Resources

Hello ACUA Members!
It’s April and spring is here! The flowers are blooming, the Carolina pine pollen is dropping, and we are enjoying the mild weather outdoors before the cicadas hatch en masse. April is also national volunteer month. It’s a great reminder to give back to your communities, whether on a professional or personal level. Volunteering has been on the decline, especially since the pandemic. The top reasons people are not volunteering is because they feel they do not have the time or cannot find meaningful assignments, but those fears can be eased by finding the right opportunities.

Our ACUA community has many volunteer committee openings right now, from historian to nominating committee, DEI leadership to standards and best practices. I’ve read that the number one reason people volunteer is because they’re asked, so let this be your invitation to try an ACUA committee. Complete the call for volunteers form in our new Committee Updates feature.

This is a great time to recognize the contributions of volunteers, like our fantastic C&U Journal team. I would like to thank Olga Polikarpova (University of Alaska) for serving as Deputy Editor before her departure from higher education. Former copy editor Tyler Morgan (Mississippi State University) volunteered to move into the Deputy Editor role and even penned his first article on improving workpaper documentation. I also wish to thank our copy editors for proofreading submitted articles, often on very short notice, sharing their writing talents: Susan Edinger (University of Toledo), Erica Smith and Amy Wilegus (both University of Tennessee), and newcomer Julee Otter (Oregon State University). If you would like to join our team, email editor@acua.org.

Every article this issue was written by an ACUA member volunteering their time to share their insight on emerging topics with their peers. Natalie Harrison (Rutgers) is a double volunteer this issue, contributing two must-read articles on DEI and tips for new internal auditors. From Qatar University, Saumy Thomas shares critical emerging risks in higher education and Carl Canlas (Church of Jesus Christ of Latter-day Saints) defines the agile auditing process. Beth Harry (Johns Hopkins) provides an in-depth look at research security best practices.

Volunteering is a great way to develop valuable skills, boost our well-being, and make a tangible impact in our community. Maybe we need to dig a bit deeper to find the right opportunities, like those cicadas did 13 and 17 years ago.

Sincerely,
Kara Hefner, Editor

Happy Spring, ACUA! I hope that everyone is packing away their cold-weather gear (depending on where you are in the country) and getting ready for flowers and sunshine. Personally, I love Spring. To me it represents new beginnings and fresh opportunities. So, in the spirit of Spring, if you have always wondered about volunteering but haven’t been sure where to begin, now is the time! A few weeks ago, ACUA sent out a “Call for Volunteers,” which listed over a dozen current volunteer opportunities. Take time to complete the survey here and a volunteer leader will be in touch with you!

On June 4^th we will hold our annual business meeting. This will be held virtually and is open to all active ACUA members. Various leaders from across the organization will provide valuable updates on items such as:

• State of ACUA
• Financial Updates
• Conference Trends

There will also be some exciting announcements, so be sure to attend if you are able! The presentation will be posted on ConnectACUA in the weeks following the meeting, should you not be able to attend.

Lastly, I’d like to thank our Professional Education Committee (PEC) for their tireless efforts to provide exceptionally relevant content to our members. Their work behind the scenes continues all year long, and that includes working with our management company to not only plan upcoming conferences, but also be thinking about future conferences. That said, I am excited to share that at the recommendation of PEC, we have finalized negotiations to host AuditCon 2025 in Louisville, Kentucky! Whether you prefer baseball bats or Derby hats, mark your calendar for September 14-19, 2025, for an in-person conference that is not to be missed. 

I hope everyone has a fantastic summer. I’ll look forward to seeing many of you in Atlanta, Georgia for AuditCon 2024 in September!

Marion Candrea, Boston University
ACUA President

The Association of College and University Auditor’s currently serves over 500 institutions of higher education in the United States, Canada, and abroad. Our members include schools of all sizes: from community colleges to large university systems, both public and private. Membership has grown tremendously over the past 76 years, when thirteen charter universities decided to share their professional knowledge with each other. ACUA Historian Toni Stephens explains how it all began:

On February 24, 1958, Fred Vorsanger from Purdue and Stanley Smith from the University of Illinois circulated the idea of forming a group to meet and discuss mutual audit issues to the other Big Ten schools of the time. The idea quickly spread, and the inaugural meeting of ACUA was held at the LaSalle Hotel in Chicago on Monday April 7, 1958. Lasting from 9:00am until 3:00pm, the meeting focused on reviews of internal audit reports in different areas of operation. Smith would become the first ACUA President.
Eleven people from the following eight Big Ten schools attended.

