ACUA 2024 Award Winners and Board Members

By C&U Journal Staff

Congratulations to the following 2024 award winners and new board members announced during AuditCon in Atlanta:

Outstanding Professional Contributions Award

John McDaniel is currently the Director of Internal Audit at the University of Alabama System and has 25 years of experience in higher education and academic medical center administration, compliance, and risk management. Since 2021, John has been a key member of the ACUA Professional Education Committee, contributing to the success of several AuditCon events, and currently serves as the Director of Audit Interactive. John also plays an active role on the ACUA Standards and Best Practices Committee, was instrumental in founding the ACUA Sideline Committee alongside other ACUA members and has published many articles in the ACUA journal and for other organizations. John is also a dedicated participant and leader in external Quality Assurance initiatives for fellow ACUA members and has served in leadership roles outside of ACUA.

Rising Star Awards

Jocelyn Edge joined the Duke University internal audit department in 2021 and has embraced the higher education industry. Jocelyn has already made significant contributions to ACUA by serving as a presenter at several AuditCons. Serving on the Communications Committee, Jocelyn supports social media content creation, design, posting and coordination with other committees. She took the initiative to standardize social media request processes to ensure individuals and committees have a clear path to promote ACUA activities and announcements. She continues to develop innovative ways to increase content posting to reach our members across several platforms and is introducing video content to help engage members.

Erin Egan is the director of audit and advisory services for Rutgers University. Erin has been an active member of ACUA for the past ten years and was a member of the second cohort of the ACUA Leads program. Erin has served in a number of roles for ACUA over the years, including: Governmental Affairs committee co-chair, ACUA Journal article author, Conference speaker and proctor, and Mentor to other members. Erin has served as the director of the Auditing and Accounting Principles (AAP) sub-committee of the Standards and Best Practices committee, which has been focused on the changes to the IIA’s International Professional Practices Framework, specifically those to the new Global Internal Audit Standards.

Please make sure to congratulate our 2024 award winners and thank them for their outstanding work on behalf of ACUA and the profession!

New Board Members

The 2024-2025 ACUA Board of Directors officially assumed their new roles at AuditCon and thanked Melissa Hall, Emory University for her prior role as past-president. The 2024-2025 Board of Directors are: 

  • Laura Buchhorn, President, University of Texas at San Antonio
  • Nikki Pittman, Vice President, University of Alaska
  • Eulonda Whitmore, Secretary/Treasurer, Wayne State University
  • Marion Candrea, Immediate Past President, Boston University

ACUA thanked Deidre Melton for her past service as a board member and welcomed Amy Kozak in her new role. The Board Members-at-Large are:

  • Jana Clark, Kansas State University
  • Kara Kearney-Saylor, University of Buffalo
  • William Hancock, Jr., Auburn University
  • Andre’ McMillan, University of Delaware
  • Amy Kozak, University of California, Santa Cruz

ACUA committee chairs and sub-committee directors were also celebrated at AuditCon.

Letter from the President – Fall 2024

Dear ACUA Colleagues,

I am honored and excited to address you as the newly appointed ACUA President. As I step into this role, I am filled with a deep sense of responsibility and commitment to continue the legacy of excellence that ACUA represents. First and foremost, I would like to extend my heartfelt gratitude to my predecessor, Marion Candrea, for her outstanding leadership and dedication.

I am eager to continue to work alongside our talented board members, dedicated volunteers, and all of you—our valued members. Together, we will strive to enhance our professional development programs, expand our resources, and foster a community where knowledge and best practices are shared freely.

It was great to see so many of you at AuditCon 2024 in Atlanta, where we achieved a record-breaking 508 attendees! I sincerely thank our Professional Education Committee, speakers, strategic partners, exhibitors, and the ACUA Staff. The in-person interactions and sharing of knowledge were very inspiring and uplifting. We look forward to seeing everyone again in Oklahoma City from March 9-12 for Audit Interactive! Be on the lookout for information on the amazing content coming your way very soon!

