-2019 academic year. Progress has been made in thoroughly

examining and evaluating these risks while determining appropriate mitigations. The Steering

Committee Chair and ERM Coordinator have met with each Priority Risk Owner at least once,

and each Priority Risk Team is having individual meetings. Regular meetings will resume

throughout the winter to develop concrete actions that will be implemented in the winter and

spring. A more detailed progress update will be provided at the February 2019 meeting.

Action: This agenda item is for informational purposes only.


Audit, Risk, and Compliance Committee Tuesday, December 4, 2018

4 – 5:00 PM

AGENDA ITEM

Information Security Update.……presented by Greg Gleghorn, Director of Information Security

Summary:

No significant changes from last board meeting. We are still on milestone 2 of the information

security road map. Targeted completion of milestone 2 is December 2018, however this date

may change as we wait for the new CIO to come on board. Below are the current projects

underway for Milestone 2.

Evaluating Microsoft’s Advanced Threat Protection, Multi-Factor Authentication, Data

Loss Prevention, Encryption, Anti-phishing Protection, Safe Links and Attachments.

Implemented cabinet impersonation rules to provide a control against phishing attempts

impersonating cabinet level members.

Implementing and testing End Point Protection McAfee ePO Orchestrator for central

management

Fine Tuning 10 information security ISO 27002 compliant policies prior to submitting for

cabinet approval

Action: This is for informational purposes only.



4 – 5:00 PM

AGENDA ITEM

External Financial Statement Audits…………….….Lisa McClinton, Associate Vice Chancellor

for Finance and Controller

Summary: The NC Office of State Auditor conducted the FY 2018 audits for the University,

UNCSA Housing Corporation, and UNCSA Program Support Corporation.

UNCSA Financial Statement Audit for Fiscal Year 2018 - The University received a clean

financial statement audit with no issues to report.

UNCSA Housing Corporation Financial Statement Audit 2018 - Housing Corp. received

a clean audit with no issues to report.

UNCSA Program Support Corporation Financial Statement Audit 2018 – Program

Support Corp. received a clean audit with no issues to report.

A clean financial statement audit means that stakeholders can place reliance on the reported

numbers; that there are no material misstatements. While clean annual Financial Statement

Audits are a good thing, they do not give insight into whether or not there is fraud, waste, or

abuse, or if the school and/or foundations uses its resources efficiently.

Action: This item is for informational purposes only.



4 – 5:00 PM

AGENDA ITEM

Internal Audit Activity Update………………………….. presented by Rod Isom & Shannon Henry

Summary of Internal Audit Reviews:

1. In-Progress Internal Audit Reviews*

o Human Resources – Control Environment Review

2. Summary of Observations and Recommendations for FY2019 – YTD

3. Other Internal Audit Activity

o Results of Internal Audit Activity for FY2018

4. Next Planned Reviews**

o Vendor Contract Review - Follow-up Audit

o Environmental Health and Safety

* Internal Audit Reports released prior to the meeting will be provided at the meeting. Additional

information related to in-progress work may be shared in closed session to protect the confidentiality of

Internal Audit’s work papers.

Action: This item is for informational purposes only.



4 – 5:00 PM

meeting of the board of trustees - university of north ......amanda balwah, secretary of the...

Documents