Are Agency Funds Driving up Your Costs?

Universities often have many affiliated entities that call the campus home. These may include student organizations, honor societies, academic journals, professional organizations like ACUA, alumni associations and more. It is common for institutions of higher education to account for the funds of these organizations through an agency fund relationship. In his book, “University Finances: Accounting and Budgeting Principles for Higher Education,” Dean O. Smith states: 

“Agency funds come from nonuniversity sources. The University serves as custodian of these funds. Accordingly, the funds ‘flow through’ the university, with the sources that provide the funds having the sole discretion over expenditures. Agency funds are not reported as university income and expenditures, as these sources are not considered official units of the university.”

To understand the true nature of agency funds and associated costs, it is important to perform a detailed review of each affiliated organization and its history. A thorough examination of your university’s agency fund budgets may reveal that affiliates are driving up overall costs and may help to identify opportunities for cost savings or recovery. The following are some areas to consider when reviewing agency fund budgets:

  1. Payroll – This includes the cost of employing individuals at the university to manage or perform work for outside organizations. In some cases, universities do not allow payroll to be charged directly to an agency fund. Instead, the outside organization must transfer money from the agency fund to the university to cover payroll costs for employees who are funded by the university. Available documentation should identify payroll costs associated with the organization and explain to what extent the university is responsible for covering salaries, fringe benefits and other costs.
  2. Administrative Fees – These may include payment processing services (accounts payable), telephone service, copying and printing charges, postage and other charges. The university may be able to recover funding by charging the affiliated entity for various administrative items currently provided at no cost.
  3. Rent – Affiliated entities which list a campus address as their business address often operate within university facilities. Depending on the nature of the organization, they could be utilizing more than just office space. Sports camps, for example, which tend to operate as LLCs run by coaches, require the use of athletic facilities.
  4. Risk Management and Legal Liability – Management should consider whether affiliated organizations bring additional risk exposure to the university. This assessment depends on the type of organization and the liability associated with its activities. For example, if an individual is injured on campus while participating in an affiliated entity’s programming, is your university liable?
  5. Overdrafts – During periods of economic downturn, these types of organizations often struggle and could be operating at a deficit, which the university may ultimately need to cover. Budget administrators should review the budgets of affiliated entities for which they have oversight to ensure the entity’s deposits fully cover their expenditures. In the case of recurring overdrafts, the university should consider terminating the agency fund relationship. Alternatively, the university can develop a payment plan and invoice the affiliated entity. 

        Affiliated entities provide many positive experiences for students and employees. However, the agency fund relationship can result in excessive costs to the university if proper controls and oversight are not in place. Internal auditors are uniquely qualified to provide management advisory services regarding these kinds of relationships. Such reviews may help to enhance efficiency and identify costs that may be weighing on the university’s finances.

        Auditing Pandemic Relief Funds: A Uniform Guidance Approach

        Since March of 2020, many colleges and universities have been fortunate to receive millions of dollars of COVID-19 federal aid in the form of Higher Education Emergency Relief Funds (HEERF I, II and III), Coronavirus Relief Funds (CRF), Governor’s Emergency Education Relief Funds (GEER) and Federal Emergency Management Agency (FEMA) grants. Internal audit departments play an integral role in verifying compliance with the terms and conditions for each program, especially prior to the final report submission and before the arrival of external auditors. However, each program has unique allowability, timing and reporting requirements which can be challenging to audit. 

        Non-federal entities that expend $750,000 or more in federal relief funds in one year are subject to a Single Audit, which focuses on ensuring compliance with applicable Uniform Guidance requirements. Creating an audit program based on Uniform Guidance requirements provides alignment with external auditors while testing internal adherence to program standards. The Uniform Guidance requirements most applicable to the majority of pandemic funds are outlined below, along with corresponding controls and test steps.