I’d also like to give a huge congratulations to the Website Redesign Task Force, the Logo Refresh Task Force, and the ACUA Staff for their astonishing work this past year. The new ACUA website is a breath of fresh air. I hope all our ACUA Members find the navigation to ACUA’s resources more streamlined and user-friendly.

Finally, I’d like to thank our members who completed the Member Needs Assessment Survey this past summer. The responses will be instrumental as the board comes together in the spring to create ACUA’s Strategic Planning for 2025 – 2027. I encourage you to share additional ideas, feedback, and aspirations with me and the board. Together, we will make ACUA an even stronger and more vibrant organization.

Thank you for your trust and support. I look forward to serving you and working together to advance our profession.

Wishing you all a very happy and prosperous holiday season.

Laura Buchhorn, University of Texas at San Antonio

ACUA President

Letter from the Editor – Fall 2024

Unintentionally, this issue has a theme of seeing things in a new light. Changes so subtle that they could be missed, but the trained auditor eye will take notice.

Consider the new ACUA logo and brand identity. My favorite part of the design is the shield, purposefully representing auditors as protectors of our institutions. The network symbol also reminds us that we are stronger when we network with each other, as when members share their knowledge by replying to ConnectACUA posts.

In this issue, ACUA’s Outstanding Professional Contributions award winner, John McDaniel, challenges us to review policies and procedures in a new light to improve clarity and remove barriers to compliance. Priya Sall invites you to practice your professional skepticism skills, and Anthony Thompson gives a sneak peek into the proposed first IIA Topical Requirement on Cybersecurity.

Rachel Flenner and William Aurich from the ACUA Sidelines Committee break down key auditable areas in athletics, and I am sharing ways to add value by auditing your campus space utilization. Sponsor Baker Tilly highlights their video series on higher education internal audit challenges and explains how to navigate the updated NIST CSF 2.0 cybersecurity framework.

Don’t forget, the new IIA Global Internal Audit Standards take effect on January 9, 2025, and the AAP committee has prepared self-assessment guidance to help you get ready.

As we ease into winter and the middle of our fiscal years, it’s a great time to absorb all of the changes, see our profession in a new light, and pour yourself a hot, pumpkin-spiced beverage while you take it all in.

Sincerely,

Kara Hefner, Editor

Research Security Resources and Best Practices

As stewards of federal funding, institutions of higher education must play a role in protecting the security and integrity of the research enterprise. Maintaining an open and collaborative research environment is critical to fostering research discoveries and innovations that benefit the United States and the world. Simultaneously, this open environment must be balanced by guardrails that protect intellectual capital and prevent deceptive practices, foreign government influence, theft of research data, and unwanted knowledge transfer. Over the past few years, federal agencies have issued multiple guidance documents intended to support ongoing efforts to keep international research collaboration both open and secure.

Federal Agency Guidance

In December 2019, the National Science Foundation (NSF) released a report by the independent science advisory group JASON titled “Fundamental Research Security.” The report identified the need for a robust, coordinated approach to strengthen the integrity and security of the United States research enterprise by highlighting threats to basic research posed by foreign governments, which have taken actions that violate the principles of scientific ethics and research integrity. On January 14, 2021, the National Security Presidential Memorandum-33 (NSPM-33) was issued, which directs a national response intended to improve research security efforts at federal agencies. Approximately one year later, on January 4, 2022, the Office of Science and Technology Policy (OSTP) issued “Guidance for Implementing NSPM-33 on National Security Strategy for United States Government Supported Research and Development” (NSPM-33 Guidance). The NSPM-33 Guidance aims to clarify requirements for federally funded researchers, set best practices at federal agencies to strengthen research security, and offer direction on five major areas of research security addressed by NSPM-33: disclosure requirements and standardization, digital persistent identifiers, consequences for disclosure requirement violations, information sharing, and research security programs at federally funded research institutions.

