AAP Roundtable on Implementing the New IIA Standards

On February 11, 2025, the ACUA Auditing and Accounting Principles (AAP) Committee hosted a roundtable discussion on implementing the Institute of Internal Auditors (IIA) Global Internal Audit Standards (Standards), which became effective on January 9, 2025. This event drew 35 ACUA members, who were divided into breakout rooms to share their questions and solutions on five topics with significant changes: reporting, governance/charter, performance metrics, strategic planning, and quality assessments. The AAP committee members facilitated the discussion and contributed to the following summary.

Reporting Requirements

The IIA added reporting elements in “Standard 15.1 Final Engagement Communication.” Changes include prioritizing findings, adding an overall summary of governance, risk, and controls, and adding an owner and due date to the management response.

How are departments reporting conformance in their audit reports while working on implementing the new Standards? The internal audit departments that have already completed a gap analysis or an internal assessment and have modified their practices to agree with the new Standards continue to use the “in conformance” phrase in their reports. Departments that are still adjusting to the new Standards, or will have an external assessment soon, are temporarily omitting that phrase from their reports.

How are you prioritizing your findings? All members said they are consciously prioritizing their findings, but the methodologies varied. Some departments have defined a matrix for categorizing their findings as “high, medium, or low.” These ratings and definitions are sometimes presented in the reports for context. Other departments are relying on professional judgment in prioritizing their findings and are documenting their reasoning in the work papers. Most departments are including the phrase “findings are listed in order of priority” in the final reports.

How are departments concluding on the effectiveness of the governance, risk management, and control processes (GRC) of the activity reviewed? Most participants have not had to address this new requirement yet. Members are planning to give a conclusion on GRC as a whole, rather than addressing the three elements separately. Many plan to describe GRC from a selection of options, such as “needs improvement/adequate/good” or “satisfactory/enhancement required/significant enhancements required/ineffective.” Departments have begun developing criteria to facilitate consistent rankings of these areas.

Naming the individuals responsible for addressing the findings and the planned completion date is a new requirement, but is this a departure from your current practice? Most members said they are used to providing the estimated completion date on the final report but have not necessarily named the responsible party or division. Some departments that formerly only retained this information in the workpapers will now include this information in the management response section of the report. All agreed that providing the role or division responsible, rather than the name of the specific person, is sufficient.

Governance and Charters

“Standard 6.2 Internal Audit Charter” requires the internal audit charter to include the purpose of internal auditing, a commitment to adhering to the Standards, and a mandate including scope and types of services to be provided, and to define organizational position and reporting relationships.

What changes are departments making to their audit charter? Many departments have been comparing their audit charter to the new Standards to determine what, if any, modifications are necessary. A few schools are using this opportunity to develop their initial charter. Minor changes include updating definitions, such as advisory services, and incorporating language from the IIA charter template, available from the IIA website. Another school looked at the “musts” in the Standards and ensured all were met. Other changes include adding required communications, enhancing the Standards on managing the internal audit function in Domain IV, and adding a section on ethics and professionalism.

Has anyone received any pushback or enthusiastic buy-in on their updated charters? Most members said neither, but mostly because people outside of the Internal Audit Department do not really understand the implication of these changes. However, most felt the Board and Audit Committees have been supportive.

How is the chief audit executive (CAE) managing the changes in communication with the board? Many schools have made presentations to their board regarding the changes to the Standards. Some CAEs are creating a document to formalize the discussions that take place between the CAE and the Board or Audit Committee. All agreed it is important to document what is required to be communicated to the Board.

Performance Metrics

“Standard 12.2 Performance Measurement” is new and states the CAE must develop objectives to evaluate the internal audit function’s performance and promote continuous improvement.

Which performance metrics have you found to be the best measurements of success? The most common metrics discussed at the roundtable included:

  • Status of the audit plan
  • Implementation of corrective actions
  • Post-engagement client surveys
  • Engagement time versus administrative time
  • Continuing professional education
  • Results of internal and external assessments
  • Project timeliness, such as completing engagements within time budgets, reports issued within X days of fieldwork, and hotline reports closed within X days.

Which new performance metrics are being considered as a result of this new standard? All schools said they did not make any changes to their existing performance metrics, though some did add existing metrics to their audit manual. Some were considering adding potential metrics about increasing the automation of work and applying data analytics to more projects. One school said their Board wanted a better understanding of the financial savings achieved, though it is difficult to quantify the value of compliance audits and process improvements.