• University of Illinois
• University of Indiana
• University of Michigan
• Michigan State University
• University of Minnesota
• Northwestern University
• Ohio State University
• Purdue University

Though they did not attend the first meeting, the following schools became part of the thirteen charter members of ACUA:

• University of Chicago
• Iowa State University of Science and Technology
• University of Notre Dame
• Southern Illinois University
• University of Wisconsin

Shortly after the initial meetings, ACUA reached out to additional universities to join the group. In the last issue of the C&U Journal, the historian was looking for the oldest university membership certificate. No certificates from the original thirteen charter universities have been identified. The University of Mississippi still lays claim to displaying the oldest membership certificate from when they joined on September 10, 1959, just one year after the ACUA’s formation. Congratulations Ole Miss!

Starting a new job can be both exhilarating and daunting at first, and starting a new job as an internal auditor is no different. Internal audit is a unique and continuously evolving profession where internal auditors play a critical role in an organization’s operations and corporate governance. Internal auditors use their experience and knowledge of laws, regulations, and organizational policies to examine and analyze an organization’s financials and identify potential occurrences of noncompliance, fund misappropriation, and other risks to the organization. Becoming an internal auditor is rewarding and has a great opportunity for professional development and advancement. Here is what new internal auditors should do to be successful in their career.

Seek a mentor

All internal auditors, whether this is your first year as an internal auditor or you have over 25 years of auditing experience, can benefit from having a mentor. Mentors help internal auditors understand their profession and career opportunities. It is important to find a suitable mentor who has more industry experience, shares similar values or goals, and is someone you admire. The right mentor should be your biggest ally and have a passion for teaching while allowing you to be your own advocate.

Learn and understand the basics of internal auditing and how to conduct an audit

To begin in this field, you must learn the standards that govern the process. The IIA Standards on performance explain the processes for planning, performing, reporting, and following up on audit engagements. The sooner you become familiar with these concepts, the faster you will be able to understand and apply this knowledge for developing and performing internal audits.

Relax and stay calm

When starting a new job, internal auditors tend to put an immense amount of pressure on themselves to be perfect. Internal audit is known for having a steep learning curve, so new auditors should take a deep breath, relax, and know that you are not alone. There will be other auditors, managers, and directors to help you learn your department’s procedures and answer any questions you may have.

Know your limits and when to ask for help

One of the hardest things for new internal auditors to learn is when to speak up and ask for help. Auditing is very technical, and it is highly unlikely that a new internal auditor will be a compliance, accounting, or fraud expert overnight. Do not spend hours trying to figure things out on your own. Rather, seek guidance from a more experienced colleague who can help you. Knowing your limits and knowing when to ask for help can save you time and reduce frustration and misunderstandings.

Be eager to learn and develop new skills

As an internal auditor, you analyze a variety of processes and interact with all levels of employees and subject matter experts. Do not be afraid to ask questions that will help you understand what you are auditing. As time goes on and you gain more experience, you will learn that internal audit is about striking a balance between understanding the big picture and focusing on the small details. Having a good knowledge of your organization’s policies, procedures, and risks will make you a standout internal auditor.

Sharpen your communication skills

Although communication skills are essential in any job, internal audit requires developing two key skill sets: effective writing and effective interviewing. An internal auditor’s writing should be objective and clear, making compelling arguments that present your audit results effectively. For successful interviews, internal auditors must be prepared, ask the right questions, listen, take good notes, and confirm their understanding of the processes and controls being audited. It is also extremely important that the interview is not one-sided but flows naturally from both sides.

Be a sponge by listening and absorbing all the information

As an internal auditor, you will have the opportunity to interact with, and learn from, all levels of employees, including interns, associates, managers, VPs, and directors. You can learn something from everyone you encounter, so be open-minded and receptive. Take note of the valuable skills others possess, such as communication, organization, leadership, and networking skills and learn from them.

Volunteer and get involved in areas outside of your comfort zone

New internal auditors are usually assigned to a variety of different audit engagements before they begin to specialize in certain areas or become subject matter experts. Learn as much as possible from your different engagements, and volunteer to be put on engagements that are not so glamorous, ones you know nothing about, or topics you want to learn more about. By exploring different assignments, you may find a preference for a particular area and may have the opportunity to work with a subject matter expert. If you volunteer to get involved in areas you are unfamiliar with, management and others will take notice of the effort. Your passion may be hidden somewhere you would have not explored if you did not push yourself.

