Bull by the Horns: Conducting an Audit for Export Controls

Over the last 15 years, the academic community has made great strides in improving its understanding of the U.S. export controls regulations and building out the expertise to develop comprehensive export controls compliance programs. Now that many institutions have mature or semi-mature compliance programs, internal audit teams are being tasked with tackling this complex area of federal regulations. This article walks through the basic export controls regulations and provides insight into a U.S. government report that highlights gaps. It also provides guidance on how internal auditors can begin to think about constructing an export controls audit that is effective and comprehensive.

U.S. Export Controls Regulations: Basics and Key Elements of an Export Compliance Program

Did you know that not all “exports” leave U.S. borders? That is true if you are following the federal export controls regulations. These regulations cover sending tangible items, technical information, and software out of the U.S. and sharing it with non-U.S. Persons in the U.S. The latter is deemed to be an export to the recipient’s home country. In some cases, the export controls regulations cover even more types of transactions, but we’ll explain more on that below.

Three main federal agencies administer the U.S. export controls regulations. They are listed below in the order of sensitivity relative to national security and foreign policy. Essentially, the potential fines and penalties for violations increase as you go down this list.

  • Department of Commerce’s Bureau of Industry and Security (BIS): Export Administration Regulations (EAR)
  • Department of State’s Directorate of Defense Trade Controls (DDTC): International Traffic in Arms Regulations (ITAR)
  • Department of Treasury’s Office of Foreign Assets Control (OFAC): Foreign Assets Control Regulations (FACR)

There are a few commonalities between these agencies and many differences. Fundamentally, they all have a framework for authorizing (or pre-authorizing) certain exports of tangible items, software, technology, and, in some cases, services as well. The concept of providing authorization comes from issuing a license to applicants requesting permission for an export or deemed export. All of them expect the exporting party to have an internal management plan, often referred to as a Technology Control Plan in the case of deemed exports.

Each agency above maintains its own list of restricted or denied parties. Parties can be universities, companies, individuals, or other groups/entities. In most cases, exporting items from the U.S. to entities captured on any of these “restricted party lists” demands meeting heavy licensing or other requirements.

Beyond this, the differences between the EAR, ITAR, and OFAC sanctions regulations are important to understand. We’ll point out three of the major distinctions.

The EAR and ITAR contain extensive lists of sensitive items that those agencies regulate. A key difference is that the impact of the “export controls lists” varies under each set of regulations. In the case of the Department of Commerce, the licensing requirements connect back to detailed numbers on the Commerce Control List (CCL). It contains specific export control classification numbers (ECCNs) that describe certain tangible items, technology, or software. In most cases, the licensing requirements will connect to the ECCN of the exported item. While the Department of State has its list of sensitive items, called the United States Munitions List (USML), the precise number (“Category”) on the USML does not impact the licensing decision. Anything listed on the USML will require a DDTC license for all non-U.S. Persons to access.

A second difference is that the ITAR and the OFAC regulations cover “services,” while the EAR does not strictly regulate services.

Lastly, the OFAC regulations are focused on the destination country and the overall nature of the transaction. The licensing framework is not driven by what is being shared or shipped, but rather, which country is receiving it. Certain destinations have more comprehensive sanctions against them (e.g., Iran), and thus, licenses are harder to obtain. Some countries bring on steep restrictions even though they are not comprehensively sanctioned (e.g., China and Russia). The key countries of concern are:

  • Iran
  • Cuba
  • Syria
  • North Korea
  • Certain Regions of Ukraine

How does this translate into university export compliance needs? The key elements of an Export Compliance Program at a university span a broad range of administrative offices. In a comprehensive compliance program, export compliance “steps” or aspects should exist in all the below operations. Furthermore, restricted party screening processes should be incorporated into nearly all of them. The exact processes or procedures will vary across institutions due to the differences in basic operations. However, it’s important to establish standard processes.

  • Sponsored research screening process
  • Immigration/visas process
  • Visitors screening process
  • International shipping process
  • International travel process, in conjunction with IT protocols
  • Procurement processes
  • IT policies and processes

How are universities faring when it comes to handling all these decentralized needs? A recent government study provides some insight for university auditors.

GAO Report for University Export Controls

In May 2020, the Government Accountability Office (GAO) concluded a study of export compliance at U.S. Universities. The resulting report recognized the complexity of managing export controls in an academic setting and called for heightened clarity and guidance from the federal government. This section may serve university auditors by indicating key areas of focus for future audits.

The report, “State and Commerce Should Improve Guidance and Outreach to Address University-Specific Compliance Issues” (GAO 20-394), expressed concerns about undue foreign influence on universities and personnel. The study evaluated the management of export controls at nine universities. These anonymous institutions were sorted into three groups, those with high average research expenditures, a medium expenditures group, and universities with comparatively low research expenditures. The report concluded with four recommendations to the Departments of State, Commerce, and Defense to heighten clarity and improve guidance to institutions.

The following chart provides a summary of the GAO study findings.

Overall, GAO discovered that export controls were more fully implemented at universities with higher research expenditures, which aligns with the relatively greater risks faced at these institutions. Of the eight areas examined by the GAO, nearly all the universities visited were aligned with the requirements of four topics: management commitment, export authorization, recordkeeping, and reporting violations. In this article, the authors emphasized four areas with the most room for improvement, as was done during the corresponding panel presentation at AuditCon 2022. These areas are risk assessment, training, internal audits, and export compliance manual.

Four of the nine universities visited by GAO had not conducted risk assessments. A risk-based approach can empower an institution to address areas of greatest concern. Yet, export controls impact many activities at an academic institution, and the day-to-day demands can be so great that it is challenging to conduct such an assessment. GAO called for additional clarity from the Department of State, whose new guidance is anticipated by the end of 2022. 

GAO examined two elements of export control training programs: 1) whether suitable training was available and 2) whether training was mandatory for the appropriate employees. One could argue that training is the heart of any compliance program. Although the majority of universities visited were in alignment, GAO found that two universities were not aligned with this requirement.

Quite possibly, internal audits are the area of greatest interest for the reader of this article, and indeed this was one of the four areas in greatest need of attention, according to the GAO report. Only five of the nine universities visited met the standard, with the remaining four either partially or not yet aligned with this goal.

Finally, of the four areas evaluated by GAO, nearly half of the universities visited had not created an export control manual. Not only is such a manual essential for managing an effective compliance program, but it is also the basis for an audit of that program.

Design & Implementation of an Internal Audit for Export Controls: Scope & Tips

Scope of a University Export Control Program Internal Audit

The scope depends on the individual export control program. An internal audit may result from an export violation or best practice in compliance. A good place to start is by reviewing the export control program guidance from the Department of Commerce’s Bureau of Industry and Security (BIS)[1], the State Department’s Directorate of Defense Trade Controls (DDTC)[2], and the Department of Treasury’s Office of Foreign Assets Control (OFAC)[3] to see if your export control program contains all the required elements. The guidance documents outline the three agencies’ basic requirements for industry and college and university export control programs. All three agencies require audits as an effective export compliance program element. If your export program is missing an essential program element(s), you already have a recommended place to begin.

An internal audit of an entire university export control program will be overwhelming in scope. It is not recommended because export control programs are governed by multiple federal agencies and regulations and overlap with many university functions (e.g., international travel, international shipping, sponsored research, hosting and hiring international employees and scholars, etc.). However, a comprehensive gap analysis of your export control program may help determine the focus of an internal audit. The export control program, internal audit, or an outside consultant may handle a gap analysis. Internal audit will be unbiased, while export control will have more substantive knowledge. An outside consultant may have substantive knowledge but will require additional resources.

