Resources

Share Your Expertise: ACUA Mentorship Program

The ACUA mentorship program is in its 7th year of pairing those new to internal audit, higher education, and/or seeking professional development with experienced ACUA mentors. The program promotes networking, sharing knowledge, and professional growth, and is a no-cost member benefit. There are currently eighteen pairings for this fiscal year. Once a mentee is matched with a mentor, the two usually meet at AuditCon or virtually to start their fiscal year commitment, which often includes monthly or bimonthly meetings.

Patrick McKinney, Director of Internal Audit at The University of Texas, is the new director of the program and is in charge of matching mentee applicants with mentors. Mentees complete a questionnaire that includes key interest areas, such as creating audit plans, audit program management, creating a new audit function, and working with senior management). Mentors also complete an application that lists their strengths, time availability, institution type and size, and information about past experience. The program is currently in need of additional mentors.

“Give it a Shot.”

New mentor Matt Walsh, Audit Director at Texas Tech, wasn’t sure what to expect from the program. He volunteered because he wanted to give back to his profession and get more involved with ACUA. He met his mentee, who was new to internal audit, on a Zoom call. Walsh asked what she wanted to get out of the program, which was to learn more about career progression and the path he had taken. With 10 years of audit experience, mentoring turned out to be second nature for Walsh.

They established monthly meetings to talk about career paths and her projects at a high level, staying away from specific advice and project details that could affect confidentiality. While a mentor can share ideas on projects, it is encouraged to guide mentees to their supervisors for specific implementation advice.

It is also important to steer a mentee away from complaining about their job and keep the conversation positive. A good mentor can turn the conversation around and ask what the mentee can do to improve the situation. Walsh never experienced complaining and said they had productive conversations with each meeting.

Walsh’s mentee left internal audit during the program, but he is eager to work with a new mentee in the next year. “Mentors don’t have to have experience mentoring,” Walsh said, “they just need job experience. Find out what the mentee needs and go from there.” For those considering becoming a mentor, Walsh says, “Give it a shot. It’s a great way to give back to the profession without a huge time commitment, and a good way to network.”

From Mentee to Mentor

Andre’ McMillan, Associate Director at the University of Delaware, first learned about the mentorship program through the ACUA president who paired him up with a former ACUA member from the University of Alaska. A staff member at the time, McMillan wanted input on career coaching and to better understand the industry. His mentor shared her higher education experiences with him and gave him a better understanding of what his boss was looking for in a rising leader.

The next year McMillan re-applied for the program with a different goal in mind. He had just been promoted to Associate Director and wanted to learn more about effective leadership. With his mentor’s guidance, he learned positive ways to coach his staff members, how to train and develop new staff, and learned tips on assigning work and handling promotions and disciplinary situations. Together they set goals which McMillan shared with his director.

For McMillan, the results were immediate. His mentors asked him about his goals and what he wanted to get out of the program, then established a regular meeting schedule to make mentoring a priority. He was also encouraged to reach out to his mentor on an ad hoc basis when needed. He felt comfortable with the one-on-one interaction, noting it was helpful to get an outside opinion on topics that could not easily be discussed with a direct supervisor.

This year McMillan decided to take the next step and become a mentor himself, paired with new internal auditor Brandi Fleck from the University of Oregon. He took his own mentor’s advice and listened to her needs and set up monthly Zoom meetings for their discussions.

Personalized Support

Fleck was encouraged to apply for an ACUA mentor. While Fleck had worked in research compliance for 4 years, she was new in the internal audit department shop of four employees. She was most interested in learning different methods of auditing, getting a variety of perspectives, discovering career paths, and learning ways to get involved with ACUA. Fleck met her mentor McMillan for the first time at the 2022 Audit Con in Las Vegas.

She first wanted to discuss her current audit work with her mentor. While maintaining confidentiality, she would ask McMillan questions about performing everyday work such as developing a work plan and documenting workpapers. McMillan would ask open ended questions like what is the objective, what is the control, and how can you test the control. She asked for McMillan’s opinion on how to sample non-salary payments between different departments, and McMillan shared some ideas with her. Having a mentor is not a substitute for your own supervisor, but Fleck said it helped to gain a different perspective and bring back ideas to her own department.

McMillan also shared his experiences with professional development. Fleck learned tips on how to work with difficult clients and how to not take things personally after a difficult encounter. McMillan has encouraged her to take the CIA exam and Fleck has started studying for part one.