In March 2023, OSTP requested public comment on the “DRAFT Research Security Programs Standard Requirement” (Draft Memorandum), prepared by the Interagency Working Group on Research Security Programs. The requirement applies to any research organization whose component parts receive at least $50 million in Federal science and engineering support annually in the aggregate. As of March 2024, the final research security program requirements have not been published. However, as per the Draft Memorandum, covered research organizations will need to certify they maintain a research security program which meets the requirements for foreign travel security, research security training, cybersecurity, and export control training. Additionally, they must:

  • Maintain a description of the finalized research security program made available on a publicly accessible website, with descriptions of each requirement.
  • Designate and provide contact information for a research security point of contact.
  • Maintain clear response procedures to address reported allegations of research security non-compliance.
  • Report incidents of research security violations to the federal awarding agency or agencies.
  • Establish or maintain international travel policies for covered individuals engaged in federally funded research and development (R&D) who are traveling internationally for organizational business, teaching, conference attendance, research purposes, or who receive offers of sponsored travel for research or professional purposes.
  • Implement research security training as a component of research security programs.
  • Implement baseline safeguarding protocols and procedures for information systems used to store, transmit, and conduct federally funded R&D.
  • Provide training to relevant personnel on requirements and processes for reviewing foreign sponsors, collaborators, and partnerships, and for ensuring compliance with Federal export control requirements and restricted entities lists.

The National Institute of Standards and Technology (NIST) released further guidance in August 2023 entitled “Safeguarding International Science Research Security Framework,” which establishes a set of recommended best practices and a methodology for implementing a risk-balanced, institutional research security program that addresses the requirements of NSPM-33. Additionally, the NSF has developed resources to enhance research security practices and implement research security provisions of the CHIPS and Science Act of 2022, including:

  • Prohibition of malign foreign government talent recruitment programs where, beginning in May 2024, investigators submitting a proposal for NSF funding will need to certify that they are not part of such a program and the proposing institution will need to certify that they have a means to assess faculty participation in malign foreign government talent recruitment programs.
  • The development of research security training modules for covered personnel (i.e., What is Research Security, Disclosure, Manage and Mitigate Risk, and International Collaboration research security training modules) currently available for the research community to use based on their needs.
  • Establishment of a research security and integrity information sharing and analysis organization called SECURE to be operational by the end of calendar year 2024 that will develop tools and provide information and services to the research community.
  • Establishment of Research on Research Security (RORS) program, where NSF seeks to fund research that will identify attributes that distinguish research security from research integrity, improve understanding of research security risks, provide insight into methods for identifying and preventing research security violations, and develop methods to assess the potential impact of research security threats on the U.S. economy, national security, and the research enterprise.
  • The requirement for institutions of higher education that receive NSF funding to report foreign financial transactions, including contracts and gifts, totaling over $50,000 per year from foreign sources associated with countries of concern. The first report is due July 31, 2024.
  • Prohibition of NSF funding to universities with Confucius Institutes, effective in 2025.

Research Security Best Practices

As research focused institutions of higher education await the final research security program requirements, institutions should assess their current processes against the research security provisions and guidelines outlined in the aforementioned documents and implement best practices to strengthen and protect the security and integrity of the research enterprise. The Subcommittee on Research Security under the National Science & Technology Council Joint Committee on the Research Environment recommends the following practices for research institutions to effectively address threats to research security and integrity:

  • Demonstrate robust leadership and oversight that conveys the importance of research security and integrity.
  • Ensure an organizational approach to research security where responsibilities for research security span across the organization.
  • Establish research security and integrity working groups and task forces to develop and implement policies and practices.
  • Establish and operate a comprehensive research security program that includes elements of cyber security, foreign travel security, insider threat awareness and education, and export control training.
  • Establish and administer organizational policies regarding conflicts of interest, conflicts of commitment, and disclosure.
  • Require disclosure to the organization of all information necessary to identify and assess potential conflicts of interest and commitment, including affiliations and employment with outside entities, other support and current or pending participation in, or applications to, programs sponsored by foreign governments, including foreign government-sponsored talent recruitment programs.
  • Ensure compliance with requirements for reporting foreign gifts and contracts.
  • Provide researchers with responsible conduct of research training.
  • Promote awareness of circumstances and behaviors that may pose risk to research security and integrity.
  • Establish procedures to monitor for noncompliance with organizational policies.
  • Establish a centralized review and approval process for evaluating formal research partnerships.
  • Establish a risk-based security process for foreign travel review and guidance.
  • Develop and deploy requirements for vetting and securely hosting foreign visitors.
  • Identify and implement measures to improve data security, internal breach prevention, and incident response processes.