The scope of an internal audit may be limited to one federal agency’s regulations, such as the export administration regulations (EAR)[4] under the Commerce Department BIS or to a specific area of the program, such as international shipping, international travel, technology control plans (TCPs), hosting and hiring international visitors and employees, etc. The internal audit may focus on how restricted party screening is handled by the export program as a whole or for a specific area such as international shipping. An internal audit’s focus may be limited to online graduate programs and how a university complies with the OFAC sanctions’ prohibition against providing a “service” to comprehensively sanctioned countries (including online education).

Approach to University Audits

The BIS “Export Compliance Guidelines, The Elements of an Effective Export Compliance Program” requires eight (8) elements: 1. Management commitment, 2. Risk assessment, 3. Export authorization, 4. Recordkeeping, 5. Training, 6. Audits, 7. Handling export violations and taking corrective actions, and 8. Build and Maintain your Export Compliance Manual. This is a good framework to start with when determining the best approach for a university audit. [5]

Many campus compliance business areas overlap with export control and trade compliance (e.g., hosting J-1 Exchange visitors (Bridge USA Program) overlaps with export compliance, and Procurement and Accounts Payable overlap with international purchases (imports)). An internal audit may only cover a separate business area and not the overlapping export and trade compliance concerns. However, the results of the internal audit may also impact export compliance. The export compliance program can highlight the risks found and advocate for additional resources to mitigate those risks, such as additional dedicated staff and training. The scope and approach depend on the reasons for the audit and the specifics of the individual export control program and college or university.

Frequency and Content of Audits

BIS, DDTC, and OFAC require audits in their export control program requirements.[6] These program audits may be conducted by the export control program (self-reviews), internal audit, or an outside auditor/consultant. The federal agencies do not specify who is to conduct the audits. The requirement is to make audits an essential element of export control programs to identify risks and compliance gaps and implement the mitigation. Federal agencies recommend the mitigation strategy is audited within one year to ensure it is effective[7]. BIS’ guidance specifically indicates, “[i]f resources allow, it is a good business practice to periodically utilize an outside auditor.”[8] The federal agencies do not specify or mandate who conducts the audits but rather require audits to make sure export control programs are continually reviewing the program annually to find compliance gaps and improve the program. These federal recommendations can serve as a basis for securing leadership buy-in for getting started with your first audit.

An export control compliance program may have internal audits periodically for specific areas of the program and the export control program staff may audit other areas annually. Technology Control Plans (TCPs) for sponsored research, for example, can have four annual audit requirements:

  1. Are there any changes in the scope of the work performed that require a change to the TCP?
  2. Are there changes in who is working on the project? (PIs need to contact the program to have new personnel read and sign the TCP and attend export control training before beginning work per the TCP.)
  3. Are there any changes in the physical location where the work is performed?
  4. Perform a new physical inspection annually.

In addition, internal audit may audit the entire TCP process above and provide recommendations and mitigation strategies. 

Benefits of Internal Audits

Auditing an export controls compliance program is a relatively new endeavor for many internal audit teams at universities. In fact, many institutions are still building out their initial export controls compliance program. Thus, internal audits can help frame what is going well and identify opportunities for improvement. Budget issues at colleges and universities are real, so an audit highlighting the need for additional staff and new tools has proven to be valuable at certain institutions. Audits can also highlight where export control programs overlap with other areas and recommend increased collaboration to eliminate silos on campus to increase compliance.


References

  1. https://www.bis.doc.gov/index.php/documents/pdfs/1641-ecp/file
  2. https://www.pmddtc.state.gov/sys_attachment.do?sys_id=35c9a068db995f00d0a370131f9619bb (for download)
  3. https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf
  4. https://www.bis.doc.gov/index.php/regulations/export-administration-regulations-ear
  5. Ibid 1.
  6. Ibid 1-3.
  7. Ibid 1.
  8. https://www.bis.doc.gov/index.php/documents/pdfs/1641-ecp/file, page 30.

Risk, Compliance, and Controls: A Three-Pronged Approach

When it comes to risk management and compliance, the knowledge of three groups is better than one. At least, that has been the experience of Case Western Reserve University (CWRU or university). We have taken a three-pronged approach to risk, compliance, and controls. Internal Audit, co-sourced with Deloitte & Touche LLP (Deloitte[1]); Enterprise Risk Management (ERM); and Compliance are the three units that work together to safeguard the university’s community and assets.

Deloitte has been engaged by CWRU for over 10 years and assists in developing and executing the annual internal audit workplan and performing special, one-off reviews based on emerging areas of risk or potential for control deficiencies. ERM, which is headed by the University’s Director of Audit Services, takes a holistic approach to risk on a university-wide level. ERM identifies the university’s top ten risks, understands how CWRU is trying to mitigate them and predicts how they affect our operations and strategic plans. As these risks are often interconnected, we try to have a deeper understanding of their complexity so that we can mitigate or accept the risk. Lastly, the compliance function is headed by the Chief Compliance Officer, who reports to the Office of General Counsel. Compliance helps ensure that departments on campus understand their obligations from a legal and risk-based standpoint.

There are myriad benefits to this triumvirate approach. Having three separate departments look at risk and controls helps to give a broader perspective of the organization’s activities and brings a multidisciplinary approach to problem-solving. The different backgrounds allow for the coverage of a wide swath, with ERM focusing on strategy and operations, Internal Audit on internal controls, and Compliance on regulatory matters. These separate points of view allow us to see which issues may be on the horizon and which others may be starting to fade into the background. For instance, at CWRU, the Compliance Program leads the University on export controls compliance. When issues on undue foreign government influence rose in visibility over the past few years, Compliance brought that issue to the group. During the height of the COVID-19 pandemic, ERM was deeply involved with operational risks on campus relating to the rules of the road for faculty, staff, and students. Now that the risks of the pandemic are becoming more of a known, managed risk, we’ve been able to shift the ranking of the risk to one that is less urgent. In annual internal audits performed by Deloitte, we can learn whether and how the controls are working around areas that we are tracking in ERM and Compliance, like the management of grants or endowment stewardship, for example.

Not all risk is bad, and discussions within the group have prompted us to see which risks might represent opportunities. For example, the need to shift university operations and activities because of the pandemic allowed us to see new opportunities. Online learning and the skills we gained from adapting to new modes of learning have blossomed in the pandemic’s wake. Each of our three unique offices has seats at different tables across campus; this has allowed us to disseminate our message regarding having a risk-intelligent tone at the top and a culture of compliance. Over the years, this has sunk in at various levels, and university community members now consult our departments when risk or control situations arise where they might not have done so in the past. This, of course, can be seen as a very good cultural shift on campus.

Annually, we perform a large risk assessment that is led by Internal Audit, with the support and participation of ERM and Compliance. The assessment usually is performed between the end of summer and the beginning of the academic year in early fall. We gather insights through live meetings with some groups (in person and virtually) and surveys for others, depending on risk profile and department size. This process usually touches roughly 30 unique departments, schools, and units on campus. Some years we add additional units or drill down deeper within a department if issues arise that warrant them. For individuals we speak with in person, there are some pre-determined questions sent ahead of time to the attendees on the risk topics, which allows them time to reflect on what they are seeing in their departments, schools, and university as a whole. In the meetings, the discussions organically move into various areas of concern and risk management practices. This process has come to be seen on campus as a safe space for people to express their thoughts and opinions. We have found that participants do not hold their concerns back, which is a good way to get many “real items” out on the table. We perform ad-hoc follow-ups during the year to see if there have been any changes to what people are seeing or hearing and always leave the door open for individuals to come to us with their concerns or ideas.

