Letter from the Editor

Hello ACUA members,

My name is Gavin Shubert, and I’m the new editor of the College and University Auditor Journal. I want to thank Claire Thomas, my predecessor, and James Merritt, the Journal’s former deputy editor, for their valued and worthwhile contributions to the Journal. Additionally, their assistance transitioning a new editor and deputy editor onto the team has proved invaluable. Thank you both.

In case we haven’t crossed paths yet, I’m an Internal Auditor at Georgetown University. Our new deputy editor, Kara Hefner, is a Senior Auditor at the University of North Carolina, Chapel Hill. She has graciously contributed her time and efforts as a writer for this edition of the Journal, in addition to her capacity as deputy editor.

Kara’s article provides a great professional resource for audit shops looking to perform thorough and standards-compliant internal assessments. In addition, Kyra Castano and Adrienne Larmett provide insights on instituting environmental health and safety controls. Then, Daniel Graves and Greg Englert give guidance on ESG and sustainability reporting and how you can better document these emerging and meaningful metrics. Next up, Curt Plyler, a Certified Construction Auditor, dives deep into how to audit construction costs. Finally, Erin Egan and Colleen Tedeschi share how to comply with sponsored awards, emphasizing the significance of cost transfers.

In this issue of the College and University Auditor, aptly named “ACUA: Live in Las Vegas,” you will find a wide variety of topics written by talented authors who strove to make their knowledge and expertise relatable and valuable for ACUA members in every institution. Please consider joining a growing field of professionals making their mark on the collective learning of our ACUA community by reaching out to me at editor@ACUA.org. Questions, ideas, and comments are always welcome.

Please also keep in mind that the Early Bird Deadline for discounted registration to AuditCon has been extended until August 19th. Now, without further ado, please sit back, relax, and enjoy this summer issue of the College and University Auditor Journal.

Sincerely,

Gavin Shubert, Editor

Environmental Health and Safety in Higher Ed – How institutions can implement internal controls to protect their community

When you step on campus, do you think about how, and by whom, your campus community is protected from the myriad environmental hazards potentially lurking in buildings, labs, and water fountains?

Colleges and universities have various environmental risks and events (e.g., water and air pollution, biohazardous materials and fire hazards) that must be managed daily. An institution’s Environmental Health and Safety (EH&S) function serves an essential role in supporting the mission of the institution with teaching, research, and service by providing safety evaluation and monitoring services to the campus community as a whole. EH&S works to ensure internal controls are formalized, comprehensive, and working effectively by performing a variety of activities including, but not limited to, laboratory inspections, monitoring existing hazards, identifying potential hazards, and reducing safety hazards.

In addition to the increasing safety concerns resulting from the 2020 global pandemic, there is an opportunity for Internal Audit to provide operational reviews of the current environment’s risk mitigating controls.

What is EH&S?

Environmental Health & Safety (EH&S) is the science and practice of preventing human injury and promoting well-being[1]. EH&S is a term used by laws, rules, regulations, professions, programs, and workplace efforts to protect the health and safety of the campus community. Other common ways to abbreviate EH&S are HSE or EHS&Q where the “Q” stands for Quality.

EH&S Responsibilities and Reporting Structure

EH&S functions are often the contact points for regulatory agencies and emergency response actions. EH&S is often responsible for educating the campus community on standards applicable to the institution.

EH&S is commonly tasked with:

  • Serving as the oversight and authority for EH&S compliance.
  • Implementing health and safety policies and procedures.
  • Conducting inspections and monitoring procedures to identify existing and potential hazards.
  • Performing routine audits to measure compliance with regulations.
  • Measuring and improving environmental health and safety performance across campus.
  • Providing and supporting incident responses.

EH&S reporting structures look different at each institution. Some common reporting lines include:

  • Campus Safety
  • Campus Operations
  • Facilities
  • Risk Management
  • Research

Risk Universe

Just as institutions differ in reporting structure, an institution’s EH&S risk universe will differ as well. The most important thing to remember before you audit your institution’s EH&S function is to consider the environment and what risks may be more important than others. For example, a large research institution with a medical school may present risks such as biohazardous chemicals or radioactive materials, while an institution located in the southeast may be at a high risk for a potential weather-related hazard. Below are a few types of risks to consider based on your institution’s academic, risk and geographic environment.

Rules, Regulations, Policies and Procedures

EH&S is a highly regulated area with a number of laws and standards falling under:

  • Environmental Protection Agency (EPA)
  • Occupational Safety and Health Administration (OSHA)
  • International Fire Code (IFC)

Specific topical areas may include, but are not limited to:

  • Biohazardous materials in research and instruction
  • Confined space entry
  • Contractor safety
  • Eye protection
  • Fall protection
  • Occupational exposure to hazardous chemicals
  • Personal protective equipment, including COVID-19 exposure
  • Radioactive materials
  • Waste disposal

Since there are so many regulations to consider, we recommend that you begin by reviewing your institution’s policies and procedures, as your EH&S function has likely already created internal controls for most key regulatory requirements.

Considerations for the Internal Audit Plan

Internal Audit can help the institution better understand the design and effectiveness of the compliance framework, including internal controls, oversight, training, authority and applicable regulatory requirements. In addition, Internal Audit can perform testing procedures to determine the efficiency of controls in hazard identification, worker participation, laboratory safety and injury/illness prevention.

Common audit activities are often related to:

  • Reviewing documentation (e.g., organizational charts, procedures, workflows, job descriptions, etc.) to understand current procedures.
  • Conducting interviews with key stakeholders to better understand key processes and practices.
  • Evaluating operations and internal controls in place.
  • Performing testing procedures to determine the effectiveness of controls.

Conducting testing procedures is one of the most valuable ways to review and assess the current compliance environment at your institution and to evaluate the current internal control process for remediating EH&S related risks. For example, performing a walkthrough of campus research laboratories typically provides Internal Audit with informative observations or enhancement opportunities. While conducting the walkthrough, a checklist is recommended to encourage documentation of all findings. Taking pictures during this process is a great way to provide key process owners and leadership with significant supporting documentation.

Key checklist questions include:

  • General work environment
  • Laboratory safety plans
  • Safety equipment
  • Security
  • Labels and signs
  • PPE
  • Chemical inventory waste and storage

Why is auditing your institution’s EH&S function important? 