        Activities Allowed/Unallowed and Allowable Costs/Cost Principles

        The following audit procedures provide a methodology for testing federal award spending for allowability in compliance with program requirements and grant agreements:

        • Assess the design and effectiveness of the invoice review process, budget-to-actual cost comparisons and controls that detect, correct and prevent unallowable costs.
        • Select a sample of expenses and verify allowability and the existence of supporting documentation. HEERF expenses require a nexus to COVID while FEMA costs may be limited to Personal Protective Equipment (PPE). CRF expenditures must be necessary, COVID-related and not listed in the organization’s budget.
        • Review the expense descriptions in the final report and investigate any that do not appear allowable.
        • Review any payroll expenses and verify positions were substantially dedicated to COVID-related work.
        • For HEERF I student awards, verify monies were issued directly to qualifying students.

        Cash Management

        Federal funds must be tracked and spent on immediate needs. While cash management may only be required for funds provided by HEERF, all institutions will benefit from verifying that federal program funds are appropriately tracked. Audit procedures should include the following:

        • Determine whether the accounting method used to track the receipt and expenditure of funds is reasonable and consistent. 
        • Confirm that there is an appropriate level of supervisory review over the cash management process.
        • Run a transactions report and compare it to program reports for completeness and accuracy.
        • Verify receipt of funds and agree amounts with the award notification.
        • Test the controls in place to prevent “double dipping” amongst other pandemic funds.
        • Verify a sample of expenses for the existence of approvals prior to purchase.

        Matching and Earmarking

        Matching pertains to a specified percentage of funds allowed to be used towards particular expenditures, while earmarking is the minimum or maximum spending permitted on specified activities. To test these requirements for HEERF programs: 

        • Inquire how funds are tracked in the accounting system and whether there is an appropriate level of supervisory review of the matching and earmarking requirements.
        • Verify student spending met the minimum requirements, as follows:
          • HEERF I – at least 50% of the institution’s allotment.
          • HEERF II – the same amount issued to students as in HEERF I; for-profit institutions must use 100% of their allotment on student grants.
          • HEERF III – at least 50% of the institution’s allotment; for-profit institutions must use 100% of their allotment on student grants.

        Period of Performance

        Federal funds must be used only during the authorized period of performance, which varies by fund. Note that extensions may apply. Audit procedures may include the following activities:

        • Determine if there are controls in place to prevent expenditures outside the specified period, such as:
          • Accounting system limits
          • Review of disbursement dates and cut-offs
          • Timely management review of budget-to-actual reports
        • For a sample of transactions, review invoices and other support to verify the occurrence of the expenditures during the period of performance.
        • Review the dates of expenditures on the final report for appropriateness.

        Reporting

        Federal funds must be reported timely and accurately based on program requirements. Reporting may be financial or performance-based. Financial reporting captures program expenditures as prescribed, while performance reporting shares how goals and objectives were met. Consider performing the following procedures:

        • Obtain the reports for each reporting period and verify they were submitted timely. For HEERF, verify your institution’s website included all the required public disclosures.
        • Ensure reported amounts agree with the general ledger and accounting system records.
        • Verify that the correct accounting method (cash or accrual) was utilized.
        • Confirm required supporting documentation was submitted in the appropriate format.
        • Ensure that the reports were appropriately reviewed prior to submission.
        • Review CRF performance reports to ensure the underlying data agrees with the financial reports and stated achievements and that it accurately reflects progress towards goals.

        Subrecipient Monitoring

        All pandemic relief funds are also subject to Uniform Guidance requirements related to subrecipient monitoring, where applicable. Testing should be designed for programs or areas where subrecipients are utilized. 

        Conclusion

        By aligning pandemic fund audit programs with Uniform Guidance compliance requirements, you can test program requirements and add value by addressing areas that will be covered during the Single Audit. This model also saves time, as it can be applied to all pandemic funding programs. 

        The Uniform Guidance sections applicable to each program are summarized below:

        Uniform Guidance section              | HEERF (CFDA 84.425 E,F) | CRF (CFDA 21.019) | FEMA (CFDA 97.036) | GEER (CFDA 84.425C)
        Activities Allowed or Unallowed       | Y                       | Y                 | Y                  | Y
        Allowable Costs/Cost Principles       | Y                       | Y                 | Y                  | Y
        Cash Management                       | N                       | N                 | N                  | Y
        Matching, Level of Effort, Earmarking | Y                       | N                 | N                  | Y
        Period of Performance                 | N                       | Y                 | Y                  | N
        Reporting                             | Y                       | Y                 | Y                  | Y
        Subrecipient Monitoring               | Y                       | Y                 | Y                  | Y

        Table of applicable Uniform Guidance sections.