Internal Audit Approach to Mitigate Research Security Risks

Internal audit functions within research focused institutions of higher education can help improve the organization’s research security posture by providing management and the board with independent and objective assurance on governance, risk management, and controls pertaining to research security. This includes assessing the overall effectiveness of the institution’s research security program to ensure compliance with all applicable federal laws, regulations, rules, and directives. Focus areas for internal audit may include:

  • Assessing organizational culture and tone at the top relative to research security priorities and directives.
  • Reviewing the results of risk assessments performed to assess the sensitivity of the institution’s research, including risks of theft, espionage, or foreign influence.
  • Evaluating the institution’s research security program against the NIST Safeguarding International Science Research Security Framework.
  • Comparing conflict of interest and commitment disclosures for key personnel to investigator certification questionnaire responses obtained during the proposal submission process to identify undisclosed appointments or affiliations with foreign institutions.
  • Assessing compliance with institutional policies (i.e., foreign travel, other support, export controls, visitors, intellectual property, or code of conduct).
  • Assessing compliance with institutional training requirements (i.e., conflict of interest and commitment, responsible conduct of research, export controls, electronic device security, research security, disclosure, risk mitigation, and international collaboration).
  • Conducting searches of open-source information to identify any key risk indicators for research associate appointments, including participation in a foreign talent or malign foreign talent recruitment program.
  • Reviewing research data handling, storage, and protection practices to ensure compliance with encryption protocols, data protection regulations, and privacy requirements.
  • Assessing compliance with reporting requirements for foreign gifts and contracts.
  • Evaluating the sufficiency of the institution’s incident response plan, communication protocols, and recovery procedures.

Council on Governmental Relations

In addition to guidance provided by federal agencies, the Council on Governmental Relations (COGR), an association of research universities, affiliated medical centers, and independent research institutes, has developed a Science and Security webpage to provide resources and analysis to assist member institutions in navigating requirements in this area. The webpage provides links to statutes, regulations, and other sources of legal requirements related to science and security, including links to federal research agency policy and guidance. Two recently updated COGR publications contain useful information regarding federal research security requirements:

Final Thought

As the timeline for issuance of final research security program requirements is uncertain, research focused institutions of higher education should continue to engage with institutional leaders to determine how the new requirements may impact current processes and procedures and ensure appropriate steps are taken to protect the security and integrity of the research they conduct.

Letter from the Editor

Hello ACUA Members!
It’s April and spring is here! The flowers are blooming, the Carolina pine pollen is dropping, and we are enjoying the mild weather outdoors before the cicadas hatch en masse. April is also national volunteer month. It’s a great reminder to give back to your communities, whether on a professional or personal level. Volunteering has been on the decline, especially since the pandemic. The top reasons people are not volunteering are that they feel they do not have the time or cannot find meaningful assignments, but those fears can be eased by finding the right opportunities.

Our ACUA community has many volunteer committee openings right now, from historian to nominating committee, DEI leadership to standards and best practices. I’ve read that the number one reason people volunteer is because they’re asked, so let this be your invitation to try an ACUA committee. Complete the call for volunteers form in our new Committee Updates feature.

This is a great time to recognize the contributions of volunteers, like our fantastic C&U Journal team. I would like to thank Olga Polikarpova (University of Alaska) for serving as Deputy Editor before her departure from higher education. Former copy editor Tyler Morgan (Mississippi State University) volunteered to move into the Deputy Editor role and even penned his first article on improving workpaper documentation. I also wish to thank our copy editors for proofreading submitted articles, often on very short notice, sharing their writing talents: Susan Edinger (University of Toledo), Erica Smith and Amy Wilegus (both University of Tennessee), and newcomer Julee Otter (Oregon State University). If you would like to join our team, email editor@acua.org.

