Performing an Internal Self-Assessment of your Internal Audit Department

Internal audit departments following the Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF or “Standards”) are required to develop and maintain a quality assurance and improvement program (QAIP) that includes internal and external assessments. A QAIP verifies the work is performed in accordance with the Standards and the IIA’s Code of Ethics and that the internal audit department operates in an efficient and effective manner.

Most audit shops are already performing ongoing reviews of their engagements through supervision, workpaper review, following established audit policies and procedures governing the audit process, and soliciting feedback from customers. Periodic self-assessments go beyond the routine supervision and monitoring of each engagement to evaluate each IIA Standard. Performing a thorough self-assessment can help increase efficiencies, create uniformity of documentation amongst your team, and help prepare the audit shop for a positive external review.

Periodic self-assessments are often conducted at the mid-point of the five-year external review cycle but may be conducted more frequently. The review may be performed by the chief audit executive (CAE), assigned to a senior auditor, preferably a Certified Internal Auditor (CIA), or divided amongst the staff. It is important that all members of your review team be open to change and allow a positive dialog for discussing potential weaknesses and recommendations.

There is no single method required for conducting a self-assessment. One way to efficiently evaluate all of the Standards is to design your self-assessment around the following four themes: Governance, Staff, Management, and Process, which is how the IIA teaches external reviews. The Governance and Staff sections address the IIA’s Attribute Standards and the Management and Process sections address the IIA’s Performance Standards.

If you are a state college or university and your state performs peer reviews, you may be able to obtain detailed templates from your state auditor’s office to help in your review. The following is a summary of the critical tests that the State of North Carolina uses for its external reviews:

Governance

These Standards refer to how the internal audit function is governed. Key documents include the Audit Charter, department procedures manual, organization chart, and independence attestations.

  • The Purpose, Authority, and Responsibility need to be defined in your Internal Audit Charter. The language in the charter should align with the IPPF, address both assurance and consulting services, and allow unrestricted access to records and personnel. Review your charter and ensure it reflects your current practices and has been approved by your Board of Trustees or Audit Committee.  
  • Independence of the internal audit department should be confirmed to the Board at least annually. Departmental independence is often achieved by reporting administratively to the President/Chancellor and functionally to the Board of Trustees or Audit Committee. Ensure your organizational chart reflects an independent reporting structure. Additionally, individual auditors must be independent of the areas audited, and new auditors must refrain from assessing specific operations for which they were responsible within the last year. Auditor independence may be demonstrated by individual attestation for the audit plan year or for each engagement by each auditor.
  • The IIA Code of Ethics must be followed by all members of the Internal Audit department, whether or not they hold any IIA certifications. Consider whether all team members uphold the principles of integrity, objectivity, confidentiality and competency. One option to demonstrate awareness is to include the IIA Code of Ethics in your procedure manual and have team members sign an affidavit to confirm their understanding.
  • The Quality Assurance and Improvement Program must be developed and maintained by the CAE. A description of regular engagement monitoring, periodic internal assessment, and 5-year external assessments should be documented in the procedure manual. Verify prior assessments were timely and shared with senior management and the Board.

Staff

The Staff Standards focus on auditor competency and the ability to have sufficient knowledge and skills to perform engagements. Employee certifications and training records are tangible evidence, and the ability to exercise due professional care is reflected in the engagement work papers.

  • Proficiency must be demonstrated by all internal audit team members. Auditors must possess the knowledge and skills needed to perform their responsibilities individually and as a department. Maintain records on professional certifications and continuing professional education logs that show the staff collectively has specialty knowledge such as IT, fraud detection and data analytic skills required to complete the audit plan. Subject matter experts may be needed. Evidence of proficiency may be documented in performance reviews, and post-engagement client surveys should include feedback on staff proficiency.
  • Due Professional Care, that which is expected of a reasonably prudent and competent auditor, must be applied. Determine whether engagements were staffed and adequately supervised based on the complexity of the subject. Verify engagement planning considered fraud and the feasibility of using data analytics for a higher level of assurance.
  • Continuous Professional Development applies to all team members, not just those maintaining certifications. Define training requirements in the procedure manual and counsel staff on relevant training opportunities. Audit team members should track their continuing professional education training and ensure they meet licensing and departmental requirements.

Management

Management refers to managing the duties of the internal audit function along with the nature of work. The internal audit activity is effectively managed when it achieves the purpose of the audit charter, conforms with the Standards, and considers emerging trends that could impact the organization. Annual audit plans, performance metrics, achievement of the plan, reports to the Board, engagement reporting, and meeting minutes are key documents for the self-assessment.

  • An Audit Plan that determines the priorities of the internal audit activity must be established by the CAE, usually on an annual basis. The audit plan should be based on a risk assessment, input solicited from senior management and the Board, and consider resource management. Ensure the methodology for establishing the audit plan was documented, and the final plan was formally approved by the Board.
  • Policies and Procedures should be documented to guide the internal audit activity. Review the department’s procedure manual and verify that it is current, complete, and aligns with the Standards. Ensure that the procedure manual is being followed throughout the internal assessment process.
  • Reporting to Senior Management and the Board should occur regularly. Verify that the following items were reported at least annually: the audit charter, independence of the internal audit activity, the audit plan and progress against the plan, resource requirements, results of audit activities and conformance with the Standards.
  • The Governance of the organization needs to be assessed by the internal audit activity, and appropriate recommendations for improvement should be made. Verify there is documentation to support sufficient coverage of improvements to the organization’s governance process, such as memos and meeting minutes.
  • The Risk Management process of the organization must be evaluated, and the internal audit activity must evaluate the effectiveness and contribute recommendations for improvements. Auditors may collaborate with other areas such as Legal or the Enterprise Risk Management function. Significant risks, including fraud risks, should be addressed in the annual audit plan.
  • If Overall Opinions are used for engagements, they must be supported by a summary of the information that supports the opinion. Review your reports for appropriate overall opinions.
  • Communicating the Acceptance of Risk by management should be handled consistently. The procedure manual should state the process taken when management accepts a level of risk that may be unacceptable to the organization, such as escalation to the Board. Verify these processes were followed for any engagements where unacceptable risks were identified.  

Process

Process refers to the execution of engagements in the audit plan. Several engagements should be chosen for the self-assessment to evaluate workpapers for planning, fieldwork and reporting, along with the tracking of follow-up items. Sample different types of engagements, such as audits, consultations and investigations, performed by different auditors.