The annual risk assessment meetings inform and drive Internal Audit’s testing program for the year. The broad risk discussions and survey results help Internal Audit identify which auditable risks are top of mind for leaders. The risk assessment process also helps inform Internal Audit on areas where current control and process gaps may exist or where controls may be designed appropriately but are not consistently operating effectively. Having the perspectives from ERM and Compliance also helps Internal Audit prioritize the risk universe and develop a risk-based internal audit workplan. Internal Audit also gathers insights from ERM and Compliance on their upcoming initiatives and workplans. By working together on the risk assessment and sharing our plans, we can cover a broad spectrum of risk and avoid duplicating efforts or overwhelming stakeholders.

ERM benefits from these annual risk meetings in that they help refine the organization’s most significant risks.

Our ERM program is specifically designed to capture and monitor risks holistically for the university. While the program is formally updated three times a year, we generally reach out to key stakeholders more often throughout the year to get a sense of current or impending changes. We measure risk to the university by its expected impact, probability, outlook, and maturity of mitigation preparedness. It is also important to see how the risk has altered over time. The ERM program is meant to be dynamic as the university changes and the environment we operate in also changes. Sometimes risks are added because they’ve become heightened, and sometimes they are removed from the top of the list as they shuffle towards the background as circumstances on campus change.

The annual risk assessment meetings help Compliance identify vulnerabilities in compliance functions across the organization. They help Compliance to have “eyes and ears” across a wide swath of campus, ensuring that if there are any new compliance-related risks on the horizon the appropriate unit is managing them. Compliance works continually with departments to ensure that areas with significant compliance requirements and risks make improvements and keep important metrics top of mind. The office has created an internally-used dashboard system to keep track of progress within fifteen key compliance areas at the university. Some tracked items include the assignment of oversight responsibilities, appropriate policies and procedures, compliance training and education, monitoring compliance with policies, and violation investigations. We have found this to be a very successful method of tracking and quantifying risk related to compliance.

This in-depth and three-pronged approach to risk, compliance, and controls has become a cornerstone in our ability to view and process risk on campus. It can be easy to fall into the trap of siloed offices and walled-off environments within a university, but this integrated and open method has allowed us to move forward and create new paths that could not have existed otherwise. The end goal is always to safeguard the university from unnecessary risk while allowing those risks which will let us flourish to be monitored and handled with well-placed guardrails. It is an enjoyable process that brings a sense of satisfaction and security to our campus.


[1] As used in this document, “Deloitte” means Deloitte & Touche LLP, which provides audit and enterprise risk services. Deloitte & Touche LLP is a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Engaging Internal Audit in Initiatives for Diversity, Equity, and Inclusion

Higher education is no stranger to the topic of Diversity, Equity and Inclusion (DEI) – if anything, higher ed institutions have historically been at the forefront of discussions about increasing access and success of underrepresented groups, and leveraging their classrooms and research to expand the view of future business leaders into the benefits of workplace diversity and equity. But DEI has garnered even more attention over the past several years. The disproportionate impacts of the COVID-19 pandemic and increased emphasis on racial inequality, social justice reform, corporate social responsibility, and the rise of Environmental, Social and Governance (ESG) reporting requirements have fueled a greater desire to address issues of DEI in higher education and ultimately improve the experience of students, faculty, staff, and the larger community.

The National Association of Diversity Officers in Higher Education (NADOHE) has placed an increased emphasis on Inclusive Excellence, which it views as transitioning from a singular focus on improving compositional diversity—who is present or absent on campus—to embracing comprehensive performance measurements linked to goals, objectives, strategies, indicators, and evidence.

Colleges and Universities are charged with three primary duties:

  1. Minimize risk and negligence and ensure legal and regulatory compliance with diversity and equity issues in higher education.
  2. Oversee, assess, and sustain campus policies that elevate equity, fairness, inclusion, and safety.
  3. Develop, implement, monitor, and make recommendations for nondiscrimination and anti-harassment policies, processes, and practices associated with Equal Employment, Titles VI, VII, and IX considerations, Americans with Disabilities Act, affirmative action, and other applicable human rights protections.

In higher education, DEI applies to all aspects of college or university operations, including recruitment and retention of a diverse student and faculty population, fair and equitable hiring and promotion of employees, supporting minority-owned vendors in procurement practices, providing diversity awareness and unconscious bias training, and providing additional resources and support for traditionally underrepresented student populations and material covered in course curricula.

In recent years, many colleges have furthered their commitment to improving equity among their communities by establishing formal DEI strategies, programming, and procedures that align with their organization’s mission, appointing Chief DEI Officers and creating offices to shape and execute these strategies.

There is still much progress to make.

A 2022 Hanover Research study on DEI surveyed nearly 1,000 undergraduate students from across the United States and found that the majority of BIPOC (Black and Indigenous People of Color) students agree that those with diverse backgrounds, identities, and experiences do not have equal access to academic opportunities. While 69% of students agreed that the faculty and staff population at their institutions are racially and ethnically diverse, students at private colleges or universities were found to have a more negative perception of their institution’s support of DEI efforts than those at public institutions.

Exemplifying the onus placed upon universities to increase efforts toward DEI programming, third-party evaluators have now begun factoring diversity and equity data into their scoring metrics. The U.S. News and World Report rated the most ethnically diverse campuses across the country by assigning a diversity index score based on the total proportion of minority students (excluding international). The INSIGHT Into Diversity HEED Award, open to all colleges and universities across the U.S. and Canada, measures an institution’s level of achievement and intensity of commitment regarding broadening diversity and inclusion on campus.

Internal Audit’s Role in Enhancing DEI Actions

A higher education internal audit (IA) function can help to support the institution’s DEI efforts in several ways. As discussed in a panel session at ACUA’s 2022 AuditCon, DEI continues to be an area of exploration and, at times, uncertainty for college and university auditors, but there have been several strategies employed across institutions that could help your audit shop get started.

First, as an operating unit within the school, IA can help lead by example in examining its practices regarding DEI and working to strengthen practices where possible and align with the institution’s broader strategies and goals as needed. 

Then IA should review whether your institution or system has established any strategies or goals regarding DEI across campus. If no such foundations exist, consider the ability for IA to play an advisory role and help leadership work to move the needle on setting DEI goals and measures, even if starting small with just a few focus areas (e.g., admissions, procurement or pay equity reviews).

Even without an institutional framework or goals, IA can still perform DEI-focused audits. This may include assessing compliance activities related to the number of diversity and equity laws in place regarding hiring practices, institutional program offerings or student services. With the increase in external metrics regarding DEI, IA could review the institutional data used and report for inclusion.

If goals, targets, and metrics have been established, IA can play a role in supporting the institution’s monitoring efforts, verifying those goals have been met, or looking at the overall management and structure of how such a program is enacted across campus.

AuditCon panelists also spoke about efforts to begin including considerations of DEI and overall institutional culture as a standard component of all audits. Similar to incorporating IT considerations into all audits conducted, these IA shops have started to leverage pre-audit control surveys to ask questions about the culture and processes of auditable units, including evaluating the diversity of staff and feelings of inclusion. This enables the IA function to identify non-traditional areas of risk and measure DEI effectiveness while providing valuable feedback to auditees to help promote DEI efforts and enhance morale.

One of the biggest takeaways from the ACUA panel was that there is no single right answer for how to incorporate DEI considerations into the work of IA. While conversations have begun to shed light on areas of DEI as a leading institutional priority and risk area, many audit shops are still uncovering how to include such topics within an audit plan. But no matter how mature your focus on DEI may be, there are ways to engage your IA team to help support or even drive DEI initiatives across campus.

