Resources

Hello ACUA members,

Please give a warm round of applause for ACUAs new president, Melissa Hall, who made her first appearance in the Journal in the Letter from the President. Melissa took over as President from Brian Daniels, who did a great job leading ACUA through the pandemic and out the other side.

This season’s Journal issue features several fantastic pieces from a broad range of writers. Jaime Fernandez wrote a terrific article about continuous auditing and how your shop can beneficially implement this process. In addition, Han Yan, Ph.D., examines how internal auditing changed because of COVID and what the future of internal audit looks like beyond COVID. Then, David Clark gives an overview of diversity, equity, and inclusion in higher education and what to consider as your institutions formalize their plans to become more inclusive. Next up, Tharanee Ravindran highlights how a Control Self-Assessment can add value to future engagements by addressing risks at your institution. After that, Rose Kelly, Lisa Palazzo, Tina Griffiths, and Elizabeth Walton wrote about a three-pronged approach to risk, compliance, and controls at Case Western Reserve University, co-sourced with Deloitte. Finally, Jennifer Saak, Ph.D., Sheila Cranman, Ph.D., and Scot Allen, Ph.D., analyze how your institution can audit export controls, a hot topic at research-oriented universities.

In this issue of the College and University Auditor, you will find a wide variety of topics written by talented authors who strove to make their knowledge and expertise relatable and valuable for professionals in every institution. Please consider joining a growing field of professionals making their mark on the collective learning of our ACUA community by reaching out to me at editor@ACUA.org. Questions, ideas, and comments are always welcome.

Sincerely,

Gavin Shubert, Editor

Dear ACUA Colleagues,

I hope everyone is enjoying the beginning of the Holiday season and is now on the countdown to Winter Break.

It was so great to see over 300 of you that were able to attend in person for AuditCon 2022 in Las Vegas. We also were glad to be able to provide content to the additional participants that were not able to attend in person.  We had such a robust schedule of timely and relevant information. This is directly attributable to our fabulous volunteers, staff, and strategic partners, who work diligently to ensure that our continuing education content is relevant and addresses the emerging risks affecting our industry and profession. THANK YOU ALL!  

As we look to the future of ACUA in 2023, I’m excited by all the possibilities as we embrace how the world has changed. Together we will all work to define the “new normal” for ACUA and our campuses. I hope that you will make plans to join us in Denver, Colorado, for Audit Interactive March 26-29, 2023, at the Grand Hyatt Denver.  

Lastly, a special thanks to our Immediate Past President, Brian Daniels of The University of Tennessee, for setting me up for success. He graciously led us out of the pandemic and back to in-person conferences. His leadership style will be hard to duplicate, but I look forward to stepping into his shoes and leading ACUA into the future.  

Sincerely,

Melissa Hall, Georgia Institute of Technology
ACUA President

After identifying concerns through an audit, we often find the same problems recurring. But how can this be? The client assured us that the issues had been addressed; however, the same risks persisted.
Although different, continuous monitoring and continuous auditing are often mentioned in the same breath and can both increase the effectiveness and efficiency of the organization.

What Differentiates Continuous Monitoring from Continuous Auditing?

Continuous monitoring is an ongoing process used to monitor both processes and risks associated with an organization’s operations and is management’s responsibility.   Monitoring programs should be designed to test for inconsistencies, duplication, errors, policy violations, missing approvals, incomplete data, dollar or volume limit errors, or other possible breakdowns in internal controls. Monitoring techniques may include sampling protocols that permit program managers to identify and review variations from an established baseline. [1]

Continuous auditing is just auditing, but on a more frequent, regular basis than the standard auditing engagement and is performed by the audit department. Continuous auditing is often made possible by technology that can collect and analyze data quickly. [2] Furthermore, the auditor uses more frequent check-ins to provide assurance that controls are adequate and functioning properly. Additionally, continuous auditing may allow the organization to reduce the frequency of traditional assurance audits.  