  • Engagement Planning is required for each engagement to establish the engagement’s objectives, scope, timing and resource allocations. For the sample of engagements, determine whether risks were identified, objectives were established, and appropriate scope and resources were defined and documented in an engagement letter to the client.
  • Engagement Work Programs should be developed and documented that address key risks, policies and procedures. Verify work programs were created that included clear instructions, addressed risks and objectives, and were approved prior to fieldwork.
  • While Performing the Engagement, auditors must identify, analyze, evaluate and document sufficient information to achieve the engagement’s objectives. Review engagement workpapers and verify they identified factual, adequate and convincing information. Workpapers should be consistently performed by all team members and reliable and useful enough to support the conclusions. Ensure sound and accurate sampling and testing procedures were performed. Confirm workpapers are retained per your institution’s requirements.
  • Engagement Supervision is necessary to ensure objectives are achieved, quality is assured and staff is developed. Verify there is evidence of workpaper review, which could be a manual or electronic sign-off or approval completed using audit software. Demonstrate that staff members receive feedback and training during engagements by retaining review notes.
  • Communicate the Results of engagements to the auditee and appropriate parties such as senior management and the Board. Confirm engagement report observations and conclusions were supported by the workpapers. Evaluate whether positive results and satisfactory performance were included in final communications. Ensure reported results were helpful to the client and organization and led to improvements where needed. Determine whether any errors or omissions were corrected and re-issued.
  • A Monitoring Process must be developed by the CAE to ensure actions have been effectively implemented. This process should be defined in the procedure manual and followed for all engagements. Outstanding items should be tracked and monitored. Review past engagements with findings and verify there is evidence that management action plans are being followed up and resolved timely.

Conclusion

Complete your self-assessment by identifying areas of improvement and have team members collaborate on feasible solutions. As you would for any other audit, document the findings in a report along with your department’s management responses and due dates, and ensure those changes are made timely. Share your accomplishments and commitment to improvement with senior management and the Board.

While a full internal self-assessment can be time-consuming, it can be worked on intermittently throughout the year or completed all at once. By utilizing a team approach, the team members will learn the IIA Standards and strengthen their knowledge of departmental requirements. Single-member audit shops will also benefit from conducting an internal assessment by ensuring their department meets the Standards and is prepared for the external review. 

Ms. Hefner will be speaking on this topic at the 2022 AuditCon in Las Vegas, session A10 Internal Self-Assessments: Create A Winning Hand.

Letter from the Editor

Hello ACUA members,

My name is Gavin Shubert, and I’m the new editor of the College and University Auditor Journal. I want to thank Claire Thomas, my predecessor, and James Merritt, the Journal’s former deputy editor, for their valued and worthwhile contributions to the Journal. Additionally, their assistance transitioning a new editor and deputy editor onto the team has proved invaluable. Thank you both.

In case we haven’t crossed paths yet, I’m an Internal Auditor at Georgetown University. Our new deputy editor, Kara Hefner, is a Senior Auditor at the University of North Carolina, Chapel Hill. She has graciously contributed her time and efforts as a writer for this edition of the Journal, in addition to her capacity as deputy editor.

Kara’s article provides a great professional resource for audit shops looking to perform thorough and standards-compliant internal assessments. In addition, Kyra Castano and Adrienne Larmett provide insights on instituting environmental health and safety controls. Then, Daniel Graves and Greg Englert give guidance on ESG and sustainability reporting and how you can better document these emerging and meaningful metrics. Next up, Curt Plyler, a Certified Construction Auditor, dives deep into how to audit construction costs. Finally, Erin Egan and Colleen Tedeschi share how to comply with sponsored awards, emphasizing the significance of cost transfers.

In this issue of the College and University Auditor, aptly named “ACUA: Live in Las Vegas,” you will find a wide variety of topics written by talented authors who strove to make their knowledge and expertise relatable and valuable for ACUA members in every institution. Please consider joining a growing field of professionals making their mark on the collective learning of our ACUA community by reaching out to me at editor@ACUA.org. Questions, ideas, and comments are always welcome.

Please also keep in mind that the Early Bird Deadline for discounted registration to AuditCon has been extended until August 19th. Now, without further ado, please sit back, relax, and enjoy this summer issue of the College and University Auditor Journal.

Sincerely,

Gavin Shubert, Editor

Environmental Health and Safety in Higher Ed – How institutions can implement internal controls to protect their community

When you step on campus, do you think about how, and by whom, your campus community is protected from the myriad environmental hazards potentially lurking in buildings, labs, and water fountains?

Colleges and universities have various environmental risks and events (e.g., water and air pollution, biohazardous materials and fire hazards) that must be managed daily. An institution’s Environmental Health and Safety (EH&S) function serves an essential role in supporting the mission of the institution with teaching, research, and service by providing safety evaluation and monitoring services to the campus community as a whole. EH&S works to ensure internal controls are formalized, comprehensive, and working effectively by performing a variety of activities including, but not limited to, laboratory inspections, monitoring existing hazards, identifying potential hazards, and reducing safety hazards.

In addition to the increasing safety concerns resulting from the 2020 global pandemic, there is an opportunity for Internal Audit to provide operational reviews of the current environment’s risk mitigating controls.

What is EH&S?

Environmental Health & Safety (EH&S) is the science and practice of preventing human injury and promoting well-being[1]. EH&S is a term used by laws, rules, regulations, professions, programs, and workplace efforts to protect the health and safety of the campus community. Other common ways to abbreviate EH&S are HSE or EHS&Q where the “Q” stands for Quality.

EH&S Responsibilities and Reporting Structure

EH&S functions are often the contact points for regulatory agencies and emergency response actions. EH&S is often responsible for educating the campus community on standards applicable to the institution.

EH&S is commonly tasked with:

  • Serving as the oversight and authority for EH&S compliance.
  • Implementing health and safety policies and procedures.
  • Conducting inspections and monitoring procedures to identify existing potential hazards.
  • Performing routine audits to measure compliance with regulations.
  • Measuring and improving environmental health and safety performance across campus.
  • Providing and supporting incident responses.

EH&S reporting structures look different at each institution. Some common reporting lines include:

  • Campus Safety
  • Campus Operations
  • Facilities
  • Risk Management
  • Research

Risk Universe

Just as institutions differ in reporting structure, an institution’s EH&S risk universe will differ as well. The most important thing to remember before you audit your institution’s EH&S function is to consider the environment and what risks may be more important than others. For example, a large research institution with a medical school may present risks such as biohazardous chemicals or radioactive materials, while an institution located in the southeast may be at a high risk for a potential weather-related hazard. Below are a few types of risks to consider based on your institution’s academic, risk and geographic environment.

Rules, Regulations, Policies and Procedures

EH&S is a highly regulated area with a number of laws and standards falling under:

  • Environmental Protection Agency (EPA)
  • Occupational Safety and Health Administration (OSHA)
  • International Fire Code (IFC)

Specific topical areas may include, but are not limited to:

  • Biohazardous materials in research and instruction
  • Confined space entry
  • Contractor safety
  • Eye protection
  • Fall protection
  • Occupational exposure to hazardous chemicals
  • Personal protective equipment, including COVID-19 exposure
  • Radioactive materials
  • Waste disposal

Since there are so many regulations to consider, we recommend that you begin by reviewing your institution’s policies and procedures, as your EH&S function has likely already created internal controls for most key regulatory requirements.