        References

        Department of Education:  https://www2.ed.gov/about/offices/list/ope/caresact.html 

        NASFAA HEERF Comparison Chart: https://www.nasfaa.org/uploads/documents/HEERF_Funds_Comparison_Chart.pdf 

        2 CFR Part 200, Appendix XI 2021 Compliance Supplement: https://www.whitehouse.gov/wp-content/uploads/2021/08/OMB-2021-Compliance-Supplement_Final_V2.pdf 

        Letter from the President

        Dear ACUA Colleagues,

        I hope everyone is enjoying the autumn season! Before we know it, the holidays will be rolling around.

        Many of you were able to attend ACUA’s first hybrid conference: AuditCon 2021! Before discussing the conference itself, let’s pause and thank the dozens of volunteers who serve our organization so proudly. These events are incredibly difficult to pull off, even in the best of circumstances. Add in a global pandemic, and it is quite remarkable that our dedicated professionals, who have very busy lives, were able to create such a success!

        This year’s AuditCon boasted a wide array of dynamic speakers who shared their knowledge on a variety of emerging and important topics. Whether you were there in person, attended virtually or are considering how best to participate going forward, this hybrid event marked a Pivot Point in our organization’s storied history. We look forward to sorting through your feedback to determine what worked well and what can be improved for next year. As we consider how to position ACUA going forward to best serve the needs of our membership, we will remain alert for additional opportunities to ensure continued success.

        Lastly, a special thanks to our Immediate Past President, Patti Snopkowski of Oregon State University, for her stellar leadership in a challenging time. It will be difficult to fill her shoes, but I look forward to working with all of you in the coming months as we close out 2021 and look ahead to everything the new year holds.

        Sincerely,
        Brian Daniels, University of Tennessee
        ACUA President

        Letter from the Editor

        Hello ACUA!

        The nights are getting longer, there’s a chill in the air and (at least here in the Northeast) the leaves are aflame with vibrant color. As the season turns, the atmosphere seems charged with possibility and excitement. With the holidays quickly approaching and AuditCon behind us, now is the perfect time to look back and reflect on all of the changes, struggles and accomplishments of this eventful year. Autumn is a time of transition, which fits perfectly with our current theme of Reflection and Transformation.

        Although the last year and a half has been tumultuous, it has resulted in a flurry of new activity within the higher education landscape. Here, our members share their thoughts about the new and evolving risks that have been brought to the forefront by this time of transformation. First, Kara Hefner details a Uniform Guidance-based approach to auditing pandemic relief funds – a topic that is surely at the forefront of many institutions’ audit plans this year! Lily Young shares her strategies for understanding the true cost of your university’s agency fund relationships, while Joseph Iannini provides professional tips and tricks for preliminary information gathering. In addition, David Terry and Kyra Castano offer their insights from Portland State University’s recent contracting and procurement services audit and discuss the benefits of co-sourcing with a trusted advisor. Finally, Todd Knowles and Diane Padgett explore key privacy regulations and risks in the first half of their Data Privacy Primer series. (Expect the second installment in our Winter issue!)

        Every issue of College and University Auditor is a direct result of contributions from our incredibly knowledgeable community. Please consider sharing your experience and expertise with us in a future issue! The journal team is ready and willing to assist in developing your ideas or fine-tuning your article. Feel free to reach out to me with questions, comments or ideas for future articles at editor@ACUA.org, or contact me by phone at (203) 218-7631.

        Many thanks to our community, and I hope you all enjoy this issue of College and University Auditor!

        Sincerely,
        Claire Thomas

        Preliminary Information Gathering (PING)

        Introduction

        One of the most challenging and time-consuming parts of an audit is drafting a well-written narrative that summarizes the significant processes and related internal controls. Factors such as client availability, lack of experience and scoping errors can contribute to the complexity of this task. This article offers a few suggestions to help navigate these common challenges.     