For those unsure about starting a mentor/mentee relationship, Fleck says to, “Go for it! It’s a great way to connect and develop relationships outside of your university and to get personalized help.”

Expand ACUA Involvement

Another benefit of the program is learning how to become more involved with ACUA. McMillan has been on the Marketing Task Force and the Communications Committee, and even participated on an external quality assessment review (QAR) through ACUA. Fleck has joined the Diversity and Inclusion Committee at ACUA.

All of our mentors and mentees expressed comfort in their relationships and agree there are great people at ACUA who are committed to helping each other and share a responsibility to the profession. While there is a one-year commitment for the mentee/mentor relationship, most pairs continue to keep in touch well after that period, and the benefits can last a lifetime.

The mentorship committee will begin advertising and seeking next year’s mentors and mentees early this summer. Be on the lookout for additional information in your email, Connect ACUA, and the ACUA website. You can also reach out directly to Patrick McKinney at 512-471-0663 or Patrick.mckinney@austin.utexas.edu with any questions you may have.

Reactions to the Proposed IIA Standards Changes

For the past two years the Internal Audit Standards Board (IASB) has been creating the first major update to the Institute of Internal Audit Standards in over 20 years. A draft of the new Standards was released to the public on March 1, 2023. The 90-day public comment phase will commence May 30, 2023. Details about the new Standards changes and a link to the comment survey are on the IIA’s International Professional Practices Framework (IPPF) Evolution website at: https://www.theiia.org/en/Standards/ippf-evolution/

The Current Standards

The existing IPPF consists of multiple documents and resources, often repetitive and difficult to locate. There is a standalone mission of internal audit, “To enhance and protect organizational value by providing risk‐based and objective assurance, advice, and insight.” Mandatory guidance is divided between Core PrinciplesDefinition of Internal AuditCode of Ethics, and the Standards. The current Standards are further divided between attribute and performance standards. Additional recommended guidance is provided by Implementation Guidance and Supplemental Guidance.

Image mapping current IPPF to new standards.
The existing pieces of the International Professional Practices Framework.

Proposed Changes to the Standards

One of the biggest objectives of the IASB was to consolidate the former fragmented guidance into a single, user-friendly format. The proposed IPPF contains the new Global Internal AuditStandards (“new Standards”) that combines the guidance and is the section that has been released for public comment. The IASB plans to add two additional elements which have not been released yet: Topical Standards, which add more requirements on specific audit topics, and additional guidance on performing engagements.

Image showing proposed IPPF.
The proposed IPPF, with Global Internal Audit Standards released for public comment.



The new Global Internal Audit Standards is a 108-page guide organized into five domains that more clearly indicate key roles and responsibilities. Each domain is broken down into different principles, each with its own requirements, considerations for implementation, and evidence of conformance. At first glance it appears the former guidance has merely been rearranged into a logical format, but the changes are in the details. There is a new purpose, new standards, additional mandatory requirements throughout, changes to quality assurance review (QAR) requirements, additional board oversite requirements, and an increased focus on stakeholders and the public interest. The new domains are as follows:

  • Domain I: Purpose of Internal Auditing – Contains elements of the current Definition and Mission of Internal Audit.
  • Domain II: Ethics and Professionalism – Incorporates and builds upon the current Code of Ethics.
  • Domain III: Governing the Internal Audit Function – Focuses on the relationship between the board and the chief audit executive.
  • Domain IV: Managing the Internal Audit Function – Focuses on the requirements for the chief audit executive to manage the internal audit function effectively
  • Domain V: Performing Internal Audit Services – Focuses on performing assurance and advisory engagements.

ACUA Survey Results

The ACUA Auditing and Accounting Principles sub-committee ecently asked members to complete a brief survey about the proposed changes to the IIA Standards. Surveys were completed by 58 members and gathered overall opinions along with open-ended questions about members’ top pros and cons of the changes.

Overall, 74% of respondents generally supported the proposed new Standards. Members appreciated the improved organization and structure of the domains and having one consolidated source of guidance. They cited the improved clarification of roles and responsibilities, especially regarding the chief audit executive (CAE) and audit committees. There was support over the additional standards and specific guidance within each standard. Some members favored additional emphasis on objectivity and professional skepticism, support for the public sector, and stronger requirements for continuing professional education and external assessors. Members also noted the de-emphasis on having separate Standards for assurance versus consulting engagements.