If there are instances of noncompliance with key regulations, the safety of the campus community may be at risk. The institution may also be assessed for financial, regulatory, health and safety damages. For example, without wearing proper PPE during research procedures, a student is at risk for severe injury or death. Further, by not labeling and disposing of biohazardous waste correctly, the waste may become the source of infections. Potential harm could be carried to other students in the room through air pollution, toxic exposure, chemical burns or radiation burns.

Next steps

The EH&S function is responsible for providing a strong foundation of safety through a commitment to compliance and overall protection. Many individuals within the campus community may not think about EH&S; however, everyone does appreciate a safe environment. Internal Audit can help provide operational reviews of the current proactive, monitoring and detective controls that mitigate risks. Consider adding a review of your EH&S function to your audit plan.

References

[1] Definitions of Environmental Health | National Environmental Health Association: NEHA

Auditing Construction Costs

Higher education institutions are routinely engaged with the construction of new capital projects. The significant investments will likely necessitate routine internal audits to ensure funds are being expended appropriately. On campuses with multiple projects, the initial challenge is determining which project(s) to review. This article provides a primer to embarking on a construction audit when you have a limited background (at best) in construction by addressing the following items:

  • Selecting the project and scope of the audit
  • Requesting and evaluating support documentation
  • Direct labor costs
  • Contractor-owned equipment
  • Insurance
  • Information technology (IT)
  • Change orders
  • Other costs

Selecting the Project and Scope of the Audit

Construction is delivered under multiple approaches, often called “delivery methods.” The construction contract is tailored to the delivery method being employed on the project in question. Common delivery methods include Design-Bid-Build, Multi-Prime, Design-Build, Construction Manager-at-Risk, and Integrated Project Delivery.
 
The most common construction delivery methods in higher education today are Design-Bid-Build and Construction Manager-at-Risk. Design-Bid-Build contracts are commonly referred to as “hard bid” or “lump sum”. These projects are completed for a fixed price and are often used on smaller projects where drawings are complete and the scope has been finalized. Given the reduced risk from a financial perspective, the scope of an audit would be primarily focused on any change orders.
 
Larger projects are often built utilizing a Construction Manager-at-Risk delivery method. This method engages the construction manager prior to final drawings in order to leverage their expertise with constructability reviews at various stages of design. This approach utilizes a Guaranteed Maximum Price (GMP) contract. This contract segments the recovery of project costs into the following components:

  • General Conditions, the cost of managing the project
  • Cost of Work, subcontracted work, self-performed work
  • Insurance/Bonds
  • Fee, a percentage of the project cost or a stipulated amount

The GMP contract establishes a cap for the amount paid for the construction, but allows the project owner to retain any variance should the GMP exceed the total realized project costs. As a result, GMP contracts generally have more areas of potential audit exposure from a financial perspective. With resources often being limited, audits of construction in higher education naturally gravitate to GMP contracts given their compensation terms and greater project values.

Requesting and Evaluating Support Documentation

(For the purpose of this and the remaining steps, it is assumed a GMP contract is being reviewed)
 
Once the project(s) to audit has been selected, the Auditor will need to develop an initial documentation request to obtain the following items:

  • The executed construction contract with all amendments, exhibits, workbooks, etc.
  • Fully supported Owner Payment Applications from Owner or Contractor including:
    • Schedule of Values
    • Subcontract Payment Applications
  • A project cost report, for the period being audited, from the Contractor, inclusive of all reimbursable costs.

 
Requests sent to the Contractor should be directed to the Project Executive and/or Project Manager. The construction contract should then be reviewed, specifically sections addressing the “costs to be reimbursed” and the “costs not to be reimbursed.” The compensation terms should detail the usage of pre-determined rates and actual costs. Additionally, the contract should specify the overhead items covered by the Contractor’s fee.
 
A source documentation request should then be sent by the Auditor to the Contractor’s Project Executive and/or Project Manager for multiple items:

  • Direct labor and equipment costs
  • Subcontractor costs (if not provided above as noted in the initial documentation request)
  • Insurance costs
  • Information Technology (IT) costs
  • Change orders
  • Other miscellaneous costs

The lowest source document should be determined for the request. For example, the original timesheet should be requested to validate the hours worked by an employee. These lowest source documents are utilized to create the monthly project billings and provide valuable insight often lost if reports are created specifically to satisfy audit requirements. These documents often contain commentary and details about transactions later adjusted and/or ‘corrected’. In some cases, the source document can further demonstrate how a transaction has been ‘cleaned’ to avoid scrutiny during the payment approval process.

Direct Labor Costs

The contract should specify whether labor is to be billed at pre-determined bill rates or actual cost plus burden. To effectively review labor costs utilizing bill rates, timekeeping records should be requested. To the extent the contract does not explicitly specify the bill rate components, the Contractor should be requested to provide them. Bill rates routinely include paid time off, benefits, base wages, payroll taxes and unemployment insurance.
 
Labor billed at actual cost plus burden will require payroll records, including employee deductions and timekeeping records. To the extent the contract does not explicitly specify the burden components, the Contractor should be requested to provide them. Burden rates are applied to base wages and routinely include paid time off, benefits, payroll taxes and unemployment insurance.
 
If the contract does not specify the use of pre-determined bill or labor burden rates, the labor is normally reimbursed at actual cost plus actual burden. The audit will need to independently estimate the cost of the labor burden. Documents needed to complete this estimate include:

  • State Unemployment Rate for your state.
  • Workers’ Compensation including Experience Modification from the insurance carrier.
  • Medical Insurance at the employee level from payroll records and at the firm level from the insurance carrier.
  • Retirement from payroll records.
  • Accidental Death/Long Term Disability from the insurance carrier.

Contractor-Owned Equipment

Contractors may lease their owned equipment to the project. The contract language often specifies these rental rates are to be indexed to a third-party source, such as the AED Green Book or EquipmentWatch Blue Book. The contract language may specify the lease rates are to be indexed at less than 100% to the index in question. Additionally, the language may specify when lease payments are to cease. If not, the fair market value or replacement value is the implied point when payments should cease. The Contractor should be requested to provide a leased equipment summary, inclusive of the following items:

  • Equipment tracked down to the serial number.
  • Fair market value when first utilized on the project.
  • Rental rate and index rate (if applicable).
  • Cumulative rental charges to date for each item.

