On the Merits of Subtraction, a Discussion of Audit Documentation

Time spent on one task is time we cannot spend on other tasks; this is the law of opportunity cost. As internal auditors with limited time and an almost infinite supply of things that demand our attention, it is imperative that we prioritize efficient time management practices. Audit documentation practices may often be overlooked but can account for a significant amount of time spent on each engagement. Excessive audit documentation does not add value to the engagement and expends valuable time that could alternatively be used to expand audit coverage and increase effectiveness. This article encourages auditors to review their current practices and look for ways to reduce excessive audit documentation.

First Horse, Then Cart

Before diving into a project to get rid of unnecessary audit documentation, it is important first to understand the primary purpose of audit documentation, along with the documentation requirements stipulated in the IIA’s Global Internal Audit Standards. Fortunately, the section addressing audit documentation in the most-recent Standards (released on January 9, 2024) is a relatively brief two pages, and the language is not overly prescriptive, which should allow internal audit shops flexibility when implementing their individual documentation practices. The Standards provide the primary purpose of audit documentation and define the target audience with Standard 14.6:

“Internal auditors must document information and evidence to support the engagement results. The analyses, evaluations, and supporting information relevant to an engagement must be documented such that an informed, prudent internal auditor, or similarly informed and competent person, could repeat the work and derive the same engagement results.”

The key takeaways here are that documentation should always focus on supporting the conclusions of the engagement, and that documentation can be structured in a way that assumes a large degree of competence on the part of the individuals who rely on the documentation (e.g., workpaper reviewers). If documentation does not support the engagement results, then it likely is not necessary and should be omitted from the workpapers. The Standards make it clear that the documentation can be tailored to a highly competent audience. Since a highly competent audience can be expected to more easily read between the lines, auditors may be able to significantly reduce the amount of detail included in the workpapers and thereby save lots of time for both the preparer and reviewer.

For those who comply with the IIA’s Standards, it is mandatory that their audit documentation practices meet or exceed the requirements. However, any additional time auditors spend on exceeding the Standards’ requirements is time that cannot be spent addressing other important audit priorities. While it may make sense for audit documentation to occasionally be more robust than that prescribed by the Standards, auditors would be wise to periodically assess their documentation procedures and determine where the fat can be trimmed.

The remainder of this article provides concrete examples for auditors to consider when examining their audit documentation protocols.

Just Say No to Redundancies

Documenting something on more than one workpaper at least doubles the work for both the preparer and reviewer. Therefore, much time and effort can be saved by simply looking for redundancies in workpapers.

A good place to start is audit findings, since these may often be documented in multiple locations, including supporting source documentation, testing workpapers, audit programs, audit software widgets, etc. It may be sufficient to document audit findings in only one location, such as in an audit program or findings summary document. Remember that auditors should only include enough documentation so that a competent auditor could replicate their results. For a simpler finding or one that occurs frequently in many audits, a competent auditor might easily be able to reach the same conclusion with merely a brief reference to the finding in the audit program. Limiting redundant finding references will also make things go much more smoothly if the review process results in the modification, consolidation, or elimination of audit findings, as fewer workpapers will need to be modified.

Listing the full names and titles of individuals in multiple workpapers also adds extra time. While it does not take long to type out an individual’s full name and title, the time will really add up if names and titles of multiple individuals are listed on multiple workpapers. A simple hack is to use a name and titles index workpaper or organizational chart. This will allow the reviewer to reference a single workpaper to determine relevant employee titles, and preparers will not have to wonder whether they have already defined an employee’s title in documents where employees are mentioned multiple times, such as in process narratives.

Use Process Narratives Strategically – and Sparingly!

Usage of narrative structure has many benefits. In a recent interview with popular podcaster Lex Fridman, former Amazon CEO Jeff Bezos recounted how Amazon meetings often begin with executives reading a six-page, narratively structured memo on the topic at hand, in contrast to the conventional meeting structured around the ubiquitous PowerPoint presentation. Bezos points out a significant drawback of using tools like PowerPoint when discussing complex topics:

“[A] problem with PowerPoint[s], they’re often just bullet points. And you can hide a lot of sloppy thinking behind bullet points. When you have to write in complete sentences with narrative structure, it’s really hard to hide sloppy thinking. So…it forces the author to be at their best, and so you’re getting…their best thinking and then you don’t have to spend a lot of time trying to tease that thinking out of the person.”

Many of us can relate to Bezos’ mention of hiding sloppy thinking when broadly summarizing a topic. In contrast, having to elaborate our thoughts using a narrative format often blatantly reveals this sloppy thinking and prompts us to dig further and ask additional questions. Often the result is a much more solid understanding of the subject area than we would have otherwise had if we had not been writing with a narrative structure. In internal audit where auditors must quickly get up to speed on a multitude of complex topics, using narrative memos can clearly be a beneficial tool to help them better understand the audit area and increase the effectiveness of audits. This may especially be the case when dealing with more complex topics that demand extremely lucid analysis, so auditors should not necessarily shy away from using narrative memos when it is appropriate.

That said, it is important to consider the downsides of using narrative memos so that they do not become a drag on productivity and efficiency. While the benefits of narrative memos are vast, there is no such thing as a free lunch, and the substantial time it takes to prepare and review narrative memos must be weighed against these benefits. In that same interview, Bezos was quick to point out the significant costs of preparing the six-page narrative memos:

“It’s hard to write a six-page memo. A good six-page memo might take two weeks to write. You have to write it, you have to rewrite it, you have to edit it, you have to talk to people about it.”

Bezos’ description of the challenges of writing a good narrative memo will not come as a surprise to anyone who has had to write a memo on a complex audit topic. With that in mind, auditors should carefully weigh the pros of using the narrative format against the fact that using it may add substantial time to the audit. Consideration should be given to both the complexity of the topic or process to be covered and its importance as support for the overall audit conclusions. If the topic or process scores low on both criteria — that is, if it is a relatively simple topic or process and is not critical for support of important audit conclusions — then consider whether it can be more efficiently summarized via another medium, such as covering it in an audit program step or with a basic process map.

If the narrative format ultimately is used, though, reviewers should not hesitate to give constructive feedback to audit staff who include too much irrelevant information. This feedback will ensure that audit staff always have management’s priority for conciseness at top of mind.

An Audit is Not a Criminal Trial

To be convicted of a crime in the U.S., one must be proven guilty beyond a reasonable doubt. Not so for audit findings, especially in internal audit. While audit documentation should clearly demonstrate how conclusions were determined, it is not always necessary to consider all possible alternatives and defenses to identified issues. This is especially the case when issues have been discussed with management as they have been uncovered and everyone agrees with the findings. It is also important to remember that internal auditors typically prioritize a proactive focus in their engagements. Auditors need to identify which processes and controls are broken so that they can be fixed, not because they want to point fingers and demonize employees for their past mistakes. Often, more time should be spent working with management to ensure they implement audit recommendations that mitigate risks identified during the audit than on documenting evidence for audit findings.

The Little Things

Be on the lookout for small inefficiencies that may add up. For instance, if multiple auditors rely on the same procedures, consider developing a standard tick mark legend that can be copied and pasted into each audit, rather than having auditors manually create one for each individual audit. Watch for over-referencing or over-ticking, considering whether a prudent auditor could follow the workpapers without the extra work. Consider annotating the first document in a large sample as a guide for finding the information in the rest of the sample. Ensure auditors are not spending too much time on PDFs with excessive highlighting, boxing, and linking that does not actually make it easier for that competent reviewer to understand the work performed. While it may be tempting for reviewers to ignore the little things to avoid seeming pedantic, keep in mind that these things add up. This is especially true if internal audit shops are in the habit of always adding rather than subtracting.

Addition by Subtraction

In his 2021 book, “Subtract: The Untapped Science of Less,” author Leidy Klotz points out the human tendency to add things rather than subtract. While addition is often necessary and useful, we often fail to consider subtraction as an option, even in cases when it may be more apt. Klotz makes it clear that he is not prioritizing one over the other, but notes that since we so often fail to consider subtraction as an option, there is much “untapped potential” to be gained by simplifying. If auditors only focus on what they can add to enhance their documentation, they might be missing easy improvements. Do not ignore that low hanging fruit! Consider which audit documentation can be subtracted to make audits more efficient and effective.

Emerging Risks of Higher Education that Auditors Need to Know

Higher education institutions play a vital role in an individual’s intellectual development as well as reshaping societal progress by offering advanced knowledge and skillsets that foster critical thinking and contributions to research and innovation. Serving as centers for academic and cultural exchange, higher education institutions are looked up to as catalysts for positive changes in the job market and drivers of humankind.
 
In recent times, higher education has been exposed to various emerging risks. Due to the nature of these risks, each one requires a concentrated approach for review. In this article, we investigate the following key risks that higher education auditors need to be aware of.

Impact of Digitalization

The rapid pace of technological advancement requires higher education institutions to stay abreast of digital trends, as universities increasingly rely on digital infrastructure and must manage vast amounts of student data. Technology integration, if hindered at varying infrastructure levels, can contribute to a digital divide for higher education institutions. Auditors need to evaluate the adequacy of the institution’s technology landscape for information flow effectiveness and utilization of emerging technologies such as generative AI, blockchain, and cloud computing. Furthermore, protecting sensitive student data, research information, and financial records is crucial. Regular assessment of cybersecurity measures, incident reporting, response plans, and compliance with data protection law should be performed. Robust data governance practices and institutional data safeguarding protocols are paramount.

Shifts in Job Market Dynamics

Technological advancements, particularly in the fields of automation, biotechnology, and renewable energy, pose both opportunities and challenges for higher education. Even though these innovations offer potential for groundbreaking research and education programs, higher education institutions must adapt curricula to meet evolving industry demands, ensuring that the graduates possess relevant skills. They also need to collaborate with industry partners to align education with the evolving job markets. As auditors, we need to be able to evaluate the effectiveness of the academic program review process established in the institution for regular curriculum updates. To mitigate this risk, we need to incorporate periodic reviews focused on fostering critical thinking and adaptability of curricula.

Impact of Global Events and Climate Changes

The unpredictability around the unfolding of global events such as the recent pandemic, geopolitical tensions, economic downturns, and environmental changes like extreme weather events, can affect the institution’s infrastructure and disrupt the delivery of academic activities. Auditors should periodically assess institutional resilience and the adequacy of contingency plans to mitigate the effects of such unforeseen global events.

Diversity, Equity, and Inclusion

Higher education institutions are judged for the diversity, equity, and inclusion of students and faculty from all norms, posing reputational risks related to gender disparities and the preservation of cultural identity. Ensuring equal access to higher education for all socioeconomic groups and genders requires tailored strategies addressing cultural disparities. Auditors need to assess the effectiveness of, and adherence to, the inclusion policies and practices established in the institution. Periodic reviews of recruitment, admissions, and support services for inclusivity should be performed as well.

Funding and Financial Sustainability

In recent times, most higher education institutions have faced funding and financial struggles. Reduced government funding, uncertainties around tuition fees, and economic fluctuations, coupled with fewer private investments through research grants, limit the financial stability of universities, affecting academic program offerings and student services. Auditors need to evaluate the creditability and financial position of the institution through additional revenue creation assessment and accounts receivable reviews to identify any funding opportunities.

Social and Political Shifts

Social and political dynamics prevalent within the state also contribute to risks such as ideological divides on campuses, affecting academic freedom and fostering an environment where diverse perspectives may face challenges. Geopolitical complexities within a region may also affect the ease of establishing and maintaining international partnerships, which could limit the flow of talent and ideas. Furthermore, issues related to campus safety, including instances of violence and harassment, pose ongoing concerns. Auditors need to identify these risks and conduct institutional governance reviews to strike a balance between government priorities and maintaining the strategic plans of the university.

Demographic Changes and Internationalization of Institutions

Shifts in population demographics, such as changes in age distribution of students, diverse student profiles, socio-economic disparities, underrepresentation of certain demographics, and expansion of online education facilities provided by institutions require adjustments to educational approach and mode of delivery. Auditors need to evaluate the adequacy of internal controls prevalent around academic integrity, data privacy in virtual classrooms, and quality assurance mechanisms for academic programs offered by the institution. For higher education institutions with a global footprint, auditors should assess the risks associated with international collaborations, branch campus operations, and compliance with federal and state regulatory requirements governing student aid, accreditation, and financial reporting in the region of operations. In addition, the well-being of students, particularly mental health wellness, is a growing concern. Auditors need to assess the awareness of the importance of well-being in academic settings, the adequacy of student recreational programs, and the infrastructure available in the institution to ensure that adequate student support is provided in handling the pressures of academic life, social challenges, and transitions to the university.

Institutional Governance and Tone at the Top

An institution’s control culture is well determined by the Tone at the Top of the respective institution. A robust governance structure is crucial for ensuring ethical conduct and maintaining public trust. Auditors should periodically evaluate the effectiveness of internal controls, whistleblower mechanisms, and the effectiveness of the ethical policies practiced in the institution. The emphasis on metrics, institutional rankings, and performance indicators can create pressures on institutions to meet specific criteria, causing institutions to compromise on academic ethical standard practices followed in the institution. Balancing quality assurance with the need for diverse educational offerings and navigating changes in global dynamics are continual challenges for the institution that need to be assessed by auditors.
 
In conclusion, higher education faces multidimensional risks such as cybersecurity threats, regulatory compliance, geopolitical tensions, data integrity, job market dynamics, technological advancements, privacy, inclusion and diversity, and demographic student shifts that may disrupt academic activities, hinder international collaborations and lead to migration of students and faculty. As higher education institution auditors, the evolving risk magnitude requires us to stay informed, conduct thorough risk assessments, and collaborate to ensure institutional resilience through a proactive adaptive approach.

New Global Internal Audit Standards Released

New Consolidated Structure

On January 9, 2024, the Institute of Internal Auditors (IIA) released their updated Global Internal Audit Standards, which will become effective on January 9, 2025. The ACUA Auditing & Accounting Principles (AAP) Subcommittee advocated for ACUA members during the comment period and recently presented the changes at the 2024 ACUA Virtual Spring Summit.

The prior International Professional Practices Framework (IPPF), published in 2017, was decentralized into four different documents: the Standards, Code of Ethics, Core Principles, and the Definition of Internal Auditing. The new IPPF is one single 120-page document comprising five domains, 15 principles, and 52 standards. Each standard has its own requirements, considerations for implementation, and examples of evidence of conformance. Additional guidance in the form of Topical Requirements is forthcoming.

Structure of the International Professional Practices Framework, slide courtesy of the IIA.

The Five Domains

The new Standards are now organized into five logical domains that contain the 15 key principles. During the public comment period, most respondents appreciated the organization of the new domains.

The Global Internal Audit Standards five domains, slide courtesy of the IIA.

  • Domain I: Purpose of Internal Auditing updates the purpose and describes how internal auditing enhances the organization and when it is most effective. The new purpose statement reads “Internal auditing strengthens the organization’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight.”
  • Domain II: Ethics and Professionalism embodies the former Code of Ethics’ principles of integrity, objectivity, confidentiality, and competency, and adds maintaining confidentiality.
  • Domain III: Governing the Internal Audit Function includes “essential conditions” for an effective internal audit function, including organizational independence, internal audit charters, Board interaction, resources and support, plus external quality assessment.
  • Domain IV: Managing the Internal Audit Function describes Chief Audit Executive functions including departmental planning, managing resources, communicating, and performance measurement.
  • Domain V: Performing Internal Audit Services provides guidance on conducting engagements including planning, analysis, reporting, and confirming the implementation of action plans.

Major Changes

Overall, the biggest change to the new Standards is the consolidation and regrouping of topics. There is a new emphasis on serving the public interest and being able to apply the Standards to the public sector. The most significant changes include:

  • No more differentiation between assurance and consulting engagements. The Standards apply to all engagements.
  • There are new “essential conditions” in each of the nine standards in Domain III describing the appropriate governance arrangements essential for the internal audit function to be effective, which strengthens the importance of Board relations.
  • The Standards have become more prescriptive throughout. Recommendations that were previously labeled as “consider” or “should” have turned into “must.”
  • There is a greater emphasis on strategy, relationship building, and communication in the Management domain, along with new emphasis on internal audit performance measurement.
  • There is additional emphasis on performance management, where the CAE must develop performance measurement criteria and assess progress towards achieving the function’s objectives while promoting continuous improvement.
  • The final communication must include an engagement conclusion that summarizes the engagement results, and individual engagement findings must be prioritized based on significance but do not require rankings.
  • For external quality assessment reviews, at least one independent assessor must hold a Certified Internal Auditor (CIA) designation.

Topical Requirements

The IIA intends to release several Topical Requirements, which will cover aspects of governance, risk management, and control processes and include considerations related to a specific topic. This guidance will be required when auditing an area covered by a Topical Requirement. To date, the IIA has released a draft of their Topical Requirement on cybersecurity, which is for public comment through July 3, 2024. Please visit the IIA website to read the draft and make any comments. Other topics under consideration include sustainability, third-party management, IT governance, assessing organizational governance, fraud risk management, privacy risk management, and public sector performance audits.

ACUA’s Top Concerns

During the public comment period, the AAP polled the ACUA membership about their reaction to the proposed changes. Members appreciated the new organization, format, and clarification of roles and responsibilities of the internal auditors versus the Board, along with the de-emphasis on assurance versus consulting. Using membership feedback, ACUA President Melissa Hall formally responded on behalf of ACUA on May 31, 2023. In addition to the above-noted items of appreciation, this response also included top concerns, including the overly prescriptive nature of the Standards and its potential burden on smaller internal audit functions. The IIA considered the public comments and revised the draft Standards prior to publishing.

This is how the IIA addressed the top three ACUA concerns:

  • Domain III: Governance – ACUA members were concerned that the Standards pertaining to the Board were outside the control of the CAE. The final Standards focused on the CAE’s responsibilities and how the CAE can assist and inform the Board of their responsibilities.
  • Standard 8.4 External Quality Assurance – ACUA members were concerned the proposed Standards required external quality reviews be led by a CIA, and all team members needed to successfully complete an IIA training course. The final Standard does not require completion of an IIA course by external assessment team members, and only one team member (and not the lead) must hold the CIA designation. Also, the final Standards allow for self-assessment with independent validation.
  • Standard 15.1 Final Engagement Communication – The proposed Standard required findings be “ranked by significance,” generating concerns that audit clients would be too focused on subjective rankings and that unnecessary conflict between the internal audit function and management would ensue. The IIA removed the requirement to rank findings, instead requiring the final report include the significance and prioritization of the findings.

Implementation Next Steps

The ACUA AAP Subcommittee recommends the following next steps in your institution’s journey to the January 2025 implementation effective date:

  • Get familiar with the new Standards.
  • Start to develop a plan for implementation.
  • Communicate these changes with your senior leadership and Board.
  • Update the internal audit function’s strategy “that supports the strategic objectives and success of the organization and aligns with the expectations of the board, senior management, and other key stakeholders.”
  • Update or create performance metrics and plan how to measure those metrics.

Consider performing an internal assessment using the new Standards this year and implement any changes prior to the January 2025 effective date. If your External Quality Assessment is due in 2025, consider completing it in 2024 before the Standards change and the CIA on the review team is a requirement. If your internal audit function is not conforming with all of the new standards by January 9, 2025, you must remove the phrase from audit deliverables indicating your engagement was performed in accordance with the Standards.

If you are considering becoming a Certified Internal Auditor, the IIA states there will not be any changes to the CIA exam before May 2025. The IIA plans on communicating any changes at least one year in advance and new study materials are not expected to be released before March 2025. Those candidates in-process will receive detailed information. In addition, there will be no changes to the Internal Audit Practitioner designation before the effective date, and the Certification in Risk Management Assurance (CRMA) exam is not affected by the changes.

DEI in Higher Education

What is DEI?
Diversity, Equity, and Inclusion, commonly referred to as DEI, is a highly critical aspect of any organization, and DEI in education, specifically higher education, is especially important. DEI in higher education institutions encompasses the policies and practices designed to help ensure everyone in the institution, whether faculty, staff, or students, has equal opportunities for success and inclusion, no matter their background.
 
Understanding DEI
Diversity includes race, ethnicity, gender, religion, sexual orientation, geographical representation, and political beliefs, among many other factors. However, what diversity means varies amongst individuals. Studies have shown that race, gender, and sexual orientation are almost always the top three concerns for those working in the field, but inclusion is equally important.
 
DEI in Higher Education – why it’s important
Prioritizing DEI in higher education not only impacts students, faculty, and staff, but also the institution and entire campus. DEI provides advancement opportunities for underrepresented communities and comes into play when recruiting students, hiring faculty and staff, shaping campus culture, encouraging career advancement, setting up tenure processes, examining employment budgets, and making forward-looking decisions.
 
Benefits of DEI
DEI promotes personal growth and a healthy society, and fosters mutual respect and teamwork within the institution. DEI brings multiple perspectives and challenges stereotypical preconceptions, encourages problem-solving and critical thinking, and helps individuals learn how to communicate effectively with people of different backgrounds. Most importantly, DEI enriches the educational experience, as we learn from those whose experiences, beliefs, and perspectives are different from our own.
 
Why does DEI fail?
Although investing in DEI is never a waste of an institution’s time or resources, there are several reasons why DEI efforts are not as effective. Despite overwhelming evidence that institutions are becoming more demographically diverse, research has shown that more than half of employees feel excluded and isolated at work. Institutions with DEI initiatives are also experiencing employee fatigue because employees either feel exhausted, frustrated, or skeptical whether their DEI efforts provide expected tangible results.
Many employees are trying to improve DEI initiatives by starting either an employee resource group or a DEI Council to get things started. However, over time those same employees often end up feeling frustrated, burned out, and discouraged because they do not believe that their institution is equally invested and committed to advancing DEI due to lack of participation, support, and investment. Unfortunately, when employees feel their efforts are in vain, they eventually give up. This is especially difficult when management and those in leadership positions lack diversity and often underestimate and overlook the time, commitment, money, and effort needed to improve and sustain DEI.
 
How to build a more successful DEI strategy
For DEI initiatives and strategies to succeed, institutions need to set the tone at the top and have a top-down, systemic, business-led approach to demonstrate DEI is an essential part of the culture and institution. It is also imperative that institutions set clear, specific, and achievable goals, establish accessible protocols, build equity into the structure, and, most importantly, lead by example. Management and leadership need to take an active role in implementing initiatives and prioritizing DEI. This should not be the sole responsibility of the DEI employees.
 
What can Internal Audit do?
Internal Audit can get involved and support DEI initiatives by conducting DEI audits for their institution. The DEI audit will highlight how well the institution supports diverse and underrepresented employees and put a spotlight on areas where the institution is progressing, as well as identify issues and challenges that exist that need a little more attention. Having Internal Audit support DEI fosters an institution that embraces inclusivity, nurtures a sense of belonging, and amplifies opportunities for individuals from historically underrepresented backgrounds. Internal Audit’s strategic commitment aids in creating a stronger institution that thrives on a diverse array of perspectives and experiences. DEI audits are an opportunity to dig beneath the surface and reflect on the institution’s own priorities and goals. DEI audits are critical tools that, when done properly and consistently, can be a real advocate for institutional change.
 
Because DEI success does not happen overnight, creating a diverse, equitable, and inclusive institution is a continual process, one that requires constant growth at all levels, from the individual to the institution.
 
Editor’s Note: The ACUA DEI committee plans to send a survey to its members in the coming months. Your participation is greatly encouraged.

Poll: Who Is Using AI?

With the explosion of free artificial intelligence software at our fingertips, are we ready to embrace the future and utilize AI in our audit engagements?

At the 2023 AuditCon, there were numerous presentations about AI capabilities and how they will affect our world. From the dangers of undetectable plagiarism to the ease of summarizing income tax rules, the applications are far and wide.

Attendees went to the Whova app to consult with their peers on the use of ChatGPT and other AI software in their audit work. One poll showed nearly half of the voters were starting to dabble in AI.

Many auditors said they are already experimenting with the technology for work or personal reasons. Those already working with AI use it to create email communications, identify common findings, and create custom photos for reports and presentations. Many have found ChatGPT useful during the planning phase of an audit to generate risks and audit step procedures as part of the brainstorming process. Members said they are “using it cautiously” and are testing search results before relying on the data.

Presenters encouraged universities to establish AI policies for students and researchers alike. Another Whova poll said half of the auditors surveyed have already discussed AI with senior leadership.

Granted, the number of poll respondents was limited, but we at the C&U Journal think these percentages will change soon and that most audit shops will adopt this new technology to enhance their engagements. Are you benefiting from using ChatGPT in your shop? Please share your examples of AI success with us at editor@acua.org for a future story.

ACUA History Challenge

Did you know that ACUA used to give out numbered certificates to member institutions?  This fun fact was shared with the ACUA Board, prompting several ACUA members to share photos of their certificates. Many proud institutions still hang these certificates in their offices! 

Original ACUA Membership Certifications

The search was on for the oldest certificate. The University of Washington thought their September 6, 1961, certificate was the oldest until Tanya Satterfield at the University of Mississippi shared their certificate dating back to September 10, 1959, just one year after ACUA was founded. Tanya and her colleagues proudly displayed the certificate at the 2023 AuditCon in Miami. 

Tanya Satterfield and University of Mississippi colleagues with their certificate at AuditCon.
Currently the oldest membership certificate.

The ACUA booth at AuditCon also displayed other ACUA artifacts from the past 65 years, including directories, information packets, conference agendas, coasters, and even old diskettes.

ACUA artifacts

For those of you who like a challenge, if you have a Membership Certificate older than 1959 or have any “vintage” ACUA artifacts, please send a photo of your items to Toni Stephens at tstephens@utdallas.edu.  ACUA plans to collect and share these artifacts to preserve our great history!

ACUA 2023 Award Winners and Board Members

Member Excellence in Service Award

Justin Noble was selected for the Member Excellence in Service Award, which recognizes a member who has made outstanding contributions to the mission of ACUA through exceptional service.  Justin is the Chief Audit Executive at Virginia Tech and has served in numerous ACUA roles, including Distance Learning Chairman (2012-14), Board Member-at-Large (2014-17), Vice President (2017-18), President (2018-19), Immediate Past President (2019-2020), and Nominating Committee Chair (2019-20).

Outstanding Professional Contributions Award

Carolyn Saint was chosen for the Outstanding Professional Contributions Award, which recognizes a member who has made outstanding and noteworthy contributions to the profession of internal auditing in higher education.  Carolyn is the Chief Audit Executive at the University of Virginia and chaired the Institute of Internal Auditors’ (IIA) North American Board of Directors.  

Rising Star Award

Erica Smith received the Rising Star Award, which recognizes an “up-and-coming” member who has made significant individual contributions in the areas of internal audit, compliance, or risk management that further the mission of ACUA. Erica is a Principal Auditor at the University of Tennessee and has served as the ACUA Audit Interactive Conference Director. Erica also is the incoming Professional Education Committee Chair.

Please make sure to congratulate our 2023 award winners and thank them for their outstanding work on behalf of ACUA and the profession!

Board Members

The 2023-2024 ACUA Board of Directors officially assumed their new roles at AuditCon.  Marion Candrea, Associate Vice President of Internal Audit & Advisory Services at Boston University, succeeds Melissa Hall as ACUA President; Melissa will continue her work with the Board in her role as Immediate Past President.  Laura Buchhorn, Assistant Audit Director at the University of Texas San Antonio, will serve as Vice President, and Eulonda Whitmore, Associate Vice President and Chief Audit Executive at Wayne State University, will serve as Secretary and Treasurer.  The following members will round out the Board in their role as Board Member-at-Large:

  • Jana Clark, Chief Audit Executive at Kansas State University
  • William Hancock, Jr., Audit Manager at Auburn University
  • Andre’ McMillan, Director of Internal Audit at the University of Delaware
  • Deidre Melton, Associate Vice President for Audit and Chief Risk Officer at Florida A&M University
  • Kara Kearney-Saylor, Director of Internal Audit at the University of Buffalo

Letter from the Editor

Hello ACUA Members!

Last week my county’s Superior Court summoned me for jury duty. I wound up being Juror #9 in a short two-day trial. The experience was nowhere near as humorous as the Amazon Prime Video series “Jury Duty,” but it had its moments. While doing my civic duty was a bit of an inconvenience, it provided an interesting mental break. My only job was to listen and apply reason. No phones, emails, meetings, or daily distractions. Just calming focus.

I realized conducting an audit is like serving every position in a trial simultaneously. Like the attorneys, we must find facts, both positive and negative, and learn from our key witnesses and subject matter experts. We carefully document our workpapers, like the tireless court reporter capturing every word. As a judge, we keep the engagement relevant and on track until we, as our own jury, come to our conclusions.

One key difference is that in a trial, you only measure against the law. Not what you think it should be, not what would be best. As auditors we have the amazing opportunity to go beyond merely judging compliance. We create recommendations to make things better. That is our value.

Like a law library, this issue of the C&U Journal adds several great resources to our collection. Ken Lish and Billy McCain from the National Science Foundation share their Promising Practices for NSF Award Management report, a must read for research universities. In a nod to October’s cybersecurity month, Bruce Tong presents his favorite IT tests when performing departmental audits, David Clark from BDO shares ways to leverage technology during audits, and Sabine Charles discusses authentication factors. Agnessa Vartanova invites you to consider culture in audits. Our ACUA news section includes award winners, an AI poll, and an artifact challenge.

As we strive to complete our audits before the hectic holiday season, let’s not forget the importance of listening and applying reason.

Sincerely,
Kara Hefner

Letter from the President

Hello ACUA! I’d like to start by expressing my sincere gratitude and excitement about serving as your ACUA President for the upcoming year. This organization is near and dear to my heart and has been my professional home for learning, growing, and serving for more than a decade.
 
We had a fantastic AuditCon conference in Miami in September, where we had the second highest member attendance in ACUA’s history with over 470 attendees! I want to take a minute to personally thank all of our Professional Education Committee volunteers and ACUA staff for their hard work in creating an exceptional conference experience. As I reflect on the week spent together, I am immensely proud of the dedication and enthusiasm displayed by our members. The exchange of knowledge and vibrant discussions within this organization is so inspiring and makes me very excited for the year ahead!
 
During AuditCon, I spoke to the continually challenging economic landscape within our industry. This year, it is imperative for us to remain adaptive and resilient as we navigate the complexities posed by these challenges. Our Professional Education Committee is already beginning to prepare for a virtual spring conference that will provide opportunities for continued learning and collaboration. Stay tuned for more details in the coming weeks.
 
There are many ways in which our members have the ability to share their knowledge and expertise, which is truly what makes this organization so great. I would encourage anyone reading this to reflect on how you might use your time and talent to share your insight with others. For some that might be writing a Journal article, for others it might be partnering up with another auditor to create a Kick Starter. And I would be remiss if I did not also plug the tremendous value of raising your hand for a volunteer role! It could be the opportunity that forever changes your professional future.
 
In closing, I would like to extend my gratitude to Immediate Past President Melissa Hall. Her unwavering commitment and leadership have guided this organization through a year of challenges and successes. She leaves big shoes to fill, but I look forward to continuing the momentum she has built over the past year.  
 
Wishing all happiness and health as we move into the holiday season,
 
Marion Candrea, Boston University
ACUA President

Multi-factor Authentication vs. Single-factor Authentication: Safeguarding Your Digital World

Due to our society’s increasing interconnection, protecting one’s digital identity has become increasingly important. Authentication is often regarded as the most crucial component of information security since it serves to verify an individual’s stated identity. The most often used authentication mechanisms are multi-factor authentication (MFA) and single-factor authentication (SFA).

  • Single-factor Authentication (SFA): The traditional SFA method is based on a single piece of information, usually one the individual knows or has easy access to. It could be a personal identification number (PIN), a password, or any other type of information that is unique to the person doing the authentication.
  • Multi-factor Authentication (MFA): As its name would suggest, MFA requires two or more factors for access. For this reason, MFA is regarded as preferable to SFA for enhanced security. Authentication factors are typically classified into three main groups: possession (also known as ownership), knowledge (also known as cognition), and biometric (also known as intrinsic traits).

To protect the security of one’s online presence, it is critical to have a thorough grasp of the advantages and disadvantages of the many solutions available. A brief comparative analysis of the benefits and downsides of these authentication methods warrants a self-evident conclusion: SFA is the most viable authentication approach but has the most drawbacks.

Single-factor Authentication (SFA): The Weakest Link

SFA is the most viable authentication approach due to its simplicity. Users are only required to enter a single piece of information, such as a password, in order to obtain access to their accounts. Despite its widespread acceptance and ease of use, SFA has some important drawbacks:

  • Risk of Password Breaches: The weakness in SFA’s security is its password management system. Passwords have become a prominent target for hackers due to their susceptibility to misuse, theft, or compromise via data intrusions. If a password is overly simple or commonly used, its strength may be undermined.
  • Limited Security: Because it relies on a single factor, SFA can only provide limited protection. If an adversary successfully discovers the password, obtaining unauthorized access would be simple.
  • Lack of Adaptability: SFA does not adapt effectively to the ever-changing threat landscape. Its level of security is not sufficient to combat two sophisticated attacks: credential stuffing and phishing.

In view of these urgent threats, businesses are rapidly adopting MFA as a more reliable security approach.

Multi-factor Authentication (MFA): Layered Security

Implementing MFA improves security by adding layers of protection that address the shortcomings of SFA. When users must meet multiple conditions, adversaries find it much more difficult to get unauthorized access. Additional benefits of MFA include:

  • Enhanced Security: MFA improves security by prompting the user for multiple authentication factors at the same time. If a potential unauthorized user possesses only one of the crucial elements, such as a password, their ability to gain access to the system is reduced.
  • Resistance to Phishing: When done correctly, MFA can effectively prevent fraudulent attempts. If the user unintentionally discloses their password, the offender will have difficulty accessing the account without additional verification measures, such as a fingerprint or a paired smartphone. Even when a password has leaked, these supplemental factors are still required.
  • Adaptive Security: An MFA program is capable of adapting and responding to various risk conditions. In the event a login attempt comes from a suspicious device or location, MFA can be enabled.
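The sketch below is an added example, not part of the original article. It shows how an auditor might check whether a system's login methods span more than one of the three factor groups described above, and how an adaptive policy might request a step-up for a suspicious device or location. The method names, the `LoginContext` signals, the policy thresholds and the sample inventory are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Methods named in the article, mapped to its three factor groups.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "sms_code": "possession",
    "authenticator_app": "possession",
    "hardware_token": "possession",
    "fingerprint": "biometric",
}


@dataclass(frozen=True)
class LoginContext:
    """Hypothetical risk signals available at login time."""
    known_device: bool
    usual_location: bool


def categories(methods):
    """Return the distinct factor categories covered by the given methods."""
    unknown = [m for m in methods if m not in FACTOR_CATEGORY]
    if unknown:
        raise ValueError(f"unclassified method(s): {unknown}")
    return {FACTOR_CATEGORY[m] for m in methods}


def classify(methods):
    """'none', 'SFA' or 'MFA', counting categories rather than prompts."""
    count = len(categories(methods))
    return "none" if count == 0 else "SFA" if count == 1 else "MFA"


def decide(verified_methods, ctx, baseline=1):
    """Assumed adaptive policy: a suspicious device or location raises the
    requirement to two categories; otherwise the baseline applies."""
    suspicious = not (ctx.known_device and ctx.usual_location)
    required = 2 if suspicious else baseline
    return "allow" if len(categories(verified_methods)) >= required else "step_up"


def audit(inventory):
    """List systems whose configured login methods do not amount to MFA."""
    findings = []
    for system, methods in sorted(inventory.items()):
        kind = classify(methods)
        if kind == "MFA":
            continue
        note = "several prompts, one category" if len(methods) > 1 else "single or no factor"
        findings.append((system, kind, note))
    return findings


# Constructed inventory, for illustration only.
SAMPLE_INVENTORY = {
    "payroll": ["password", "authenticator_app"],
    "grants_portal": ["password", "pin"],
    "lab_booking": ["password"],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
    print(decide(["password"], LoginContext(known_device=False, usual_location=True)))
```

A password plus a PIN is reported as SFA here because both belong to the knowledge group; counting prompts instead of categories would mislabel it as MFA.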

Common Mistakes in Installing Multi-Factor Authentication

Although MFA is recognized to considerably improve security, organizations should avoid making the following mistakes:

  • Weak Recovery Processes: Employers have the burden of ensuring secure access to user accounts, even when one of the authentication components is unavailable. Additional mechanisms for recovering lost or stolen accounts may expose a system to security risks if not properly secured.
  • Inadequate or Lack of Training: Inadequate MFA implementation can cause user confusion and displeasure. These difficulties can be avoided with proper user education. MFA program participants require comprehensive rules and thorough education.
  • Limited Device Options: Companies must provide a comprehensive range of MFA device solutions in order to meet the diverse demands and preferences of their clientele. This requires several authentication methods such as text message codes, mobile authenticator apps, biometrics, and hardware tokens.
  • Complexity of Implementation: Overly sophisticated MFA systems are likely to be less effective. Security and usability should coexist smoothly, without imposing additional costs on consumers when they access their accounts.

Balancing Security and User Experience

MFA provides a strong security mechanism; nonetheless, organizations should remember the importance of addressing the user experience. Users are likely to be dissatisfied if MFA solutions prove difficult to use or involve an excessive number of steps. The ideal balance between user experience and data security is critical in the effective deployment of MFA.

Conclusion: The Power of Multi-Factor Authentication

With the rising diversity of cyberattacks, MFA has evolved into a dependable protection for our digital identities in the digital world. This is because MFA requires the confirmation of multiple data elements. MFA fortifies a system’s defenses and boosts its resilience against a wide range of attacks by requiring the use of several authentication factors.

Although single-factor authentication is widely used, it is incapable of withstanding the frequent and sophisticated attacks that are common today. Therefore, MFA should be part of every individual’s and organization’s security policy.