Every article this issue was written by an ACUA member volunteering their time to share their insight on emerging topics with their peers. Natalie Harrison (Rutgers) is a double volunteer this issue, contributing two must-read articles on DEI and tips for new internal auditors. From Qatar University, Saumy Thomas shares critical emerging risks in higher education and Carl Canlas (Church of Jesus Christ of Latter-day Saints) defines the agile auditing process. Beth Harry (Johns Hopkins) provides an in-depth look at research security best practices.

Volunteering is a great way to develop valuable skills, boost our well-being, and make a tangible impact in our community. Maybe we need to dig a bit deeper to find the right opportunities, like those cicadas did 13 and 17 years ago.

Sincerely,
Kara Hefner, Editor

Letter from the President

Happy Spring, ACUA! I hope that everyone is packing away their cold-weather gear (depending on where you are in the country) and getting ready for flowers and sunshine. Personally, I love Spring. To me it represents new beginnings and fresh opportunities. So, in the spirit of Spring, if you have always wondered about volunteering but haven’t been sure where to begin, now is the time! A few weeks ago, ACUA sent out a “Call for Volunteers,” which listed over a dozen current volunteer opportunities. Take time to complete the survey here and a volunteer leader will be in touch with you!

On June 4th we will hold our annual business meeting. This will be held virtually and is open to all active ACUA members. Various leaders from across the organization will provide valuable updates on items such as:

  • State of ACUA
  • Financial Updates
  • Conference Trends

There will also be some exciting announcements, so be sure to attend if you are able! The presentation will be posted on ConnectACUA in the weeks following the meeting, should you not be able to attend.

Lastly, I’d like to thank our Professional Education Committee (PEC) for their tireless efforts to provide exceptionally relevant content to our members. Their work behind the scenes continues all year long, and that includes working with our management company to not only plan upcoming conferences, but also be thinking about future conferences. That said, I am excited to share that at the recommendation of PEC, we have finalized negotiations to host AuditCon 2025 in Louisville, Kentucky! Whether you prefer baseball bats or Derby hats, mark your calendar for September 14-19, 2025, for an in-person conference that is not to be missed. 

I hope everyone has a fantastic summer. I’ll look forward to seeing many of you in Atlanta, Georgia for AuditCon 2024 in September!

Marion Candrea, Boston University
ACUA President

Agile Auditing: Three Pillars for Effective Implementation

With the changing landscape of both internal and external audit environments, industry researchers are eager to suggest that the traditional waterfall approach to conducting audits needs to be adjusted to make way for a more flexible, responsive, transparent, and engaged audit process. G.L. Joshi believes agile auditing, when implemented effectively, can “elevate the performance and value of internal audits.” Agile auditing is based on the principles and values from agile methodologies used extensively in software development. It consists of focusing on individuals and interactions, working products and services, customer collaboration, and responding to change.

This methodology adapts to focus on the needs of the stakeholders, expedite audit cycles, reduce effort and time, and create less unnecessary documentation. Liz Berger, former Director at Protiviti, explained that as an alternative to the traditional and sequential waterfall process, agile auditing does not necessarily change what auditors do, but how an audit is done. Agile auditing can offer opportunities to evolve auditing with the times. Agile auditing’s application to audit, risk, and compliance, and effective implementation relies on three pillars: risk-based audits, stakeholder management, and agile ceremonies.

Figure 1. Three Pillars of Agile Auditing: risk-based audits, stakeholder management, and agile ceremonies

Risk-Based Audits

A crucial step for internal auditors is to prioritize and audit the highest risk to the organization. Auditors need to focus on the areas most likely to impact the organization’s business objectives. Effective audits result from the application of key aspects in risk-based auditing including risk identification and assessment, risk-based audit plan, testing and evaluation, and reporting and communication.

Spiros Alexiou explained in an ISACA article that agile models involve the bare minimum required documentation, making the process more streamlined. This, in turn, gives the auditors an opportunity to focus on the “insights, risks, and opportunities that stakeholders need,” according to Galvanize (now Diligent). Joshi also emphasized that agile auditing enables auditors to become more flexible and adaptive as they are able to check their progress in short intervals instead of waiting until the whole audit process has been completed, thus increasing value and risk-specific insights. When applied to higher education audits, for example, an agile audit can improve risk management practices across the institution. Agile audit practices can enable colleges and universities to identify, assess, and mitigate risks more effectively, safeguarding the institution’s assets, reputation, and compliance with regulatory requirements.

