Resources

Regulation Updates: Third-Party Topical Requirement, GRC Reporting, and 529 Plan Changes

Blue Logo for ACUA with the text Journal Articles

By the ACUA Auditing & Accounting Principles Subcommittee

The ACUA Auditing and Accounting Principles Subcommittee is committed to providing members with emerging information in our field. This article features the recently released IIA Third-Party Topical Requirement, clarification on the new reporting requirements on governance, risk management, and controls, plus modifications to the 529 education savings plan that allows tax savings for professional certification expenses.

Understanding the IIA’s Topical Requirements for Third-Party Relationships

Topical Requirements are a new, mandatory component of the Institute of Internal Auditors’ (IIA) Global Internal Audit Standards. Internal auditors must apply the Topical Requirements for assurance engagements in the following situations:

  • The topic is included in your audit plan as an assurance engagement.
  • The topic is identified during the course of an audit engagement.
  • The topic is requested as a new engagement, even if it was not part of your original audit plan.

What’s New?

The Third-Party Topical requirement was finalized on September 15, 2025, and will become effective September 15, 2026. According to the IIA, a third-party is “an external individual, group, or entity with whom an organization (‘the primary organization’) has a business relationship.” In simpler terms, this means any person, group, or business your institution works with.

Importantly, the requirement does not just apply to your direct third-party relationships. It also covers any subcontracted relationships, even those several layers down, such as fourth-level subcontractors, if your contract allows them. This broad scope ensures that risks are managed throughout your entire supply chain.

What does the Third-Party Topical Requirement involve?

Internal auditors need to assess their institution’s contract management throughout the third-party life cycle, consisting of selecting, contracting, onboarding, monitoring, and offboarding. Internal auditors should consider these stages when assessing the requirements for these three key areas:

  • Governance: Internal auditors must evaluate how their institution decides with whom to contract, how these relationships are managed, and who communicates with third parties and stakeholders. This includes assessing whether the organization has clearly defined roles and responsibilities for managing third-party relationships, and whether established policies and procedures align with regulations and are updated regularly. Auditors should confirm there is a formal approach to contracting third parties and there are protocols for communicating with relevant stakeholders.
  • Risk Management: Internal auditors must review how their institution identifies, assesses, and monitors third-party risks. This begins with examining due diligence procedures for onboarding third parties. There should be ongoing monitoring and corrective action for deviations, and risk assessments should classify and rank third-party risk. Check for escalation and remediation processes in place for unresolved issues, including remediation or termination.
  • Controls: Internal auditors should assess the controls in place to manage and monitor the risks associated with third parties. Review procurement controls for appropriate sourcing and selecting of third parties and ensure there is an appropriate approval process. Determine whether there is centralized contract management and verify contracts contain risk mitigation clauses, performance expectations, compliance obligations, and are reviewed and updated periodically. Review ongoing third-party monitoring and periodic evaluation, and the monitoring of contract renewal dates and offboarding plans.

By understanding and applying these requirements, your institution can better manage third-party risks and strengthen its overall governance.

Download the Third-Party Topical Requirement and a user guide from the IIA at:

https://www.theiia.org/en/standards/2024-standards/topical-requirements/third-party/

Other topical requirements to be aware of:

Cybersecurity – effective February 5, 2026

Organization Behavior – public comment period ended, pending finalization.

Organizational Resilience – pending public comment.

https://www.theiia.org/en/standards/2024-standards/topical-requirements

New Reporting Requirements for GRC

The new IIA Global Internal Audit Standards, effective January 9, 2025, introduce more structured and rigorous reporting requirements for Governance, Risk Management, and Controls (GRC). They emphasize clarity, consistency, and alignment with stakeholder expectations.

During an engagement, the Internal Audit function must evaluate the governance processes to ensure the organization promotes ethical behavior, accountability, and transparency. Auditors must identify key risks and ensure they are managed effectively, and review the control framework to identify control deficiencies, weaknesses, and failures.

Standard 14.5 Engagement Conclusions requires internal auditors to develop an engagement conclusion that summarizes the results relative to the engagement objectives. In addition, this standard states “assurance engagement conclusions must include the internal auditor’s judgment regarding the effectiveness of the governance, risk management, and control processes of the activity under review, including an acknowledgment of when processes are effective.”

The considerations for implementation of this standard recommend having methodologies for the internal audit function in the form of a rating scale indicating whether reasonable assurance exists regarding the effectiveness of controls. An example is developing criteria for a scale that indicates “satisfactory, partially satisfactory, needs improvement, or unsatisfactory.”

The AAP Committee aggregated the ratings used by the committee members and created the following example of a rating methodology that is applicable to report ratings and GRC ratings:

Example of Report/GRC Ratings

Standard 15.1 Final Engagement Communication states the final communication for assurance engagements must include a “conclusion regarding the effectiveness of the governance, risk management, and control processes of the activity required,” in addition to the continuing requirements of objectives, scope, recommendations, and any action plans. Auditors are encouraged to use their engagement conclusions derived from their methodologies to meet this reporting standard.

529 College Savings Plans Expanded to Cover Professional Certifications

A provision in the One Big Beautiful Bill Act (OBBBA) that was signed into law in July 2025 included changes in 529 education savings plans that may benefit ACUA members. Traditionally 529 plans were reserved for undergraduate and graduate degree programs, but now certain professional certification and credentialing programs are covered as qualifying expenses. This includes several of our most sought-after certifications, including the Certified Internal Auditor (CIA), the Certified Information Systems Auditor (CISA), and the Certified Public Accountant (CPA).

This is a great opportunity to invest in your professional development, especially if your department does not cover or reimburse certification expenses. Eligible expenses can include study materials, exam fees, and even continuing education required to maintain your credential.

See Section 70414 of the OBBBA for more information. As always, everyone’s tax situation is different, so please consult with your tax advisor to confirm eligibility. Check with your financial institution for assistance setting up a 529 plan.

Mitigating Bias in Internal Auditing: Strategies for Enhanced Objectivity

Blue Logo for ACUA with the text Journal Articles

By Amaya Beck

Internal auditors are tasked with evaluating organizational processes to ensure compliance with laws and regulations, as well as identifying areas for improvement. However, like all professionals, they are prone to psychological biases that can influence their judgments and decisions. These biases can lead to inaccurate audit findings, undermine the credibility of the audit process, and ultimately affect organizational decision-making. By implementing mitigation strategies, Internal Auditors can implement mitigation strategies and enhance the credibility of their work and contribute to more effective organizational governance.

Common Biases in Internal Auditing

Several biases are particularly relevant to internal auditors:

  • Confirmation Bias: This involves favoring information that supports preconceived notions while disregarding contradictory evidence. It can lead auditors to overlook critical issues or misinterpret data.
  • Anchoring Bias: Auditors may rely too heavily on initial information, which can skew their assessment of subsequent data.
  • Overconfidence Bias: This occurs when auditors overestimate their knowledge or judgment, potentially leading to missed errors or omissions.
  • Availability Bias: Auditors may give undue weight to readily available information or recent events, rather than considering a broader range of data.