Insurance

The construction contract should specify the various insurance coverages required by the contract. The most common coverages, and their means of compensation, are as follows:

  • General Liability Insurance, which may or may not be defined as a percentage rate in the contract.
  • Contractor Controlled Insurance Program or ‘CCIP,’ often specified as a percentage rate in the contract or contract amendment.
  • Builder’s Risk Insurance, purchased specifically for the project.
  • Subcontractor Default Insurance, which is almost always specified as a percentage rate of the enrolled subcontracts.
  • Performance and Payment Bond, purchased specifically for the project.

 
General Liability Insurance will often be charged at a rate that may or may not be defined in the contract. If the rate is not specified in the contract, request a breakdown of the rate charged to the project. The rate breakdown provided should be analyzed to determine if it includes coverage not required and/or if overhead has been included. The project requirements for policy coverage and limits should be located in the Contract agreement. The Auditor should verify the coverage and appropriate limits have been obtained by requesting a Certificate of Insurance from the Contractor which lists the project owner as the named insured for the project in question.
 
Builder’s Risk Insurance and Performance and Payment Bonds are usually purchased specifically for the project. An invoice should be requested to document the purchase. The vendor providing the invoice should be confirmed to be an independent third party, as captive insurers are often used, reducing the transparency of the actual cost incurred.
 
Subcontractor Default Insurance is routinely charged at a rate specified in the contract. This rate is applied to the combined subcontract values enrolled in the program. To confirm the amount charged, a list of enrolled subcontracts should be requested. The Schedule of Values in each subcontractor payment application should then be separately scrutinized for the inclusion of bond costs. If identified, this is most likely a duplicate charge to the Subcontractor Default Insurance.

IT

IT expenditures are often allocated and charged to project costs by Contractors. Contracts may allow for “project-specific” IT expenditures such as laptop computers, internet connectivity, and on-site support. Correspondingly, contracts normally disallow corporate overhead IT expenditures (accounting systems, home office servers, and home office support). The contract language related to IT, however, is usually nebulous. As a “rule of thumb,” if the IT item is utilized on-site, it’s likely permissible, but if utilized in a home office, it is likely overhead and should not be billed. Invoices should be provided for all IT charges without contract language specifying an IT rate. This approach is the most transparent from an audit perspective. As with the insurance, the Auditor should be wary of any IT invoices from a related party. Any computers and other hardware charged to the project should revert to Owner control at the project’s end. To the extent an IT rate is specified in the contract, the project cost report should be scrutinized to ensure IT charges covered by the rate have not been direct billed to the project. If the IT rate’s components are not defined, the Contractor should be requested to provide them.

Change Orders

A retrospective review of project change orders will require copies of fully supported Owner Change Orders, which are the summation of multiple change requests made to the project owner for approval. The support should include a cover sheet with an itemized list of the change order items. The subcontractor support for each individual change order should then follow, and this support should then be reconciled to the cover sheet. The Contractor’s markups for insurance, overhead, and profit should be present on the cover sheet and should be confirmed against Contract stipulations. The markups applied on Change Orders should be validated for the following:

  • Will markup, overhead and profit (OH&P), insurance, bonds, etc., be applied to both additive and deductive Change Orders?
  • Is an OH&P cap defined separately for each tier (i.e., Contractor, Subcontractor, Sub-subcontractor)?
  • Can the Contractor get separate markups for its role on self-performed work?
  • Is the aggregate markup capped?

In addition to markups, the Change Order review focuses on these items:

  • Validation of costs (material, labor, etc.).
  • Identification of duplicate scope in selected instances such as rework, back charges, and items intended to be covered by the fee for overhead.
  • Review of the approval process.

Other Costs

The project cost report provided in the initial document request should be sorted to segment transactions not falling into labor, equipment, subcontracts, insurance, and information technology categories. Most of these charges will be for vendors paid via purchase orders. The transactions should be further segmented into a list where the reimbursable basis cannot be readily determined – these invoices should then be requested from the Contractor. The invoice review should focus on the following items:

  • Is the charge reimbursable per the contract, or was it intended to be covered by a rate and not billed directly?
  • Was the charge incurred on the project in question?
  • Do the date and invoice number trace to the project cost report transaction?

Journal entries may comprise the remaining transactions, and backup should be requested for any that are questionable.

Conclusion

Auditing construction costs may seem like an impossible task without specific expertise and with limited resources. However, focusing your audit program on projects with contracting terms with more material financial exposure is the first step in developing an effective review of these capital expenditures. Following project selection with targeted documentation requests will allow the development of an effective and efficient process for reviewing construction project costs.

A Growing Trend: ESG Reporting for Higher Education Institutions

As they looked into their crystal balls for the year ahead, two organizations, Gartner and the Institute of Internal Auditors, published lists of emerging risks for 2022. Not surprisingly, sustainability related to environmental and climate issues as well as social change made both lists.

These risks are just as relevant for public sector organizations, including higher education institutions, as they are for private and publicly held businesses, and they are only expected to grow in the years ahead.
Sustainability and social responsibility encompass a broad range of non-financial issues that may affect an organization’s financial condition and performance.

They may include environmental issues, such as the size of the organization’s carbon footprint, efforts to replace fossil fuels with renewable energy sources, and overall use of natural resources.
These responsibilities may also reference social issues, such as workplace diversity, health and safety, and consumer product safety risks. 

What is Environmental, Social and Governance (ESG)?

As implied by its name, ESG reporting is concerned with measuring performance in three very different domains: environmental sustainability, social responsibility and governance. The key measures used to document and report performance will differ significantly from one organization to another, and more importantly, from traditional accounting measures focused on financial performance.
For now, much of the focus of ESG reporting is on the private sector, especially publicly traded companies subject to U.S. Securities and Exchange Commission (SEC) regulations. The SEC is currently considering several proposed regulations incorporating elements of ESG reporting into the financial reporting requirements for public companies.

That doesn’t mean government entities and higher education institutions are off the hook. Concerns about climate change, expanded opportunities in the workplace, and effective governance are not expected to recede any time soon. History shows us that the public sector is usually not far behind the private sector when issuing guidance and requirements in emerging risk areas. Moreover, the same sentiment driving change in the public sector will affect government entities and higher education institutions as constituents seek more accountability for sustainability issues.