Join a professional network or organization

Consider joining networks or organizations that support and cater to your interests, professional growth, and development. These groups usually offer members training opportunities to help you enhance your skills and stay current on auditing news and publications. Becoming a member of network groups or organizations can also help you grow your professional network and learn about other career opportunities.

Enjoy the experience

You are only a new internal auditor for a brief time. The beginning of your internal audit experience should be embraced because there is no other time in your auditing career when so much knowledge is obtained in such a short period. In addition to the new experiences and learning curve, new auditors are exposed to a vast array of unique individuals with wonderful backgrounds and experiences. Embrace the relationships you develop and the things you learn along the way. But most importantly, enjoy the journey!

Time spent on one task is time we cannot spend on other tasks; this is the law of opportunity cost. As internal auditors with limited time and an almost infinite supply of things that demand our attention, it is imperative that we prioritize efficient time management practices. Audit documentation practices may often be overlooked but can account for a significant amount of time spent on each engagement. Excessive audit documentation does not add value to the engagement and expends valuable time that could alternatively be used to expand audit coverage and increase effectiveness. This article encourages auditors to review their current practices and look for ways to reduce excessive audit documentation.

First Horse, Then Cart

Before diving into a project to get rid of unnecessary audit documentation, it is important first to understand the primary purpose of audit documentation, along with the documentation requirements stipulated in the IIA’s Global Internal Audit Standards. Fortunately, the section addressing audit documentation in the most-recent Standards (released on January 9, 2024) is a relatively brief two pages, and the language is not overly prescriptive, which should allow internal audit shops flexibility when implementing their individual documentation practices. The Standards provide the primary purpose of audit documentation and define the target audience with Standard 14.6:

“Internal auditors must document information and evidence to support the engagement results. The analyses, evaluations, and supporting information relevant to an engagement must be documented such that an informed, prudent internal auditor, or similarly informed and competent person, could repeat the work and derive the same engagement results.”

The key takeaways here are that documentation should always focus on supporting the conclusions of the engagement, and that documentation can be structured in a way that assumes a large degree of competence on the individuals who rely on the documentation (e.g., workpaper reviewers). If documentation does not support the engagement results, then it likely is not necessary and should be omitted from the workpapers. The Standards make it clear that the documentation can be tailored to a highly competent audience. Since a highly competent audience can be expected to more easily read between the lines, auditors may be able to significantly reduce the amount of detail included in the workpapers and thereby save lots of time for both the preparer and reviewer.

For those who comply with the IIA’s Standards, it is mandatory that their audit documentation practices meet or exceed the requirements. However, any additional time auditors spend on exceeding the Standards’ requirements is time that cannot be spent addressing other important audit priorities. While it may make sense for audit documentation to occasionally be more robust than that prescribed by the Standards, auditors would be wise to periodically assess their documentation procedures and determine where the fat can be trimmed.

The remainder of this article provides concrete examples for auditors to consider when examining their audit documentation protocols.

Just Say No to Redundancies

Documenting something on more than one workpaper at least doubles the work for both the preparer and reviewer. Therefore, much time and effort can be reduced by simply looking for redundancies in workpapers.

A good place to start is audit findings, since these may often be documented in multiple locations, including supporting source documentation, testing workpapers, audit programs, audit software widgets, etc. It may be sufficient to document audit findings in only one location, such as in an audit program or findings summary document. Remember that auditors should only include enough documentation so that a competent auditor could replicate their results. For a simpler finding or one that occurs frequently in many audits, a competent auditor might easily be able to reach the same conclusion with merely a brief reference to the finding in the audit program. Limiting redundant finding references will also make things go much more smoothly if the review process results in the modification, consolidation, or elimination of audit findings, as fewer workpapers will need to be modified.

Listing the full names and titles of individuals in multiple workpapers also adds extra time. While it does not take long to type out an individual’s full name and title, the time will really add up if names and titles of multiple individuals are listed on multiple workpapers. A simple hack is to use a name and titles index workpaper or organizational chart. This will allow the reviewer to reference a single workpaper to determine relevant employee titles, and preparers will not have to wonder whether they have already defined an employee’s title in documents where employees are mentioned multiple times, such as in process narratives.

Use Process Narratives Strategically – and Sparingly!

