Minnesota State Colleges and Universities Meeting of the Board of Trustees December 16, 2003 Cliff Hoffman, Partner Kirsten Vosen, Partner Craig Popenhagen, Senior Manager This report is intended solely for the information and use of the Board of Trustees, management and others as designated by MnSCU and is not intended to be and should not be used by anyone other than these specified parties. ©2003 by Deloitte & Touche LLP. All rights reserved. Table of Contents Section I – 2003 Audit • Audit Results and Reports Issued • Financial Statement Highlights Section II – Minnesota State Colleges and Universities’ (MnSCU) Strengths and Challenges • Strengths and Challenges • Relative Values of Best Practices in Ratings Section III – Environmental Factors Affecting Audit Scope • GAO’s Revised Auditor Independence Standards • Internal Controls – Focus of Sarbanes-Oxley Act of 2002 – COSO Internal Control Framework 183060 PAGE 1 Section I — 2003 Audit Audit Results and Reports Issued • Independent Auditors’ Report on Financial Statements (system wide) – unqualified opinion • Independent Auditors’ Report on Financial Statements (Revenue Bond) – unqualified opinion • Independent Auditors’ Report on Compliance and on Internal Control Over Financial Reporting Based Upon the Audit Performed in Accordance with Government Auditing Standards – no findings or material weaknesses, with the exception of certain colleges and universities that did not maintain depository insurance/collateral securities at required minimum levels during the year 183060 PAGE 3 Audit Results and Reports Issued (continued) • Required Audit Communications - New Accounting Policies – Governmental Accounting Standards Board (GASB) Statement No. 38 required additional note disclosures for accounts receivable, accounts payable, other assets, and interfund balances and transfers and was effective July 1, 2002. No effect on net assets. – GASB Statement No. 39 requires reporting, as a component, an organization that raises and holds economic resources for the direct benefit of a governmental unit and will be effective for the fiscal year ending June 30, 2004. – GASB Statement No. 40 requires additional note disclosures for investment securities and will be effective for the fiscal year ending June 30, 2005. Will not affect net assets. – GASB Statement No. 42 requires reporting of the effects of capital asset impairment in the financial statements when it occurs and also enhances comparability of financial statements by requiring all insurance recoveries to be accounted for in the same manner. Effective for the fiscal year ending June 30, 2006. – Exposure draft of the proposed GASB statement, Accounting and Financial Reporting by Employers for Postemployment Benefits Other than Pensions, would require measurement and disclosure of postemployment benefits other than pensions and other information that is deemed useful in assessing future cash flows. If approved as presently written, would be effective for the fiscal year ending June 30, 2007. 183060 PAGE 4 Audit Results and Reports Issued (continued) • Required Audit Communications – Our responsibility under GAAS (Generally Accepted Auditing Standards) — among others to understand control structure — as described in our engagement letter. – Significant estimates » Significant estimates include: • Liabilities for workers’ compensation, determined primarily by the State of Minnesota Department of Employee Relations • Liabilities for compensated absences, determined by MnSCU and the State of Minnesota Department of Finance » No significant changes in methodology from prior year – Passed adjustments » Known and likely passed adjustments had the following effects: • Increase assets - $1.1 million • Increase liabilities - $2.3 million • Decrease net assets - $1.2 million » Projection of accounts payable error increases accounts payable $2.5 million not included in the above summary of known and likely passed adjustments – Received full cooperation of management 183060 PAGE 5 Audit Results and Reports Issued (continued) • Management letter – Structure of Finance Department and financial reporting » Too much reliance on the financial reporting personnel at the Office of the Chancellor » Consider developing a plan to balance responsibilities between colleges/ universities and Office of the Chancellor – Accounting disciplines » Need increased level of scrutiny, diligence, and uniformity in application of MnSCU accounting policies at the college and university level – Investment collateral » Improvement made in 2003: $9.7 million undercollateralized in 2003 versus $13.4 million in 2002 – Computer