Please give a warm round of applause for ACUA’s new president, Melissa Hall, who made her first appearance in the Journal in the Letter from the President. Melissa took over as President from Brian Daniels, who did a great job leading ACUA through the pandemic and out the other side.
This season’s Journal issue features several fantastic pieces from a broad range of writers. Jaime Fernandez wrote a terrific article about continuous auditing and how your shop can beneficially implement this process. In addition, Han Yan, Ph.D., examines how internal auditing changed because of COVID and what the future of internal audit looks like beyond COVID. Then, David Clark gives an overview of diversity, equity, and inclusion in higher education and what to consider as your institutions formalize their plans to become more inclusive. Next up, Tharanee Ravindran highlights how a Control Self-Assessment can add value to future engagements by addressing risks at your institution. After that, Rose Kelly, Lisa Palazzo, Tina Griffiths, and Elizabeth Walton wrote about a three-pronged approach to risk, compliance, and controls at Case Western Reserve University, co-sourced with Deloitte. Finally, Jennifer Saak, Ph.D., Sheila Cranman, Ph.D., and Scot Allen, Ph.D., analyze how your institution can audit export controls, a hot topic at research-oriented universities.
In this issue of the College and University Auditor, you will find a wide variety of topics written by talented authors who strove to make their knowledge and expertise relatable and valuable for professionals in every institution. Please consider joining a growing field of professionals making their mark on the collective learning of our ACUA community by reaching out to me at editor@ACUA.org. Questions, ideas, and comments are always welcome.
I hope everyone is enjoying the beginning of the Holiday season and is now on the countdown to Winter Break.
It was so great to see over 300 of you that were able to attend in person for AuditCon 2022 in Las Vegas. We also were glad to be able to provide content to the additional participants that were not able to attend in person. We had such a robust schedule of timely and relevant information. This is directly attributable to our fabulous volunteers, staff, and strategic partners, who work diligently to ensure that our continuing education content is relevant and addresses the emerging risks affecting our industry and profession. THANK YOU ALL!
As we look to the future of ACUA in 2023, I’m excited by all the possibilities as we embrace how the world has changed. Together we will all work to define the “new normal” for ACUA and our campuses. I hope that you will make plans to join us in Denver, Colorado, for Audit Interactive March 26-29, 2023, at the Grand Hyatt Denver.
Lastly, a special thanks to our Immediate Past President, Brian Daniels of The University of Tennessee, for setting me up for success. He graciously led us out of the pandemic and back to in-person conferences. His leadership style will be hard to duplicate, but I look forward to stepping into his shoes and leading ACUA into the future.
Sincerely,
Melissa Hall, Georgia Institute of Technology ACUA President
The ever-changing business environment requires institutions to embrace dynamic practices to manage risks appropriately and achieve organizational goals. Hence, audit departments worldwide strive to ensure their key activities align with the needs of the organizations. Control Self-Assessment (CSA) is an important tool that auditors can use to enhance the role of the internal audit function by adding value to the institution. By partnering with Internal Audit, institutions can take a structured approach to identify the risks associated with processes or activities, assess the related controls to ensure risks are managed effectively, and ensure organizational goals are achieved.
Management and Process Owners Buy-In
The success of the CSA program depends on buy-in at all levels of the organization: from management to department heads to process owners. This involves discussions on how the process works, the benefits of the program, and the resources required to execute the project successfully.
Project Selection Process
Similar to audit projects, the CSA engagements should add value to the institution by addressing the risks to the entity. By incorporating the CSA project selection process as part of the annual risk assessment, the internal audit department can ensure high risk areas are identified for potential projects. Based on residual risk, areas that are high-risk would be first considered for an audit. Any high-risk areas not selected for audits are viable candidates for a CSA project. Once identified, internal audit departments can recruit the departments to participate in the CSA program. During the infancy stage of the program, the audit departments may need to actively recruit volunteers to participate. As the program matures and the institution begins to reap the benefits of the program, internal audit departments will have departments actively volunteering to participate in the program.
CSA Process
The most important step in the process is selecting the CSA team that will oversee the project, so the team members should be chosen with care. The CSA team mainly comprises individuals who are involved in the process being assessed. These individuals will play a major role in ensuring the risks pertinent to the process/activity are identified and addressed appropriately. The internal auditor facilitates the CSA process by performing the following steps.
1. Conduct an Initial Meeting
Similar to the entrance meeting during an audit, the initial meeting is held to finalize the following details:
CSA team members
Objectives and scope of the project
Timeline for completing the engagement
2. Execute the Engagement Letter
The Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing (Standards) states, “Internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding must be documented.” To comply with the letter and spirit of the Standards, a formal engagement letter should be prepared to document the objective, scope, process, and roles and responsibilities.
3. Perform the CSA
Each step listed below is crucial for the program’s success.
Step: Details of the process
Identify risks: The CSA team identifies and documents the risks pertinent to the process. This is the most important step in the process since the rest of the procedures stem from it.
Identify corresponding control(s) and evaluate the design effectiveness of the control(s): Identify and document the corresponding controls for the risks identified in the procedure above. The design effectiveness of the controls is evaluated during this phase to determine whether adequate controls exist to address the risks. If the CSA team concludes that a control either does not exist or is inadequate, an opportunity for improvement will be developed.
Evaluate the operating effectiveness of controls: For the controls that are designed effectively, one or more of the following techniques can be utilized to evaluate the operating effectiveness of the controls: Team Meeting, Survey, and Facilitated Workshop.
Validate results: The assessment results must be validated by someone independent to ensure the results support the conclusion(s).
Identify opportunities for improvement: Opportunities for improvement are developed based on the conclusions from the Team Meeting, Survey, and Facilitated Workshop.
Develop Management Action Plan: Management develops an action plan that enhances controls, guided by auditors.
4. Share the results
The report is issued by the process owner and addressed to Management. It includes the following: Objective, Scope, Methodology, Analysis of Results, Conclusion, and Management Action Plan.
5. Post Engagement Survey
Consider sending a Post Engagement Survey to the CSA client to solicit feedback on the engagement; it will help improve the process.
6. Follow Up
Follow up on the planned action to ensure gaps in controls are remediated.
Conclusion
CSA promotes departments taking a structured approach in assessing risks and controls, through which it promotes accountability of controls. In addition, it helps the process owners and operational staff get a better understanding of the operations and helps them understand the importance of their respective roles and responsibilities in addressing the risks to the institution and achieving the organizational goals. By facilitating CSA projects, the audit department builds a trusting relationship with departments on campus. In addition, the audit team gets access to information, including risk management practices and control environment, that is vital in the annual risk assessment process. Internal audit departments can successfully facilitate CSA engagements using fewer resources than required for an audit while providing great benefits to the business units.
After identifying concerns through an audit, we often find the same problems recurring. But how can this be? The client assured us that the issues had been addressed; however, the same risks persisted. Although different, continuous monitoring and continuous auditing are often mentioned in the same breath and can both increase the effectiveness and efficiency of the organization.
What Differentiates Continuous Monitoring from Continuous Auditing?
Continuous monitoring is an ongoing process used to monitor both processes and risks associated with an organization’s operations and is management’s responsibility. Monitoring programs should be designed to test for inconsistencies, duplication, errors, policy violations, missing approvals, incomplete data, dollar or volume limit errors, or other possible breakdowns in internal controls. Monitoring techniques may include sampling protocols that permit program managers to identify and review variations from an established baseline. [1]
Continuous auditing is just auditing, but on a more frequent, regular basis than the standard auditing engagement and is performed by the audit department. Continuous auditing is often made possible by technology that can collect and analyze data quickly. [2] Furthermore, the auditor uses more frequent check-ins to provide assurance that controls are adequate and functioning properly. Additionally, continuous auditing may allow the organization to reduce the frequency of traditional assurance audits.
Where Do You Start with Continuous Auditing?
After engaging in conversations with numerous clients and completing your audit plan, you should be aware of key business objectives critical to the university’s operations.
For example, a critical operation for any university is the Admissions Office, and your office recently completed an Admissions audit as part of last year’s audit plan. Several findings were identified, and going forward, you have the opportunity to help your client resolve one or more of these concerns.
Based on this information, you should:
a) Assess the risks associated with those objectives and identify areas that are potential candidates for Continuous Auditing.
Example: The Admissions Office policy required more than one approver per applicant and required approvers to include documentation comments about their approval. However, your audit found that students were admitted with only one approver and no comments on why they were approved.
b) Obtain an Understanding of How the Process Works
Example: You are now challenged with identifying the weakened control in the admissions process. Based on work from the initial Admissions audit, the admissions process should already be documented. The process should be re-verified with someone who understands the process, and if there are process changes, the documentation should be updated.
c) Use Continuous Auditing to Determine the Cause of the Control Breakdown or Increased Risk
Example: When using continuous auditing to determine how controls are performing, you may have identified that the review process needs modification. For instance, if the admissions application process is not automated, the solution may require an Admissions employee to select some reports periodically (daily, weekly, monthly) for compliance review. This is to determine if more than one reviewer has processed applications with comments justifying admission, as prescribed. In this example, the process was automated, so a script modification was needed. This required adding a control which did not allow applications to advance within the process until two approvers signed off with comments justifying admission. Once the control correction had been put in place, Internal Audit continuously audited to determine the effectiveness of this control.
d) Collaborate with Your Client
Your client can assist with continuous monitoring efforts by performing compliance checks (daily, weekly or monthly) to determine how frequently errors occur. In our example, the client will likely be able to periodically pull admissions reports to assess whether process improvements are effective. The client may gain the ability to recognize and solve control issues themselves without getting Internal Audit involved.
e) Assess Results and Report
Using the data you have gathered over time, you can determine if the controls are more effective at achieving the desired results.
In reference to our example, your institution will receive the most applications for the Fall semester. Therefore, it is most appropriate to do Fall to Fall comparisons as opposed to Fall to Spring. As we know, your institution will have fewer Freshman admissions in Spring. With a reduced workload, the Admissions review staff may make fewer errors.
However, for Fall admission assessments, Admissions will have more work, and more reviewers could be needed. Because of time constraints and inexperience, following admissions policies may not always happen. The Fall to Fall comparison may be more relevant for an effective evaluation regarding improvements in admission controls.
Example: Below is a visualization of comparative data between Fall 2020 and Fall 2021 for student admissions. Regarding the two Admission policy requirements mentioned in (a) above, which relate to having more than one approver and having approval comments, what is the data telling us?
For the admissions policy requirement of having at least two reviewers mentioned in (a) above, there are no concerns as this process appears to be working. In both years, there was only one application that showed one reviewer.
However, reviewers are not always documenting comments. In the example, “Reviewer 1” represents one Admissions staff member, “Reviewer 2” represents another, and so on. Reviewer 1 did not add the required comments for nine applications in Fall 2020 compared to 37 applications in Fall 2021. The trend is generally negative for many reviewers and this is where a deeper look into the controls is needed.
After reviewing the trend results, report the outcomes and determine if more continuous auditing is needed. Meet with your client and discuss the results. In our example, without the data analytics information, Admissions may not have known that the number of applications without comments had increased from 2020 to 2021. Using the new information, the client may already know the cause or may need further investigation. In this example, the client knew the automated application process was having problems, and some applicants had duplicated their applications. The client may continue with their own monitoring to determine if other adjustments are needed.
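The Fall-to-Fall test walked through in steps (a) to (e), sketched as an added Python example; it is not part of the original article and not the institution's own script. The record layout, field names and sample rows are constructed assumptions, and the duplicate-applicant check reflects the duplicated applications the client mentioned.

```python
from collections import Counter, defaultdict

# Constructed sample export of admissions decisions (not real data). Each
# record is one application; "reviews" holds (reviewer, comment) sign-offs.
APPLICATIONS = [
    {"app_id": "A-1001", "applicant": "S01", "term": "Fall 2020",
     "reviews": [("Reviewer 1", "GPA and essay meet criteria"), ("Reviewer 2", "Concur")]},
    {"app_id": "A-1002", "applicant": "S02", "term": "Fall 2020",
     "reviews": [("Reviewer 1", ""), ("Reviewer 3", "Strong transcript")]},
    {"app_id": "A-1003", "applicant": "S03", "term": "Fall 2020",
     "reviews": [("Reviewer 2", "Meets criteria")]},
    {"app_id": "A-2001", "applicant": "S04", "term": "Fall 2021",
     "reviews": [("Reviewer 1", "  "), ("Reviewer 2", "Concur")]},
    {"app_id": "A-2002", "applicant": "S05", "term": "Fall 2021",
     "reviews": [("Reviewer 1", None), ("Reviewer 3", "Meets criteria")]},
    # Same person signing twice does not satisfy the two-approver policy.
    {"app_id": "A-2003", "applicant": "S06", "term": "Fall 2021",
     "reviews": [("Reviewer 2", "OK"), ("Reviewer 2", "OK")]},
    # Second application from applicant S05 in the same term (duplicate).
    {"app_id": "A-2004", "applicant": "S05", "term": "Fall 2021",
     "reviews": [("Reviewer 3", "Meets criteria"), ("Reviewer 1", "Concur")]},
]


def has_comment(comment):
    """A comment counts only if it contains non-whitespace text."""
    return bool(comment and comment.strip())


def check_application(app):
    """Return (kind, reviewer) policy exceptions for one application."""
    exceptions = []
    distinct_reviewers = {name for name, _ in app["reviews"]}
    if len(distinct_reviewers) < 2:
        exceptions.append(("single_reviewer", None))
    for name, comment in app["reviews"]:
        if not has_comment(comment):
            exceptions.append(("missing_comment", name))
    return exceptions


def summarize(apps):
    """Tally exceptions per term so terms can be compared like for like."""
    summary = defaultdict(lambda: {
        "applications": 0,
        "single_reviewer": [],          # app_ids with fewer than two approvers
        "missing_comment": Counter(),   # sign-offs without comments, per reviewer
        "signoffs": Counter(),          # total sign-offs, per reviewer
        "duplicate_applicants": [],
    })
    seen = defaultdict(Counter)
    for app in apps:
        term = summary[app["term"]]
        term["applications"] += 1
        seen[app["term"]][app["applicant"]] += 1
        for name, _ in app["reviews"]:
            term["signoffs"][name] += 1
        for kind, reviewer in check_application(app):
            if kind == "single_reviewer":
                term["single_reviewer"].append(app["app_id"])
            else:
                term["missing_comment"][reviewer] += 1
    for term_name, counts in seen.items():
        summary[term_name]["duplicate_applicants"] = sorted(
            applicant for applicant, n in counts.items() if n > 1)
    return dict(summary)


def fall_to_fall(summary, prior, current):
    """Per-reviewer change in sign-offs lacking comments between two terms."""
    reviewers = set(summary[prior]["signoffs"]) | set(summary[current]["signoffs"])
    trend = {}
    for name in sorted(reviewers):
        before = summary[prior]["missing_comment"][name]
        after = summary[current]["missing_comment"][name]
        trend[name] = {"prior": before, "current": after, "worse": after > before}
    return trend


if __name__ == "__main__":
    result = summarize(APPLICATIONS)
    for term_name, data in result.items():
        print(term_name, "single-reviewer:", data["single_reviewer"],
              "duplicates:", data["duplicate_applicants"])
    for name, row in fall_to_fall(result, "Fall 2020", "Fall 2021").items():
        print(name, row)
```
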
Continuous Auditing Benefits
Collecting audit evidence on a timely basis.
Better analysis of the strength of your controls through more frequent measurement and trending.
Better alignment with the pace of change in highly dynamic environments.
Automated compliance monitoring tools can help save time and resources in evidence collection.
The use of tools to help automate the collection of evidence and data, to perform trending, and to provide insights. [3]
Continuous Auditing Challenges
Understanding how to address the root cause and not the symptom.
Selling your client on the notion that you are there to help them and not get in their way.
Determining when the control is working at acceptable or reasonable levels.
Determining the frequency of performing the continuous audit.
Changing business environment.
Internal Audit’s proficiency in using data analytic tools.
New client staff understanding systems, processes, tools and control monitoring.
Management’s expectation that Internal Audit is the monitoring function.
Conclusion
As mentioned above, establishing a continuous audit program can be challenging. Therefore, continuous auditing should be carefully planned with your audit client. In the end, you can build goodwill with your client, increase operating efficiencies, and account for risks identified within your risk universe.
Additionally, your client’s involvement allows them more flexibility in providing a solution.
Two years into the COVID-19 pandemic, universities, together with their internal audit shops, have resumed normal operations, or more accurately, settled into their new norms. To reflect on the gains and losses occasioned by the pandemic, eleven chief audit executives (CAEs) from public and private universities in the U.S. were invited to participate in individual interviews. Looking back on this challenging time, the CAEs provided personal accounts of how their resources and audit work were impacted. And, more importantly, they offered a post-pandemic outlook on the future of the internal audit profession.
Managing Auditor Shortage
Many internal audit shops experienced budget cuts and hiring freezes during the pandemic. To manage the impact of budget reductions while meeting the demand of audit work, CAEs began restructuring vacant positions (e.g., change an IT audit manager position to an entry-level data analyst position) or “cannibalizing” positions to allow for salary increases for the current staff. Some shops also hired accounting student interns to mitigate staff shortages.
At the same time, the job market also became more challenging for the audit shops in higher education, especially for those located in or close to large cities. Due to the shortage of accounting professionals across industries, more job candidates were attracted by the relatively high salary and opportunities in private industry. Work-life balance is not the selling point it once was for higher education, as many organizations have allowed staff temporarily or permanently to work from home. It has become extremely challenging for audit shops in higher education to find highly qualified candidates. So much so, that many hired headhunters to fill their vacant positions.
Utilizing Data Analytics
When the pandemic hit the U.S. in March 2020, universities had little time to prepare for initial campus shutdowns. Then, two weeks of “flattening the curve” became one month. And one month then became three months or even longer. When university employees largely worked from home and facilities on campus were closed, internal auditors had to brainstorm new ways to conduct audits. Several CAEs increased the utilization of data analytics, which does not require physical access to facilities or in-person interactions. In fact, adopting data analytics was easier than before, because the whole organization started reengineering manual processes to make working from home possible and effective. This change in the organizational environment created a great opportunity for internal auditors to broaden the scope of data analytics. It also enabled them to connect different data sources and creatively investigate issues at the organizational level.
Reevaluating Audit Plan and Risk
Due to physical access constraints, many audit projects had to be delayed or removed from audit plans. For example, one CAE had to remove a scheduled space management audit from an audit plan, because after the campus shutdown, the buildings on campus were no longer in use. And, as another example, audits scheduled in university medical centers during the peak of the pandemic were indefinitely delayed. Given the high COVID exposure risk to internal auditors and the high stress level of the medical center staff, CAEs chose to save these projects for more appropriate times. As organizational and working environments changed during the pandemic, CAEs reevaluated audit plans to mitigate the risks that emerged during the pandemic. They planned audit projects to manage risks associated with: remote work, federal pandemic relief funds, FERPA compliance, and information security. The need for supporting external audits, such as audits conducted by federal and state agencies, also increased significantly for some audit shops.
Increasing Consulting Activities
When audit clients were “swamped by work” in the middle of the pandemic, the last thing that CAEs wanted to do was to create more work or, worse, distract their audit clients from their critical responsibilities. Consequently, the value of consulting work became more salient during the pandemic. Besides regular audit work, internal auditors gradually stepped into the roles of trusted advisors for management. They provided consulting services that directly addressed clients’ needs and assisted clients who struggled during the public health crisis. For example, internal auditors advised clients on how to improve business processes. They analyzed the existing manual business processes, identified issues and risks, and worked with clients to design more efficient and effective electronic working processes. Occasionally, an audit project transformed into a consulting project, because the clients needed more support through internal auditors’ consulting work during this critical time.
“Hallway Conversations”
When people began working from home, the primary method of communication quickly switched from in-person meetings to virtual meetings. Virtual meeting software, such as MS Teams, made it more convenient and efficient to “meet” and connect with people. However, much informal conversation that typically occurs during in-person meetings was lost. And these lost “hallway” or “watercooler” conversations with management turned out to present one of the biggest challenges for CAEs during the pandemic. Internal auditors often develop important insights from casual conversations with management, and these informal conversations happen literally by bumping into people within brick-and-mortar buildings. Beyond building personal connections, these conversations provide internal auditors opportunities to stay updated with the university’s operations, understand university culture, and better appreciate perceived existing issues and risks.
Internal Auditing beyond the Pandemic
Although the pandemic has accelerated the use of data analytics in internal auditing, internal auditors must remain committed to exploring new methods of incorporating data analytics into their work product. Since many manual business processes transformed into electronic processes during the pandemic, internal auditors now possess many more doors through which to investigate the interrelationship among different databases. Internal auditors are, thus, now poised to make novel uses.
Over the last 15 years, the academic community has made great strides in improving its understanding of the U.S. export controls regulations and building out the expertise to develop comprehensive export controls compliance programs. Now that many institutions have mature or semi-mature compliance programs, internal audit teams are being tasked with tackling this complex area of federal regulations. This article walks through the basic export controls regulations and provides insight into a U.S. government report that highlights gaps. It also provides guidance on how internal auditors can begin to think about constructing an export controls audit that is effective and comprehensive.
U.S. Export Controls Regulations: Basics and Key Elements of an Export Compliance Program
Did you know that not all “exports” leave U.S. borders? That is true if you are following the federal export controls regulations. These regulations cover sending tangible items, technical information, and software out of the U.S. and sharing them with non-U.S. Persons in the U.S. The latter is deemed to be an export to the recipient’s home country. In some cases, the export controls regulations cover even more types of transactions, but we’ll explain more on that below.
Three main federal agencies administer the U.S. export controls regulations. They are listed below in the order of sensitivity relative to national security and foreign policy. Essentially, the potential fines and penalties for violations increase as you go down this list.
Department of Commerce’s Bureau of Industry and Security (BIS): Export Administration Regulations (EAR)
Department of State’s Directorate of Defense Trade Controls (DDTC): International Traffic in Arms Regulations (ITAR)
Department of Treasury’s Office of Foreign Assets Control (OFAC): Foreign Assets Control Regulations (FACR)
There are a few commonalities between these agencies and many differences. Fundamentally, they all have a framework for authorizing (or pre-authorizing) certain exports of tangible items, software, technology, and, in some cases, services as well. Authorization takes the form of a license issued to applicants requesting permission for an export or deemed export. All of them expect the exporting party to have an internal management plan, often referred to as a Technology Control Plan, in the case of deemed exports.
Each agency above maintains its own list of restricted or denied parties. Parties can be universities, companies, individuals, or other groups/entities. In most cases, exporting items from the U.S. to entities captured on any of these “restricted party lists” demands meeting heavy licensing or other requirements.
Beyond this, the differences between the EAR, ITAR, and OFAC sanctions regulations are important to understand. We’ll point out three of the major distinctions.
The EAR and ITAR contain extensive lists of sensitive items that those agencies regulate. A key difference is that the impact of the “export controls lists” varies under each set of regulations. In the case of the Department of Commerce, the licensing requirements connect back to detailed numbers on the Commerce Control List (CCL). It contains specific export control classification numbers (ECCNs) that describe certain tangible items, technology, or software. In most cases, the licensing requirements will connect to the ECCN of the exported item. While the Department of State has its list of sensitive items, called the United States Munitions List (USML), the precise number (“Category”) on the USML does not impact the licensing decision. Anything listed on the USML will require a DDTC license for all non-U.S. Persons to access.
A second difference is that the ITAR and the OFAC regulations cover “services,” while the EAR does not strictly regulate services.
Lastly, the OFAC regulations are focused on the destination country and the overall nature of the transaction. The licensing framework is not driven by what is being shared or shipped, but rather, which country is receiving it. Certain destinations have more comprehensive sanctions against them (e.g., Iran), and thus, licenses are harder to obtain. Some countries bring on steep restrictions even though they are not comprehensively sanctioned (e.g., China and Russia). The key countries of concern are:
Iran
Cuba
Syria
North Korea
Certain Regions of Ukraine
How does this translate into university export compliance needs? The key elements of an Export Compliance Program at a university span a broad range of administrative offices. In a comprehensive compliance program, export compliance “steps” or aspects should exist in all the below operations. Furthermore, restricted party screening processes should be incorporated into nearly all of them. The exact processes or procedures will vary across institutions due to the differences in basic operations. However, it’s important to establish standard processes.
Sponsored research screening process
Immigration/visas process
Visitors screening process
International shipping process
International travel process, in conjunction with IT protocols
Procurement processes
IT policies and processes
How are universities faring when it comes to handling all these decentralized needs? A recent government study provides some insight for university auditors.
GAO Report for University Export Controls
In May 2020, the Government Accountability Office (GAO) concluded a study of export compliance at U.S. Universities. The resulting report recognized the complexity of managing export controls in an academic setting and called for heightened clarity and guidance from the federal government. This section may serve university auditors by indicating key areas of focus for future audits.
The report, “State and Commerce Should Improve Guidance and Outreach to Address University-Specific Compliance Issues” (GAO 20-394), expressed concerns about undue foreign influence on universities and personnel. The study evaluated the management of export controls at nine universities. These anonymous institutions were sorted into three groups: those with high average research expenditures, those with medium expenditures, and those with comparatively low research expenditures. The report concluded with four recommendations to the Departments of State, Commerce, and Defense to heighten clarity and improve guidance to institutions.
The following chart provides a summary of the GAO study findings.
Overall, GAO discovered that export controls were more fully implemented at universities with higher research expenditures, which aligns with the relatively greater risks faced at these institutions. Of the eight areas examined by the GAO, nearly all the universities visited were aligned with the requirements of four topics: management commitment, export authorization, recordkeeping, and reporting violations. In this article, the authors emphasized four areas with the most room for improvement, as was done during the corresponding panel presentation at AuditCon 2022. These areas are risk assessment, training, internal audits, and export compliance manual.
Four of the nine universities visited by GAO had not conducted risk assessments. A risk-based approach can empower an institution to address areas of greatest concern. Yet, export controls impact many activities at an academic institution, and the day-to-day demands can be so great that it is challenging to conduct such an assessment. GAO called for additional clarity from the Department of State, whose new guidance is anticipated by the end of 2022.
GAO examined two elements of export control training programs: 1) whether suitable training was available and 2) whether training was mandatory for the appropriate employees. One could argue that training is the heart of any compliance program. Although the majority of universities visited were in alignment, GAO found that two universities were not aligned with this requirement.
Quite possibly, internal audits are the area of greatest interest for the reader of this article, and indeed this was one of the four areas in greatest need of attention, according to the GAO report. Only five of the nine universities visited met the standard, with the remaining four either partially or not yet aligned with this goal.
Finally, of the four areas evaluated by GAO, nearly half of the universities visited had not created an export control manual. Not only is such a manual essential for managing an effective compliance program, but it is also the basis for an audit of that program.
Design & Implementation of an Internal Audit for Export Controls: Scope & Tips
Scope of a University Export Control Program Internal Audit
The scope depends on the individual export control program. An internal audit may result from an export violation or best practice in compliance. A good place to start is by reviewing the export control program guidance from the Department of Commerce’s Bureau of Industry and Security (BIS)[1], the State Department’s Directorate of Defense Trade Controls (DDTC)[2], and the Department of Treasury’s Office of Foreign Assets Control (OFAC)[3] to see if your export control program contains all the required elements. The guidance documents outline the three agencies’ basic requirements for industry and college and university export control programs. All three agencies require audits as an effective export compliance program element. If your export program is missing one or more essential program elements, you already have a recommended place to begin.
An internal audit of an entire university export control program will be overwhelming in scope. It is not recommended because export control programs are governed by multiple federal agencies and regulations and overlap with many university functions (e.g., international travel, international shipping, sponsored research, hosting and hiring international employees and scholars, etc.). However, a comprehensive gap analysis of your export control program may help determine the focus of an internal audit. The export control program, internal audit, or an outside consultant may handle a gap analysis. Internal audit will be unbiased, while export control will have more substantive knowledge. An outside consultant may have substantive knowledge but will require additional resources.
The scope of an internal audit may be limited to one federal agency’s regulations, such as the export administration regulations (EAR)[4] under the Commerce Department BIS or to a specific area of the program, such as international shipping, international travel, technology control plans (TCPs), hosting and hiring international visitors and employees, etc. The internal audit may focus on how restricted party screening is handled by the export program as a whole or for a specific area such as international shipping. An internal audit’s focus may be limited to online graduate programs and how a university complies with the OFAC sanctions’ prohibition against providing a “service” to comprehensively sanctioned countries (including online education).
Approach to University Audits
The BIS “Export Compliance Guidelines, The Elements of an Effective Export Compliance Program” requires eight (8) elements: 1. Management commitment, 2. Risk assessment, 3. Export authorization, 4. Recordkeeping, 5. Training, 6. Audits, 7. Handling export violations and taking corrective actions, and 8. Build and Maintain your Export Compliance Manual. This is a good framework to start with when determining the best approach for a university audit. [5]
Many campus compliance business areas overlap with export control and trade compliance. For example, hosting J-1 Exchange visitors (Bridge USA Program) overlaps with export compliance, and Procurement and Accounts Payable overlap with international purchases (imports). An internal audit may only cover a separate business area and not the overlapping export and trade compliance concerns. However, the results of the internal audit may also impact export compliance. The export compliance program can highlight the risks found and advocate for additional resources to mitigate those risks, such as additional dedicated staff and training. The scope and approach depend on the reasons for the audit and the specifics of the individual export control program and college or university.
Frequency and Content of Audits
BIS, DDTC, and OFAC require audits in their export control program requirements.[6] These program audits may be conducted by the export control program (self-reviews), internal audit, or an outside auditor/consultant. The federal agencies do not specify who is to conduct the audits. The requirement is to make audits an essential element of export control programs to identify risks and compliance gaps and implement the mitigation. Federal agencies recommend the mitigation strategy is audited within one year to ensure it is effective[7]. BIS’ guidance specifically indicates, “[i]f resources allow, it is a good business practice to periodically utilize an outside auditor.”[8] The federal agencies do not specify or mandate who conducts the audits but rather require audits to make sure export control programs are continually reviewing the program annually to find compliance gaps and improve the program. These federal recommendations can serve as a basis for securing leadership buy-in for getting started with your first audit.
An export control compliance program may have internal audits periodically for specific areas of the program and the export control program staff may audit other areas annually. Technology Control Plans (TCPs) for sponsored research, for example, can have four annual audit requirements:
Are there any changes in the scope of the work performed that require a change to the TCP?
Are there changes in who is working on the project? (PIs need to contact the program to have new personnel read and sign the TCP and attend export control training before beginning work per the TCP.)
Are there any changes in the physical location where the work is performed?
Perform a new physical inspection annually.
In addition, internal audit may audit the entire TCP process above and provide recommendations and mitigation strategies.
Benefits of Internal Audits
Auditing an export controls compliance program is a relatively new endeavor for many internal audit teams at universities. In fact, many institutions are still building out their initial export controls compliance program. Thus, internal audits can help frame what is going well and identify opportunities for improvement. Budget issues at colleges and universities are real, so an audit highlighting the need for additional staff and new tools has proven to be valuable at certain institutions. Audits can also highlight where export control programs overlap with other areas and recommend increased collaboration to eliminate silos on campus to increase compliance.
When it comes to risk management and compliance, the knowledge of three groups is better than one. At least, that has been the experience of Case Western Reserve University (CWRU or university). We have taken a three-pronged approach to risk, compliance, and controls. Internal Audit, co-sourced with Deloitte & Touche LLP (Deloitte[1]); Enterprise Risk Management (ERM); and Compliance are the three units that work together to safeguard the university’s community and assets.
Deloitte has been engaged by CWRU for over 10 years and assists in developing and executing the annual internal audit workplan and performing special, one-off reviews based on emerging areas of risk or potential for control deficiencies. ERM, which is headed by the University’s Director of Audit Services, takes a holistic approach to risk on a university-wide level. ERM identifies the university’s top ten risks, understands how CWRU is trying to mitigate them and predicts how they affect our operations and strategic plans. As these risks are often interconnected, we try to have a deeper understanding of their complexity so that we can mitigate or accept the risk. Lastly, the compliance function is headed by the Chief Compliance Officer, who reports to the Office of General Counsel. Compliance helps ensure that departments on campus understand their obligations from a legal and risk-based standpoint.
There are myriad benefits to this triumvirate approach. Having three separate departments look at risk and controls helps to give a broader perspective of the organization’s activities and brings a multidisciplinary approach to problem-solving. The different backgrounds allow for the coverage of a wide swath, with ERM focusing on strategy and operations, Internal Audit on internal controls, and Compliance on regulatory matters. These separate points of view allow us to see which issues may be on the horizon and which others may be starting to fade into the background. For instance, at CWRU, the Compliance Program leads the University on export controls compliance. When issues on undue foreign government influence rose in visibility over the past few years, Compliance brought that issue to the group. During the height of the COVID-19 pandemic, ERM was deeply involved with operational risks on campus relating to the rules of the road for faculty, staff, and students. Now that the risks of the pandemic are becoming more of a known, managed risk, we’ve been able to shift the ranking of the risk to one that is less urgent. In annual internal audits performed by Deloitte, we can learn whether and how the controls are working around areas that we are tracking in ERM and Compliance, like the management of grants or endowment stewardship, for example.
Not all risk is bad, and discussions within the group have prompted us to see which risks might represent opportunities. For example, the need to shift university operations and activities because of the pandemic allowed us to see new opportunities. Online learning and the skills we gained from adapting to new modes of learning have blossomed in the pandemic’s wake. Each of our three unique offices has seats at different tables across campus; this has allowed us to disseminate our message regarding having a risk-intelligent tone at the top and a culture of compliance. Over the years, this has sunk in at various levels, and university community members now consult our departments when risk or control situations arise where they might not have done so in the past. This, of course, can be seen as a very good cultural shift on campus.
Annually, we perform a large risk assessment that is led by Internal Audit, with the support and participation of ERM and Compliance. The assessment usually is performed between the end of summer and the beginning of the academic year in early fall. We gather insights through live meetings with some groups (in person and virtually) and surveys for others, depending on risk profile and department size. This process usually touches roughly 30 unique departments, schools, and units on campus. Some years we add additional units or drill down deeper within a department if issues arise that warrant them. For individuals we speak with in person, there are some pre-determined questions sent ahead of time to the attendees on the risk topics, which allows them time to reflect on what they are seeing in their departments, schools, and university as a whole. In the meetings, the discussions organically move into various areas of concern and risk management practices. This process has come to be seen on campus as a safe space for people to express their thoughts and opinions. We have found that participants do not hold their concerns back, which is a good way to get many “real items” out on the table. We perform ad-hoc follow-ups during the year to see if there have been any changes to what people are seeing or hearing and always leave the door open for individuals to come to us with their concerns or ideas.
The annual risk assessment meetings inform and drive Internal Audit’s testing program for the year. The broad risk discussions and survey results help Internal Audit identify which auditable risks are top of mind for leaders. The risk assessment process also helps inform Internal Audit on areas where current control and process gaps may exist or where controls may be designed appropriately but are not consistently operating effectively. Having the perspectives from ERM and Compliance also helps Internal Audit prioritize the risk universe and develop a risk-based internal audit workplan. Internal Audit also gathers insights from ERM and Compliance on their upcoming initiatives and workplans. By working together on the risk assessment and sharing our plans, we can cover a broad spectrum of risk and avoid duplicating efforts or overwhelming stakeholders. ERM benefits from these annual risk meetings in that they help refine the organization’s most significant risks.
Our ERM program is specifically designed to capture and monitor risks holistically for the university. While the program is formally updated three times a year, we generally reach out to key stakeholders more often throughout the year to get a sense of current or impending changes. We measure risk to the university by its expected impact, probability, outlook, and maturity of mitigation preparedness. It is also important to see how the risk has altered over time. The ERM program is meant to be dynamic as the university changes and the environment we operate in also changes. Sometimes risks are added because they’ve become heightened, and sometimes they are removed from the top of the list as they shuffle towards the background as circumstances on campus change.
The annual risk assessment meetings help Compliance identify vulnerabilities in compliance functions across the organization. They help Compliance to have “eyes and ears” across a wide swath of campus, ensuring that if there are any new compliance-related risks on the horizon the appropriate unit is managing them. Compliance works continually with departments to ensure that areas with significant compliance requirements and risks make improvements and keep important metrics top of mind. The office has created an internally-used dashboard system to keep track of progress within fifteen key compliance areas at the university. Some tracked items include the assignment of oversight responsibilities, appropriate policies and procedures, compliance training and education, monitoring compliance with policies, and violation investigations. We have found this to be a very successful method of tracking and quantifying risk related to compliance.
This in-depth and three-pronged approach to risk, compliance, and controls has become a cornerstone in our ability to view and process risk on campus. It can be easy to fall into the trap of siloed offices and walled-off environments within a university, but this integrated and open method has allowed us to move forward and create new paths that could not have existed otherwise. The end goal is always to safeguard the university from unnecessary risk while allowing those risks which will let us flourish to be monitored and handled with well-placed guardrails. It is an enjoyable process that brings a sense of satisfaction and security to our campus.
[1] As used in this document, “Deloitte” means Deloitte & Touche LLP, which provides audit and enterprise risk services. Deloitte & Touche LLP is a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Higher education is no stranger to the topic of Diversity, Equity and Inclusion (DEI) – if anything, higher ed institutions have historically been at the forefront of discussions about increasing access and success of underrepresented groups, and leveraging their classrooms and research to expand the view of future business leaders into the benefits of workplace diversity and equity. But DEI has garnered even more attention over the past several years. The disproportionate impacts of the COVID-19 pandemic and increased emphasis on racial inequality, social justice reform, corporate social responsibility, and the rise of Environmental, Social and Governance (ESG) reporting requirements have fueled a greater desire to address issues of DEI in higher education and ultimately improve the experience of students, faculty, staff, and the larger community.
The National Association of Diversity Officers in Higher Education (NADOHE) has placed an increased emphasis on Inclusive Excellence, which it views as transitioning from a singular focus on improving compositional diversity—who is present or absent on campus—to embracing comprehensive performance measurements linked to goals, objectives, strategies, indicators, and evidence.
Colleges and Universities are charged with three primary duties:
Minimize risk and negligence and ensure legal and regulatory compliance with diversity and equity issues in higher education.
Oversee, assess, and sustain campus policies that elevate equity, fairness, inclusion, and safety.
Develop, implement, monitor, and make recommendations for nondiscrimination and anti-harassment policies, processes, and practices associated with Equal Employment, Titles VI, VII, and IX considerations, Americans with Disabilities Act, affirmative action, and other applicable human rights protections.
In higher education, DEI applies to all aspects of college or university operations, including recruitment and retention of a diverse student and faculty population, fair and equitable hiring and promotion of employees, supporting minority-owned vendors in procurement practices, providing diversity awareness and unconscious bias training, and providing additional resources and support for traditionally underrepresented student populations and material covered in course curricula. In recent years, many colleges have furthered their commitment to improving equity among their communities by establishing formal DEI strategies, programming, and procedures that align with their organization’s mission, appointing Chief DEI Officers and creating offices to shape and execute these strategies. There is still much progress to make.
A 2022 Hanover Research study on DEI surveyed nearly 1,000 undergraduate students from across the United States and found that the majority of BIPOC (Black and Indigenous People of Color) students agree that those with diverse backgrounds, identities, and experiences do not have equal access to academic opportunities. While 69% of students agreed that the faculty and staff population at their institutions are racially and ethnically diverse, students at private colleges or universities were found to have a more negative perception of their institution’s support of DEI efforts than those at public institutions.
Exemplifying the onus placed upon universities to increase efforts toward DEI programming, third-party evaluators have now begun factoring diversity and equity data into their scoring metrics. The U.S. News and World Report rated the most ethnically diverse campuses across the country by assigning a diversity index score based on the total proportion of minority students (excluding international). The INSIGHT Into Diversity HEED Award, open to all colleges and universities across the U.S. and Canada, measures an institution’s level of achievement and intensity of commitment regarding broadening diversity and inclusion on campus.
Internal Audit’s Role in Enhancing DEI Actions
A higher education internal audit (IA) function can help to support the institution’s DEI efforts in several ways. As discussed in a panel session at ACUA’s 2022 AuditCon, DEI continues to be an area of exploration and, at times, uncertainty for college and university auditors, but there have been several strategies employed across institutions that could help your audit shop get started.
First, as an operating unit within the school, IA can help lead by example in examining its practices regarding DEI and working to strengthen practices where possible and align with the institution’s broader strategies and goals as needed.
Then IA should review whether your institution or system has established any strategies or goals regarding DEI across campus. If no such foundations exist, consider the ability for IA to play an advisory role and help leadership work to move the needle on setting DEI goals and measures, even if starting small with just a few focus areas (e.g., admissions, procurement or pay equity reviews).
Even without an institutional framework or goals, IA can still perform DEI-focused audits. This may include assessing compliance activities related to the number of diversity and equity laws in place regarding hiring practices, institutional program offerings or student services. With the increase in external metrics regarding DEI, IA could review the institutional data used and report for inclusion. If goals, targets, and metrics have been established, IA can play a role in supporting the institution’s monitoring efforts, verifying those goals have been met, or looking at the overall management and structure of how such a program is enacted across campus.
AuditCon panelists also spoke about efforts to begin including considerations of DEI and overall institutional culture as a standard component of all audits. Similar to incorporating IT considerations into all audits conducted, these IA shops have started to leverage pre-audit control surveys to ask questions about the culture and processes of auditable units, including evaluating the diversity of staff and feelings of inclusion. This enables the IA function to identify non-traditional areas of risk and measure DEI effectiveness while providing valuable feedback to auditees to help promote DEI efforts and enhance morale.
One of the biggest takeaways from the ACUA panel was that there is no single right answer for how to incorporate DEI considerations into the work of IA. While conversations have begun to shed light on areas of DEI as a leading institutional priority and risk area, many audit shops are still uncovering how to include such topics within an audit plan. But no matter how mature your focus on DEI may be, there are ways to engage your IA team to help support or even drive DEI initiatives across campus. DEI is an area that will continue to receive focus on campuses across the nation, with the goal of continual progress. In turn, DEI work performed by the IA function will continue to evolve and shift in alignment with your institution’s activities. IA’s willingness to engage with DEI topics will help your institution increase compliance and embrace inclusiveness with DEI measures.
Colleges and universities are required to comply with numerous regulations when accepting grants or contracts from a governmental agency, private foundation, or other sponsors. Among these regulations is the requirement that expenditures related to the project are properly allocated and documented. These expenditures could include salaries of faculty and staff as well as supplies, equipment, travel, and other expenses incurred while working on the project. The principal investigator (PI) is responsible for allocating the sponsored project costs to the appropriate project when the costs are incurred.
Under certain circumstances, a cost transfer is allowable, which moves costs to or from a sponsored account to allocate costs properly. However, cost transfers cannot cover cost overruns or draw down on awards that have not been substantially used as the award term ends.
An abundance of cost transfers may alert award sponsors to potential weaknesses in the financial management of award funds. For example, frequent posting of cost transfers more than 90 days after the expense may indicate that the PI is either not performing the required routine reviews (e.g., monthly) of their award expenditures or is not sufficiently overseeing the progress made on the award. Similarly, a lack of oversight or mismanagement is a concern when a large percentage of the dollar amount of an award is transferred toward the end of an award term (e.g., the last quarter of a 2-year award).
Risks and Potential Impact
So, why does this matter? Often, a federal sponsor has committed millions of dollars to an institution across multiple awards. The discovery of any inappropriate use of federal dollars increases the likelihood that the federal sponsor will perform an audit of the institution’s use of dollars across all of its awards. Audit findings of noncompliance with Uniform Guidance or award terms result in fines and penalties, putting all current and future awards at risk. The trickle-down effect of negative publicity could impact the institution’s attractiveness to faculty, researchers, staff and students.
Audit Planning
To mitigate the risk of inappropriate cost transfers or misappropriation, Internal Audit can evaluate existing processes and controls relative to cost transfers, including monitoring activities to ensure compliance with federal or state requirements for the sponsored awards.
When planning and scoping an audit for this area, first find out if your post-award office has completed any of the following best practices. Determine whether the office:
Has developed its own set of cost transfer policies and procedures to guide PIs and accounting staff on how to record sponsored award expenditures appropriately.
Has defined the acceptable period in which a cost transfer should be made after the expense has occurred.
Requires supporting documentation for late cost transfers.
Has defined what constitutes appropriate supporting documentation.
Has created and provided training to unit-level accountants.
Has required PIs to frequently (e.g., monthly) review sponsored project expenses.
Regularly meets with unit-level accountants to communicate and emphasize the significance of the cost transfer policies.
Includes unit heads (e.g., deans, chairs) in the approval process for late cost transfers.
Has trained and empowered the post-award staff to reject late cost transfers without appropriate justification.
Has documented and enforced consequences (e.g., move the funds to a non-sponsored departmental account).
Works with other internal departments (e.g., Payroll) to complete the cost transfer process.
For the items above that have been completed, Internal Audit can select a sample of cost transfers and units and review for compliance with internal procedures.
Other Considerations
Depending on the nature and maturity of the systems used by your post-award process, there may be a reliance on disparate systems or, worse, manual processes. This inefficiency increases staff time spent on the cost transfer process, the risk of human fatigue, errors in missed or delayed transfers, and potential noncompliance with federal agency policies.
Consider categorizing the rationale for cost transfers (e.g., delays in receiving awards from sponsors, reconciliation not performed timely, change in F&A rates, etc.). Use data analytics to help the post-award office identify if any units are consistently submitting late cost transfers, large or numerous transfers close to the award end date, and identify trends by unit, sponsor, length of time to complete and justification used on all cost transfers.
It is important to understand if units have access to run necessary cost reports for their sponsored projects. For both PIs and their delegates not accustomed to reviewing expenditures, training is critical. Training materials should be developed and provided for all types of cost transfers (e.g., transfers of both salary and non-salary expenditures and those that are recorded more than 90 days after initial expenditure or discovery of error), and they should be complete, updated and easily located together.
Conclusion
The cost transfer process at an institution is truly a collaborative effort—typically between the Post-Award Office, Payroll, individual units and PIs. Including Internal Audit in this collaboration helps create consistency throughout the institution and increase units’ knowledge of risk management.
Internal audit departments following the Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF or “Standards”) are required to develop and maintain a quality assurance and improvement program (QAIP) that includes internal and external assessments. A QAIP verifies the work is performed in accordance with the Standards and the IIA’s Code of Ethics and that the internal audit department operates in an efficient and effective manner.
Most audit shops are already performing ongoing reviews of their engagements through supervision, workpaper review, following established audit policies and procedures governing the audit process, and soliciting feedback from customers. Periodic self-assessments go beyond the routine supervision and monitoring of each engagement to evaluate each IIA Standard. Performing a thorough self-assessment can help increase efficiencies, create uniformity of documentation amongst your team, and help prepare the audit shop for a positive external review.
Periodic self-assessments are often conducted at the mid-point of the five-year external review cycle but may be conducted more frequently. The review may be performed by the chief audit executive (CAE), assigned to a senior auditor, preferably a Certified Internal Auditor (CIA), or divided amongst the staff. It is important that all members of your review team be open to change and allow a positive dialog for discussing potential weaknesses and recommendations.
There is no single method required for conducting a self-assessment. One way to efficiently evaluate all of the Standards is to design your self-assessment around the following four themes: Governance, Staff, Management, and Process, which is how the IIA teaches external reviews. The Governance and Staff sections address the IIA’s Attribute Standards and the Management and Process sections address the IIA’s Performance Standards.
If you are a state college or university and your state performs peer reviews, you may be able to obtain detailed templates from your state auditor’s office to help in your review. The following is a summary of the critical tests that the State of North Carolina uses for its external reviews:
Governance
These Standards refer to how the internal audit function is governed. Key documents include the Audit Charter, department procedures manual, organization chart, and independence attestations.
The Purpose, Authority, and Responsibility need to be defined in your Internal Audit Charter. The language in the charter should align with the IPPF, address both assurance and consulting services, and allow unrestricted access to records and personnel. Review your charter and ensure it reflects your current practices and has been approved by your Board of Trustees or Audit Committee.
Independence of the internal audit department should be confirmed to the Board at least annually. Departmental independence is often achieved by reporting administratively to the President/Chancellor and functionally to the Board of Trustees or Audit Committee. Ensure your organizational chart reflects an independent reporting structure. Additionally, individual auditors must be independent of the areas audited, and new auditors must refrain from assessing specific operations for which they were previously responsible within the last year. Auditor independence may be demonstrated by individual attestation for the audit plan year or for each engagement by each auditor.
The IIA Code of Ethics must be followed by all members of the Internal Audit department, whether or not they hold any IIA certifications. Consider whether all team members uphold the principles of integrity, objectivity, confidentiality and competency. One option to demonstrate awareness is to include the IIA Code of Ethics in your procedure manual and have team members sign an affidavit to confirm their understanding.
The Quality Assurance and Improvement Program must be developed and maintained by the CAE. A description of regular engagement monitoring, periodic internal assessment, and 5-year external assessments should be documented in the procedure manual. Verify prior assessments were timely and shared with senior management and the Board.
Staff
The Staff Standards focus on auditor competency and the ability to have sufficient knowledge and skills to perform engagements. Employee certifications and training records are tangible evidence, and the ability to exercise due professional care is reflected in the engagement work papers.
Proficiency must be demonstrated by all internal audit team members. Auditors must possess the knowledge and skills needed to perform their responsibilities individually and as a department. Maintain records on professional certifications and continuing professional education logs that show the staff collectively has specialty knowledge such as IT, fraud detection and data analytic skills required to complete the audit plan. Subject matter experts may be needed. Evidence of proficiency may be documented in performance reviews, and post-engagement client surveys should include feedback on staff proficiency.
Due Professional Care, that which is expected of a reasonably prudent and competent auditor, must be applied. Determine whether engagements were staffed and adequately supervised based on the complexity of the subject. Verify engagement planning considered fraud and the feasibility of using data analytics for a higher level of assurance.
Continuous Professional Development applies to all team members, not just those maintaining certifications. Define training requirements in the procedure manual and counsel staff on relevant training opportunities. Audit team members should track their continuing professional education training and ensure they meet licensing and departmental requirements.
Management
Management refers to managing the duties of the internal audit function along with the nature of work. The internal audit activity is effectively managed when it achieves the purpose of the audit charter, conforms with the Standards, and considers emerging trends that could impact the organization. Annual audit plans, performance metrics, achievement of the plan, reports to the Board, engagement reporting, and meeting minutes are key documents for the self-assessment.
An Audit Plan that determines the priorities of the internal audit activity must be established by the CAE, usually on an annual basis. The audit plan should be based on a risk assessment, input solicited from senior management and the Board, and consider resource management. Ensure the methodology for establishing the audit plan was documented, and the final plan was formally approved by the Board.
Policies and Procedures should be documented to guide the internal audit activity. Review the department’s procedure manual and verify that it is current, complete, and aligns with the Standards. Ensure that the procedure manual is being followed throughout the internal assessment process.
Reporting to Senior Management and the Board should occur regularly. Verify that the following items were reported at least annually: the audit charter, independence of the internal audit activity, the audit plan and progress against the plan, resource requirements, results of audit activities and conformance with the Standards.
The Governance of the organization needs to be assessed by the internal audit activity, and appropriate recommendations for improvement should be made. Verify there is documentation to support sufficient coverage of improvements to the organization’s governance process, such as memos and meeting minutes.
The internal audit activity must evaluate the effectiveness of the organization’s Risk Management process and contribute recommendations for improvements. Auditors may collaborate with other areas such as Legal or the Enterprise Risk Management function. Significant risks, including fraud risks, should be addressed in the annual audit plan.
If Overall Opinions are used for engagements, they must be supported by a summary of the information that supports the opinion. Review your reports for appropriate overall opinions.
Communicating the Acceptance of Risk by management should be handled consistently. The procedure manual should state the process taken when management accepts a level of risk that may be unacceptable to the organization, such as escalation to the Board. Verify these processes were followed for any engagements where unacceptable risks were identified.
Process
Process refers to the execution of engagements in the audit plan. Several engagements should be chosen for the self-assessment to evaluate workpapers for planning, fieldwork and reporting along with tracking follow-up items. Sample different types of engagements such as audits, consultations and investigations performed by different auditors.
Engagement Planning is required for each engagement to establish the engagement’s objectives, scope, timing and resource allocations. For the sample of engagements, determine whether risks were identified, objectives were established, and appropriate scope and resources were defined and documented in an engagement letter to the client.
Engagement Work Programs should be developed and documented that address key risks, policies and procedures. Verify work programs were created that included clear instructions, addressed risks and objectives, and were approved prior to fieldwork.
While Performing the Engagement, auditors must identify, analyze, evaluate and document sufficient information to achieve the engagement’s objectives. Review engagement workpapers and verify they identified factual, adequate and convincing information. Workpapers should be prepared consistently by all team members and be reliable and useful enough to support the conclusions. Ensure sound and accurate sampling and testing procedures were performed. Confirm workpapers are retained per your institution’s requirements.
Engagement Supervision is necessary to ensure objectives are achieved, quality is assured and staff is developed. Verify there is evidence of workpaper review, which could be a manual or electronic sign-off or approval completed using audit software. Demonstrate that staff members receive feedback and training during engagements by retaining review notes.
Communicate the Results of engagements to the auditee and appropriate parties such as senior management and the Board. Confirm engagement report observations and conclusions were supported by the workpapers. Evaluate whether positive results and satisfactory performance were included in final communications. Ensure reported results were helpful to the client and organization and led to improvements where needed. Determine whether any errors or omissions were corrected and the communications re-issued.
A Monitoring Process must be developed by the CAE to ensure actions have been effectively implemented. This process should be defined in the procedure manual and followed for all engagements. Outstanding items should be tracked and monitored. Review past engagements with findings and verify there is evidence that management action plans are being followed up and resolved timely.
Conclusion
Complete your self-assessment by identifying areas of improvement and have team members collaborate on feasible solutions. As you would for any other audit, document the findings in a report along with your department’s management responses and due dates, and ensure those changes are made timely. Share your accomplishments and commitment to improvement with senior management and the Board.
While a full internal self-assessment can be time-consuming, it can be worked on intermittently throughout the year or completed all at once. By utilizing a team approach, the team members will learn the IIA Standards and strengthen their knowledge of departmental requirements. Single-member audit shops will also benefit from conducting an internal assessment by ensuring their department meets the Standards and is prepared for the external review.
Ms. Hefner will be speaking on this topic at the 2022 AuditCon in Las Vegas, session A10 Internal Self-Assessments: Create A Winning Hand.