Usage of narrative structure has many benefits. In a recent interview with popular podcaster Lex Fridman, former Amazon CEO Jeff Bezos recounted how Amazon meetings often begin with executives reading a six-page, narratively structured memo on the topic at hand, in contrast to the conventional meeting structured around the ubiquitous PowerPoint presentation. Bezos points out a significant drawback of using tools like PowerPoint when discussing complex topics:

“[A] problem with PowerPoint[s], they’re often just bullet points. And you can hide a lot of sloppy thinking behind bullet points. When you have to write in complete sentences with narrative structure, it’s really hard to hide sloppy thinking. So…it forces the author to be at their best, and so you’re getting…their best thinking and then you don’t have to spend a lot of time trying to tease that thinking out of the person.”

Many of us can relate to Bezos’ mention of hiding sloppy thinking when broadly summarizing a topic. In contrast, having to elaborate our thoughts using a narrative format often blatantly reveals this sloppy thinking and prompts us to dig further and ask additional questions. Often the result is a much more solid understanding of the subject area than we would have otherwise had if we had not been writing with a narrative structure. In internal audit where auditors must quickly get up to speed on a multitude of complex topics, using narrative memos can clearly be a beneficial tool to help them better understand the audit area and increase the effectiveness of audits. This may especially be the case when dealing with more complex topics that demand extremely lucid analysis, so auditors should not necessarily shy away from using narrative memos when it is appropriate.

That said, it is important to consider the downsides of using narrative memos so that they do not become a drag on productivity and efficiency. While the benefits of narrative memos are vast, there is no such thing as a free lunch, and the substantial time it takes to prepare and review narrative memos must be weighed against these benefits. In that same interview, Bezos was quick to point out the significant costs of preparing the six-page narrative memos:

“It’s hard to write a six-page memo. A good six-page memo might take two weeks to write. You have to write it, you have to rewrite it, you have to edit it, you have to talk to people about it.”

Bezos’ description of the challenges of writing a good narrative memo will not come as a surprise to anyone who has had to write a memo on a complex audit topic. With that in mind, auditors should carefully weigh the pros of using the narrative format with the fact that using it may add substantial time to the audit. Consideration should be given to both the complexity of the topic or process to be covered, along with its importance as support for the overall audit conclusions. If the topic or process scores low on both criteria — that is, if it is a relatively simple topic or process and is not critical for support of important audit conclusions — then consider whether it can be more efficiently summarized via another medium, such as covering it in an audit program step or with a basic process map.

If the narrative format ultimately is used, though, reviewers should not hesitate to give constructive feedback to audit staff who include too much irrelevant information. This feedback will ensure that audit staff always have management’s priority for conciseness at top of mind.

An Audit is Not a Criminal Trial

To be convicted of a crime in the U.S., one must be proven guilty beyond a reasonable doubt. Not so for audit findings, especially in internal audit. While audit documentation should clearly demonstrate how conclusions were determined, it is not always necessary to consider all possible alternatives and defenses to identified issues. This is especially the case when issues have been discussed with management as they have been uncovered and everyone agrees with the findings. It is also important to remember that internal auditors typically prioritize a proactive focus in their engagements. Auditors need to identify which processes and controls are broken so that they can be fixed, not because they want to point fingers and demonize employees for their past mistakes. Often, more time should be spent working with management to ensure they implement audit recommendations that mitigate risks identified during the audit than on documenting evidence for audit findings.

The Little Things

Be on the lookout for small inefficiencies that may add up. For instance, if multiple auditors rely on the same procedures, consider developing a standard tick mark legend that can be copied and pasted into each audit, rather than having auditors manually create one for each individual audit. Watch for over-referencing or over-ticking, considering whether a prudent auditor could follow the workpapers without the extra work. Consider annotating the first document in a large sample as a guide for finding the information in the rest of the sample. Ensure auditors are not spending too much time on PDFs with excessive highlighting, boxing, and linking that does not actually make it easier for that competent reviewer to understand the work performed. While it may be tempting for reviewers to ignore the little things to avoid seeming pedantic, keep in mind that these things add up. This is especially true if internal audit shops are in the habit of always adding rather than subtracting.

Addition by Subtraction

In his 2021 book, “Subtract: The Untapped Science of Less,” author Leidy Klotz points out the human tendency to add things rather than subtract. While addition is often necessary and useful, we often fail to consider subtraction as an option, even in cases when it may be more apt. Klotz makes it clear that he is not prioritizing one over the other, but notes that since we so often fail to consider subtraction as an option, there is much “untapped potential” to be gained by simplifying. If auditors only focus on what they can add to enhance their documentation, they might be missing easy improvements. Do not ignore that low hanging fruit! Consider which audit documentation can be subtracted to make audits more efficient and effective.