DEI is an area that will continue to receive focus on campuses across the nation, with the goal of continual progress. In turn, DEI work performed by the IA function will continue to evolve and shift in alignment with your institution’s activities. IA’s willingness to engage with DEI topics will help your institution increase compliance and embrace inclusiveness with DEI measures.

The Significance of Cost Transfers

Background

Colleges and universities are required to comply with numerous regulations when accepting grants or contracts from a governmental agency, private foundation, or other sponsors. Among these regulations is the requirement that expenditures related to the project are properly allocated and documented. These expenditures could include salaries of faculty and staff as well as supplies, equipment, travel, and other expenses incurred while working on the project. The principal investigator (PI) is responsible for allocating the sponsored project costs to the appropriate project when the costs are incurred.

Under certain circumstances, a cost transfer is allowable, which moves costs to or from a sponsored account to allocate costs properly. However, cost transfers cannot cover cost overruns or draw down on awards that have not been substantially used as the award term ends.

An abundance of cost transfers may alert award sponsors to potential weaknesses in the financial management of award funds. For example, frequent posting of cost transfers more than 90 days after the expense may indicate that the PI is either not performing the required routine reviews (e.g., monthly) of their award expenditures or is not sufficiently overseeing the progress made on the award. Similarly, a lack of oversight or mismanagement is a concern when a large percentage of the dollar amount of an award is transferred toward the end of an award term (e.g., the last quarter of a 2-year award).

Risks and Potential Impact

So, why does this matter? Often, a federal sponsor has committed millions of dollars to an institution across multiple awards. The discovery of any inappropriate use of federal dollars increases the likelihood that the federal sponsor will perform an audit of the institution’s use of dollars across all of its awards. Audit findings of noncompliance with Uniform Guidance or award terms result in fines and penalties, putting all current and future awards at risk. The trickle-down effect of negative publicity could impact the institution’s attractiveness to faculty, researchers, staff and students.

Audit Planning

To mitigate the risk of inappropriate cost transfers or misappropriation, Internal Audit can evaluate existing processes and controls relative to cost transfers, including monitoring activities to ensure compliance with federal or state requirements for the sponsored awards.

When planning and scoping an audit for this area, first find out if your post-award office has completed any of the following best practices:

  • Developed its own set of cost transfer policies and procedures to guide PIs and accounting staff on how to record sponsored award expenditures appropriately.
  • Defined the acceptable period in which a cost transfer should be made after the expense has occurred.
  • Required supporting documentation for late cost transfers.
  • Defined what constitutes appropriate supporting documentation.
  • Created and provided training to unit-level accountants.
  • Required PIs to frequently (e.g., monthly) review sponsored project expenses.
  • Met regularly with unit-level accountants to communicate and emphasize the significance of the cost transfer policies.
  • Included unit heads (e.g., deans, chairs) in the approval process for late cost transfers.
  • Trained and empowered the post-award staff to reject late cost transfers without appropriate justification.
  • Documented and enforced consequences (e.g., move the funds to a non-sponsored departmental account).
  • Worked with other internal departments (e.g., Payroll) to complete the cost transfer process.

For the items above that have been completed, Internal Audit can select a sample of cost transfers and units and review for compliance with internal procedures.

Other Considerations

Depending on the nature and maturity of the systems used by your post-award process, there may be a reliance on disparate systems or, worse, manual processes. This inefficiency increases staff time spent on the cost transfer process, the risk of human fatigue, errors in missed or delayed transfers, and potential noncompliance with federal agency policies.

Consider categorizing the rationale for cost transfers (e.g., delays in receiving awards from sponsors, reconciliation not performed timely, change in F&A rates, etc.). Use data analytics to help the post-award office identify whether any units are consistently submitting late cost transfers or large or numerous transfers close to the award end date, and to identify trends by unit, sponsor, length of time to complete and justification used on all cost transfers.

It is important to understand if units have access to run necessary cost reports for their sponsored projects. For both PIs and their delegates not accustomed to reviewing expenditures, training is critical. Training materials should be developed and provided for all types of cost transfers (e.g., transfers of both salary and non-salary expenditures and those that are recorded more than 90 days after initial expenditure or discovery of error), and they should be complete, updated and easily located together.

Conclusion

The cost transfer process at an institution is truly a collaborative effort—typically between the Post-Award Office, Payroll, individual units and PIs. Including Internal Audit in this collaboration helps create consistency throughout the institution and increase the knowledge of risk management to units.

Performing an Internal Self-Assessment of your Internal Audit Department

Internal audit departments following the Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF or “Standards”) are required to develop and maintain a quality assurance and improvement program (QAIP) that includes internal and external assessments. A QAIP verifies the work is performed in accordance with the Standards and the IIA’s Code of Ethics and that the internal audit department operates in an efficient and effective manner.

Most audit shops are already performing ongoing reviews of their engagements through supervision, workpaper review, following established audit policies and procedures governing the audit process, and soliciting feedback from customers. Periodic self-assessments go beyond the routine supervision and monitoring of each engagement to evaluate each IIA Standard. Performing a thorough self-assessment can help increase efficiencies, create uniformity of documentation amongst your team, and help prepare the audit shop for a positive external review.

Periodic self-assessments are often conducted at the mid-point of the five-year external review cycle but may be conducted more frequently. The review may be performed by the chief audit executive (CAE), assigned to a senior auditor, preferably a Certified Internal Auditor (CIA), or divided amongst the staff. It is important that all members of your review team be open to change and allow a positive dialog for discussing potential weaknesses and recommendations.

There is no single method required for conducting a self-assessment. One way to efficiently evaluate all of the Standards is to design your self-assessment around the following four themes: Governance, Staff, Management, and Process, which is how the IIA teaches external reviews. The Governance and Staff sections address the IIA’s Attribute Standards and the Management and Process sections address the IIA’s Performance Standards.

If you are a state college or university and your state performs peer reviews, you may be able to obtain detailed templates from your state auditor’s office to help in your review. The following is a summary of the critical tests that the State of North Carolina uses for its external reviews:

Governance

These Standards refer to how the internal audit function is governed. Key documents include the Audit Charter, department procedures manual, organization chart, and independence attestations.

  • The Purpose, Authority, and Responsibility need to be defined in your Internal Audit Charter. The language in the charter should align with the IPPF, address both assurance and consulting services, and allow unrestricted access to records and personnel. Review your charter and ensure it reflects your current practices and has been approved by your Board of Trustees or Audit Committee.  
  • Independence of the internal audit department should be confirmed to the Board at least annually. Departmental independence is often achieved by reporting administratively to the President/Chancellor and functionally to the Board of Trustees or Audit Committee. Ensure your organizational chart reflects an independent reporting structure. Additionally, individual auditors must be independent of the areas audited, and new auditors must refrain from assessing specific operations for which they were previously responsible within the last year. Auditor independence may be demonstrated by individual attestation for the audit plan year or for each engagement by each auditor.
  • The IIA Code of Ethics must be followed by all members of the Internal Audit department, whether or not they hold any IIA certifications. Consider whether all team members uphold the principles of integrity, objectivity, confidentiality and competency. One option to demonstrate awareness is to include the IIA Code of Ethics in your procedure manual and have team members sign an affidavit to confirm their understanding.
  • The Quality Assurance and Improvement Program must be developed and maintained by the CAE. A description of regular engagement monitoring, periodic internal assessment, and 5-year external assessments should be documented in the procedure manual. Verify prior assessments were timely and shared with senior management and the Board.

Staff

The Staff Standards focus on auditor competency and the ability to have sufficient knowledge and skills to perform engagements. Employee certifications and training records are tangible evidence, and the ability to exercise due professional care is reflected in the engagement work papers.