processing environment » Development and implementation of an information protection plan » Improve application and system software change control 183060 PAGE 6 Financial Statement Highlights June 30, 2003 June 30, 2002 Total Net Assets = $1,023,092,040 Total Net Assets = $949,805,965 Restricted 9.7% Restricted 8.3% Unrestricted 11.9% (2) Unrestricted 12.7% (2) Invested in Capital Assets, Net of Related Debt (1) 77.6% Invested in Capital Assets, Net of Related Debt (1) 79.8% Observations: (1) Net capital assets of $941.5 million and $877.4 million at June 30, 2003 and 2002, respectively, are partially offset by General Obligation bonds of $121.9 million and $104.6 million, respectively. (2) Unrestricted net assets of $129.4 million at June 30, 2003 ($112.9 million at June 30, 2002) would be consumed by MnSCU’s operations in 1.1 months in both fiscal years 2003 and 2002. 183060 PAGE 7 Financial Statement Highlights— Total Revenue Breakout (in millions) $700 $600 $500 $400 $300 $200 $100 $0 State Appropriations Tuition and Fees State and Federal Grants 2003 183060 Room and Board and Sales and Service, Net Capital Appropriations Other 2002 PAGE 8 Financial Statement Highlights— Unaudited Pro forma Results (in thousands) • Increase in net assets per audited financial statements, June 30, 2003 • Less — Revenue from 10% tuition increase and 5% enrollment growth • Pro forma increase in net assets at June 30, 2003 without necessary budget actions $ 73,286 (53,900) $ 19,386 • Fiscal year equivalent student enrollment 2003 132,586 • Fiscal year equivalent student enrollment 2002 126,215 183060 PAGE 9 Financial Statement Highlights— Operating Expense Breakout (in millions) $900 $800 $700 $600 $500 $400 $300 $200 $100 $0 Salaries Purchased Services Financial Aid, Net Supplies 2003 183060 Repair and Maintenance Depreciation Other 2002 PAGE 10 Financial Statement Highlights— Cash Flows (in thousands) 2003 2002 $ (549,238) $ (518,189) Cash provided by (used in): Operating activities Noncapital financing activities 605,198 (1) 623,093 (1) Capital and related financing activities (36,411)(2) 3,780 (2) Investing activities Net increase in cash Cash at beginning of year Cash at end of year 9,574 2,936 29,123 111,620 387,986 276,366 $ 417,109 $ 387,986 (1) Decrease in cash provided by noncapital financing activities is due to a decrease in appropriations of $9.4 million and a decrease in private grants of $8.4 million. (2) Change between 2002 and 2003 capital and related financing activities mainly relates to an increase in investments in capital assets of $27,892 and a decrease in proceeds from borrowing of $27,347, netted against an increase in capital appropriations of $12,230. 183060 PAGE 11 Financial Statement Highlights — Debt Service Schedule (Principal and Interest) (in thousands) $80,000 $70,000 $60,000 $50,000 $40,000 $30,000 $20,000 $10,000 $0 2004 2005 2006 Capital Leases 183060 2007 Revenue Bonds 2008 2009 2013 2014 2018 General Obligation Bonds 2019 2023 2024 2028 2029 2032 Notes payable PAGE 12 Section II — MnSCU’s Strengths and Challenges MnSCU’s Strengths • Management’s Tone at the Top – do things right! • GASB 35 – Ability to respond to new accounting pronouncements – Successful implementation of GASB 35 in 2002 • Strong internal audit function with experienced professionals • Diverse revenue base from tuition, state appropriations, federal grants, private gifts and state grants • Strong asset position • Retention of key financial reporting and internal audit personnel 183060 PAGE 14 MnSCU’s Challenges • Structure of the Finance Department and financial reporting • Decentralized structure – flow of information is critical • Accounting disciplines and workload – additional individual campus audits commenced in 2003 (total in 2003 = 14, total in 2002 = 6) • Maintaining collateral for cash and investments • Formalized policies for information systems – information protection plans and application and software change control • Annual appropriation from the State of Minnesota – Funding summary in general appropriations » FY 2002 $602M » FY 2004 $560M (approved) » FY 2003 592M » FY 2005 546M (approved) – Continued important decisions on who will bear the costs of these decreases • Liquidity – unrestricted net assets of $129.4 million would be consumed by MnSCU’s operations in less than two months • Need for continued recruitment and retention of high-quality individuals within the Finance and Accounting departments • Implementation of new GASB Statement No. 39 • Health insurance costs, which totaled $90.4 million in 2003 and $77.5 million in 2002 183060 PAGE 15 Relative Values of