Strategies for Mitigating Bias

1. Structured Decision-Making Tools: Six Thinking Hats Technique

The Six Thinking Hats technique, developed by Edward de Bono, offers a structured approach to decision-making by encouraging diverse perspectives. This method involves assigning different colored hats to represent various thinking styles: White Hat for facts, Black Hat for risks, Green Hat for creativity, Red Hat for emotions, Yellow Hat for benefits, and Blue Hat for process management. Auditors should metaphorically don the different hats and systematically consider multiple viewpoints to reduce the impact of personal biases and ensure more comprehensive evaluations.

2. Peer Reviews and Second Opinions

Engaging in peer reviews or seeking second opinions can help challenge assumptions and identify potential biases. This collaborative approach fosters a culture of critical evaluation and enhances the reliability of audit findings.

3. Training and Awareness Programs

Educating auditors about common biases and their effects is crucial. Training programs should emphasize the importance of recognizing and mitigating biases to promote a culture of objectivity within audit teams.

4. Organizational Independence and Reporting Lines

Ensuring internal auditors report directly to the audit committee or an equivalent body helps maintain independence and reduces the influence of organizational pressures that might lead to biased judgments.

Conclusion

Mitigating bias in internal auditing is essential for maintaining the integrity and credibility of audit processes. By employing structured decision-making techniques, fostering a culture of peer review, and enhancing awareness of cognitive biases, internal auditors can significantly reduce the impact of biases on their work. These strategies not only improve the quality of audit findings but also contribute to more informed organizational decision-making, ultimately enhancing governance and compliance. By adopting these strategies, internal auditors can enhance their role as guardians of organizational integrity and contribute to more effective governance and compliance practices.

Resources

  1. https://www.linkedin.com/pulse/psychological-biases-how-affect-internal-auditors-isaac-omosa  
  2. https://www.accaglobal.com/content/dam/ACCA_Global/Technical/audit/pi-banishing-bias-prof-scepticism.pdf 
  3. https://internalauditor.theiia.org/en/voices/2024/august/building-a-better-auditor-beating-behavioral-biases/   
  4. https://abmagazine.accaglobal.com/content/abmagazine/global/articles/2022/nov/practice/the-various-biases-in-audit.html 
  5. https://www.learnleansigma.com/guides/six-thinking-hats/
Avoiding Bias in Your Internal Audit Program

Game Plan: Evaluating Athletics Facility Security and Access

Blue Logo for ACUA with the text Journal Articles

By Candice Lewis and Marie Jackson, ACUA Sidelines Committee

Being a college athletics fan means being a part of something bigger than yourself. It’s about finding community and being a part of a shared experience with your fellow fans for those few hours when time stops but the game clock ticks down. It means retracing your steps on campus, reminiscing about years past, and revisiting traditions that you never seem to outgrow.

In this new era of college athletics, schools build on those feelings of nostalgia and use technology and social media to provide all-access passes to our favorite teams. Sports marketing teams share behind-the-scenes looks at the newest facility upgrades. Student-athletes share their workouts, nutrition tips, and “outfit-of-the-day” videos. Coaches speak on podcasts and break down plays. As schools look to partner more with alumni and donors in the new age of Name, Image, and Likeness (NIL), it becomes increasingly important to craft positive fan experiences. But how can schools boost fan engagement and provide innovative experiences while balancing security and access to protect our student-athletes, staff, and facilities?

This article will highlight some best practices for both routine as well as game day security and access. Your internal audit function can help your athletics department assess their approach to evaluating safety and security, including utilizing campus and third-party experts when needed. Remember that a comprehensive security plan will include physical security, operational security, and cyber security. This article will focus on suggested best practices for physical and operational security for on-campus events and hopefully will get you thinking about how to leverage these concepts for off-campus and cyber-related processes and controls

Ongoing Safety and Security

Academic institutions hold the utmost responsibility to provide a safe environment for their students, staff, and fans. The very nature of campuses, which are generally accessible to the community-at-large, creates additional complexities when planning for security and limiting access to restricted spaces. Poor security practices can significantly impact brand reputation and increase the potential for legal liabilities, so thinking about safety measures is a critical exercise for colleges and universities.

On any given day, access management is crucial to ensuring the ongoing security of athletic facilities and the safety of those that use them. An internal audit review of access management could include:

  • Ensure appropriate processes are in place to grant, manage, and terminate access (both physical keys and digital IDs). Evaluate policies and procedures for administering access, and ensure those policies include guests and third parties (e.g., guidelines for accompanying visiting recruits and their families, or temporary access and credentials for vendors, multimedia partners, press, etc.).
  • Determine who manages this access, and whether campus staff provide any support in this area. Athletics should have practices to effectively and timely address employee terminations, vendor terminations, and changes in student status. Communication protocols in place should ensure ongoing collaboration between campus and athletics staff.
  • Athletics facilities staff should develop a risk-based approach to restricting access and should equip entry points with physical or electronic locks. Entry access controls should include consideration of field gates, parking areas, stairwells, locker rooms, practice facilities, utilities, IT, electrical and mechanical spaces, and media and operation centers. Security alarms may also provide an additional layer of protection in these spaces to deter, detect, and notify staff of intrusions.
  • Evaluate the use of emerging technologies such as facial recognition. Many campuses are using biometric authentication to manage both access to facilities, and to admit fans through entry gates. Consider both security merchant contracts and user agreement terms related to data privacy, collection, and use of data.

Schools rely on security and facility staff to promote safe and secure spaces on their campuses. Here are some best practices to consider when evaluating security operations on your campus:

  • Use of initial and routine background checks for security staff. Consider the timing and renewal of these checks for employees, and in what way Athletics utilizes contracted security companies.
  • Obtain and review incident reporting and communication protocols. Evaluate whether Athletics effectively documents, communicates, and trains security staff on how, to whom, and in what timeframe they should report incidents.
  • Consider ongoing threat assessment practices, and coordination with campus leaders and campus police to ensure consistent application of protocols for gathering information and analyzing and assessing potential threats.
  • Video surveillance is a key component of security operations, and athletics should consider using and monitoring camera footage for athletics event management. Schools should have a policy in place governing the use of both cameras and footage which should include viewing, retention, and release guidance.
  • Determine whether trainings and drills are performed for evacuations, lockdowns, active shooter situations, etc. Verify there is an understanding of emergency management roles and responsibilities, and opportunities to identify shortcomings and enhance processes.
  • Consider cybersecurity risks that are unique to athletics. Network or application outages could affect security systems, parking access, concessions sales, scoreboards, electronic banners, spirit wear sales, fan ticketing, and facial recognition. Additionally, Athletics often uses unique vendor applications not used elsewhere in the university. Conducting an application inventory audit could be a great project for your department and could include data classification and storage, and application user access management.

The following athletics venue and facility risks should be considered:

  • Older stadiums and facilities were not designed with modern day safety and security threats in mind. Ongoing assessment of electrical and mechanical systems, screening systems, evacuation plans, accessibility, and other security technologies is a best practice to continually improve the safety and user experience within facilities.
  • Evaluate non-event credentialing processes for venue staff, security, and vehicles to control and restrict access to appropriate areas within the venue. This is a complex exercise with multiple groups needing unique access (e.g., equipment managers, sports medicine trainers, contractors, volunteers, campus recreation, visitors, and sport camp attendees).
  • Consider the “empty state” of venues, facilities, and fields and how Athletics incorporates closing processes, sweeps, and cameras both within the venue and outside (e.g., attached parking and other spaces included in defined security boundaries). For those schools that rent out facilities or premium spaces for non-athletic events, consider how Athletics is securing those spaces after rentals.

