Resources

How to Improve Your Audit Product

Professionals are generally aware that the final deliverable of a product is judged on more than the quality of the service itself. A client’s overall perception throughout an engagement plays a vital role in their satisfaction and cooperation with internal audit. This article provides suggestions on how to improve the overall audit product and relationships with audit clients.

1. Make it clear that you are there to help

Ask the client how internal audit can help. 

Ask the client how internal audit can help. A great way to start the conversation is by asking for a list of process improvements over a period of time (e.g. two years) and then verifying that they were implemented. Depending on the structure of the institution’s audit report, process improvements should be addressed first, if they are included in the report. If they are not included in the official report, auditors should outline process improvements in an informal memorandum or discuss them verbally with the client.

Additionally, internal audit can provide assistance to clients through the audit report, which can be leveraged to help the client achieve their goals. For example, making recommendations and highlighting areas for improvement may have more impact when included in an audit report and suggested in this formal manner to senior leadership. However, it is important to keep in mind that internal audit should not be involved in any implementation of these recommendations to maintain independence and objectivity.

2. Use proper terminology when addressing clients

In the business world, clients are generally referred to as, well, clients. Avoid addressing clients in ways that could have negative connotations, such as “entity under audit” or “auditee.” It may be helpful to think from the client’s perspective on how it might feel to be audited and referred to as the auditee. Being respectful and friendly to the client during communications will help with the intimidation factor that clients may feel when being audited. 

3. Put clients at ease

For many clients, learning that they are being audited or even meeting with internal audit induces a level of fear or anxiety. While it seems that auditors are stereotyped as scary intruders who want to upset the status quo, it is helpful to gently remind clients this is not the case and work to change their perspective. The following suggestions offer some ideas that may help convey that internal audit wants to collaborate with clients to achieve mutual goals:

  • Start the audit with Preliminary Information Gathering (PING) meetings. This allows internal audit to gather history and become familiar with the client’s operations. This information can then be used to shape the audit program. 
  • Document internal audit’s understanding in writing and distribute it to stakeholders, requesting confirmation that it is correct. To further demonstrate that internal audit seeks to collaborate with the client, suggest in the communication that stakeholders make comments and edits as they see fit.  

4. Report audit findings in context

Research the history of the audit area (e.g. changes to systems, processes or personnel) by using the client’s institutional knowledge and other resources.


Research the history of the audit area (e.g. changes to systems, processes or personnel) by using the client’s institutional knowledge and other resources. Including this information in the audit scope shows both stakeholders and leadership that internal audit has made a genuine effort to produce a quality, relevant deliverable.  

Example: Internal audit discovers that the database the client is using has duplications and errors. Internal audit becomes aware that the audit area had four directors in the last four years and that the data was managed by many individuals over this period. The current data manager has held the position for six months and made many improvements to fix the database. Internal audit highlights the data manager’s efforts during ongoing discussions and in the audit report. As a result, internal audit gains the trust and appreciation of the client and management, thereby developing the foundation for a great relationship.

5. Use graphics and other tools to emphasize your points and make them easily understood

The success of many online platforms depends on their ease of use and simplicity. Twitter, for example, limits messages to 280 characters. The most common length of a tweet is 33 characters. Historically, only nine percent of tweets hit Twitter’s former 140-character limit; now it is only one percent.

Another online platform, Pinterest, utilizes images, videos and text – infographics – that allow users to discover information through various means. As of the publication of this article, there are over 200 billion pins on Pinterest, and 87% of Pinners have purchased a product because of Pinterest.

The use of tables, graphs and slides can appeal to end users (e.g. stakeholders and leadership) and increase engagement during the presentation of a deliverable. Additionally, presenting a deliverable with PowerPoint seems to be underutilized in our profession. Introducing this as a method to present audit information and harnessing its formatting capabilities (e.g. fonts and color themes) can amaze management.  

6. Present executive highlights that convey some of the detail, and the entire picture, at the same time.

Management and clients want straightforward, easy-to-understand summaries.

While this may sound like a contradiction, here is how it is done. Auditors love spreadsheets, replete with formulas, tiny explanations, footnotes and other auditing paraphernalia. But, more often than not, it is only auditors who truly care about them. Management and clients want straightforward, easy-to-understand summaries. Therefore, consider highlighting – and succinctly conveying – major points with only as much detail as needed to clarify and support internal audit’s findings. These major points should be mutually exclusive and collectively exhaustive (MECE), which means they should stand alone and, together, present the complete picture. This allows internal audit to integrate the findings and recommendations in a way that conveys the total picture.  