  • Proficiency must be demonstrated by all internal audit team members. Auditors must possess the knowledge and skills needed to perform their responsibilities individually and as a department. Maintain records on professional certifications and continuing professional education logs that show the staff collectively has specialty knowledge such as IT, fraud detection and data analytic skills required to complete the audit plan. Subject matter experts may be needed. Evidence of proficiency may be documented in performance reviews, and post-engagement client surveys should include feedback on staff proficiency.
  • Due Professional Care, that which is expected of a reasonably prudent and competent auditor, must be applied. Determine whether engagements were staffed and adequately supervised based on the complexity of the subject. Verify engagement planning considered fraud and the feasibility of using data analytics for a higher level of assurance.
  • Continuous Professional Development applies to all team members, not just those maintaining certifications. Define training requirements in the procedure manual and counsel staff on relevant training opportunities. Audit team members should track their continuing professional education training and ensure they meet licensing and departmental requirements.

Management

Management refers to managing the duties of the internal audit function along with the nature of work. The internal audit activity is effectively managed when it achieves the purpose of the audit charter, conforms with the Standards, and considers emerging trends that could impact the organization. Annual audit plans, performance metrics, achievement of the plan, reports to the Board, engagement reporting, and meeting minutes are key documents for the self-assessment.

  • An Audit Plan that determines the priorities of the internal audit activity must be established by the CAE, usually on an annual basis. The audit plan should be based on a risk assessment, input solicited from senior management and the Board, and consider resource management. Ensure the methodology for establishing the audit plan was documented, and the final plan was formally approved by the Board.
  • Policies and Procedures should be documented to guide the internal audit activity. Review the department’s procedure manual and verify that it is current, complete, and aligns with the Standards. Ensure that the procedure manual is being followed throughout the internal assessment process.
  • Reporting to Senior Management and the Board should occur regularly. Verify that the following items were reported at least annually: the audit charter, independence of the internal audit activity, the audit plan and progress against the plan, resource requirements, results of audit activities and conformance with the Standards.
  • The Governance of the organization needs to be assessed by the internal audit activity, and appropriate recommendations for improvement should be made. Verify there is documentation to support sufficient coverage of improvements to the organization’s governance process, such as memos and meeting minutes.
  • The Risk Management process of the organization must be evaluated, and the internal audit activity must evaluate the effectiveness and contribute recommendations for improvements. Auditors may collaborate with other areas such as Legal or the Enterprise Risk Management function. Significant risks, including fraud risks, should be addressed in the annual audit plan.
  • If Overall Opinions are used for engagements, they must be supported by a summary of the information that supports the opinion. Review your reports for appropriate overall opinions.
  • Communicating the Acceptance of Risk by management should be handled consistently. The procedure manual should state the process taken when management accepts a level of risk that may be unacceptable to the organization, such as escalation to the Board. Verify these processes were followed for any engagements where unacceptable risks were identified.  

Process

Process refers to the execution of engagements in the audit plan. Several engagements should be chosen for the self-assessment to evaluate workpapers for planning, fieldwork and reporting along with tracking follow up items. Sample different types of engagements such as audits, consultations and investigations performed by different auditors.

  • Engagement Planning is required for each engagement to establish the engagement’s objectives, scope, timing and resource allocations. For the sample of engagements, determine whether risks were identified, objectives were established, and appropriate scope and resources were defined and documented in an engagement letter to the client.
  • Engagement Work Programs should be developed and documented that address key risks, policies and procedures. Verify work programs were created that included clear instructions, addressed risks and objectives, and were approved prior to fieldwork.
  • While Performing the Engagement, auditors must identify, analyze, evaluate and document sufficient information to achieve the engagement’s objectives. Review engagement workpapers and verify they identified factual, adequate and convincing information. Workpapers should be consistently performed by all team members and reliable and useful enough to support the conclusions. Ensure sound and accurate sampling and testing procedures were performed. Confirm workpapers are retained per your institution’s requirements.
  • Engagement Supervision is necessary to ensure objectives are achieved, quality is assured and staff is developed. Verify there is evidence of workpaper review, which could be a manual or electronic sign-off or approval completed using audit software. Demonstrate that staff members receive feedback and training during engagements by retaining review notes.
  • Communicate the Results of engagements to the auditee and appropriate parties such as senior management and the Board. Confirm engagement report observations and conclusions were supported by the workpapers. Evaluate whether positive results and satisfactory performance were included in final communications. Ensure reported results were helpful to the client and organization and led to improvements where needed. Determine whether any errors or omissions were corrected and re-issued.
  • A Monitoring Process must be developed by the CAE to ensure actions have been effectively implemented. This process should be defined in the procedure manual and followed for all engagements. Outstanding items should be tracked and monitored. Review past engagements with findings and verify there is evidence that management action plans are being followed up and resolved timely.

Conclusion

Complete your self-assessment by identifying areas of improvement and have team members collaborate on feasible solutions. As you would for any other audit, document the findings in a report along with your department’s management responses and due dates, and ensure those changes are made timely. Share your accomplishments and commitment to improvement with senior management and the Board.

While a full internal self-assessment can be time-consuming, it can be worked on intermittently throughout the year or completed all at once. By utilizing a team approach, the team members will learn the IIA Standards and strengthen their knowledge of departmental requirements. Single-member audit shops will also benefit from conducting an internal assessment by ensuring their department meets the Standards and is prepared for the external review. 

Ms. Hefner will be speaking on this topic at the 2022 AuditCon in Las Vegas, session A10 Internal Self-Assessments: Create A Winning Hand.

Letter from the Editor

Hello ACUA members,

My name is Gavin Shubert, and I’m the new editor of the College and University Auditor Journal. I want to thank Claire Thomas, my predecessor, and James Merritt, the Journal’s former deputy editor, for their valued and worthwhile contributions to the Journal. Additionally, their assistance transitioning a new editor and deputy editor onto the team has proved invaluable. Thank you both.

In case we haven’t crossed paths yet, I’m an Internal Auditor at Georgetown University. Our new deputy editor, Kara Hefner, is a Senior Auditor at the University of North Carolina, Chapel Hill. She has graciously contributed her time and efforts as a writer for this edition of the Journal, in addition to her capacity as deputy editor.

Kara’s article provides a great professional resource for audit shops looking to perform thorough and standards-compliant internal assessments. In addition, Kyra Castano and Adrienne Larmett provide insights on instituting environmental health and safety controls. Then, Daniel Graves and Greg Englert give guidance on ESG and sustainability reporting and how you can better document these emerging and meaningful metrics. Next up, Curt Plyler, a Certified Construction Auditor, dives deep into how to audit construction costs. Finally, Erin Egan and Colleen Tedeschi share how to comply with sponsored awards, emphasizing the significance of cost transfers.

In this issue of the College and University Auditor, aptly named “ACUA: Live in Las Vegas,” you will find a wide variety of topics written by talented authors who strove to make their knowledge and expertise relatable and valuable for ACUA members in every institution. Please consider joining a growing field of professionals making their mark on the collective learning of our ACUA community by reaching out to me at editor@ACUA.org. Questions, ideas, and comments are always welcome.

Please also keep in mind that the Early Bird Deadline for discounted registration to AuditCon has been extended until August 19th. Now, without further ado, please sit back, relax, and enjoy this summer issue of the College and University Auditor Journal.

Sincerely,

Gavin Shubert, Editor

Environmental Health and Safety in Higher Ed – How institutions can implement internal controls to protect their community

When you step on campus, do you think about who protects your campus community, and how, from the myriad environmental hazards potentially lurking in buildings, labs, and water fountains?