Remember to include adjacent spaces as appropriate. These could include practice facilities, mobile or attached operation centers, broadcast and production facilities, school-sponsored tailgates, and museums.

Gameday Preparations

The safety and security of athletic venues becomes even more critical on game day. As your university prepares to host thousands of visiting fans, opposing team players and coaches, and game day staff, it is essential to ensure appropriate controls are in place for a fun and safe game day experience. Whether you are preparing for an audit or assisting with a review, consider the following points. Note that this list is not exhaustive and each game situation is unique and may require modified or additional controls.

Game day preparations begin way before the first tip of the ball, whistle by the referee, or points scored by the home team. Key coordination and pre-game preparation considerations undertaken by Athletics often include:

  • Game day safety and security requires coordinating multiple safety oversight units, agencies, and processes. University departments such as Athletics, Public Safety, Event Services, Emergency Management, and the Police Department must work with local law enforcement agencies, fire departments, emergency medical personnel, and any contracted security.
  • Ensure proper contracts are in place with external agencies where needed.
  • Verify that all key personnel from other agencies use the correct radio channels and communication methods.
  • Train all personnel in the correct university procedures and review game day operation plans and emergency action plans.
  • Hold pre-game safety meetings with key personnel to review game day events and important information.
  • Conduct tabletop exercises to walk through responses to potential game day risks.
  • Establish command centers both on-site and off-site (if feasible). The off-site command centers allow access to resources if the on-site command center goes offline. These centers should have access to all mentioned resources, personnel, security cameras, weather data, and other agency data as needed.

Athletics personnel should conduct a pre-game security sweep to ensure the venue is secure before players, coaches, and fans enter the venue. Key activities include:

  • Ensure all personnel in the venue prior to the game have proper uniforms and credentials visible. The credentialling process should include a secure storage location and ID verification prior to release. A good example of a credentialing control is the numbered photographer vests seen on the sidelines of conference tournament games.
  • Require University employees, vendors, and outside agencies to enter through authorized entrances, keeping other entrances locked or guarded by security personnel.
  • Place security personnel at key locations, such as all unlocked entrances, locker room entrances, and field access locations, to ensure only authorized personnel gain access.
  • If feasible, use a K-9 explosives detection team to sweep the entire venue, team buses, and any vendors and deliveries that enter after the original sweep.

Physical Security

As fans start arriving the excitement starts to build, and the game day experience begins. Athletics personnel should make additional efforts to ensure a safe and secure environment.

Traffic management controls should be coordinated between the university and local authorities so that fans can arrive at the game on time and depart safely. Implement a game day traffic flow with clear traffic patterns, directions, and signage. Consider non- motorized traffic such as foot or bike. There may also be mass transit routes to accommodate shuttle buses from park and ride lots.

Gate security includes ensuring barriers or barricades, such as concrete posts, are strategically placed to prevent motorized traffic from entering restricted areas. Ensure all gates have security present and gates not in use are locked. Once the gates are open to the public, patrons may go through metal detectors and have bag checks performed by trained personnel to ensure unallowable or dangerous items are not brought into the venue. Consider implementing a clear bag policy to enhance and ease the bag check process.

Field/court and locker-room security is necessary to keep coaches and student athletes safe. Consider using a credentialing process for field/court and locker room access that prevents unauthorized individuals from entering the areas. Security personnel should be positioned at all entry points to field/court to prevent unauthorized access and respond to situations as they arise.

Police/Security/EMS personnel should beproperly stationed at key locations throughout the venue to provide safety and assist patrons, act as a crime deterrent, and have access to resources as needed. They should provide on-going game day security sweeps.

Camera coverage is beneficial in key areas such as parking lots, seating areas, and concourses can help ensure a safe and secure game day environment and assist command centers and security personnel.

Post-Game Considerations

After the game ends and fans are exiting the venue, there is still work to be done.

Rowdy fans or court/field celebrations can happen, especially during rivalry games. In the heat of the moment, fans can get overly excited and take actions such as court/field storming, which could put the safety of players, coaches, and fans at risk. To prepare for this, Universities should educate fans on the consequences, such as fines/penalties, of storming the court/field. There should be an emergency plan that includes standard emergency response codes (e.g., code blue), personnel, and action to be taken.

After the game has concluded and everyone has left the venue it is important for key personnel to hold an official post-game debrief to determine what went well and what didn’t. Lessons learned from this debrief should be implemented at future events to enhance the game day experience for everyone.

Conclusion

The ACUA Sidelines Committee hopes this article provides valuable insights into best practices for routine and game day security and access. As you plan future engagements, consider applying these principles to other on-campus events and event planning. Embracing a proactive and collaborative approach to reviewing and updating security and access protocols is a winning strategy!

Letter from the Editor – Spring 2025

Blue Logo for ACUA with the text Journal Articles

Today the ACUA College and University Journal is graduating from an issue-based format to a rolling publication. I have to admit, initially I was a bit resistant. It’s easier to stay the course, and I was concerned about the impact. Would the articles still get noticed? Would members like the change? Will we have enough submissions to keep it rolling?

I soon found my fears were unfounded, thanks to such a great team who helped make this transition. My deputy editor, Tyler Morgan, advocated for rolling articles from the start as he knows people appreciate a quick read. The Communications committee enthusiastically adopted the change, and Bostrom was on board too. A huge thanks goes out to the Communication Committee’s social media expert Jocelyn Edge for enhancing the website, posting articles, and bringing this concept to life.

The extra push for this change came from the Auditing and Accounting Principles subcommittee, who wanted to publish an article about their IIA Standards Roundtable quickly to help our members with their implementations. Our inaugural rolling article contains member tips on adopting the new reporting requirements, updating charters, defining performance metrics, the new strategic planning element, and quality assessments.

New articles will be announced in three ways: 1) on a Connect ACUA post, 2) on ACUA’s social media platforms, and 3) in Bostrom’s bimonthly email newsletters. If you haven’t already selected your preference, you can choose to receive a daily summary of Connect ACUA posts to your email each morning.

The Communications Committee and I are very excited to offer this rolling format. Watch for upcoming articles on research, athletics safety, and mitigating bias coming soon. We would love to help you get published and earn CPE credits for writing – and now you can submit articles anytime. Please reach out to editor@acua.org for more information.in.

Sincerely,

Kara Hefner, Editor

AAP Roundtable on Implementing the New IIA Standards

Blue Logo for ACUA with the text Journal Articles

On February 11, 2025, the ACUA Auditing and Accounting Principles (AAP) Committee hosted a roundtable discussion on implementing the Institute of Internal Auditors (IIA) Global Internal Audit Standards (Standards), which became effective on January 9, 2025. This event drew 35 ACUA members, who were divided into breakout rooms to share their questions and solutions on five topics with significant changes: reporting, governance/charter, performance metrics, strategic planning, and quality assessments. The AAP committee members facilitated the discussion and contributed to the following summary.