In summary, internal audit can improve the quality of audits and relationships with clients by adhering to a few basic principles. Convey the idea that internal audit wants to help, treat clients respectfully, and keep the audience in mind when writing and presenting the audit report.  

Letter from the President

Dear ACUA Colleagues,

Summer is upon us! You all deserve a long-awaited vacation with family and friends. I sincerely hope you take some time to kick back and celebrate all that we have accomplished and the new beginnings to come.  

If you joined us for the first annual virtual spring membership meeting, you already learned about the initiatives ACUA volunteers have been working on to continue to move our industry forward. The advocacy program, diversity and inclusive leadership efforts, and our new fall conference platform will help position ACUA and our industry for long-term success.   

Similarly, I hope this edition of the ACUA Journal provides some insight and inspiration as we look ahead to the next academic year. The articles collected here tap into the accumulated expertise of our ACUA community. Please consider taking the time to reach out to the authors to thank them for sharing their knowledge. You may get an idea for a future audit or article of your own or build upon your ACUA network.  

Our volunteers made the ACUA community thrive during the pandemic, and they deserve a special note of thanks. It is a pleasure to work with such a great community, and I hope to see many of you at ACUACon, whether you attend in person or virtually. 

Sincerely,

Patti Snopkowski

ACUA President 

Auditor as an Investigator?

As auditors, we are sometimes called upon to participate in investigations at our institution. Investigations may be the result of a financial fraud allegation, a complaint of time misappropriation submitted through an ethics hotline, or a management request regarding questionable travel and entertainment expenses. To some, the word “investigation” may be intimidating. In hopes of demystifying the process, this article provides general information on investigations, why they are performed, and what auditors should consider while conducting an investigation.

What is an investigation?

An investigation is a determination of facts related to a specific concern (or concerns) raised by an individual (e.g., via hotline complaint or management request) or, less often, as the result of an audit. The results of an investigation include determining whether the concerns are substantiated by assessing what happened, the timeline of events, and what policies or laws were violated. The matters under investigation often implicate an individual in wrongdoing, so they require a discrete, thorough, and independent analysis. Confidentiality is critical throughout an investigation to protect both a falsely accused person and the overall integrity of the process. While limited in scope, investigations focus on facts solely related to the concern(s) presented; provide all parties with an opportunity to be heard; and provide management with clear and concise findings, as well as potential recommendations when appropriate.

Why do auditors perform investigations?

As auditors, we are uniquely suited to perform the detailed, analytical work required to complete a thorough investigation. In addition, higher education auditors tend to have a breadth of institutional knowledge and an expansive professional network. We are independent, trained to recognize fraud red flags, and know what areas to focus on. Furthermore, there is a need—employee reports are the most common sources of uncovering fraud. Performing investigations exhibits to your institution’s community—students, faculty, staff, patients, visitors—that the institution is committed to an ethical culture rooted in honesty and accountability.

Auditor Considerations

General

  • Maintaining confidentiality is in the best interest of all parties involved in an investigation and should be discussed based on the nature of the investigation and parties involved
  • Review of documentation and interviews should be limited to the specific concerns raised
  • Availability of audit professional resources should be considered to complete investigations timely
  • Investigations inherently have increased litigation risk; therefore, the results (and supporting work-papers) of a given investigation may be subject to a subpoena if the matter is not resolved to either party’s satisfaction
  • All parties are entitled to an impartial, objective, and thorough investigation and have the right to be presumed innocent unless proven otherwise

Planning the Investigation

  • Understand the concern under investigation (interview hotline reporter or management, if necessary)
  • Identify, and request, any information necessary to substantiate the concern (e.g., general ledger, procurement details, Travel and Entertainment records, time system logs, emails, people to interview)
  • Review and identify any policies or regulations that may have been violated
  • Consider the amount of information provided by hotline reporters prior to moving forward with performing an investigation

Performing the Investigation

  • Follow procedures developed for audit investigation fieldwork and documentation
  • Maintain a document log as work-papers are requested, received, and prepared
  • Access to all documentation and work-papers should be limited to only those who have a need-to-know (i.e., Principle of Least Privilege)
  • All work-papers, both paper and electronic versions, are potentially subject to subpoena and must be maintained (refer to your institution’s record retention policy or general counsel for guidance)
  • Maintain open communication between team members, management, and peer units at the institution (e.g., Human Resources, Police Department, Compliance), disclosing only pertinent information for the investigation
  • Seek guidance from your institution’s General Counsel as to whether including “Confidential and Privileged”, or a similar statement, is appropriate to identify all work-papers, if included in the investigation’s legal documentation