Considerations for the Internal Audit Plan

Internal Audit can support the institution to better understand the design and effectiveness of the compliance framework, including internal controls, oversight, training, authority and applicable regulatory requirements. In addition, Internal Audit can perform testing procedures to determine the efficiency of controls in hazard identification, worker participation, laboratory safety and injury/illness prevention.

Common audit activities are often related to:

  • Reviewing documentation (e.g., organizational charts, procedures, workflows, job descriptions, etc.) to understand current procedures.
  • Conducting interviews with key stakeholders to better understand key processes and practices.
  • Evaluating operations and internal controls in place.
  • Performing testing procedures to determine the effectiveness of controls.

Conducting testing procedures is one of the most valuable ways to review and assess the current compliance environment at your institution and to evaluate the current internal control process for remediating EH&S related risks. For example, performing a walkthrough of campus research laboratories typically provides Internal Audit with informative observations or enhancement opportunities. While conducting the walkthrough, a checklist is recommended to encourage documentation of all findings. Taking pictures during this process is a great way to provide key process owners and leadership with significant supporting documentation.

Key checklist questions include:

  • General work environment
  • Laboratory safety plans
  • Safety equipment
  • Security
  • Labels and signs
  • PPE
  • Chemical inventory waste and storage

Why is auditing your institution’s EH&S function important? 

If there are instances of noncompliance with key regulations, the safety of the campus community may be at risk. The institution may also be assessed for financial, regulatory, health and safety damages. For example, without wearing proper PPE during research procedures, a student is at risk for severe injury or death. Further, by not labeling and disposing of biohazardous waste correctly, the waste may become the source of infections. Potential harm could be carried to other students in the room through air pollution, toxic exposure, chemical burns or radiation burns.

Next steps

The EH&S function is responsible for providing a strong foundation of safety through a commitment to compliance and overall protection. Many individuals within the campus community may not think about EH&S; however, everyone does appreciate a safe environment. Internal Audit can help provide operational reviews of the current proactive, monitoring and detective controls that mitigate risks. Consider adding a review of your EH&S function to your audit plan.

References

[1] Definitions of Environmental Health | National Environmental Health Association: NEHA

Auditing Construction Costs

Higher education institutions are routinely engaged with the construction of new capital projects. The significant investments will likely necessitate routine internal audits to ensure funds are being expended appropriately. On campuses with multiple projects, the initial challenge is determining which project(s) to review. This article provides a primer to embarking on a construction audit when you have a limited background (at best) in construction by addressing the following items:

  • Selecting the project and scope of the audit
  • Requesting and evaluating support documentation
  • Direct labor costs
  • Contractor-owned equipment
  • Insurance
  • Information technology (IT)
  • Change orders
  • Other costs

Selecting the Project and Scope of the Audit

Construction is delivered under multiple approaches, often called “delivery methods.” The construction contract is tailored to the delivery method being employed on the project in question. Common delivery methods include Design-Bid-Build, Multi-Prime, Design-Build, Construction Manager-at-Risk, and Integrated Project Delivery.
 
The most common construction delivery methods in higher education today are Design-Bid-Build and Construction Manager-at-Risk. Design-Bid-Build contracts are commonly referred to as “hard bid” or “lump sum”. These projects are completed for a fixed price and are often used on smaller projects where drawings are complete and the scope has been finalized. Given the reduced risk from a financial perspective, the scope of an audit would be primarily focused on any change orders.
 
Larger projects are often built utilizing a Construction Manager-at-Risk delivery method. This method engages the construction manager prior to final drawings in order to leverage their expertise with constructability reviews at various stages of design. This approach utilizes a Guaranteed Maximum Price (GMP) contract. This contract segments the recovery of project costs into the following components:

  • General Conditions, the cost of managing the project
  • Cost of Work, subcontracted work, self-performed work
  • Insurance/Bonds
  • Fee, a percentage of the project cost or a stipulated amount

The GMP contract establishes a cap for the amount paid for the construction, but allows the project owner to retain any variance should the GMP exceed the total realized project costs. As a result, GMP contracts generally have more areas of potential audit exposure from a financial perspective. With resources often being limited, audits of construction in higher education naturally gravitate to GMP contracts given their compensation terms and greater project values.

Requesting and Evaluating Support Documentation

(For the purpose of this and the remaining steps, it is assumed a GMP contract is being reviewed)
 
Once the project(s) to audit has been selected, the Auditor will need to develop an initial documentation request to obtain the following items:

  • The executed construction contract with all amendments, exhibits, workbooks, etc.
  • Fully supported Owner Payment Applications from Owner or Contractor including:
    • Schedule of Values
    • Subcontract Payment Applications
  • A project cost report, for the period being audited, from the Contractor, inclusive of all reimbursable costs.

 
Requests sent to the Contractor should be directed to the Project Executive and/or Project Manager. The construction contract should then be reviewed, specifically sections addressing the “costs to be reimbursed” and the “costs not to be reimbursed.” The compensation terms should detail the usage of pre-determined rates and actual costs. Additionally, the contract should specify the overhead items covered by the Contractor’s fee.
 
A source documentation request should then be sent by the Auditor to the Contractor’s Project Executive and/or Project Manager for multiple items:

  • Direct labor and equipment costs
  • Subcontractor costs (if not provided above as noted in the initial documentation request)
  • Insurance costs
  • Information Technology (IT) costs
  • Change orders
  • Other miscellaneous costs

The lowest source document should be determined for the request. For example, the original timesheet should be requested to validate the hours worked by an employee. These lowest source documents are utilized to create the monthly project billings and provide valuable insight often lost if reports are created specifically to satisfy audit requirements. These documents often contain commentary and details about transactions later adjusted and/or ‘corrected’. In some cases, the source document can further demonstrate how a transaction has been ‘cleaned’ to avoid scrutiny during the payment approval process.

Direct Labor Costs

The contract should specify whether labor is to be billed at pre-determined bill rates or actual cost plus burden. To effectively review labor costs utilizing bill rates, timekeeping records should be requested. To the extent the contract does not explicitly specify the bill rate components, the Contractor should be requested to provide them. Bill rates routinely include paid time off, benefits, base wages, payroll taxes and unemployment insurance.
 
Labor billed at actual cost plus burden will require payroll records, including employee deductions and timekeeping records. To the extent the contract does not explicitly specify the burden components, the Contractor should be requested to provide them. Burden rates are applied to base wages and routinely include paid time off, benefits, payroll taxes and unemployment insurance.
 