Reporting Requirements

The IIA added reporting elements in “Standard 15.1 Final Engagement Communication.” Changes include prioritizing findings, adding an overall summary of governance, risk, and controls, and adding an owner and due date to the management response.

How are departments reporting conformance in their audit reports while working on implementing the new Standards?  The internal audit departments that have already completed a gap analysis or an internal assessment and have modified their practices to agree with the new Standards continue to use the “in conformance” phrase in their reports. Departments that are still adjusting to the new Standards, or will have an external assessment soon, are temporarily omitting that phrase from their reports.

How are you prioritizing your findings? All members said they are consciously prioritizing their findings, but the methodologies varied. Some departments have defined a matrix for categorizing their findings as “high, medium, or low.” These ratings and definitions are sometimes presented in the reports for context. Other departments are relying on professional judgment in prioritizing their findings and are documenting their reasoning in the work papers. Most departments are including the phrase “findings are listed in order of priority” in the final reports.

How are departments concluding on the effectiveness of the governance, risk management, and control processes (GRC) of the activity reviewed? Most participants have not had to address this new requirement yet. Members are planning to give a conclusion on GRC as a whole, rather than addressing the three elements separately. Many plan to describe GRC from a selection of options, such as “needs improvement/adequate/good” or “satisfactory/enhancement required/significant enhancements required/ineffective.” Departments have begun developing criteria to facilitate consistent rankings of these areas.

Naming the individuals responsible for addressing the findings and the planned completion date is a new requirement, but is this a departure from your current practice? Most members said they are used to providing the estimated completion date on the final report but have not necessarily named the responsible party or division. Some departments that formerly only retained this information in the workpapers will now include this information in the management response section of the report. All agreed that providing the role or division responsible, rather than the name of the specific person, is sufficient.

Governance and Charters

“Standard 6.2 Internal Audit Charter” requires the internal audit charter to include the purpose of internal auditing, commitment to adhering to the Standards, a mandate including scope and types of services to be provided, and defines organization position and reporting relationships.

What changes are departments making to their audit charter? Many departments have been comparing their audit charter to the new Standards to determine what, if any, modifications are necessary. A few schools are using this opportunity to develop their initial charter. Minor changes include updating definitions, such as advisory services, and incorporating language from the IIA charter[TM1]  template, available from the IIA website. Another school looked at the “musts” in the Standards and ensured all were met. Other changes include adding required communications, enhancing the Standards on managing the internal audit function in Domain IV, and adding a section on ethics and professionalism.

Has anyone received any pushback or enthusiastic buy-in on their updated charters? Most members said neither, but mostly because people outside of the Internal Audit Department do not really understand the implication of these changes. However, most felt the Board and Audit Committees have been supportive.

How is the chief audit executive (CAE) managing the changes in communication with the board? Many schools have made presentations to their board regarding the changes to the Standards. Some CAEs are creating a document to formalize the discussions that take place between the CAE and the Board or Audit Committee. All agreed it is important to document what is required to be communicated to the Board.

Performance Metrics

“Standard 12.2 Performance Measurement” is new and states the CAE must develop objectives to evaluate the internal audit function’s performance and promote continuous improvement.

Which performance metrics have you found to be the best measurements of success? The most common metrics discussed at the roundtable included:

  • Status of the audit plan
  • Implementation of corrective actions
  • Post-engagement client surveys
  • Engagement time versus administrative time
  • Continuing professional education
  • Results of internal and external assessments
  • Project timeliness, such as completing engagements within time budgets, reports issued within X days of fieldwork, and hotline reports closed within X days.

Which new performance metrics are being considered as a result of this new standard? All schools said they did not make any changes to their existing performance metrics, though some did add existing metrics to their audit manual. Some were considering adding potential metrics about increasing the automation of work and applying data analytics to more projects. One school said their Board wanted a better understanding of the financial savings achieved, though it is difficult to quantify the value of compliance audits and process improvements.

Do you have performance metrics that tie to an individual auditor or manager? Most schools said their goals are related to the entire team. One school said their managers have additional key performance indicators of timely review of reports and a percentage of their team’s engagements completed. Another said they tie annual merit increases to the number of projects completed.

Strategic Planning

“Principle 9 Plan Strategically” focuses on planning strategically, and “Standard 9.2 Internal Audit Strategy” requires the CAE to develop and implement a strategy for the internal audit function that supports the strategic objectives and success of the organization and aligns with the expectations of the board, senior management, and other key stakeholders.

Is strategic planning a new area for internal audit departments? If not, what are your plans for meeting this new standard? Some departments already had a strategic plan and were taking the opportunity to revisit their plan. Many smaller departments had not yet implemented a strategic plan and were preparing to do so.

What resources have you found to be most helpful for developing a strategic plan? The roundtable group discussed some webinars they have attended on the subject. Others have found peer input and online searches on organizational goals and strategies to be helpful.

What types of input did you receive when building your strategic plan? Those who have completed their strategic plan used team feedback, client survey responses, management analysis, their internal audit mission and objectives, and audit committee feedback. Completed plans were shared with the Board and senior management.

Internal and External Quality Assessments

Assessments of internal audit departments now fall under different standards. “Standard 8.3 Quality” requires the CAE to develop, implement, and maintain a quality assurance and improvement function. “Standard 12.1 Internal Quality Assessment” covers ongoing monitoring, periodic self-assessments, and communicating results to the board and senior management about adherence with the Standards. “Standard 8.4 External Quality Assessment” requires an external review conducted every 5 years and include at least one Certified Internal Auditor (CIA) on the external review team.

For those who have completed an internal assessment or gap analysis, what resources did you use? All participants said they used the ACUA AAP – IIA Global Standards 2025 – Self-Assessment Tool and found it helpful in evaluating compliance with the new Standards. Members can download this workbook from the ACUA Resource Library after logging in and searching for “self-assessment tool.”

What were the biggest changes found in your gap assessment? Most felt the enhanced reporting and communication with the Board was the biggest change. Smaller changes needed to be addressed by revising audit manuals, audit charters, and strategic plans. The new ethics and professionalism domain and reporting requirements also needed to be incorporated into the audit manual. Roundtable attendees cited the need for training team members on the changes in the Standards to be able to effectively review engagement workpapers.

Which new topics have the most ambiguity for implementation? Small audit shops and those combined with other areas such as risk and compliance expressed difficulties in demonstrating conformance with the Standards due to inherent differences in organizational and operational structures. The group discussed ways to document conflict of interest disclosures and project-level independence. Others felt the requirements in “Domain III Governing the Internal Audit Function” are quite overarching and may be difficult to implement and document.

Who has plans to have an external assessment in 2025? Only one university said they were due for an external assessment in 2025. Others ensured they completed their assessment before the change in the Standards to allow for more time to conform. All acknowledged they will need to have a CIA on their next review team, though some cited this new criterion may be a challenge as there are not many CIAs in their current pool of assessors.

Conclusion

The first AAP roundtable on the new Standards was a big success. The participants appreciated hearing how fellow members are tackling these changes. Members enjoyed the small breakout group format and the ability to share and collaborate with peer universities on these topics. In the post-event survey, the roundtable attendees unanimously found the roundtable to be helpful and would be interested in attending future roundtables related to the Standards. Please watch for future roundtable opportunities hosted by the AAP!

