Professional Skepticism

By Priya Sall

Professional skepticism is challenging to develop and apply as an internal auditor. We naturally desire to trust people, especially those we know. Professional skepticism is an audit skill developed over time and constantly refined. Successful auditors are able to strike a balance between trust and skepticism, as being too trusting can lead to inadequate oversight, and being overly skeptical can lead to unnecessary procedures.

Professional skepticism is an attitude that includes a questioning mind and a critical assessment of information. Applying the right level of skepticism can be challenging. Eager auditors might be too skeptical, resulting in extra or unnecessary audit procedures and increased audit costs. Auditors with a low level of skepticism may ignore red flags that justify spending further time and attention. When an auditee has an inadequate control structure, concerning tone at the top, or other red flags, auditors should gauge their skepticism and respond accordingly. Roadblocks or challenges can also tempt auditors to settle for less, as difficulties in obtaining a higher degree of evidence might lead auditors to rationalize that what they have is good enough.

Applying professional skepticism has inherent limitations, such as the impact on audit efficiency. The more skeptical the auditor, the more time the auditor typically takes to complete an audit. When an auditor is overly concerned with completing the audit within a fixed budget or timeline, professional skepticism and audit quality may be negatively impacted. It is important that budgets and deadlines do not unduly hinder the exercise of skepticism, and supervisors should help auditors develop skepticism skills.

The following methods can be used to enhance auditors’ skepticism skills.

  • Develop a questioning mindset – This is an attitude of curiosity and interest, as those who desire to satisfy curiosity naturally tend to exercise higher levels of professional skepticism. A questioning mindset requires professionals to continually ask questions and seek further clarification until they know they have the necessary information.
  • Suspend judgment – Wait until you are sure before reaching a conclusion. Just as you would not go in with the expectation that everything is wrong, do not assume everything is necessarily correct.
  • Assess evidence gathered and reach an independent judgment based on that evidence – Do not get caught up in groupthink. This means maintaining awareness and attempting to overcome judgment traps.
  • Hone self-confidence – Self-confidence describes the ability of a professional to act upon the information obtained. Sometimes, it is easier to follow the tide even when you know something does not feel right in your gut. If it does not feel right, it probably is not, and you need to keep digging until you are satisfied.
  • Use case studies and simulations – Practice applying professional skepticism using past scenarios and simulated audit engagements.
  • Encourage group discussions and brainstorming sessions – Allowing auditors to discuss and challenge each other’s assumptions and judgments fosters a skeptical mindset.
  • Engage in critical thinking exercises – Provide auditors with exercises that require them to analyze and evaluate information critically, and to consider alternative explanations and potential biases.
  • Train on cognitive biases – This involves raising awareness of common cognitive biases influencing judgment and decision-making, plus providing strategies to mitigate their impact.
  • Engage in continuous professional development – Continuous training keeps auditors updated on emerging issues and supports a balanced level of professional skepticism.

Professional skepticism can be learned just as it can be taught. Auditor working practices and supervisor mentorship must support and encourage skepticism. Learning the right questions to ask, verifying the answers, and knowing when to move on requires balance. Achieving a balanced level of professional skepticism at the onset of every audit supports the audit’s value.

Improving Communication by Reducing Ambiguity in Policies

By John McDaniel

Internal controls are not just a good practice; they are an absolute necessity for any organization, particularly in the complex realm of higher education. Effective communication and a comprehensive understanding of policies and procedures are key to maintaining these controls. However, when communication is unclear or ambiguous, it can lead to protocol violations and serious risks, threatening the integrity of research, financial compliance, and the institution’s reputation. This article delves into the concept of equivocality, its impact, and strategies to reduce it—all aimed at fortifying the internal control framework in higher education institutions.

Exploring Ambiguity

Equivocality arises when a message or instruction can be understood in more than one way. Policies with conflicting language and ambiguous expectations can confuse the reader and result in inconsistent application. The lack of consistency in policy interpretations and the failure to provide timely updates further complicate matters. When faced with cultural discrepancies, individuals may need clarification about the appropriate course of action, especially when there is a clash between written policies and institutional culture.

Consider the institution’s travel policy, for example. If there is ambiguity about whether alcohol expenses are reimbursable, some employees may assume that alcohol is permitted during client dinners, while others may interpret the policy more restrictively and exclude alcohol altogether. This inconsistency in interpretation could lead to non-compliant expense submissions, with some employees inadvertently violating policy guidelines.

Similarly, confusion can arise when employees are unsure about claiming travel reimbursements. Employees may make incorrect assumptions, such as not deducting commuting miles when driving a personal vehicle in the opposite direction of the jobsite or rationalizing it is permissible to upgrade a flight to business class since it is for a business trip. They may not realize when prior approvals are required, such as when staying at an expensive hotel, or that there may be caps on certain expenses like dinners. Without clear, specific guidelines, employees may not consistently adhere to the travel policy, resulting in improper charges to the institution.

The Hazards of Ambiguity

The ripple effects of uncertainty are far-reaching. It can pave the way for unintended or deliberate deviations, escalating the risk of fraud and ethical breaches. Clear policies are not just about compliance; they are about optimizing resource utilization, which directly influences research outcomes and financial stability. Non-compliance with research and regulatory requirements can tarnish an institution’s reputation and alienate sponsors.

Moreover, uncertainty breeds frustration, casting a shadow on staff morale. For example, institutions with unclear per diem policies may lead to employees believing they can claim full per diem rates even though meals were provided at a conference, or their travel began late in the day. Employees may exceed their daily spending allowance when the per diem rates are not known, and mistakenly assume the university will reimburse them at full cost. This lack of clarity can result in disputes over reimbursements, creating administrative inefficiencies and reducing staff morale when employees feel they have been treated unjustly. A clear and regularly updated per diem policy, with specific guidelines on how to apply the daily rates, can help avoid such conflicts and reduce confusion.

Exploring the Impact of Equivocality on Control Breakdowns

Ambiguity can lead to control breaches in universities. For instance, when procurement procedures are unclear, faculty or staff might make unauthorized purchases or exceed spending limits, resulting in financial losses or non-compliance with external regulations. Similarly, unclear travel expenditure policies, such as the alcohol reimbursement example, can create ethical dilemmas and damage the reputation of individuals and the organization as a whole, especially if alcohol is inadvertently served to minors.

Uncertain data management practices in research can compromise integrity and attract regulatory scrutiny. For example, research universities need to be especially clear on policies for safeguarding study subject data. Inconsistent data governance practices are often due to unclear data storage, sharing, and ownership policies. Vague guidelines regarding conflicts of interest can undermine the objectivity of studies when there is confusion about reporting potential conflicts.

Compliance violations can also arise from a lack of clarity on export control restrictions, resulting in unintentional infractions, financial penalties, and impeding international research collaboration. Unclear guidelines on student data privacy standards can result in failure to comply with regulations, financial penalties, and damage to the university’s reputation. These examples highlight the importance of actively addressing uncertainty to mitigate risks and safeguard the organization’s financial resources, research, and adherence to regulations.

Internal Audit’s Role in Reducing Equivocality

Internal auditors can use their role as valuable strategic advisors by delving deeper into non-compliance observations. Recognizing situations where faculty and staff violated institutional policies and procedures is reactive and offers limited benefit. Instead, their value lies in uncovering the underlying reasons behind these mistakes. Discovering undisclosed process weaknesses reveals possibilities for enhancing and maximizing operational efficiency.

Through thorough investigation, internal auditors can uncover systemic issues such as unclear communication, inadequate training, or flawed policies by delving into the reasons behind non-compliance. Auditors can uncover inefficiencies or vulnerabilities within current processes, which can lead to improvements beyond immediate compliance concerns. With a deeper understanding, they can provide valuable recommendations that tackle the underlying issues of non-compliance, leading to specific and effective improvements.

Internal auditors should proactively evaluate policies, especially in high-risk areas like travel, procurement, and data governance, to enhance the risk management framework by anticipating and mitigating potential issues. Consider a dual approach where Internal Audit reviews policies during specific engagements and dedicated departmental compliance committees perform periodic reviews of high-risk areas.

Conclusion

It is essential to actively reduce ambiguity in policies and procedures to strengthen internal controls, ensure policy compliance, and uphold institutional integrity. This requires a collaborative effort that necessitates dedication from management, Internal Audit, and all employees to cultivate a culture of transparent communication and ethical conduct. By working together, academic institutions can strengthen their internal control environment to protect their mission and resources.

Going back to basics: Higher education internal audit challenges, risks and strategies

A video series brought to you by Baker Tilly

Higher education institutions face myriad risks where an internal audit or advisory review would be beneficial (or necessary) to assess risk levels and drive action to mitigate risks on campus. Baker Tilly’s higher education risk advisory specialists have created a series of short internal audit videos focused on eight “back to basics” topics. This video series, which will continue through calendar year 2024, presents key challenges crucial to the higher education industry along with actionable strategies to assess and manage risk. The topics were selected based on recent audits and client inquiries and include: procurement, student accounts and financial aid, gifts and advancement, data analytics, human resources (HR) and payroll, cybersecurity and information technology (IT), construction risk management, and grants and sponsored research.

Episode 1: Procurement risks and controls

Before diving into specific topics, this video offers a comprehensive internal controls overview, walking through the five key components of internal controls and how risk is defined and measured in relation to achieving an institution’s mission and strategic objectives. It then identifies the top procurement risks in higher education and emphasizes the importance of establishing a strong control structure in this space. The discussion examines the risks posed by the decentralized nature of procurement in higher education, along with strategies to mitigate these risks. Additionally, the video explores challenges in contract management, the role of procurement cards (P-cards) and their associated risks and the application of segregation of duties to prevent fraud and misuse in procurement processes.

Episode 2: Student accounts and financial aid

This video discusses the critical role of student accounts in higher education institutions and the complexities of managing the associated functions and offices. It emphasizes the significance of auditing student accounts, offering insights and considerations for institutions conducting these audits. Risk specialists share an overview of the student account function and key risks, as well as potential audit objectives, approaches and outcomes.

Episode 3: Gifts and advancement

The third video in the series dives deep into the five stages of the gift management lifecycle. It highlights the importance of due diligence, legal compliance and managing reputational risks. The video covers key risks related to gift management, including the misuse and handling of donor funds, and offers best practices for managing and advancing gift strategies. It also addresses the implications of accepting restricted or controversial gifts and provides insights into IRS requirements for gift receipts and acknowledgment letters.

Episode 4: Data analytics: questions, challenges and the analysis process

In this video, Baker Tilly’s risk advisor outlines the five essential steps for a successful data analytics process, including the types and sources of data to consider, key questions to address and common challenges along with strategies to overcome them. The video emphasizes the importance of working with reliable data, applying leading practices for data quality and following an effective analysis process. It answers three crucial questions: What should institutions ask before starting data analysis? What challenges are common in higher education data analytics? And what types of data should be included in the analysis?

Episode 5: Navigating human resources and payroll compliance

In the human resources (HR) and payroll video, we explore key functional areas for internal audit to review, highlighting universal pitfalls and risks, along with critical aspects of HR compliance. Baker Tilly’s HR and risk advisory specialists provide key questions for consideration to help ensure your institution is prepared to address common obstacles. Additionally, we delve into specific examples, including multistate payroll obligations, employment eligibility verification and recruiting and hiring employees, and share how these may apply to your institution.

Episode 6: Cybersecurity and IT risks

Our cybersecurity focused video outlines information technology (IT) challenges and risks in the higher education environment and how the widely recognized National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) can effectively guide your institution’s audit process, underscoring the critical importance of adhering to established standards and leading practices. We also discuss the Three Lines of Defense model, offering practical audit examples to demonstrate how IT audits can significantly strengthen your college or university’s security posture.

Episode 7: Construction risk management – coming November 2024

The construction risk episode will examine how capital projects on campus can deliver substantial value to any institution, yet present considerable risks. Conducting a construction audit not only promotes transparency but also fosters collaboration between internal audit, senior leadership and project management teams. This collaborative approach strengthens controls, enhances accountability, mitigates risks and improves financial oversight.

Episode 8: Grants and sponsored research – coming December 2024

In this video to wrap up the higher education internal audit series, we will examine the crucial role that internal audits serve to ensure compliance with grant requirements and the effective management of sponsored research funds. We will also cover compliance topics related to Uniform Guidance issues, including cost principles, effort reporting, procurement, cash management, indirect costs and fringe benefit rates.

For more information, or to learn how Baker Tilly can help your higher education institution, contact our team. Subscribe here to Baker Tilly’s higher education mailing list so you don’t miss any new episodes or the latest insights on industry trends and topics.

Game Changers: Navigating Audits during Athletics Transformation

By Rachel Flenner and Will Aurich (ACUA Sidelines Committee)

Just as athletic scoreboards are transforming to become bigger and brighter, auditors need to continue to transform our focus to shine in the right direction. When we think of athletics risks, the first thing that often comes to mind are the high-profile court cases with the National Collegiate Athletics Association (NCAA). However, athletics is not immune to the risks we evaluate elsewhere on campus. The risks in the athletics environment are often heightened due to the high volume and visibility of expenses and unique positioning of the student-athletes. Athletics houses some of your university’s highest payroll and travel expenses, and heightened student-athlete welfare and privacy concerns are now in the limelight. Apply your university and audit knowledge to the following athletics risks to keep the scoreboard flashing wins.

The University of Minnesota marching band and classic scoreboard
Photo credit: University of Minnesota Library

Transformation of Expenses

A 2019 Forbes article reported that 15 of the 69 universities in the “Power Five” conferences spend five times more per student-athlete than regular full-time undergraduates, and these expenses are growing. If your audit office has not reviewed athletics expenses recently, it may be time to do so. The good news is you can easily apply your university audit skills to athletics.

  • Documentation and Purchasing Procedures: All athletics expense documents should be held to your institution’s standards and properly justified. Purchasing should follow the bidding and procurement requirements for other university units.
  • Food: According to the Forbes article, over five years ago 20 institutions were spending well over a million dollars annually to feed their student-athletes. From an audit point of view this raises several risk topics:
    • Food procurement and contracts, such as sourcing, supplier selection, and contract adherence.
    • Purchase methods including cash advance, credit cards, reimbursement, etc.
    • Meal allowances and per diem for appropriate rates, thresholds, and monitoring.
  • Travel: With the frequent travel schedule and widening of conference boundaries, auditors should verify if travel expensing adheres to the institution’s travel policies. Some areas specific to athletics travel include:
    • Allowability of business class or first class for coaches on recruiting trips.
    • Whether travel by a private or university owned jet is allowed.
    • Family member travel attendance expense limitations and potential IRS reporting requirements.
  • Hospitality: Athletics frequently hosts recruits and donors, and these dinners and events can push the boundaries of an institution’s allowances as the pressure in athletics to keep up with the next school is extremely high. Auditors should also examine the reasonableness of the donor-to-staff member ratios.
  • Payroll: Coaching contracts can be very complex, including items such as salary, performance-related bonuses, memberships, vehicles, and other fringe benefits. Today not only are head coaches’ salaries increasing, but those of assistant coaches are too. Internal audit can help ensure an institution’s general counsel is involved with coaches’ contract language, verify bonus payouts meet the contract expectations, and monitor the use of other benefits included in their contracts.

Transformation of Privacy

While privacy regulations are not new to auditors, we must think about the growing prevalence of student-athlete data and the risks of widespread exposure. Additionally, in a competitive recruiting environment, there is a heightened interest by the public, scouts, competitors, and agents to obtain student-athletes’ private data.

  • HIPAA/PHI: Student-athletes are not only being seen by doctors and athletic trainers, but are also receiving assistance from mental health professionals, massage therapists, and chiropractors, while also undergoing recurring drug testing. These services result in a large amount of student-athlete personal health information that must be protected. Auditors should review:
    • Medical data sharing with outside organizations and medical professionals, and whether it follows your institution’s policy or best practice.
    • Training and education of athletics staff on what is acceptable to share via different electronic mediums (Gmail, Outlook, MS Teams, Slack, or other information sharing tools) and acceptable ways to store data once received (systems, drives, etc.).
  • Internet of Things: Paper and clipboards are things of the past. Nowadays student-athletes wear devices that track their daily movement and key health metrics. Coaches are recording practices, and all this information is being carried around on iPads and other devices. From an audit perspective, consider:
    • Whether all electronic devices are secure and up to your university’s standards.
    • Whether athlete recording and monitoring is limited to only scheduled practices, and that the student-athlete is not being recorded without his/her knowledge.
    • Where other student-athlete private information may unexpectedly or unnecessarily appear, such as travel/flight manifests, invoices from providers, social media, etc.

The modern Oregon State University scoreboard
Photo credit: Nick Daschel, The Oregonian/OregonLive

Transformation of Well-Being

Scoreboards went from simply displaying the team score to displaying the jersey number of the player who scored, and now to replays and flashing pictures of the scoring athlete. The focus on the student-athlete has significantly increased and we are seeing a transformation of student-athlete welfare. While some changes are a result of court cases (e.g., Alston v. NCAA and House v. NCAA), others result from NCAA regulations known as Student-Athlete Core Guarantees, while others simply stem from institutions seeing the need for increased awareness and spending in key areas to promote holistic student-athlete health. Areas that could be audited include:

  • Alston Awards: A university is now allowed to pay a student-athlete above and beyond the full cost of attendance, but it is capped at $5,980 per athlete. However, each institution can choose how to award Alston payments. Auditors could review the award distribution for consistency with their policies and procedures. Note this structure could be impacted by the recent House v. NCAA case.
  • Core Guarantees: While institutions have often provided their student-athletes with access to various career and academic services, the NCAA put in new core guarantees for D1 schools effective August 2024. These new core guarantees include life-skills training and education in various areas such as Name, Image and Likeness (NIL); nutrition; financial literacy; mental health; Diversity, Equity and Inclusion (DEI); sexual violence prevention; and transfer requirements. Your institution may need to secure more resources to develop and conduct this training. Additionally, your institution may engage a third party for these services (e.g., mental health professional), and Internal Audit can review these contracts.
  • Travel: Many institutions are experiencing conference realignment and changing conference boundaries. This can result in increased travel and longer travel times for student-athletes, which pose potential risks to academic performance and mental health.

Transformation of Compliance

For several years it has been considered a best practice to have an independent, external review of a university’s athletics compliance program. These often come in the form of recurring reviews by a contracted firm or the university’s internal audit function. Currently, such reviews are not required but do assist in demonstrating institutional control and ensuring an effective compliance program. Upcoming updates to Division 1 Bylaw 20, effective August 2025, will require the completion of a compliance review at least once every four years and an attestation to its completion. These reviews must:

  • Involve an authority outside of the athletics department.
  • At a minimum, consider areas integral to serving the needs of student-athletes (to be annually determined by the NCAA Legislative Committee).
  • Have findings shared with the institution’s leadership and athletics director.

Additionally, the House v. NCAA case has started to change key NCAA regulations such as National Letters of Intent (NLI), transfer eligibility, scholarship caps, and roster limits, which will change our audit focus.

Transformation of Revenue

The athletics revenue landscape is transforming, too, as conferences realign and new or increased revenue sources are needed to match growing expenses. Dollar signs are flashing everywhere, and everyone wants to be part of the action. Internal audit can add value by helping ensure universities are getting the dollars they are owed.

  • Media Rights Contracts: Revenue from athletics often comes from media rights agreements and conference agreements. Over the past decade we have seen an upheaval in these media rights as streaming services have begun to gain market share and compete with, or outcompete, traditional cable and satellite television. As court cases continue to pend and be resolved, there are emerging contingencies that could alter this revenue mix, including student-athlete revenue sharing agreements.
  • Concession Contracts: Many universities are outsourcing stadium concessions, potentially leading to more contract revenue. Like other third-party contracts around campus, audits can ensure that the concessions sales are providing the correct revenue and adhere to terms and conditions. Additionally, these concessions may be the only or highest volume sources of alcohol sales at your university. Alcohol sales come with increased risk, such as underaged serving. Internal audit can verify alcohol is purchased, stored, inventoried, and served in accordance with university policy.
  • Ticket Sales: Another vital revenue source is ticket sales, which have primarily moved from hard copy paper tickets into an electronic format. Ticket prices vary by seat location, and university employees may get discounted or free tickets. Internal audit can help ensure ticketing policies are followed, especially for complimentary tickets, and reconcile the accurate recording of ticket revenue. Auditors should also verify sufficient planning for e-ticketing outages and system recovery is in place.

While we cannot predict the future of the evolving world of athletics, we can provide assurance over existing controls and help prepare for future risks on the horizon. As the world of athletics continues to transform, and athletic scoreboards grow bigger and brighter, auditors must continue to know the risks in athletics and apply their exceptional institutional and internal control knowledge. No one wants to be flashing on the scoreboard for the wrong reasons.

References:

NCAA Student-Athlete Core Guarantees

2024 NCAA Compliance Report

Knight-Newhouse College Athletics Database Custom Reports

Power Five University Spend – Forbes 2024 article

D1 College Athlete Diets and Spending – Forbes 2019 article

These 20 Colleges Spent $40 Million Just to Feed Student-Athletes – FanBuzz

How 3 Companies Put Health at the Heart of the Workplace – Forbes 2024 article

Auditing Campus Space Utilization

Space utilization audits bring value to your campus by creating baseline statistics and identifying areas for improvement and cost savings opportunities. The number of students and workers on campus has likely changed in recent years. Classroom and office space on campus has been radically disrupted since the start of the pandemic. National enrollment trends took a tumble, with two-year colleges facing the steepest declines. While enrollment is starting to trend upwards since the pandemic relief funds expired, the distribution of students is not consistent. Urban flagship schools are seeing the highest increases, leaving rural campuses struggling. Classroom seats remain empty as schools are offering more online courses.

Office space has also been impacted by the pandemic, as many employees never returned to their offices as their positions became partially or fully remote. Many schools enacted hiring freezes or did not fill vacancies, increasing the number of vacant offices across campus. This article provides guidance on performing impactful space utilization audits of classrooms and offices.

Why Classroom Utilization is Important

Accurate space utilization metrics can help your campus understand how space is currently used and identify where efficiencies can be gained. Utilization studies can help justify new construction funds for expanding campuses or determine the need for leased space. They may also identify opportunities to repurpose unused space and thereby decrease utilities, housekeeping, and maintenance costs. Other factors, such as reconfiguring traditional row seating with collaborative layouts, may also affect the number of seats in classrooms.

Utilization studies can also measure compliance with university policies and procedures. Universities often publish standard meeting patterns, such as Monday/Wednesday/Friday classes meeting for 50 minutes and Tuesday/Thursday classes meeting for 75 minutes, with a defined break between classes. Deviations from this schedule result in overlapping classes, which may cause students to have trouble scheduling the classes they need to graduate. Excessive classes held during peak hours result in overcrowding, a lack of parking, and long lines for food and student services. Having the incorrect number of seats in the scheduling system may lead to over- or under-filled classes, with the potential to exceed the fire code.

Internal Audit departments can provide independent utilization analyses from cross-functional data. Campus space is usually tracked by the facilities department, which maintains the official list of classrooms and office assignments. Classroom space may be assigned by the registrar’s office, the schools/departments, or a combination of both, while office space typically is assigned by the departments.

Classroom Utilization Testing

Analysis from classroom utilization testing can add value to your university leadership by identifying trends that may contribute to overcrowding, underutilization, and noncompliance with goals and standards. There are many factors to consider during audit planning. Your campus or system office may have capacity goals or other criteria to measure against. The scope may be limited to classrooms or expanded to other spaces such as labs and rehearsal spaces. Consider testing undergraduate courses separately, as graduate classes may inherently have lower attendance and irregular class times.

Conduct the following utilization tests by comparing a Facilities report listing all classrooms and their room capacities against a comprehensive class listing from your system of record that shows the actual number of students in each class. Test 100% of classrooms using data analytics software or Excel subtotals and pivot tables for complete results.

  • Classroom Seat Utilization – Determine the percentage of seats filled per classroom by calculating the average enrollment of the classes held in each classroom and dividing by the number of seats in the classroom. Lower percentages indicate underutilized classrooms.
  • Weekly Hours Used – Calculate the number of hours of class time each classroom is in use on a weekly basis from the class duration and meeting frequency. The lower the weekly hours, the less the classroom is utilized.
  • Standard Meeting Pattern – Identify classes that do not follow your university’s standard meeting pattern, such as Monday/Wednesday for 75 minutes, or classes starting at a non-standard start time, as they create overlap with other class times.
  • Prime Time Scheduling – Chart the number of classes held each hour of each day and compare with any university prime time constraints. This will identify whether your university has few classes at 8:00am and too many classes at 11:00am.
  • Classroom Capacity Verification – Compare the maximum seats in the Facilities report to the class report and identify any seat capacity differences. Visit the classrooms with discrepancies and perform a physical headcount to determine which system needs to be updated.
  • Unassigned Classrooms – Determine whether there are any classrooms on the Facilities report that are not included on the class list. Determine the root cause, such as the building being under renovation or the department not updating the system with class counts.

The data gathered from these tests serve as both baseline statistics and support for your recommendations. Separate the results by the registering departments to help isolate the departments that are not meeting expectations.
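As an added example that is not part of the article, the six tests above (plus the by-department split) implemented in Python over two small constructed reports, a Facilities classroom list and a class listing from the system of record. Room names, departments, the standard meeting patterns and the allowed start times are all constructed assumptions standing in for your institution's own data and published policy; the code uses only the standard library so it runs without a data analytics package.

```python
"""Classroom utilization tests over two constructed reports (standard library only).

Added example; the data, room names and meeting-pattern policy are constructed.
"""
from collections import Counter, defaultdict
from statistics import mean

# Constructed Facilities report: the official classroom list with seat capacity.
FACILITIES = [
    {"room": "SCI-101", "capacity": 40},
    {"room": "SCI-102", "capacity": 30},
    {"room": "ART-201", "capacity": 25},
    {"room": "ENG-305", "capacity": 60},  # listed by Facilities, no classes scheduled
]

# Constructed class listing from the system of record. 'seats' is the capacity
# the scheduling system believes the room has; 'days' uses M T W R F.
CLASSES = [
    {"course": "BIO101", "dept": "Biology",   "room": "SCI-101", "enrolled": 38, "seats": 40, "days": "MWF", "start": "11:00", "minutes": 50},
    {"course": "BIO210", "dept": "Biology",   "room": "SCI-101", "enrolled": 22, "seats": 40, "days": "TR",  "start": "11:00", "minutes": 75},
    {"course": "CHM110", "dept": "Chemistry", "room": "SCI-102", "enrolled": 9,  "seats": 35, "days": "MWF", "start": "08:00", "minutes": 50},
    {"course": "ART150", "dept": "Art",       "room": "ART-201", "enrolled": 20, "seats": 25, "days": "MW",  "start": "11:15", "minutes": 75},
]

# Constructed stand-in for the university's published meeting-pattern policy.
STANDARD_PATTERNS = {"MWF": 50, "TR": 75}  # meeting days -> class length in minutes
STANDARD_STARTS = {"08:00", "09:00", "10:00", "11:00", "12:00", "13:00", "14:00", "15:00"}

def official_capacity():
    """Room -> capacity from the Facilities report (the system of record for rooms)."""
    return {r["room"]: r["capacity"] for r in FACILITIES}

def seat_utilization():
    """Average enrollment of the classes in each room divided by the official capacity."""
    cap = official_capacity()
    by_room = defaultdict(list)
    for c in CLASSES:
        by_room[c["room"]].append(c["enrolled"])
    return {room: round(mean(enr) / cap[room], 3) for room, enr in by_room.items()}

def weekly_hours():
    """Hours per week each room is in use: class length x meeting days, summed over classes."""
    hours = Counter()
    for c in CLASSES:
        hours[c["room"]] += c["minutes"] * len(c["days"]) / 60
    return dict(hours)

def nonstandard_meetings():
    """Courses whose days/length pair or start time is not a published standard pattern."""
    return [c["course"] for c in CLASSES
            if STANDARD_PATTERNS.get(c["days"]) != c["minutes"] or c["start"] not in STANDARD_STARTS]

def prime_time_chart():
    """Number of class meetings starting in each (day, hour) slot, for the prime-time comparison."""
    chart = Counter()
    for c in CLASSES:
        hour = int(c["start"].split(":")[0])
        for day in c["days"]:
            chart[(day, hour)] += 1
    return dict(chart)

def capacity_discrepancies():
    """Rooms where the scheduling system's seat count differs from Facilities: (official, scheduling)."""
    cap = official_capacity()
    return {c["room"]: (cap[c["room"]], c["seats"]) for c in CLASSES if c["seats"] != cap[c["room"]]}

def unassigned_classrooms():
    """Classrooms on the Facilities report with no class scheduled in them."""
    used = {c["room"] for c in CLASSES}
    return sorted(r["room"] for r in FACILITIES if r["room"] not in used)

def underfilled_by_department(threshold=0.5):
    """Courses filling less than `threshold` of the official capacity, grouped by registering department."""
    cap = official_capacity()
    result = defaultdict(list)
    for c in CLASSES:
        if c["enrolled"] / cap[c["room"]] < threshold:
            result[c["dept"]].append(c["course"])
    return dict(result)

if __name__ == "__main__":
    for name, fn in [("seat utilization", seat_utilization), ("weekly hours", weekly_hours),
                     ("non-standard meetings", nonstandard_meetings), ("prime time", prime_time_chart),
                     ("capacity discrepancies", capacity_discrepancies),
                     ("unassigned classrooms", unassigned_classrooms),
                     ("underfilled by department", underfilled_by_department)]:
        print(f"{name}: {fn()}")
```

Each function corresponds to one test in the list above and returns a plain dictionary or list, so the same results can be exported to a workbook or compared against the baseline on a later engagement. Seat utilization and the underfilled test both divide by the Facilities capacity rather than the scheduling system's seat count, because the capacity verification test is what decides which of the two is correct.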

Office Space Planning

Ever since that fateful day in March 2020 when everyone was sent home to work, many workers never returned to their offices. Employees became increasingly comfortable working from home, and employers became concerned whether their employees would come back to the office or elect to find remote work elsewhere. Many campuses decided to allow certain non-student facing departments to continue to work remotely on a part-time or permanent basis. Additionally, any hiring freezes and attrition during the pandemic may have reduced the workforce.

The resulting excess of empty offices creates an opportunity for internal auditors to analyze office assignments and identify underutilized office space. Potential cost-saving recommendations include repurposing office space for other uses, closing spaces altogether to save on heating and cleaning costs, and eliminating unneeded leased space. It may be practical to move workers to consolidate space or create shared hotel space for hybrid workers.

Office Space Utilization Testing

The first step is to determine the university’s criteria for having reserved office space. For example, your human resources department may have determined fully remote employees should not have dedicated office space and hybrid workers working in person less than 50% of the time should share hotel spaces. Human resources likely maintains a database of employees classified as remote workers and their percentage of offsite work. Facilities usually maintains a database of office space and its occupants. Their occupancy report should indicate whether an office is occupied or vacant and should have the employee ID of the person assigned to each office.

Define the scope of the occupancy testing. For example, consider testing administrative workers separately from faculty as on-campus requirements differ. Perform the following test steps to identify underutilized office space in accordance with your university’s policies and procedures:

  • Validate the Completeness of the Occupancy Report – Ensure the occupancy report has an assignment for every office so it can be determined whether the office is assigned or vacant. Determine whether there are multiple offices assigned to the same employee ID, shared offices, or other anomalies that would hinder specific identification.
  • Review HR Data on Remote Workers – Verify HR has updated and complete records for employee work status classification. Employees may be classified as remote, hybrid, or in-person, or the records may show the percentage of remote work (e.g., working 60% remotely).
  • Identify Remote Workers with Offices – Join the occupancy report with the HR remote worker data by employee ID and determine the number of remote workers with assigned office space, based on your university’s criteria. As an example, quantify the number of fully remote workers with offices and the number of hybrid workers working remotely over 50% of the time who have their own offices. Categorize by department and location.
  • Identify Unoccupied Rental Space – From the prior test, determine which unused offices are located in rented space. Rented space may be identified in the occupancy report or may come from a separate report from Facilities.

Results will be limited if the occupancy report and/or the remote worker data is incomplete. For the most accurate results, consider postponing the testing until management updates the reports or make a recommendation to update the data and perform a follow-up engagement.
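As an added example that is not part of the article, the four office-space test steps above implemented in Python over a constructed Facilities occupancy report and constructed HR remote-work records. The employee IDs, office and building names, the 50% hybrid threshold and the way a missing assignment is represented (an office record with no `employee_id` field) are all assumptions; the block also shows how the data-quality problems the paragraph above warns about are surfaced rather than silently dropped. Standard library only.

```python
"""Office space utilization tests: join a Facilities occupancy report to HR remote-work data.

Added example; all records, IDs and the hybrid threshold are constructed.
"""
from collections import defaultdict

# Constructed Facilities occupancy report. 'employee_id' is None for a vacant office;
# a record with no 'employee_id' key at all is an incomplete report entry.
# 'leased' is assumed to come from Facilities (it may be a separate report in practice).
OCCUPANCY = [
    {"office": "ADM-101", "building": "Admin",        "leased": False, "employee_id": "E100"},
    {"office": "ADM-102", "building": "Admin",        "leased": False, "employee_id": "E101"},
    {"office": "ADM-103", "building": "Admin",        "leased": False, "employee_id": None},
    {"office": "ADM-104", "building": "Admin",        "leased": False, "employee_id": "E103"},  # no HR record
    {"office": "LSE-201", "building": "Leased Annex", "leased": True,  "employee_id": "E102"},
    {"office": "LSE-202", "building": "Leased Annex", "leased": True,  "employee_id": "E102"},  # same person twice
    {"office": "LSE-203", "building": "Leased Annex", "leased": True},                           # assignment missing
]

# Constructed HR records: department and percentage of time worked off site.
HR = {
    "E100": {"dept": "Finance", "remote_pct": 0},
    "E101": {"dept": "Finance", "remote_pct": 100},
    "E102": {"dept": "IT",      "remote_pct": 60},
}

def completeness_issues():
    """Step 1: offices with no assignment recorded, and employee IDs holding more than one office."""
    missing = [o["office"] for o in OCCUPANCY if "employee_id" not in o]
    held = defaultdict(list)
    for o in OCCUPANCY:
        if o.get("employee_id"):
            held[o["employee_id"]].append(o["office"])
    duplicates = {emp: offices for emp, offices in held.items() if len(offices) > 1}
    return {"missing_assignment": missing, "duplicate_assignments": duplicates}

def hr_gaps():
    """Step 2: assigned employee IDs with no HR work-status record; these cannot be classified."""
    return sorted({o["employee_id"] for o in OCCUPANCY
                   if o.get("employee_id") and o["employee_id"] not in HR})

def classify(remote_pct, hybrid_threshold):
    """Map an HR remote percentage to the university's (constructed) office-entitlement categories."""
    if remote_pct == 100:
        return "fully_remote"
    if remote_pct > hybrid_threshold:
        return "hybrid_over_threshold"
    return None  # in-person or hybrid within policy: entitled to a dedicated office

def remote_workers_with_offices(hybrid_threshold=50):
    """Step 3: join occupancy to HR by employee ID; group flagged offices by (department, building)."""
    grouped = defaultdict(list)
    for o in OCCUPANCY:
        emp = o.get("employee_id")
        if not emp or emp not in HR:
            continue  # vacant, unrecorded, or unclassifiable; reported by the tests above
        category = classify(HR[emp]["remote_pct"], hybrid_threshold)
        if category:
            grouped[(HR[emp]["dept"], o["building"])].append((o["office"], emp, category))
    return dict(grouped)

def unused_offices_in_leased_space(hybrid_threshold=50):
    """Step 4: vacant offices plus offices of flagged remote workers, restricted to leased space."""
    flagged = {office for items in remote_workers_with_offices(hybrid_threshold).values()
               for office, _, _ in items}
    return sorted(o["office"] for o in OCCUPANCY
                  if o["leased"] and "employee_id" in o
                  and (o["employee_id"] is None or o["office"] in flagged))

if __name__ == "__main__":
    print("completeness:", completeness_issues())
    print("HR gaps:", hr_gaps())
    print("remote workers with offices:", remote_workers_with_offices())
    print("unused leased offices:", unused_offices_in_leased_space())
```

An office whose assignment is missing from the report (LSE-203 here) is deliberately excluded from the leased-space result and reported only under completeness, so the savings figure never counts space whose status is unknown; that is the point of running the completeness and HR checks before the join.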

Conclusion

The recent fluctuations in student and worker populations are driving the need for current space utilization reviews. Internal Audit can bring value to your university by independently analyzing classroom and office space usage from cross-functional sources and evaluating the results against university policies and procedures. These tests can be reperformed in the future to compare results and validate whether management’s action plans are resulting in improvements.

Understanding the IIA’s Proposed Topical Requirement for Cybersecurity

By Anthony Thompson

The Institute of Internal Auditors (IIA) is developing a new element of the International Professional Practices Framework called Topical Requirements. A Topical Requirement is a specific set of guidelines or standards focused on subject areas deemed essential by regulatory bodies or professional organizations. These requirements aim to ensure internal auditors possess the necessary knowledge and skills to address critical areas effectively and provide a framework for consistent and comprehensive auditing practices across various industries and environments. The use of Topical Requirements will be mandatory when an internal audit function performs an audit engagement of a covered topic.

In an era where cyber threats are rapidly evolving, the IIA recently unveiled a draft of the first Topical Requirement on Cybersecurity. This framework provides structured guidelines for evaluating and enhancing organizational cybersecurity measures. The 90-day public comment period has closed, and the final version of this guidance is anticipated to become effective on January 1, 2025.

Topical Requirements are part of the IIA’s new global guidance.

Topical Requirement Format

The 15-page Cybersecurity Topical Requirement draft provides a consistent, comprehensive approach to assessing the design and implementation of cybersecurity governance, risk management, and control processes. It provides requirements for evaluating and assessing each control process, links to related Standards and Global Technology Audit Guides (GTAGs), and detailed considerations for each requirement. There is a tool to document conformance with the Topical Requirement in Appendix B. The following are examples of the proposed requirements:

Governance

  • Establishment of policies and procedures related to cybersecurity risk management.
  • Examining the existing control environment, including preventative and detective controls, as well as a review of existing information security policies to determine alignment with industry standards (e.g., ISO 27001, CIS, and NIST).
  • Discussions with relevant stakeholders, senior management, and the board.
  • Sufficient required resources, including hardware, software, and training.
  • Regularly reviewing organizational policies related to information security, ensuring they are exhaustive and align with industry standards like ISO 27001.

Risk Management

  • Establishment of an organization-wide risk management process with a specific focus on cybersecurity risks.
  • Having a cross-functional management team that includes members from information technology, risk management, legal, compliance, etc.
  • Accountability and responsibility regarding the management of cybersecurity risks, including those who manage, mitigate and identify emerging risks.
  • Existing processes are in place to quickly escalate and evaluate risks.
  • Issues, gaps, deficiencies and control failures are communicated to appropriate parties, and the status of remediation is closely monitored and reported.

Control Processes

  • Ensuring cybersecurity controls are functioning in an effective manner.
  • Compliance monitoring is included within the scope of the Requirement to determine adherence to existing laws, regulations, and standards such as GDPR, HIPAA, or CCPA.
  • The existence of employee training and awareness initiatives which are considered vital for maintaining a robust cybersecurity culture within the organization.
  • Implementation of effective controls surrounding common desktop communication services such as email, internet browsers, videoconferencing, messaging, and file-sharing protocols.
  • Appropriate physical security controls.
  • Determining the effectiveness of incident management and recovery controls.

Implementation Guidelines

Internal Audit should share the final Topical Requirements with their IT departments. To effectively adopt these requirements, organizations should conduct an initial assessment, update policies accordingly, implement periodic employee training sessions, and perform periodic audits to ensure ongoing compliance with the requirements. The internal audit function can test and evaluate these requirements using the tool in the appendix.

While implementing these requirements may present challenges such as resource constraints or resistance to change, overcoming these barriers is crucial for building a resilient cybersecurity framework.

Final Thoughts

Proactive cybersecurity measures are indispensable in today’s digital world. The IIA’s Cybersecurity Topical Requirement provides a comprehensive roadmap for internal auditors aiming to fortify their organization’s defenses against cyber threats through well-structured audits and proactive strategies. By adhering to these guidelines, organizations can expect an enhanced security posture, improved compliance measures, and more efficient incident response mechanisms. For more detailed information, visit the IIA’s Topical Requirements website and read the proposed Cybersecurity Topical Requirement.

Navigating the Update: Implementing NIST CSF 2.0 in Higher Education 

Authors: Morgan Mincy, CPA, Manager – Baker Tilly 
Mike Cullen, CISA, CISSP, CIPP/US, CCP, Principal – Baker Tilly 

Since the National Institute of Standards and Technology (NIST) published the first version of the Cybersecurity Framework (CSF) in 2014, primarily for critical infrastructure organizations, many organizations have implemented the framework to guide and improve their cybersecurity programs. Over the last decade, evolving cyber threats and the wide adoption of the framework by most organizations have led to NIST publishing CSF version 2.0 this year.

The higher education industry has embraced NIST CSF, and colleges and universities use the framework as a foundation for their cybersecurity programs. With numerous changes in version 2.0, institutions should develop a plan to incorporate the updated safeguards into their cybersecurity programs. 

What is NIST CSF? 

The NIST CSF is a risk-based framework that provides organizations with leading practices and guidelines to implement an effective cybersecurity program. Higher education, like many other industries, has adopted NIST because of its non-prescriptive safeguards that allow adaptability and flexibility in the complex higher education IT environment.  

Unfortunately, there is no genie in a bottle or snap of the fingers that will enable any college or university to instantly implement all NIST CSF controls and maintain a perfect cybersecurity program. Implementing NIST CSF requires time, effort, resources, and dedication to creating a strong cybersecurity program.  

To learn more about the specific changes from version 1.0 to 2.0, please read NIST publishes major revision to Cybersecurity Framework (CSF): What organizations need to know.  

Challenges of Implementing NIST CSF in Higher Education  

Higher education institutions face several challenges when implementing any framework, including NIST CSF 2.0, as the foundation for IT controls, governance and protections. Specifically, there are four common challenge areas:  

  • Distribution of IT systems, people, and processes 
  • Allocation of people and funding resources 
  • Balancing openness with security  
  • Training and awareness 

Due to the historical distribution of IT that typically occurs in higher education, driven by diverse IT needs and funding structures used to operate a modern institution, implementing any framework to align IT practices across many units and people is extremely difficult.  

Additionally, the resource shortage, including skilled personnel and funding constraints, both common issues in higher education, leaves few staff members available to implement and enforce safeguards, assuming there is even budget allocated for technological maintenance and updates.  

Another challenge of implementing any cybersecurity framework is tied to the unique mission of higher education to openly create and distribute knowledge. Specifically, for researchers and professors, there is an inherent tension between the desire to share research and information with students, other faculty, and staff within the institution, as well as with the broader academic and research community across the globe, and the need to protect university data, intellectual property, and any funded or sponsored data.

Furthermore, the variety of stakeholders across the institution means that more people, typically the weakest link in cybersecurity, must receive basic training and awareness on cybersecurity threats and actions they need to take. This includes distributed IT personnel across departments or units, system business owners and data stewards, faculty, staff, and researchers handling sensitive or protected information. Even when controls and processes are perfectly designed, without buy-in and behavior changes from stakeholders, followed by training on relevant processes and policy requirements, successful implementation is unlikely. 

The challenges above will still exist, but NIST CSF 2.0 now includes a governance section to help organizations facilitate a consistent approach to managing cyber risks and the cybersecurity program.  

The Impact of the New Governance Section 

In contrast to NIST CSF 1.0, where aspects of governance were woven throughout but never fully encapsulated, NIST CSF 2.0 has dedicated an entire function (i.e., a control family or domain) to governance, emphasizing the importance of addressing cybersecurity risks at the enterprise level with a strategic decision-making approach.

While some of the subcategories (i.e., safeguards) existed previously, the new governance function includes updated categories (i.e., groups of safeguards), such as organizational context, risk management strategy, roles, responsibilities and authorities, policy, oversight, and cybersecurity supply chain risk management. Particularly important for higher education are the categories of organizational context and roles, responsibilities, and authorities. These categories can help clarify and define roles among distributed IT resources, improving areas where responsibilities may be unclear. If not already in place, the organizational context category can facilitate conversations between IT and institutional leaders to develop a holistic understanding of user expectations, legal and regulatory requirements, and alignment of the institution’s mission and IT goals.

Another benefit of the new governance section is enhanced accountability and reporting, which should help alleviate some of the administrative challenges faced by IT in higher education. With three subcategories focused on using the results of organization-wide cybersecurity risk management activities to inform and improve the strategy, IT functions will be encouraged to think strategically about how to best manage risks and identify measures to evaluate the effectiveness of those strategies. This higher-level strategic focus should encourage distributed IT leaders to align on metrics, increasing accountability and transparency across distributed units by reporting on metrics and results of risk management activities.  

While the governance section cannot solve all the common challenges in higher education, it serves as a catalyst to enhance the communication and alignment of IT operations.  

Other changes in NIST CSF 2.0 

As noted above, the governance section is a key difference in the new version, but there are other updates and additions to pay attention to prior to starting an audit – such as the addition of new NIST categories. The following are new or updated categories introduced in NIST CSF 2.0:  

  • ID.IM – Improvement  
  • PR.AA – Identity Management, Authentication and Access Control
  • PR.PS – Platform Security  
  • PR.IR – Technology Infrastructure Resilience  
  • RS.MA – Incident Management  
  • RC.RP – Incident Recovery Plan Execution  

For example, PR.IR – Technology Infrastructure Resilience is a new category focused on ensuring that security architectures are managed using the organization’s risk strategy to protect its assets, systems, and data. While this may have been implied in the previous version, NIST CSF 2.0 explicitly emphasizes the importance of redundancy to ensure that backup systems or components are in place to maintain continuous operations and minimize downtime, aligning with modern security architecture best practices.

Beyond the governance section and new categories, NIST CSF 2.0 also offers an expanded scope, making it more applicable and adaptable to all organizations, rather than focusing solely on critical infrastructure. This includes enhanced guidance for integrating with other frameworks (e.g., the NIST Privacy framework), updated protection controls to align with modern technology (e.g., cloud platforms, multi-factor authentication) and revamped response and recovery functions to better address cybersecurity incidents.  

These updates, along with the governance section and new categories, promote proactive adoption and continuous improvement of cybersecurity practices to better protect an institution’s assets and information.  

Auditing with NIST CSF 2.0 in Higher Education 

Since NIST CSF 2.0 was only recently published, when should institutions be ready for an audit using this framework? This will depend on each institution’s unique environment. However, starting with a gap assessment can be a great way to jumpstart the implementation. It can help IT identify which controls are already implemented and functioning well and where gaps or weaknesses exist in the cybersecurity program.

As discussed earlier, a challenge with implementing NIST CSF 2.0 or any framework in higher education is the distribution of IT. For this reason, when starting on a NIST CSF 2.0 gap assessment or audit, it is important to scope the project appropriately. Controls can be implemented at the enterprise level, the department level, or a hybrid of both. Part of scoping will involve determining whether specific departments should be evaluated and who is responsible for owning and implementing each control process.  

To fully assess an institution’s cybersecurity protections, any audit or assessment should evaluate distributed IT departments, or at least a sample of units. Evaluating both centralized IT and distributed IT units provides detailed results, helping identify gaps and strengths across the institution, thus offering a more complete view of the cyber risk landscape.

Next Steps to Take  

Institutions should take strategic action to address the updates in NIST CSF 2.0. Potential next steps include:  

  • Convene relevant stakeholders (e.g., information security, audit, distributed IT, IT governance) to discuss adopting NIST CSF 2.0.  
  • Develop a road map to implement or improve cybersecurity safeguards based on NIST CSF 2.0. 
  • Perform an assessment or audit of the cybersecurity program using NIST CSF 2.0.  
  • Update cybersecurity safeguards based on gaps and recommendations identified by the assessment or audit. 

For more information about NIST CSF 2.0, or to learn how Baker Tilly’s higher education cybersecurity specialists can help your institution, contact our team.

ACUA Committee Updates – Fall 2024

By C&U Journal Staff

Here is the latest news from our ACUA Committees:

Communications Committee

Social Media

  • Follow us on LinkedIn, Facebook, X, and now Instagram.

Connect ACUA

  • As a valued member of ACUA, you are encouraged to fully leverage our online community platform to enhance your professional experience.
  • Here are some friendly reminders for using the ACUA Connect platform:
    • Reply All: When responding to posts, please use the “Reply All” feature. This ensures all members benefit from the shared information and helps maintain accurate records of member engagement.
    • Email Notifications: Are you overwhelmed by Connect ACUA emails or missing them entirely? Adjust your preferences in the Connect ACUA email notification settings to better suit your needs.
    • Engagement is Key: Our goal is to foster a vibrant and supportive community. Your active participation is crucial in making the platform both engaging and beneficial for all members.

Tools & Resources Committee

         Kick Starters

  • Student Mental Health Access and Awareness, June 2024
  • Exploratory and Descriptive Analytics, July 2024
  • Internal Quality Assessments under the IIA Global Internal Auditing Standards, August 2024
  • Assessing Voluntary University Climate Commitments, October 2024

         Resource Library

  • The ACUA AAP – IIA Global Standards 2025 – Self Assessment Tool was added.
  • Members are encouraged to share any resources that would benefit other members and help grow the resource library. Contact Amy Smith, Resource Library Program Director, at amysmith@pdx.edu with your resource library suggestions.

         Audit Tools

  • The ACUA NCAA Audit Guides have been updated and posted to the Audit Tools page.

Recognition Committee

         Volunteer

  • Thank you for your volunteer spotlight nominations. Watch for volunteer spotlights published semi-monthly in the ACUA newsletter.

Professional Education Committee

         Audit Interactive

  • The March 9-12, 2025 Audit Interactive will be in person in Oklahoma City at the Sheraton Oklahoma City.
  • Oklahoma City – the Modern Frontier:  Named one of the Best Places to Visit by Frommer’s Travel and Travel + Leisure, Oklahoma City offers all the culture, cuisine, attractions and amenities you’d expect in a modern metropolis. And with its rugged Western past, working stockyards and title as “Horse Show Capital of the World,” it is rich in cowboy culture, as well. From family fun to romantic retreats to outdoor adventures you won’t find anywhere else, Oklahoma City has plenty of hustle without all the hassle.
2025 Audit Interactive graphic: Oklahoma City, March 9-12, 2025, Sheraton Downtown Oklahoma

         Virtual Learning

  • Next webinar: Compliance Hot Topics with Baker Tilly on 12/5/24 at 1:00pm EST
  • Keep up and Catch up with upcoming and past webinars here:  ACUA – Webinars

         AuditCon

  • We had a great conference in Atlanta. 508 people attended. A new ACUA record! 
  • Next year’s AuditCon will be Louisville, KY September 14 – 18, 2025 at the Galt House.
  • Louisville is a different type of Southern. With a booming bourbon renaissance, iconic attractions, world-class hotels & venues and a renowned culinary scene, Louisville is an experience like no other city. Travel and Leisure voted Louisville one of the best places to travel in 2024.

Best Practices Committee

The Best Practices Committee strives to provide innovative, best-in-class audit methodology insights and resources to ACUA members. This is accomplished through educational presentations, journal articles, and other materials, such as publishing standalone kick starters or collaboration with the Tools & Resources Committee. Beginning September 2024, the Best Practices Committee is chaired by Agnessa Vartanova, University of Colorado.

The Best Practices Committee is currently comprised of four sub-committees:

  • Audit & Accounting Principles (AAP),
  • Athletics (The Sideline),
  • Data Analytics, and
  • Artificial Intelligence.

The sub-committees are led by Erin Egan, Rutgers University; Rachel Fleener, University of Minnesota; Tiffany Yordan, Rutgers University; and Barry MacDougall, University of Michigan, and Muriel Foster, University of Alabama, respectively. Alongside a committed team of higher education audit professionals, the sub-committee leaders identify topics of interest to ACUA members, perform research, and develop valuable tools and resources which are shared via Connect ACUA posts, webinars, presentations, roundtables, social media, the ACUA Journal, and ACUA website.

         Audit & Accounting Principles (AAP)

  • The new IIA Global Internal Audit Standards go into effect on January 9, 2024.
    • AAP provided a Kick Starter and a self-assessment tool.
    • AAP will host a virtual roundtable in early 2025 to facilitate member discussion on lessons learned.
  • In 2025, AAP will refocus its efforts on providing updates and resources on other areas relevant to higher education and of interest to the ACUA membership.

         Athletics (The Sideline)

  • The Sideline Committee continues to meet monthly. During this meeting there is robust sharing of hot topics in the world of athletics and how institutions are tackling the auditing of various athletic risks. Two members from the committee recently presented a webinar to the ACUA community in August, and a newsletter written by two other committee members will be published in the ACUA Journal in November.

         Data Analytics

  • The Data Analytics Committee collaborates with the Kick Starter Committee to review the data analytics sections of kick starters.
  • A kick starter on Exploratory and Descriptive Analytics was published in July 2024.
  • A session on Cleaning and Transforming Data with Microsoft Power Query was presented at the Virtual Summit in April 2024, which was based on a previously published kick starter.

         Artificial Intelligence (AI)

  • The first official meeting was held in August 2024.
  • Developed and surveyed committee members on AI use. Results are being analyzed, with interest in an ACUA-wide survey and the possibility of a conference presentation to share results.
  • The AI Committee is preparing a list of projects and activities in which to engage its members.

Higher education continues to evolve and present new challenges and opportunities to auditors. We welcome and encourage ACUA members to join the sub-committees and contribute to the previously published stellar body of work!

ACUA 2024 Award Winners and Board Members

By C&U Journal Staff

Congratulations to the following 2024 award winners and new board members announced during AuditCon in Atlanta:

Outstanding Professional Contributions Award

John McDaniel is currently the Director of Internal Audit at the University of Alabama System and has 25 years of experience in higher education and academic medical center administration, compliance, and risk management. Since 2021, John has been a key member of the ACUA Professional Education Committee, contributing to the success of several AuditCon events, and currently serves as the Director of Audit Interactive. John also plays an active role on the ACUA Standards and Best Practices Committee, was instrumental in founding the ACUA Sideline Committee alongside other ACUA members and has published many articles in the ACUA journal and for other organizations. John is also a dedicated participant and leader in external Quality Assurance initiatives for fellow ACUA members and has served in leadership roles outside of ACUA.

Rising Star Awards

Jocelyn Edge joined the Duke University internal audit department in 2021 and has embraced the higher education industry. Jocelyn has already made significant contributions to ACUA by serving as a presenter at several AuditCons. Serving on the Communications Committee, Jocelyn supports social media content creation, design, posting, and coordination with other committees. She took the initiative to standardize social media request processes to ensure individuals and committees have a clear path to promote ACUA activities and announcements. She continues to develop innovative ways to increase content posting to reach our members across several platforms and has introduced video content to help engage members.

Erin Egan is the director of audit and advisory services for Rutgers University. Erin has been an active member of ACUA for the past ten years and was a member of the second cohort of the ACUA Leads program. Erin has served in a number of roles for ACUA over the years, including Governmental Affairs committee co-chair, ACUA Journal article author, conference speaker and proctor, and mentor to other members. Erin has served as the director of the Auditing and Accounting Principles (AAP) sub-committee of the Standards and Best Practices committee, which has been focused on the changes to the IIA’s International Professional Practices Framework, specifically those in the new Global Internal Audit Standards.

Please make sure to congratulate our 2024 award winners and thank them for their outstanding work on behalf of ACUA and the profession!

New Board Members

The 2024-2025 ACUA Board of Directors officially assumed their new roles at AuditCon and thanked Melissa Hall, Emory University for her prior role as past-president. The 2024-2025 Board of Directors are: 

  • Laura Buchhorn, President, University of Texas at San Antonio
  • Nikki Pittman, Vice President, University of Alaska
  • Eulonda Whitmore, Secretary/Treasurer, Wayne State University
  • Marion Candrea, Immediate Past President, Boston University

ACUA thanked Deidre Melton for her past service as a board member and welcomed Amy Kozak in her new role. The Board Members-at-Large are:

  • Jana Clark, Kansas State University
  • Kara Kearney-Saylor, University of Buffalo
  • William Hancock, Jr., Auburn University
  • Andre’ McMillan, University of Delaware
  • Amy Kozak, University of California, Santa Cruz

ACUA committee chairs and sub-committee directors were also celebrated at AuditCon.

Letter from the President – Fall 2024

Dear ACUA Colleagues,

I am honored and excited to address you as the newly appointed ACUA President. As I step into this role, I am filled with a deep sense of responsibility and commitment to continue the legacy of excellence that ACUA represents. First and foremost, I would like to extend my heartfelt gratitude to my predecessor, Marion Candrea, for her outstanding leadership and dedication.

I am eager to continue to work alongside our talented board members, dedicated volunteers, and all of you—our valued members. Together, we will strive to enhance our professional development programs, expand our resources, and foster a community where knowledge and best practices are shared freely.

It was great to see so many of you at AuditCon 2024 in Atlanta, where we achieved a record-breaking 508 attendees! I sincerely thank our Professional Education Committee, speakers, strategic partners, exhibitors, and the ACUA Staff. The in-person interactions and sharing of knowledge were very inspiring and uplifting. We look forward to seeing everyone again in Oklahoma City from March 9-12 for Audit Interactive! Be on the lookout for information on the amazing content coming your way very soon!

I’d also like to give a huge congratulations to the Website Redesign Task Force, the Logo Refresh Task Force, and the ACUA Staff for their astonishing work this past year. The new ACUA website is a breath of fresh air. I hope all our ACUA Members find the navigation to ACUA’s resources more streamlined and user-friendly.

Finally, I’d like to thank our members who completed the Member Needs Assessment Survey this past summer. The responses will be instrumental as the board comes together in the spring to create ACUA’s Strategic Planning for 2025 – 2027. I encourage you to share additional ideas, feedback, and aspirations with me and the board. Together, we will make ACUA an even stronger and more vibrant organization.

Thank you for your trust and support. I look forward to serving you and working together to advance our profession.

Wishing you all a very happy and prosperous holiday season.

Laura Buchhorn, University of Texas at San Antonio

ACUA President