If the contract does not specify the use of pre-determined bill or labor burden rates, the labor is normally reimbursed at actual cost plus actual burden. The audit will need to independently estimate the cost of the labor burden. Documents needed to complete this estimate include:

  • State Unemployment Rate for your state.
  • Workers’ Compensation including Experience Modification from the insurance carrier.
  • Medical Insurance at the employee level from payroll records and at the firm level from the insurance carrier.
  • Retirement from payroll records.
  • Accidental Death/Long Term Disability from the insurance carrier.

Contractor-Owned Equipment

Contractors may lease their owned equipment to the project. The contract language often specifies these rental rates are to be indexed to a third-party source, such as the AED Green Book or EquipmentWatch Blue Book. The contract language may specify the lease rates are to be indexed at less than 100% to the index in question. Additionally, the language may specify when lease payments are to cease. If not, the fair market value or replacement value is the implied point when payments should cease. The Contractor should be requested to provide a leased equipment summary, inclusive of the following items:

  • Equipment tracked down to the serial number.
  • Fair market value when first utilized on the project.
  • Rental rate and index rate (if applicable).
  • Cumulative rental charges to date for each item.

Insurance

The construction contract should specify the various insurance coverages required by the contract. The most common coverages, and their means of compensation, are as follows:

  • General Liability Insurance, which may or may not be defined as a percentage rate in the contract.
  • Contractor Controlled Insurance Program or ‘CCIP,’ often specified as a percentage rate in the contract or contract amendment.
  • Builder’s Risk Insurance, purchased specifically for the project.
  • Subcontractor Default Insurance, which is almost always specified as a percentage rate of the enrolled subcontracts.
  • Performance and Payment Bond, purchased specifically for the project.

 
General Liability Insurance will often be charged at a rate that may or may not be defined in the contract. If the rate is not specified in the contract, request a breakdown of the rate charged to the project. The rate breakdown provided should be analyzed to determine if it includes coverage not required and/or if overhead has been included. The project requirements for policy coverage and limits should be located in the Contract agreement. The Auditor should verify the coverage and appropriate limits have been obtained by requesting a Certificate of Insurance from the Contractor which lists the project owner as the named insured for the project in question.
 
Builder’s Risk Insurance and Performance and Payment Bonds are usually purchased specifically for the project. An invoice should be requested to document the purchase. The vendor providing the invoice should be confirmed to be an independent third party, as captive insurers are often used, reducing the transparency of the actual cost incurred.
 
Subcontractor Default Insurance is routinely charged at a rate specified in the contract. This rate is applied to the combined subcontract values enrolled in the program. To confirm the amount charged, a list of enrolled subcontracts should be requested. The Schedule of Values in each subcontractor payment application should then be separately scrutinized for the inclusion of bond costs. If identified, this is most likely a duplicate charge to the Subcontractor Default Insurance.

IT

IT expenditures are often allocated and charged to project costs by Contractors. Contracts may allow for “project-specific” IT expenditures such as laptop computers, internet connectivity, and on-site support. Correspondingly, contracts normally disallow corporate overhead IT expenditures (accounting systems, home office servers, and home office support). The contract language related to IT, however, is usually nebulous. As a “rule of thumb,” if the IT item is utilized on-site, it’s likely permissible, but if utilized in a home office, it is likely overhead and should not be billed. Invoices should be provided for all IT charges without contract language specifying an IT rate. This approach is the most transparent from an audit perspective. As with the insurance, the Auditor should be wary of any IT invoices from a related party. Any computers and other hardware charged to the project should revert to Owner control at the project’s end. To the extent an IT rate is specified in the contract, the project cost report should be scrutinized to ensure IT charges covered by the rate have not been direct billed to the project. If the IT rate’s components are not defined, the Contractor should be requested to provide them.

Change Orders

A retrospective review of project change orders will require copies of fully supported Owner Change Orders, which are the summation of multiple change requests made to the project owner for approval. The support should include a cover sheet with an itemized list of the change order items. The subcontractor support for each individual change order should then follow, and this support should then be reconciled to the cover sheet. The Contractor’s markups for insurance, overhead, and profit should be present on the cover sheet and should be confirmed against Contract stipulations. The markups applied on Change Orders should be validated for the following:

  • Will markup, overhead and profit (OH&P), insurance, bonds, etc., be applied to both additive and deductive Change Orders?
  • Is an OH&P cap defined separately for each tier (i.e., Contractor, Subcontractor, Sub-subcontractor)?
  • Can the Contractor get separate markups for its role on self-performed work?
  • Is the aggregate markup capped?

 In addition to markups, the Change Order review focuses on these items:

  • Validation of costs (material, labor, etc.).
  • Identification of duplicate scope in selected instances such as rework, back charges, and items intended to be covered by the fee for overhead.
  • Review of the approval process.

Other Costs

The project cost report provided in the initial document request should be sorted to segment transactions not falling into labor, equipment, subcontracts, insurance, and information technology categories. Most of these charges will be for vendors paid via purchase orders. The transactions should be further segmented into a list where the reimbursable basis cannot be readily determined – these invoices should then be requested from the Contractor. The invoice review should focus on the following items:

  • Is the charge reimbursable per the contract, or was it intended to be covered by a rate and not billed directly?
  • Was the charge incurred on the project in question?
  • Do the date and invoice number trace to the project cost report transaction?

Journal entries may comprise the remaining transactions, and backup should be requested for any that are questionable.

Conclusion

Auditing construction costs may seem like an impossible task without specific expertise and with limited resources. However, focusing your audit program on projects with contracting terms with more material financial exposure is the first step in developing an effective review of these capital expenditures. Following project selection with targeted documentation requests will allow the development of an effective and efficient process for reviewing construction project costs.

A Growing Trend: ESG Reporting for Higher Education Institutions

As they looked into their crystal balls for the year ahead, two organizations, Gartner and the Institute of Internal Auditors, published lists of emerging risks for 2022. Not surprisingly, sustainability related to environmental and climate issues as well as social change made both lists.

These risks are just as relevant for public sector organizations, including higher education institutions, as they are for private and publicly held businesses, and they are only expected to grow in the years ahead.
Sustainability and social responsibility encompass a broad range of non-financial issues that may affect an organization’s financial condition and performance.

They may include environmental issues, such as the size of the organization’s carbon footprint, efforts to replace fossil fuels with renewable energy sources, and overall use of natural resources.
These responsibilities may also reference social issues, such as workplace diversity, health and safety, and consumer product safety risks. 

What is Environmental, Social and Governance (ESG)?

