
Preliminary Risk Analysis and Proposed FY 2011 Internal Audit Scope

Illinois Institute of Technology
December 21st, 2010

© Grant Thornton LLP. All rights reserved.

Table of Contents

I. Executive Summary
  Assessment Objectives (slide 3)
  Risk Assessment Scope and Approach (slide 4)
  Project Participants (slides 5-6)
  Significant Observations and Considerations (slide 7)
  Identifying Opportunities for Improvement (slide 8)
  Overall Risk Analysis Results (slide 9)
  Proposed 2011 Internal Audit Plan (slides 10-11)

II. Appendix – Detail Analysis
  Audit Universe Listing – Business Processes (slide 13)
  IIT Risk Analysis (slides 14-18)
  Business Risk Profiling Analysis (slides 19-22)


Risk Assessment Objectives

• Assist Illinois Institute of Technology ("IIT") management and the Board in identifying the relevant risks associated with the University's different business activities and in assessing the inherent risk significance of each

• Identify the audit universe and considerations for internal audit attention to 11 business processes and 63 sub-processes at IIT

• Assist IIT management and the Board in creating the FY 2011 – 2013 audit plan

• Increase practical awareness of risk and controls amongst IIT management


Risk Assessment Scope and Approach

• Conducted 15 interviews as a basis for analysis, observations and recommendations

• Reviewed key documents such as audited financial statements, organization charts, prior year’s audit reports, available policies and procedures, and the strategic plan

• Utilized Grant Thornton's proprietary risk model which is based on the Committee of Sponsoring Organizations (COSO*) Internal Control - Integrated Framework

Note: Our review did NOT include the performance of audit testing procedures or validation activities around any observations noted

* COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance.


Risk Assessment Participants

Illinois Institute of Technology

• John Anderson – President
• Pat Laughlin – Chief Financial Officer
• Brian Laffey – Controller
• Mary Ann Smith – General Counsel
• Ophir Trigalo – Chief Information Officer
• Alan Cramb – Provost & Senior Vice President for Academic Affairs
• David McCormick – Senior Vice President, Director of IIT Research Institute
• Donna Taylor – Accounts Payable Manager
• Betsy Hughes – Vice President for Institutional Advancement
• Bruce Mueller – Chief People Officer
• Sharon Muldrow-Thomas – Payroll Manager
• Jatan Clark – Director, Grants and Contract Accounting
• Deb Casales – Bursar
• Domenica Pappas – Director of Sponsored Research and Programs
• Frank FioRito – Purchasing Manager


Risk Assessment Participants

Grant Thornton

• Steve Siemborski – Regional Practice Leader

• Larry Ladd – National Director, Higher Education Practice

• Rick O’Callaghan – Senior Manager

• Nick Saracco – Senior Associate


Observations and Considerations

• An extensive list of over 60 audit universe considerations has been identified for IIT across the university, including areas outside of the Finance and Administration functions.

• The areas of highest ‘inherent risk’ are not necessarily the areas of focus to select for the first year of the internal audit plan. In some cases, controls are considered to be commensurate with risk, or have been recently audited and found to be effective, and can therefore be appropriately scheduled in the second or third year of the audit plan.

• The distributed or decentralized nature of certain operations within a University heightens the inherent risk of inaccurate or incomplete management and financial information as well as the misappropriation of assets. This suggests a need for broad annual internal audit coverage and an audit approach and methodology that maximizes audit coverage within each review.

• Opportunities for immaterial theft, fraud or misappropriation of resources that go undetected for some time appear to be higher in lower-risk areas, e.g., auxiliary enterprises. Because the aggregate impact of such losses could be significant, internal audit coverage should include certain lower-risk areas on a rotational basis, and should also include lower-risk areas when sample testing higher-risk processes across the University.


Identifying Opportunities for Improvement


• In every audit to be conducted, identifying potential opportunities for process improvement and cost savings is an expected outcome. Although audit procedures are primarily designed to evaluate the effectiveness and efficiency of internal controls and compliance with established policies and regulations, opportunities for operational improvements and/or direct or indirect cost savings are inevitably found through the audit process.

• Examples of some opportunities to improve internal controls identified through our discussions with management during the risk assessment include:

– The need to formalize, codify and/or reevaluate University policies and procedures, including trustee-level policies (e.g., conflict of interest, investment approval), financial/accounting policies (e.g., accounts receivable, payables, capital construction) and information technology policies (e.g., information security, application change management).

– The opportunity to strengthen control and security over IT assets through a periodic review of user access, and of information / network security, for critical IT applications, systems and resources, so that access remains restricted to appropriate personnel and segregation of duties is enforced on an ongoing basis.

– The need for a disaster recovery and business continuity plan containing an appropriate level of detail, integrated with business process priorities and with a crisis management plan, so that it is effective in reducing the impact on university operations in the event of an IT systems outage.

– The need to reevaluate and enhance the controls around the use of endowment funds.
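The user-access review and segregation-of-duties item above is the one recommendation on this slide that can be turned into a repeatable check. The following is an added example, not code from the Grant Thornton report or from any IIT system: a small Python access review that takes an application access export and flags users who hold both halves of a purchase-to-pay transaction, terminated staff still provisioned, and accounts idle beyond a threshold. The role names, the toxic-combination rules and the sample records are constructed assumptions, chosen to mirror the purchasing and accounts payable areas in the audit plan.

```python
"""Periodic user-access review: flag segregation-of-duties (SoD) conflicts and
stale accounts in a constructed access export.

Added example. Role names, rules and records below are assumptions, not IIT's
actual configuration or data.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Account:
    user: str
    roles: FrozenSet[str]        # entitlements granted in the application
    last_login: Optional[date]   # None means the account has never logged in
    hr_status: str               # "active" or "terminated" per the HR roster


# Hypothetical toxic combinations: one person holding both halves of a
# purchase-to-pay transaction can create and pay a fictitious vendor, or order
# goods and confirm their own receipt.
SOD_RULES = {
    "vendor-master vs. payment": ("vendor_create", "payment_approve"),
    "PO entry vs. receiving": ("po_create", "goods_receipt"),
    "p-card use vs. reconciliation": ("pcard_holder", "pcard_reconcile"),
}


def sod_conflicts(accounts, rules=SOD_RULES):
    """Return sorted (user, rule_name) pairs where a user holds both roles of a rule."""
    hits = []
    for acct in accounts:
        for name, (role_a, role_b) in rules.items():
            if role_a in acct.roles and role_b in acct.roles:
                hits.append((acct.user, name))
    return sorted(hits)


def stale_accounts(accounts, today, max_idle_days=90):
    """Return sorted (user, reason) pairs for access that should be revoked:
    terminated in HR but still provisioned, or no login within max_idle_days
    (an account that has never logged in counts as idle)."""
    stale = []
    for acct in accounts:
        if acct.hr_status == "terminated":
            stale.append((acct.user, "terminated but still provisioned"))
        elif acct.last_login is None or (today - acct.last_login).days > max_idle_days:
            stale.append((acct.user, "idle beyond %d days" % max_idle_days))
    return sorted(stale)


# Constructed sample export (not real data).
SAMPLE = [
    Account("ap_clerk1", frozenset({"vendor_create", "invoice_entry"}), date(2010, 12, 10), "active"),
    Account("ap_super1", frozenset({"vendor_create", "payment_approve"}), date(2010, 12, 15), "active"),
    Account("buyer1", frozenset({"po_create", "goods_receipt"}), date(2010, 6, 1), "active"),
    Account("former_emp", frozenset({"pcard_holder"}), date(2010, 3, 2), "terminated"),
    Account("svc_batch", frozenset({"report_view"}), None, "active"),
]


def run_review(accounts=SAMPLE, today=date(2010, 12, 21)):
    """Run both checks and return the findings as a dict for reporting."""
    return {"sod": sod_conflicts(accounts), "stale": stale_accounts(accounts, today)}


if __name__ == "__main__":
    for section, findings in run_review().items():
        print(section)
        for user, detail in findings:
            print("  %-12s %s" % (user, detail))
```

In practice the `SAMPLE` list would be replaced by a parsed export from the ERP or identity system, and `hr_status` would be joined from the HR roster rather than carried on the account record; the rule table is the part that needs sign-off from the process owners, since it encodes which role pairs the University considers incompatible.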


Overall Risk Analysis Results

# Process Inherent Risk Rating (Consolidated)

1 Governance, Risk & Compliance Medium

2 Revenue / Receivables Medium

3 Expenditures / Payables High

4 Human Resources Medium

5 Treasury High

6 Risk Management Medium

7 Financial Reporting & Other Accounting Medium

8 Auxiliary Activities & Other Considerations Low

9 Student Affairs Medium

10 Information Systems & Resources High

11 Development Medium


Proposed Internal Audit Plan for FY2011

The following conclusions were drawn based on our assessment of risk and preliminary perceptions on internal control within the University:

• Given the outcome of the risk analysis, a suggested audit plan containing approximately 500 – 750 hours per year appears reasonable and appropriate.

• The estimated hours for each internal audit activity cover understanding the key risks and controls in that audit area, assessing control design effectiveness, and then performing tests of operating effectiveness.

• However, there are certain other ‘baseline’ audit activities such as external audit assistance and ongoing compliance monitoring as well as special request projects and follow-up procedures on prior year audits that are inherent to any University internal audit function and will need to be taken into consideration annually. These activities could require additional hours of internal audit effort.

• Overall, prioritization of the remaining audit areas identified should be a function of ongoing interaction between Grant Thornton, the Board and executive management.


Summary of Audit Areas to Include in the Audit Plan

FY 2011 Internal Audit Plan

Process # | Audit Process Area | Sub-process Area | Suggested Audit Frequency | Estimated Hours
* | General Audit Administration, Planning & Reporting | N/A | 1 | 50
5 | Treasury | Cash Management / Point of Service Collections | 2 | 100 – 150
10 | Information Systems & Resources | Information / Network Security | 1 | 100 – 150
10 | Information Systems & Resources | Application Development & Change Controls | 1 | 100 – 150
3 | Expenditures / Payables | Purchasing / Payment Cards | 2 | 70 – 120
3 | Expenditures / Payables | Accounts Payable | 3 | 80 – 130
Total 2011 Hours | | | | 500 – 750

Audit Frequency Key: 1 = yearly, 2 = every other year, 3 = every third year.


II. Appendix


Audit Universe*: Business Processes and Sub-Processes

* The audit universe for a typical University environment

• Governance, Risk & Compliance
  – Control environment
  – Risk assessment
  – Information & communication
  – Monitoring
  – Fraud controls
  – Compliance
  – Strategic planning

• Revenue / Receivables
  – Tuition & fees
  – Credit & collections
  – Grants & contracts

• Expenditures / Payables
  – Purchasing / payment cards
  – Capital expenditures
  – Construction
  – T&E expenses
  – Accounts payable
  – Facilities maintenance

• Human Resources
  – Employment / employee relations (Faculty & Staff)
  – Executive compensation
  – Payroll (employees & students)
  – Employee benefits
  – Student employment

• Auxiliary Activities and Other Considerations
  – Food service
  – Bookstore
  – Student/employee cards
  – University collectibles

• Development
  – Development / fund raising
  – Planned gifts
  – Alumni activities

• Information Systems & Resources
  – Applications
  – IT governance
  – Information security
  – Network security / architecture
  – Network & infrastructure change management
  – Application integrity controls
  – Telecommunications
  – Physical security
  – Application development & change controls
  – Third-party / vendor management
  – Computer operations
  – Third party interfaces & connectivity
  – Library
  – Disaster recovery

• Treasury
  – Cash management
  – Endowments
  – Financing
  – Investments

• Risk Management
  – Risk management
  – Insurance
  – Business continuity & crisis management
  – Environmental health & safety

• Financial Reporting & Other Accounting
  – General accounting
  – Internal reporting
  – External reporting
  – Budgeting
  – Tax compliance
  – Fixed assets
  – Intellectual property, copyrights & patents

• Student Affairs
  – Student activities, clubs & events
  – Admissions/student recruitment
  – Financial aid & scholarships
  – Health services
  – Residence halls
  – Athletics
  – Programs abroad & international initiatives
  – Privacy (FERPA, HIPAA compliance)


Risk Analysis for Illinois Institute of Technology

Inherent risk rating by process and sub-process (HIGH / MEDIUM / LOW)

Governance, Risk & Compliance
  Control Environment: HIGH
  Risk Assessment: MEDIUM
  Information and Communication: MEDIUM
  Monitoring: MEDIUM
  Fraud Controls: MEDIUM
  Compliance: MEDIUM
  Strategic Planning: MEDIUM

Revenue / Receivables
  Tuition and Fees: MEDIUM
  Credit and Collections: MEDIUM
  Grants and Contracts: MEDIUM

Expenditures / Payables
  Purchasing / Payment Cards: HIGH
  Capital Expenditures: MEDIUM
  Construction: MEDIUM
  T&E Expenses: LOW
  Accounts Payable: HIGH
  Facilities Maintenance: HIGH

Human Resources
  Employment / Employee Relations: MEDIUM
  Executive Compensation: LOW
  Payroll: MEDIUM
  Employee Benefits: MEDIUM
  Student Employment: MEDIUM

Treasury
  Cash Management: HIGH
  Endowments: HIGH
  Financing: HIGH
  Investments: HIGH

Risk Management
  Risk Management: MEDIUM
  Insurance: MEDIUM
  Business Continuity & Crisis Management: HIGH
  Environmental Health & Safety: LOW

Financial Reporting & Other Accounting
  General Accounting: MEDIUM
  Internal Reporting: MEDIUM
  External Reporting: MEDIUM
  Budgeting: MEDIUM
  Tax Compliance: LOW
  Fixed Assets: MEDIUM
  Vehicle Inventory & Maintenance: LOW
  Intellectual Property, Copyrights & Patents: MEDIUM

Auxiliary Activities & Other Considerations
  Food Service: LOW
  Bookstore: LOW
  Student / Employee Cards: LOW
  University Collectibles: LOW

Student Affairs
  Student Activities, Clubs & Events: LOW
  Admissions / Student Recruitment: HIGH
  Financial Aid & Scholarships: MEDIUM
  Health Services: LOW
  Residence Halls: LOW
  Athletics: LOW
  Program Abroad & International Initiatives: MEDIUM
  Privacy: MEDIUM

Development
  Development / Fund Raising: HIGH
  Planned Gifts: MEDIUM
  Alumni Activities: MEDIUM

Information Systems & Resources
  Applications: HIGH
  IT Governance: MEDIUM
  Information Security: HIGH
  Network Security / Architecture: HIGH
  Network & Infrastructure Change Management: MEDIUM
  Application Integrity Controls: MEDIUM
  Telecommunications: HIGH
  Physical Security: LOW
  Application Development & Change Controls: MEDIUM
  Third-party / Vendor Management: MEDIUM
  Computer Operations: LOW
  Third-party Interfaces & Connectivity: MEDIUM
  Library: LOW
  Disaster Recovery: HIGH


Business Risk Profiling Summary Analysis

Governance Risk

Definition: The risk that the processes, customs, policies, procedures, communications and management attributes affecting the way in which an organization is directed, administered, controlled or internally monitored are not sufficient, effective or appropriate, impacting the achievement of organizational goals.

Analysis: Overall, governance risks are moderate to high due to their pervasive nature and impact, as well as the inherent risk. Although viewed favorably, changes in leadership can create perceptions of instability in certain areas. Given the increasing complexity of the organization's risk profile, the breadth, depth and focus of internal audit activities for addressing relevant organizational risks have become increasingly important. As there has been no consistent, formal internal audit activity to ensure proper controls are in place and operating effectively, the University's risk could be increased, which is factored into this rating.

Personnel Risk

Definition: The risk that the Human Resources function is not adequate, resulting in inconsistent or ineffective recruiting, application of policy or management of student employees. The risk that departments are not properly staffed due to turnover, attrition or lack of sufficient recruiting. The risk that people either do things they are not supposed to do or fail to do things they should do. The risk that the University is not fostering a positive working culture, resulting in lower morale among employees.

Analysis: Overall, personnel risks are moderate. The decentralized nature of certain departments and programs, and the corresponding delegation of responsibility, authority and monitoring, increases the risk of misappropriation of assets. As with almost all universities, there is always a concern related to the recruitment and retention of key faculty and staff. Additionally, the Human Resources function should be closely monitored to ensure that it is meeting the needs of everyone it serves.


Business Risk Profiling Summary Analysis

Financial Risk

Definition: The risk that an organization will be unable to fulfill its financial obligations as a party to a financial transaction. The risk that an entity cannot obtain cash quickly enough to pay current obligations. Actual losses may occur as a result of the entity's inability to fund the operational or financial obligations of the business. The risk that tuition pricing is more than students are willing to pay, resulting in decreasing enrollment.

Analysis: Overall, financial risk at IIT appears to be high. IIT's financial reporting and accounting departments had significant write-offs in FY10, and issues have been raised regarding the current endowment and debt financing positions. New management has assumed key roles in the finance and accounting departments with the goal not only of reviewing and correcting prior-year actions, but also of establishing key objectives for future growth. However, since some of these initiatives are still in their early stages, the overall financial risk remains high.

Operational and Process Risk

Definition: The risk that the organization's operations and procedures are not effective or efficient, resulting in incomplete or inaccurate financial or management information, frustration or loss of students and employees, or the loss or misappropriation of assets. The risk that employee and student health and safety is not sufficiently controlled, exposing the University to potentially significant liability and impairment of image and reputation.

Analysis: Overall, the operational and process risks at IIT are moderate. Concerns about the viability of the current business continuity and crisis management plans appear to be the highest inherent operational risk areas. Increased attention to purchasing and payables, including the use of procurement cards, should also be considered.


Business Risk Profiling Summary Analysis

Compliance Risk

Definition: The risk that reports of operating or financial information required by regulatory agencies (Federal / State government, NCAA, accreditation bodies, etc.) are incomplete, inaccurate or untimely, exposing the University to fines, penalties and sanctions. The risk that financial reports include material misstatements or omit material facts, making them misleading. The risk of noncompliance with tax regulations, payment and filing requirements, or that transactions of the University have adverse tax consequences that could have been avoided had they been structured appropriately.

Analysis: Overall, compliance risks appear to be low to moderate. The sheer number of rules and regulations to which the University is subject raises the risk level in this area. Internal compliance with policies and procedures appears to be an area of lower risk, given the current state of formally documented policies and procedures. The lack of a full-time Compliance Officer or department creates added risk; however, this risk is slightly mitigated by the Compliance Committee.

Technology Risk

Definition: The risk that the organization does not have an effective information technology infrastructure to support the current or future needs of the University in an efficient, cost-effective and well-controlled fashion. The risk that the processes used to develop, maintain and operate an information processing environment are not sufficient to provide for the accuracy, completeness, integrity, security, availability or recoverability of organizational information. This risk includes development or modification of applications and infrastructure, as well as security related to end users and ISR personnel. The risk that a technology strategy does not exist or is not aligned with organizational strategy or objectives.

Analysis: Overall, technology risks are considered high. The University is highly dependent upon information technology for its administrative and academic operations. Information and network security, systems availability and recovery have become highly important considerations. There is a concern over the reliability of the current infrastructure, as upgrades have not been possible given recent-year budget constraints. Additional areas of concern include the viability of the disaster recovery plan, as well as the potential loss of revenue from the Educational Broadband Services ("EBS") channels.


Business Risk Profiling Summary Analysis

Environmental Risk

Definition: The risk that major competitors take actions to establish and sustain a competitive advantage over the University, or even threaten its ability to survive. Changes in regulations and actions by national or local regulators can result in increased competitive pressures and significantly affect an organization's ability to conduct business efficiently or effectively. Other environmental or external factors outside the University's control may also adversely impact the organization and its operations. Failure to monitor a changing environment may result in obsolete strategies.

Analysis: Overall, environmental risks appear to be low and are monitored. Competitor risk is high, as competition for qualified students is increasing and the close proximity of other universities intensifies it. Compliance with regulatory requirements and maintaining accreditation status are essential for preventing potential impairment of image and reputation.

Fraud Risk

Definition: The risk that employees, students, vendors or third parties, individually or in collusion, perpetrate fraud against the University, resulting in financial loss or the unauthorized use or misappropriation of physical, financial or information assets. There is also potential for legal exposure and impairment of image and reputation, as well as an adverse impact on operations.

Analysis: Overall, fraud risks appear to be moderate. As the University has tackled many pressing issues over the past couple of years, it appears there has been less focus on ensuring that the design and operating effectiveness of policies, procedures and controls is adequate. Additionally, the lack of a consistent, formal internal audit program increases the opportunity for fraud and/or misappropriation of assets.