Do you have performance metrics that tie to an individual auditor or manager? Most schools said their goals are related to the entire team. One school said their managers have additional key performance indicators of timely review of reports and a percentage of their team’s engagements completed. Another said they tie annual merit increases to the number of projects completed.

Strategic Planning

“Principle 9 Plan Strategically” focuses on planning strategically, and “Standard 9.2 Internal Audit Strategy” requires the CAE to develop and implement a strategy for the internal audit function that supports the strategic objectives and success of the organization and aligns with the expectations of the board, senior management, and other key stakeholders.

Is strategic planning a new area for internal audit departments? If not, what are your plans for meeting this new standard? Some departments already had a strategic plan and were taking the opportunity to revisit their plan. Many smaller departments had not yet implemented a strategic plan and were preparing to do so.

What resources have you found to be most helpful for developing a strategic plan? The roundtable group discussed some webinars they have attended on the subject. Others have found peer input and online searches on organizational goals and strategies to be helpful.

What types of input did you receive when building your strategic plan? Those who have completed their strategic plan used team feedback, client survey responses, management analysis, their internal audit mission and objectives, and audit committee feedback. Completed plans were shared with the Board and senior management.

Internal and External Quality Assessments

Assessments of internal audit departments now fall under different standards. “Standard 8.3 Quality” requires the CAE to develop, implement, and maintain a quality assurance and improvement function. “Standard 12.1 Internal Quality Assessment” covers ongoing monitoring, periodic self-assessments, and communicating results to the board and senior management about adherence with the Standards. “Standard 8.4 External Quality Assessment” requires an external review to be conducted every 5 years and to include at least one Certified Internal Auditor (CIA) on the external review team.

For those who have completed an internal assessment or gap analysis, what resources did you use? All participants said they used the ACUA AAP – IIA Global Standards 2025 – Self-Assessment Tool and found it helpful in evaluating compliance with the new Standards. Members can download this workbook from the ACUA Resource Library after logging in and searching for “self-assessment tool.”

What were the biggest changes found in your gap assessment? Most felt the enhanced reporting and communication with the Board was the biggest change. Smaller changes needed to be addressed by revising audit manuals, audit charters, and strategic plans. The new ethics and professionalism domain and reporting requirements also needed to be incorporated into the audit manual. Roundtable attendees cited the need for training team members on the changes in the Standards to be able to effectively review engagement workpapers.

Which new topics have the most ambiguity for implementation? Small audit shops and those combined with other areas such as risk and compliance expressed difficulties in demonstrating conformance with the Standards due to inherent differences in organizational and operational structures. The group discussed ways to document conflict of interest disclosures and project-level independence. Others felt the requirements in “Domain III Governing the Internal Audit Function” are quite overarching and may be difficult to implement and document.

Who has plans to have an external assessment in 2025? Only one university said they were due for an external assessment in 2025. Others ensured they completed their assessment before the change in the Standards to allow for more time to conform. All acknowledged they will need to have a CIA on their next review team, though some cited this new criterion may be a challenge as there are not many CIAs in their current pool of assessors.

Conclusion

The first AAP roundtable on the new Standards was a big success. The participants appreciated hearing how fellow members are tackling these changes. Members enjoyed the small breakout group format and the ability to share and collaborate with peer universities on these topics. In the post-event survey, the roundtable attendees unanimously found the roundtable to be helpful and would be interested in attending future roundtables related to the Standards. Please watch for future roundtable opportunities hosted by the AAP!


DEI in Higher Education

What is DEI?
Diversity, Equity, and Inclusion, commonly referred to as DEI, is a highly critical aspect of any organization, and DEI in education, specifically higher education, is especially important. DEI in higher education institutions encompasses the policies and practices designed to help ensure that everyone in the institution, whether faculty, staff, or students, has equal opportunities for success and inclusion, no matter their background.
 
Understanding DEI
Diversity includes race, ethnicity, gender, religion, sexual orientation, geographical representation, and political beliefs, among many other factors. However, what diversity means varies amongst individuals. Studies have shown that race, gender, and sexual orientation are almost always the top three concerns for those working in the field, but inclusion is equally important.
 