As implied by its name, ESG reporting is concerned with measuring performance in three very different domains: environmental sustainability, social responsibility and governance. The key measures used to document and report performance will differ significantly from one organization to another, and more importantly, from traditional accounting measures focused on financial performance.
For now, much of the focus of ESG reporting is on the private sector, especially publicly traded companies subject to U.S. Securities and Exchange Commission (SEC) regulations. The SEC is currently considering several proposed regulations incorporating elements of ESG reporting into the financial reporting requirements for public companies.

That doesn’t mean government entities and higher education institutions are off the hook. Concerns about climate change, expanded opportunities in the workplace, and effective governance are not expected to recede any time soon. History shows us that the public sector is usually not far behind the private sector when issuing guidance and requirements in emerging risk areas. Moreover, the same sentiment driving change in the public sector will affect government entities and higher education institutions as constituents seek more accountability for sustainability issues.

Forward-thinking universities and other public sector organizations can start to implement the appropriate processes to be better prepared to comply with new requirements that emerge.

Metrics and Reporting for Higher Education: The STARS Framework

When it comes to sustainability issues, higher education is not exempt from public sentiment and pressure. In recent years, “green rankings” of universities in various leading publications, including The Princeton Review, have highlighted the importance stakeholders are placing on sustainability. The rankings are based on metrics and voluntary reporting by the institutions themselves.

While there are several frameworks available, the most widely used ESG reporting framework is the Sustainability Tracking, Assessment & Rating System (STARS). It is a self-reporting framework open to the full spectrum of higher education institutions, from community colleges to research universities.
STARS was created in 2006 by the Association for the Advancement of Sustainability in Higher Education (AASHE) in collaboration with higher education institutions. Currently, more than one thousand institutions have registered to use the STARS reporting tool to:

  • Provide a framework for understanding sustainability in all sectors of higher education.
  • Enable meaningful comparisons over time and across institutions using a common set of measurements developed with broad participation from the international campus sustainability community.
  • Create incentives for continual improvement toward sustainability.
  • Facilitate information sharing about higher education sustainability practices and performance.
  • Build a stronger, more diverse campus sustainability community.


The STARS framework includes long-term sustainability goals for already high-achieving institutions and entry points of recognition for institutions taking the first steps toward sustainability. Many institutions use STARS as a planning tool to identify areas of strength in sustainable practices and areas that need improvement. Each STARS report and rating is valid for up to three years, and a report may be submitted as often as once per year.

The framework is made up of five categories: Academics (AC), Engagement (EN), Operations (OP), Planning & Administration (PA) and Innovation & Leadership (IN), and these are broken into sub-categories for reporting purposes:

 

Each category is broken down into credits with specific metrics, activities, or practices needed to earn these credits. The institution identifies which credits they will pursue and collects the information from campus stakeholders. The institution accumulates points based on these practices and receives a rating of platinum, gold, silver, or bronze based on the number of points awarded. 



 
Below is an example of how one institution, the University of Georgia, appears in the STARS system. To allow institutions to compare their sustainability with others, the data used to assign points are made public.

Audit Committee and CAE Considerations

When it comes to ESG reporting, we have found that common questions arise among boards and audit committees as they consider the implications for their institution. These include:

  • Have we assessed the ESG disclosure criteria and determined which information is most relevant?
  • Do we have a strategy for identifying which ESG information is available?
  • How does our ESG performance relate to our institutional strategies and objectives?
  • Are our processes designed to produce accurate and complete information for our stakeholders?
  • Who is responsible for defining our institutional ESG strategy and overseeing information gathering through disclosure?

On a somewhat granular level, Chief Audit Executives and other audit leaders have questions related to ESG and reporting and disclosure. These include:

  • Do we have a published ESG or sustainability report or other available information? If so, is it still up to date and fit for purpose?
  • Is our ESG strategy aligned with our institutional objectives and long-term strategy? Does that strategy clearly state our ESG goals?
  • Who is responsible for overseeing the development and execution of the ESG program?
  • Have we defined the key metrics and data to quantitatively measure ESG performance across our institution?
  • Do we have defined, consistent processes and controls to identify, gather, aggregate and publish key ESG performance indicators?
  • Does our ESG/Sustainability strategy leverage one of the common reporting frameworks, and are we obtaining independent assurance or other support?

How the Audit Team Can Support ESG Efforts and Build Opportunities

For the audit team, it makes sense to approach ESG from a risk management perspective. In addition, contributing to the organization’s ESG efforts helps add value to the organization. The Internal Audit (IA) department can take these steps as part of the overall ESG program:

    1. Request an ESG risk assessment for the institution.
    2. In gathering information for STARS reports or other ESG disclosures, focus on adopting an enterprise-wide approach to managing ESG risks.
    3. Educate the administration about ESG reporting and the role organizational governance plays in the evaluation process.
    4. Identify and propose solutions to facilitate sharing information across siloed and decentralized approaches to risk management.
    5. Promote IA’s role in providing independent assurance.

    IA can anticipate emerging ESG disclosure expectations and requirements by encouraging and understanding processes and controls in the institution. IA can also advocate for the adoption of established ESG frameworks and relevant, data-driven reporting, help to assess institutional stakeholders’ expectations and gaps in currently disclosed information, and support the process integrity of reporting by assessing how key data is compiled and reported.

    Looking Ahead

    As higher education institutions of all types and sizes continue to adopt and embrace ESG reporting, internal auditors will have an important role in helping to lay the groundwork for success. They have an opportunity to play a key role in improving internal controls and the overall adoption of these processes. The risks are unlikely to go away any time soon. The important thing will be the way institutions prepare for them.

    Letter from the President

    Dear ACUA Colleagues,

    I hope everyone is enjoying the summer season! Nothing like summer on a college campus. I remember an administrator once telling me, “We love our students, but we love when they take the summer off too.”

    I wanted to mention a couple of things about the upcoming AuditCon in Las Vegas in September (in bulleted short form, because who has time for all the words):

    • Once again, this year we will have the CAE track.
    • Lots of hot topics will be covered, including: Title IX, Sports Betting, Cryptocurrency, IT, Research, Ethics, roundtables of all sorts, ADA, foreign gifts and contracts, back to basics (risk assessments, report writing, etc.), self-care, student mental health, and many others…wow!
    • Amazing keynotes including, but not limited to, hearing from:
      • Robert Chestnut of Airbnb on intentional integrity in organizations
      • Tim Renick of Georgia State on predictive analytics for student success
    • Caesar’s Palace – speaks for itself!
    • In a hybrid format, there are tracks that will stream live to allow virtual attendance.
    • And of course, what sets our organization apart from others is the professional networking opportunities with fellow ACUA colleagues at our conferences.

    Odds are good you won’t want to miss this conference!

