Game Changers: Navigating Audits during Athletics Transformation

By Rachel Flenner and Will Aurich (ACUA Sidelines Committee)

Just as athletic scoreboards are transforming to become bigger and brighter, auditors need to continue to transform our focus to shine in the right direction. When we think of athletics risks, the first thing that often comes to mind is the high-profile court cases with the National Collegiate Athletics Association (NCAA). However, athletics is not immune to the risks we evaluate elsewhere on campus. The risks in the athletics environment are often heightened due to the high volume and visibility of expenses and the unique position of the student-athletes. Athletics houses some of your university’s highest payroll and travel expenses, and heightened student-athlete welfare and privacy concerns are now in the limelight. Apply your university and audit knowledge to the following athletics risks to keep the scoreboard flashing wins.

The University of Minnesota marching band and classic scoreboard
Photo credit: University of Minnesota Library

Transformation of Expenses

A 2019 Forbes article reported that 15 of the 69 universities in the “Power Five” conferences spend five times more per student-athlete than regular full-time undergraduates, and these expenses are growing. If your audit office has not reviewed athletics expenses recently, it may be time to do so. The good news is you can easily apply your university audit skills to athletics.

  • Documentation and Purchasing Procedures: All athletics expense documents should be held to your institution’s standards and properly justified. Purchasing should follow the bidding and procurement requirements for other university units.
  • Food: According to the Forbes article, over five years ago 20 institutions were spending well over a million dollars annually to feed their student-athletes. From an audit point of view this raises several risk topics:
    • Food procurement and contracts, such as sourcing, supplier selection, and contract adherence.
    • Purchase methods including cash advance, credit cards, reimbursement, etc.
    • Meal allowances and per diem for appropriate rates, thresholds, and monitoring.
  • Travel: With the frequent travel schedule and widening of conference boundaries, auditors should verify if travel expensing adheres to the institution’s travel policies. Some areas specific to athletics travel include:
    • Allowability of business class or first class for coaches on recruiting trips.
    • Whether travel by a private or university owned jet is allowed.
    • Family member travel attendance expense limitations and potential IRS reporting requirements.
  • Hospitality: Athletics frequently hosts recruits and donors, and these dinners and events can push the boundaries of an institution’s allowances as the pressure in athletics to keep up with the next school is extremely high. Auditors should also examine the reasonableness of the donor-to-staff member ratios.
  • Payroll: Coaching contracts can be very complex, including items such as salary, performance-related bonuses, memberships, vehicles, and other fringe benefits. Today not only are head coaches’ salaries increasing, but those of assistant coaches are too. Internal audit can help ensure an institution’s general counsel is involved with coaches’ contract language, verify bonus payouts meet the contract expectations, and monitor the use of other benefits included in their contracts.

Transformation of Privacy

While privacy regulations are not new to auditors, we must think about the growing prevalence of student-athlete data and the risks of widespread exposure. Additionally, in a competitive recruiting environment, there is a heightened interest by the public, scouts, competitors, and agents to obtain student-athletes’ private data.

  • HIPAA/PHI: Student-athletes are not only being seen by doctors and athletic trainers, but are also receiving assistance from mental health professionals, massage therapists, and chiropractors, while also undergoing recurring drug testing. These services result in a large amount of student-athlete personal health information that must be protected. Auditors should review:
    • Medical data sharing with outside organizations and medical professionals, and whether it follows your institution’s policy or best practice.
    • Training and education of athletics staff on what is acceptable to share via different electronic mediums (Gmail, Outlook, MS Teams, Slack, or other information sharing tools) and acceptable ways to store data once received (systems, drives, etc.).
  • Internet of Things: Paper and clipboards are things of the past. Nowadays student-athletes wear devices that track their daily movement and key health metrics. Coaches are recording practices, and all this information is being carried around on iPads and other devices. From an audit perspective, consider:
    • Whether all electronic devices are secure and up to your university’s standards.
    • Whether athlete recording and monitoring is limited to only scheduled practices, and that the student-athlete is not being recorded without his/her knowledge.
    • Where other student-athlete private information may unexpectedly or unnecessarily appear, such as travel/flight manifests, invoices from providers, social media, etc.

The modern Oregon State University scoreboard
Photo credit: Nick Daschel, The Oregonian/OregonLive

Transformation of Well-Being

Scoreboards went from simply displaying the team score to displaying the jersey number of the player who scored, and now to replays and flashing pictures of the scoring athlete. The focus on the student-athlete has significantly increased and we are seeing a transformation of student-athlete welfare. While some changes are a result of court cases (e.g., Alston v. NCAA and House v. NCAA), others result from NCAA regulations known as Student-Athlete Core Guarantees, and others simply stem from institutions seeing the need for increased awareness and spending in key areas to promote holistic student-athlete health. Areas that could be audited include:

  • Alston Awards: A university is now allowed to pay a student-athlete above and beyond the full cost of attendance, but it is capped at $5,980 per athlete. However, each institution can choose how to award Alston payments. Auditors could review the award distribution for consistency with their policies and procedures. Note this structure could be impacted by the recent House v. NCAA case.
  • Core Guarantees: While institutions have often provided their student-athletes with access to various career and academic services, the NCAA put in new core guarantees for D1 schools effective August 2024. These new core guarantees include life-skills training and education in various areas such as Name, Image and Likeness (NIL); nutrition; financial literacy; mental health; Diversity, Equity and Inclusion (DEI); sexual violence prevention; and transfer requirements. Your institution may need to secure more resources to develop and conduct this training. Additionally, your institution may engage a third party for these services (e.g., mental health professional), and Internal Audit can review these contracts.
  • Travel: Many institutions are experiencing conference realignment and changing conference boundaries. This can result in increased travel and longer travel times for student-athletes, which pose potential risks to academic performance and mental health.

Transformation of Compliance

For several years it has been considered a best practice to have an independent, external review of a university’s athletics compliance program. These often come in the form of recurring reviews by a contracted firm or the university’s internal audit function. Currently, such reviews are not required, but they help demonstrate institutional control and ensure an effective compliance program. Upcoming updates to Division I Bylaw 20, effective August 2025, will require the completion of a compliance review at least once every four years and an attestation to its completion. These reviews must:

  • Involve an authority outside of the athletics department.
  • At a minimum, consider areas integral to serving the needs of student-athletes (to be annually determined by the NCAA Legislative Committee).
  • Have findings shared with the institution’s leadership and athletics director.

Additionally, the House v. NCAA case has started to change key NCAA regulations such as National Letters of Intent (NLI), transfer eligibility, scholarship caps, and roster limits which will change our audit focus.

Transformation of Revenue

The athletics revenue landscape is transforming, too, as conferences realign and new or increased revenue sources are needed to match growing expenses. Dollar signs are flashing everywhere, and everyone wants to be part of the action. Internal audit can add value by helping ensure universities are getting the dollars they are owed.

  • Media Rights Contracts: Revenue from athletics often comes from media rights agreements and conference agreements. Over the past decade we have seen an upheaval in these media rights as streaming services have begun to gain market share and compete with, or outcompete, traditional cable and satellite television. As court cases continue to pend and be resolved, there are emerging contingencies that could alter this revenue mix, including student-athlete revenue sharing agreements.
  • Concession Contracts: Many universities are outsourcing stadium concessions, potentially leading to more contract revenue. Like other third-party contracts around campus, audits can ensure that the concessions sales are providing the correct revenue and adhere to terms and conditions. Additionally, these concessions may be the only or highest volume sources of alcohol sales at your university. Alcohol sales come with increased risk, such as underaged serving. Internal audit can verify alcohol is purchased, stored, inventoried, and served in accordance with university policy.
  • Ticket Sales: Another vital revenue source is ticket sales, which have primarily moved from hard copy paper tickets to an electronic format. Ticket prices vary by seat, and university employees may get discounted or free tickets. Internal audit can help ensure ticketing policies are followed, especially for complimentary tickets, and reconcile the accurate recording of ticket revenue. Auditors should also verify that sufficient planning for e-ticketing outages and system recovery is in place.

While we cannot predict the future of the evolving world of athletics, we can provide assurance over existing controls and help prepare for future risks on the horizon. As the world of athletics continues to transform, and athletic scoreboards grow bigger and brighter, auditors must continue to know the risks in athletics and apply their exceptional institutional and internal control knowledge. No one wants to be flashing on the scoreboard for the wrong reasons.

References:

  • NCAA Student-Athlete Core Guarantees
  • 2024 NCAA Compliance Report
  • Knight-Newhouse College Athletics Database Custom Reports
  • Power Five University Spend – Forbes, 2024
  • D1 College Athlete Diets and Spending – Forbes, 2019
  • These 20 Colleges Spent $40 Million Just to Feed Student-Athletes – FanBuzz
  • How 3 Companies Put Health at the Heart of the Workplace – Forbes, 2024

Auditing Campus Space Utilization

Space utilization audits bring value to your campus by creating baseline statistics and identifying areas for improvement and cost savings opportunities. The number of students and workers on campus has likely changed in recent years. Classroom and office space on campus has been radically disrupted since the start of the pandemic. National enrollment trends took a tumble, with two-year colleges facing the steepest declines. While enrollment has started to trend upwards since the pandemic relief funds expired, the distribution of students is not consistent. Urban flagship schools are seeing the highest increases, leaving rural campuses struggling. Classroom seats remain empty as schools offer more online courses.

Office space has also been impacted by the pandemic, as many employees never returned to their offices as their positions became partially or fully remote. Many schools enacted hiring freezes or did not fill vacancies, increasing the number of vacant offices across campus. This article provides guidance on performing impactful space utilization audits of classrooms and offices.

Why Classroom Utilization is Important

Accurate space utilization metrics can help your campus understand how space is currently used and identify where efficiencies can be gained. Utilization studies can help justify new construction funds for expanding campuses or determine the need for leased space. They may also identify opportunities to repurpose unused space and thereby decrease utilities, housekeeping, and maintenance costs. Other factors, such as reconfiguring traditional row seating with collaborative layouts, may also affect the number of seats in classrooms.

Utilization studies can also measure compliance with university policies and procedures. Universities often publish standard meeting patterns, such as Monday/Wednesday/Friday classes lasting 50 minutes and Tuesday/Thursday classes lasting 75 minutes, with a defined break between classes. Deviations from this schedule result in overlapping classes, which may cause students to have trouble scheduling the classes they need to graduate. Excessive classes held during peak hours result in overcrowding, a lack of parking, and long lines for food and student services. Having the incorrect number of seats in the scheduling system may lead to over- or under-filled classes, with the potential to exceed fire code occupancy limits.

Internal Audit departments can provide independent utilization analyses from cross-functional data. Campus space is usually tracked by the facilities department, which maintains the official list of classrooms and office assignments. Classroom space may be assigned by the registrar’s office, the schools/departments, or a combination of both, while office space typically is assigned by the departments.

Classroom Utilization Testing

Analysis from classroom utilization testing can add value to your university leadership by identifying trends that may contribute to overcrowding, underutilization, and noncompliance with goals and standards. There are many factors to consider during audit planning. Your campus or system office may have capacity goals or other criteria to measure against. The scope may be limited to classrooms or expanded to other spaces such as labs and rehearsal spaces. Consider testing undergraduate courses separately, as graduate classes may inherently have lower attendance and irregular class times.

Conduct the following utilization tests by comparing a Facilities report listing all classrooms and their room capacities against a comprehensive class listing from your system of record that shows the actual number of students in each classroom. Test 100% of classrooms using data analytics software or Excel subtotals and pivot tables for complete results.

  • Classroom Seat Utilization – Determine the percentage of seats filled per classroom by calculating the average enrollment of the classes held in each room and dividing by the number of seats in the classroom. Lower percentages indicate underutilized classrooms.
  • Weekly Hours Used – Calculate the number of hours of class time each classroom is in use on a weekly basis from the class duration and meeting frequency. The lower the weekly hours, the less utilized the room.
  • Standard Meeting Pattern – Identify classes that do not follow your university’s standard meeting pattern, such as Monday/Wednesday for 75 minutes, or classes starting at a non-standard start time, as they create overlap with other class times.
  • Prime Time Scheduling – Chart the number of classes held each hour of each day and compare with any university prime time constraints. This will identify if your university has few classes at 8:00am and too many classes at 11:00am.
  • Classroom Capacity Verification – Compare the maximum seats in the facilities report to the class report and identify any seat capacity differences. Visit the classrooms with discrepancies and perform a physical headcount to determine which system needs to be updated.
  • Unassigned Classrooms – Determine if there are any classrooms on the facilities report that are not included on the class list. Determine the root cause, such as the building being under renovation, or the department not updating the system with class counts.
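
The six tests above, worked through in code as an added example that is not part of the article or ACUA’s own material: a Facilities room list and a class listing are constructed inline, the standard meeting patterns, standard start times and the room, class and department names are all assumed for illustration, and each test is a function returning its result so the findings can be split by registering department.

```python
"""Classroom utilization tests over constructed sample data.

Added example (not from the ACUA article). Implements the six tests listed
in the article against two small in-memory reports. All rooms, classes,
departments and the standard meeting patterns are constructed/assumed.
"""
from collections import Counter, defaultdict

# Constructed Facilities report: room -> official seat count.
FACILITIES = {"SCI-101": 40, "SCI-102": 30, "ART-201": 25, "ENG-300": 60}

# Constructed class listing from the system of record. `start` is minutes
# after midnight; `sched_seats` is the capacity recorded in the scheduling
# system (which may disagree with Facilities).
CLASSES = [
    {"id": "BIO101", "room": "SCI-101", "dept": "Biology", "enrolled": 38,
     "days": "MWF", "start": 11 * 60, "minutes": 50, "sched_seats": 40},
    {"id": "BIO205", "room": "SCI-101", "dept": "Biology", "enrolled": 12,
     "days": "TR", "start": 11 * 60, "minutes": 75, "sched_seats": 40},
    {"id": "CHM110", "room": "SCI-102", "dept": "Chemistry", "enrolled": 9,
     "days": "MW", "start": 8 * 60, "minutes": 75, "sched_seats": 35},
    {"id": "ART120", "room": "ART-201", "dept": "Art", "enrolled": 24,
     "days": "TR", "start": 11 * 60 + 20, "minutes": 75, "sched_seats": 25},
]

# Assumed university standard: MWF classes run 50 minutes on the hour,
# TR classes run 75 minutes starting at 8:00 and every 90 minutes after.
STANDARD_PATTERNS = {"MWF": 50, "TR": 75}
STANDARD_STARTS = {"MWF": {h * 60 for h in range(8, 18)},
                   "TR": {8 * 60 + 90 * k for k in range(7)}}


def seat_utilization(classes=CLASSES, facilities=FACILITIES):
    """Test 1: average enrollment per room / Facilities seats, as a percentage."""
    enrollments = defaultdict(list)
    for c in classes:
        enrollments[c["room"]].append(c["enrolled"])
    return {room: round(100 * sum(e) / len(e) / facilities[room], 1)
            for room, e in enrollments.items()}


def weekly_hours(classes=CLASSES):
    """Test 2: hours per week each room is in use (meetings x duration)."""
    hours = defaultdict(float)
    for c in classes:
        hours[c["room"]] += len(c["days"]) * c["minutes"] / 60
    return {room: round(h, 2) for room, h in hours.items()}


def nonstandard_classes(classes=CLASSES):
    """Test 3: classes off the standard pattern or off a standard start time."""
    findings = []
    for c in classes:
        if STANDARD_PATTERNS.get(c["days"]) != c["minutes"]:
            findings.append((c["id"], "non-standard meeting pattern"))
        elif c["start"] not in STANDARD_STARTS[c["days"]]:
            findings.append((c["id"], "non-standard start time"))
    return findings


def prime_time_chart(classes=CLASSES):
    """Test 4: number of classes starting in each (day, hour) slot."""
    chart = Counter()
    for c in classes:
        for day in c["days"]:          # 'R' stands for Thursday
            chart[(day, c["start"] // 60)] += 1
    return chart


def capacity_discrepancies(classes=CLASSES, facilities=FACILITIES):
    """Test 5: rooms where Facilities and the scheduling system disagree on seats."""
    return {c["room"]: (facilities[c["room"]], c["sched_seats"])
            for c in classes if facilities[c["room"]] != c["sched_seats"]}


def unassigned_rooms(classes=CLASSES, facilities=FACILITIES):
    """Test 6: rooms on the Facilities report with no scheduled class."""
    return sorted(set(facilities) - {c["room"] for c in classes})


def nonstandard_by_department(classes=CLASSES):
    """Split the meeting-pattern findings by registering department."""
    flagged = {cid for cid, _ in nonstandard_classes(classes)}
    return Counter(c["dept"] for c in classes if c["id"] in flagged)


if __name__ == "__main__":
    print("Seat utilization %:", seat_utilization())
    print("Weekly hours:", weekly_hours())
    print("Non-standard classes:", nonstandard_classes())
    print("Classes starting at 11:00 on Tuesday:", prime_time_chart()[("T", 11)])
    print("Capacity discrepancies (facilities, scheduling):", capacity_discrepancies())
    print("Unassigned rooms:", unassigned_rooms())
    print("Non-standard classes by department:", dict(nonstandard_by_department()))
```

On real data the two inputs would be exports from Facilities and the student information system rather than the inline lists, but the joins and calculations are the same; the prime-time chart is the one result that usually needs a visual, and the `Counter` keyed by day and hour drops straight into a pivot table.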

The data gathered from these tests serve as both baseline statistics and support for your recommendations. Separate the results by the registering departments to help isolate the departments that are not meeting expectations.

Office Space Planning

Ever since that fateful day in March 2020 when everyone was sent home to work, many workers never returned to their offices. Employees became increasingly comfortable working from home, and employers became concerned whether their employees would come back to the office or elect to find remote work elsewhere. Many campuses decided to allow certain non-student facing departments to continue to work remotely on a part-time or permanent basis. Additionally, any hiring freezes and attrition during the pandemic may have reduced the workforce.

The resulting excess of empty offices creates an opportunity for internal auditors to analyze office assignments and identify underutilized office space. Potential cost-saving recommendations include repurposing office space for other uses, closing spaces altogether to save on heating and cleaning costs, and eliminating unneeded leased space. It may be practical to move workers to consolidate space or create shared hotel space for hybrid workers.

Office Space Utilization Testing

The first step is to determine the university’s criteria for having reserved office space. For example, your human resources department may have determined fully remote employees should not have dedicated office space and hybrid workers working in person less than 50% of the time should share hotel spaces. Human resources likely maintains a database of employees classified as remote workers and their percentage of offsite work. Facilities usually maintains a database of office space and its occupants. Their occupancy report should indicate whether an office is occupied or vacant and should have the employee ID of the person assigned to each office.

Define the scope of the occupancy testing. For example, consider testing administrative workers separately from faculty as on-campus requirements differ. Perform the following test steps to identify underutilized office space in accordance with your university’s policies and procedures:

  • Validate the Completeness of the Occupancy Report – Ensure the occupancy report has an assignment for every office so it can be determined whether the office is assigned or vacant. Determine whether there are multiple offices assigned to the same employee ID, shared offices, or other anomalies that would hinder specific identification.
  • Review HR Data on Remote Workers – Verify HR has updated and complete records for employee work status classification. Employees may be classified as remote, hybrid, or in-person, or the records may show the percentage of remote work (e.g., working 60% remotely).
  • Identify Remote Workers with Offices – Join the occupancy report with the HR remote worker data by employee ID and determine the number of remote workers with assigned office space, based on your university’s criteria. As an example, quantify the number of fully remote workers with offices and the number of hybrid workers working remotely over 50% of the time who have their own offices. Categorize by department and location.
  • Identify Unoccupied Rental Space – From the prior test, determine which unused offices are located in rented space. Rented space may be identified in the occupancy report or may come from a separate report from Facilities.
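
The four test steps above, worked through in code as an added example that is not part of the article or ACUA’s own material: a Facilities occupancy report and an HR work-status table are constructed inline and joined by employee ID. The office, building, department and employee identifiers are invented, and the criterion that hybrid staff working more than 50% remotely should share hotel space is assumed as the university’s policy for the purpose of the example; the completeness checks come first because, as the article notes, incomplete reports limit every later result.

```python
"""Office space utilization tests over constructed data.

Added example (not from the ACUA article). Joins a constructed Facilities
occupancy report with constructed HR remote-work data by employee ID and
applies the four test steps from the article. All identifiers are invented
and the 50% hybrid threshold is an assumed university criterion.
"""
from collections import Counter

# Constructed Facilities occupancy report. `occupant` holds an employee ID,
# the literal "VACANT", or "" where Facilities never completed the record.
OCCUPANCY = [
    {"office": "ADM-101", "building": "Admin Hall", "occupant": "E001", "rented": False},
    {"office": "ADM-102", "building": "Admin Hall", "occupant": "E002", "rented": False},
    {"office": "ADM-103", "building": "Admin Hall", "occupant": "VACANT", "rented": False},
    {"office": "ADM-104", "building": "Admin Hall", "occupant": "", "rented": False},
    {"office": "ADM-105", "building": "Admin Hall", "occupant": "E004", "rented": False},
    {"office": "ADM-106", "building": "Admin Hall", "occupant": "E005", "rented": False},
    {"office": "LSE-201", "building": "Leased Annex", "occupant": "E003", "rented": True},
    {"office": "LSE-202", "building": "Leased Annex", "occupant": "VACANT", "rented": True},
    {"office": "LSE-203", "building": "Leased Annex", "occupant": "E001", "rented": True},
]

# Constructed HR work-status data keyed by employee ID (E005 is deliberately absent).
HR = {
    "E001": {"dept": "Finance", "status": "remote", "remote_pct": 100},
    "E002": {"dept": "Finance", "status": "hybrid", "remote_pct": 60},
    "E003": {"dept": "Registrar", "status": "in-person", "remote_pct": 0},
    "E004": {"dept": "Registrar", "status": "hybrid", "remote_pct": 40},
}

# Assumed policy: hybrid staff above this % remote should use shared hotel space.
HYBRID_THRESHOLD = 50


def validate_reports(occupancy=OCCUPANCY, hr=HR):
    """Steps 1 and 2: completeness anomalies in the occupancy report and HR data."""
    blank = [o["office"] for o in occupancy if o["occupant"] == ""]
    by_emp = {}
    for o in occupancy:
        if o["occupant"] not in ("", "VACANT"):
            by_emp.setdefault(o["occupant"], []).append(o["office"])
    duplicates = {e: offs for e, offs in by_emp.items() if len(offs) > 1}
    missing_hr = sorted(e for e in by_emp if e not in hr)
    return {"blank": blank, "duplicates": duplicates, "missing_hr": missing_hr}


def remote_workers_with_offices(occupancy=OCCUPANCY, hr=HR, threshold=HYBRID_THRESHOLD):
    """Step 3: join by employee ID and flag offices held by staff outside the criteria."""
    flagged = []
    for o in occupancy:
        rec = hr.get(o["occupant"])
        if rec is None:
            continue  # vacant, blank or unknown to HR: surfaced by validate_reports
        if rec["status"] == "remote":
            reason = "fully remote"
        elif rec["status"] == "hybrid" and rec["remote_pct"] > threshold:
            reason = f"hybrid, {rec['remote_pct']}% remote"
        else:
            continue
        flagged.append({"office": o["office"], "employee_id": o["occupant"],
                        "dept": rec["dept"], "building": o["building"],
                        "rented": o["rented"], "reason": reason})
    return flagged


def flagged_by_dept_and_location(flagged):
    """Categorize step 3 findings by department and building."""
    return Counter((f["dept"], f["building"]) for f in flagged)


def underutilized_rented_offices(occupancy=OCCUPANCY, hr=HR):
    """Step 4: rented offices that are vacant or held by a flagged remote worker."""
    vacant = [o["office"] for o in occupancy if o["rented"] and o["occupant"] == "VACANT"]
    remote = [f["office"] for f in remote_workers_with_offices(occupancy, hr) if f["rented"]]
    return sorted(set(vacant + remote))


if __name__ == "__main__":
    print("Data quality issues:", validate_reports())
    found = remote_workers_with_offices()
    for f in found:
        print(f"{f['office']} ({f['building']}): {f['employee_id']} in {f['dept']}, {f['reason']}")
    print("By department/location:", dict(flagged_by_dept_and_location(found)))
    print("Underutilized rented offices:", underutilized_rented_offices())
```

The blank record, the duplicate assignment and the occupant unknown to HR are reported separately rather than silently skipped, so the auditor can decide whether to postpone testing until management corrects the source reports or to issue the data-quality recommendation first.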

Results will be limited if the occupancy report and/or the remote worker data is incomplete. For the most accurate results, consider postponing the testing until management updates the reports, or making a recommendation to update the data and performing a follow-up engagement.

Conclusion

The recent fluctuations in student and worker populations are driving the need for current space utilization reviews. Internal Audit can bring value to your university by independently analyzing classroom and office space usage from cross-functional sources and evaluating the results against university policies and procedures. These tests can be reperformed in the future to compare results and validate whether management’s action plans are resulting in improvements.

Understanding the IIA’s Proposed Topical Requirement for Cybersecurity

By Anthony Thompson

The Institute of Internal Auditors (IIA) is developing a new element of the International Professional Practices Framework called Topical Requirements. A Topical Requirement is a specific set of guidelines or standards focused on subject areas deemed essential by regulatory bodies or professional organizations. These requirements aim to ensure internal auditors possess the necessary knowledge and skills to address critical areas effectively and provide a framework for consistent and comprehensive auditing practices across various industries and environments. The use of Topical Requirements will be mandatory when an internal audit function performs an audit engagement of a covered topic.

In an era where cyber threats are rapidly evolving, the IIA recently unveiled a draft of the first Topical Requirement on Cybersecurity. This framework provides structured guidelines for evaluating and enhancing organizational cybersecurity measures. The 90-day public comment period has closed, and the final version of this guidance is anticipated to become effective on January 1, 2025.

Topical Requirements are part of the IIA’s new global guidance.

Topical Requirement Format

The 15-page Cybersecurity Topical Requirement draft provides a consistent, comprehensive approach to assessing the design and implementation of cybersecurity governance, risk management, and control processes. It provides requirements for evaluating and assessing each control process, links to related Standards and Global Technology Audit Guides (GTAGs), and detailed considerations for each requirement. There is a tool to document conformance with the Topical Requirement in Appendix B. The following are examples of the proposed requirements:

Governance

  • Establishment of policies and procedures related to cybersecurity risk management.
  • Examining the existing control environment, including preventative and detective controls, as well as a review of existing information security policies to determine alignment with industry standards (e.g., ISO 27001, CIS, and NIST).
  • Discussions with relevant stakeholders, senior management, and the board.
  • Sufficient required resources, including hardware, software, and training.
  • Regularly reviewing organizational policies related to information security, ensuring they are exhaustive and align with industry standards like ISO 27001.

Risk Management

  • Establishment of an organization-wide risk management process with a specific focus on cybersecurity risks.
  • Having a cross-functional management team that includes members from information technology, risk management, legal, compliance, etc.
  • Accountability and responsibility regarding the management of cybersecurity risks, including those who manage, mitigate and identify emerging risks.
  • Existing processes are in place to quickly escalate and evaluate risks.
  • Issues, gaps, deficiencies and control failures are communicated to appropriate parties, and the status of remediation is closely monitored and reported.

Control Processes

  • Ensuring cybersecurity controls are functioning in an effective manner.
  • Compliance monitoring is included within the scope of the Requirement to determine adherence to existing laws, regulations, and standards such as GDPR, HIPAA, or CCPA.
  • The existence of employee training and awareness initiatives which are considered vital for maintaining a robust cybersecurity culture within the organization.
  • Implementation of effective controls surrounding common desktop communication services such as email, internet browsers, videoconferencing, messaging, and file-sharing protocols.
  • Appropriate physical security controls.
  • Determining the effectiveness of incident management and recovery controls.

Implementation Guidelines

Internal Audit should share the final Topical Requirements with their IT departments. To effectively adopt these requirements, organizations should conduct an initial assessment, update policies accordingly, implement periodic employee training sessions, and perform periodic audits to ensure ongoing compliance with the requirements. The internal audit function can test and evaluate these requirements using the tool in the appendix.

While implementing these requirements may present challenges such as resource constraints or resistance to change, overcoming these barriers is crucial for building a resilient cybersecurity framework.

Final Thoughts

Proactive cybersecurity measures are indispensable in today’s digital world. The IIA’s Cybersecurity Topical Requirement provides a comprehensive roadmap for internal auditors aiming to fortify their organization’s defenses against cyber threats through well-structured audits and proactive strategies. By adhering to these guidelines, organizations can expect an enhanced security posture, improved compliance measures, and more efficient incident response mechanisms. For more detailed information, visit the IIA’s Topical Requirements website and read the proposed Cybersecurity Topical Requirement.

Navigating the Update: Implementing NIST CSF 2.0 in Higher Education 

Authors: Morgan Mincy, CPA, Manager – Baker Tilly 
Mike Cullen, CISA, CISSP, CIPP/US, CCP, Principal – Baker Tilly 

Since the National Institute of Standards and Technology (NIST) published the first version of the Cybersecurity Framework (CSF) in 2014, primarily for critical infrastructure organizations, many organizations have implemented the framework to guide and improve their cybersecurity programs. Over the last decade, evolving cyber threats and the wide adoption of the framework by most organizations have led to NIST publishing CSF version 2.0 this year.

The higher education industry has embraced NIST CSF, and colleges and universities use the framework as a foundation for their cybersecurity programs. With numerous changes in version 2.0, institutions should develop a plan to incorporate the updated safeguards into their cybersecurity programs. 

What is NIST CSF? 

The NIST CSF is a risk-based framework that provides organizations with leading practices and guidelines to implement an effective cybersecurity program. Higher education, like many other industries, has adopted NIST because of its non-prescriptive safeguards that allow adaptability and flexibility in the complex higher education IT environment.  

Unfortunately, there is no genie in a bottle or snap of the fingers that will enable any college or university to instantly implement all NIST CSF controls and maintain a perfect cybersecurity program. Implementing NIST CSF requires time, effort, resources, and dedication to creating a strong cybersecurity program.  

To learn more about the specific changes from version 1.0 to 2.0, please read NIST publishes major revision to Cybersecurity Framework (CSF): What organizations need to know.  

Challenges of Implementing NIST CSF in Higher Education  

Higher education institutions face several challenges when implementing any framework, including NIST CSF 2.0, as the foundation for IT controls, governance and protections. Specifically, there are four common challenge areas:  

  • Distribution of IT systems, people, and processes 
  • Allocation of people and funding resources 
  • Balancing openness with security  
  • Training and awareness 

Due to the historical distribution of IT that typically occurs in higher education, driven by diverse IT needs and funding structures used to operate a modern institution, implementing any framework to align IT practices across many units and people is extremely difficult.  

Additionally, the resource shortage, including skilled personnel and funding constraints, both common issues in higher education, leaves few staff members available to implement and enforce safeguards, assuming there is even budget allocated for technological maintenance and updates.  

Another challenge of implementing any cybersecurity framework is tied to the unique mission of higher education to openly create and distribute knowledge. Specifically, for researchers and professors, there is an inherent tension between the desire to share research and information with students, other faculty, and staff within the institution, as well as with the broader academic and research community across the globe, and the need to protect university data, intellectual property, and any funded or sponsored data.

Furthermore, the variety of stakeholders across the institution means that more people, typically the weakest link in cybersecurity, must receive basic training and awareness on cybersecurity threats and actions they need to take. This includes distributed IT personnel across departments or units, system business owners and data stewards, faculty, staff, and researchers handling sensitive or protected information. Even when controls and processes are perfectly designed, without buy-in and behavior changes from stakeholders, followed by training on relevant processes and policy requirements, successful implementation is unlikely. 

The challenges above will still exist, but NIST CSF 2.0 now includes a governance section to help organizations facilitate a consistent approach to managing cyber risks and the cybersecurity program.  

The Impact of the New Governance Section 

In contrast to NIST CSF 1.0, where aspects of governance were woven throughout but never fully encapsulated, NIST CSF 2.0 has dedicated an entire function (i.e., a control family or domain) to governance, emphasizing the importance of addressing cybersecurity risks at the enterprise level with a strategic decision-making approach.

While some of the subcategories (i.e., safeguards) existed previously, the new governance function includes updated categories (i.e., groups of safeguards), such as organizational context, risk management strategy, roles, responsibilities and authorities, policy, oversight, and cybersecurity supply chain risk management. Particularly important for higher education are the categories of organizational context and roles, responsibilities, and authorities. These categories can help clarify and define roles among distributed IT resources, improving areas where responsibilities may be unclear. If not already in place, the organizational context category can facilitate conversations between IT and institutional leaders to develop a holistic understanding of user expectations, legal and regulatory requirements, and alignment of the institution’s mission and IT goals.

Another benefit of the new governance section is enhanced accountability and reporting, which should help alleviate some of the administrative challenges faced by IT in higher education. With three subcategories focused on using the results of organization-wide cybersecurity risk management activities to inform and improve the strategy, IT functions will be encouraged to think strategically about how to best manage risks and identify measures to evaluate the effectiveness of those strategies. This higher-level strategic focus should encourage distributed IT leaders to align on metrics, increasing accountability and transparency across distributed units by reporting on metrics and results of risk management activities.  

While the governance section cannot solve all the common challenges in higher education, it serves as a catalyst to enhance the communication and alignment of IT operations.  

Other changes in NIST CSF 2.0 

As noted above, the governance section is a key difference in the new version, but there are other updates and additions to pay attention to prior to starting an audit – such as the addition of new NIST categories. The following are new or updated categories introduced in NIST CSF 2.0:  

  • ID.IM – Improvement  
  • PR.AA – Identity Management, Authentication, and Access Control 
  • PR.PS – Platform Security  
  • PR.IR – Technology Infrastructure Resilience  
  • RS.MA – Incident Management  
  • RC.RP – Incident Recovery Plan Execution  

For example, PR.IR – Technology Infrastructure Resilience is a new category focused on ensuring that security architectures are managed using the organization’s risk strategy to protect its assets, systems, and data. While this may have been implied in the previous version, NIST CSF 2.0 explicitly emphasizes the importance of redundancy to ensure that backup systems or components are in place to maintain continuous operations and minimize downtime, aligning with modern security architecture best practices.  

Beyond the governance section and new categories, NIST CSF 2.0 also offers an expanded scope, making it more applicable and adaptable to all organizations, rather than focusing solely on critical infrastructure. This includes enhanced guidance for integrating with other frameworks (e.g., the NIST Privacy Framework), updated protection controls to align with modern technology (e.g., cloud platforms, multi-factor authentication), and revamped response and recovery functions to better address cybersecurity incidents.  

These updates, along with the governance section and new categories, promote proactive adoption and continuous improvement of cybersecurity practices to better protect an institution’s assets and information.  

Auditing with NIST CSF 2.0 in Higher Education 

Since NIST CSF 2.0 was only recently published, when should institutions be ready for an audit using this framework? This will depend on each institution’s unique environment. However, starting with a gap assessment can be a great way to jumpstart the implementation. It can help IT identify which controls are already implemented and functioning well and where gaps or weaknesses exist in the cybersecurity program.

As discussed earlier, a challenge with implementing NIST CSF 2.0 or any framework in higher education is the distribution of IT. For this reason, when starting on a NIST CSF 2.0 gap assessment or audit, it is important to scope the project appropriately. Controls can be implemented at the enterprise level, the department level, or a hybrid of both. Part of scoping will involve determining whether specific departments should be evaluated and who is responsible for owning and implementing each control process.  

To fully assess an institution’s cybersecurity protections, any audit or assessment should evaluate distributed IT departments, or at least a sample of units. Evaluating both centralized IT and distributed IT units provides detailed results, helping identify gaps and strengths across the institution and thus offering a more complete view of the cyber risk landscape.  

Next Steps to Take  

Institutions should take strategic action to address the updates in NIST CSF 2.0. Potential next steps include:  

  • Convene relevant stakeholders (e.g., information security, audit, distributed IT, IT governance) to discuss adopting NIST CSF 2.0.  
  • Develop a road map to implement or improve cybersecurity safeguards based on NIST CSF 2.0. 
  • Perform an assessment or audit of the cybersecurity program using NIST CSF 2.0.  
  • Update cybersecurity safeguards based on gaps and recommendations identified by the assessment or audit. 

For more information about NIST CSF 2.0, or to learn how Baker Tilly’s higher education cybersecurity specialists can help your institution, contact our team.

ACUA Committee Updates – Fall 2024

By C&U Journal Staff

Here is the latest news from our ACUA Committees:

Communications Committee

Social Media

  • Follow us on LinkedIn, Facebook, X, and now Instagram.

Connect ACUA

  • As a valued member of ACUA, you are encouraged to fully leverage our online community platform to enhance your professional experience.
  • Here are some friendly reminders for using the ACUA Connect platform:
    • Reply All: When responding to posts, please use the “Reply All” feature. This ensures all members benefit from the shared information and helps maintain accurate records of member engagement.
    • Email Notifications: Are you overwhelmed by Connect ACUA emails or missing them entirely? Adjust your preferences in the Connect ACUA email notification settings to better suit your needs.
    • Engagement is Key: Our goal is to foster a vibrant and supportive community. Your active participation is crucial in making the platform both engaging and beneficial for all members.

Tools & Resources Committee

         Kick Starters

  • Student Mental Health Access and Awareness, June 2024
  • Exploratory and Descriptive Analytics, July 2024
  • Internal Quality Assessments under the IIA Global Internal Auditing Standards, August 2024
  • Assessing Voluntary University Climate Commitments, October 2024

         Resource Library

  • The ACUA AAP – IIA Global Standards 2025 – Self Assessment Tool was added.
  • Members are encouraged to share any resources that would benefit other members and help grow the resource library. Contact Amy Smith, Resource Library Program Director, at amysmith@pdx.edu with your resource library suggestions.

         Audit Tools

  • The ACUA NCAA Audit Guides have been updated and posted to the Audit Tools page.

Recognition Committee

         Volunteer

  • Thank you for your volunteer spotlight nominations. Watch for volunteer spotlights published semi-monthly in the ACUA newsletter.

Professional Education Committee

         Audit Interactive

  • The March 9-12, 2025 Audit Interactive will be in person in Oklahoma City at the Sheraton Oklahoma City.
  • Oklahoma City – the Modern Frontier:  Named one of the Best Places to Visit by Frommer’s Travel and Travel + Leisure, Oklahoma City offers all the culture, cuisine, attractions and amenities you’d expect in a modern metropolis. And with its rugged Western past, working stockyards and title as “Horse Show Capital of the World,” it is rich in cowboy culture, as well. From family fun to romantic retreats to outdoor adventures you won’t find anywhere else, Oklahoma City has plenty of hustle without all the hassle.

         Virtual Learning

  • Next webinar: Compliance Hot Topics with Baker Tilly on 12/5/24 at 1:00pm EST
  • Keep up and catch up with upcoming and past webinars here: ACUA – Webinars

         AuditCon

  • We had a great conference in Atlanta. 508 people attended. A new ACUA record! 
  • Next year’s AuditCon will be Louisville, KY September 14 – 18, 2025 at the Galt House.
  • Louisville is a different type of Southern. With a booming bourbon renaissance, iconic attractions, world-class hotels & venues and a renowned culinary scene, Louisville is an experience like no other city. Travel and Leisure voted Louisville one of the best places to travel in 2024.

Best Practices Committee

The Best Practices Committee strives to provide innovative, best-in-class audit methodology insights and resources to ACUA members. This is accomplished through educational presentations, journal articles, and other materials, such as publishing standalone kick starters or collaboration with the Tools & Resources Committee. Beginning September 2024, the Best Practices Committee is chaired by Agnessa Vartanova, University of Colorado.

The Best Practices Committee is currently comprised of four sub-committees:

  • Audit & Accounting Principles (AAP),
  • Athletics (The Sideline),
  • Data Analytics, and
  • Artificial Intelligence.

The sub-committees are led by Erin Egan, Rutgers University; Rachel Flenner, University of Minnesota; Tiffany Yordan, Rutgers University; and Barry MacDougall, University of Michigan, and Muriel Foster, University of Alabama, respectively. Alongside a committed team of higher education audit professionals, the sub-committee leaders identify topics of interest to ACUA members, perform research, and develop valuable tools and resources, which are shared via Connect ACUA posts, webinars, presentations, roundtables, social media, the ACUA Journal, and the ACUA website.

         Audit & Accounting Principles (AAP)

  • The new IIA Global Internal Audit Standards go into effect on January 9, 2025.
    • AAP provided a Kick Starter and a self-assessment tool.
    • AAP will host a virtual roundtable in early 2025 to facilitate member discussion on lessons learned.
  • In 2025, AAP will refocus its efforts on providing updates and resources on other areas relevant to higher education and of interest to the ACUA membership.

         Athletics (The Sideline)

  • The Sideline Committee continues to meet monthly. During these meetings there is robust sharing of hot topics in the world of athletics and how institutions are tackling the auditing of various athletic risks. Two members of the committee recently presented a webinar to the ACUA community in August, and a newsletter written by two other committee members will be published in the ACUA Journal in November.

         Data Analytics

  • The Data Analytics Committee collaborates with the Kick Starter Committee to review the data analytics sections of kick starters.
  • A kick starter on Exploratory and Descriptive Analytics was published in July 2024.
  • A session on Cleaning and Transforming Data with Microsoft Power Query was presented at the Virtual Summit in April 2024, which was based on a previously published kick starter.

         Artificial Intelligence (AI)

  • The first official meeting was held in August 2024.
  • Developed and administered a survey of committee members on AI use. Results are being analyzed, with interest in an ACUA-wide survey and the possibility of a conference presentation to share results.
  • The AI Committee is preparing a list of projects and activities in which to engage its members.

Higher education continues to evolve and present new challenges and opportunities to auditors. We welcome and encourage ACUA members to join the sub-committees and contribute to the previously published stellar body of work!

ACUA 2024 Award Winners and Board Members

By C&U Journal Staff

Congratulations to the following 2024 award winners and new board members announced during AuditCon in Atlanta:

Outstanding Professional Contributions Award

John McDaniel is currently the Director of Internal Audit at the University of Alabama System and has 25 years of experience in higher education and academic medical center administration, compliance, and risk management. Since 2021, John has been a key member of the ACUA Professional Education Committee, contributing to the success of several AuditCon events, and currently serves as the Director of Audit Interactive. John also plays an active role on the ACUA Standards and Best Practices Committee, was instrumental in founding the ACUA Sideline Committee alongside other ACUA members and has published many articles in the ACUA journal and for other organizations. John is also a dedicated participant and leader in external Quality Assurance initiatives for fellow ACUA members and has served in leadership roles outside of ACUA.

Rising Star Awards

Jocelyn Edge joined the Duke University internal audit department in 2021 and has embraced the higher education industry. Jocelyn has already made significant contributions to ACUA by serving as a presenter at several AuditCons. Serving on the Communications Committee, Jocelyn supports social media content creation, design, posting, and coordination with other committees. She took the initiative to standardize social media request processes to ensure individuals and committees have a clear path to promote ACUA activities and announcements. She continues to develop innovative ways to increase content posting to reach our members across several platforms and is introducing video content to help engage members.

Erin Egan is the director of audit and advisory services for Rutgers University. Erin has been an active member of ACUA for the past ten years and was a member of the second cohort of the ACUA Leads program. Erin has served in a number of roles for ACUA over the years, including Governmental Affairs committee co-chair, ACUA Journal article author, conference speaker and proctor, and mentor to other members. Erin has served as the director of the Auditing and Accounting Principles (AAP) sub-committee of the Standards and Best Practices committee, which has been focused on the changes to the IIA’s International Professional Practices Framework, specifically those in the new Global Internal Audit Standards.

Please make sure to congratulate our 2024 award winners and thank them for their outstanding work on behalf of ACUA and the profession!

New Board Members

The 2024-2025 ACUA Board of Directors officially assumed their new roles at AuditCon and thanked Melissa Hall, Emory University for her prior role as past-president. The 2024-2025 Board of Directors are: 

  • Laura Buchhorn, President, University of Texas at San Antonio
  • Nikki Pittman, Vice President, University of Alaska
  • Eulonda Whitmore, Secretary/Treasurer, Wayne State University
  • Marion Candrea, Immediate Past President, Boston University

ACUA thanked Deidre Melton for her past service as a board member and welcomed Amy Kozak in her new role. The Board Members-at-Large are:

  • Jana Clark, Kansas State University
  • Kara Kearney-Saylor, University of Buffalo
  • William Hancock, Jr., Auburn University
  • Andre’ McMillan, University of Delaware
  • Amy Kozak, University of California, Santa Cruz

ACUA committee chairs and sub-committee directors were also celebrated at AuditCon.

Letter from the President – Fall 2024

Dear ACUA Colleagues,

I am honored and excited to address you as the newly appointed ACUA President. As I step into this role, I am filled with a deep sense of responsibility and commitment to continue the legacy of excellence that ACUA represents. First and foremost, I would like to extend my heartfelt gratitude to my predecessor, Marion Candrea, for her outstanding leadership and dedication.

I am eager to continue to work alongside our talented board members, dedicated volunteers, and all of you—our valued members. Together, we will strive to enhance our professional development programs, expand our resources, and foster a community where knowledge and best practices are shared freely.

It was great to see so many of you at AuditCon 2024 in Atlanta, where we achieved a record-breaking 508 attendees! I sincerely thank our Professional Education Committee, speakers, strategic partners, exhibitors, and the ACUA Staff. The in-person interactions and sharing of knowledge were very inspiring and uplifting. We look forward to seeing everyone again in Oklahoma City from March 9-12 for Audit Interactive! Be on the lookout for information on the amazing content coming your way very soon!

I’d also like to give a huge congratulations to the Website Redesign Task Force, the Logo Refresh Task Force, and the ACUA Staff for their astonishing work this past year. The new ACUA website is a breath of fresh air. I hope all our ACUA Members find the navigation to ACUA’s resources more streamlined and user-friendly.

Finally, I’d like to thank our members who completed the Member Needs Assessment Survey this past summer. The responses will be instrumental as the board comes together in the spring to create ACUA’s Strategic Planning for 2025 – 2027. I encourage you to share additional ideas, feedback, and aspirations with me and the board. Together, we will make ACUA an even stronger and more vibrant organization.

Thank you for your trust and support. I look forward to serving you and working together to advance our profession.

Wishing you all a very happy and prosperous holiday season.

Laura Buchhorn, University of Texas at San Antonio

ACUA President

Letter from the Editor – Fall 2024

Unintentionally, this issue has a theme of seeing things in a new light: changes so subtle that they could be missed, but that the trained auditor’s eye will notice.

Consider the new ACUA logo and brand identity. My favorite part of the design is the shield, purposefully representing auditors as protectors of our institutions. The network symbol also reminds us that we are stronger when we network with each other, as when members share their knowledge by replying to ConnectACUA posts.

In this issue, ACUA’s Outstanding Professional Contributions award winner, John McDaniel, challenges us to review policies and procedures in a new light to improve clarity and remove barriers to compliance. Priya Sall invites you to practice your professional skepticism skills, and Anthony Thompson gives a sneak peek into the proposed first IIA Topical Requirement on Cybersecurity.

Rachel Flenner and William Aurich from the ACUA Sidelines Committee break down key auditable areas in athletics, and I am sharing ways to add value by auditing your campus space utilization. Sponsor Baker Tilly highlights their video series on higher education internal audit challenges and explains how to navigate the updated NIST CSF 2.0 cybersecurity framework.

Don’t forget, the new IIA Global Internal Audit Standards take effect on January 9, 2025, and the AAP committee has prepared self-assessment guidance to help you get ready.

As we ease into winter and the middle of our fiscal years, it’s a great time to absorb all of the changes, see our profession in a new light, and pour yourself a hot, pumpkin-spiced beverage while you take it all in.

Sincerely,

Kara Hefner, Editor

Research Security Resources and Best Practices

As stewards of federal funding, institutions of higher education must play a role in protecting the security and integrity of the research enterprise. Maintaining an open and collaborative research environment is critical to fostering research discoveries and innovations that benefit the United States and the world. Simultaneously, this open environment must be balanced by guardrails that protect intellectual capital and prevent deceptive practices, foreign government influence, theft of research data, and unwanted knowledge transfer. Over the past few years, federal agencies have issued multiple guidance documents intended to support ongoing efforts to keep international research collaboration both open and secure.

Federal Agency Guidance

In December 2019, the National Science Foundation (NSF) released a report by the independent science advisory group JASON titled “Fundamental Research Security.” The report identified the need for a robust, coordinated approach to strengthen the integrity and security of the United States research enterprise by highlighting threats to basic research posed by foreign governments, which have taken actions that violate the principles of scientific ethics and research integrity. On January 14, 2021, National Security Presidential Memorandum-33 (NSPM-33) was issued, which directs a national response intended to improve research security efforts at federal agencies. Approximately one year later, on January 4, 2022, the Office of Science and Technology Policy (OSTP) issued “Guidance for Implementing NSPM-33 on National Security Strategy for United States Government Supported Research and Development” (NSPM-33 Guidance). The NSPM-33 Guidance aims to clarify requirements for federally funded researchers, set best practices at federal agencies to strengthen research security, and offer direction on five major areas of research security addressed by NSPM-33: disclosure requirements and standardization, digital persistent identifiers, consequences for disclosure requirement violations, information sharing, and research security programs at federally funded research institutions.

In March 2023, OSTP requested public comment on the “DRAFT Research Security Programs Standard Requirement” (Draft Memorandum), prepared by the Interagency Working Group on Research Security Programs. The requirement applies to any research organization whose component parts receive at least $50 million in Federal science and engineering support annually in the aggregate. As of March 2024, the final research security program requirements have not been published. However, as per the Draft Memorandum, covered research organizations will need to certify that they maintain a research security program which meets the requirements for foreign travel security, research security training, cybersecurity, and export control training. Additionally, they must:

  • Maintain a description of the finalized research security program made available on a publicly accessible website, with descriptions of each requirement.
  • Designate and provide contact information for a research security point of contact.
  • Maintain clear response procedures to address reported allegations of research security non-compliance.
  • Report incidents of research security violations to the federal awarding agency or agencies.
  • Establish or maintain international travel policies for covered individuals engaged in federally funded research and development (R&D) who are traveling internationally for organizational business, teaching, conference attendance, research purposes, or who receive offers of sponsored travel for research or professional purposes.
  • Implement research security training as a component of research security programs.
  • Implement baseline safeguarding protocols and procedures for information systems used to store, transmit, and conduct federally funded R&D.
  • Provide training to relevant personnel on requirements and processes for reviewing foreign sponsors, collaborators, and partnerships, and for ensuring compliance with Federal export control requirements and restricted entities lists.

The National Institute of Standards and Technology (NIST) released further guidance in August 2023 entitled “Safeguarding International Science Research Security Framework,” which establishes a set of recommended best practices and a methodology for implementing a risk-balanced, institutional research security program that addresses the requirements of NSPM-33. Additionally, the NSF has developed resources to enhance research security practices and implement research security provisions of the CHIPS and Science Act of 2022, including:

  • Prohibition of malign foreign government talent recruitment programs where, beginning in May 2024, investigators submitting a proposal for NSF funding will need to certify that they are not part of such a program and the proposing institution will need to certify that they have a means to assess faculty participation in malign foreign government talent recruitment programs.
  • The development of research security training modules for covered personnel (i.e., What is Research Security, Disclosure, Manage and Mitigate Risk, and International Collaboration research security training modules) currently available for the research community to use based on their needs.
  • Establishment of a research security and integrity information sharing and analysis organization called SECURE to be operational by the end of calendar year 2024 that will develop tools and provide information and services to the research community.
  • Establishment of Research on Research Security (RORS) program, where NSF seeks to fund research that will identify attributes that distinguish research security from research integrity, improve understanding of research security risks, provide insight into methods for identifying and preventing research security violations, and develop methods to assess the potential impact of research security threats on the U.S. economy, national security, and the research enterprise.
  • The requirement for institutions of higher education that receive NSF funding to report foreign financial transactions, including contracts and gifts, totaling over $50,000 per year from foreign sources associated with countries of concern. The first report is due July 31, 2024.
  • Prohibition of NSF funding to universities with Confucius Institutes, effective in 2025.

Research Security Best Practices

As research-focused institutions of higher education await the final research security program requirements, institutions should assess their current processes against the research security provisions and guidelines outlined in the aforementioned documents and implement best practices to strengthen and protect the security and integrity of the research enterprise. The Subcommittee on Research Security under the National Science & Technology Council Joint Committee on the Research Environment recommends the following practices for research institutions to effectively address threats to research security and integrity:

  • Demonstrate robust leadership and oversight that conveys the importance of research security and integrity.
  • Ensure an organizational approach to research security where responsibilities for research security span across the organization.
  • Establish research security and integrity working groups and task forces to develop and implement policies and practices.
  • Establish and operate a comprehensive research security program that includes elements of cyber security, foreign travel security, insider threat awareness and education, and export control training.
  • Establish and administer organizational policies regarding conflicts of interest, conflicts of commitment, and disclosure.
  • Require disclosure to the organization of all information necessary to identify and assess potential conflicts of interest and commitment, including affiliations and employment with outside entities, other support and current or pending participation in, or applications to, programs sponsored by foreign governments, including foreign government-sponsored talent recruitment programs.
  • Ensure compliance with requirements for reporting foreign gifts and contracts.
  • Provide researchers with responsible conduct of research training.
  • Promote awareness of circumstances and behaviors that may pose risk to research security and integrity.
  • Establish procedures to monitor for noncompliance with organizational policies.
  • Establish a centralized review and approval process for evaluating formal research partnerships.
  • Establish a risk-based security process for foreign travel review and guidance.
  • Develop and deploy requirements for vetting and securely hosting foreign visitors.
  • Identify and implement measures to improve data security, internal breach prevention, and incident response processes.

Internal Audit Approach to Mitigate Research Security Risks

Internal audit functions within research-focused institutions of higher education can help improve the organization’s research security posture by providing management and the board with independent and objective assurance on governance, risk management, and controls pertaining to research security. This includes assessing the overall effectiveness of the institution’s research security program to ensure compliance with all applicable federal laws, regulations, rules, and directives. Focus areas for internal audit may include:

  • Assessing organizational culture and tone at the top relative to research security priorities and directives.
  • Reviewing the results of risk assessments performed to assess the sensitivity of the institution’s research, including risks of theft, espionage, or foreign influence.
  • Evaluating the institution’s research security program against the NIST Safeguarding International Science Research Security Framework.
  • Comparing conflict of interest and commitment disclosures for key personnel to investigator certification questionnaire responses obtained during the proposal submission process to identify undisclosed appointments or affiliations with foreign institutions.
  • Assessing compliance with institutional policies (i.e., foreign travel, other support, export controls, visitors, intellectual property, or code of conduct).
  • Assessing compliance with institutional training requirements (i.e., conflict of interest and commitment, responsible conduct of research, export controls, electronic device security, research security, disclosure, risk mitigation, and international collaboration).
  • Conducting searches of open-source information to identify any key risk indicators for research associate appointments, including participation in a foreign talent or malign foreign talent recruitment program.
  • Reviewing research data handling, storage, and protection practices to ensure compliance with encryption protocols, data protection regulations, and privacy requirements.
  • Assessing compliance with reporting requirements for foreign gifts and contracts.
  • Evaluating the sufficiency of the institution’s incident response plan, communication protocols, and recovery procedures.

Council on Governmental Relations

In addition to guidance provided by federal agencies, the Council on Governmental Relations (COGR), an association of research universities, affiliated medical centers, and independent research institutes, has developed a Science and Security webpage to provide resources and analysis to assist member institutions in navigating requirements in this area. The webpage provides links to statutes, regulations, and other sources of legal requirements related to science and security, including links to federal research agency policy and guidance. Two recently updated COGR publications contain useful information regarding federal research security requirements:

Final Thought

As the timeline for issuance of final research security program requirements is uncertain, research-focused institutions of higher education should continue to engage with institutional leaders to determine how the new requirements may impact current processes and procedures and ensure appropriate steps are taken to protect the security and integrity of the research they conduct.

Letter from the Editor

Hello ACUA Members!

It’s April and spring is here! The flowers are blooming, the Carolina pine pollen is dropping, and we are enjoying the mild weather outdoors before the cicadas hatch en masse. April is also National Volunteer Month. It’s a great reminder to give back to your communities, whether on a professional or personal level. Volunteering has been on the decline, especially since the pandemic. The top reasons people are not volunteering are that they feel they do not have the time or cannot find meaningful assignments, but those fears can be eased by finding the right opportunities.

Our ACUA community has many volunteer committee openings right now, from historian to nominating committee, DEI leadership to standards and best practices. I’ve read that the number one reason people volunteer is because they’re asked, so let this be your invitation to try an ACUA committee. Complete the call for volunteers form in our new Committee Updates feature.

This is a great time to recognize the contributions of volunteers, like our fantastic C&U Journal team. I would like to thank Olga Polikarpova (University of Alaska) for serving as Deputy Editor before her departure from higher education. Former copy editor Tyler Morgan (Mississippi State University) volunteered to move into the Deputy Editor role and even penned his first article on improving workpaper documentation. I also wish to thank our copy editors for proofreading submitted articles, often on very short notice, sharing their writing talents: Susan Edinger (University of Toledo), Erica Smith and Amy Wilegus (both University of Tennessee), and newcomer Julee Otter (Oregon State University). If you would like to join our team, email editor@acua.org.

Every article this issue was written by an ACUA member volunteering their time to share their insight on emerging topics with their peers. Natalie Harrison (Rutgers) is a double volunteer this issue, contributing two must-read articles on DEI and tips for new internal auditors. From Qatar University, Saumy Thomas shares critical emerging risks in higher education and Carl Canlas (Church of Jesus Christ of Latter-day Saints) defines the agile auditing process. Beth Harry (Johns Hopkins) provides an in-depth look at research security best practices.

Volunteering is a great way to develop valuable skills, boost our well-being, and make a tangible impact in our community. Maybe we need to dig a bit deeper to find the right opportunities, like those cicadas did 13 and 17 years ago.

Sincerely,

Kara Hefner, Editor