Stakeholder Management

There is an art and a science in managing both internal and external audit stakeholders. Identification and prioritization of impacted stakeholders is an important step. The level of stakeholder influence and interest in the audit process can influence the success or failure of an audit. Hence, it is important to manage expectations proactively by fostering collaboration and engagement. There needs to be a clear and timely communication channel tailored to each stakeholder’s specific needs and information level. Most importantly, auditors need to invest time in building and maintaining positive relationships with key stakeholders using skills such as regular engagement, professionalism, and empathy when addressing stakeholder concerns.

For agile auditing to be implemented successfully, KPMG notes that the vision must be shared by top management and leadership, auditors, and clients. DBS, the largest bank in Singapore and Southeast Asia, was one of the early adopters of agile auditing. According to DBS, the secret to their successful implementation was the supportive tone from management across the board, auditors who fully immersed themselves in the methodology, and clients who were knowledgeable of agile auditing, which allowed for close collaboration. As a result, the DBS Internal Audit team was able to boost the number and gravity of the risks they found, which improved the level of audit assurance they were able to provide to their stakeholders. In the bigger scheme, the process does not really change, but auditors become more equipped and knowledgeable about where to look harder.

Agile Ceremonies

The ceremonies within agile auditing facilitate effective communication, collaboration, and planning within Agile Teams. The four main Agile ceremonies are: Sprint Planning, Daily Stand-up, Sprint Review and Sprint Retrospective/Lessons Learned.

  • Sprint Planning’s goal is to prioritize the highest risks and define the scope for the upcoming schedule/sprint. It requires audit teams to estimate the work according to their personal velocity and bandwidth.
  • Daily Stand-ups help the audit team identify roadblocks and adjust plans as needed. Each team member focuses on three main questions: what I worked on yesterday, what I will work on today, and what roadblocks prevent me from completing assigned audit work.
  • Sprint Review showcases the completed work and gathers feedback for completed audit workpapers and reports. This allows the audit management team to strategize and define the next audit work to be completed.
  • Sprint Retrospective allows the team to identify areas for improvement and agree on action items for implementation in the next sprint.

KPMG describes how a global banking institution implemented agile auditing by organizing daily stand-up meetings within the audit teams. This allowed them to evaluate whether the execution and performance corresponded with planning. These daily stand-up meetings gave the teams an opportunity to check for bottlenecks, assess prioritization, and provide feedback. They also organized a bi-weekly “market place” where sprint reviews were evaluated and discussed with all the teams involved so they could review the total audit plan’s progress and provide mutual feedback.

Agile auditing is more than the ceremonies, as it also must work hand-in-hand with risk-based audits and effective stakeholder management. Success in agile auditing requires an agile mindset, dedicated to continuous improvement.

References

Joshi, P. L. (2021). A review of agile internal auditing: Retrospective and prospective. International Journal of Smart Business and Technology, 9(2), 13 – 32.
KPMG. (2020, October). Agile internal audit. White paper on working Agile within internal audit functions. https://assets.kpmg.com/content/dam/kpmg/cn/pdf/en/2020/10/agile-internal-audit-white-paper-on-working-agile-within-internal-audit-functions-part-2.pdf
Deloitte. (2017). Becoming agile: A guide to elevating internal audit’s performance and value. https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/finance/deloitte-uk-understanding-agile-ia.pdf
Berger, L. (2020, January 2020). Agile internal audit: How to audit at the speed of risk. Protiviti. https://blog.protiviti.com/2020/01/27/agile-internal-audit-how-to-audit-at-the-speed-of-risk/
Galvanize. (2019, April 23). An overview of agile auditing. Galvanize. https://www.wegalvanize.com/audit/an-overview-of-agile-auditing/
Alexiou, S. (2017). Agile audit. ISACA Journal (2), 27 – 35. https://www.isaca.org/resources/isaca-journal/issues/2017/volume-2/agile-audit

ACUA Committee Updates

Join ACUA in making a positive impact! We are looking for dedicated individuals to volunteer and contribute their skills to the organization. Whether you have experience in community outreach, research and analytics, or digital marketing, your passion and commitment are needed. If you’re interested in becoming an ACUA volunteer, please review the current volunteer openings and complete the ACUA Call for Volunteers survey.