Forward-thinking universities and other public sector organizations can start to implement the appropriate processes to be better prepared to comply with new requirements that emerge.

Metrics and Reporting for Higher Education: The STARS Framework

When it comes to sustainability issues, higher education is not exempt from public sentiment and pressure. In recent years, “green rankings” of universities in various leading publications, including The Princeton Review, have highlighted the importance stakeholders are placing on sustainability. The rankings are based on metrics and voluntary reporting by the institutions themselves.

While there are several frameworks available, the most widely used ESG reporting framework is the Sustainability Tracking, Assessment & Rating System (STARS). It is a self-reporting framework open to the full spectrum of higher education institutions, from community colleges to research universities.
STARS was created in 2006 by the Association for Advancement of Sustainability in Higher Education (AASHE) in collaboration with higher education institutions. Currently, more than one thousand institutions have registered to use the STARS reporting tool to:

  • Provide a framework for understanding sustainability in all sectors of higher education.
  • Enable meaningful comparisons over time and across institutions using a common set of measurements developed with broad participation from the international campus sustainability community.
  • Create incentives for continual improvement toward sustainability.
  • Facilitate information sharing about higher education sustainability practices and performance.
  • Build a stronger, more diverse campus sustainability community.


The STARS framework includes long-term sustainability goals for already high-achieving institutions and entry points of recognition for institutions taking the first steps toward sustainability. Many institutions use STARS as a planning tool to identify areas of strength in sustainable practices and areas that need improvement. Each STARS report and rating is valid for up to three years, and a report may be submitted as often as once per year.

The framework is made up of five categories: Academics (AC), Engagement (EN), Operations (OP), Planning & Administration (PA) and Innovation & Leadership (IN), and these are broken into sub-categories for reporting purposes:

 

Each category is broken down into credits with specific metrics, activities, or practices needed to earn these credits. The institution identifies which credits they will pursue and collects the information from campus stakeholders. The institution accumulates points based on these practices and receives a rating of platinum, gold, silver, or bronze based on the number of points awarded. 



 
Below is an example of how one institution, the University of Georgia, appears in the STARS system. To allow institutions to compare their sustainability with others, the data used to assign points are made public.

Audit Committee and CAE Considerations

When it comes to ESG reporting, we have found that common questions arise among boards and audit committees as they consider the implications for their institution. These include:

  • Have we assessed the ESG disclosure criteria and determined which information is most relevant?
  • Do we have a strategy for identifying which ESG information is available?
  • How does our ESG performance relate to our institutional strategies and objectives?
  • Are our processes designed to produce accurate and complete information for our stakeholders?
  • Who is responsible for defining our institutional ESG strategy and overseeing information gathering through disclosure?

On a somewhat granular level, Chief Audit Executives and other audit leaders have questions related to ESG and reporting and disclosure. These include:

  • Do we have a published ESG or sustainability report or other available information? If so, is it still up to date and fit for purpose?
  • Is our ESG strategy aligned with our institutional objectives and long-term strategy? Does that strategy clearly state our ESG goals?
  • Who is responsible for overseeing the development and execution of the ESG program?
  • Have we defined the key metrics and data to quantitatively measure ESG performance across our institution?
  • Do we have defined, consistent processes and controls to identify, gather, aggregate and publish key ESG performance indicators?
  • Does our ESG/Sustainability strategy leverage one of the common reporting frameworks, and are we obtaining independent assurance or other support?

How the Audit Team Can Support ESG Efforts and Build Opportunities

For the audit team, it makes sense to approach ESG from a risk management perspective. In addition, contributing to the organization’s ESG efforts helps add value to the organization. The Internal Audit (IA) department can take these steps as part of the overall ESG program:

    1. Request an ESG risk assessment for the institution.
    2. In gathering information for STARS reports or other ESG disclosures, focus on adopting an enterprise-wide approach to managing ESG risks.
    3. Educate the administration about ESG reporting and the role organizational governance plays in the evaluation process.
    4. Identify and propose solutions to facilitate sharing information across siloed and decentralized approaches to risk management.
    5. Promote IA’s role in providing independent assurance.

IA can anticipate emerging ESG disclosure expectations and requirements by encouraging and understanding processes and controls in the institution. IA can also advocate for the adoption of established ESG frameworks and relevant, data-driven reporting, help to assess institutional stakeholders’ expectations and gaps in currently disclosed information, and support process-integrity of reporting by assessing how key data is compiled and reported.

Looking Ahead

As higher education institutions of all types and sizes continue to adopt and embrace ESG reporting, internal auditors will have an important role in helping to lay the groundwork for success. They have an opportunity to play a key role in improving internal controls and the overall adoption of these processes. The risks are unlikely to go away any time soon. The important thing will be the way institutions prepare for them.

Letter from the President

Dear ACUA Colleagues,

I hope everyone is enjoying the summer season! Nothing like summer on a college campus. I remember an administrator once telling me, “We love our students, but we love when they take the summer off too.”

I wanted to mention a couple of things about the upcoming AuditCon in Las Vegas in September (in bulleted short form, because who has time for all the words):

  • Once again, this year we will have the CAE track.
  • Lots of hot topics will be covered, including: Title IX, Sports Betting, Cryptocurrency, IT, Research, Ethics, roundtables of all sorts, ADA, foreign gifts and contracts, back to basics (risk assessments, report writing, etc.), self-care, student mental health, and many others…wow!
  • Amazing keynotes including, but not limited to, hearing from:
    • Robert Chestnut of Airbnb on intentional integrity in organizations
    • Tim Renick of Georgia State on predictive analytics for student success
  • Caesar’s Palace – speaks for itself!
  • In a hybrid format, there are tracks that will stream live to allow virtual attendance.
  • And of course, what sets our organization apart from others is the professional networking opportunities with fellow ACUA colleagues at our conferences.

Odds are good you won’t want to miss this conference!

Finally, let me take a moment to introduce our new editors, Gavin Shubert of Georgetown University and Kara Hefner of the University of North Carolina at Chapel Hill, as well as send a special thanks to Claire Thomas and James Merritt who have since left higher education auditing and passed the editors’ torch.

See you in Vegas!
Brian Daniels, University of Tennessee
ACUA President

    Letter from the President

    Hello ACUA family!