        The term Preliminary Information Gathering process or “PING” refers to the phase of the audit that includes drafting an initial process narrative. PING is a critical stage for the ultimate success of the engagement, as it documents the significant processes and identifies the controls to be tested. Further, conducting a robust planning process is required to meet the Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) standard 2200, Engagement Planning, which states:  
         
        “Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organization’s strategies, objectives, and risks relevant to the engagement.”


        Clarifying the Scope and Objectives

        Scoping

        The foundation of any process narrative is agreement on scope and objectives. Before addressing scope, verify the significance of the process with the client, including the estimated dollar value, volume of transactions and recent changes. During this meeting, the audit team should clarify the systems used, locations involved and process owners. Auditors should also inquire about the level of process uniformity. This will help to develop the scope and estimate the resources needed for the engagement. Depending on the type of review, you may need to ask if the client has an operational dashboard or key performance indicators (KPIs) that are used to measure success. Assessing operational metrics can provide insight into potential process issues, such as an increase in student billing errors or refunds that should be considered during the PING.    

        Objectives

        Keep the overall objective simple and high level. Using the procurement process as an example, the primary objective would be to verify that only properly authorized purchases are made, and that the complete population of purchases is accurately processed and in the proper accounting period. A secondary and broader objective might be verifying that the procurement process uses the existing technology to the highest possible extent and minimizes the use of paper.  

        Establishing agreement on the objectives minimizes any supervisor or client “expectation gap” and ensures any observations or recommendations are focused on the agreed-upon areas. Periodically refer back to the scope and objectives to keep the audit focused and avoid scope creep. 


        Interview Preparation 

        Many experienced internal auditors recall the stress of preparing for interviews and being overwhelmed with the amount of “data” obtained, much of which may not be needed. Often, the best weapons against stress are effective planning, ongoing communication and adherence to the agreed-upon scope and objectives. Consider this preparation time an investment in the future success of the audit rather than a burden. 

        Preparation should include the following activities:

        • Research the audit area and read any available background information, as this builds credibility. Background information can be found in prior work papers, websites, newsletters or procedure manuals. Reviewing competitor information may also be useful and can provide additional industry insights that lead to value-adding recommendations.  
        • Contact the interviewee and verify the subject matter you plan to discuss and the meeting objectives. Use this knowledge to prepare a written agenda, which you should email to participants in advance of the meeting. Using the procurement example above, you can state that the meeting objective is to walk through the process from purchase approval to vendor payment. This will ensure the client is adequately prepared and that the appropriate process owners are included in the meeting.
          • If you plan to obtain document copies, make that clear in advance of the meeting. A useful tip is to ask the process owner to email screenshots (or other documentation) to you at each step of the interview, including a brief description of the document in the subject line. If it is not possible to get emails during the interview, keep a detailed list of requested items, and be certain to use the same document names as the client.
        • Include specific questions, clarifications needed and any required background information on the agenda. 
        • Confirm the meeting date, subject matter and other key points in writing a few days before the scheduled interview.   
        • Practice your interview questions to increase your confidence.


        Conducting the Interview

        When conducting the interview, the following strategies may be helpful:

        • Open the interview by introducing yourself and thanking the participants for their time. If there are several process owners in the meeting, ask each to introduce themselves and explain their areas of responsibility. 
        • Use terms that are understood by the client, not audit jargon. If the auditee uses an unfamiliar term, ask for clarification.  
        • Distribute a copy of the agenda and re-state the purpose of the interview and the topics you wish to cover.
        • Explain that you wish to walk through the entire process and clarify any expectations, such as obtaining screenshots. Give an example of the level of detail you wish to obtain and ask if they have any questions.
        • Critical Concept: Do not assume the points described above were previously communicated to all meeting attendees.  
        • Take notes to document key processes, but do not try to write down every word or phrase.  
        • It is good practice to pause periodically and re-state your understanding of the key points.
        • When ending the interview, state the next steps, such as providing a draft of the narrative for validation or scheduling a follow-up call to clarify any open points.


        Critical Errors to Avoid

        Missing Key Processes

        When conducting a walkthrough, the main objective is to document the key processes and controls, not every step in the process. To keep things organized, it is helpful to think of a flowchart with decision boxes. For example, you may begin by asking about the procedure to approve a purchase. Once that process is understood, you can ask about the handling of unapproved or rejected purchases, and what would cause a purchase to be rejected (e.g., the purchase exceeds the purchase order limit). Asking about both approved and rejected transactions ensures that all relevant processes are documented. You may also want to ask how often purchases are rejected and why.