    Finally, let me take a moment to introduce our new editors, Gavin Shubert of Georgetown University and Kara Hefner of the University of North Carolina at Chapel Hill, as well as send a special thanks to Claire Thomas and James Merritt who have since left higher education auditing and passed the editors’ torch.  

    See you in Vegas!
    Brian Daniels, University of Tennessee
    ACUA President

    Letter from the President

    Hello ACUA family!

    I hope your year is off to a happy and healthy start. We are eager to be starting a new ACUA year with some exciting initiatives and benefits for our members. I wanted to use this letter to highlight some of these initiatives ACUA is pursuing this spring. As a reminder, ACUA’s Member Needs Assessment Survey launched on February 28th. This is a great opportunity to help us shape the strategic trajectory of ACUA to meet your needs!

    Additionally, we are moving steadfastly toward the Audit Interactive (AI) conference, and for the first time, we will be co-located with URMIA for a portion of this event. ACUA members have paired with their own institutional experts to provide a number of sessions that will dive deep into various topics while keeping the internal audit perspective. This conference also promises to provide our members with coveted networking opportunities and new opportunities to network with our URMIA colleagues.

    At this point, registration numbers are looking great, and we cannot wait to see so many of you in person again. That being said, we haven’t forgotten about those of you who have embraced and thrived in the virtual learning environment. As such, our Virtual Learning Committee is working with ACUA members and strategic partners to provide a mix of 12 webinars and roundtables this year, some of which will be extended sessions. This will provide more opportunities to obtain CPE credits virtually, and we will soon be releasing a robust schedule of e-learning opportunities for the remainder of the year. With the success of last fall’s hybrid AuditCon conference, we are exploring options to embrace a hybrid platform again at AuditCon this September.

    As a reminder, we have a Call for Proposals open, and submissions are actively being accepted. I would especially challenge those of you who have never submitted a proposal to take a chance! In fact, we are introducing a new ACUA Future Speakers session at AI to bridge the knowledge gap on this process! If you participate in the session, you will still have time to submit a proposal for AuditCon this fall. (And, speaking of chances, AuditCon will be in Vegas this year!) 

    Finally, I should remind you that ACUA is committed to the safety and security of our membership for the upcoming conference, as indicated in our most recent communication:

    “ACUA cares about your well-being and has placed social distancing measures in place for attendees to gather safely and comfortably. Please find the official ACUA COVID statement here, which includes highlights of the safety plan and the City of Raleigh’s current procedures.

    While there are no guarantees of safety, ACUA is doing its best to safeguard your well-being, providing an engaging learning environment as well as opportunities to network with your colleagues, especially with our co-locators, URMIA.”

    Best wishes, and see you all at AI!

    Brian Daniels, President

    Letter from the Editor

    Hello ACUA,

    The new year is upon us! Although it may seem like we are still in the dead of winter, spring is already on the horizon. In our last issue, we reflected on the changes, struggles and accomplishments of the intense period of transformation we have all been living through. But now, as we turn the page to 2022, it’s time to do some spring cleaning and gear up for whatever the future holds.

    In this issue, “Spring Forward: Planning for the Future,” we embrace the renewed energy that accompanies the start of the new year. Here, our members share their thoughts about a host of topics that will help audit teams create a culture of continuous improvement and prepare to face new and evolving risks. First, Sandy Jansen and Kimberly Turner provide their insights on how internal auditors can gain a seat at the table with institutional leadership. Then, Todd Knowles and Diane Padgett deliver the second part of their Data Privacy Primer series, in which they dive deeper into the topic of personal data and offer recommendations on how auditors can identify and mitigate privacy risks. Karletta Jones and Mark Ruppert also share their experiences using Microsoft Teams to enhance the efficiency of administrative audit tasks, client communication and documentation processes. In addition, Du’Neika Easley has an exciting update from the ACUA Board of Directors on the Diversity and Inclusion Leadership Committee. Finally, the journal team has tabulated your responses to our recent survey. Our article on succession planning and the Great Resignation offers results, resources and suggestions for adjusting to this new era in the workplace.

    Each issue of College and University Auditor journal is made possible by contributions from our wonderful community. Please consider sharing your knowledge and expertise in a future issue! The journal team is happy to assist you in developing a basic outline or fine-tuning your article. Feel free to reach out to me with questions, comments or ideas at editor@ACUA.org, or contact me by phone at (203) 218-7631.

    Many thanks to our community, and I hope you enjoy this issue of College and University Auditor!

    Sincerely,

    Claire Thomas, Editor

    Secrets to Getting a Seat at the Table

    As chief audit executives and auditors, we want to be considered valued members of our organizations. Having a “seat at the table” may be one of the strongest indicators that you have succeeded in becoming a trusted advisor within your organization. However, this status is difficult to achieve and easy to lose. Obtaining (and keeping) a seat at the table requires dedication to certain tenets, including:

    • Consistently demonstrating your value.
    • Focusing on quality audit work and results.
    • Providing insight outside of the audit process to widen your circle of influence.

    Becoming a Valued Team Member

    The first step towards getting a seat at the table is becoming a valued team member. As detailed below, there are a number of important ways you can demonstrate your value to the team:

    • Listen more than you talk. If you were ever scolded for not listening as a child, your mother might have reminded you that everyone has two ears and one mouth. As it turns out, this is good advice for auditors and children alike. In fact, the word “audit” is derived from the Latin word “audire,” which means “to hear.” Listening helps auditors compare and synthesize conflicting points of view in order to find nuanced solutions. It enables us to understand our organization’s culture and politics and bring sensitivity to our analysis of the facts.
    • Do not play politics. While it is important to be aware of the politics in an organization, auditors should never get involved in them.  
    • Be constant in your ethics. Auditors must never forget that they live in glass houses. If your integrity is ever compromised, all is lost.
    • Demonstrate good judgment. Senior leadership hired you for your unique skillset and your decision-making capabilities. Use critical thinking to provide sound, solid and objective assessments and advice.
    • Build relationships. It is important to build positive relationships with key stakeholders outside of audit engagements and before a crisis. Good relationships will make it easier to deliver difficult news to stakeholders and ensure that they are open to your suggestions. In addition, a solid network of connections demonstrates the value of internal audit in strengthening cross-functional communication. If building relationships is not one of your strengths, seek additional training in this area and be willing to step out of your comfort zone. 
    • Share information. In the course of your work, you may learn of initiatives and key information that should be shared with other stakeholders. Because auditors have a 360-degree view into the operations of the institution, we can help connect people, break down silos and promote collaboration across the organization. In addition, we often are able to connect the dots between different data points to uncover problems and solutions that others cannot see. Coupled with an objective mindset, the insights we develop can be invaluable to senior leadership, even outside of formal audit reports. While sharing knowledge is important and can help build trust, remember that some information may be shared with you in confidence. It is critical that auditors never disclose confidential information.