Colleges and universities have various environmental risks and events (e.g., water and air pollution, biohazardous materials and fire hazards) that must be managed daily. An institution’s Environmental Health and Safety (EH&S) function serves an essential role in supporting the mission of the institution with teaching, research, and service by providing safety evaluation and monitoring services to the campus community as a whole. EH&S works to ensure internal controls are formalized, comprehensive, and working effectively by performing a variety of activities including, but not limited to, laboratory inspections, monitoring existing hazards, identifying potential hazards, and reducing safety hazards.

In addition to the increasing safety concerns resulting from the 2020 global pandemic, there is an opportunity for Internal Audit to provide operational reviews of the current environment’s risk mitigating controls.

What is EH&S?

Environmental Health & Safety (EH&S) is the science and practice of preventing human injury and promoting well-being[1]. EH&S is a term used by laws, rules, regulations, professions, programs, and workplace efforts to protect the health and safety of the campus community. Other common ways to abbreviate EH&S are HSE or EHS&Q where the “Q” stands for Quality.

EH&S Responsibilities and Reporting Structure

EH&S functions are often the contact points for regulatory agencies and emergency response actions. EH&S is often responsible for educating the campus community on standards applicable to the institution.

EH&S is commonly tasked with:

  • Serving as the oversight and authority for EH&S compliance.
  • Implementing health and safety policies and procedures.
  • Conducting inspections and monitoring procedures to identify existing potential hazards.
  • Performing routine audits to measure compliance with regulations.
  • Measuring and improving environmental health and safety performance across campus.
  • Providing and supporting incident responses.

EH&S reporting structures look different at each institution. Some common reporting lines include:

  • Campus Safety
  • Campus Operations
  • Facilities
  • Risk Management
  • Research

Risk Universe

Just as institutions differ in reporting structure, an institution’s EH&S risk universe will differ as well. The most important thing to remember before you audit your institution’s EH&S function is to consider the environment and what risks may be more important than others. For example, a large research institution with a medical school may present risks such as biohazardous chemicals or radioactive materials, while an institution located in the southeast may be at a high risk for a potential weather-related hazard. Below are a few types of risks to consider based on your institution’s academic, risk and geographic environment.

Rules, Regulations, Policies and Procedures

EH&S is a highly regulated area with a number of laws and standards falling under:

  • Environmental Protection Agency (EPA)
  • Occupational Safety and Health Administration (OSHA)
  • International Fire Code (IFC)

Specific topical areas may include, but are not limited to:

  • Biohazardous materials in research and instruction
  • Confined space entry
  • Contractor safety
  • Eye protection
  • Fall protection
  • Occupational exposure to hazardous chemicals
  • Personal protective equipment, including COVID-19 exposure
  • Radioactive materials
  • Waste disposal

Since there are so many regulations to consider, we recommend that you begin by reviewing your institution’s policies and procedures, as your EH&S function has likely already created internal controls for most key regulatory requirements.

Considerations for the Internal Audit Plan

Internal Audit can help the institution better understand the design and effectiveness of the compliance framework, including internal controls, oversight, training, authority and applicable regulatory requirements. In addition, Internal Audit can perform testing procedures to determine the efficiency of controls in hazard identification, worker participation, laboratory safety and injury/illness prevention.

Common audit activities are often related to:

  • Reviewing documentation (e.g., organizational charts, procedures, workflows, job descriptions, etc.) to understand current procedures.
  • Conducting interviews with key stakeholders to better understand key processes and practices.
  • Evaluating operations and internal controls in place.
  • Performing testing procedures to determine the effectiveness of controls.

Conducting testing procedures is one of the most valuable ways to review and assess the current compliance environment at your institution and to evaluate the current internal control process for remediating EH&S related risks. For example, performing a walkthrough of campus research laboratories typically provides Internal Audit with informative observations or enhancement opportunities. While conducting the walkthrough, a checklist is recommended to encourage documentation of all findings. Taking pictures during this process is a great way to provide key process owners and leadership with significant supporting documentation.

Key checklist questions include:

  • General work environment
  • Laboratory safety plans
  • Safety equipment
  • Security
  • Labels and signs
  • PPE
  • Chemical inventory waste and storage

Why is auditing your institution’s EH&S function important? 

If there are instances of noncompliance with key regulations, the safety of the campus community may be at risk. The institution may also be assessed for financial, regulatory, health and safety damages. For example, without wearing proper PPE during research procedures, a student is at risk for severe injury or death. Further, by not labeling and disposing of biohazardous waste correctly, the waste may become the source of infections. Potential harm could be carried to other students in the room through air pollution, toxic exposure, chemical burns or radiation burns.

Next steps

The EH&S function is responsible for providing a strong foundation of safety through a commitment to compliance and overall protection. Many individuals within the campus community may not think about EH&S; however, everyone does appreciate a safe environment. Internal Audit can help provide operational reviews of the current proactive, monitoring and detective controls that mitigate risks. Consider adding a review of your EH&S function to your audit plan.

References

[1] Definitions of Environmental Health | National Environmental Health Association: NEHA

Auditing Construction Costs

Higher education institutions are routinely engaged with the construction of new capital projects. The significant investments will likely necessitate routine internal audits to ensure funds are being expended appropriately. On campuses with multiple projects, the initial challenge is determining which project(s) to review. This article provides a primer to embarking on a construction audit when you have a limited background (at best) in construction by addressing the following items:

  • Selecting the project and scope of the audit
  • Requesting and evaluating support documentation
  • Direct labor costs
  • Contractor-owned equipment
  • Insurance
  • Information technology (IT)
  • Change orders
  • Other costs

Selecting the Project and Scope of the Audit

Construction is delivered under multiple approaches, often called “delivery methods.” The construction contract is tailored to the delivery method being employed on the project in question. Common delivery methods include Design-Bid-Build, Multi-Prime, Design-Build, Construction Manager-at-Risk, and Integrated Project Delivery.
 
The most common construction delivery methods in higher education today are Design-Bid-Build and Construction Manager-at-Risk. Design-Bid-Build contracts are commonly referred to as “hard bid” or “lump sum”. These projects are completed for a fixed price and are often used on smaller projects where drawings are complete and the scope has been finalized. Given the reduced risk from a financial perspective, the scope of an audit would be primarily focused on any change orders.
 
Larger projects are often built utilizing a Construction Manager-at-Risk delivery method. This method engages the construction manager prior to final drawings in order to leverage their expertise with constructability reviews at various stages of design. This approach utilizes a Guaranteed Maximum Price (GMP) contract. This contract segments the recovery of project costs into the following components:

  • General Conditions, the cost of managing the project
  • Cost of Work, subcontracted work, self-performed work
  • Insurance/Bonds
  • Fee, a percentage of the project cost or a stipulated amount

The GMP contract establishes a cap for the amount paid for the construction, but allows the project owner to retain any variance should the GMP exceed the total realized project costs. As a result, GMP contracts generally have more areas of potential audit exposure from a financial perspective. With resources often being limited, audits of construction in higher education naturally gravitate to GMP contracts given their compensation terms and greater project values.

Requesting and Evaluating Support Documentation

(For the purpose of this and the remaining steps, it is assumed a GMP contract is being reviewed)
 
Once the project(s) to audit has been selected, the Auditor will need to develop an initial documentation request to obtain the following items:

  • The executed construction contract with all amendments, exhibits, workbooks, etc.
  • Fully supported Owner Payment Applications from Owner or Contractor including:
    • Schedule of Values
    • Subcontract Payment Applications
  • A project cost report, for the period being audited, from the Contractor, inclusive of all reimbursable costs.