        Insignificant Processes

        Another risk is getting bogged down in data that is immaterial. When walking through purchasing processes, there may be transactions that are exceptions to the normal process, such as manual purchase orders or emergency expenditures. Clarify the frequency and materiality of these items before deciding to invest time in documenting matters that may be immaterial or insignificant. These items can be discussed later if they are selected as part of your substantive sample.  

        Jumping to Conclusions

        Using the written agenda, you should have identified all key process owners. However, there may be situations where you believe process gaps or missing controls may exist. In that case, you should calmly verify the facts with the interviewee and then follow up with their supervisor. While your initial assessment may be correct, the supervisor may have already developed effective compensating controls.  


        Manual or Automated?

        When documenting a key process flow, you should clarify which steps, if any, are automated. This important point is often overlooked when drafting the preliminary walkthrough, and can lead to confusion and excessive follow-up questions.

        No Time for Self-Review

        Be sure to build time into your budget to review your draft narrative, and consider having a peer read the draft and give you feedback. Before performing the self-review, you may wish to set the document aside for a few hours to clear your mind so you have a fresh perspective. In addition, make use of the spelling and grammar check features in your software. Failure to do so may make the draft appear unprofessional and sloppy.

        Inaccurate Information

        Once the self-review is completed, send a copy of the narrative to the process owners and ask for their feedback. If additional clarity is needed, schedule a follow-up meeting with the process owner.  

        Conclusion

        The PING methodology that works best for each auditor will vary. However, the information above provides a framework to assist inexperienced auditors in approaching interviews and can be useful to more experienced auditors as a reminder of best practices and potential pitfalls.

        Data Privacy Primer: Regulations & Risks

        Privacy Background

        What is this concept of “privacy” we hear so much about in today’s news? Where did privacy originate, and why does it matter? In this article we will define privacy, discuss its importance and review some applicable laws.

        The modern-day concept of privacy is often attributed to Samuel Warren and Louis Brandeis’ 1890 essay “The Right to Privacy,” in which they acknowledge “the right to be let alone” in their argument that existing laws facilitate individual privacy protections. Privacy is generally defined as the right to be let alone, or freedom from interference or intrusion. The International Association of Privacy Professionals defines information privacy as “the right to have some control over how your personal information is collected and used.” However, the meaning of privacy may vary depending on an individual’s, organization’s or country’s perspective. For some, privacy means being protected from data breaches or identity fraud. For others, privacy is a fundamental right related to personal and family life, home and correspondence.

        When we refer to privacy, we are referring to those elements comprising personally identifiable information (PII). Examples include, but are not limited to, name, date of birth, physical address, phone number, Social Security number, financial account numbers (e.g., bank account and credit card numbers) and protected health information. Privacy principles created and defined by the Organization of Economic Cooperation and Development in 1980 form the backbone of privacy laws and privacy protection frameworks worldwide. The following elements of these principles are found throughout most privacy regulations:

        • Collection Limitation: Data collection should only take place with knowledge and consent of the affected individual or data subject.
        • Data Quality: Only information that is relevant and accurate for a particular purpose should be collected.
        • Individual Participation: An individual should be aware that their information has been collected and be able to access it.
        • Purpose Specification: The intended use of personal data must be known at time of collection, and data should not be arbitrarily collected.
        • Use Limitation: Collected data is to be used only for purposes specified at time of collection, not broader future use. Consent should be secured from data subjects for use of data for other purposes.
        • Security Safeguards: Reasonable measures must be taken to protect data from unauthorized use, destruction, modification or disclosure. Most laws reference reasonable and appropriate security measures based on risk determination rather than perfection.
        • Openness: Data subjects should be able to contact the entity collecting or storing their information to ascertain types of data collected.
        • Accountability: Data collectors should be accountable for adhering to these principles. Ideally, there should be a person in the organization dedicated to ensuring privacy principles are followed. The concept of a data protection or privacy officer originated with this principle.

