Adding Value Through Control Self-Assessments

The ever-changing business environment requires institutions to embrace dynamic practices to manage risks appropriately and achieve organizational goals. Hence, audit departments worldwide strive to ensure that their key activities align with the needs of their organizations. Control Self-Assessment (CSA) is an important tool that auditors can use to enhance the role of the internal audit function by adding value to the institution. By partnering with Internal Audit, departments can take a structured approach to identifying the risks associated with a process or activity, assessing the related controls to ensure those risks are managed effectively, and ensuring organizational goals are achieved.

Management and Process Owners Buy-In

The success of the CSA program depends on buy-in at all levels of the organization: from management to department heads to process owners. This involves discussions on how the process works, the benefits of the program, and the resources required to execute the project successfully.

Project Selection Process

Similar to audit projects, the CSA engagements should add value to the institution by addressing the risks to the entity. By incorporating the CSA project selection process as part of the annual risk assessment, the internal audit department can ensure high risk areas are identified for potential projects. Based on residual risk, areas that are high-risk would be first considered for an audit. Any high-risk areas not selected for audits are viable candidates for a CSA project. Once identified, internal audit departments can recruit the departments to participate in the CSA program. During the infancy stage of the program, the audit departments may need to actively recruit volunteers to participate. As the program matures and the institution begins to reap the benefits of the program, internal audit departments will have departments actively volunteering to participate in the program.

CSA Process

The most important step in the process is selecting the CSA team that will oversee the project, so careful consideration should be given to the choice of team members. The CSA team mainly comprises individuals who are involved in the process being assessed; they play the major role in ensuring that the risks pertinent to the process or activity are identified and addressed appropriately.

The internal auditor facilitates the CSA process by performing the following steps.

    1. Conduct an Initial Meeting

    • Similar to the entrance meeting of an audit, the initial meeting is held to finalize the following details:
      • CSA team members
      • Objectives and scope of the project
      • Timeline for completing the engagement

    2. Execute the Engagement Letter

    • The Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing (Standards) state: "Internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding must be documented." To comply with the letter and spirit of the Standards, a formal engagement letter should be prepared to document the objective, scope, process, and roles and responsibilities.

    3. Perform the CSA

    • Each step listed below is crucial for the program's success.

      • Identify risks: The CSA team identifies and documents the risks pertinent to the process. This is the most important step, since all of the remaining procedures stem from it.
      • Identify corresponding control(s) and evaluate their design effectiveness: Identify and document the control(s) that address each risk identified in the previous step. The design of each control is evaluated to determine whether adequate controls exist to address the risk. If the CSA team concludes that a control does not exist or is inadequate, an opportunity for improvement is developed.
      • Evaluate the operating effectiveness of controls: For controls that are designed effectively, one or more of the following techniques can be used to evaluate whether they operate as intended: Team Meeting, Survey, and Facilitated Workshop.
      • Validate results: The assessment results must be validated by someone independent of the process to ensure that the evidence supports the conclusion(s).
      • Identify opportunities for improvement: Opportunities for improvement are developed from the conclusions of the Team Meeting, Survey, and Facilitated Workshop.
      • Develop Management Action Plan: Management, guided by the auditors, develops an action plan to enhance the controls.

    4. Share the Results

    • The report is issued by the process owner and addressed to Management. It includes the following: Objective, Scope, Methodology, Analysis of Results, Conclusion, and Management Action Plan.

    5. Post Engagement Survey

    • Consider sending a post-engagement survey to the CSA client to solicit feedback on the engagement; it will help improve the process.

    6. Follow Up

    • Follow up on the planned actions to ensure that gaps in controls are remediated.

Conclusion

CSA promotes departments taking a structured approach to assessing risks and controls, and through this it promotes accountability for controls. In addition, it helps process owners and operational staff gain a better understanding of their operations and of the importance of their respective roles and responsibilities in addressing risks to the institution and achieving organizational goals. By facilitating CSA projects, the audit department builds a trusting relationship with departments on campus. The audit team also gains insight into departments' risk management practices and control environments, which is vital input to the annual risk assessment process. Internal audit departments can successfully facilitate CSA engagements using fewer resources than an audit requires while providing great benefit to the business units.

Risk, Compliance, and Controls: A Three-Pronged Approach

When it comes to risk management and compliance, the knowledge of three groups is better than one. At least, that has been the experience of Case Western Reserve University (CWRU or university). We have taken a three-pronged approach to risk, compliance, and controls. Internal Audit, co-sourced with Deloitte & Touche LLP (Deloitte[1]); Enterprise Risk Management (ERM); and Compliance are the three units that work together to safeguard the university's community and assets.

Deloitte has been engaged by CWRU for over 10 years and assists in developing and executing the annual internal audit workplan and in performing special, one-off reviews based on emerging areas of risk or potential control deficiencies. ERM, which is headed by the university's Director of Audit Services, takes a holistic approach to risk at a university-wide level. ERM identifies the university's top ten risks, understands how CWRU is trying to mitigate them, and assesses how they affect our operations and strategic plans. As these risks are often interconnected, we try to develop a deeper understanding of their complexity so that we can decide whether to mitigate or accept each risk. Lastly, the compliance function is headed by the Chief Compliance Officer, who reports to the Office of General Counsel. Compliance helps ensure that departments on campus understand their obligations from a legal and risk-based standpoint.

There are myriad benefits to this triumvirate approach. Having three separate departments look at risk and controls gives a broader perspective on the organization's activities and brings a multidisciplinary approach to problem-solving. The different backgrounds allow for the coverage of a wide swath, with ERM focusing on strategy and operations, Internal Audit on internal controls, and Compliance on regulatory matters. These separate points of view allow us to see which issues may be on the horizon and which others may be starting to fade into the background. For instance, at CWRU, the Compliance Program leads the university on export controls compliance. When issues of undue foreign government influence rose in visibility over the past few years, Compliance brought that issue to the group. During the height of the COVID-19 pandemic, ERM was deeply involved with operational risks on campus relating to the rules of the road for faculty, staff, and students. Now that the pandemic has become more of a known, managed risk, we have been able to shift its ranking to one that is less urgent. From the annual internal audits performed by Deloitte, we learn whether and how the controls are working in areas that we are tracking in ERM and Compliance, such as the management of grants or endowment stewardship.

Not all risk is bad, and discussions within the group have prompted us to see which risks might represent opportunities. For example, the need to shift university operations and activities because of the pandemic allowed us to see new opportunities. Online learning and the skills we gained from adapting to new modes of teaching have blossomed in the pandemic's wake. Each of our three offices has a seat at different tables across campus, which has allowed us to disseminate our message about a risk-intelligent tone at the top and a culture of compliance. Over the years, this has sunk in at various levels, and university community members now consult our departments when risk or control situations arise where they might not have done so in the past. This, of course, is a very good cultural shift on campus.

Annually, we perform a large risk assessment that is led by Internal Audit with the support and participation of ERM and Compliance. The assessment is usually performed between the end of summer and the beginning of the academic year in early fall. We gather insights through live meetings with some groups (in person and virtually) and surveys for others, depending on risk profile and department size. This process usually touches roughly 30 unique departments, schools, and units on campus. Some years we add units or drill down deeper within a department if issues arise that warrant it. For the individuals we speak with in person, pre-determined questions on the risk topics are sent ahead of time to the attendees, which gives them time to reflect on what they are seeing in their departments, their schools, and the university as a whole. In the meetings, the discussions organically move into various areas of concern and risk management practices. The process has come to be seen on campus as a safe space for people to express their thoughts and opinions. We have found that participants do not hold their concerns back, which is a good way to get many "real items" out on the table. We perform ad-hoc follow-ups during the year to see if there have been any changes to what people are seeing or hearing, and we always leave the door open for individuals to come to us with their concerns or ideas.

The annual risk assessment meetings inform and drive Internal Audit's testing program for the year. The broad risk discussions and survey results help Internal Audit identify which auditable risks are top of mind for leaders. The risk assessment process also helps inform Internal Audit of areas where control and process gaps may exist, or where controls may be designed appropriately but are not consistently operating effectively. Having the perspectives of ERM and Compliance also helps Internal Audit prioritize the risk universe and develop a risk-based internal audit workplan. Internal Audit also gathers insights from ERM and Compliance on their upcoming initiatives and workplans. By working together on the risk assessment and sharing our plans, we can cover a broad spectrum of risk and avoid duplicating efforts or overwhelming stakeholders.

ERM benefits from these annual risk meetings in that they help refine the organization's most significant risks.

Our ERM program is specifically designed to capture and monitor risks holistically for the university. While the program is formally updated three times a year, we generally reach out to key stakeholders more often throughout the year to get a sense of current or impending changes. We measure each risk to the university by its expected impact, probability, outlook, and the maturity of mitigation preparedness. It is also important to see how the risk has changed over time. The ERM program is meant to be dynamic, as the university changes and the environment we operate in also changes. Sometimes risks are added because they have become heightened, and sometimes they are removed from the top of the list as they shuffle towards the background when circumstances on campus change.

The annual risk assessment meetings help Compliance identify vulnerabilities in compliance functions across the organization. They give Compliance "eyes and ears" across a wide swath of campus, ensuring that if any new compliance-related risks are on the horizon, the appropriate unit is managing them. Compliance works continually with departments to ensure that areas with significant compliance requirements and risks make improvements and keep important metrics top of mind. The office has created an internal dashboard to track progress within fifteen key compliance areas at the university. Tracked items include the assignment of oversight responsibilities, appropriate policies and procedures, compliance training and education, monitoring of compliance with policies, and violation investigations. We have found this to be a very successful method of tracking and quantifying compliance-related risk.

This in-depth, three-pronged approach to risk, compliance, and controls has become a cornerstone of our ability to view and process risk on campus. It can be easy to fall into the trap of siloed offices and walled-off environments within a university, but this integrated and open method has allowed us to move forward and create new paths that could not have existed otherwise. The end goal is always to safeguard the university from unnecessary risk while allowing those risks that will let us flourish to be monitored and handled with well-placed guardrails. It is an enjoyable process that brings a sense of satisfaction and security to our campus.


[1] As used in this document, "Deloitte" means Deloitte & Touche LLP, which provides audit and enterprise risk services. Deloitte & Touche LLP is a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Data Privacy Primer: Regulations & Risks

Privacy Background

What is this concept of "privacy" we hear so much about in today's news? Where did privacy originate, and why does it matter? In this article we will define privacy, discuss its importance and review some applicable laws.

The modern-day concept of privacy is often attributed to Samuel Warren and Louis Brandeis' 1890 essay "The Right to Privacy," in which they invoke "the right to be let alone" in arguing that existing law already supported individual privacy protections. Privacy is generally defined as the right to be let alone, or freedom from interference or intrusion. The International Association of Privacy Professionals defines information privacy as "the right to have some control over how your personal information is collected and used." However, the meaning of privacy may vary depending on an individual's, organization's or country's perspective. For some, privacy means being protected from data breaches or identity fraud. For others, privacy is a fundamental right related to personal and family life, home and correspondence.

When we refer to privacy, we are referring to the elements that make up personally identifiable information (PII). Examples include, but are not limited to, name, date of birth, physical address, phone number, Social Security number, financial account numbers (e.g., bank account and credit card numbers) and protected health information. The privacy principles defined by the Organisation for Economic Co-operation and Development (OECD) in its 1980 privacy guidelines form the backbone of privacy laws and privacy protection frameworks worldwide. The following principles are found throughout most privacy regulations:

Collection Limitation: Personal data should be collected by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject, and collection should be limited to what is needed.

Data Quality: Data should be relevant to the purposes for which it is used and, to the extent necessary for those purposes, accurate, complete and kept up to date.

Individual Participation: An individual should be able to learn whether an organization holds data about them, obtain that data within a reasonable time, and challenge it and have it erased, rectified or amended if the challenge succeeds.

Purpose Specification: The purposes for which personal data is collected should be specified no later than the time of collection, and data should not be collected arbitrarily.

Use Limitation: Collected data should be used or disclosed only for the purposes specified at the time of collection, not for broader future use, except with the consent of the data subject or by authority of law.

Security Safeguards: Reasonable security safeguards must protect data against loss and against unauthorized access, destruction, use, modification or disclosure. Most laws call for reasonable and appropriate security measures based on a risk determination rather than perfection.

Openness: An organization should be open about its practices and policies for personal data, so that data subjects can readily establish what types of data are collected, the main purposes for which they are used, and who the data controller is.

Accountability: Data controllers should be accountable for adhering to these principles. Ideally, a person in the organization should be dedicated to ensuring that privacy principles are followed; the concept of a data protection or privacy officer originated with this principle.

Defining Key Concepts

While data privacy focuses on the use and governance of PII, data security focuses on protecting PII from malicious attacks and improper disclosure. Privacy cannot be protected without an associated security component.

Privacy professionals frequently reference Privacy by Design, a proactive and intentional approach in which privacy is the default in technology system design and is considered at the earliest stage[1]. As opposed to an ad hoc approach, where privacy discussions take place in later stages of system development, the Privacy by Design framework is applied to the whole data life cycle, from creation through collection, storage, archiving, de-identification and deletion.

PII processing refers to any operation or set of operations performed on personal data, whether or not by automated means. It includes data collection, recording, storage, retrieval and erasure.

With these definitions in hand, let's explore why privacy is important in today's world.


Importance of Privacy

An individual's privacy is a fundamental right and is closely connected to human dignity. It is the foundation on which other human rights are built. Privacy protects against the abuse of power by limiting what can be ascertained about individuals and providing shelter from those who may wish to exert control. Ensuring individual privacy protects us from the arbitrary and unjustified use of power by states, companies and other actors.

However, data is an increasingly valuable asset. With the rise of the data economy, organizations and nation-states have found significant value in collecting, sharing and using data. Companies like Amazon, Facebook and Google have built their organizations on data[2]. Collecting data gives organizations the power to explain, predict and even control behavior. This is particularly valuable for advertising and marketing. For example, Netflix uses data analytics for personalized recommendations. With over 100 million subscribers, Netflix collects large volumes of data. If you are a subscriber, you are familiar with how the company suggests the next movie you should watch by using your search history and viewing data. This data gives them insights into your interests. Without proper regulatory protections and legal recourse, you would have little control over how Netflix and other companies use and share your personal data.

In her 2019 book "The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power," Shoshana Zuboff describes surveillance capitalism as an economic system centered on the commodification of personal data with the core purpose of profit-making. Commodification makes personal data a valuable resource. Zuboff points out that tech companies and other corporations are mining users' information to predict and shape their behavior, undermining personal autonomy and potentially eroding democracy.

Primary Privacy Laws

But surely there are privacy laws that provide protection against this abuse of personal data?

Unlike Europe, the U.S. has enacted a patchwork of privacy laws, generally targeted at protecting consumers. The Federal Trade Commission (FTC) serves as the primary federal enforcer of consumer data privacy and security laws for many businesses. Enforcement centers on fraud, deception and unfair business practices. Institutions that violate consumer privacy rights or mishandle sensitive consumer information may face legal enforcement actions brought by the FTC and state authorities. The U.S. Department of Health and Human Services (HHS) governs health privacy protections, focusing on compliance guidance, with the Office for Civil Rights (OCR) acting as the enforcement arm for HHS privacy regulations.

U.S. laws to be aware of in the education and health care sectors (i.e., those that affect academic medical centers) include:

Family Educational Rights and Privacy Act (FERPA) gives parents and students certain protections pertaining to student education records such as grade reports, transcripts, disciplinary records, contact and family information, and class schedules. FERPA requires written consent from the student or parent for the release of education records, subject to a limited set of exceptions (for example, disclosure to school officials with a legitimate educational interest).

Children's Online Privacy Protection Act (COPPA) protects the privacy of children under 13 years of age. It requires website or online service operators to obtain verifiable parental consent before collecting personal information from children and stipulates how that data can be processed and held.

Gramm-Leach-Bliley Act (GLBA) requires financial institutions, defined as companies offering financial products or services (a definition that includes colleges and universities that administer student financial aid), to explain their information sharing practices and to protect against unauthorized access to, or use of, personal information that could result in substantial harm or inconvenience to a customer. GLBA requires financial institutions to ensure the security and confidentiality of customers' information.

Health Insurance Portability and Accountability Act (HIPAA) is designed to protect the confidentiality and security of a patient's health care information, defined as any individually identifiable information relating to the past, present or future physical or mental health of an individual. It covers all communication media, whether written, verbal or electronic. HIPAA includes the Privacy Rule, which protects a patient's right to keep health information private, and the Security Rule, which requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of electronic protected health information. HIPAA violations can result in significant penalties for noncompliant organizations and individuals.

In addition to these federal regulations, various states have enacted privacy laws to protect personal data in the consumer setting. Most notably, California enacted the California Consumer Privacy Act (CCPA), which is designed to protect the privacy rights of California residents. It gives consumers the right to control how companies collect and use their personal data. Several other states have enacted similar laws, and more are expected to do so in the coming years; note that these state laws typically exempt data already governed by federal regulations such as HIPAA, GLBA and FERPA.

From an international perspective, institutions should be aware of country-specific privacy laws. Most notably, the General Data Protection Regulation (GDPR) requires organizations to ensure that the personal data of individuals in the European Union is gathered lawfully and under specific conditions, regardless of the individual's citizenship. Institutions that process personal data are obliged to protect it from misuse and exploitation and to respect data subjects' rights. Those who fail to do so may face significant penalties. GDPR requirements spurred the development of privacy policies (and cookie banners) in which organizations offer transparency into their data collection and management practices.

Conclusion

As more attention is focused on privacy, both internationally and domestically, consumers and clients will increasingly expect institutions to protect their personal information and embed privacy considerations into their business strategies. In a report published in November 2019 as part of Cisco's Cybersecurity Series, "Consumer Privacy Survey: The Growing Imperative of Getting Privacy Right," 32% of the 2,601 adults surveyed stated that they care about privacy and had already taken action by switching companies or providers in response to data policies or data-sharing practices. Along with the increase in privacy regulations worldwide, this should be a catalyst for organizations to establish or update their privacy programs.

In the second part of this article, we will explore areas auditors should consider reviewing when evaluating functions and processes involving personal data.

References

[1] Deloitte, GDPR Top Ten #6: "Privacy by Design and by Default"; Shay Danon; February 2017
[2] MIT Technology Review: "It's time to rein in the data barons"; Martin Giles; June 19, 2018

ACUA and EDUCAUSE Intersect to Assist Campuses: An Interview with John O'Brien

Foreword by College and University Auditor Journal Editor:

EDUCAUSE is a nonprofit association serving over 2,300 colleges, universities, and organizations across 45 countries, which collectively educate over 16 million students. EDUCAUSE's mission is to advance higher education through technology innovation, making it a great resource for ACUA members! EDUCAUSE's president and CEO, Dr. John O'Brien, spent 30 years in higher education in key leadership roles and often shares his expertise on the intersection between higher education and technology. In May 2019, John interviewed ACUA Past-President Justin Noble and published "The Internal Auditor as a Trusted Resource: An Interview with Justin Noble" in EDUCAUSE Review, discussing how Information Technology (IT) leaders can partner with internal auditors. Now ACUA has interviewed John to understand how to work effectively with Chief Information Officers (CIOs), to gain insight on some high-risk IT areas to watch out for, and to learn about information and resources available to member institutions. ACUA's questions are in bold and John's answers follow.

      Internal auditors base our audits on risk. Based on your research and input from CIOs, what do you see as the high risk IT areas over the next few years?

      For anyone  tracking EDUCAUSE’s top 10 IT issues over the years, it will come to no surprise that the first words out of my mouth are “cybersecurity.” This is an ongoing, dynamically changing threat for colleges and universities. The pandemic seems to accelerate so many trends we are seeing, including more nefarious activities and more sophisticated threats, such as nation states targeting intellectual property.

      There are, of course, many other risks on the radar of higher education CIOs, and because of the complexity of the risk landscape we strongly encourage campuses to consult resources on our IT Governance, Risk, and Compliance site, which includes risk management resources and a very useful IT risk register tool. With all the existing and changing risks, collaboration across an institution is necessary.

      In addition, our October 2020 EDUCAUSE QuickPoll data suggests that around two-thirds of campuses are experiencing IT budget cuts, with 10% as the median reduction—and over 40% expect more to come. Navigating decreased investments in IT at a time when technology has been the linchpin of strategic campus pandemic responses will be a big challenge this year and perhaps for many to years to come. With inevitable declining budgets, institutions also may want to identify new efficiencies and other transformational approaches to risk, compliance, and privacy.

      A significant shift to Cloud services is occurring across higher education. Are there EDUCAUSE resources auditors can leverage to keep up with Cloud developments?

      The cloud can be a pretty risky place. In many cases you are handing institutional data over to third party providers, and it is important to go forward with a clear understanding of the risks involved in cloud vendor relationships. To help institutions measure vendor risks, we have developed (along with our member-led Higher Education Information Security Council) the Higher Education Community Vendor Assessment Toolkit (HECVAT). It is a questionnaire framework specifically designed for higher education solutions providers to confirm that information, data, and cybersecurity policies are in place that protect sensitive information. Preparing the IT Organization for the Cloud is a good resource for background information about the cloud. While not focused on cloud computing technology, it does include a wealth of information about what it takes to move services to the cloud and how an institution might prepare for that. 

      What skills and abilities would a typical higher education CIO hope that an IT auditor would possess (e.g., technical, interpersonal, communications)?

      I think the dream auditor would be one who sees the engagement as an opportunity for collaborative discovery and who is willing to begin an audit with the goal of deep understanding, while resisting any rush to drive toward findings. In my opinion, what is true for great leaders is true for great auditors—a bias for “turning to wonder” rather than “turning to judgment.”  It is easier to judge than to wonder genuinely why something initially seems out of the norm. I do understand that you could make the case that turning to judgment is woven into the job description for an auditor—that is true, but one might also expect that tactics and operations are a core competency for a CIO; however, that has changed over the last decade. IT is far more than executing tactics, especially in a pandemic.

      We hope for auditors who understand that IT is more than just operations. IT has become less a utility and more and more a strategic asset. Understanding the work IT does in this broader strategic context would improve the audit process and results. 

      What are the best ways that internal audit can partner with CIOs to improve IT people, processes, and technology?

      I think it would be remarkable if IT auditors would dig into the priority work at EDUCAUSE over the last few years around digital transformation (“Dx”) and bring this lens and thinking into play. Being a partner with IT in advancing digital transformation as an institutional differentiator has great promise connecting “people, processes, and technology.”  The difference between ad hoc technology innovation and Dx is exactly that, that it embraces major shifts that go far beyond  technology alone. Technology can be cool, but transformational change embodies changes in workforce and culture as well.

      What do CIOs most appreciate about the audit process?

      CIOs most appreciate when an audit process is transparent and thoughtfully scoped so that focused resources can be directed at supporting meaningful exploration and helpful findings. Anything that can illuminate a pathway of authentic curiosity and discovery will make it less likely that the engagement will take on the “gotcha” aspect that benefits no one. Additionally, CIOs especially appreciate it when audit findings help her or him make the case for needed or overdue investments in technology or staffing.

      When Board members (or CIOs) come from a corporate background, what should they know about higher education?

      Folks moving from a corporate background to higher education should know that they may need to master another language. Some words and concepts that meant one thing in industry mean something else in higher education. For example, “customer” is inaccurate or even offensive to many in higher education circles, and even if it were generally accepted, it is more complex than for most businesses. IT’s “customer” may be the faculty, while faculty’s “customer” might be students or research funders, or both. And institutions don’t just serve students; they serve their communities, their local government bodies, and so much more. Aside from the language challenges, of course those from a corporate background will need to adjust to the fact that it simply takes considerably longer to get things done in higher education.

      What EDUCAUSE resources are the most popular for your members?

      EDUCAUSE Review (ER), our digital flagship magazine, has a wide range of articles and content on many topics. ER has received numerous awards and continues to keep our members up-to-date at the crossroads of higher education and technology innovation. Of course, like ACUA, professional development is a big part of how we serve our members, and our conferences and events are very popular. In 2020, we added virtual conferences and institutes to the mix, with great results, and in early 2021 we will be launching a new mentoring initiative that I am really excited about. If your institution is an EDUCAUSE member, please let us know if you would like to become, or connect with, a mentor. Additionally, our research is very popular with our members, most notably the Top 10 IT Issues, as well as the Student Technologies and Horizon Reports.  

      Finally, as we reflect on the tremendous racial injustices last year, our members have appreciated our intentional effort to prioritize diversity, equity, and inclusion (DEI), including infusion of DEI themes in our professional development, publications, and research. In the second half of 2020, around 20% of our publications were related to DEI themes. Our CIO DEI Commitment statement has been signed by nearly 600 to date, and this year we are focusing on going beyond words and statements and prioritizing action.

      What could future collaboration between ACUA and EDUCAUSE look like?

      So many ACUA members are members of EDUCAUSE as well, and we could intentionally seek out and promote opportunities to point each other toward our resources. We have—thanks to the pandemic—been moving toward faster responsiveness to members through QuickPolls that launch and report on timely topics in days, not the months you would expect from more traditional research. QuickTalks (like this one) make it possible to spin up discussions on emerging topics for members. This agile programming would be useful to ACUA members, and we could explore areas of interest to both our members in these and other venues. I enjoyed the chance to be a keynote speaker at AuditCon 2019 and discuss digital ethics, and I think topics like these are the kind of thing that captures the imagination of auditors and IT professionals alike. 

      Many institutions are EDUCAUSE members, but if yours is not yet, join today!

      Student and Minor Safety

      Over the years the number and complexity of safety risks and requirements has steadily grown to the point that a strong safety governance structure is vital to ensure risks are properly identified and adequate resources and management support are in place to address these risks. There have been numerous safety incidents at colleges and universities which have had disastrous consequences that have made national headlines. Safeguarding students and employees is a paramount concern of federal, state, and local governments, as well as the colleges and universities that enroll and hire these individuals.

      Developing a Preventative and Sustainable P-Card Program

      Purchasing card (P-Card) spending is on the rise, particularly among colleges and universities. P-Card use is expected to increase 62 percent by 2018, reaching $377 billion, according to the 2014 RPMG Purchasing Card Benchmark Survey. The expansion of P-Card programs is expected to continue given the myriad benefits P-Cards offer, including streamlining the procure-to-pay process, lowering operational costs and taking advantage of supplier discounts. Originally, P-Cards were used for small-dollar transactions to reduce or eliminate the need for petty cash. As P-Card use has grown, however, it has become increasingly difficult to maintain compliance, because organizations struggle to gain insight into their programs. Analyzing high transaction volumes in spreadsheets and manually reviewing receipts is labor-intensive and inefficient.

      TWO PERSPECTIVES, ONE COMMON GOAL

      From the standpoint of internal audit, the objective of reviewing a P-Card program is to detect and deter fraud, waste and abuse. There are many ways to search for fraud, but most are not foolproof. Sampling is unreliable for detecting and preventing misuse, because the transactions not sampled are never examined; card issuer applications provide limited data; and spreadsheets have capacity limitations and are prone to errors.

      Many auditors have found success in using purpose-built data analytics tools to extract and analyze data from different sources and file types to detect instances of fraud, waste and abuse. These tools provide the ability to examine 100 percent of the P-Card program data. More than ever, auditors are embracing technology to stay ahead of risks and exposures that may lead to revenue losses.

      From a business standpoint, the objectives are slightly different. While detection of misuse is important, stakeholders within the organization not only need to know that something went awry; they want to dive deeper into specific risk areas to identify underlying causes. Data analytics can help auditors look through high volumes of transactional data to identify anomalies, but when run after the fact it is a reactive approach: infractions are seldom caught in time to recover funds. In fact, it takes an average of 24 months to detect procurement fraud, by which time 89 percent of all proceeds are unrecoverable. The business goal is to stay well ahead of the problem.

      PREVENT A CULTURE OF MISUSE

      The tolerance threshold varies for every organization. If a $300 million P-Card program incurs $20,000 in annual misuse, the convenience and administrative cost savings may offset the loss. However, inappropriate spend involving large sums of money could quickly become newsworthy and damaging to the organization’s reputation. Stakeholders need assurance that preventative measures are in place and working properly.

      “Continuous monitoring is about creating a sustainable internal control environment, not creating more work. It goes beyond identifying a single set of problems to providing actionable insights to the business. Organizations can create a collaborative environment where everyone works to strengthen controls, while expanding the P-Card program.”


      Transactional data can be analyzed on its own, but some misuse goes unnoticed without information from other sources such as accounts payable and human resources. For example, if John uses his P-Card to purchase gasoline while on vacation, the misuse is typically not found using traditional auditing techniques, because fuel is a normal expense for John: his position requires business travel, and the transaction record alone does not show that he was on leave that day. Only the HR vacation schedule reveals the problem. John shares his clever cost-saving tactic with a close coworker, who begins to take advantage of similar weaknesses in the system for personal gain. The culture of misuse perpetuates and continues to go undetected.

      When looking at exceptions, can you determine whether each one was an isolated incident, where the policies and procedures simply need to be explained more clearly, or a habitual problem? How many times has each employee violated the policies? Was one person in violation while the majority followed policy? Is there a department that tends to have multiple violations on a regular basis? Is misuse concentrated in specific spending categories? These questions can only be answered if the analysis includes data from different sources, such as employee data, category of spend, etc.

      Running data analytics to test P-Card data provides some valuable details about exceptions, especially when you incorporate multiple data sources including:

      • P-Card Transaction Data – Provided by the card issuer and contains records of all transaction details including merchant category code, item description, purchase date, amount and vendor name.
      • Cardholder Master – Provided by the card issuer and contains data for all cardholders in the P-Card program. Details include the last four digits of each card, monthly card limit, card status, date issued, etc.
      • Employee Master File – File of employees with details such as employee name, identification number, department, vacation schedule and employment status.
      • Expense Signoff – Expenses submitted by employees with details such as purchase date, cardholder comments and manager signoff details.
      • Accounts Payable (AP) – Lists payments made by AP and details such as invoice date and number, vendor name, item description and transaction amount. This data can be used to detect duplicate transactions across P-Card and AP processes.

      Additionally, if the organization uses an expense management system such as Concur, data can be automatically extracted and analyzed on a regular basis to ensure compliance. Expense management systems allow employees to submit expenses for approval and/or reimbursements.

      Broadening the scope of data being examined helps bridge gaps and allows you to see fraud schemes that would be impossible to detect otherwise.

      ASSESS RISK AND CONTROLS

      To gain an understanding of the unique ways P-Cards are being used within the organization, and whether policies and procedures are being followed, perform a risk and controls assessment. By testing historical data, you can establish a benchmark to gauge the severity of issues and identify problem areas. Begin by comparing current data with the prior year to detect normal and abnormal spending trends. Calculate average spend by department to look for outliers and unusual spending patterns. Historical data is useful for assessing the entire data population year over year.

      Examples of Analytics Tests/Queries:

      • Monitor for duplicate payments between P-Card merchants and Accounts Payable vendors
      • Check for charges at inappropriate or unusual merchants (e.g., department stores, cash advances, personal care) by merchant category code (MCC) or vendor name keyword search
      • Pinpoint split charges to circumvent purchasing card limits
      • Identify cards used by terminated employees and/or employees on leave of absence
      • Search for expenses that may be approved without verification of receipt
      • Look for cardholders who made purchases on weekends or holidays
      • Check for unused or duplicate cards, which may be causing unnecessary liability
      • Search for sales tax charges. As non-profit organizations, most universities are exempt from sales tax, so tax on a transaction usually means the exemption was not applied.
      • Identify the top 20 spenders to pinpoint which cardholders have the highest total purchases
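
      Several of the tests above, and the cross-source joins described under the data sources list, can be written directly as queries. The following is an added example, not code from the article, from the University of Miami program it describes, or from any vendor tool; it loads constructed extracts (a cardholder master, an employee master, an HR vacation schedule, card transactions and AP payments, all invented here and labelled as such) into an in-memory SQLite database and runs five tests as SQL: split charges against a single-transaction limit, cards used after termination, weekend purchases, P-Card/AP duplicates, and the "fuel while on vacation" case from the text. The table and column names, the single-transaction limit column (the article's cardholder master lists only a monthly limit), and the MCC values used are assumptions.

```python
import sqlite3

# Constructed sample extracts (illustrative only; not from the article).
CARDHOLDERS = [  # card_last4, employee_id, monthly_limit, single_txn_limit (assumed), status
    ("1111", "E1", 5000.00, 2500.00, "ACTIVE"),
    ("2222", "E2", 5000.00, 2500.00, "ACTIVE"),  # card never closed after termination
    ("3333", "E3", 5000.00, 2500.00, "ACTIVE"),
]
EMPLOYEES = [  # employee_id, name, department, status, termination_date
    ("E1", "Alice", "Facilities", "ACTIVE", None),
    ("E2", "Bob", "Research", "TERMINATED", "2024-03-15"),
    ("E3", "Carol", "IT", "ACTIVE", None),
]
VACATIONS = [("E1", "2024-04-10", "2024-04-14")]  # employee_id, start_date, end_date (from HR)
CARD_TXNS = [  # txn_id, card_last4, txn_date, amount, merchant, mcc, description
    (1, "1111", "2024-04-02", 2400.00, "Lab Supply Co", 5047, "microscope part A"),
    (2, "1111", "2024-04-02", 2300.00, "Lab Supply Co", 5047, "microscope part B"),
    (3, "2222", "2024-04-05", 89.50, "Shell", 5541, "fuel"),
    (4, "3333", "2024-04-06", 150.00, "Office Depot", 5943, "toner"),   # a Saturday
    (5, "3333", "2024-04-08", 1200.00, "Dell", 5045, "laptop"),
    (6, "1111", "2024-04-09", 45.00, "Amazon", 5942, "books"),
    (7, "1111", "2024-04-12", 60.00, "Shell", 5541, "fuel"),            # during vacation
]
AP_PAYMENTS = [("INV-77", "Dell", "2024-04-08", 1200.00)]  # invoice_no, vendor, invoice_date, amount


def build_db():
    """Load the extracts into an in-memory SQLite database and return the connection."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cardholders(card_last4, employee_id, monthly_limit, single_txn_limit, status);
        CREATE TABLE employees(employee_id, name, department, status, termination_date);
        CREATE TABLE vacations(employee_id, start_date, end_date);
        CREATE TABLE card_txns(txn_id, card_last4, txn_date, amount, merchant, mcc, description);
        CREATE TABLE ap_payments(invoice_no, vendor, invoice_date, amount);
    """)
    conn.executemany("INSERT INTO cardholders VALUES (?,?,?,?,?)", CARDHOLDERS)
    conn.executemany("INSERT INTO employees VALUES (?,?,?,?,?)", EMPLOYEES)
    conn.executemany("INSERT INTO vacations VALUES (?,?,?)", VACATIONS)
    conn.executemany("INSERT INTO card_txns VALUES (?,?,?,?,?,?,?)", CARD_TXNS)
    conn.executemany("INSERT INTO ap_payments VALUES (?,?,?,?)", AP_PAYMENTS)
    return conn


def split_charges(conn):
    """Same card, same merchant, same day: each charge under the single-transaction
    limit, but the total over it. Returns (card_last4, merchant, date, count, total)."""
    return conn.execute("""
        SELECT t.card_last4, t.merchant, t.txn_date, COUNT(*) AS n, SUM(t.amount) AS total
        FROM card_txns t JOIN cardholders c ON c.card_last4 = t.card_last4
        GROUP BY t.card_last4, t.merchant, t.txn_date, c.single_txn_limit
        HAVING n > 1 AND total > c.single_txn_limit AND MAX(t.amount) <= c.single_txn_limit
    """).fetchall()


def terminated_employee_usage(conn):
    """Transactions dated after the cardholder's termination date (join to HR master)."""
    return conn.execute("""
        SELECT t.txn_id, e.name, e.termination_date, t.txn_date, t.amount
        FROM card_txns t
        JOIN cardholders c ON c.card_last4 = t.card_last4
        JOIN employees e ON e.employee_id = c.employee_id
        WHERE e.status = 'TERMINATED' AND t.txn_date > e.termination_date
        ORDER BY t.txn_id
    """).fetchall()


def weekend_purchases(conn):
    """ISO dates let SQLite compute the weekday: %w is 0 (Sunday) .. 6 (Saturday)."""
    return conn.execute("""
        SELECT txn_id, card_last4, txn_date, amount, merchant
        FROM card_txns WHERE strftime('%w', txn_date) IN ('0', '6') ORDER BY txn_id
    """).fetchall()


def pcard_ap_duplicates(conn):
    """Same vendor and amount paid by both P-Card and AP within 30 days of each other."""
    return conn.execute("""
        SELECT t.txn_id, a.invoice_no, t.merchant, t.amount
        FROM card_txns t JOIN ap_payments a
          ON lower(t.merchant) = lower(a.vendor) AND t.amount = a.amount
         AND abs(julianday(t.txn_date) - julianday(a.invoice_date)) <= 30
        ORDER BY t.txn_id
    """).fetchall()


def fuel_during_vacation(conn):
    """The article's 'John buys gasoline on vacation' case: fuel MCC charges that fall
    inside an HR vacation window for the cardholder (assumed MCC 5541 = service stations)."""
    return conn.execute("""
        SELECT t.txn_id, e.name, t.txn_date, v.start_date, v.end_date, t.amount
        FROM card_txns t
        JOIN cardholders c ON c.card_last4 = t.card_last4
        JOIN employees e ON e.employee_id = c.employee_id
        JOIN vacations v ON v.employee_id = e.employee_id
        WHERE t.mcc = 5541 AND t.txn_date BETWEEN v.start_date AND v.end_date
        ORDER BY t.txn_id
    """).fetchall()


if __name__ == "__main__":
    db = build_db()
    for test in (split_charges, terminated_employee_usage, weekend_purchases,
                 pcard_ap_duplicates, fuel_during_vacation):
        print(f"{test.__name__}: {test(db)}")
```

      Each function returns its exceptions as rows so they can be routed to the remediation workflow discussed later rather than merely printed; in production the same queries run against the full population on a schedule, and the vacation and termination joins are exactly the cross-source checks that transaction data alone cannot make.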

      Next, break the queries down into sub-processes to pinpoint problem areas such as:

      • Card issuance: Involves the assignment of cards to appropriate departments and employees
      • P-Card usage: Involves examining card spend across departments and employees to detect outliers or unusual spending patterns
      • Policy management: Determine whether existing policies and procedures are being followed by all employees

      Reliable Remediation

      When an exception is detected, how is it dealt with, or is it dealt with at all? Traditional remediation, usually conducted by email, is time consuming, unreliable and error prone. Multiple follow-ups among several parties are needed to ensure resolution, and managers are not always told whether an issue has been resolved. Continuous monitoring tools can automate remediation follow-ups until resolution is achieved, including escalation if the issue is not addressed within a set timeframe. This workflow can be customized to align with the organization’s business processes and structure.

      Get the Big Picture of the P-Card Program

      Continuous monitoring tools offer dashboards that present information graphically on key program metrics such as the amount of spend across a period of time and the level of exceptions. Dashboards can be configured based on what the end users want to see or what information is beneficial to department leaders.

      Reviewing trends and patterns can help gauge the performance of controls and policies and identify potential gaps that need addressing. Visualization helps the end user consume data and insights by looking at patterns, not just rows and columns of numbers. Trends become more apparent, and the data becomes more useful to everyone participating in the review process.

      Sustained Growth

      P-Card programs often lose the support of top management if there are repeated cases of misuse, especially if they are discovered too late to take corrective action and recover losses. The administrative cost savings, convenience and efficiency gains associated with using P-Cards benefits the organization, but only if exposure and risk are managed properly. Management needs assurance that policies and procedures are being followed, and audit is staying ahead of misuse.

      The University of Miami, which includes academics, hospitals and research facilities, is growing at a rapid pace. Their growth will undoubtedly lead to an increase in P-Card use. The university’s internal audit department has already taken steps to move from periodically reviewing random samples of P-Card transactions to continuously monitoring 100 percent through the use of data analytics technology. Exceptions are shared with department managers to provide a comfort level about how P-Cards are being used within the organization, and whether policies and procedures are being followed.

      “As our corporate cards program grows, we provide assurance at both the department and management levels that we have sufficient policies and procedures in place to review transactions,” said Hiram Sem, Executive Director of Treasury Operations and Cash Management, University of Miami. “Card holders must understand they are responsible and accountable, but we must also carefully monitor expenditures to identify unauthorized charges early. Technology has helped us refine our review process and handle larger data volumes that come with expansion.”

      The value of continuous monitoring reaches well beyond exception detection. There are three advantages driving the trend towards continuous monitoring:

      • access to more data sources to get a complete picture of what is transpiring within the organization;
      • the ability to assess whether policies are being followed; and
      • the empowerment to improve business processes by gaining deeper insights.

      An organization working toward a problem-free environment needs a sustainable process for proactively finding and addressing issues, and continuous monitoring provides one. When employees know every transaction is being reviewed, that knowledge itself becomes a catalyst for behavioral change within the organization.

      Advisory Services: Balancing Value and Independence

      Internal audit offices are best positioned to enhance and protect their organizations when they provide both assurance and advisory services. Devoting more time to advisory services has both its risks and rewards. One of the greatest rewards includes enhancing relationships and building trust with management. However, if the advisory services do not meet clients’ expectations, there is a chance of harming the internal audit office’s reputation. This article will explore an example of advisory services from Montana State University as well as identify steps to enhance advisory services at your audit shop.

      DEFINING ADVISORY SERVICES

      According to the Institute of Internal Auditors (IIA), “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.” At Montana State University (MSU), management has been more receptive to the term “advisory services” than to the term “consulting,” because “advisory services” connotes internal rather than external expert advice. The two terms are used synonymously throughout this article.

      Internal auditors provide two basic types of services: assurance and consulting services. The IIA defines assurance services as, “An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.” The IIA defines consulting services as, “Advisory and related client service activities, the nature and scope of which are agreed with the client, that are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility.”

      According to these definitions, one major difference between these two types of services is the level of independence the auditor must maintain. Assurance services require the auditor to conduct an “independent assessment.” The consulting services definition level of independence is “without the internal auditor assuming management responsibility.”

      These differences in the level of independence can be further highlighted by another key difference between assurance and advisory services. In Research Opportunities in Internal Auditing, Urton Anderson discusses the number of parties involved in assurance and advisory services. For assurance services, there are three parties involved: the auditor, activity management and the third party to which assurance is being provided. This third party could be the audit committee of the board, senior management or some other party, depending on the internal audit function’s specific circumstances.

      Although many internal auditors may refer to activity management as the client for their assurance projects, this third party could also be considered a client because they are receiving the benefits of assurance. It would follow that clear independence is necessary to ensure that the assurance provided to the third party client is objective and unbiased. Auditor judgment on an assurance project’s objectives, scope, procedures, results or any other matters must not be subordinated to influence from activity management.

      Advisory services only have two parties: the auditor and activity management, so activity management is clearly the client for these projects. The influence of activity management is built into advisory services because “the nature and scope of [the services] are agreed [upon] with the client.” Therefore, the level of independence for advisory services is for the auditor not to assume management responsibility.

      Anderson also presented the idea of the assurance/consulting continuum (see Exhibit 1) in Research Opportunities in Internal Auditing. The three types of services on the left side of the continuum are the traditional assurance services that many internal audit offices likely provide. Remediation services, on the far right side of the continuum, are a type of consulting service where an internal auditor “assumes a direct role designed to prevent or remediate known or suspected problems on behalf of the client.” Assessment and facilitation services are the two types of services where internal auditors in higher education have great opportunities for helping to enhance their organization’s operations.

      [Exhibit 1: the assurance/consulting continuum (image not reproduced)]

      According to Anderson, assessment services are “engagements in which the auditor examines or evaluates a past, present or future aspect of operations and renders information to assist management in making decisions.” Examples of assessment services include:

      • The study and evaluation of the proposed restructure of the organization to reflect the most practical, economical and logical alignment;
      • Estimating the savings from outsourcing a process; and
      • Assessing the adequacy of internal control in a proposed accounts payable system.

      Facilitation services are “engagements in which the auditor assists management in examining organizational performance for the purpose of promoting change. The auditor does not judge organizational performance in this role. Rather, the auditor guides management in identifying organizational strengths and opportunities for improvement.” Examples of facilitation services include:

      • Control self-assessment;
      • Benchmarking;
      • Business process reengineering support;
      • Assistance in developing performance measurement; and
      • Strategic planning support.

      EXAMPLES OF ADVISORY SERVICES AT MSU

      MSU’s Office of Audit Services (OAS) had the opportunity to provide both facilitation and assessment services as part of an administrative operations efficiency and effectiveness initiative called OpenMSU. The director of OAS reports directly to the MSU president with no other functional reporting lines. This reporting line places OAS closer to senior management than to the board or the system-level administrative body.

      When MSU’s current president, Waded Cruzado, arrived in 2010, MSU was anticipating concerns about state appropriations as a result of the recession, so it began to consider new ways to become more efficient. President Cruzado initially developed a small working group to consider ways to more efficiently provide back-office administrative operations, such as finance, human resources and sponsored programs administration.

      President Cruzado’s leadership style involves having regular and broad inclusion of the campus community in its improvement initiatives, so she grew the small working group of five people into a group of 17 that included deans, directors, department heads, faculty and staff. I provided facilitation services to my client, the president, as we proceeded to coordinate this group and to develop the initiative’s mission, goals and program management structure.

      Working with the 17 members of the OpenMSU steering committee was challenging, but rewarding, and led to the initiative’s unique character – the goals of increased efficiency and improved effectiveness were balanced by goals of enriching the people who provide administrative services and satisfying the people who receive the services. The plan for achieving these goals was to develop a series of recommendations for improvement based on thorough data collection and campus input.

      This led to OAS providing assessment services with the clients being the OpenMSU executive sponsors: the president, provost and vice president for administration and finance. OAS was selected because it had the skill set to gather information about administrative services and because it was independent of the functions being assessed. These assessment services included administering two surveys, measuring administrative processes and conducting other activities. The first survey was provided to the population of people that provided administrative services and was intended to identify which processes they felt were the most critical to improve. The second survey was provided to a random sample of university employees and was based on the SERVQUAL methodology for measuring service quality.

      The administrative process measurement activity was developed by first working with the different functions to inventory their processes. The APQC process classification framework was used as guidance for inventorying processes. Then Banner and other data was used to quantify process volumes (e.g., number of purchasing card transactions) and standard process times were obtained by working with a sample of departments’ staffs. This data proved to be very helpful as MSU worked to rightsize its first shared services operation. Shared services and the other projects that were undertaken as a result of recommendations from the OpenMSU initiative are included in the OpenMSU roadmap (see Exhibit 2). OpenMSU is now in its fifth year, and all of the projects on the roadmap are underway or completed.

      [Exhibit 2: the OpenMSU roadmap (image not reproduced)]

      OAS’s extensive work on OpenMSU was likely the result of a unique set of circumstances. However, OAS still aims to include advisory services projects as a significant percentage of its annual work. During a typical year, OAS spends 10 percent to 15 percent of its direct time on advisory services, and this time is usually spent assisting management on emerging issues. For example, OAS intends to work with the Enterprise (information) Security Group (ESG) and the Payment Card Industry Data Security Standard (PCI DSS) working group in the current year. OAS will work with ESG by helping to implement a process to inventory servers maintained by distributed units and to gather additional information on those servers, such as the type of data they hold, the purpose of the server and the party responsible for its security. For PCI DSS, OAS will augment the working group to assist departmental accountants and other merchants that receive credit card payments by helping them understand the self-assessment questionnaires that must be completed for each of MSU’s many credit card merchants.

      OAS also provides advisory services to stay abreast of and to help with activities throughout the university by serving on committees and councils. OAS staff serve as non-voting members on the following committees and councils:

      • Environmental, Health and Safety Committee;
      • Information Security Council;
      • President’s Executive Council;
      • Research Compliance Committee; and
      • University Council (where all university policies are discussed and approved).

      KEYS TO SUCCESSFUL ADVISORY SERVICES

      An initial step in providing advisory services is having the office’s charter include a statement allowing advisory services. The biggest key, however, for successful advisory service is to build trust and relationships with management. Patience is essential as this takes time, but auditors should always treat management and all employees with respect, interact with others with a positive demeanor and not be perceived as playing “gotcha.”

      Management also needs to know how having an auditor provide advisory services can help them, so auditors should use opportunities to communicate to management about their strengths. Through auditors’ core competency of evaluating processes, they develop strengths such as rigorously researching regulations and policies to determine what is and isn’t allowed; analyzing data and processes to develop insights into opportunities and problems; and gathering information that can be used to understand complex situations. Management will be more likely to engage auditors for advisory services once they trust auditors and understand what they can bring to the table. Also, auditors shouldn’t be afraid to offer their services to management if they think their skills can add value to a project.

      After management engages auditors for advisory services, it is important to clarify the expectations for the objectives, deliverables and level of audit resources that will be dedicated to the project. This could be done formally or informally. In addition, auditors should educate their clients about The IIA standards and auditors’ responsibility to maintain independence and objectivity, so that it is clear where the lines are drawn regarding the auditor’s involvement with the project.

      RISK AND REWARDS OF ADVISORY SERVICES

      The greatest risk of providing advisory services is the actual or perceived loss of independence. According to “Internal Auditing: Assurance and Consulting Services,” there are two thresholds that auditors should not surpass when providing advisory services. Auditors must ensure that management responsibilities are not assumed, and auditors must not audit their own work. Auditing one’s own work is self-explanatory, however, assuming management responsibilities is more open to interpretation. “Internal Auditing: Assurance and Consulting Services” describes assumption of management responsibilities as follows, “Internal auditors should not make ultimate decisions or execute transactions as if they were part of management.”

      Those in public universities could also be subject to the U.S. Government Accountability Office’s (GAO’s) Government Auditing Standards, also known as the Yellow Book. In Chapter 3 General Standards, Requirements for Performing Nonaudit Services, the Yellow Book lists 10 examples of management responsibilities. The following is a selection of these examples:

      • Setting policies and strategic direction for the audited entity;
      • Accepting responsibility for the management of an audited entity’s project;
      • Accepting responsibility for designing, implementing or maintaining internal control; and
      • Providing services that are intended to be used as management’s primary basis for making decisions that are significant to the subject matter of the audit.

      Other risks associated with providing advisory services include: using limited audit office resources on less significant risks; not having the knowledge, skills or other competencies to perform a project; and suffering from a damaged reputation if services do not meet client expectations.

      Building trust and better relationships with management is one of the greatest rewards of providing advisory services. These were also mentioned in the section on keys to successful advisory services because they are part of a virtuous cycle. Stronger relationships lead to greater involvement; this leads to a better reputation, which ultimately leads to being asked to be involved with more important projects. Building trust with management can also allow auditors to have greater access to organizational knowledge, which is critical to effectively assessing risk at the audit universe level.

      Working on different types of projects also provides auditors with opportunities to develop new skills and knowledge. Advisory services projects particularly help auditors improve their understanding of the business, which is often cited as a key attribute of successful auditors. Finally, working with staff from other units helps auditors to become better at collaboration, which is essential to implementing positive change in higher education.

      The IIA’s new Mission of Internal Audit is “To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.” “To enhance and protect” really sums up what internal audit can provide to its organizations. To enhance the organization by providing objective expert advice on operations, and to protect by looking for emerging issues and reviewing internal practices to assure leadership that all is well. Internal audit offices that can effectively provide both assurance and advisory services will be best equipped to deliver on fulfilling this mission to both enhance and protect their organizations.

      References

      International Professional Practices Framework, Altamonte Springs, FL: The Institute of Internal Auditors, 2013.

      Anderson, Urton, Research Opportunities in Internal Auditing, Chapter 4: Assurance and Consulting Services, Altamonte Springs, FL: The Institute of Internal Auditors, Research Foundation, 2003.

      Reding, K. F., Sobel, P. J., Anderson, U. L., Head, M. J., Ramamoorti, S., & Salamasick, M, Internal Auditing: Assurance & Consulting Services, Chapter 12: The Consulting Engagement, Altamonte Springs, FL: The Institute of Internal Auditors, Research Foundation, 2008.

      GAO-12-331G Government Auditing Standards, Chapter 3 General Standards, Requirements for Performing Nonaudit Services, U.S. Government Accountability Office, December 2011.

      Mission of Internal Audit, The Institute of Internal Auditors, retrieved August 13, 2015 from: https://global.theiia.org/standards-guidance/Pages/Mission-of-Internal-Audit.aspx.