    I hope your year is off to a happy and healthy start. We are eager to be starting a new ACUA year with some exciting initiatives and benefits for our members. I wanted to use this letter to highlight some of these initiatives ACUA is pursuing this spring. As a reminder, ACUA’s Member Needs Assessment Survey launched on February 28th. This is a great opportunity to help us shape the strategic trajectory of ACUA to meet your needs!

    Additionally, we are moving steadfastly toward the Audit Interactive (AI) conference, and for the first time, we will be co-located with URMIA for a portion of this event. ACUA members have paired with their own institutional experts to provide a number of sessions that will dive deep into various topics while keeping the internal audit perspective. This conference also promises to provide our members with coveted networking opportunities and new opportunities to network with our URMIA colleagues.

    At this point, registration numbers are looking great, and we cannot wait to see so many of you in person again. That being said, we haven’t forgotten about those of you who have embraced and thrived in the virtual learning environment. As such, our Virtual Learning Committee is working with ACUA members and strategic partners to provide a mix of 12 webinars and roundtables this year, some of which will be extended sessions. This will provide more opportunities to obtain CPE credits virtually, and we will soon be releasing a robust schedule of e-learning opportunities for the remainder of the year. With the success of last fall’s hybrid AuditCon conference, we are exploring options to embrace a hybrid platform again at AuditCon this September.

    As a reminder, we have a Call for Proposals open, and submissions are actively being accepted. I would especially challenge those of you who have never submitted a proposal to take a chance! In fact, we are introducing a new ACUA Future Speakers session at AI to bridge the knowledge gap on this process! If you participate in the session, you will still have time to submit a proposal for AuditCon this fall. (And, speaking of chances, AuditCon will be in Vegas this year!) 

    Finally, I should remind you that ACUA is committed to the safety and security of our membership for the upcoming conference, as indicated in our most recent communication:

    “ACUA cares about your well-being and has placed social distancing measures in place for attendees to gather safely and comfortably. Please find the official ACUA COVID statement here, which includes highlights of the safety plan and the City of Raleigh’s current procedures.

    While there are no guarantees of safety, ACUA is doing its best to safeguard your well-being, providing an engaging learning environment as well as opportunities to network with your colleagues, especially with our co-locators, URMIA.”

    Best wishes, and see you all at AI!

    Brian Daniels, President

    Letter from the Editor

    Hello ACUA,

    The new year is upon us! Although it may seem like we are still in the dead of winter, spring is already on the horizon. In our last issue, we reflected on the changes, struggles and accomplishments of the intense period of transformation we have all been living through. But now, as we turn the page to 2022, it’s time to do some spring cleaning and gear up for whatever the future holds.

    In this issue, “Spring Forward: Planning for the Future,” we embrace the renewed energy that accompanies the start of the new year. Here, our members share their thoughts about a host of topics that will help audit teams create a culture of continuous improvement and prepare to face new and evolving risks. First, Sandy Jansen and Kimberly Turner provide their insights on how internal auditors can gain a seat at the table with institutional leadership. Then, Todd Knowles and Diane Padgett deliver the second part of their Data Privacy Primer series, in which they dive deeper into the topic of personal data and offer recommendations on how auditors can identify and mitigate privacy risks. Karletta Jones and Mark Ruppert also share their experiences using Microsoft Teams to enhance the efficiency of administrative audit tasks, client communication and documentation processes. In addition, Du’Neika Easley has an exciting update from the ACUA Board of Directors on the Diversity and Inclusion Leadership Committee. Finally, the journal team has tabulated your responses to our recent survey. Our article on succession planning and the Great Resignation offers results, resources and suggestions for adjusting to this new era in the workplace.

    Each issue of College and University Auditor journal is made possible by contributions from our wonderful community. Please consider sharing your knowledge and expertise in a future issue! The journal team is happy to assist you in developing a basic outline or fine-tuning your article. Feel free to reach out to me with questions, comments or ideas at editor@ACUA.org, or contact me by phone at (203) 218-7631.

    Many thanks to our community, and I hope you enjoy this issue of College and University Auditor!

    Sincerely,

    Claire Thomas, Editor

    Secrets to Getting a Seat at the Table

    As chief audit executives and auditors, we want to be considered valued members of our organizations. Having a “seat at the table” may be one of the strongest indicators that you have succeeded in becoming a trusted advisor within your organization. However, this status is difficult to achieve and easy to lose. Obtaining (and keeping) a seat at the table requires dedication to certain tenets, including:

    • Consistently demonstrating your value.
    • Focusing on quality audit work and results.
    • Providing insight outside of the audit process to widen your circle of influence.

    Becoming a Valued Team Member

    The first step towards getting a seat at the table is becoming a valued team member. As detailed below, there are a number of important ways you can demonstrate your value to the team:

    • Listen more than you talk. If you were ever scolded for not listening as a child, your mother might have reminded you that everyone has two ears and one mouth. As it turns out, this is good advice for auditors and children alike. In fact, the word “audit” is derived from the Latin word “audire,” which means “to hear.” Listening helps auditors compare and synthesize conflicting points of view in order to find nuanced solutions. It enables us to understand our organization’s culture and politics and bring sensitivity to our analysis of the facts.
    • Do not play politics. While it is important to be aware of the politics in an organization, auditors should never get involved in them.  
    • Be constant in your ethics. Auditors must never forget that they live in glass houses. If your integrity is ever compromised, all is lost.
    • Demonstrate good judgment. Senior leadership hired you for your unique skillset and your decision-making capabilities. Use critical thinking to provide sound, solid and objective assessments and advice.
    • Build relationships. It is important to build positive relationships with key stakeholders outside of audit engagements and before a crisis. Good relationships will make it easier to deliver difficult news to stakeholders and ensure that they are open to your suggestions. In addition, a solid network of connections demonstrates the value of internal audit in strengthening cross-functional communication. If building relationships is not one of your strengths, seek additional training in this area and be willing to step out of your comfort zone. 
    • Share information. In the course of your work, you may learn of initiatives and key information that should be shared with other stakeholders. Because auditors have a 360-degree view into the operations of the institution, we can help connect people, break down silos and promote collaboration across the organization. In addition, we often are able to connect the dots between different data points to uncover problems and solutions that others cannot see. Coupled with an objective mindset, the insights we develop can be invaluable to senior leadership, even outside of formal audit reports. While sharing knowledge is important and can help build trust, remember that some information may be shared with you in confidence. It is critical that auditors never disclose confidential information.