 
Requests sent to the Contractor should be directed to the Project Executive and/or Project Manager. The construction contract should then be reviewed, specifically sections addressing the “costs to be reimbursed” and the “costs not to be reimbursed.” The compensation terms should detail the usage of pre-determined rates and actual costs. Additionally, the contract should specify the overhead items covered by the Contractor’s fee.
 
A source documentation request should then be sent by the Auditor to the Contractor’s Project Executive and/or Project Manager for multiple items:

  • Direct labor and equipment costs
  • Subcontractor costs (if not provided above as noted in the initial documentation request)
  • Insurance costs
  • Information Technology (IT) costs
  • Change orders
  • Other miscellaneous costs

The lowest source document should be determined for the request. For example, the original timesheet should be requested to validate the hours worked by an employee. These lowest source documents are utilized to create the monthly project billings and provide valuable insight often lost if reports are created specifically to satisfy audit requirements. These documents often contain commentary and details about transactions later adjusted and/or ‘corrected’. In some cases, the source document can further demonstrate how a transaction has been ‘cleaned’ to avoid scrutiny during the payment approval process.

Direct Labor Costs

The contract should specify whether labor is to be billed at pre-determined bill rates or actual cost plus burden. To effectively review labor costs utilizing bill rates, timekeeping records should be requested. To the extent the contract does not explicitly specify the bill rate components, the Contractor should be requested to provide them. Bill rates routinely include paid time off, benefits, base wages, payroll taxes and unemployment insurance.
 
Labor billed at actual cost plus burden will require payroll records, including employee deductions and timekeeping records. To the extent the contract does not explicitly specify the burden components, the Contractor should be requested to provide them. Burden rates are applied to base wages and routinely include paid time off, benefits, payroll taxes and unemployment insurance.
 
If the contract does not specify the use of pre-determined bill or labor burden rates, the labor is normally reimbursed at actual cost plus actual burden. The audit will need to independently estimate the cost of the labor burden. Documents needed to complete this estimate include:

  • State Unemployment Rate for your state.
  • Workers’ Compensation including Experience Modification from the insurance carrier.
  • Medical Insurance at the employee level from payroll records and at the firm level from the insurance carrier.
  • Retirement from payroll records.
  • Accidental Death/Long Term Disability from the insurance carrier.

Contractor-Owned Equipment

Contractors may lease their owned equipment to the project. The contract language often specifies these rental rates are to be indexed to a third-party source, such as the AED Green Book or EquipmentWatch Blue Book. The contract language may specify the lease rates are to be indexed at less than 100% to the index in question. Additionally, the language may specify when lease payments are to cease. If not, the fair market value or replacement value is the implied point when payments should cease. The Contractor should be requested to provide a leased equipment summary, inclusive of the following items:

  • Equipment tracked down to the serial number.
  • Fair market value when first utilized on the project.
  • Rental rate and index rate (if applicable).
  • Cumulative rental charges to date for each item.

Insurance

The construction contract should specify the various insurance coverages required by the contract. The most common coverages, and their means of compensation, are as follows:

  • General Liability Insurance, which may or may not be defined as a percentage rate in the contract.
  • Contractor Controlled Insurance Program or ‘CCIP,’ often specified as a percentage rate in the contract or contract amendment.
  • Builder’s Risk Insurance, purchased specifically for the project.
  • Subcontractor Default Insurance, which is almost always specified as a percentage rate of the enrolled subcontracts.
  • Performance and Payment Bond, purchased specifically for the project.

 
General Liability Insurance will often be charged at a rate that may or may not be defined in the contract. If the rate is not specified in the contract, request a breakdown of the rate charged to the project. The rate breakdown provided should be analyzed to determine if it includes coverage not required and/or if overhead has been included. The project requirements for policy coverage and limits should be located in the Contract agreement. The Auditor should verify the coverage and appropriate limits have been obtained by requesting a Certificate of Insurance from the Contractor which lists the project owner as the named insured for the project in question.
 
Builder’s Risk Insurance and Performance and Payment Bonds are usually purchased specifically for the project. An invoice should be requested to document the purchase. The vendor providing the invoice should be confirmed to be an independent third party, as captive insurers are often used, reducing the transparency of the actual cost incurred.
 
Subcontractor Default Insurance is routinely charged at a rate specified in the contract. This rate is applied to the combined subcontract values enrolled in the program. To confirm the amount charged, a list of enrolled subcontracts should be requested. The Schedule of Values in each subcontractor payment application should then be separately scrutinized for the inclusion of bond costs. If identified, this is most likely a duplicate charge to the Subcontractor Default Insurance.

IT

IT expenditures are often allocated and charged to project costs by Contractors. Contracts may allow for “project-specific” IT expenditures such as laptop computers, internet connectivity, and on-site support. Correspondingly, contracts normally disallow corporate overhead IT expenditures (accounting systems, home office servers, and home office support). The contract language related to IT, however, is usually nebulous. As a “rule of thumb,” if the IT item is utilized on-site, it is likely permissible, but if utilized in a home office, it is likely overhead and should not be billed. Where the contract language does not specify an IT rate, invoices should be provided for all IT charges. This approach is the most transparent from an audit perspective. As with the insurance, the Auditor should be wary of any IT invoices from a related party. Any computers and other hardware charged to the project should revert to Owner control at the project’s end. To the extent an IT rate is specified in the contract, the project cost report should be scrutinized to ensure IT charges covered by the rate have not been direct billed to the project. If the IT rate’s components are not defined, the Contractor should be requested to provide them.

Change Orders

A retrospective review of project change orders will require copies of fully supported Owner Change Orders, which are the summation of multiple change requests made to the project owner for approval. The support should include a cover sheet with an itemized list of the change order items. The subcontractor support for each individual change order should then follow, and this support should then be reconciled to the cover sheet. The Contractor’s markups for insurance, overhead, and profit should be present on the cover sheet and should be confirmed against Contract stipulations. The markups applied on Change Orders should be validated for the following:

  • Will markup, overhead and profit (OH&P), insurance, bonds, etc., be applied to both additive and deductive Change Orders?
  • Is an OH&P cap defined separately for each tier (i.e., Contractor, Subcontractor, Sub-subcontractor)?
  • Can the Contractor get separate markups for its role on self-performed work?
  • Is the aggregate markup capped?

In addition to markups, the Change Order review focuses on these items:

  • Validation of costs (material, labor, etc.).
  • Identification of duplicate scope in selected instances such as rework, back charges, and items intended to be covered by the fee for overhead.
  • Review of the approval process.

Other Costs

The project cost report provided in the initial document request should be sorted to segment transactions not falling into labor, equipment, subcontracts, insurance, and information technology categories. Most of these charges will be for vendors paid via purchase orders. The transactions should be further segmented into a list where the reimbursable basis cannot be readily determined – these invoices should then be requested from the Contractor. The invoice review should focus on the following items:

  • Is the charge reimbursable per the contract, or was it intended to be covered by a rate and not billed directly?
  • Was the charge incurred on the project in question?
  • Do the date and invoice number trace to the project cost report transaction?

Journal entries may comprise the remaining transactions, and backup should be requested for any that are questionable.

Conclusion

Auditing construction costs may seem like an impossible task without specific expertise and with limited resources. However, focusing your audit program on projects with contracting terms with more material financial exposure is the first step in developing an effective review of these capital expenditures. Following project selection with targeted documentation requests will allow the development of an effective and efficient process for reviewing construction project costs.

A Growing Trend: ESG Reporting for Higher Education Institutions

As they looked into their crystal balls for the year ahead, two organizations, Gartner and the Institute of Internal Auditors, published lists of emerging risks for 2022. Not surprisingly, sustainability related to environmental and climate issues as well as social change made both lists.