Where Do You Start with Continuous Auditing?

After engaging in conversations with numerous clients and completing your audit plan, you should be aware of key business objectives critical to the university’s operations.

For example, a critical operation for any university is the Admissions Office, and your office recently completed an Admissions audit as part of last year’s audit plan. Several findings were identified, and going forward, you have the opportunity to help your client resolve one or more of these concerns.

Based on this information, you should:
a) Assess the risks associated with those objectives and identify areas that are potential candidates for Continuous Auditing.
Example: The Admissions Office policy required more than one approver per applicant and include documentation comments about their approval. However, your audit found that students were admitted with only one approver and no comments on why they were approved.

b) Obtain an Understanding of How the Process Works
Example: You are now challenged with identifying the weakened control in the admissions process. Based on work from the initial Admissions audit, the admissions process should already be documented. The process should be re-verified with someone who understands the process, and if there are process changes, the documentation should be updated.

c) Use Continuous Auditing to Determine the Cause of the Control Breakdown or Increased Risk
Example: When using continuous auditing to determine how controls are performing, you may have identified that the review process needs modification. For instance, if the admissions application process is not automated, the solution may require an Admissions employee to select some reports periodically (daily, weekly, monthly) for compliance review. This is to determine if more than one reviewer has processed applications with comments justifying admission, as prescribed. In this example, the process was automated, a script modification was needed. This required adding a control which did not allow applications to advance within the process until two approvers signed off with comments justifying admission. Once the control correction had been placed, Internal Audit continuously audited to determine the effectiveness of this control.

d) Collaborate with Your Client
Your client can assist with continuous monitoring efforts by performing compliance checks (daily, weekly or monthly) to determine how frequently errors occur. In our example, the client will likely be able to periodically pull admissions reports to assess whether process improvements are effective. The client may gain the ability to recognize and solve control issues themselves without getting Internal Audit involved.    

e) Assess Results and Report
Using the data you have gathered over time, you can determine if the controls are more effective at achieving the desired results.

In reference to our example, your institution will receive the most applications for the Fall semester. Therefore, it is most appropriate to do Fall to Fall comparisons as opposed to Fall to Spring. As we know, your institution will have fewer Freshman admissions in Spring. With a reduced workload, the Admissions review staff may make fewer errors.

However, for Fall admission assessments, Admissions will have more work, and more reviewers could be needed. Because of time constraints and inexperience, following admissions policies may not always happen. The Fall to Fall comparison may be more relevant for an effective evaluation regarding improvements in admission controls.

Example: Below is a visualization of comparative data between Fall 2020 and Fall 2021 for student admissions. Regarding the two Admission policy requirements mentioned in (a) above, which relate to having more than one approver and having approval comments, what is the data telling us?

• For the admissions policy requirement of having at least two reviewers mention in (a) above, there are no concerns as this process appears to be working. In both years, there was only one application that showed one reviewer.
• However, reviewers are not always documenting comments. In the example, “Reviewer 1” represents one Admissions staff member, “Reviewer 2” represents another, and so on. Reviewer 1 did not add the required comments for nine applications in Fall 2020 compared to 37 applications in Fall 2021. The trend is generally negative for many reviewers and this is where a deeper look into the controls is needed. 

After reviewing the trend results, report the outcomes and determine if more continuous auditing is needed. Meet with your client and discuss the results. In our example, without the data analytics information, Admissions may not have known that the number of applications without comments had increased from 2020 to 2021. Using the new information, the client may already know the cause or may need further investigation. In this example, the client knew the automated application process was having problems, and some applicants had duplicated their applications. The client may continue with their own monitoring to determine if other adjustments are needed.