Interviewing Key Participants

  • Conduct interviews in a location comfortable (and neutral) for you and the interviewee[1]
  • Identify pertinent questions requiring answers prior to the interview
  • Prepare for each interview individually (different interviews will warrant different questions)
    • Ask open-ended questions
    • Keep questions short and simple
    • Let the interviewee do most of the talking
  • Maintain an interview log (e.g., who, when, where)
  • Interview the individual accused of wrong-doing last

Reporting the Investigation Results

  • Write a straightforward report. (i.e., concern, procedures performed, conclusion)
  • Consider the necessity of including supporting documentation as appendices to report
  • Determine who the report will go to and who will be included on the distribution list
  • Complete report writing timely (definition is subjective at each institution and the nature of the investigation)

Common Jargon

Becoming familiar with and understanding key terms will help you navigate an investigation with ease. Below are some terms and definitions commonly used during the investigations process:

TermExplanation
AllegationClaim or assertion that someone has done something illegal or wrong
ArbitrationA form of alternative dispute resolution; a way to resolve disputes outside of court
Attorney/Client PrivilegeLegal protection to keep communications between attorneys and clients confidential
E-discoveryElectronic information requested to be produced during litigation
EvidenceCompilation of documents and analyses supporting a conclusion
GrievanceFormal complaint raised by an employee within the workplace
HotlineReporting tool, typically with option to report anonymously
Hotline Reporter (or Complainant)Individual initiating hotline report (or complaint)
MediationDispute resolution using an impartial third party trained in specialized communication and negotiation techniques
Target (or Respondent)Individual whom a hotline report is against
ParticipantAn individual interviewed and/or identified as a witness during an investigation
Subpoena A court order commanding a person to appear in court
Substantiated Results of an investigation support the concern/allegation
UnsubstantiatedResults of an investigation do not support the concern/allegation
Table of common terms and definitions used in the investigations process.

Conclusion

In closing, remember we are all investigators. Use your auditor tool box to perform tests and analyses to assist in closing an investigation. Document everything and file it separately from other audit work-papers. Communicate often with the investigation team and ask questions of the investigation owner (whether inside, or outside of, your audit department). Utilize the experience to learn a new process and/or deepen working relationships within your institution. Learn more about partnering with other investigative units at your institution at ACUA’s Audit Interactive 2021.

[1] Given the current pandemic, interviews may need to be conducted virtually. To conduct a virtual interview in as similar of circumstances as meeting in-person, all parties should utilize a video setting and be in a room without distractions.

ACUA and EDUCAUSE Intersect to Assist Campuses: An Interview with John O’Brien

Forward by College and University Auditor Journal Editor:

EDUCAUSE is a nonprofit association serving over 2,300 colleges, universities, and organizations across 45 countries, who are collectively responsible for developing over 16 million students. EDUCAUSE’s mission is to advance higher education through technology innovation—making it a great resource for ACUA members! EDUCAUSE’s president and CEO, Dr. John O’Brien, spent 30-years in higher education in key leadership roles and often shares his expertise regarding the intersection between higher education and technology. In May 2019, John interviewed ACUA Past-President, Justin Noble and published “The Internal Auditor as a Trusted Resource: An Interview with Justin Noble” in EDUCAUSE Review, and discussed how Information Technology (IT) leaders can partner with internal auditors. Now, ACUA interviewed John to understand how to work effectively with Chief Information Officers (CIOs), gain insight on some high-risk IT areas to watch out for, as well as information and resources available to member institutions. ACUA’s questions are in bold and John’s answers are below.

Internal auditors base our audits on risk. Based on your research and input from CIOs, what do you see as the high risk IT areas over the next few years?

For anyone  tracking EDUCAUSE’s top 10 IT issues over the years, it will come to no surprise that the first words out of my mouth are “cybersecurity.” This is an ongoing, dynamically changing threat for colleges and universities. The pandemic seems to accelerate so many trends we are seeing, including more nefarious activities and more sophisticated threats, such as nation states targeting intellectual property.

There are, of course, many other risks on the radar of higher education CIOs, and because of the complexity of the risk landscape we strongly encourage campuses to consult resources on our IT Governance, Risk, and Compliance site, which includes risk management resources and a very useful IT risk register tool. With all the existing and changing risks, collaboration across an institution is necessary.

In addition, our October 2020 EDUCAUSE QuickPoll data suggests that around two-thirds of campuses are experiencing IT budget cuts, with 10% as the median reduction—and over 40% expect more to come. Navigating decreased investments in IT at a time when technology has been the linchpin of strategic campus pandemic responses will be a big challenge this year and perhaps for many to years to come. With inevitable declining budgets, institutions also may want to identify new efficiencies and other transformational approaches to risk, compliance, and privacy.