Best Practices in Ratings Fund balance reserve policy/working capital reserves Very Significant Multiyear financial forecasting Significant Quarterly financial reporting and monitoring Significant Contingency planning policies Influential Policies regarding nonrecurring revenue Influential Depreciation of general fixed assets Influential Debt affordability reviews and policies Very Significant Pay-as-you-go capital funding policies Significant Rapid debt retirement policies of more than 65% in ten years Significant Five-year capital improvement plan integrating operating costs Influential Financial reporting award (GFOA) Influential Budgeting award (GFOA) Influential GFOA = Government Finance Officers Association 183060 PAGE 16 Section III — Environmental Factors Affecting Audit Scope GAO’s Revised Auditor Independence Standards • All nonaudit services must meet overarching principles – Auditors should not perform management functions or make management decisions – Auditors should not audit their own work or provide nonaudit services in situations where the amounts or services involved are significant/material to the subject matter of the audit Effective Date • Amendment released January 25, 2002, effective for nonaudit services after June 30, 2002 and audit periods beginning on or after January 1, 2003 • Significant impact on scope of services — similar to Sarbanes-Oxley Nonaudit Services Covered • Basic accounting services • Appraisal & valuation services • Internal audit services • Tax services other than routine • Information technology services • Human capital services 183060 PAGE 18 Objectives of the Control Requirements in Sarbanes-Oxley • Restore public trust and confidence in the public securities market • Improve corporate governance and promote ethical business practices • Enhance transparency and completeness of financial statements and disclosures • Ensure that company executives are aware of material information emanating from a well-controlled environment • Hold company management accountable for material information that is filed with regulatory authorities and released to investors • Achieve new levels of corporate excellence 183060 PAGE 19 Linking Governance to Control Activities Governance Missing Link: Compliance Program and Infrastructure Control Activities 183060 The “missing link” is a compliance program and infrastructure to measure and monitor the effectiveness and alignment between corporate governance and business unit/functional control activities to provide a basis for management’s certification and assertion. PAGE 20 Highlights of Corporate Governance Practices Survey Number of Audit Committee Financial * Experts Per Respondent Still being determined, 23% Three or more, 8% None, 3% One, 42% Average Number of Audit Committee Meetings per Year 10 9 8 7 6 5 4 3 2 1 0 * 7.6 4.9 Before SarbanesOxley Enactment After SarbanesOxley Enactment Enactment date of Sarbanes-Oxley was July 30, 2003. Average Duration of Audit Committee Two, 24% *+ Meetings (in hours) 3 2.3 2 * The partners surveyed were not selected using a statistical sampling method. The results may not be indicative of those that would have been obtained had a statistical methodology been used to conduct the survey. + Includes all types of audit committee meetings (in person, telephone, Web conferences, etc.). Source: Deloitte non-statistical survey of 90 largest audit clients 183060 1.5 1 0 Before SarbanesOxley Enactment After SarbanesOxley Enactment Enactment date of Sarbanes-Oxley was July 30, 2003. PAGE 21 Disclosure Controls versus Internal Controls Over Financial Reporting Disclosure Controls • Designed to ensure that required disclosed information is recorded, processed, summarized, and reported within the time periods specified by the SEC. • Include controls and procedures to help ensure that the required disclosed information is accumulated and communicated to executive management to allow timely decisions regarding required disclosure. 