DEI in Higher Education – why it’s important
Prioritizing DEI in higher education not only impacts students, faculty, and staff, but also the institution and entire campus. DEI provides advancement opportunities for underrepresented communities and comes into play when recruiting students, hiring faculty and staff, shaping campus culture, encouraging career advancement, setting up tenure processes, examining employment budgets, and making forward-looking decisions.
 
Benefits of DEI
DEI promotes personal growth and a healthy society, and fosters mutual respect and teamwork within the institution. DEI brings multiple perspectives and challenges stereotypical preconceptions, encourages problem-solving and critical thinking, and helps individuals learn how to communicate effectively with people of different backgrounds. Most importantly, DEI enriches the educational experience, as we learn from those whose experiences, beliefs, and perspectives are different from our own.
 
Why does DEI fail?
Although investing in DEI is never a waste of an institution’s time or resources, there are several reasons why DEI efforts are not as effective. Despite overwhelming evidence that institutions are becoming more demographically diverse, research has shown that more than half of employees feel excluded and isolated at work. Institutions with DEI initiatives are also experiencing employee fatigue because employees feel exhausted, frustrated, or skeptical about whether their DEI efforts provide expected tangible results.
Many employees are trying to improve DEI initiatives by starting either an employee resource group or a DEI Council to get things started. However, over time those same employees often end up feeling frustrated, burned out, and discouraged because they do not believe that their institution is equally invested and committed to advancing DEI due to lack of participation, support, and investment. Unfortunately, when employees feel their efforts are in vain, they eventually give up. This is especially difficult when management and those in leadership positions lack diversity and often underestimate and overlook the time, commitment, money, and effort needed to improve and sustain DEI.
 
How to build a more successful DEI strategy
For DEI initiatives and strategies to succeed, institutions need to set the tone at the top and have a top-down, systemic, business-led approach to demonstrate DEI is an essential part of the culture and institution. It is also imperative that institutions set clear, specific, and achievable goals, establish accessible protocols, build equity into the structure, and, most importantly, lead by example. Management and leadership need to take an active role in implementing initiatives and prioritizing DEI. This should not be the sole responsibility of the DEI employees.
 
What can Internal Audit do?
Internal Audit can get involved and support DEI initiatives by conducting DEI audits for their institution. The DEI audit will highlight how well the institution supports diverse and underrepresented employees and put a spotlight on areas where the institution is progressing, as well as identify issues and challenges that exist that need a little more attention. Having Internal Audit support DEI fosters an institution that embraces inclusivity, nurtures a sense of belonging, and amplifies opportunities for individuals from historically underrepresented backgrounds. Internal Audit’s strategic commitment aids in creating a stronger institution that thrives on a diverse array of perspectives and experiences. DEI audits are an opportunity to dig beneath the surface and reflect on the institution’s own priorities and goals. DEI audits are critical tools that, when done properly and consistently, can be a real advocate for institutional change.
 
Because DEI success does not happen overnight, creating a diverse, equitable, and inclusive institution is a continual process, one that requires constant growth at all levels, from the individual to the institution.
 
Editor’s Note: The ACUA DEI committee plans to send a survey to its members in the coming months. Your participation is greatly encouraged.

Considering Culture in Audits

An effective control environment is all about culture, ethical values, and appropriate governance structures. This includes attracting and retaining individuals whose values align with those of the organization and holding them accountable for their actions. It is about setting the norms for how members of an organization agree to treat each other, uphold policies, and deliver on the mission and strategy of the organization.
Culture drives behavior and underpins success or failure of any team. In the best of times, it is difficult to create and protect. Building a strong culture is a meticulous task that requires continuous focus and dedication. Within every interaction lies an opportunity to reinforce culture. Strong connections between people create a higher sense of accountability and responsibility. That is precisely why auditors should always consider cultural aspects of an organization in their engagements.

The Ripples of the Pandemic

In higher education, we operate in a world of multi-faceted operations, shared governance, and federated control structures. Even on a good day, it is challenging to bring the relevant parties to the table to lead conversations about internal controls, fraud risks, and policy governance. Add to the mix the historically poorly documented practices (because someone “has been in their role for many years and they know what they’re doing”), turnover brought on by the great resignation, and the inherently complex and ever-changing compliance and operations landscape, and you have a perfect recipe for the heightened risk of unintentional or intentional misapplication of policies and procedures that may lead to financial or reputational damage to our institutions.