    Focusing on the Audit Work and Results

    One of the most important things you can do as an auditor is to inspire trust. Though it may seem obvious, trust starts with providing complete and insightful audit results. Ensure your reports are fair, balanced, accurate and helpful, as clients may question your professionalism when your work contains errors or uses inflammatory language.

    In addition, auditors must focus on significant risks, consider the strategic direction of the institution and have a solid understanding of the organization and the broader higher education industry. Your audit plan should consider strategic goals, the institution-wide risk assessment and discussions with senior leaders and board members. Focusing on significant risks of strategic concern to university leadership demonstrates the value that you can bring to the institution. Senior leadership does not want to waste time reading a report focused on the small stuff, so avoid dwelling on minutiae.

    During audits, it is critical to examine things from multiple vantage points. Zoom out to consider big picture implications. Zoom in to see details that may not be immediately apparent and look for patterns, relationships and linkages. It is important to synthesize this information and provide valuable insights in client communications, including audit reports. In doing so, make sure you connect the dots between your individual audits and advisory projects to detect patterns, trends and hot spots.

    Strong communication skills are required to effectively deliver the results of your work. In addition, auditors must be able to negotiate professionally to assist management in identifying and mitigating risk. While negotiation may at first seem like subordination of judgment, open conversation and consideration of all relevant facts can strengthen management’s commitment to resolve audit issues and implement suggested changes.

    The entire audit team’s attitude is also critical to building trust. The team should be viewed as professional, approachable and helpful rather than “too nice,” lacking professional skepticism, out to find problems (“gotcha”) or trying to surprise management. Nothing will result in exclusion from the leadership table faster than the wrong attitude from the audit team.

    Finally, your work must be high quality and consistent. The internal audit quality assurance and improvement program must be top notch to ensure your work meets professional standards. Of course, mistakes may happen, but if you make a mistake, own up to it and correct it.

    Widening Your Circle of Influence

    Assurance services: An objective examination of evidence for the purpose of providing independent assessments, the nature and scope of which are determined by the auditors. 

    Consulting services: Advisory and related client service activities, the nature and scope of which are agreed upon with the client.
    (from The IIA’s International Professional Practices Framework Glossary)

    To further your team’s impact, consider moving beyond traditional audit areas. Here are some ideas for getting out of your comfort zone:

    • Leverage new technologies such as automated processes, data analytics and continuous monitoring to reduce time spent on routine operational and financial risks. The time saved could be used on advisory and consulting work, which may provide more insight and value to leaders at your institution.
    • Evaluate the institution’s strategic plans and determine how internal audit can provide advice and insight.
    • Consider when a consulting engagement would add more value than an assurance engagement.
    • Increase audit focus on strategic risks. 
    • Collaborate with other assurance providers, including campus police, general counsel, and compliance and risk management functions.
    • Consider co-sourcing or outsourcing arrangements with external assurance providers, such as independent audit firms, information technology consultants, state auditors or others to supplement your office’s knowledge and capabilities.

    Next Steps

    If you are developing key stakeholder relationships or working to re-establish those relationships, completing a few easy steps can go a long way. First, schedule periodic meetings with key stakeholders. For example, some chief audit executives and team members meet quarterly or monthly with the institution’s chief financial officer, provost, president or others. Agendas for these meetings should include time to share risk insights and trends based on current and upcoming audit work, the status of any outstanding items (because no one likes surprises), and an opportunity for stakeholders to discuss any key initiatives or concerns. This time can also be used to gain an understanding of risks that senior management feels may be on the horizon for the institution and allow for preemptive risk assessment activities.

    Auditors can also take advantage of seeing stakeholders outside of regular audit-related meetings. Campus celebrations such as retirement parties and welcome events provide great opportunities to get to know management on a more personal level. Make time to attend such events – and don’t be a wallflower!

    When you are included in meetings or initiatives, make an effort to add value. While you do not want to dominate the conversation, remember you have been asked to participate in the meeting to provide insight and thought leadership, not to sit on the sidelines.

    If you are not included in an initiative for which you can provide insight, senior leadership may not have thought to include you. Sometimes, politely asking if it is possible for internal audit to attend is all that is needed. However, asking for an invitation takes courage and may use some “personal capital,” so make sure it is an area where you have knowledge and insight rather than asking to be included in everything.

    Finally, be open to new information and opportunities to add value. The more you work to understand the university’s risks and challenges, the more likely you are to reach valuable conclusions. If you never change your mind, you probably are not approaching the work the right way. Adding value is an iterative process – you will never be “finished.”

    Getting a Seat is Worth It!

    For many audit professionals, having a seat at the table can impact career achievement. Job satisfaction and long-term success are directly tied to your perception of your own ability to add value and make a difference at the organization. For auditors in higher education institutions, adding value is particularly rewarding because the mission of higher education aligns so well with our own: creating a better world through education, research and other outreach activities.

    Most importantly, having a seat at the table will allow you to continue adding value in the future. The seat can be self-sustaining through continuous attention to positive professional relationships, commitment to a high-quality audit function and insightful dedication to the betterment of your organization.

    Using Microsoft Teams to Facilitate Internal Audit Teamwork

    Introduction

    There are many options for internal auditors who wish to improve the automation of processes that support audit administration, completion and follow-up. However, access to those options is contingent upon the financial resources available to the internal audit function. When those resources do not exist, or are truncated, options become limited. This often results in the internal audit function either using paper records (egads!) or word processing and electronic spreadsheet files organized into folders. Neither of these methods results in improved efficiency, implementation of best practices or improved client interactions.

    At Northern Arizona University (NAU), we used a cloud service provider for our audit administration work for several years. Although this method was affordable and met our basic documentation needs, it offered no great strides forward for our audit team. Before the pandemic, we decided to take advantage of our corporate SharePoint license and began building a knowledge repository to help organize our records and reduce our carbon footprint. After studying several use cases from other internal audit departments, we began working on our own SharePoint prototype.

    And then the pandemic forced us to change our plans. Funding was slashed, and the university moved to a remote work environment. With reduced resources, we decided to put our plans on hold and move to SharePoint Online. As audit projects were delayed, we invested time in learning as much as we could about the new functionality available in SharePoint and Microsoft Teams (MS Teams).

    In this article, we will share how we have used this knowledge to implement MS Teams as our new and much improved audit administration system, iTEAMS (Internal Audit Team Engagement Audit Management System).1 Although we have already made numerous improvements, our team meets quarterly to review what we’ve learned and identify ways to mature our processes.

    Our approach has helped us achieve our objectives for automated audit administration, including:

    • Improving and documenting client interaction by reducing the need for tracking and documenting emails, video and other project-related communications.
    • Organizing project documentation in a secure and easy-to-use interface, with the ability to control individual access and allow for sharing and collaboration on individual documents.
    • Automating the audit administration process so team members can focus on their engagements.
    • Ensuring the system is available anywhere we have internet access.
    • Prioritizing opportunities for improvement as they are identified.