    Focusing on the Audit Work and Results

    One of the most important things you can do as an auditor is to inspire trust. Though it may seem obvious, trust starts with providing complete and insightful audit results. Ensure your reports are fair, balanced, accurate and helpful, as clients may question your professionalism when your work contains errors or uses inflammatory language.

    In addition, auditors must focus on significant risks, consider the strategic direction of the institution and have a solid understanding of the organization and the broader higher education industry. Your audit plan should consider strategic goals, the institution-wide risk assessment and discussions with senior leaders and board members. Focusing on significant risks of strategic concern to university leadership demonstrates the value that you can bring to the institution. Senior leadership does not want to waste time reading a report focused on the small stuff, so avoid dwelling on minutiae.

    During audits, it is critical to examine things from multiple vantage points. Zoom out to consider big picture implications. Zoom in to see details that may not be immediately apparent and look for patterns, relationships and linkages. It is important to synthesize this information and provide valuable insights in client communications, including audit reports. In doing so, make sure you connect the dots between your individual audits and advisory projects to detect patterns, trends and hot spots.

    Strong communication skills are required to effectively deliver the results of your work. In addition, auditors must be able to negotiate professionally to assist management in identifying and mitigating risk. While negotiation may at first seem like subordination of judgment, open conversation and consideration of all relevant facts can strengthen management’s commitment to resolve audit issues and implement suggested changes.

    The entire audit team’s attitude is also critical to building trust. The team should be viewed as professional, approachable and helpful rather than “too nice,” lacking professional skepticism, out to find problems (“gotcha”) or trying to surprise management. Nothing will result in exclusion from the leadership table faster than the wrong attitude from the audit team.

    Finally, your work must be high quality and consistent. The internal audit quality assurance and improvement program must be top notch to ensure your work meets professional standards. Of course, mistakes may happen, but if you make a mistake, own up to it and correct it.

    Widening Your Circle of Influence

    Assurance services: An objective examination of evidence for the purpose of providing independent assessments, the nature and scope of which are determined by the auditors. 

    Consulting services: Advisory and related client service activities, the nature and scope of which are agreed upon with the client.
    (from The IIA’s International Professional Practices Framework Glossary)

    To further your team’s impact, consider moving beyond traditional audit areas. Here are some ideas for getting out of your comfort zone:

    • Leverage new technologies such as automated processes, data analytics and continuous monitoring to reduce time spent on routine operational and financial risks. The time saved could be used on advisory and consulting work, which may provide more insight and value to leaders at your institution.
    • Evaluate the institution’s strategic plans and determine how internal audit can provide advice and insight.
    • Consider when a consulting engagement would add more value than an assurance engagement.
    • Increase audit focus on strategic risks. 
    • Collaborate with other assurance providers, including campus police, general counsel, and compliance and risk management functions.
    • Consider co-sourcing or outsourcing arrangements with external assurance providers, such as independent audit firms, information technology consultants, state auditors or others to supplement your office’s knowledge and capabilities.

    Next Steps

    If you are developing key stakeholder relationships or working to re-establish those relationships, completing a few easy steps can go a long way. First, schedule periodic meetings with key stakeholders. For example, some chief audit executives and team members meet quarterly or monthly with the institution’s chief financial officer, provost, president or others. Agendas for these meetings should include time to share risk insights and trends based on current and upcoming audit work, the status of any outstanding items (because no one likes surprises), and an opportunity for stakeholders to discuss any key initiatives or concerns. This time can also be used to gain an understanding of risks that senior management feels may be on the horizon for the institution and allow for preemptive risk assessment activities.

    Auditors can also take advantage of seeing stakeholders outside of regular audit-related meetings. Campus celebrations such as retirement parties and welcome events provide great opportunities to get to know management on a more personal level. Make time to attend such events – and don’t be a wallflower!

    When you are included in meetings or initiatives, make an effort to add value. While you do not want to dominate the conversation, remember you have been asked to participate in the meeting to provide insight and thought leadership, not to sit on the sidelines.

    If you are not included in an initiative for which you can provide insight, senior leadership may not have thought to include you. Sometimes, politely asking if it is possible for internal audit to attend is all that is needed. However, asking for an invitation takes courage and may use some “personal capital,” so make sure it is an area where you have knowledge and insight rather than asking to be included in everything.

    Finally, be open to new information and opportunities to add value. The more you work to understand the university’s risks and challenges, the more likely you are to reach valuable conclusions. If you never change your mind, you probably are not approaching the work the right way. Adding value is an iterative process – you will never be “finished.”

    Getting a Seat is Worth It!

    For many audit professionals, having a seat at the table can impact career achievement. Job satisfaction and long-term success are directly tied to your perception of your own ability to add value and make a difference at the organization. For auditors in higher education institutions, adding value is particularly rewarding because the mission of higher education aligns so well with our own: creating a better world through education, research and other outreach activities.

    Most importantly, having a seat at the table will allow you to continue adding value in the future. The seat can be self-sustaining through continuous attention to positive professional relationships, commitment to a high-quality audit function and insightful dedication to the betterment of your organization.

    Using Microsoft Teams to Facilitate Internal Audit Teamwork

    Introduction

    There are many options for internal auditors who wish to improve the automation of processes that support audit administration, completion and follow-up. However, access to those options is contingent upon the financial resources available to the internal audit function. When those resources do not exist, or are truncated, options become limited. This often results in the internal audit function either using paper records (egads!) or word processing and electronic spreadsheet files organized into folders. Neither of these methods results in improved efficiency, implementing best practices or improved client interactions.

    At Northern Arizona University (NAU), we used a cloud service provider for our audit administration work for several years. Although this method was affordable and met our basic documentation needs, it offered no great strides forward for our audit team. Before the pandemic, we decided to take advantage of our corporate SharePoint license and began building a knowledge repository to help organize our records and reduce our carbon footprint. After studying several use cases from other internal audit departments, we began working on our own SharePoint prototype.

