Risk Assessment ABOR Audit Committee April 5, 2017

Risk Assessment Process International Auditing Standards require that the “internal audit activity’s plan of engagements be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.”

Risk Assessment Process NAU’s approach to risk assessment has varied from year to year: Interviews FY 2017 – interviewed Executive Team regarding risks to attainment of NAU’s strategic objectives FY 2016 – interviewed members of Compliance Committee regarding risk to meeting compliance responsibilities FY 2015 – interviewed senior managers regarding operational risks FY 2014 – interviewed senior administrators

Risk Assessment Process Risk Assessment Evaluation Prior to FY 2014, NAU utilized a risk assessment evaluation where senior managers completed a spreadsheet that identified key risks, key control objectives related internal controls, and residual risks. Moved to interviews after several years to encourage more discussion.

Risk Assessment Process Link to Annual Audit Plan Each annual risk assessment is reviewed to identify potential internal audits for the annual internal audit plan. Examples: Past audits of Sponsored Projects and Minors on Campus Proposed audits also come from Regent and administration input, required audits, and results of past audits. Examples: NCAA Compliance Audit has been required by NCAA Departmental audits identified during Accounts Payable audit

FY 2017 Risk Assessment Details Members of the Executive Team were interviewed regarding obstacles to attainment of NAU’s strategic goals relevant to their job responsibilities: 1. Student Success 2. Nationally Recognized Research Excellence 3. Global Engagement 4. Diversity, Civic Engagement, and Community Building 5. Commitment to Native Americans 6. Sustainability and Effectiveness

FY 2017 Risk Assessment interviews Athletics Chief of Staff Development Diversity Economic Development Executive Reporting Facilities and Campus Operations Finance, Institutional Reporting and Analysis General Counsel Government Affairs Human Resources Information Technology Services Institutional Research and Analysis Native American Initiatives Provost Research Risk Manager

FY 2017 Risk Assessment Results Risks related to strategic goals were identified: Wide range of items were noted during the interviews with many of the items being better addressed with strong contingency planning and/or management actions than an audit process Classified by strategic goal and type of risk: Compliance Financial Life Safety Operational Reputational

FY 2017 Risk Assessment categories Recruitment and Retention of Students Facilities Faculty/Staff Recruiting and Retention Funding Operational Risks

Risk Assessment Process Next Steps - FY18 Annual Audit Plan Based on the Risk Assessment completed this Spring and ongoing review by the Audit Department, these are examples of audits being considered for the FY18 annual audit plan: Employment Eligibility Verification (I-9) Title IX of the Education Amendments Act of 1972 Comprehensive Departmental Audits Audit plan will be reviewed by NAU’s IARB and presented to the Audit Committee at the June ABOR meeting.

Risk Assessment ABOR Audit Committee April 5, 2017