Professional Skepticism

Blue Logo for ACUA with the text Journal Articles

By Priya Sall

Professional skepticism is challenging to develop and apply as an internal auditor. We naturally desire to trust people, especially those we know. Professional skepticism is an audit skill developed over time and constantly refined. Successful auditors are able to strike a balance between trust and skepticism, as being too trusting can lead to inadequate oversight, and being overly skeptical can lead to unnecessary procedures.

Professional skepticism is an attitude that includes a questioning mind and a critical assessment of information. Applying the right level of skepticism can be challenging. Eager auditors might be too skeptical, resulting in extra or unnecessary audit procedures and increased audit costs. Auditors with a low level of skepticism may ignore red flags that justify spending further time and attention. When an auditee has an inadequate control structure, concerning tone at the top, or other red flags, auditors should gauge their skepticism and respond accordingly. Roadblocks or challenges can also tempt auditors to settle for less, as difficulties in obtaining a higher degree of evidence might lead auditors to rationalize that what they have is good enough.

Applying professional skepticism has inherent limitations, such as the impact on audit efficiency. The more skeptical the auditor, the more time the auditor typically takes to complete an audit. When an auditor is overly concerned with completing the audit within a fixed budget or timeline, professional skepticism and audit quality may be negatively impacted. It is important that budgets and deadlines do not unduly hinder the exercise of skepticism, and supervisors should help auditors develop skepticism skills.

The following methods can be used to enhance auditors’ skepticism skills.

  • Develop a questioning mindset – This is an attitude of curiosity and interest, as those who desire to satisfy curiosity naturally tend to exercise higher levels of professional skepticism. A questioning mindset requires professionals to continually ask questions and seek further clarification until they know they have the necessary information.
  • Suspend judgment – Wait until you are sure before reaching a conclusion. Just as you would not go in with the expectation that everything is wrong, do not assume everything is necessarily correct.
  • Assess evidence gathered and reach an independent judgment based on that evidence – Do not get caught up in groupthink. This means maintaining awareness and attempting to overcome judgment traps.
  • Hone self-confidence – Self-confidence describes the ability of a professional to act upon the information obtained. Sometimes, it is easier to follow the tide even when you know something does not feel right in your gut. If it does not feel right, it probably is not, and you need to keep digging until you are satisfied.
  • Use case studies and simulations – Practice applying professional skepticism using past scenarios and simulated audit engagements.
  • Encourage group discussions and brainstorming sessions – Allowing auditors to discuss and challenge each other’s assumptions and judgments fosters a skeptical mindset.
  • Engage in critical thinking exercises – Provide auditors with exercises that require them to analyze and evaluate information critically, and to consider alternative explanations and potential biases.
  • Train on cognitive biases – This involves raising awareness of common cognitive biases influencing judgment and decision-making, plus providing strategies to mitigate their impact.
  • Engage in continuous professional development – Continuous training keeps auditors updated on emerging issues and supports a balanced level of professional skepticism.

Professional skepticism can be learned just as it can be taught. Auditor working practices and supervisor mentorship must support and encourage skepticism. Learning the right questions to ask, verifying the answers, and knowing when to move on requires balance. Achieving a balanced level of professional skepticism at the onset of every audit supports the audit’s value.

Improving Communication by Reducing Ambiguity in Policies

Blue Logo for ACUA with the text Journal Articles

By John McDaniel

Internal controls are not just a good practice, they are an absolute necessity for any organization, particularly in the complex realm of higher education. Effective communication and a comprehensive understanding of policies and procedures are key to maintaining these controls. However, when communication is unclear or ambiguous, it can lead to protocol violations and serious risks, threatening the integrity of research, financial compliance, and the institution’s reputation. This article delves into the concept of equivocality, its impact, and strategies to reduce it—all aimed at fortifying the internal control framework in higher education institutions.

Exploring Ambiguity

Unclear messages or instructions can lead to equivocality when they can be understood in multiple ways. Policies with conflicting language and ambiguous expectations can confuse the reader and result in inconsistent application. The lack of consistency in policy interpretations and the failure to provide timely updates further complicate matters. When faced with cultural discrepancies, individuals may need clarification about the appropriate course of action, especially when there is a clash between written policies and institutional culture.

Consider the institution’s travel policy, for example. If there is ambiguity about whether alcohol expenses are reimbursable, some employees may assume that alcohol is permitted during client dinners, while others may interpret the policy more restrictively and exclude alcohol altogether. This inconsistency in interpretation could lead to non-compliant expense submissions, with some employees inadvertently violating policy guidelines.

Similarly, confusion can arise when employees are unsure about claiming travel reimbursements. Employees may make incorrect assumptions, such as not deducting commuting miles when driving a personal vehicle in the opposite direction of the jobsite or rationalizing it is permissible to upgrade a flight to business class since it is for a business trip. They may not realize when prior approvals are required, such as when staying at an expensive hotel, or that there may be caps on certain expenses like dinners. Without clear, specific guidelines, employees may not consistently adhere to the travel policy, resulting in improper charges to the institution.

The Hazards of Ambiguity

The ripple effects of uncertainty are far-reaching. It can pave the way for unintended or deliberate deviations, escalating the risk of fraud and ethical breaches. Clear policies are not just about compliance, they are about optimizing resource utilization, which directly influences research outcomes and financial stability. Non-compliance with research and regulatory requirements can tarnish an institution’s reputation and alienate sponsors.

Moreover, uncertainty breeds frustration, casting a shadow on staff morale. For example, institutions with unclear per diem policies may lead to employees believing they can claim full per diem rates even though meals were provided at a conference, or their travel began late in the day. Employees may exceed their daily spending allowance when the per diem rates are not known, and mistakenly assume the university will reimburse them at full cost. This lack of clarity can result in disputes over reimbursements, creating administrative inefficiencies and reducing staff morale when employees feel they have been treated unjustly. A clear and regularly updated per diem policy, with specific guidelines on how to apply the daily rates, can help avoid such conflicts and reduce confusion.

Exploring the Impact of Equivocality on Control Breakdowns

Ambiguity can lead to control breaches in universities. For instance, when procurement procedures are unclear, faculty or staff might make unauthorized purchases or exceed spending limits, resulting in financial losses or non-compliance with external regulations. Similarly, unclear travel expenditure policies, such as the alcohol reimbursement example, can create ethical dilemmas and damage the reputation of individuals and the organization as a whole, especially if alcohol is inadvertently served to minors.

Uncertain data management practices in research can compromise integrity and attract regulatory scrutiny. For example, research universities need to be especially clear on policies for safeguarding study subject data. Inconsistent data governance practices are often due to unclear data storage, sharing, and ownership policies. Vague guidelines regarding conflicts of interest can undermine the objectivity of studies when there is confusion about reporting potential conflicts.

Compliance violations can also arise from a lack of clarity on export control restrictions, resulting in unintentional infractions, financial penalties, and impeding international research collaboration. Unclear guidelines on student data privacy standards can result in failure to comply with regulations, financial penalties, and damage to the university’s reputation. These examples highlight the importance of actively addressing uncertainty to mitigate risks and safeguard the organization’s financial resources, research, and adherence to regulations.