When asked about their top two concerns over the proposed new Standards, 40% of respondents cited the overly prescriptive requirements throughout the document. The number of “musts” and “shoulds” has members wondering if the internal auditing profession is becoming a big administrative checklist rather than one of critical thinking and professional judgment.

The top concerns over specific sections of the new Standards are as follows:

  • 59% of respondents took issue of the excessive Board requirements throughout Domain III: Governing the Internal Audit Function. Most question whether the IIA has the authority to mandate specific Board requirements as board members are usually not IIA members and the CAE does not have authority over the board’s actions.
  • 41% disagreed with Standard 8.4 External Quality Assurance, which modifies the requirements by mandating an external review be performed every 10 years, instead of a self-assessment with validation, and requires having a Certified Internal Auditor (CIA) on the review team. This is cost-prohibitive and excludes seasoned reviewers who are not CIAs.
  • 21% were concerned with Standard 15.1 Final Engagement Communication because it requires findings to be ranked by significance, as rankings are subjective and cause conflict.
  • 10% disagreed with elements of the new Domain I: Purpose of Internal Auditing. The purpose statement focuses on “enhancing the organization’s success” and “serving the public interest.” The prior mission statement focused on providing a risk-based independent and objective service. Members believe the emphasis on success and serving the public interest presents a conflict of interest and shift in priorities.
  • 10% felt that acknowledgement of bias in Standard 2.1 Individual Objectivity and the statement “Internal auditors must be aware of and manage potential biases” negatively conveys auditors are inherently biased instead of being fair and impartial.

Additional concerns noted as particularly burdensome for the small shops were identified in the following areas:

  • Standard 2.2 Safeguarding Objectivity – Small shops felt the requirement that internal auditors must not provide assurance over an activity where they provided advisory services within the last year is too restrictive and limiting.
  • Standard 10.2 Human Resource Management – “The CAE must establish a program to recruit, develop, and retain qualified internal auditors” may be overly-burdensome.
  • Standard 12.1 Internal Quality Assessment – The suggested alternative for small shops “to consider requesting assistance from others within the organization to conduct periodic assessments, such as former internal auditors or others with suitable knowledge of internal auditing” may not be practical.
  • Standard 12.2 Performance Measurement– A new standard aiming to build upon accountability of internal audit to both the board and senior management requires the CAE to develop and report on a performance measurement methodology creates more administrative work.

Next Steps

While ACUA members are generally in favor of the modifications to the Standards, there are many details that members feel the IIA should reevaluate. The Auditing and Accounting Principles sub-committee have presented the survey results to the ACUA Board in preparation for the ACUA formal response to the IIA. The committee also encourages individual members to complete their own response to the IIA if desired at: https://www.theiia.org/en/Standards/Standards-Public-Comment/

After reviewing the public comments and making any modifications, the IIA anticipates releasing the new Standards in late 2023. The new Standards become effective 12 months from the release date in late 2024.

Letter from the Editor

Hello ACUA Members!

As the flowers bloom and the Class of 2023 graduates, one can’t help but feel the positive change that is occurring all around us, including changes within the Journal and our profession.

I want to thank former Journal editor Gavin Shubert on his work with the ACUA Journal and wish him the best as he leaves higher education to pursue a career in consulting. As the former Deputy Editor, I have graduated to the role as your new Editor, and I’m looking forward to finding a new Deputy Editor and more article contributors. Feel free to reach out to me with questions, comments, or ideas for future articles at editor@ACUA.org

The Journal is making a positive change to share more information about ACUA committees and members to keep you informed and encourage participation. This issue we highlight the ACUA mentorship program, whose FY23 mentees are about to graduate from the program. We also feature member poll results on hot audit topics, remote working, data analytics software, and more in the Tools and Resources section.

Last March in Denver many members graduated from the new auditor track at Audit Interactive, and seasoned auditors expanded their knowledge. Perhaps there are some new mentors and mentees in that group.

Even the IIA Standards are graduating to the new Global Internal Audit Standards. A big thanks to the Auditing and Accounting Principles sub-committee for gathering member concerns for a formal ACUA response. Learn more about the proposed changes in this issue and submit your concerns to the IIA before May 30th. I completed their quick online form already.

As this fiscal year comes to an end, I wish you a happy graduation and a positive start to FY24.