Communications Committee

  • The Connect ACUA forum has many communities that focus on small shops, data analytics, AutoAudit users, Workday ERP, athletics, and more. Click on the “communities” tab and join a group for tailored questions and answers.

Diversity and Inclusive Leadership Committee

  • The committee recently sent a survey to ACUA members regarding DEI and kindly requests that you complete the survey.

Membership/Mentorship Program

  • The ACUA mentorship program is seeking new mentors and mentees to share university auditing career guidance and support. This program is open to all members of any size audit shop. To inquire about the program or get matched with a mentor/mentee, please contact program director Earl Jackson at earl.jackson@unc.edu.

Professional Education Committee

  • The 2024 ACUA AuditCon Conference will be held in-person September 15-19, 2024, at the Westin Peachtree in Atlanta, GA.
  • The 2025 ACUA AuditCon will be in Louisville, KY on September 14-19, 2025.

Standards & Best Practice Committee

Auditing & Accounting Principles Subcommittee

  • The IIA released the new Global Internal Audit Standards on January 9, 2024. While they do not take effect until January 9, 2025, the IIA is encouraging early adoption.
  • The first IIA Topical Requirement on Cybersecurity has been released in draft format and is open to public comments until July 3, 2024. Read the draft and provide your comments.

Kick Starter Subcommittee

  • Three new kick starters have recently dropped:
    • Travel Expense Review by Toni Stephens, The University of Texas at Dallas, in December 2023
    • Banner User Access by Annette Alboreo, Kent State University, in January 2024
    • Student Free Speech and Expression Events by John Winn, University of South Carolina, in March 2024

Virtual Learning Subcommittee

  • Upcoming webinars:
    • Fort Hill will discuss Subcontractor Bidding Process: Contract Controls and Auditing on June 20, 2024.

How Did ACUA Begin?

The Association of College and University Auditors currently serves over 500 institutions of higher education in the United States, Canada, and abroad. Our members include schools of all sizes: from community colleges to large university systems, both public and private. Membership has grown tremendously over the past 76 years, when thirteen charter universities decided to share their professional knowledge with each other. ACUA Historian Toni Stephens explains how it all began:

On February 24, 1958, Fred Vorsanger from Purdue and Stanley Smith from the University of Illinois circulated the idea of forming a group to meet and discuss mutual audit issues to the other Big Ten schools of the time. The idea quickly spread, and the inaugural meeting of ACUA was held at the LaSalle Hotel in Chicago on Monday, April 7, 1958. Lasting from 9:00am until 3:00pm, the meeting focused on reviews of internal audit reports in different areas of operation. Smith would become the first ACUA President.

Eleven people from the following eight Big Ten schools attended:

  • University of Illinois
  • University of Indiana
  • University of Michigan
  • Michigan State University
  • University of Minnesota
  • Northwestern University
  • Ohio State University
  • Purdue University

Though they did not attend the first meeting, the following schools became part of the thirteen charter members of ACUA:

  • University of Chicago
  • Iowa State University of Science and Technology
  • University of Notre Dame
  • Southern Illinois University
  • University of Wisconsin

Shortly after the initial meetings, ACUA reached out to additional universities to join the group. In the last issue of the C&U Journal, the historian was looking for the oldest university membership certificate. No certificates from the original thirteen charter universities have been identified. The University of Mississippi still lays claim to displaying the oldest membership certificate from when they joined on September 10, 1959, just one year after the ACUA’s formation. Congratulations Ole Miss!

Earliest ACUA member certificate on record.