    Project Set-Up

    Throughout an audit, we use many MS applications, including Excel and Word. Because MS Teams and SharePoint are well-integrated, we’ve been able to use the features in MS Teams to link directly to source templates that are housed in the policy section of our SharePoint website (e.g., Excel and Word templates). This helps to ensure that we consistently use the latest versions of our audit templates. We have also leveraged the following features: 

    • Tasks by Planner and To-Do: This is a flexible tool to organize tasks not only for the Internal Audit Team, but for the client as well. It offers features like categorized scheduling and a calendar and allows users to attach files directly to a task (see Figure 1).
    • Document Library: This links directly to the SharePoint site that houses our policies, procedures and templates. Metadata added to these document libraries is also helpful for documenting and tracking audit plan status.
    • Request Sign-Off Flow: This provides the capability to route the preparer’s work to the reviewer in SharePoint with a documented approval workflow.
    Figure 1
    Improvement Opportunities Tracking and Task for Review Process

    MS Teams uses posts and file sharing to help teams stay connected and organized. For each project, we create a separate “Team” within MS Teams. Each Team originates with a General Channel, which we use for client communication and file sharing through the Posts and Files tabs that are created by default.

    • The Posts Tab allows for communication among all members of the Team and is great for capturing client input directly related to the project.
    • The Files Tab is an area where folders and files can be housed to organize documents provided by and shared with the client. 

    This approach not only supports client collaboration and communication in a single place (instead of relying on copious daily emails), but also serves to document those communications and files. Files can also be hyperlinked to support other work papers (See Figure 2).

    Figure 2
     

    Planning, Fieldwork and Reporting

    Each Team also allows for the creation of other channels, as needed. These channels can be made available to all Team members or can be restricted using Private Channels. We create and use a Private Channel, which we label “Audit Files,” to collaborate and communicate among the internal audit team, and for the storage and organization of the project working papers. Since we use templates throughout our audit engagement, we use the copy feature from the MS Teams template to quickly set up the tabs for each channel, as shown in Figure 3 below: 

    Figure 3

    General Channel (See also Figures 2 and 5)

    • Posts: Client Communications
    • Files: File Sharing with Client
    • Tasks: Tasks App for various tasks
    • Welcome: Word template that welcomes clients and provides instructions for Team use
    • Agenda: Word template for Entrance Conference meeting agenda

    Private Channel: Audit Files (See also Figure 4)

    • Statement of Independence: Excel template that tracks audit team conflict of interest reporting for the project
    • Audit Sections: Word template that summarizes the audit sections with links to the supporting work paper files
    • Improvement Opportunities: Word template that summarizes all identified audit findings and follow-up with client
    • Team Assignments: Word template that identifies each team member’s responsibilities and tasks
    • Review Notes: Word template that contains supervisory review notes and related follow-up or clearance activities

    The Private Channel, “Audit Files,” is structured by project section, as shown in Figure 4.

    Figure 4
    This example shows the project file structure in Teams in a private channel. Private channels are identified with a lock icon to the right of the channel name. The Team administrator controls Team access. By default, all members added to the project Team have access to everything but private channels. Members must be granted Private Channel access by the administrator.

    Due to the configuration of the General Channel, Posts is the default screen that will pop up when clicking on a Team, which we use to direct the client to the Welcome tab. The Welcome tab is a Word template that helps demonstrate to the client the benefits of using MS Teams for audit management. It also provides instructions to help clients who are not familiar with MS Teams and establishes the expectation for the use of MS Teams during the audit. Files provided by the client in the General Channel can be linked to, or easily moved to, the Audit Files Private Channel (see Figure 5).

    Figure 5

    For reporting, we share all initial draft reports through posts in the General Channel. However, we issue final reports through official email communication and store copies of those emails in the private channel Reports Folder. We also track all issued reports in a separate SharePoint document library that includes metadata for tracking when reports are due for presentation to the Board of Regents, the number and nature of improvement opportunities in each report, the type of audit conducted (compliance, financial or integrated) and other details (see Figure 6).

    Figure 6
    SharePoint Audit Report repository showing view by audit plan year.

    Supervisory Review and Improvement Opportunity Tracking

    For quality assurance, we use a Word template to track review notes. A SharePoint workflow initiates review by folder and audit program step and applies a pending or approved status as metadata for each folder (as shown by the sign-off status columns next to each file folder in Figure 4).

    To track improvement opportunities in real time, we use a Word document that mirrors our audit report. When an improvement opportunity is identified, the document is made available as a tab in the General Channel for client review and feedback. This template also helps the client see the details and layout of improvement opportunities (e.g., condition, cause, etc.) to improve buy-in and limit surprises during reporting. This template is also used to document discussions with the client. Once client review is complete, the Improvement Opportunities are moved back to the Private Channel.

    As we continue to mature the use of MS Teams and SharePoint, we hope to create a process for audit follow-up as well.

    Limitations

    As with any electronic tool, adjustments will always be needed. For MS Teams, we have encountered the following limitations:

    • Only nine attachments can be included in Tasks.
    • Anyone assigned to the task must reply to the comments section to be notified of future comments.
    • Lag time may exist due to the Cloud structure and network bandwidth.
    • MS Teams provides access to many applications that help with building processes and workflows, but there is no way to easily identify applications that the university has purchased. It is important to gain an understanding of this issue before committing to using a specific application within MS Teams. However, applications for Excel, Word and Calendar are default MS Teams applications available to all users.
    • Requesting sign-off cannot be done directly in MS Teams; it first requires that users log into SharePoint.
    • Tasks by Planner and To-Do are only available in the General Channel; such task management is not available in the Private Channel.
    • While we created an audit project template to initiate the creation of new project teams, only the Team structure can currently be copied from a template. Embedded files in the template do not transfer.
    • Most clients like the use of MS Teams for audit interactions, but they don’t use it continuously, so it cannot completely replace email communication. An email can, however, be dragged directly from Outlook into the Team files in both General and Private channels.

    Conclusion

    MS Teams and SharePoint offer a lot of functionality and, with some training, they can be set up fairly easily. Larger audit teams may find it useful to work with PowerApps or other related tools to establish more edit controls, including workflow and document locking. If your organization is already using MS Teams and SharePoint, building out this functionality is unlikely to require license fees for third-party audit administration and documentation systems. If you are going through a similar transformation, please reach out to us for additional details and to share what you’ve learned and applied. Collaboration will help us all continue to improve!


    References

    1 We will be presenting this approach in greater detail at ACUA Interactive on Tuesday, March 29th.