Sincerely,
Kara Hefner

ACUA Poll: Remote Work, Data Analytics and AuditCon

Last month the ACUA Journal launched a poll on ACUA Connect to get input from members on a variety of topics so that trends could be shared with the membership. This article summarizes remote work, data analytics, and AuditCon interest. Information on hot audit topics is shared in a separate article in this issue. There were 64 responses from small, medium, and large shops.

Chart of survey respondents' audit shop size

Remote Work

Since the pandemic, only 27% of respondents are working in the office every day. The number of hybrid workers make up the majority at 51%, while 22% primarily work from home full time.

Pie chart showing primary working arrangements of survey respondents.

For those on a hybrid schedule, 60% come to the office on a set pattern each week. The remainder can be flexible on which days they come in the office, with 22% stating they need to come in for a set number of days.

Pie chart showing hybrid schedules of survey respondents.

Data Analytics Software

Auditors are encouraged to incorporate data analytics into their engagements to identify patterns, detect outliers, test entire populations, identify duplicates, and understand the data better. There were 27 respondents who said they used data analytics software outside of Excel, some using multiple products. The most popular software was nearly evenly distributed between ACL, IDEA, PowerBI, Tableau, and IBM Cognos. Some schools were using TeamMate Analytics, and others used Alteryx and ActiveData plugins.

Pie chart showing data analytics software used by survey respondents.

AuditCon Attendance

This year’s AuditCon will be held in sunny Miami from September 24-28. The ACUA Journal asked the 64 respondents whether they plan to attend. While most were unsure at this time, 15 said yes to in person and 3 plan to attend virtually. We hope to see you there.

Chart showing responses about attending AuditCon in Fall 2023.

Letter from the President

Dear ACUA Colleagues,

I hope everyone is enjoying the beginning of Summer!

It was my pleasure to update the membership at the Annual Business Meeting that occurred on May 23, 2023.  If you were not able to join us, the presentation will be posted to ConnectACUA.  I especially want to take a moment thank our Treasurer, Chris Walker, for his and the Finance and Investment Committee’s work over the past year.

For 2024, the Board engaged a Task Force led by Toni Stephens, to assist in identifying the best path for delivering exceptionally relevant content to our members considering the increased costs of hotels, food and beverage, and hybrid streaming technology post COVID.  After thorough review and discussion of the task force recommendations as well as our financial projections, we are very excited to announce some changes to ACUA’s 2024 conference plans as follows: 

  • 2024 Audit Interactive will occur Virtually  
  • 2024 AuditCon will occur In-Person

After sending out requests for proposals to 9 different cities all over the United States, the Executive Committee reviewed the most economically feasible options for both the Members and the Organization.  I’m excited to share that we are working through final negotiations with a hotel in Atlanta, Georgia for AuditCon 2024.

I look forward to seeing you all in Miami, Florida for AuditCon 2023 September 24-28, 2023 at the Loews Miami Beach Hotel.     

Sincerely,
Melissa Hall, Georgia Institute of Technology
ACUA President

Letter from the Editor

Hello ACUA members,

Please give a warm round of applause for ACUAs new president, Melissa Hall, who made her first appearance in the Journal in the Letter from the President. Melissa took over as President from Brian Daniels, who did a great job leading ACUA through the pandemic and out the other side.

This season’s Journal issue features several fantastic pieces from a broad range of writers. Jaime Fernandez wrote a terrific article about continuous auditing and how your shop can beneficially implement this process. In addition, Han Yan, Ph.D., examines how internal auditing changed because of COVID and what the future of internal audit looks like beyond COVID. Then, David Clark gives an overview of diversity, equity, and inclusion in higher education and what to consider as your institutions formalize their plans to become more inclusive. Next up, Tharanee Ravindran highlights how a Control Self-Assessment can add value to future engagements by addressing risks at your institution. After that, Rose Kelly, Lisa Palazzo, Tina Griffiths, and Elizabeth Walton wrote about a three-pronged approach to risk, compliance, and controls at Case Western Reserve University, co-sourced with Deloitte. Finally, Jennifer Saak, Ph.D., Sheila Cranman, Ph.D., and Scot Allen, Ph.D., analyze how your institution can audit export controls, a hot topic at research-oriented universities.

