Operations, Audit and Risk Committee Meeting April 14, 2022
The Operations, Audit and Risk Committee met on Thursday, April 14, 2022 at 10:00 a.m. in the Jefferson Room of the David Student Union with Chair Terri M. McKnight presiding.
Present from the Committee
- Mrs. Terri M. McKnight, CPA, Chair
- Mr. William R. Ermatinger
- The Honorable Gabriel A. Morgan, Sr.
Absent from the Committee
- Dr. Ella Ward
Present from the University
- Ashleigh Andrews, Assistant Vice President for Finance and Planning
- Ms. Faith Belote, Director of Internal Audit
- Jered Benoit, Associate Director for Enterprise Services
- Ms. Wendy Corrice, Information Security Officer
- Mr. Andrew Crawford, Chief Information Officer
- Ms. Sherry Crotts, Executive Administrative Assistant
- Dr. Jonathan Backens, Associate Professor and Faculty Senate Representative
- Ms. Stephanie Hautz, Director of Human Resources
- Ms. Sarah Herzog, Director of Planning and Budget
- Ms. Jennifer Latour, Vice President for Finance and Planning and Chief Financial Officer
- Shane Leasure, Associate Director of ITS Systems and Support & Deputy CIO
- Ms. Christine Ledford, Vice President for Administration and Auxiliary Services
- Ms. Adelia Thompson, Chief of Staff
Public in attendance
- None
At 10:04 a.m. Chair McKnight called the meeting to order and welcomed everyone in attendance.
Approval of Minutes
Chair McKnight asked if everyone had a chance to review the minutes from the February 4, 2022 Operations, Audit and Risk Committee meeting. There being no comments or edits, Chair McKnight called for a motion to approve the minutes as presented. Mr. Ermatinger provided the motion, which was seconded by Sheriff Morgan and the minutes were approved by unanimous vote of the committee.
Internal Audit Report
Ms. Belote reported that the Laboratory Safety audit has been finalized with fourteen open audit points and a target completion of April 1, 2023, to allow for additional staff recruitment. Ms. Belote stated that this was a first and successful audit for Laboratory Safety.
Ms. Belote reported the Faculty Recruitment and Succession Planning audit planning is underway. The IT Disaster Recovery Planning audit fieldwork is nearing completion with IT consultant services and that the Maxient Software Application audit planning is complete and fieldwork has begun.
Ms. Belote recognized that going through the audit process can be intimidating. They have developed and launched an orientation, What to Expect when Audited, to prepare colleagues for the process and to develop a good working relationship early on in the process.
Ms. Belote confirmed they continue to look for an audit software solution. They are moving forward with the tech vetting process, preparing documentation and getting quotes to submit to the IT Department for review.
Coming up next, they will be working on the IT risk assessment and the general university wide risk assessment. They will use that to prepare an audit plan for the committee to review and approve at the June board meeting.
Ms. Belote updated the Committee on the Auditor of Public Accounts Financial Aid audit. Christopher Newport was not selected for a CARES Act review. CNU was not identified as a major federal program. Ryan Carter will be performing a review of the CARES Act funding to confirm proper recording and reporting of the financial statements and that Christopher Newport has met certain compliance requirements over the Higher Education Emergency Relief Fund and the Corona Virus Relief Fund. They anticipate wrapping up the Financial Aid portion in May.
Additionally, JLARC, the Joint Legislative Audit and Review Commission, announced in January that they will be reviewing Virginia Higher Education Student Financial Aid award policies and procedures and they will focus on state funding for financial aid of all fifteen 4-year higher education public institutions. They will be comparing and evaluating our student awards. There has already been an entrance meeting with the University.
Ms. Belote reported that Athletics has closed eight audit points with one remaining point that is due to be completed by July 1, 2022. They will continue to follow up with Kyle McMullin on the last audit point to replace an athletic trainer system which is software used to track injuries. Response was received from the NCAA on the self-reported clerical and administrative issues that was reported at the last committee meeting. The NCAA classified the issues as secondary requiring no action by the NCAA enforcement staff. Ms. Belote said that the Athletic Director and Manager of Athletic Administration have done a great job establishing a comprehensive compliance manual with newly developed and revised policies and procedures.
Ms. McKnight asked Ms. Belote to review the audit plan for the year. Ms. Belote said that the Faculty Recruitment Audit should be done by the September board meeting; Student Accounts audit hours may be reduced if they can rely on and share resources with Ryan Carter; lastly, for University Fraud Training they are waiting on approval of a new fraud policy to begin training. Ms. McKnight said that fraud training is crucial in our current environment and asked that this be made a priority.
Internal Audit reviewed the Physics, Computer Science and Engineering (PCSE) Department server attack and provided written preliminary observations and recommendations which were discussed during separate meetings with the ITS and the PCSE departments for feedback. Next steps are the development of management action plans, and some resolutions have already been implemented.
Ms. McKnight offered follow up on the APA audit and said that the University being able to clear the prior management letter comment is great news. She has been in contact with Linda Wade who was responsible for the FY2021 audit to talk about the audit process and scope and that the audit is underway. They are doing a compliance audit associated with student loans (none of the COVID funding) to incorporate with the whole audit.
Ms. Latour gave an update on the Emergency Management tabletop exercise since Tammy Sommer, Director of Emergency Management, could not be at the meeting. She said the exercise was four hours long and thirty-five people participated. It was an all hands-on deck exercise and everyone took it very seriously. Tammy Sommer facilitated the exercise and Andrew Crawford stood in for her as the Director of Emergency Management. The exercise was structured in the incident command system and included a cyber-attack and then an active shooter. Outside members also participated including the City of Newport News, Riverside and other emergency managers. Positive outcomes from the exercise included: strong communication among the team members, awareness of the need for timely and accurate messaging, willingness to work with one another, good grasp of continuity of operations plan. Ms. Latour discussed areas of improvement with the committee. Mr. Ermatinger suggested that in the future they consider having an exercise with a mock press conference.
Ms. Latour reported that Tammy Sommer will retire June 1, 2022. The job has been posted and they expect a great candidate pool. Ms. Latour said that Tammy will be hard to replace and will be missed. The state allows dual incumbency for a short period of time and with the advance notice given by Tammy they will have plenty of time to transfer knowledge.
Information Technology Services – Cybersecurity Updates
Ms. Corrice and Mr. Crawford updated the committee on recent incidents, responses and improvements.
There being no further business the meeting adjourned at 10:56 a.m.