A significant shift to Cloud services is occurring across higher education. Are there EDUCAUSE resources auditors can leverage to keep up with Cloud developments?

The cloud can be a pretty risky place. In many cases you are handing institutional data over to third party providers, and it is important to go forward with a clear understanding of the risks involved in cloud vendor relationships. To help institutions measure vendor risks, we have developed (along with our member-led Higher Education Information Security Council) the Higher Education Community Vendor Assessment Toolkit (HECVAT). It is a questionnaire framework specifically designed for higher education solutions providers to confirm that information, data, and cybersecurity policies are in place that protect sensitive information. Preparing the IT Organization for the Cloud is a good resource for background information about the cloud. While not focused on cloud computing technology, it does include a wealth of information about what it takes to move services to the cloud and how an institution might prepare for that. 

What skills and abilities would a typical higher education CIO hope that an IT auditor would possess (e.g., technical, interpersonal, communications)?

I think the dream auditor would be one who sees the engagement as an opportunity for collaborative discovery and who is willing to begin an audit with the goal of deep understanding, while resisting any rush to drive toward findings. In my opinion, what is true for great leaders is true for great auditors—a bias for “turning to wonder” rather than “turning to judgment.”  It is easier to judge than to wonder genuinely why something initially seems out of the norm. I do understand that you could make the case that turning to judgment is woven into the job description for an auditor—that is true, but one might also expect that tactics and operations are a core competency for a CIO; however, that has changed over the last decade. IT is far more than executing tactics, especially in a pandemic.

We hope for auditors who understand that IT is more than just operations. IT has become less a utility and more and more a strategic asset. Understanding the work IT does in this broader strategic context would improve the audit process and results. 

What are the best ways that internal audit can partner with CIOs to improve IT people, processes, and technology?

I think it would be remarkable if IT auditors would dig into the priority work at EDUCAUSE over the last few years around digital transformation (“Dx”) and bring this lens and thinking into play. Being a partner with IT in advancing digital transformation as an institutional differentiator has great promise connecting “people, processes, and technology.”  The difference between ad hoc technology innovation and Dx is exactly that, that it embraces major shifts that go far beyond  technology alone. Technology can be cool, but transformational change embodies changes in workforce and culture as well.

What do CIOs most appreciate about the audit process?

CIOs most appreciate when an audit process is transparent and thoughtfully scoped so that focused resources can be directed at supporting meaningful exploration and helpful findings. Anything that can illuminate a pathway of authentic curiosity and discovery will make it less likely that the engagement will take on the “gotcha” aspect that benefits no one. Additionally, CIOs especially appreciate it when audit findings help her or him make the case for needed or overdue investments in technology or staffing.

When Board members (or CIOs) come from a corporate background, what should they know about higher education?

Folks moving from a corporate background to higher education should know that they may need to master another language. Some words and concepts that meant one thing in industry mean something else in higher education. For example, “customer” is inaccurate or even offensive to many in higher education circles, and even if it were generally accepted, it is more complex than for most businesses. IT’s “customer” may be the faculty, while faculty’s “customer” might be students or research funders, or both. And institutions don’t just serve students; they serve their communities, their local government bodies, and so much more. Aside from the language challenges, of course  those from a corporate background will need to adjust to the fact that it simply takes considerably longer to get things done in higher education.

What EDUCAUSE resources are the most popular for your members?

EDUCAUSE Review (ER), our digital flagship magazine, has a wide range of articles and content on many topics. ER has received numerous awards and continues to keep our members up-to-date at the crossroads of higher education and technology innovation. Of course, like ACUA, professional development is a big part of how we serve our members, and our conferences and events are very popular. In 2020, we added virtual conferences and institutes to the mix, with great results, and in early 2021 we will be launching a new mentoring initiative that I am really excited about. If your institution is an EDUCAUSE member, please let us know if you would like to become, or connect with, a mentor. Additionally, our research is very popular with our members, most notably the Top 10 IT Issues, as well as the Student Technologies and Horizon Reports.  

Finally, as we reflect on the tremendous racial injustices last year, our members have appreciated our intentional effort to prioritize diversity, equity, and inclusion (DEI), including infusion of DEI themes in our professional development, publications, and research. In the second half of 2020, around 20% of our publications were related to DEI themes. Our CIO DEI Commitment statement has been signed by nearly 600 to date, and this year we are focusing on going beyond words and statements and prioritizing action.