In this issue of the College and University Auditor, you will find a wide variety of topics written by talented authors who strove to make their knowledge and expertise relatable and valuable for professionals in every institution. Please consider joining a growing field of professionals making their mark on the collective learning of our ACUA community by reaching out to me at editor@ACUA.org. Questions, ideas, and comments are always welcome.

Sincerely,

Gavin Shubert, Editor

Letter from the President

Dear ACUA Colleagues,

I hope everyone is enjoying the beginning of the Holiday season and is now on the countdown to Winter Break.

It was so great to see over 300 of you that were able to attend in person for AuditCon 2022 in Las Vegas. We also were glad to be able to provide content to the additional participants that were not able to attend in person.  We had such a robust schedule of timely and relevant information. This is directly attributable to our fabulous volunteers, staff, and strategic partners, who work diligently to ensure that our continuing education content is relevant and addresses the emerging risks affecting our industry and profession. THANK YOU ALL!  

As we look to the future of ACUA in 2023, I’m excited by all the possibilities as we embrace how the world has changed. Together we will all work to define the “new normal” for ACUA and our campuses. I hope that you will make plans to join us in Denver, Colorado, for Audit Interactive March 26-29, 2023, at the Grand Hyatt Denver.  

Lastly, a special thanks to our Immediate Past President, Brian Daniels of The University of Tennessee, for setting me up for success. He graciously led us out of the pandemic and back to in-person conferences. His leadership style will be hard to duplicate, but I look forward to stepping into his shoes and leading ACUA into the future.  

Sincerely,

Melissa Hall, Georgia Institute of Technology
ACUA President

Adding Value Through Control Self-Assessments

The ever-changing business environment requires institutions to embrace dynamic practices to manage risks appropriately and achieve organizational goals. Hence, audit departments worldwide strive to ensure their key activities align with the needs of the organizations. Control Self-Assessment (CSA) is an important tool that auditors can use to enhance the role of the internal audit function by adding value to the institution. By partnering with Internal Audit, institutions can take a structured approach to identify the risks associated with processes or activities, assess the related controls to ensure risks are managed effectively, and ensure organizational goals are achieved.

Management and Process Owners Buy-In

The success of the CSA program depends on buy-in at all levels of the organization: from management to department heads to process owners. This involves discussions on how the process works, the benefits of the program, and the resources required to execute the project successfully.

Project Selection Process

Similar to audit projects, the CSA engagements should add value to the institution by addressing the risks to the entity. By incorporating the CSA project selection process as part of the annual risk assessment, the internal audit department can ensure high risk areas are identified for potential projects. Based on residual risk, areas that are high-risk would be first considered for an audit. Any high-risk areas not selected for audits are viable candidates for a CSA project. Once identified, internal audit departments can recruit the departments to participate in the CSA program. During the infancy stage of the program, the audit departments may need to actively recruit volunteers to participate. As the program matures and the institution begins to reap the benefits of the program, internal audit departments will have departments actively volunteering to participate in the program.

CSA Process

The most important step in the process is selecting the CSA team that will oversee the project. It is vital that much consideration is given in selecting the team members. The CSA team mainly comprises of individuals who are involved in the process being assessed. These individuals will play a major role in ensuring the risks pertinent to the process/activity are identified and addressed appropriately.
The internal auditor facilitates the CSA process by performing the following steps.

    1. Conduct an Initial Meeting

    • Similar to the entrance meeting during an audit, the initial meeting is held to finalize the following details:
      • CSA team members,
      • Objectives and scope of the project
      • Timeline for completing the engagement

    2. Execute the Engagement Letter

    • The Institute of Internal Auditor’s International Standards for the Professional Practice of Internal Auditing (Standards) states “Internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding must be documented”. To comply with the letter and spirit of the Standards, a formal engagement letter should be prepared to document the objective, scope, process, and roles and responsibilities.

    3. Perform the CSA

    • Each step listed below is crucial for the program’s success.
    StepDetails of the process
    Identify risksThe CSA team identifies and documents the risks pertinent to the process. This is the most important step in the process since the rest of the procedures stems from this.
    Identify corresponding control(s) and evaluate the design effectiveness of the control(s)Identify and document the corresponding controls for the risks identified in the procedure above. The design effectiveness of the controls is evaluated during this phase to determine whether adequate controls exist to address the risks. If the CSA team concludes that either control does not exist or is inadequate, an opportunity for improvement will be developed.
    Evaluate the operating effectiveness of controlsFor the controls that are designed effectively, one or more of the following techniques can be utilized to evaluate the operating effectiveness of the controls: Team Meeting, Survey, and Facilitated Workshop.
    Validate ResultsThe assessments results must be validated by someone independent to ensure the results support the conclusion(s).
    Identify opportunities for improvementOpportunities for improvement are developed based on the conclusions from the Team Meeting, Survey, and Facilitated Workshop.
    Develop Management Action PlanManagement develops an action plan that enhances controls, guided by auditors.

