North Dakota University System Wasn't Even Bothering To Track Audits


Score a point for “legislative meddling” in the university system.

Because “meddling” is what university system partisans often accuse lawmakers of doing when they pass reforms for higher education, but it looks like some controversial changes made by the 2015 legislative session (which set off a five hour hissy fit by university system presidents when they were first proposed) are already having an impact.

Last night the State Board of Higher Education Audit Committee met to discuss audit and compliance issues (even as their former top compliance officer sues the board alleging myriad wrongs and misdeeds), and there were some startling revelations. Like the fact that dozens of university system audits hadn’t been tracked since 2012. Meaning nobody was following up on whether or not findings by auditors were being addressed.

“Audit reports come in and they’re stacked someplace … there were 25 that weren’t even tracked,” outgoing Chancellor Larry Skogen told the committee according to this Grand Forks Herald report.

content_what_would_you_say_you_do_hereThis was uncovered by personnel from the State Auditor’s Office which is involved now because lawmakers took the university system’s auditor positions away and put them under the purview of the State Auditor. You honestly have to wonder what the university system’s auditors were actually, you know, doing given that dozens of audits were going untracked.

Of course, in addition to firing their chief compliance officer who is now suing them, the university system also canned their top auditor last year after just a months on the job ultimately settling with him out of court. Both the auditor, Timothy Carlson, and the compliance officer, Kirsten Franzen, say they were terminated for trying to bring more transparency and accountability to the system.

Accountability as in maybe, you know, actually acting on problems found by audits.

In fact, just yesterday the State Auditor’s Office released a follow-up to a 2012 audit looking at IT security (see it here). It turns out that recommendations to immediately delete test accounts and remove security settings privileges from developers made about three years ago still hadn’t been implemented. SAB readers will remember that in 2014 the university system had three major security breaches exposing hundreds of thousands of private student, employee, and alumni data to hackers.

Could the changes suggested in the 2012 audit, which still haven’t been made here in 2015, have averted any or all of those breaches? Maybe, maybe not. But the fact that the university system is so lackadaisical in following up on those security holes indicates a sort of cavalier attitude about IT security, specifically, and audits generally.

Anyway, the university system is going to have no choice but to act on these audits now given that their audit personnel don’t answer to university system officials any more. That’s a big win for lawmakers, and they deserve credit for it, but they probably won’t get it.