What could future collaboration between ACUA and EDUCAUSE look like?

So many ACUA members are members of EDUCAUSE as well, and we could intentionally seek out and promote opportunities to point each other toward our resources. We have—thanks to the pandemic—been moving toward faster responsiveness to members through QuickPolls that launch and report on timely topics in days, not the months you would expect from more traditional research. QuickTalks (like this one) make it possible to spin up discussions on emerging topics for members. This agile programming would be useful to ACUA members, and we could explore areas of interest to both our members in these and other venues. I enjoyed the chance to be a keynote speaker at AuditCon 2019 and discuss digital ethics, and I think topics like these are the kind of thing that captures the imagination of auditors and IT professionals alike. 

Many institutions are EDUCAUSE members, but if yours is not yet, join today!

Collective Learning Communities for Internal Auditors

Forward by College and University Auditor Journal Editor:

Members of ACUA receive many benefits, such as Connect ACUA, an online community of internal audit, risk, and compliance professionals from higher education institutions sharing higher education-focused knowledge and experience. ACUA strives to share useful resources with its members to help them build their knowledge base and expand their network. We hope our readers will engage in discourse across many platforms to build their repertoire of awareness and intelligence. A growing and interactive community for internal audit professionals is AuditWithoutWalls!

Learn, Share, Explore, and Grow…

AuditWithoutWalls!, established in 2017, is a free virtual collective learning community for sharing knowledge and exploring ideas on technical issues, including governance, risks, and controls. The community began in Asia, and has since expanded across the world. It now has a global reach, connecting over 1,200 public sector internal auditors from more than 110 countries across all continents. While initially geared toward public sector internal auditors, it is now expanding into the private sector to provide more opportunities for developing professional and supportive relationships.

AuditWithoutWalls! fosters a democratic ethos, where all members play a vital role in the community’s learning.

A collective learning community enables individuals to learn without a hierarchal structure—learning is triggered and motivated by common interests, not by rigid rules. The needs and goals of members set the course of conversation and out-of-the-box thinking. AuditWithoutWalls! fosters a democratic ethos, where all members play a vital role in the community’s learning. The environment encourages members to share their personal knowledge and expertise, motivates one another to learn, commits to mentoring new auditors, and cultivates relationships by listening compassionately and exercising empathy.

AuditWithoutWalls! primarily uses a social media platform, Yammer, to collaborate and network, but also has a presence on LinkedIn. By using online discussions, members can ask questions and share information anytime, anywhere. Since members are from all over the world, this platform truly never sleeps! Interaction and participation is constant and thought provoking, making it a great resource to learn a myriad of new things. Hot topics discussed lately include leveraging digital technology in audit and adapting the audit plan to current risks (e.g., COVID-19 pandemic, cyber hygiene).

Interaction and participation is constant and thought provoking, making it a great resource to learn a myriad of new things.

The community also shares information on relevant continuing education opportunities, videos that provide useful information to internal auditors, and other useful internal audit services. The monthly bulletin called AuditorsHelpingAuditors! provides practitioners with up-to-date studies published by academics and researchers.

Join Today

AuditWithoutWalls! has an open-form membership concept, which allows members to join the community by requesting an invitation and also allows members to leave voluntarily. For more information, or to request an invitation to join, email auditwithoutwalls@adb.org.

Letter from the President

Dear ACUA Colleagues,

I hope you had a restful holiday season and took time to enjoy those closest to you. I had the time to reflect and celebrate our accomplishments and, most of all, our resilience.   

With a new year comes the opportunity to set new goals. ACUA is optimistic about 2021, as we plan to build an even stronger community to serve our industry. One way to achieve this is through continued contributions from industry leaders to College and University Auditor. The Journal provided a way for me to connect with individuals on a variety of topics, such as annual audit planning, fraud investigations, audit reporting, and even COVID-19.

I encourage you to reach out to our authors and learn from each other. I also encourage you to share your experiences in a future ACUA journal article. Turning to the Journal to gain valuable insights is just one of many benefits we have as a community. Many thanks to the authors, volunteers, and staff for showcasing their higher education knowledge.

In addition to sharing knowledge in a professional journal, ACUA is dedicated to providing relevant trainings and networking. So, you will not want to miss the opportunity to build on your professional expertise at Audit Interactive! The Professional Education Committee is hard at work, so save the dates—March 21-25, 2021. I hope to see a record number of attendees from our ACUA community. 

I look forward to interacting with you on Connect ACUA and seeing everyone at Audit Interactive in March!

Sincerely,
Patti Snopkowki 
ACUA President