Continuous Auditing Benefits

• Collecting audit evidence on a timely basis.
• Better analysis of the strength of your controls through more frequent measurement and trending.
• Better alignment with the pace of change in highly dynamic environments.
• Automated compliance monitoring tools can help save time and resources in evidence collection.
• The use of tools to help automate the collection of evidence and data, to perform trending, and to provide insights. [3]

Continuous Auditing Challenges

• Understanding how to address the root cause and not the symptom.
• Selling your client on the notion that you are there to help them and not get in their way.
• Determining when the control is working at acceptable or reasonable levels.
• Determining the frequency of performing the continuous audit.
• Changing business environment.
• Internal Audit’s proficiency in using data analytic tools.
• New client staff understanding systems, processes, tools and control monitoring.
• Management’s expectation that Internal Audit is the monitoring function.

Conclusion

As mentioned above, establishing a continuous audit program can be challenging. Therefore, continuous auditing should be carefully planned with your audit client. In the end, you can build goodwill with your client, increase operating efficiencies, and account for risks identified within your risk universe.

Additionally, your client’s involvement allows them more flexibility in providing a solution.

References

[1] Monitoring and Auditing Practices for Effective Compliance: Best Practices for Compliance Officers. Blog Post. (2017, February), Richard P. Kusserow, Strategic Management Services
https://www.compliance.com/resources/compliance-officers-responsibility-ongoing-auditing-monitoring-high-risk-areas/

[2] Continuous Auditing vs. Continuous Monitoring. (2017, April 12). https://study.com/academy/lesson/continuous-auditing-vs-continuous-monitoring.html

[3] What is Continuous Auditing and How Can You Leverage It? (2020, March 03), Paul J. Johnson, WIPFLI, Articles & E-Books, https://www.wipfli.com/insights/articles/ra-what-is-continuous-auditing-and-how-can-you-leverage-it


Special thanks to Paul Tyler, Carol Rapps and Joselyn Rameau, UTSA Data Analysts, for visualization contributions and review.

Two years into the COVID-19 pandemic, universities, together with their internal audit shops, have resumed normal operations, or more accurately, settled into their new norms. To reflect on the gains and losses occasioned by the pandemic, eleven chief audit executives (CAEs) from public and private universities in the U.S. were invited to participate in individual interviews. Looking back on this challenging time, the CAEs provided personal accounts on how their resource and audit work was impacted. And, more importantly, they offered a post-pandemic outlook on the future of the internal audit profession.

Managing Auditor Shortage

Many internal audit shops experienced budget cuts and hiring freezes during the pandemic. To manage the impact of budget reductions while meeting the demand of audit work, CAEs began restructuring vacant positions (e.g., change an IT audit manager position to an entry-level data analyst position) or “cannibalizing” positions to allow for salary increases for the current staff. Some shops also hired accounting student interns to mitigate staff shortages.

At the same time, the job market also became more challenging for the audit shops in higher education, especially for those located in or close to large cities. Due to the shortage of accounting professionals across industries, more job candidates were attracted by the relatively high salary and opportunities in private industry. Work-life balance is not the selling point it once was for higher education, as many organizations have allowed staff temporarily or permanently to work from home. It has become extremely challenging for audit shops in higher education to find highly qualified candidates. So much so, that many hired headhunters to fill their vacant positions.

Utilizing Data Analytics

When the pandemic hit the U.S. in March 2020, universities had little time to prepare for initial campus shutdowns. Then, two weeks of “flattening the curve” became one month. And one month then became three months or even longer. When university employees largely worked from home and facilities on campus were closed, internal auditors had to brainstorm new ways to conduct audits. Several CAEs increased the utilization of data analytics, which does not require physical access to facilities or in-person interactions. In fact, adopting data analytics was easier than before, because the whole organization started reengineering manual processes to make working from home possible and effective. This change in the organizational environment created a great opportunity for internal auditors to broaden the scope of data analytics. It also enabled them to connect different data sources and creatively investigate issues at the organizational level.