Internal Audit’s Role in Reducing Equivocality

Internal auditors can use their role as valuable strategic advisors by delving deeper into non-compliance observations. Recognizing situations where faculty and staff violated institutional policies and procedures is reactive and offers limited benefit. Instead, their value lies in uncovering the underlying reasons behind these mistakes. Discovering undisclosed process weaknesses reveals possibilities for enhancing and maximizing operational efficiency.

Through thorough investigation, internal auditors can uncover systemic issues such as unclear communication, inadequate training, or flawed policies by delving into the reasons behind non-compliance. Auditors can uncover inefficiencies or vulnerabilities within current processes, which can lead to improvements beyond immediate compliance concerns. With a deeper understanding, they can provide valuable recommendations that tackle the underlying issues of non-compliance, leading to specific and effective improvements.

Internal auditors should proactively evaluate policies, especially in high-risk areas like travel, procurement, and data governance, to enhance the risk management framework by anticipating and mitigating potential issues. Consider a dual approach where Internal Audit reviews policies during specific engagements and dedicated departmental compliance committees perform periodic reviews of high-risk areas.

Conclusion It is essential to actively reduce ambiguity in policies and procedures to strengthen internal controls, ensure policy compliance, and uphold institutional integrity. This requires a collaborative effort that necessitates dedication from management, Internal Audit, and all employees to cultivate a culture of transparent communication and ethical conduct. By working together, academic institutions can strengthen their internal control environment to protect their mission and resources.

Going back to basics: Higher education internal audit challenges, risks and strategies

Blue Logo for ACUA with the text Journal Articles

A video series brought to you by Baker Tilly

Higher education institutions face myriad risks where an internal audit or advisory review would be beneficial (or necessary) to assess risk levels and drive action to mitigate risks on campus. Baker Tilly’s higher education risk advisory specialists have created a series of short internal audit videos focused on eight “back to basics” topics. This video series, which will continue through calendar year 2024, presents key challenges crucial to the higher education industry along with actionable strategies to assess and manage risk. The topics were selected based on recent audits and client inquiries and include: procurement, student accounts and financial aid, gifts and advancement, data analytics, human resources (HR) and payroll, cybersecurity and information technology (IT), construction risk management, and grants and sponsored research.

Episode 1: Procurement risks and controls

Before diving into specific topics, this video offers a comprehensive internal controls overview, walking through the five key components of internal controls and how risk is defined and measured in relation to achieving an institution’s mission and strategic objectives. It then identifies the top procurement risks in higher education and emphasizes the importance of establishing a strong control structure in this space. The discussion examines the risks posed by the decentralized nature of procurement in higher education, along with strategies to mitigate these risks. Additionally, the video explores challenges in contract management, the role of procurement cards (P-cards) and their associated risks and the application of segregation of duties to prevent fraud and misuse in procurement processes.

Episode 2: Student accounts and financial aid

This video discusses the critical role of student accounts in higher education institutions and the complexities of managing the associated functions and offices. It emphasizes the significance of auditing student accounts, offering insights and considerations for institutions conducting these audits. Risk specialists share an overview of the student account function and key risks, as well as potential audit objectives, approaches and outcomes.

Episode 3: Gifts and advancement

The third video in the series dives deep into the five stages of the gift management lifecycle. It highlights the importance of due diligence, legal compliance and managing reputational risks. The video covers key risks related to gift management, including the misuse and handling of donor funds, and offers best practices for managing and advancing gift strategies. It also addresses the implications of accepting restricted or controversial gifts and provides insights into IRS requirements for gift receipts and acknowledgment letters.

Episode 4: Data analytics: questions, challenges and the analysis process

In this video, Baker Tilly’s risk advisor outlines the five essential steps for a successful data analytics process, including the types and sources of data to consider, key questions to address and common challenges along with strategies to overcome them. The video emphasizes the importance of working with reliable data, applying leading practices for data quality and following an effective analysis process. It answers three crucial questions: What should institutions ask before starting data analysis? What challenges are common in higher education data analytics? And what types of data should be included in the analysis?

Episode 5: Navigating human resources and payroll compliance

In the human resources (HR) and payroll video, we explore key functional areas for internal audit to review, highlighting universal pitfalls and risks, along with critical aspects of HR compliance. Baker Tilly’s HR and risk advisory specialists provide key questions for consideration to help ensure your institution is prepared to address common obstacles. Additionally, we delve into specific examples, including multistate payroll obligations, employment eligibility verification and recruiting and hiring employees, and share how these may apply to your institution.

Episode 6: Cybersecurity and IT risks

Our cybersecurity focused video outlines information technology (IT) challenges and risks in the higher education environment and how the widely recognized National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) can effectively guide your institution’s audit process, underscoring the critical importance of adhering to established standards and leading practices. We also discuss the Three Lines of Defense model, offering practical audit examples to demonstrate how IT audits can significantly strengthen your college or university’s security posture.

Episode 7: Construction risk management – coming November 2024

The construction risk episode will examine how capital projects on campus can deliver substantial value to any institution, yet present considerable risks. Conducting a construction audit not only promotes transparency but also fosters collaboration between internal audit, senior leadership and project management teams. This collaborative approach strengthens controls, enhances accountability, mitigates risks and improves financial oversight.

Episode 8: Grants and sponsored research – coming December 2024

In this video to wrap up the higher education internal audit series, we will examine the crucial role that internal audits serve to ensure compliance with grant requirements and the effective management of sponsored research funds. We will also cover compliance topics related to Uniform Guidance issues, including cost principles, effort reporting, procurement, cash management, indirect costs and fringe benefit rates.

For more information, or to learn how Baker Tilly can help your higher education institution, contact our team.Subscribe here to Baker Tilly’s higher education mailing list so you don’t miss any new episodes or the latest insights on industry trends and topics.

Game Changers: Navigating Audits during Athletics Transformation

Blue Logo for ACUA with the text Journal Articles

By Rachel Flenner and Will Aurich (ACUA Sidelines Committee)

Just as athletic scoreboards are transforming to become bigger and brighter, auditors need to continue to transform our focus to shine in the right direction. When we think of athletics risks, the first thing that often comes to mind are the high-profile court cases with the National Collegiate Athletics Association (NCAA). However, athletics is not immune to the risks we evaluate elsewhere on campus. The risks in the athletics environment are often heightened due to the high volume and visibility of expenses and unique positioning of the student-athletes. Athletics houses some of your university’s highest payroll and travel expenses, and heightened student-athlete welfare and privacy concerns are now in the limelight. Apply your university and audit knowledge to the following athletics risks to keep the scoreboard flashing wins.

The University of Minnesota marching band and classic scoreboard
Photo credit: University of Minnesota Library

Transformation of Expenses

A 2019 Forbes article reported that 15 of the 69 universities in the “Power Five” conferences spend five times more per student-athlete than regular full-time undergraduates, and these expenses are growing. If your audit office has not reviewed athletics expenses recently, it may be time to do so. The good news is you can easily apply your university audit skills to athletics.