    4. Share the results

      • The report is issued by the process owner and addressed to Management. It includes the following: Objective, Scope, Methodology, Analysis of Results, Conclusion, and Management Action Plan.

      5. Post Engagement Survey

      • Consider sending a Post Engagement Survey to the CSA client to solicit feedback on the engagement; it will help improve the process.

      6. Follow Up

      • Follow up on the planned action to ensure gaps in controls are remediated.

      Conclusion

      CSA promotes departments taking a structured approach in assessing risks and controls, through which it promotes accountability of controls. In addition, it helps the process owners and operational staff get a better understanding of the operations and helps them understand the importance of their respective roles and responsibilities in addressing the risks to the institution and achieving the organizational goals. By facilitating CSA projects, the audit department builds a trusting relationship with departments on campus. In addition, the audit team gets access to information, including risk management practices and control environment, that is vital in the annual risk assessment process. Internal audit departments can successfully facilitate CSA engagements using fewer resources than required for an audit while providing great benefits to the business units.

      Continuous Auditing Can Work For You!

      After identifying concerns through an audit, we often find the same problems recurring. But how can this be? The client assured us that the issues had been addressed; however, the same risks persisted.
      Although different, continuous monitoring and continuous auditing are often mentioned in the same breath and can both increase the effectiveness and efficiency of the organization.

      What Differentiates Continuous Monitoring from Continuous Auditing?

      Continuous monitoring is an ongoing process used to monitor both processes and risks associated with an organization’s operations and is management’s responsibility.   Monitoring programs should be designed to test for inconsistencies, duplication, errors, policy violations, missing approvals, incomplete data, dollar or volume limit errors, or other possible breakdowns in internal controls. Monitoring techniques may include sampling protocols that permit program managers to identify and review variations from an established baseline. [1]

      Continuous auditing is just auditing, but on a more frequent, regular basis than the standard auditing engagement and is performed by the audit department. Continuous auditing is often made possible by technology that can collect and analyze data quickly. [2] Furthermore, the auditor uses more frequent check-ins to provide assurance that controls are adequate and functioning properly. Additionally, continuous auditing may allow the organization to reduce the frequency of traditional assurance audits.  

      Where Do You Start with Continuous Auditing?

      After engaging in conversations with numerous clients and completing your audit plan, you should be aware of key business objectives critical to the university’s operations.

      For example, a critical operation for any university is the Admissions Office, and your office recently completed an Admissions audit as part of last year’s audit plan. Several findings were identified, and going forward, you have the opportunity to help your client resolve one or more of these concerns.

      Based on this information, you should:
      a) Assess the risks associated with those objectives and identify areas that are potential candidates for Continuous Auditing.
      Example: The Admissions Office policy required more than one approver per applicant and include documentation comments about their approval. However, your audit found that students were admitted with only one approver and no comments on why they were approved.

      b) Obtain an Understanding of How the Process Works
      Example: You are now challenged with identifying the weakened control in the admissions process. Based on work from the initial Admissions audit, the admissions process should already be documented. The process should be re-verified with someone who understands the process, and if there are process changes, the documentation should be updated.

      c) Use Continuous Auditing to Determine the Cause of the Control Breakdown or Increased Risk
      Example: When using continuous auditing to determine how controls are performing, you may have identified that the review process needs modification. For instance, if the admissions application process is not automated, the solution may require an Admissions employee to select some reports periodically (daily, weekly, monthly) for compliance review. This is to determine if more than one reviewer has processed applications with comments justifying admission, as prescribed. In this example, the process was automated, a script modification was needed. This required adding a control which did not allow applications to advance within the process until two approvers signed off with comments justifying admission. Once the control correction had been placed, Internal Audit continuously audited to determine the effectiveness of this control.

      d) Collaborate with Your Client
      Your client can assist with continuous monitoring efforts by performing compliance checks (daily, weekly or monthly) to determine how frequently errors occur. In our example, the client will likely be able to periodically pull admissions reports to assess whether process improvements are effective. The client may gain the ability to recognize and solve control issues themselves without getting Internal Audit involved.    

      e) Assess Results and Report
      Using the data you have gathered over time, you can determine if the controls are more effective at achieving the desired results.

