Emerging Risks of Higher Education that Auditors Need to Know

Higher education institutions play a vital role in an individual’s intellectual development as well as reshaping societal progress by offering advanced knowledge and skillsets that foster critical thinking and contributions to research and innovation. Serving as centers for academic and cultural exchange, higher education institutions are looked up to as catalysts for positive changes in the job market and drivers of humankind.
 
In recent times, higher education has been exposed to various emerging risks. Due to the nature of these risks, each one requires a concentrated approach for review. In this article, we investigate the following key risks that higher education auditors need to be aware of.

Impact of Digitalization

The rapid pace of technology advancements requires higher education institutions to stay abreast of digital trends, which results in universities increasingly relying on digital infrastructure and needing to manage vast amounts of student data. Technology integration, if hindered at varying infrastructure levels, can contribute to a digital divide for higher education institutions. Auditors need to evaluate the adequacy of the institution’s technology landscape for information flow effectiveness and utilization of emerging technologies such as generative AI, blockchain, and cloud computing. Furthermore, protecting sensitive student data, research information, and financial records is crucial. Regular assessment of cybersecurity measures, incident reporting, response plans, and compliance with data protection law should be performed. Robust data governance practices and institutional data safeguarding protocols are paramount.

Shifts in Job Market Dynamics

Technological advancements, particularly in the fields of automation, biotechnology, and renewable energy, pose both opportunities and challenges for higher education. Even though these innovations offer potential for groundbreaking research and education programs, higher education institutions must adapt curricula to meet evolving industry demands, ensuring that the graduates possess relevant skills. They also need to collaborate with industry partners to align education with the evolving job markets. As auditors, we need to be able to evaluate the effectiveness of the academic program review process established in the institution for regular curriculum updates. To mitigate this risk, we need to incorporate periodic reviews focused on fostering critical thinking and adaptability of curricula.

Impact of Global Events and Climate Changes

The unpredictability around the unfolding of global events such as the recent pandemic, geopolitical tensions, economic downturns, and environmental changes like extreme weather events, can affect the institution’s infrastructure and disrupt the delivery of academic activities. Auditors should periodically assess institutional resilience and the adequacy of contingency plans to mitigate the effects of such unforeseen global events.

Diversity, Equity, and Inclusion

Higher education institutions are judged for the diversity, equity, and inclusion of students and faculty from all norms, posing reputational risks related to gender disparities and the preservation of cultural identity. Ensuring equal access to higher education for all socioeconomic groups and genders requires tailored strategies addressing cultural disparities. Auditors need to assess the effectiveness of, and adherence to, the inclusion policies and practices established in the institution. Periodic reviews of recruitment, admissions, and support services for inclusivity should be performed as well.

Funding and Financial Sustainability

In recent times, most higher education institutions have faced funding and financial struggles. Reduced government funding, uncertainties around tuition fees, and economic fluctuations, coupled with fewer private investments through research grants, limit the financial stability of universities, affecting academic program offerings and student services. Auditors need to evaluate the creditability and financial position of the institution through additional revenue creation assessment and accounts receivable reviews to identify any funding opportunities.

Social and Political Shifts

Social and political dynamics prevalent within the state also contribute to risks such as ideological divides on campuses, affecting academic freedom and fostering an environment where diverse perspectives may face challenges. Geopolitical complexities within a region may also affect the ease of establishing and maintaining international partnerships, which could limit the flow of talent and ideas. Furthermore, issues related to campus safety, including instances of violence and harassment, pose ongoing concerns. Auditors need to identify these risks and conduct institutional governance reviews to strike a balance between government priorities and maintaining the strategic plans of the university.

Demographic Changes and Internationalization of Institutions

Shifts in population demographics, such as changes in age distribution of students, diverse student profiles, socio-economic disparities, underrepresentation of certain demographics, and expansion of online education facilities provided by institutions require adjustments to educational approach and mode of delivery. Auditors need to evaluate the adequacy of internal controls prevalent around academic integrity, data privacy in virtual classrooms, and quality assurance mechanisms for academic programs offered by the institution. For higher education institutions with a global footprint, auditors should assess the risks associated with international collaborations, branch campus operations, and compliance with federal and state regulatory requirements governing student aid, accreditation, and financial reporting in the region of operations. In addition, the well-being of students, particularly mental health wellness, is a growing concern. Auditors need to assess the awareness of the importance of well-being in academic settings, the adequacy of student recreational programs, and the infrastructure available in the institution to ensure that adequate student support is provided in handling the pressures of academic life, social challenges, and transitions to the university.

Institutional Governance and Tone at the Top

An institution’s control culture is well determined by the Tone at the Top of the respective institution. A robust governance structure is crucial for ensuring ethical conduct and maintaining public trust. Auditors should periodically evaluate the effectiveness of internal controls, whistleblower mechanisms, and the effectiveness of the ethical policies practiced in the institution. The emphasis on metrics, institutional rankings, and performance indicators can create pressures on institutions to meet specific criteria, causing institutions to compromise on academic ethical standard practices followed in the institution. Balancing quality assurance with the need for diverse educational offerings and navigating changes in global dynamics are continual challenges for the institution that need to be assessed by auditors.
 
In conclusion, higher education faces multidimensional risks such as cybersecurity threats, regulatory compliance, geopolitical tensions, data integrity, job market dynamics, technological advancements, privacy, inclusion and diversity, and demographic student shifts that may disrupt academic activities, hinder international collaborations and lead to migration of students and faculty. As higher education institution auditors, the evolving risk magnitude requires us to stay informed, conduct thorough risk assessments, and collaborate to ensure institutional resilience through a proactive adaptive approach.

New Global Internal Audit Standards Released

New Consolidated Structure

On January 9, 2024, the Institute of Internal Auditors (IIA) released their updated Global Internal Audit Standards, which will become effective on January 9, 2025. The ACUA Auditing & Accounting Principles (AAP) Subcommittee advocated for ACUA members during the comment period and recently presented the changes at the 2024 ACUA Virtual Spring Summit.

The prior International Professional Practices Framework (IPPF), published in 2017, was decentralized into four different documents: the Standards, Code of Ethics, Core Principles, and the Definition of Internal Auditing. The new IPPF is one single 120-page document comprising five domains, 15 principles, and 52 standards. Each standard has its own requirements, considerations for implementation, and examples of evidence of conformance. Additional guidance in the form of Topical Requirements is forthcoming.

Structure of the International Professional Practices Framework, slide courtesy of the IIA.

The Five Domains

The new Standards are now organized into five logical domains that contain the 15 key principles. During the public comment period, most respondents appreciated the organization of the new domains.

The Global Internal Audit Standards five domains, slide courtesy of the IIA.

  • Domain I: Purpose of Internal Auditing updates the purpose and describes how internal auditing enhances the organization and when it is most effective. The new purpose statement reads “Internal auditing strengthens the organization’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight.”
  • Domain II: Ethics and Professionalism embodies the former Code of Ethics’ principles of integrity, objectivity, confidentiality, and competency, and adds maintaining confidentiality.
  • Domain III: Governing the Internal Audit Function includes “essential conditions” for an effective internal audit function, including organizational independence, internal audit charters, Board interaction, resources and support, plus external quality assessment.
  • Domain IV: Managing the Internal Audit Function describes Chief Audit Executive functions including departmental planning, managing resources, communicating, and performance measurement.
  • Domain V: Performing Internal Audit Services provides guidance on conducting engagements including planning, analysis, reporting, and confirming the implementation of action plans.

Major Changes

Overall, the biggest change to the new Standards is the consolidation and regrouping of topics. There is a new emphasis on serving the public interest and being able to apply the Standards to the public sector. The most significant changes include:

  • No more differentiation between assurance and consulting engagements. The Standards apply to all engagements.
  • There are new “essential conditions” in each of the nine standards in Domain III describing the appropriate governance arrangements essential for the internal audit function to be effective, which strengthens the importance of Board relations.
  • The Standards have become more prescriptive throughout. Recommendations that were previously labeled as “consider” or “should” have turned into “must.”
  • There is a greater emphasis on strategy, relationship building, and communication in the Management domain, along with new emphasis on internal audit performance measurement.
  • There is additional emphasis on performance management, where the CAE must develop performance measurement criteria and assess progress towards achieving the function’s objectives while promoting continuous improvement.
  • The final communication must include an engagement conclusion that summarizes the engagement results, and individual engagement findings must be prioritized based on significance but do not require rankings.
  • For external quality assessment reviews, at least one independent assessor must hold a Certified Internal Auditor (CIA) designation.

Topical Requirements

The IIA intends to release several Topical Requirements, which will cover aspects of governance, risk management, and control processes and include considerations related to a specific topic. This guidance will be required when auditing an area covered by a Topical Requirement. To date, the IIA has released a draft of their Topical Requirement on cybersecurity, which is for public comment through July 3, 2024. Please visit the IIA website to read the draft and make any comments. Other topics under consideration include sustainability, third-party management, IT governance, assessing organizational governance, fraud risk management, privacy risk management, and public sector performance audits.

ACUA’s Top Concerns

During the public comment period, the AAP polled the ACUA membership about their reaction to the proposed changes. Members appreciated the new organization, format, and clarification of roles and responsibilities of the internal auditors versus the Board, along with the de-emphasis on assurance versus consulting. Using membership feedback, ACUA President Melissa Hall formally responded on behalf of ACUA on May 31, 2023. In addition to the above-noted items of appreciation, this response also included top concerns, including the overly prescriptive nature of the Standards and its potential burden on smaller internal audit functions. The IIA considered the public comments and revised the draft Standards prior to publishing.

This is how the IIA addressed the top three ACUA concerns:

  • Domain III: Governance – ACUA members were concerned that the Standards pertaining to the Board were outside the control of the CAE. The final Standards focused on the CAE’s responsibilities and how the CAE can assist and inform the Board of their responsibilities.
  • Standard 8.4 External Quality Assurance – ACUA members were concerned the proposed Standards required external quality reviews be led by a CIA, and all team members needed to successfully complete an IIA training course. The final Standard does not require completion of an IIA course by external assessment team members, and only one team member (and not the lead) must hold the CIA designation. Also, the final Standards allow for self-assessment with independent validation.
  • Standard 15.1 Final Engagement Communication – The proposed Standard required findings be “ranked by significance,” generating concerns audit clients would be too focused on subjective rankings and unnecessary conflict between the internal audit function and management would ensue. The IIA removed the requirement to rank findings, instead requiring the final report include the significance and prioritization of the findings.

Implementation Next Steps

The ACUA AAP Subcommittee recommends the following next steps in your institution’s journey to the January 2025 implementation effective date:

  • Get familiar with the new Standards.
  • Start to develop a plan for implementation.
  • Communicate these changes with your senior leadership and Board.
  • Update the internal audit function’s strategy “that supports the strategic objectives and success of the organization and aligns with the expectations of the board, senior management, and other key stakeholders.”
  • Update or create performance metrics and plan how to measure those metrics.

Consider performing an internal assessment using the new Standards this year and implement any changes prior to the January 2025 effective date. If your External Quality Assessment is due in 2025, consider completing it in 2024 before the Standards change and the CIA on the review team is a requirement. If your internal audit function is not conforming with all of the new standards by January 9, 2025, you must remove the phrase from audit deliverables indicating your engagement was performed in accordance with the Standards.

If you are considering becoming a Certified Internal Auditor, the IIA states there will not be any changes to the CIA exam before May 2025. The IIA plans on communicating any changes at least one year in advance and new study materials are not expected to be released before March 2025. Those candidates in-process will receive detailed information. In addition, there will be no changes to the Internal Audit Practitioner designation before the effective date, and the Certification in Risk Management Assurance (CRMA) exam is not affected by the changes.

DEI in Higher Education

What is DEI?
Diversity, Equity, and Inclusion, commonly referred to as DEI, is a highly critical aspect of any organization; and DEI in education, specifically higher education, is especially important. DEI in higher education institutions encompasses the policies and practices designed to help ensure everyone in the institution, whether faculty, staff, or students, has equal opportunities for success and inclusion, no matter their background.
 
Understanding DEI
Diversity includes race, ethnicity, gender, religion, sexual orientation, geographical representation, and political beliefs, among many other factors. However, what diversity means varies amongst individuals. Studies have shown that race, gender, and sexual orientation are almost always the top three concerns for those working in the field, but inclusion is equally important.
 
DEI in Higher Education – why it’s important
Prioritizing DEI in higher education not only impacts students, faculty, and staff, but also the institution and entire campus. DEI provides advancement opportunities for underrepresented communities and comes into play when recruiting students, hiring faculty and staff, shaping campus culture, encouraging career advancement, setting up tenure processes, examining employment budgets, and making forward-looking decisions.
 
Benefits of DEI
DEI promotes personal growth, a healthy society, and fosters mutual respect and teamwork amongst the institution. DEI brings multiple perspectives and challenges stereotypical preconceptions, encourages problem-solving and critical thinking, and helps individuals learn how to communicate effectively with people of different backgrounds. Most importantly, DEI enriches the educational experience, as we learn from those whose experiences, beliefs, and perspectives are different from our own.
 
Why does DEI fail?
Although investing in DEI is never a waste of an institution’s time or resources, there are several reasons why DEI efforts are not as effective. Despite overwhelming evidence that institutions are becoming more demographically diverse, research has shown that more than half of employees feel excluded and isolated at work. Institutions with DEI initiatives are also experiencing employee fatigue because employees either feel exhausted, frustrated, or skeptical whether their DEI efforts provide expected tangible results.
Many employees are trying to improve DEI initiatives by starting either an employee resource group or a DEI Council to get things started. However, over time those same employees often end up feeling frustrated, burned out, and discouraged because they do not believe that their institution is equally invested and committed to advancing DEI due to lack of participation, support, and investment. Unfortunately, when employees feel their efforts are in vain, they eventually give up. This is especially difficult when management and those in leadership positions lack diversity and often underestimate and overlook the time, commitment, money, and effort needed to improve and sustain DEI.
 
How to build a more successful DEI strategy
For DEI initiatives and strategies to succeed, institutions need to set the tone at the top and have a top-down, systemic, business-led approach to demonstrate DEI is an essential part of the culture and institution. It is also imperative that institutions set clear, specific, and achievable goals, establish accessible protocols, build equity into the structure, and, most importantly, lead by example. Management and leadership need to take an active role in implementing initiatives and prioritizing DEI. This should not be the sole responsibility of the DEI employees.
 
What can Internal Audit do?
Internal Audit can get involved and support DEI initiatives by conducting DEI audits for their institution. The DEI audit will highlight how well the institution supports diverse and underrepresented employees and put a spotlight on areas where the institution is progressing, as well as identify issues and challenges that exist that need a little more attention. Having Internal Audit support DEI fosters an institution that embraces inclusivity, nurtures a sense of belonging, and amplifies opportunities for individuals from historically underrepresented backgrounds. Internal Audit’s strategic commitment aids in creating a stronger institution that thrives on a diverse array of perspectives and experiences. DEI audits are an opportunity to dig beneath the surface and reflect on the institution’s own priorities and goals. DEI audits are critical tools that, when done properly and consistently, can be a real advocate for institutional change.
 
Because DEI success does not happen overnight, creating a diverse, equitable, and inclusive institution is a continual process; one that requires constant growth from all levels: individual to the institute.
 
Editor’s Note: The ACUA DEI committee plans to send a survey to its members in the coming months. Your participation is greatly encouraged.

Poll: Who Is Using AI?

With the explosion of free artificial intelligence software at our fingertips, are we ready to embrace the future and utilize AI in our audit engagements?

At the 2023 AuditCon, there were numerous presentations about AI capabilities and how they will affect our world. From the dangers of undetectable plagiarism to the ease of summarizing income tax rules, the applications are far and wide.

Attendees went to the Whova app to consult with their peers on the use of ChatGPT and other AI software in their audit work. One poll showed nearly half of the voters were starting to dabble in AI.

Many auditors said they are already experimenting with the technology for work or personal reasons. Those already working with AI use it to create email communications, identify common findings, and create custom photos for reports and presentations. Many have found ChatGPT useful during the planning phase of an audit to generate risks and audit step procedures as part of the brainstorming process. Members said they are “using it cautiously” and are testing search results before relying on the data.

Presenters encouraged universities to establish AI policies for students and researchers alike. Another Whova poll said half of the auditors surveyed have already discussed AI with senior leadership.

Granted, the number of poll respondents was limited, but we at the C&U Journal think these percentages will change soon and that most audit shops will adopt this new technology to enhance their engagements. Are you benefiting from using ChatGPT in your shop? Please share your examples of AI success with us at editor@acua.org for a future story.

ACUA History Challenge

Did you know that ACUA used to give out numbered certificates to member institutions?  This fun fact was shared with the ACUA Board, prompting several ACUA members to share photos of their certificates. Many proud institutions still hang these certificates in their offices! 

Original ACUA Membership Certifications

The search was on for the oldest certificate. The University of Washington thought their September 6, 1961, certificate was the oldest until Tanya Satterfield at the University of Mississippi shared their certificate dating back to September 10, 1959, just one year after ACUA was founded. Tanya and her colleagues proudly displayed the certificate at the 2023 AuditCon in Miami. 

Tanya Satterfield and University of Mississippi colleagues with their certificate at AuditCon.
Currently the oldest membership certificate.

The ACUA booth at AuditCon also displayed other ACUA artifacts from the past 65 years, including directories, information packets, conference agendas, coasters, and even old diskettes.

ACUA artifacts

For those of you who like a challenge, if you have a Membership Certificate older than 1959 or have any “vintage” ACUA artifacts, please send a photo of your items to Toni Stephens at tstephens@utdallas.edu.  ACUA plans to collect and share these artifacts to preserve our great history!

ACUA 2023 Award Winners and Board Members

Member Excellence in Service Award

Justin Noble was selected for the Member Excellence in Service Award, which recognizes a member who has made outstanding contributions to the mission of ACUA through exceptional service.  Justin is the Chief Audit Executive at Virginia Tech and has served in numerous ACUA roles, including Distance Learning Chairman (2012-14), Board Member-at-Large (2014-17), Vice President (2017-18), President (2018-19), Immediate Past President (2019-2020), and Nominating Committee Chair (2019-20).

Outstanding Professional Contributions Award

Carolyn Saint was chosen for the Outstanding Professional Contributions Award, which recognizes a member who has made outstanding and noteworthy contributions to the profession of internal auditing in higher education.  Carolyn is the Chief Audit Executive at the University of Virginia and chaired the Institute of Internal Auditors’ (IIA) North American Board of Directors.  

Rising Star Award

Erica Smith received the Rising Star Award that recognizes an “up-and-coming” member who has made significant individual contributions in the areas of internal audit, compliance, or risk management that furthers the mission of ACUA.  Erica is a Principal Auditor at the University of Tennessee and has served as the ACUA Audit Interactive Conference Director.  Erica also is the incoming Professional Education Committee Chair.

Please make sure to congratulate our 2023 award winners and thank them for their outstanding work on behalf of ACUA and the profession!

Board Members

The 2023-2024 ACUA Board of Directors officially assumed their new roles at AuditCon.  Marion Candrea, Associate Vice President of Internal Audit & Advisory Services at Boston University, succeeds Melissa Hall as ACUA President; Melissa will continue her work with the Board in her role as Immediate Past President.  Laura Buchhorn, Assistant Audit Director at the University of Texas San Antonio, will serve as Vice President, and Eulonda Whitmore, Associate Vice President and Chief Audit Executive at Wayne State University, will serve as Secretary and Treasurer.  The following members will round out the Board in their role as Board Member-at-Large:

  • Jana Clark, Chief Audit Executive at Kansas State University
  • William Hancock, Jr., Audit Manager at Auburn University
  • Andre’ McMillan, Director of Internal Audit at the University of Delaware
  • Deidre Melton, Associate Vice President for Audit and Chief Risk Officer at Florida A&M University
  • Kara Kearney-Saylor, Director of Internal Audit at the University of Buffalo

Letter from the Editor

Hello ACUA Members!

Last week my county’s Superior Court summoned me for jury duty. I wound up being Juror #9 in a short two-day trial. The experience was nowhere as humorous as the Amazon Prime Video series “Jury Duty,” but it had its moments. While doing my civic duty was a bit of an inconvenience, it provided an interesting mental break. My only job was to listen and apply reason. No phones, emails, meetings, or daily distractions. Just calming focus.

I realized conducting an audit is like serving every position in a trial simultaneously. Like the attorneys, we must find facts, both positive and negative, and learn from our key witnesses and subject matter experts. We carefully document our workpapers, like the tireless court reporter capturing every word. As a judge, we keep the engagement relevant and on track until we, as our own jury, come to our conclusions.

One key difference is in a trial, you only measure against the law. Not what you think it should be, not what would be best. As auditors we have the amazing opportunity to go beyond merely judging compliance. We create recommendations to make things better. That is our value.

Like a law library, this issue of the C&U Journal adds several great resources to our collection. Ken Lish and Billy McCain from the National Science Foundation share their Promising Practices for NSF Award Management report, a must read for research universities. In a nod to October’s cybersecurity month, Bruce Tong presents his favorite IT tests when performing departmental audits, David Clark from BDO shares ways to leverage technology during audits, and Sabine Charles discusses authentication factors. Agnessa Vartanova invites you to consider culture in audits. Our ACUA news section includes award winners, an AI poll, and an artifact challenge.

As we strive to complete our audits before the hectic holiday season, let’s not forget the importance of listening and applying reason.

Sincerely,
Kara Hefner

Letter from the President

Hello ACUA! I’d like to start by expressing my sincere gratitude and excitement about serving as your ACUA President for the upcoming year. This organization is near and dear to my heart and has been my professional home for learning, growing, and serving for more than a decade.
 
We had a fantastic AuditCon conference in Miami in September, where we had the second highest member attendance in ACUA’s history with over 470 attendees! I want to take a minute to personally thank all of our Professional Education Committee volunteers and ACUA staff for their hard work in creating an exceptional conference experience. As I reflect on the week spent together, I am immensely proud of the dedication and enthusiasm displayed by our members. The exchange of knowledge and vibrant discussions within this organization is so inspiring and makes me very excited for the year ahead!
 
During AuditCon, I spoke to the continually challenging economic landscape within our industry. This year, it is imperative for us to remain adaptive and resilient as we navigate the complexities posed by these challenges. Our Professional Education Committee is already beginning to prepare for a virtual spring conference that will provide opportunities for continued learning and collaboration. Stay tuned for more details in the coming weeks.
 
There are many ways in which our members have the ability to share their knowledge and expertise, which is truly what makes this organization so great. I would encourage anyone reading this to reflect on how you might use your time and talent to share your insight with others. For some that might be writing a Journal article, for others it might be partnering up with another auditor to create a Kick Starter. And I would be remiss if I did not also plug the tremendous value of raising your hand for a volunteer role! It could be the opportunity that forever changes your professional future.
 
In closing, I would like to extend my gratitude to Immediate Past President Melissa Hall. Her unwavering commitment and leadership have guided this organization through a year of challenges and successes. She leaves big shoes to fill, but I look forward to continuing the momentum she has built over the past year.  
 
Wishing all happiness and health as we move into the holiday season,
 
Marion Candrea, Boston University
ACUA President

Multi-factor Authentication vs. Single-factor Authentication: Safeguarding Your Digital World

Due to our society’s increasing interconnection, protecting one’s digital identity has become increasingly important. The authentication approach is often regarded as the most crucial component of information security since it serves to authenticate an individual’s stated identity. The most often used authentication mechanisms are multi-factor authentication (MFA) and single-factor authentication (SFA). 

  • Single-factor Authentication (SFA): The traditional SFA method is based on a single, commonly recognized piece of information. Individuals may recognize, or have easy access to, this specific element. The data in question could be a personal identification number (PIN), a password, or any other type of information that is unique to the person doing the authentication.
  • Multi-factor Authentication (MFA): As its name suggests, MFA requires two or more factors for access. For this reason, MFA is regarded as preferable to SFA for enhanced security. Authentication factors are typically classified into three main groups: possession (also known as ownership), knowledge (also known as cognition), and biometric (also known as intrinsic traits).

To protect the security of one’s online presence, it is critical to have a thorough grasp of the advantages and disadvantages of the many solutions available. A brief comparative analysis of the benefits and downsides of these authentication methods leads to a clear conclusion: SFA is the most viable authentication approach but has the most drawbacks.

Single-factor Authentication (SFA): The Weakest Link

SFA is the most viable authentication approach due to its simplicity. Users are only required to enter a single piece of information, such as a password, in order to obtain access to their accounts. Despite its widespread acceptance and ease of use, SFA has some important drawbacks:

  • Risk of Password Breaches: The weakness in SFA’s security is its password management system. Passwords have become a prominent target for hackers due to their susceptibility to misuse, theft, or compromise via data intrusions. If a password is overly simple or commonly used, its strength may be undermined.
  • Limited Security: Because it relies on a single factor, SFA can only provide limited protection. If an adversary successfully discovers the password, obtaining unauthorized access would be simple.
  • Lack of Adaptability: SFA needs to react more effectively to the ever-changing terrain of emerging threats. Its current level of security needs to be improved to combat two sophisticated attacks: credential stuffing and phishing.

In view of these urgent threats, businesses are rapidly adopting MFA as a more reliable security approach.

Multi-factor Authentication (MFA): Layered Security

Implementing MFA improves security by adding layers of protection that address the shortcomings of SFA. When users must meet multiple conditions, adversaries find it much more difficult to gain unauthorized access. Additional benefits of MFA include:

  • Enhanced Security: MFA improves security by requiring the user to present multiple authentication factors at the same time. If a potential unauthorized user possesses only one of the crucial elements, such as a password, their ability to gain access to the system is reduced.
  • Resistance to Phishing: When done correctly, MFA can effectively prevent fraudulent attempts. If the user unintentionally discloses their password, the offender will have difficulty accessing the account without additional verification measures, such as a fingerprint or a paired smartphone. Even when a password has leaked, these supplemental components are still required.
  • Adaptive Security: The MFA program is capable of adapting and responding to various risk conditions. In the event a login attempt comes from a suspicious device or location, MFA can be enabled.
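
The layered check described under Enhanced Security can be sketched as follows. This is an added example, not code from the article: it pairs a knowledge factor (a PBKDF2-hashed password) with a possession factor (an RFC 6238 time-based one-time code), and the names `Account`, `enroll`, `authenticate` and the PBKDF2 work factor are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 600_000  # assumed work factor for this sketch


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    last_used_step: int = -1  # highest TOTP step already accepted


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def enroll(password: str, totp_secret: bytes) -> Account:
    salt = os.urandom(16)
    return Account(salt, _pw_hash(password, salt), totp_secret)


def authenticate(acct: Account, password: str, code: str,
                 now: Optional[float] = None, step: int = 30, window: int = 1) -> bool:
    """Grant access only if the password AND a fresh TOTP code both verify."""
    now = time.time() if now is None else now
    # Knowledge factor: constant-time comparison of the password hash.
    pw_ok = hmac.compare_digest(_pw_hash(password, acct.salt), acct.pw_hash)
    # Possession factor: tolerate +/- `window` steps of clock drift, but never
    # accept a step at or before one already used (rejects a replayed code).
    current = int(now) // step
    matched = None
    for s in range(max(0, current - window), current + window + 1):
        expected = totp(acct.totp_secret, s * step, step)
        if s > acct.last_used_step and hmac.compare_digest(expected.encode(), code.encode()):
            matched = s
    # Both factors are always evaluated, so a failure does not say which was wrong.
    if pw_ok and matched is not None:
        acct.last_used_step = matched
        return True
    return False
```

A stolen password alone fails this check, and so does a one-time code that has already been accepted once.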

Common Mistakes in Installing Multi-Factor Authentication

Although MFA is recognized to considerably improve security, organizations should avoid making the following mistakes:

  • Weak Recovery Processes: Employers have the burden of ensuring secure access to user accounts, even when one of the authentication components is unavailable. More mechanisms for recovering lost or stolen accounts may expose a system to security risks if not properly secured.
  • Inadequate or Lack of Training: Inadequate MFA implementation can cause user confusion and displeasure. These difficulties can be avoided with proper user education. MFA program participants require extensive rules and thorough education.
  • Limited Device Options: Companies must provide a comprehensive range of MFA device solutions in order to meet the diverse demands and preferences of their clientele. This requires several authentication methods such as text message codes, mobile authenticator apps, biometrics, and hardware tokens.
  • Complexity of Implementation: Overly sophisticated MFA systems are likely to be less effective. Security and usability should coexist smoothly, without imposing additional costs on consumers when they access their accounts.

Balancing Security and User Experience

MFA provides a strong security mechanism; nonetheless, organizations should remember the importance of addressing the user experience. Users are likely to be dissatisfied if MFA solutions prove difficult to use or involve an excessive number of steps. The ideal balance between user experience and data security is critical in the effective deployment of MFA.

Conclusion: The Power of Multi-Factor Authentication

MFA has evolved into a dependable protection for our digital identities in a digital world shaped by the rising diversity of cyberattacks. This is because MFA requires the confirmation of multiple data elements. MFA fortifies a system’s defenses and boosts its resilience against a wide range of attacks by requiring the use of several authentication factors.

Although single-element authentication is widely used, it is incapable of withstanding the frequent and sophisticated attacks that are common in today’s culture. Therefore, MFA should be part of every individual’s and organization’s security policy.

Leveraging Technology and AI Tools in Internal Audit: Enhancing Efficiency and Effectiveness

As colleges and universities continue to experience a changing operating environment and the world experiences political and economic challenges, higher education institutions are looking for ways to gain efficiencies within their processes and procedures. At the same time, in the past year, the world has been introduced to astounding technological advancements with the public launch of ChatGPT and the availability and improvement of similar Generative Pre-trained Transformer (GPT) models.

As institutions are identifying ways to leverage technology in many areas of operations, Internal Audit also has the opportunity to enhance the efficiency and effectiveness of its work. The use of technology and data analytics has transformed the internal audit function by enabling data-driven insights into new and emerging risks, productivity gains with the automation of labor-intensive audit tasks, increased risk coverage, and repeatable processes for continuous risk monitoring.

The Evolution of Internal Audit

Internal audit functions play a crucial role in ensuring the integrity, compliance, and effectiveness of an organization’s operations. However, Internal Audit is no longer tasked with simply performing evaluations and assessing the effectiveness of risk management, control, and governance processes. Internal auditors are now being tasked with playing a more active role in guiding executive decision-making, leveraging data to identify anomalies and vulnerabilities as well as identifying opportunities to optimize operations across the organization. Further, the risks and activities covered by internal audit engagements have become more dynamic and complex.

With the rapid advancements in technology and the rise of artificial intelligence (AI), internal auditors now have powerful tools at their disposal to enhance their work. Today’s technology and digital tools can be utilized throughout the internal audit lifecycle: from information gathering and goal setting, development of risk assessments and audit plans, assessments of plans, performing audits, and reporting results. Automated workflows and data visualizations have improved the process to be more cost-effective and collaborative to allow for more informed decisions.

Leveraging Technology for Internal Audit Effectiveness and Efficiency

When fully integrated, technology tools can be embedded into all elements of the audit lifecycle providing valuable efficiencies and risk insights in the areas below:

Planning & Scoping

Auditors can use technology tools to provide a deeper view of risk when conducting annual audit planning or in scoping each individual audit:

  • Enterprise Risk Assessment and Audit Plan Creation: AI and GPT tools can be used to brainstorm risk areas or industry challenges or assist in creating questions to ask in risk assessment surveys or interviews. Data analytics can be leveraged to help institutions quickly gain insights into enterprise risks and controls, and to prioritize management’s actions by analyzing historical risk factors or identifying areas of lesser controls or ineffectiveness. Technology tools can also be leveraged to provide data visualization of key performance indicators (KPIs) that more readily identify outliers or target areas of greater performance challenges.
  • Audit Planning: Like the items noted above, technology tools can be leveraged for planning specific audits as well. Providing deeper insight into transactional information to better understand key operational activities and risks involved in the audit area allows auditors to prioritize and focus efforts. Further, GPT-style tools can help auditors to develop draft audit plans and identify work steps.

Fieldwork

Technology tools can deeply enhance and streamline fieldwork activities, primarily through leveraging data analysis. Examples below highlight how analytics can be used across a number of common audit areas to provide greater coverage and visibility, with the potential to leverage such actions either for building continuous monitoring programs or for completing distinct audits within the plan.

  • General Ledger Close and Financial Reporting: Analysis of journal entry data can assist institutions in quickly identifying unusual and unauthorized journal entries, automate completeness tests, and prioritize reviews based on risks.
  • Payroll: Payroll data can be visualized to obtain a high-level overview of payroll activity by employee, level, and location including deductions, pay rates, and overtime payments. Testing can be automated to identify payments made before hire date or after termination, excessive overtime per pay period and off-cycle payments.
  • Travel and Entertainment Expense Process: Analytics on travel and expense data can help institutions perform a more targeted and automated review of employee expenses by reviewing data by employee, period, and expense type. Search functions and drill down capabilities can help identify excessive spending, inaccurate or duplicate submissions, and non-compliance with company policy. Results can also be used to select a more targeted sample for detailed testing.
  • Vendor Master Management: An analysis of vendor master data can provide insights into top vendors, inactive vendors, and vendor data integrity. Predetermined tests can identify vendors with missing, inaccurate, or duplicate data which may lead to an inefficient business process or potential fraudulent business activity.
  • Accounts Payable Process: Data analytics enables institutions to quickly identify inaccurate or duplicate payments, invoice processing delays, segregation of duties conflicts, and distribution of invoices processed and paid for a scope period. These results allow management the ability to drill down to root cause and perform timely resolution of risk areas.
  • Research Expenditures: Expenses charged to sponsored research activities can be reviewed to identify cost allowability concerns or provide opportunities for stronger risk identification. Tools can be deployed to evaluate against common standards (such as the Uniform Guidance or institutional policies) as well as built to leverage system data to check against items like an award’s specific budget.
  • System Access: Data analytics can be leveraged to ensure user access to enterprise systems is accurate and adherence to corporate policy is managed correctly during employee terminations and transfers.
  • Fraud Detection: Machine learning algorithms can learn from historical data to detect new and emerging fraud patterns, enabling auditors to stay ahead of fraudsters. By leveraging AI for fraud detection, internal auditors can enhance their ability to identify and investigate potential fraud, ultimately safeguarding the organization’s assets and reputation. 
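
The System Access test described above can be automated by joining an HR roster to a system access export. The following is an added example, not code from the article; the column names, finding labels and sample rows are constructed for the illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data (assumed layout): an HR roster and an ERP access export.
HR_CSV = """emp_id,status,dept,term_date,transfer_date
1001,active,Finance,,
1002,terminated,Finance,2023-09-15,
1003,active,Research,,2023-08-01
1004,terminated,IT,2023-10-01,
"""
ACCESS_CSV = """account,emp_id,role,role_dept,enabled,granted,last_login
jdoe,1001,AP_Clerk,Finance,Y,2022-01-10,2023-10-20
asmith,1002,GL_Approver,Finance,Y,2021-05-03,2023-09-28
blee,1003,AP_Clerk,Finance,Y,2022-03-01,2023-10-18
blee,1003,Grant_Admin,Research,Y,2023-08-02,2023-10-18
cwu,1004,Sys_Admin,IT,N,2020-02-02,2023-09-30
svc_tmp,9999,GL_Approver,Finance,Y,2023-01-01,2023-10-19
"""


def _d(text):
    """Parse an ISO date, treating an empty cell as 'no date'."""
    return date.fromisoformat(text) if text else None


def review_access(hr_csv=HR_CSV, access_csv=ACCESS_CSV):
    """Return (account, role, finding) tuples for access that HR data does not support."""
    hr = {row["emp_id"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acc in csv.DictReader(io.StringIO(access_csv)):
        key = (acc["account"], acc["role"])
        enabled = acc["enabled"] == "Y"
        emp = hr.get(acc["emp_id"])
        if emp is None:
            # Enabled account with no owner in HR: orphaned or shared account.
            if enabled:
                findings.append(key + ("NO_HR_RECORD",))
            continue
        term, moved = _d(emp["term_date"]), _d(emp["transfer_date"])
        last_login = _d(acc["last_login"])
        if term:
            if enabled:
                findings.append(key + ("ENABLED_AFTER_TERMINATION",))
            # Strictly after: a login on the termination date itself is not flagged.
            if last_login and last_login > term:
                findings.append(key + ("LOGIN_AFTER_TERMINATION",))
        elif (moved and enabled and acc["role_dept"] != emp["dept"]
              and _d(acc["granted"]) < moved):
            # Role belongs to the old department and predates the transfer.
            findings.append(key + ("ROLE_RETAINED_AFTER_TRANSFER",))
    return findings
```

On the sample data the review flags the terminated approver whose account stayed enabled and was used, the transferred employee who kept a Finance role, and the account with no HR owner, while the correctly disabled `cwu` account produces no finding.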

Reporting

  • Drafting Reports: GPT technology can be used to write first drafts of audit reports or details for specific findings and recommendations.
  • Action & Issues Tracking: Analytics can be leveraged to continuously monitor audit issues and action plans to drive behavioral change with how issues are remediated.
  • Executive Reporting: The use of technology can optimize Board and Audit Committee reporting on the status of the overall internal audit program to guide executive decision making.

The integration of technology and AI tools in Internal Audit has the potential to revolutionize the profession. Advancements in digital technology can empower institutions to conduct detailed self-audits at regular intervals and continuously monitor risk in a timely, cost-effective, and collaborative manner.

However, internal audit functions must carefully consider how and where they deploy technology tools, especially GPT-type assistance. After attending the recent AuditCon in Miami and hearing the Tuesday morning keynote session from Paul Roetzer, it is clear that with great power comes great responsibility. Users of AI and other technology-aided audit processes must ensure there is proper governance in place to support the use of such tools. Internal audit functions must consider any risks associated with the use of tools or other policies or restrictions implemented for their organization, and always remember that GPT-style tools are merely another tool in an auditor’s toolkit and not a fully vetted answer. Challenges include relevancy of data (most tools were last trained on comprehensive data sets from 2021) and accuracy and verifiability of the results provided. Additionally, many data analytics technologies or machine learning models require specialized skillsets and knowledge to appropriately design and deploy.

While the rapidly evolving enhancements to technology capabilities present a bevy of opportunities to increase audit efficiency and effectiveness, it must be done in a thoughtful and intentional manner to best elevate your specific audit function.