Reevaluating Audit Plan and Risk

Due to physical access constraints, many audit projects had to be delayed or removed from audit plans. For example, one CAE had to remove a scheduled space management audit from an audit plan, because after the campus shutdown, the buildings on campus were no longer in use. And, as another example, audits scheduled in university medical centers during the peak of the pandemic were indefinitely delayed. Given the high COVID exposure risk to internal auditors and the high stress level of the medical center staff, CAEs chose to save these projects for more appropriate times.
As organizational and working environments changed during the pandemic, CAEs reevaluated audit plans to mitigate the risks that emerged during the pandemic. They planned audit projects to manage risks associated with: remote work, federal pandemic relief funds, FERPA compliance, and information security. The need for supporting external audits, such as audits conducted by federal and state agencies, also increased significantly for some audit shops.

Increasing Consulting Activities

When audit clients were “swamped by work” in the middle of the pandemic, the last thing that CAEs wanted to do was to create more work or, worse, distract their audit clients from their critical responsibilities. Consequently, the value of consulting work became more salient during the pandemic. Besides regular audit work, internal auditors gradually stepped into the roles of trusted advisors for management. They provided consulting services that directly addressed clients’ needs and assisted clients who struggled during the public health crisis. For example, internal auditors advised clients on how to improve business processes. They analyzed the existing manual business processes, identified issues and risks, and worked with clients to design more efficient and effective electronic working processes. Occasionally, an audit project transformed into a consulting project, because the clients needed more support through internal auditors’ consulting work during this critical time.

“Hallway Conversations”

When people began working from home, the primary method of communication quickly switched from in-person meetings to virtual meetings. Virtual meeting software, such as MS Teams, made it more convenient and efficient to “meet” and connect with people. However, much informal conversation that typically occurs during in-person meetings was lost. And these lost “hallway” or “watercooler” conversations with management turned out to present one of the biggest challenges for CAEs during the pandemic. Internal auditors often develop important insights from casual conversations with management, and these informal conversations happen literally by bumping into people within brick-and-mortar buildings. Beyond building personal connections, these conversations provide internal auditors opportunities to stay updated with the university’s operations, understand university culture, and better appreciate perceived existing issues and risks.

Internal Auditing beyond the Pandemic

Although the pandemic has accelerated the use of data analytics in internal auditing, internal auditors must remain committed to exploring new methods of incorporating data analytics into their work product. Since many manual business processes transformed into electronic processes during the pandemic, internal auditors now possess many more doors through which to investigate the interrelationship among different databases. Internal auditors are, thus, now poised to make novel uses.

Higher education is no stranger to the topic of Diversity, Equity and Inclusion (DEI) – if anything, higher ed institutions have historically been at the forefront of discussions about increasing access and success of underrepresented groups, and leveraging their classrooms and research to expand the view of future business leaders into the benefits of workplace diversity and equity. But DEI has garnered even more attention over the past several years. The disproportionate impacts of the COVID-19 pandemic and increased emphasis on racial inequality, social justice reform, corporate social responsibility, and the rise of Environmental, Social and Governance (ESG) reporting requirements have fueled a greater desire to address issues of DEI in higher education and ultimately improve the experience of students, faculty, staff, and the larger community.

The National Association of Diversity Officers in Higher Education (NADOHE) has placed an increased emphasis on Inclusive Excellence, which it views as transitioning from a singular focus on improving compositional diversity—who is present or absent on campus—to embracing comprehensive performance measurements linked to goals, objectives, strategies, indicators, and evidence.

Colleges and Universities are charged with three primary duties:

1. Minimize risk and negligence and ensure legal and regulatory compliance with diversity and equity issues in higher education.
2. Oversee, assess, and sustain campus policies that elevate equity, fairness, inclusion, and safety.
3. Develop, implement, monitor, and make recommendations for nondiscrimination and anti-harassment policies, processes, and practices associated with Equal Employment, Titles VI, VII, and IX considerations, Americans with Disabilities Act, affirmative action, and other applicable human rights protections.