These risks are just as relevant for public sector organizations, including higher education institutions, as they are for private and publicly held businesses, and they are only expected to grow in the years ahead.
Sustainability and social responsibility encompass a broad range of non-financial issues that may affect an organization’s financial condition and performance.

They may include environmental issues, such as the size of the organization’s carbon footprint, efforts to replace fossil fuels with renewable energy sources, and overall use of natural resources.
These responsibilities may also reference social issues, such as workplace diversity, health and safety, and consumer product safety risks. 

What is Environmental, Social and Governance (ESG)?

As implied by its name, ESG reporting is concerned with measuring performance in three very different domains: environmental sustainability, social responsibility and governance. The key measures used to document and report performance will differ significantly from one organization to another, and more importantly, from traditional accounting measures focused on financial performance.
For now, much of the focus of ESG reporting is on the private sector, especially publicly traded companies subject to U.S. Securities and Exchange Commission (SEC) regulations. The SEC is currently considering several proposed regulations incorporating elements of ESG reporting into the financial reporting requirements for public companies.

That doesn’t mean government entities and higher education institutions are off the hook. Concerns about climate change, expanded opportunities in the workplace, and effective governance are not expected to recede any time soon. History shows us that the public sector is usually not far behind the private sector when issuing guidance and requirements in emerging risk areas. Moreover, the same sentiment driving change in the public sector will affect government entities and higher education institutions as constituents seek more accountability for sustainability issues.

Forward-thinking universities and other public sector organizations can start to implement the appropriate processes to be better prepared to comply with new requirements that emerge.

Metrics and Reporting for Higher Education: The STARS Framework

When it comes to sustainability issues, higher education is not exempt from public sentiment and pressure. In recent years, “green rankings” of universities in various leading publications, including The Princeton Review, have highlighted the importance stakeholders are placing on sustainability. The rankings are based on metrics and voluntary reporting by the institutions themselves.

While there are several frameworks available, the most widely used ESG reporting framework is the Sustainability Tracking, Assessment & Rating System (STARS). It is a self-reporting framework open to the full spectrum of higher education institutions, from community colleges to research universities.
STARS was created in 2006 by the Association for Advancement of Sustainability in Higher Education (AASHE) in collaboration with higher education institutions. Currently, more than one thousand institutions have registered to use the STARS reporting tool to:

  • Provide a framework for understanding sustainability in all sectors of higher education.
  • Enable meaningful comparisons over time and across institutions using a common set of measurements developed with broad participation from the international campus sustainability community.
  • Create incentives for continual improvement toward sustainability.
  • Facilitate information sharing about higher education sustainability practices and performance.
  • Build a stronger, more diverse campus sustainability community.


The STARS framework includes long-term sustainability goals for already high-achieving institutions and entry points of recognition for institutions taking the first steps toward sustainability. Many institutions use STARS as a planning tool to identify areas of strength in sustainable practices and areas that need improvement. Each STARS report and rating is valid for up to three years, and a report may be submitted as often as once per year.

The framework is made up of five categories: Academics (AC), Engagement (EN), Operations (OP), Planning & Administration (PA) and Innovation & Leadership (IN), and these are broken into sub-categories for reporting purposes:

 

Each category is broken down into credits with specific metrics, activities, or practices needed to earn these credits. The institution identifies which credits they will pursue and collects the information from campus stakeholders. The institution accumulates points based on these practices and receives a rating of platinum, gold, silver, or bronze based on the number of points awarded. 



 
Below is an example of how one institution, the University of Georgia, appears in the STARS system. To allow institutions to compare their sustainability with others, the data used to assign points are made public.

Audit Committee and CAE Considerations

When it comes to ESG reporting, we have found that common questions arise among boards and audit committees as they consider the implications for their institution. These include:

  • Have we assessed the ESG disclosure criteria and determined which information is most relevant?
  • Do we have a strategy for identifying which ESG information is available?
  • How does our ESG performance relate to our institutional strategies and objectives?
  • Are our processes designed to produce accurate and complete information for our stakeholders?
  • Who is responsible for defining our institutional ESG strategy and overseeing information gathering through disclosure?

On a somewhat granular level, Chief Audit Executives and other audit leaders have questions related to ESG and reporting and disclosure. These include:

  • Do we have a published ESG or sustainability report or other available information? If so, is it still up to date and fit for purpose?
  • Is our ESG strategy aligned with our institutional objectives and long-term strategy? Does that strategy clearly state our ESG goals?
  • Who is responsible for overseeing the development and execution of the ESG program?
  • Have we defined the key metrics and data to quantitatively measure ESG performance across our institution?
  • Do we have defined, consistent processes and controls to identify, gather, aggregate and publish key ESG performance indicators?
  • Does our ESG/Sustainability strategy leverage one of the common reporting frameworks, and are we obtaining independent assurance or other support?

How the Audit Team Can Support ESG Efforts and Build Opportunities

For the audit team, it makes sense to approach ESG from a risk management perspective. In addition, contributing to the organization’s ESG efforts helps add value to the organization. The Internal Audit (IA) department can take these steps as part of the overall ESG program:

    1. Request an ESG risk assessment for the institution.
    2. In gathering information for STARS reports or other ESG disclosures, focus on adopting an enterprise-wide approach to managing ESG risks.
    3. Educate the administration about ESG reporting and the role organizational governance plays in the evaluation process.
    4. Identify and propose solutions to facilitate sharing information across siloed and decentralized approaches to risk management.
    5. Promote IA’s role in providing independent assurance.

IA can anticipate emerging ESG disclosure expectations and requirements by encouraging and understanding processes and controls in the institution. IA can also advocate for the adoption of established ESG frameworks and relevant, data-driven reporting, help to assess institutional stakeholders’ expectations and gaps in currently disclosed information, and support process-integrity of reporting by assessing how key data is compiled and reported.

Looking Ahead

As higher education institutions of all types and sizes continue to adopt and embrace ESG reporting, internal auditors will have an important role in helping to lay the groundwork for success. They have an opportunity to play a key role in improving internal controls and the overall adoption of these processes. The risks are unlikely to go away any time soon. The important thing will be the way institutions prepare for them.

Letter from the President

Dear ACUA Colleagues,

I hope everyone is enjoying the summer season! Nothing like summer on a college campus. I remember an administrator once telling me, “We love our students, but we love when they take the summer off too.”

I wanted to mention a couple of things about the upcoming AuditCon in Las Vegas in September (in bulleted short form, because who has time for all the words):

  • Once again, this year we will have the CAE track.
  • Lots of hot topics will be covered, including: Title IX, Sports Betting, Cryptocurrency, IT, Research, Ethics, roundtables of all sorts, ADA, foreign gifts and contracts, back to basics (risk assessments, report writing, etc.), self-care, student mental health, and many others…wow!
  • Amazing keynotes including, but not limited to, hearing from:
    • Robert Chestnut of Airbnb on intentional integrity in organizations
    • Tim Renick of Georgia State on predictive analytics for student success
  • Caesar’s Palace – speaks for itself!
  • In a hybrid format, there are tracks that will stream live to allow virtual attendance.
  • And of course, what sets our organization apart from others is the professional networking opportunities with fellow ACUA colleagues at our conferences.

Odds are good you won’t want to miss this conference!

Finally, let me take a moment to introduce our new editors, Gavin Shubert of Georgetown University and Kara Hefner of the University of North Carolina at Chapel Hill, as well as send a special thanks to Claire Thomas and James Merritt who have since left higher education auditing and passed the editors’ torch.

See you in Vegas!
Brian Daniels, University of Tennessee
ACUA President