      In reference to our example, your institution will receive the most applications for the Fall semester. Therefore, it is most appropriate to do Fall to Fall comparisons as opposed to Fall to Spring. As we know, your institution will have fewer Freshman admissions in Spring. With a reduced workload, the Admissions review staff may make fewer errors.

      However, for Fall admission assessments, Admissions will have more work, and more reviewers could be needed. Because of time constraints and inexperience, following admissions policies may not always happen. The Fall to Fall comparison may be more relevant for an effective evaluation regarding improvements in admission controls.

      Example: Below is a visualization of comparative data between Fall 2020 and Fall 2021 for student admissions. Regarding the two Admission policy requirements mentioned in (a) above, which relate to having more than one approver and having approval comments, what is the data telling us?




      • For the admissions policy requirement of having at least two reviewers mention in (a) above, there are no concerns as this process appears to be working. In both years, there was only one application that showed one reviewer.
      • However, reviewers are not always documenting comments. In the example, “Reviewer 1” represents one Admissions staff member, “Reviewer 2” represents another, and so on. Reviewer 1 did not add the required comments for nine applications in Fall 2020 compared to 37 applications in Fall 2021. The trend is generally negative for many reviewers and this is where a deeper look into the controls is needed. 

      After reviewing the trend results, report the outcomes and determine if more continuous auditing is needed. Meet with your client and discuss the results. In our example, without the data analytics information, Admissions may not have known that the number of applications without comments had increased from 2020 to 2021. Using the new information, the client may already know the cause or may need further investigation. In this example, the client knew the automated application process was having problems, and some applicants had duplicated their applications. The client may continue with their own monitoring to determine if other adjustments are needed.

      Continuous Auditing Benefits

      • Collecting audit evidence on a timely basis.
      • Better analysis of the strength of your controls through more frequent measurement and trending.
      • Better alignment with the pace of change in highly dynamic environments.
      • Automated compliance monitoring tools can help save time and resources in evidence collection.
      • The use of tools to help automate the collection of evidence and data, to perform trending, and to provide insights. [3]

      Continuous Auditing Challenges

      • Understanding how to address the root cause and not the symptom.
      • Selling your client on the notion that you are there to help them and not get in their way.
      • Determining when the control is working at acceptable or reasonable levels.
      • Determining the frequency of performing the continuous audit.
      • Changing business environment.
      • Internal Audit’s proficiency in using data analytic tools.
      • New client staff understanding systems, processes, tools and control monitoring.
      • Management’s expectation that Internal Audit is the monitoring function.

      Conclusion

      As mentioned above, establishing a continuous audit program can be challenging. Therefore, continuous auditing should be carefully planned with your audit client. In the end, you can build goodwill with your client, increase operating efficiencies, and account for risks identified within your risk universe.

      Additionally, your client’s involvement allows them more flexibility in providing a solution.

      References

      [1] Monitoring and Auditing Practices for Effective Compliance: Best Practices for Compliance Officers. Blog Post. (2017, February), Richard P. Kusserow, Strategic Management Services
      https://www.compliance.com/resources/compliance-officers-responsibility-ongoing-auditing-monitoring-high-risk-areas/

      [2] Continuous Auditing vs. Continuous Monitoring. (2017, April 12). https://study.com/academy/lesson/continuous-auditing-vs-continuous-monitoring.html

      [3] What is Continuous Auditing and How Can You Leverage It? (2020, March 03), Paul J. Johnson, WIPFLI, Articles & E-Books, https://www.wipfli.com/insights/articles/ra-what-is-continuous-auditing-and-how-can-you-leverage-it


      Special thanks to Paul Tyler, Carol Rapps and Joselyn Rameau, UTSA Data Analysts, for visualization contributions and review.

      Transforming Internal Auditing during the COVID-19 Pandemic and Beyond

      Two years into the COVID-19 pandemic, universities, together with their internal audit shops, have resumed normal operations, or more accurately, settled into their new norms. To reflect on the gains and losses occasioned by the pandemic, eleven chief audit executives (CAEs) from public and private universities in the U.S. were invited to participate in individual interviews. Looking back on this challenging time, the CAEs provided personal accounts on how their resource and audit work was impacted. And, more importantly, they offered a post-pandemic outlook on the future of the internal audit profession.