183060 Internal Controls Over Financial Reporting • Controls that pertain to the preparation of financial statements for external purposes that are fairly presented in conformity with generally accepted accounting principles. PAGE 22 Disclosure Controls versus Internal Controls Over Financial Reporting Supplementary Information Financial Statements Business Transmittal Letters Annual Financial Report Notes Consolidated Cash Flow Consolidated Statement of Activities Consolidated Statement of Net Assets Consolidated Financial Statements Disclosure Controls Procedures Internal Controls Over Financial Reporting • New for SEC companies • New for SEC companies • Not required for MnSCU • Long-time requirement for MnSCU 183060 PAGE 23 Why Is Internal Control Important? OPERATIONS FINANCIAL • Promotes efficiency and effectiveness of operations through standardized processes • Ensures the safeguarding of assets through control activities • Promotes integrity of data used in making business decisions • Assists in fraud prevention and detection through the creation of an auditable trail of evidence COMPLIANCE • Helps maintain compliance with laws and regulations through periodic monitoring 183060 PAGE 24 The Committee of Sponsoring Organizations (COSO) Internal Control Framework The process to determine whether internal control is adequately designed, executed, effective and adaptive Management Analysis The process which ensures that relevant information is identified and communicated in a timely manner Messages from Senior Management Policies and Procedures Training Disclosure Committee Internal Audits The policies and procedures that help ensure that actions identified to manage risk are executed and timely Code of Ethics Delegation of Authority Approvals Common Processes and Systems Segregation of Duties Account Reconciliations The evaluation of internal and external factors that impact an organization’s performance Business Risk Management Process Risk Management Internal Audit Risk Assessment Information Technology Controls The control conscience of an organization. The “tone at the top” Code of Ethics Documented Policies and Procedures Cultural Assessment Endorsed by the AICPA, GAO, and others. © 1992 by the American Institute of Certified Public Accountants, Inc. Reprinted with permission. 183060 PAGE 25 Implications Characteristics Internal Control Reliability Model 183060 Stage 1: Unreliable Stage 2: Insufficient Stage 3: Reliable Stage 4: Optimal • Controls and related policies and procedures are not in place and documented. • A disclosure creation process does not exist. • Employees are not aware of their responsibility for control activities. • The operating effectiveness of control activities is not evaluated on a regular basis. • Control deficiencies are not identified. • Controls and related policies and procedures are in place but not fully documented. • A disclosure creation process is in place but not fully documented. • Employees may not be aware of their responsibility for control activities. • The operating effectiveness of control activities is not adequately evaluated on a regular basis and the process is not fully documented. • Control deficiencies may be identified but are not remediated in a timely manner. • Controls and related policies and procedures are in place and adequately documented. • A disclosure creation process is in place and adequately documented. • Employees are aware of their responsibility for control activities. • The operating effectiveness of control activities is evaluated on a periodic basis (e.g., quarterly) and the process is adequately documented. • Control deficiencies are identified and remediated in a timely manner. • Meets all of the characteristics of Stage 3. • An enterprise-wide control and risk management program exists such that controls and procedures are documented and continuously reevaluated to reflect major process or organizational changes. • A self-assessment process is used to evaluate the design and effectiveness of controls. • Technology is leveraged to document processes, control objectives and activities, identify gaps, and evaluate the effectiveness of controls. • Insufficient documentation to support management’s certification and assertion. • Level of effort to document, test, and remediate controls is significant. • Insufficient documentation to support management’s certification and assertion. • Level of effort to document, test, and remediate controls is significant. • Sufficient documentation to support management’s certification and assertion. • Level of effort to document, test, and remediate controls may be significant depending on the company’s circumstances. • Implications of Stage 3. • Improved decision-making because of high-quality, timely information. • Efficient use of internal resources. • Real-time monitoring. PAGE 26 Entity-Level Control Environment • When does an effective control environment exist? – When management has communicated to the employees, and when the employees understand, their responsibilities, authority, and role in creating value to the company and are committed to acting ethically. • Characteristics of an effectively controlled entity: – Competent people – Positive tone at the top – Established policies and procedures 183060 PAGE 27