While nearly all core university operations are back on campus in full swing, support operations, such as accounting, finance, information technology, and yes, internal audit, have a varied degree of presence. And while we all have grown to appreciate the flexibility, especially when needing to take care of children, elderly parents, or pets, I can’t help but wonder what auditors might be missing by not being in closer physical proximity with our stakeholders. What has been the impact of multiple work modalities on an organization’s ability to keep focused efforts on compliance and maintaining an effective control environment, particularly in a space as complex and distributed as higher education? If culture truly is the single biggest determinant of employee behavior and organizational success, how can it be cultivated, maintained, and shared, with some employees never having set foot on campus? If there isn’t an intentional effort to create that focus, what is the impact on fraud risk?

The cost of fraud extends well beyond the actual loss suffered. It leads to additional time and money invested in investigations, pursuing actions against perpetrators, and remediating control weaknesses. Fraud also causes a decrease in employee confidence and morale, loss of productivity, and the decline in institutional reputation and degree value. The list of fraud victims at institutions is broad: research sponsors, donors, alumni, current and prospective students, faculty, staff, and larger communities.

With the ripples of the pandemic, we went from knowing and conversing with our office neighbors to working in near isolation. Not many leaders thought of preserving culture as they scrambled to keep core operations on track, getting creative about adapting processes to the new realities. When not actively and intentionally cultivated, culture fades, as do relationships and accountability.

And that is where auditors need to pay attention. Auditing culture is hard, complex, sensitive, politically charged, often subjective, and, let’s be honest, frustrating. But that doesn’t mean we can’t be alert to the associated risks and incorporate them in our engagements.

No Longer Business as Usual

The post-pandemic working modalities have added new risks and opportunities to organizations. With increased turnover, there was a loss of institutional knowledge. With less-tenured staff, or less staff, period, there was an actual or a perceived lessening of oversight. As staff were re-thinking their priorities, so were the students. With enrollment numbers fluctuating and federal and state support waning, institutions began to experience budgetary pressures. Faculty and staff were taking on additional responsibilities, which, coupled with higher turnover and overall uncertainty, led to burnout. It became a lot easier to rationalize circumventing controls when feeling overworked, underpaid, and doing the job of several people. Along with a lack of feeling connected to the organization, the risk of unnoticed mistakes and fraud increased.

Trust is Not a Control

Trust helps organizations thrive and achieve goals with greater efficiency. It is an imperative ingredient for healthy relationships and operational effectiveness. However, it does not replace strong internal controls that are tailored, documented, and tested. During the pandemic, many core processes were adjusted for the needs of the times. In some cases, those changes created efficiencies that would stand the test of time, while in other cases controls may have been over-simplified, leading to design weaknesses in the post-pandemic space. Now is an excellent opportunity for auditors to help their organizations evaluate which changes have the staying power and which ones need to be reverted or reconsidered to ensure a strong control environment.
Auditors must possess curiosity, critical thinking, and connectedness with the organization and its culture. Audit planning is the ideal time to understand what has changed in the organization in terms of leadership priorities and risks to help create a more relevant scope and objectives for the audit. The audit universe should be reviewed periodically to identify changes that affect culture and to help the internal audit function stay systematic and organized.

Auditors should not underestimate the power of a relationship with stakeholders. The quality of those relationships should be cultivated over time. Every interaction can be an opportunity to establish trust in the audit process and provide comfort to stakeholders that they will be supported by Internal Audit with utmost professionalism at the time of need. Auditors should remember to listen with intent to the insights the stakeholder may want to share about departmental changes and cultural shifts.

Culture Matters

Incorporating cultural factors into audit work can enrich perspectives on the organizational control environment. Here are just a few examples of questions to consider:  

Tone at the top:

  • Does leadership set realistic performance targets and communicate them consistently and clearly across the organization?
  • How is organizational culture shared with fully remote employees? How is their sense of belonging fostered?
  • Has the institution performed a climate and culture survey after the pandemic? What were the trends and action items?

Employee services processes:

  • Does your institution consider ethics and integrity of candidates in the hiring process?
  • Does your institution’s philosophy on performance management reflect its values and create an environment of accountability, integrity, and respect?
  • Is success enabled through periodic training and documented performance guidelines and expectations?
  • Are core hiring processes, which may have been simplified during the pandemic, being executed with sufficient law and policy compliance? This includes background checks, I-9 reviews, salary change approvals, vacancy postings, etc.