      Managing Auditor Shortage

      Many internal audit shops experienced budget cuts and hiring freezes during the pandemic. To manage the impact of budget reductions while meeting the demand of audit work, CAEs began restructuring vacant positions (e.g., change an IT audit manager position to an entry-level data analyst position) or “cannibalizing” positions to allow for salary increases for the current staff. Some shops also hired accounting student interns to mitigate staff shortages.

      At the same time, the job market also became more challenging for the audit shops in higher education, especially for those located in or close to large cities. Due to the shortage of accounting professionals across industries, more job candidates were attracted by the relatively high salary and opportunities in private industry. Work-life balance is not the selling point it once was for higher education, as many organizations have allowed staff temporarily or permanently to work from home. It has become extremely challenging for audit shops in higher education to find highly qualified candidates. So much so, that many hired headhunters to fill their vacant positions.

      Utilizing Data Analytics

      When the pandemic hit the U.S. in March 2020, universities had little time to prepare for initial campus shutdowns. Then, two weeks of “flattening the curve” became one month. And one month then became three months or even longer. When university employees largely worked from home and facilities on campus were closed, internal auditors had to brainstorm new ways to conduct audits. Several CAEs increased the utilization of data analytics, which does not require physical access to facilities or in-person interactions. In fact, adopting data analytics was easier than before, because the whole organization started reengineering manual processes to make working from home possible and effective. This change in the organizational environment created a great opportunity for internal auditors to broaden the scope of data analytics. It also enabled them to connect different data sources and creatively investigate issues at the organizational level.

      Reevaluating Audit Plan and Risk

      Due to physical access constraints, many audit projects had to be delayed or removed from audit plans. For example, one CAE had to remove a scheduled space management audit from an audit plan, because after the campus shutdown, the buildings on campus were no longer in use. And, as another example, audits scheduled in university medical centers during the peak of the pandemic were indefinitely delayed. Given the high COVID exposure risk to internal auditors and the high stress level of the medical center staff, CAEs chose to save these projects for more appropriate times.
      As organizational and working environments changed during the pandemic, CAEs reevaluated audit plans to mitigate the risks that emerged during the pandemic. They planned audit projects to manage risks associated with: remote work, federal pandemic relief funds, FERPA compliance, and information security. The need for supporting external audits, such as audits conducted by federal and state agencies, also increased significantly for some audit shops.

      Increasing Consulting Activities

      When audit clients were “swamped by work” in the middle of the pandemic, the last thing that CAEs wanted to do was to create more work or, worse, distract their audit clients from their critical responsibilities. Consequently, the value of consulting work became more salient during the pandemic. Besides regular audit work, internal auditors gradually stepped into the roles of trusted advisors for management. They provided consulting services that directly addressed clients’ needs and assisted clients who struggled during the public health crisis. For example, internal auditors advised clients on how to improve business processes. They analyzed the existing manual business processes, identified issues and risks, and worked with clients to design more efficient and effective electronic working processes. Occasionally, an audit project transformed into a consulting project, because the clients needed more support through internal auditors’ consulting work during this critical time.

      “Hallway Conversations”

      When people began working from home, the primary method of communication quickly switched from in-person meetings to virtual meetings. Virtual meeting software, such as MS Teams, made it more convenient and efficient to “meet” and connect with people. However, much informal conversation that typically occurs during in-person meetings was lost. And these lost “hallway” or “watercooler” conversations with management turned out to present one of the biggest challenges for CAEs during the pandemic. Internal auditors often develop important insights from casual conversations with management, and these informal conversations happen literally by bumping into people within brick-and-mortar buildings. Beyond building personal connections, these conversations provide internal auditors opportunities to stay updated with the university’s operations, understand university culture, and better appreciate perceived existing issues and risks.

      Internal Auditing beyond the Pandemic

      Although the pandemic has accelerated the use of data analytics in internal auditing, internal auditors must remain committed to exploring new methods of incorporating data analytics into their work product. Since many manual business processes transformed into electronic processes during the pandemic, internal auditors now possess many more doors through which to investigate the interrelationship among different databases. Internal auditors are, thus, now poised to make novel uses.