Piecing Together the Puzzle of Auxiliaries at Your Institution
February 13, 2019
Typically, internal audit departments do not allocate much of their department’s audit hours to auxiliary operations, unless your institute of higher education has NCAA Division I athletics. This is primarily because most risk assessments of higher education institutions place auxiliaries in the moderate risk range category for a number of reasons. Auxiliaries typically do not receive large state or federal grants, have limited impact on research at universities, and are not responsible for overseeing financial aid funds. However, auxiliary operations can be interesting audit projects from time to time and some auxiliary operations can feed into key controls and compliance processes that should be spot-checked and tested periodically. Some examples of risk areas related to auxiliaries include:
Student Health and Counseling
With the risks related to opioid addiction in the United States, any controlled substances managed by Student Health and Counseling centers should be under heightened review for proper controls over drug diversion, as well as allow management to identify potential theft of controlled substances quickly.
Student Health and Counseling centers or clinics are typically setup as auxiliary operations in institutes of higher education. Most Student Health and Counseling centers receive funding mainly from student activity fees, which can lead to some administrators assessing lower risk for these types of funds than general funds of the university, or federal or state grant funds.
However, multiple high-risk areas may involve your institution’s Student Health and Counseling centers. For example, students suffering from a sexual assault may receive treatment and counseling from professional staff within your institution’s Student Health and Counseling center. In addition, counselors and psychologists from Student Health and Counseling may contribute a critical function to your university’s threat assessment processes and risk mitigation procedures for students dealing with mental health issues. With the risks related to opioid addiction in the United States, any controlled substances managed by Student Health and Counseling centers should be under heightened review for proper controls over drug diversion, as well as allow management to identify potential theft of controlled substances quickly. Lastly, these centers handle a broad array of personally identifiable information and possibly HIPAA (Health Insurance Portability and Accountability Act) data, depending on how your health and counseling center is established.
Housing and Residence Life
Housing and Residence Life operations can have some unique processes that you may want to consider for a future audit. For example, Title IV financial aid funds may be a major revenue stream for a university and, therefore, high risk due to the negative impact on operations if this funding source were to become temporarily unavailable or significantly reduced. As such, an audit team should look for decentralized departments that may process transactions that affect Financial Aid’s compliance processes. Another area to consider testing is how your higher education institution handles meal plan and dormitory room waivers for Resident Assistants receiving Title IV funds. Depending on how the job descriptions read for Resident Assistants, there may be a taxable fringe benefit situation for these waivers. In addition, auditors should review how the meal plan and dormitory waivers factor into the budgeted cost of attendance for financial aid awarding purposes.
Housing and Residence Life operations have different operations during summer break when the majority of the institution’s student body is home for the summer. To help the department generate revenue and utilize dormitory facilities that would otherwise go dormant for a couple of months, Housing and Residence Life may manage summer conferencing and event services. Typically, the department seeks to house professional groups looking to hold an educational conference at your institution, but you may determine that some groups present significant risks to your university. For example, some groups’ activities may not qualify for tax exemption under Unrelated Business Income tax regulations or may give rise to potential lodging taxes. Additionally, your institution may have risk exposure for areas that do not fall under your institution’s insurance policy, such as when Housing and Residence Life allows summer conference attendees to stay a few days before or after a professional conference hosted at your institution (property damage may occur from an attendee’s activities before the scheduled days of the conference).
Property Management
Your institution may have a department (or departments) that enter into leases for property intended for academic use or leased to retail businesses/non-profit organizations. Leases can be a great source of data to review if your audit department audits Clery Act compliance. Obtaining your university’s population of leases is an effective way to check that your university is inquiring about and tracking any reportable crimes under the Clery Act for all locations that your university controls. In addition, your university’s Financial Aid department periodically has to submit a form, Eligibility and Certification Approval Report (ECAR) to the federal government to report the usage of Title IV financial aid funds. Within the ECAR is a section that lists the addresses of qualifying Title IV academic programs operated by your university. This information in the ECAR can be a useful data source to check completeness of your university’s Clery Act reporting and tracking processes. Moreover, the ECAR can help provide assurance over the completeness of leased property data provided for an audit project.
While your institution may be generating revenue from leasing space to businesses, there can be some risks or controls to review periodically for these operations. Examples can include, but are not limited to:
- Property tax exemptions
- Common area maintenance expenses and reconciling or allocating those charges to tenant accounts
- Lease payment amounts that may be based on sales of a tenant’s business
- Insurance requirements and verification of insurance policies and coverage levels
- Cost escalation clauses in the lease agreement and controls used to ensure that the correct rate is charged to tenants
Information Technology
An area for potential data breach risk that sometimes gets overlooked relates to hard drives in leased copier and scanning machines. These hard drives may be setup to store sensitive data without encrypting the data after every scan or copy. In addition, it is important to determine if your organization has effective controls in place to secure the data on those hard drives before the machines leave your institution to help prevent or mitigate the risk of a data breach.
These are just a few reasons why you may want to dive into an audit project within your auxiliary operations in the near future.
About the Author
David Terry
David Terry, CPA, CFE, CIA leads Portland State University’s Internal Audit Office. He has more than 17 years of experience in auditing and also holds positions as an audit committee member on two Oregon governmental audit committees.
Read Full Author Bio