    And then the pandemic forced us to change our plans. Funding was slashed, and the university moved to a remote work environment. With reduced resources, we decided to put our plans on hold and move to SharePoint Online. As audit projects were delayed, we invested time in learning as much as we could about the new functionality available in SharePoint and Microsoft Teams (MS Teams).

    In this article, we will share how we have used this knowledge to implement MS Teams as our new and much improved audit administration system, iTEAMS (Internal Audit Team Engagement Audit Management System).1 Although we have already made numerous improvements, our team meets quarterly to review what we’ve learned and identify ways to mature our processes.

    Our approach has helped us achieve our objectives for automated audit administration, including:

    • Improving and documenting client interaction by reducing the need for tracking and documenting emails, video and other project-related communications.
    • Organizing project documentation in a secure and easy-to-use interface, with the ability to control individual access and allow for sharing and collaboration on individual documents.
    • Automating the audit administration process so team members can focus on their engagements.
    • Ensuring the system is available anywhere we have internet access.
    • Prioritizing opportunities for improvement as they are identified.

    Project Set-Up

    Throughout an audit, we use many MS applications, including Excel and Word. Because MS Teams and SharePoint are well-integrated, we’ve been able to use the features in MS Teams to link directly to source templates that are housed in the policy section of our SharePoint website (e.g., Excel and Word templates). This helps to ensure that we consistently use the latest versions of our audit templates. We have also leveraged the following features: 

    • Tasks by Planner and To-Do: This is a flexible tool to organize tasks not only for the Internal Audit Team, but for the client as well. It offers features like categorized scheduling and a calendar and allows users to attach files directly to a task (see Figure 1).
    • Document Library: This links directly to the SharePoint site that houses our policies, procedures and templates. Metadata added to these document libraries is also helpful for documenting and tracking audit plan status.
    • Request Sign-Off Flow: This provides the capability to route the preparer’s work to the reviewer in SharePoint with a documented approval workflow.
    Figure 1
    Improvement Opportunities Tracking and Task for Review Process

    MS Teams makes use of posts and file sharing as a means of helping teams stay connected and organized. For each project, we create a separate “Team” within MS Teams. Each team originates with a General Channel, which we use for client communication and file sharing using the Posts and Files tabs that are created by default.

    • The Posts Tab allows for communication among all members of the Team and is great for capturing client input directly related to the project.
    • The Files Tab is an area where folders and files can be housed to organize documents provided by and shared with the client. 

    This approach not only supports client collaboration and communication in a single place (instead of relying on copious daily emails), but also serves to document those communications and files. Files can also be hyperlinked to support other work papers (See Figure 2).

    Figure 2
     

    Planning, Fieldwork and Reporting

    Each Team also allows for the creation of other channels, as needed. These channels can be made available to all Team members or can be restricted using Private Channels. We create and use a Private Channel, which we label “Audit Files,” to collaborate and communicate among the internal audit team, and for the storage and organization of the project working papers. Since we use templates throughout our audit engagement, we use the copy feature from the MS Teams template to quickly set up the tabs for each channel, as shown in Figure 3 below: 

    Figure 3
    General Channel (See also Figures 2 and 5)
    • Posts: Client Communications
    • Files: File Sharing with Client
    • Tasks: Tasks App for various tasks
    • Welcome: Word template that welcomes clients and provides instructions for Team use
    • Agenda: Word template for Entrance Conference meeting agenda

    Private Channel: Audit Files (See also Figure 4)
    • Statement of Independence: Excel template that tracks audit team conflict of interest reporting for the project
    • Audit Sections: Word template that summarizes the audit sections with links to the supporting work paper files
    • Improvement Opportunities: Word template that summarizes all identified audit findings and follow-up with client
    • Team Assignments: Word template that identifies each team member’s responsibilities and tasks
    • Review Notes: Word template that contains supervisory review notes and related follow-up or clearance activities

    The Private Channel, “Audit Files,” is structured by project section, as shown in Figure 4.

    Figure 4
    This example shows the project file structure in Teams in a private channel. Private channels are identified with a lock icon to the right of the channel name. The Team administrator controls Team access. By default, all members added to the project Team have access to everything but private channels. Members must be granted Private Channel access by the administrator.

    Due to the configuration of the General Channel, Posts is the default screen that will pop up when clicking on a Team, so we use it to direct the client to the Welcome tab. The Welcome tab is a Word template that helps demonstrate to the client the benefits of using MS Teams for audit management. It also provides instructions to help those clients not familiar with MS Teams and establishes the expectation for the use of MS Teams during the audit. Files provided by the client in the General Channel can be linked to, or easily moved to, the Audit Files Private Channel (see Figure 5).

    Figure 5

    For reporting, we share all initial draft reports through posts in the General Channel. However, we issue final reports through official email communication and store copies of those emails in the private channel Reports Folder. We also track all issued reports in a separate SharePoint document library that includes metadata for tracking when reports are due for presentation to the Board of Regents, the number and nature of improvement opportunities in each report, the type of audit conducted (compliance, financial or integrated) and other details (see Figure 6).

    Figure 6
    SharePoint Audit Report repository showing view by audit plan year.


    Supervisory Review and Improvement Opportunity Tracking

    For quality assurance, we use a Word template to track review notes. A SharePoint workflow initiates review by folder and audit program step and applies a pending or approved status as metadata for each folder (as shown by the sign-off status columns next to each file folder in Figure 4).

    To track improvement opportunities in real time, we use a Word document that mirrors our audit report. When an improvement opportunity is identified, the document is made available as a tab in the General Channel for client review and feedback. This template also helps the client see the details and layout of improvement opportunities (e.g., condition, cause, etc.) to improve buy-in and limit surprises during reporting. This template is also used to document discussions with the client. Once client review is complete, the Improvement Opportunities are moved back to the Private Channel.

    As we continue to mature the use of MS Teams and SharePoint, we hope to create a process for audit follow-up as well.