Tips for New Internal Auditors

Starting a new job can be both exhilarating and daunting at first, and starting a new job as an internal auditor is no different. Internal audit is a unique and continuously evolving profession where internal auditors play a critical role in an organization’s operations and corporate governance. Internal auditors use their experience and knowledge of laws, regulations, and organizational policies to examine and analyze an organization’s financials and identify potential occurrences of noncompliance, fund misappropriation, and other risks to the organization. Becoming an internal auditor is rewarding and offers great opportunity for professional development and advancement. Here is what new internal auditors should do to be successful in their careers.

Seek a mentor

All internal auditors, whether this is your first year as an internal auditor or you have over 25 years of auditing experience, can benefit from having a mentor. Mentors help internal auditors understand their profession and career opportunities. It is important to find a suitable mentor who has more industry experience, shares similar values or goals, and is someone you admire. The right mentor should be your biggest ally and have a passion for teaching while allowing you to be your own advocate.

Learn and understand the basics of internal auditing and how to conduct an audit

To begin in this field, you must learn the standards that govern the process. The IIA Standards on performance explain the processes for planning, performing, reporting, and following up on audit engagements. The sooner you become familiar with these concepts, the faster you will be able to understand and apply this knowledge for developing and performing internal audits.

Relax and stay calm

When starting a new job, internal auditors tend to put an immense amount of pressure on themselves to be perfect. Internal audit is known for having a steep learning curve, so take a deep breath, relax, and know that you are not alone. There will be other auditors, managers, and directors to help you learn your department’s procedures and answer any questions you may have.

Know your limits and when to ask for help

One of the hardest things for new internal auditors to learn is when to speak up and ask for help. Auditing is very technical, and it is highly unlikely that a new internal auditor will be a compliance, accounting, or fraud expert overnight. Do not spend hours trying to figure things out on your own. Rather, seek guidance from a more experienced colleague who can help you. Knowing your limits and knowing when to ask for help can save you time and reduce frustration and misunderstandings.

Be eager to learn and develop new skills

As an internal auditor, you analyze a variety of processes and interact with all levels of employees and subject matter experts. Do not be afraid to ask questions that will help you understand what you are auditing. As time goes on and you gain more experience, you will learn that internal audit is about striking a balance between understanding the big picture and focusing on the small details. Having a good knowledge of your organization’s policies, procedures, and risks will make you a standout internal auditor.

Sharpen your communication skills

Although communication skills are essential in any job, internal audit requires developing two key skill sets: effective writing and effective interviewing. An internal auditor’s writing should be objective and clear, making compelling arguments that present your audit results effectively. For successful interviews, internal auditors must be prepared, ask the right questions, listen, take good notes, and confirm their understanding of the processes and controls being audited. It is also extremely important that the interview is not one-sided but flows naturally from both sides.

Be a sponge by listening and absorbing all the information

As an internal auditor, you will have the opportunity to interact with, and learn from, all levels of employees, including interns, associates, managers, VPs, and directors. You can learn something from everyone you encounter, so be open-minded and receptive. Take note of the valuable skills others possess, such as communication, organization, leadership, and networking skills, and learn from them.

Volunteer and get involved in areas outside of your comfort zone

New internal auditors are usually assigned to a variety of different audit engagements before they begin to specialize in certain areas or become subject matter experts. Learn as much as possible from your different engagements, and volunteer to be put on engagements that are not so glamorous, ones you know nothing about, or topics you want to learn more about. By exploring different assignments, you may find a preference for a particular area and may have the opportunity to work with a subject matter expert. If you volunteer to get involved in areas you are unfamiliar with, management and others will take notice of the effort. Your passion may be hidden somewhere you would not have explored if you did not push yourself.

Join a professional network or organization

Consider joining networks or organizations that support and cater to your interests, professional growth, and development. These groups usually offer members training opportunities to help you enhance your skills and stay current on auditing news and publications. Becoming a member of network groups or organizations can also help you grow your professional network and learn about other career opportunities.

Enjoy the experience

You are only a new internal auditor for a brief time. The beginning of your internal audit experience should be embraced because there is no other time in your auditing career when so much knowledge is obtained in such a short period. In addition to the new experiences and learning curve, new auditors are exposed to a vast array of unique individuals with wonderful backgrounds and experiences. Embrace the relationships you develop and the things you learn along the way. But most importantly, enjoy the journey!