In higher education, DEI applies to all aspects of college or university operations, including recruitment and retention of a diverse student and faculty population, fair and equitable hiring and promotion of employees, supporting minority-owned vendors in procurement practices, providing diversity awareness and unconscious bias training, and providing additional resources and support for traditionally underrepresented student populations and material covered in course curricula.
In recent years, many colleges have furthered their commitment to improving equity among their communities by establishing formal DEI strategies, programming, and procedures that align with their organization’s mission, appointing Chief DEI Officers and creating offices to shape and execute these strategies.
There is still much progress to make.

A 2022 Hanover Research study on DEI surveyed nearly 1,000 undergraduate students from across the United States and found that the majority of BIPOC (Black and Indigenous People of Color) students agree that those with diverse backgrounds, identities, and experiences do not have equal access to academic opportunities. While 69% of students agreed that the faculty and staff population at their institutions are racially and ethnically diverse, students at private colleges or universities were found to have a more negative perception of their institution’s support of DEI efforts than those at public institutions.

Exemplifying the onus placed upon universities to increase efforts toward DEI programming, third-party evaluators have now begun factoring diversity and equity data into their scoring metrics. The U.S. News and World Report rated the most ethnically diverse campuses across the country by assigning a diversity index score based on the total proportion of minority students (excluding international). The INSIGHT Into Diversity HEED Award, open to all colleges and universities across the U.S. and Canada, measures an institution’s level of achievement and intensity of commitment regarding broadening diversity and inclusion on campus.

Internal Audit’s Role in Enhancing DEI Actions

A higher education internal audit (IA) function can help to support the institution’s DEI efforts in several ways. As discussed in a panel session at ACUA’s 2022 AuditCon, DEI continues to be an area of exploration and, at times, uncertainty for college and university auditors, but there have been several strategies employed across institutions that could help your audit shop get started.

First, as an operating unit within the school, IA can help lead by example in examining its practices regarding DEI and working to strengthen practices where possible and align with the institution’s broader strategies and goals as needed. 

Then IA should review whether your institution or system has established any strategies or goals regarding DEI across campus. If no such foundations exist, consider the ability for IA to play an advisory role and help leadership work to move the needle on setting DEI goals and measures, even if starting small with just a few focus areas (e.g., admissions, procurement or pay equity reviews).

Even without an institutional framework or goals, IA can still perform DEI-focused audits. This may include assessing compliance activities related to the number of diversity and equity laws in place regarding hiring practices, institutional program offerings or student services. With the increase in external metrics regarding DEI, IA could review the institutional data used and report for inclusion.
If goals, targets, and metrics have been established, IA can play a role in supporting the institution’s monitoring efforts, verifying those goals have been met, or looking at the overall management and structure of how such a program is enacted across campus.

AuditCon panelists also spoke about efforts to begin including considerations of DEI and overall institutional culture as a standard component of all audits. Similar to incorporating IT considerations into all audits conducted, these IA shops have started to leverage pre-audit control surveys to ask questions about the culture and processes of auditable units, including evaluating the diversity of staff and feelings of inclusion. This enables the IA function to identify non-traditional areas of risk and measure DEI effectiveness while providing valuable feedback to auditees to help promote DEI efforts and enhance morale.

One of the biggest takeaways from the ACUA panel was that there is no single right answer for how to incorporate DEI considerations into the work of IA. While conversations have begun to shed light on areas of DEI as a leading institutional priority and risk area, many audit shops are still uncovering how to include such topics within an audit plan. But no matter how mature your focus on DEI may be, there are ways to engage your IA team to help support or even drive DEI initiatives across campus.
DEI is an area that will continue to receive focus on campuses across the nation, with the goal of continual progress. In turn, DEI work performed by the IA function will continue to evolve and shift in alignment with your institution’s activities. IA’s willingness to engage with DEI topics will help your institution increase compliance and embrace inclusiveness with DEI measures.