    Limitations

    As with any electronic tool, adjustments will always be needed. For MS Teams, we have encountered the following limitations:

    • Only nine attachments can be included in Tasks.
    • Anyone assigned to the task must reply to the comments section to be notified of future comments.
    • Lag time may exist due to the Cloud structure and network bandwidth.
    • MS Teams provides access to many applications that help with building processes and workflows, but there is no way to easily identify applications that the university has purchased. It is important to gain an understanding of this issue before committing to using a specific application within MS Teams. However, applications for Excel, Word and Calendar are default MS Teams applications available to all users.
    • Requesting sign-off cannot be done directly in MS Teams; it first requires that users log into SharePoint.
    • Tasks by Planner and To-Do are only available in the General Channel; such task management is not available in the Private Channel.
    • While we created an audit project template to initiate the creation of new project teams, only the Team structure can currently be copied from a template. Embedded files in the template do not transfer.
    • Most clients like the use of MS Teams for audit interactions. However, clients don’t use it continuously, so it cannot completely replace email communication. However, an email can be dragged directly from Outlook into the Team files in both General and Private channels.

    Conclusion

    MS Teams and SharePoint offer a lot of functionality and, with some training, they can be set up fairly easily. Larger audit teams may find it useful to work with PowerApps or other related tools to establish more edit controls, including workflow and document locking. If your organization is already using MS Teams and SharePoint, building out this functionality is unlikely to require license fees for third-party audit administration and documentation systems. If you are going through a similar transformation, please reach out to us for additional details and to share what you’ve learned and applied. Collaboration will help us all continue to improve!


    References

    1 We will be presenting this approach at ACUA Interactive on Tuesday, March 29th in greater detail.

    Creating an Intentional Culture of Inclusiveness: A Conversation with ACUA Leadership on Diversity and Inclusion

    For many, 2020 will long be remembered as a year of reckoning and change in the U.S., marked by a global pandemic, an economic crisis, political unrest and racial tension. In response to a year like no other, ACUA’s President, Julia Hann, issued a call for volunteers on July 2, 2020 as ACUA prepared to launch its first-ever Diversity and Inclusion Leadership Committee. In her note to the ACUA family, Julia stated that “the board is deeply committed to examining our core values and making sure inclusivity, respect, appreciation and embracing our differences is part of our foundation as an association,” and that the board wants “to ensure ACUA is welcoming to everyone.”

    Within weeks, the call was answered. Approximately 15 members convened at the initial meeting. The group began by exploring the definition of diversity and inclusion (D&I) and identifying the committee’s goals and objectives. As the conversation unfolded, it was clear that D&I is a multi-faceted construct that extends beyond gender and race. It continues to gain importance as consumers hold organizations accountable for creating a measurable culture of inclusivity.

    ACUA conducted a baseline membership survey and found that ACUA’s membership is approximately 55% female and 41% male, with 4% providing no response or preferring not to answer. In terms of race, 67% of the members identified as white (not Hispanic or Latino), 12% Black or African American, 7% Asian, 6% Hispanic, Latino, or of Spanish origin and 1% Native American. The remaining 7% identified as multiracial or preferred not to answer. The survey also explored other aspects of diversity including age, religion, ACUA volunteerism and the size and location of members’ institutions.

    A 2020 study published by McKinsey & Company, a global management consulting firm, found that “the greater the representation, the higher the likelihood of outperformance and the likelihood of outperformance continues to be higher for diversity in ethnicity than for gender.”[1] In addition, studies show that D&I committees are most successful when leadership is on board with the initiative. Therefore, the work of the committee, in collaboration with the board, includes examining how to use this information to identify and shape ACUA’s strategic priorities and desired outcomes. During the board meeting, Deidre Melton, D&I Committee Chair, detailed the committee’s conversation in order to gain insight on how ACUA leadership ranks the importance of D&I work and what they expect to gain by creating the sub-group. The board spoke candidly on the topic as reflected in the summary below.

    Q: When you hear the words “diversity and inclusion,” what does that mean to you?

    A: Taking different viewpoints, membership needs and perspectives into consideration. Allowing all voices to be heard, while making room at the table and creating a safe space. Proactively supporting a platform and opportunities (in the structures and processes of the organization) for people from different groups or backgrounds, including those who have been excluded.

    A: Accepting all people, irrespective of group affiliation. Willingness to listen to and acknowledge our differences in order to confront issues that create barriers to addressing and eliminating bias.

    A: There are many different aspects of diversity, but inclusion comes first. How do we ensure we welcome everyone who wants to be involved? Once people feel included, they may be more interested in volunteering and taking on leadership positions.

    Q: Why is it important for ACUA to tackle this sensitive topic as an organization and within our separate institutions?

    A: We don’t know what we don’t know, and we owe it to our membership to be intentional about ensuring that all members feel included, supported and valued, and to make sure they can participate as much as they want to.

    A: Higher education is sensitive to the cultural climate; therefore, this topic is important to our campus communities. Not every university offers training on D&I, but ACUA is positioned to train our members, offer education and provide resources.

    A: We had more questions than answers and felt like we had a lot of growing and learning to do. We recognized possible issues, but also knew we needed help.

    A: As this is an important topic for everyone, for our growth as an organization and as individuals, we need to create processes and protocols that will support this issue. We need to act, not just put out a statement: walk the walk, not just talk the talk!


    Q: What are some of the most beneficial things that can move the needle on inclusion or shift the culture within ACUA?

    A: Being proactive and intentional with our plans to put this initiative at the top of the priority list for everything we do. Practicing [inclusivity] until it is second nature and an embedded part of our processes, planning and programming.

    A: Adding D&I training at all levels, including the board, committees, members and volunteers. It should also be included as part of the volunteer recruitment process.

    A: Building a future speaker’s program to help increase speaker diversity at our conferences and webinars.

    A: Push our working partners to further their diversity initiatives and raise awareness of what steps they are taking at their organizations. Focus our work with like-minded groups that prioritize D&I as well.


    Q: When thinking of successful outcomes for this committee, what does that look like to you? What activities or initiatives would you like to see the committee lead?

    A: Creating an intentional culture of inclusiveness where we encourage members to speak out.

    A: Offering education and resources. Assisting members in evaluating their institutional D&I programs.

    A: Consultation, thought leadership and partnership with ACUA’s board and membership.

    A: Diversifying speakers for conferences and webinars. Breaking the cycle of using the same people in the same way.

    The conversation closed with this thought: We all have a role to play, but we need the expertise of the D&I committee to help lead the association in the right direction. As the committee’s final charter, goals and objectives take shape, the vision of creating a better tomorrow has never been clearer.


    References

    [1] https://www.mckinsey.com/featured-insights/diversity-and-inclusion/diversity-wins-how-inclusion-matters