Reporting mechanisms:

  • Are reporting mechanisms, such as a hotline, implemented and effective?
  • What has been the volume trend for the hotline in the past three years? Is there a change in the types or number of allegations reported? Are the allegations being investigated and resolved?

Business processes:

  • Are internal controls designed for new work modalities?
  • Are policies relatable, enforceable, simple, and easy to use?
  • Have cash management controls reverted back to pre-pandemic standards? Cash management controls may have been adapted during the pandemic, with no one in the office to receive checks, make deposits, or allow for sufficient segregation of duties.
  • Have procurement purchasing cards been adequately monitored? Were higher approval thresholds or looser controls adopted to cope with procurement shortages?
  • Are conflict of interest processes robust enough to educate reporters on what should be disclosed and provide the appropriate level of information for review of possible issues? Are the mitigating plans consistently established, monitored, and enforced?

Next Steps

Due to today’s high pace of macro-environmental changes, multiple work modalities, and the continued effects of the pandemic, sustained attention to organizational culture remains critical for effective mitigation of financial, ethical, and compliance risk. Internal auditors can play a vital role in educating their organizations about effective internal controls. There is value in reminding business leaders that trust is not a control, and that they play an important role in establishing the right combination of mechanisms, rules, and procedures to ensure the integrity of information, promote accountability, and prevent fraud.

If there is one thing we learned in the last four years, it is that change is a constant. Internal auditors can help their institutions attain their goals and objectives by periodically re-evaluating the control design for continued appropriateness. Although internal auditors may not be experts in every process they review, they are experts in validating the design and effectiveness of internal controls. Considering cultural nuances when planning and executing internal audit engagements will only amplify their value.

Are Agency Funds Driving up Your Costs?

Universities often have many affiliated entities that call the campus home. These may include student organizations, honor societies, academic journals, professional organizations like ACUA, alumni associations and more. It is common for institutions of higher education to account for the funds of these organizations through an agency fund relationship. In his book, “University Finances: Accounting and Budgeting Principles for Higher Education,” Dean O. Smith states: 

“Agency funds come from nonuniversity sources. The University serves as custodian of these funds. Accordingly, the funds ‘flow through’ the university, with the sources that provide the funds having the sole discretion over expenditures. Agency funds are not reported as university income and expenditures, as these sources are not considered official units of the university.”

To understand the true nature of agency funds and associated costs, it is important to perform a detailed review of each affiliated organization and its history. A thorough examination of your university’s agency fund budgets may reveal that affiliates are driving up overall costs and may help to identify opportunities for cost savings or recovery. The following are some areas to consider when reviewing agency fund budgets:

  1. Payroll – This includes the cost of employing individuals at the university to manage or perform work for outside organizations. In some cases, universities do not allow payroll to be charged directly to an agency fund. Instead, the outside organization must transfer money from the agency fund to the university to cover payroll costs for employees who are funded by the university. Available documentation should identify payroll costs associated with the organization and explain to what extent the university is responsible for covering salaries, fringe benefits and other costs.
  2. Administrative Fees – These may include payment processing services (accounts payable), telephone service, copying and printing charges, postage and other charges. The university may be able to recover funding by charging the affiliated entity for various administrative items currently provided at no cost.
  3. Rent – Affiliated entities which list a campus address as their business address often operate within university facilities. Depending on the nature of the organization, they could be utilizing more than just office space. Sports camps, for example, which tend to operate as LLCs run by coaches, require the use of athletic facilities.
  4. Risk Management and Legal Liability – Management should consider whether affiliated organizations bring additional risk exposure to the university. This assessment depends on the type of organization and the liability associated with its activities. For example, if an individual is injured on campus while participating in an affiliated entity’s programming, is your university liable?
  5. Overdrafts – During periods of economic downturn, these types of organizations often struggle and could be operating at a deficit, which the university may ultimately need to cover. Budget administrators should review the budgets of affiliated entities for which they have oversight to ensure the entity’s deposits fully cover their expenditures. In the case of recurring overdrafts, the university should consider terminating the agency fund relationship. Alternatively, the university can develop a payment plan and invoice the affiliated entity. 

Affiliated entities provide many positive experiences for students and employees. However, the agency fund relationship can result in excessive costs to the university if proper controls and oversight are not in place. Internal auditors are uniquely qualified to provide management advisory services regarding these kinds of relationships. Such reviews may help to enhance efficiency and identify costs that may be weighing on the university’s finances.