  • Documentation and Purchasing Procedures: All athletics expense documents should be held to your institution’s standards and properly justified. Purchasing should follow the bidding and procurement requirements for other university units.
  • Food: According to the Forbes article, over five years ago 20 institutions were spending well over a million dollars annually to feed their student-athletes. From an audit point of view this raises several risk topics:
    • Food procurement and contracts, such as sourcing, supplier selection, and contract adherence.
    • Purchase methods including cash advance, credit cards, reimbursement, etc.
    • Meal allowances and per diem for appropriate rates, thresholds, and monitoring.
  • Travel: With the frequent travel schedule and widening of conference boundaries, auditors should verify if travel expensing adheres to the institution’s travel policies. Some areas specific to athletics travel include:
    • Allowability of business class or first class for coaches on recruiting trips.
    • Whether travel by a private or university owned jet is allowed.
    • Family member travel attendance expense limitations and potential IRS reporting requirements.
  • Hospitality: Athletics frequently hosts recruits and donors, and these dinners and events can push the boundaries of an institution’s allowances as the pressure in athletics to keep up with the next school is extremely high. Auditors should also examine the reasonableness of the donor-to-staff member ratios.
  • Payroll: Coaching contracts can be very complex, including items such as salary, performance-related bonuses, memberships, vehicles, and other fringe benefits. Today not only are head coaches’ salaries increasing, but those of assistant coaches are too. Internal audit can help ensure an institution’s general counsel is involved with coaches’ contract language, verify bonus payouts meet the contract expectations, and monitor the use of other benefits included in their contracts.

Transformation of Privacy

While privacy regulations are not new to auditors, we must think about the growing prevalence of student-athlete data and the risks of widespread exposure. Additionally, in a competitive recruiting environment, there is a heightened interest by the public, scouts, competitors, and agents to obtain student-athletes’ private data.

  • HIPAA/PHI: Student-athletes are not only being seen by doctors and athletic trainers, but are also receiving assistance from mental health professionals, massage therapists, and chiropractors, while also undergoing recurring drug testing. These services result in a large amount of student-athlete personal health information that must be protected. Auditors should review:
    • Medical data sharing with outside organizations and medical professionals, and whether it follows your institution’s policy or best practice.
    • Training and education of athletics staff on what is acceptable to share via different electronic mediums (Gmail, Outlook, MS Teams, Slack, or other information sharing tools) and acceptable ways to store data once received (systems, drives, etc.).
  • Internet of Things: Paper and clipboards are things of the past. Nowadays student-athletes wear devices that track their daily movement and key health metrics. Coaches are recording practices, and all this information is being carried around on iPads and other devices. From an audit perspective, consider:
    • Whether all electronic devices are secure and up to your university’s standards.
    • Whether athlete recording and monitoring is limited to only scheduled practices, and that the student-athlete is not being recorded without his/her knowledge.
    • Where other student-athlete private information may unexpectedly or unnecessarily appear, such as travel/flight manifests, invoices from providers, social media, etc.

The modern Oregon State University scoreboard
Photo credit: Nick Daschel, The Oregonian/OregonLive

Transformation of Well-Being

Scoreboards went from simply displaying the team score to displaying the jersey number of the player who scored, and now to replays and flashing pictures of the scoring athlete. The focus on the student-athlete has significantly increased and we are seeing a transformation of student-athlete welfare. While some changes are a result of court cases (e.g., Alston v. NCAA and House v. NCAA.), others result from NCAA regulations known as Student-Athlete Core Guarantees, while others simply stem from institutions seeing the need for increased awareness and spending in key areas to promote holistic student-athlete health. Areas that could be audited include:

  • Alston Awards: A university is now allowed to pay a student-athlete above and beyond the full cost of attendance, but it is capped at $5,980 per athlete. However, each institution can choose how to award Alston payments. Auditors could review the award distribution for consistency with their policies and procedures. Note this structure could be impacted by the recent House v. NCAA case.
  • Core Guarantees: While institutions have often provided their student-athletes with access to various career and academic services, the NCAA put in new core guarantees for D1 schools effective August 2024. These new core guarantees include life-skills training and education in various areas such as Name, Image and Likeness (NIL); nutrition; financial literacy; mental health; Diversity, Equity and Inclusion (DEI); sexual violence prevention; and transfer requirements. Your institution may need to secure more resources to develop and conduct this training. Additionally, your institution may engage a third party for these services (e.g., mental health professional), and Internal Audit can review these contracts.
  • Travel: Many institutions are experiencing conference realignment and changing conference boundaries. This can result in increased travel and longer travel times for student-athletes, which pose potential risks to academic performance and mental health.

Transformation of Compliance

For several years it has been considered a best practice to have an independent, external review of a university’s athletics compliance program. These often come in the form of recurring reviews by a contracted firm or the university’s internal audit function. Currently, such reviews are not required but do assist towards demonstrating institutional control and ensuring an effective compliance program. Upcoming updates to Division 1 Bylaw 20, effective August 2025, will require the completion of a compliance review at least once every four years and an attestation to its completion. These reviews must:

  • Involve an authority outside of the athletics department.
  • At a minimum, consider areas integral to serving the needs of student-athletes (to be annually determined by the NCAA Legislative Committee).
  • Have findings shared with the institution’s leadership and athletics director.

Additionally, the House v. NCAA case has started to change key NCAA regulations such as National Letters of Intent (NLI), transfer eligibility, scholarship caps, and roster limits which will change our audit focus.

Transformation of Revenue

The athletics revenue landscape is transforming, too, as conferences realign and new or increased revenue sources are needed to match growing expenses. Dollar signs are flashing everywhere, and everyone wants to be part of the action. Internal audit can add value by helping ensure universities are getting the dollars they are owed.

  • Media Rights Contracts: Revenue from athletics often comes from media rights agreements and conference agreements. Over the past decade we have seen an upheaval in these media rights as streaming services have begun to gain market share and compete with, or outcompete, traditional cable and satellite television. As court cases continue to pend and be resolved, there are emerging contingencies that could alter this revenue mix, including student-athlete revenue sharing agreements.
  • Concession Contracts: Many universities are outsourcing stadium concessions, potentially leading to more contract revenue. Like other third-party contracts around campus, audits can ensure that the concessions sales are providing the correct revenue and adhere to terms and conditions. Additionally, these concessions may be the only or highest volume sources of alcohol sales at your university. Alcohol sales come with increased risk, such as underaged serving. Internal audit can verify alcohol is purchased, stored, inventoried, and served in accordance with university policy.
  • Ticket Sales: Another vital revenue source is ticket sales, which hve primarily moved from hard copy paper tickets into an electronic format. Ticket prices will vary by cost based on their seat, and university employees may get discounted or free tickets. Internal audit can help ensure ticketing policies are followed, especially for complimentary tickets, and reconcile the accurate recording of ticket revenue. Auditors should also verify sufficient planning for e-ticketing outages and system recovery is in place.

While we cannot predict the future of the evolving world of athletics, we can provide assurance over existing controls and help prepare for future risks on the horizon. As the world of athletics continues to transform, and athletic scoreboards grow bigger and brighter, auditors must continue to know the risks in athletics and apply their exceptional institutional and internal control knowledge. No one wants to be flashing on the scoreboard for the wrong reasons.

References:

NCAA Student-Athlete Core Guarantees

2024 NCAA Compliance Report

Knight-Newhouse College Athletics Database Custom Reports

Power Five University Spend – Forbes 2024 article

Article: D1 College Athlete Diets and Spending – Forbes 2019 article

These 20 Colleges Spent $40 Million Just to Feed Student-Athletes – FanBuzz

How 3 Companies Put Health at the Heart of the Workplace – Forbes 2024 article

Auditing Campus Space Utilization

Blue Logo for ACUA with the text Journal Articles

Space utilization audits bring value to your campus by creating baseline statistics and identifying areas for improvement and cost savings opportunities. The number of students and workers on campus has likely changed in recent in recent years. Classroom and office space on campus has been radically disrupted since the start of the pandemic. National enrollment trends took a tumble, with two-year colleges facing the steepest declines. While enrollment is starting to trend upwards since the pandemic relief funds expired, the distribution of students is not consistent. Urban flagship schools are seeing the highest increases, leaving rural campuses struggling. Classroom seats remain empty as schools are offering more online courses.

Office space has also been impacted by the pandemic, as many employees never returned to their offices as their positions became partially or fully remote. Many schools enacted hiring freezes or did not fill vacancies, increasing the number of vacant offices across campus. This article provides guidance on performing impactful space utilization audits of classrooms and offices.

Why Classroom Utilization is Important

Accurate space utilization metrics can help your campus understand how space is currently used and identify where efficiencies can be gained. Utilization studies can help justify new construction funds for expanding campuses or determine the need for leased space. They may also identify opportunities to repurpose unused space and thereby decrease utilities, housekeeping, and maintenance costs. Other factors, such as reconfiguring traditional row seating with collaborative layouts, may also affect the number of seats in classrooms.

Utilization studies can also measure compliance with university policies and procedures. Universities often publish standard meeting patterns such as Monday/Wednesday/Friday classes lasting every 50 minutes and Tuesday/Thursday for 75 minutes with a defined break between classes. Deviations from this schedule result in overlapping classes which may cause students to have trouble scheduling the classes they need to graduate. Excessive classes held during peak hours result in overcrowding, a lack of parking, and long lines for food and student services. Having the incorrect number of seats in the scheduling system may lead to over or under-filled classes, with the potential to exceed the fire code.

Internal Audit departments can provide independent utilization analyses from cross-functional data. Campus space is usually tracked by the facilities department, which maintains the official list of classrooms and office assignments. Classroom space may be assigned by the registrar’s office, the schools/departments, or a combination of both, while office space typically is assigned by the departments.

Classroom Utilization Testing

Analysis from classroom utilization testing can add value to your university leadership by identifying trends that may contribute to overcrowding, underutilization, and noncompliance with goals and standards. There are many factors to consider during audit planning. Your campus or system office may have capacity goals or other criteria to measure against. The scope may be limited to classrooms or expanded to other spaces such as labs and rehearsal spaces. Consider testing undergraduate courses separately, as graduate classes may inherently have lower attendance and irregular class times.

Conduct the following utilization tests by comparing a report from Facilities of all classrooms with their room capacities with a comprehensive class listing from your system of record that shows the actual number of students in each classroom. Test 100% of classrooms using data analytics software or Excel subtotals and pivot tables for complete results.

  • Classroom Seat Utilization – Determine the percentage of seats filled per classroom by calculating the average enrollment of each class and dividing by the number of seats in the classroom. Lower percentages relate to underutilized classrooms.
  • Weekly Hours Used – Calculate the number of hours of class time each classroom is in use on a weekly basis by using the class duration and meeting frequency. The lower the weekly hours, the less utilized.
  • Standard Meeting Pattern – Identify classes that do not follow your university’s standard meeting pattern, such as Monday/Wednesday for 75 minutes, or classes starting at a non-standard start time, as they create overlap with other class times.
  • Prime Time Scheduling – Chart the number of classes held each hour of each day and compare with any university prime time constraints. This will identify if your university has few classes at 8:00am and too many classes at 11:00am.
  • Classroom Capacity Verification –Compare the maximum seats in the facilities report to the class report and identify any seat capacity differences. Visit the classrooms with discrepancies and perform a physical headcount to determine which system needs to be updated.
  • Unassigned Classrooms – Determine if there are any classrooms on the facilities report that are not included on the class list. Determine the root cause, such as the building being under renovation, or the department not updating the system with class counts.

The data gathered from these tests serve as both baseline statistics and support for your recommendations. Separate the results by the registering departments to help isolate the departments that are not meeting expectations.

Office Space Planning

Ever since that fateful day in March 2020 when everyone was sent home to work, many workers never returned to their offices. Employees became increasingly comfortable working from home, and employers became concerned whether their employees would come back to the office or elect to find remote work elsewhere. Many campuses decided to allow certain non-student facing departments to continue to work remotely on a part-time or permanent basis. Additionally, any hiring freezes and attrition during the pandemic may have reduced the workforce.

The resulting excess of empty offices creates an opportunity for internal auditors to analyze office assignments and identify underutilized office space. Potential cost-saving recommendations include repurposing office space for other uses, closing spaces altogether to save on heating and cleaning costs, and eliminating unneeded leased space. It may be practical to move workers to consolidate space or create shared hotel space for hybrid workers.

Office Space Utilization Testing

The first step is to determine the university’s criteria for having reserved office space. For example, your human resources department may have determined fully remote employees should not have dedicated office space and hybrid workers working in person less than 50% of the time should share hotel spaces. Human resources likely maintains a database of employees classified as remote workers and their percentage of offsite work. Facilities usually maintains a database of office space and its occupants. Their occupancy report should indicate whether an office is occupied or vacant and should have the employee ID of the person assigned to each office.

Define the scope of the occupancy testing. For example, consider testing administrative workers separately from faculty as on-campus requirements differ. Perform the following test steps to identify underutilized office space in accordance with your university’s policies and procedures:

  • Validate the Completeness of the Occupancy Report – Ensure the occupancy report has an assignment for every office so it can be determined whether the office is assigned or vacant. Determine whether there are multiple offices assigned to the same employee ID, shared offices, or other anomalies that would hinder specific identification.
  • Review HR Data on Remote Workers – Verify HR has updated and complete records for employee work status classification. Employees may be classified as remote, hybrid, or in-person, or the records may show the percentage of remote work (e.g., working 60% remotely).
  • Identify Remote Workers with Offices – Join the occupancy report with the HR remote worker data by employee ID and determine the number of remote workers with assigned office space, based on your university’s criteria. As an example, quantify the number of fully remote workers with offices and the number of hybrid workers working remotely over 50% of the time who have their own offices. Categorize by department and location.
  • Identify Unoccupied Rental Space – From the prior test, determine which unused offices are located in rented space. Rented space may be identified in the occupancy report or may come from a separate report from Facilities.

Results will be limited if the occupancy report and/or the remote worker data is incomplete. For the most accurate results, consider postponing the testing until management updates the reports or make a recommendation to update the data and perform a follow-up engagement.

Conclusion

The recent fluctuations in student and worker populations are driving the need for current space utilization reviews. Internal Audit can bring value to your university by independently analyzing classroom and office space usage from cross-functional sources and evaluating the results against university policies and procedures. These tests can be reperformed in the future to compare results and validate whether management’s action plans are resulting in improvements working.