        Defining Key Concepts

        While data privacy focuses on the use and governance of PII, data security focuses on protecting PII from malicious attacks and improper disclosure. Privacy cannot be protected without an associated security component.

        Privacy professionals frequently reference Privacy by Design, a proactive and intentional approach where privacy is the default in technology system design and is considered at the earliest stage¹. As opposed to an ad hoc approach, where privacy discussions take place in later stages of system development, the Privacy by Design framework is applied to the data life cycle from creation through collection, storage, archiving, de-identification and deletion.

        PII processing refers to any operation or set of operations performed on personal data whether or not by automated means. It can refer to data collection, recording, storage, retrieval and erasure.

        With these definitions in hand, let’s explore why privacy is important in today’s world.


        Importance of Privacy

        An individual’s privacy is a fundamental right and is closely connected to human dignity. It is the foundation on which other human rights are built. Privacy protects against the abuse of power by limiting what can be ascertained about individuals and providing shelter from those who may wish to exert control. Ensuring individual privacy protects us from the arbitrary and unjustified use of power by states, companies and other actors.

        However, data is an increasingly valuable asset. With the rise of the data economy, organizations and nation-states have found significant value in collecting, sharing and using data. Companies like Amazon, Facebook and Google have built their organizations on data². Collecting data provides organizations with the power to explain, predict and even control behavior. This is particularly valuable for advertising and marketing endeavors. For example, Netflix uses data analytics for targeted advertising. With over 100 million subscribers, Netflix collects large volumes of data. If you are a subscriber, you are familiar with how the company provides suggestions for the next movie you should watch by using your search history and viewership data. This data gives them insights into your interests. Without proper regulatory protections and legal recourse, you would have little control over how Netflix and other companies use and share your personal data.

        In her 2019 book titled “The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power,” Shoshana Zuboff discusses how surveillance capitalism is an economic system centered around commodification of personal data with the core purpose of profit-making. Commodification makes personal data a valuable resource. Zuboff points out that tech companies and other corporations are mining users’ information to predict and shape their behavior, undermining personal autonomy and potentially eroding democracy.

        Primary Privacy Laws

        But surely there are privacy laws that provide protection against this abuse of personal data?

        Unlike Europe, the U.S. has enacted a patchwork of privacy laws generally targeted to protect consumers. The Federal Trade Commission (FTC) serves as the primary federal enforcer of consumer data privacy and security laws for many businesses. Enforcement centers around fraud, deception and unfair business practices. Institutions that violate consumer privacy rights or mishandle sensitive consumer information may face legal enforcement actions brought by the FTC and state authorities. The U.S. Department of Health and Human Services (HHS) governs health protections focusing on compliance guidance, with the Office of Civil Rights (OCR) acting as the enforcement arm for HHS privacy regulations.

        U.S. laws to be aware of in the education and health care sector (i.e., those that affect academic medical centers) include:

        Family Educational Rights and Privacy Act (FERPA) gives parents and students certain protections pertaining to student education records such as grade reporting, transcripts, disciplinary records, contact and family information, and class schedules. FERPA requires student or parent written consent for release of educational records.

        Children’s Online Privacy Protection Act (COPPA) protects the privacy of children under 13 years of age. It requires website or online service providers to request parental permission to collect data on children and stipulates how the data can be processed and held.

        Gramm-Leach-Bliley Act (GLBA) requires financial institutions, defined as companies offering financial products or services, to explain information sharing practices and protect against unauthorized access to, or use of, personal information that could result in substantial harm or inconvenience to a customer. GLBA stipulates financial institutions appropriately ensure the security and confidentiality of customers’ information.

        Health Insurance Portability and Accountability Act (HIPAA) is designed to protect the confidentiality and security of a patient’s health care information, defined as any information identifying the past, present or future physical or mental health of an individual. It includes all communication media, whether written, verbal or electronic. HIPAA includes the Privacy Rule, which protects a patient’s right to keep health information private, and the Security Rule, which requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information. HIPAA violations can result in significant penalties for noncompliant organizations and individuals.

        In addition to these federal regulations, various states have enacted privacy laws to protect personal data in the consumer setting. Most notably, California enacted the California Consumer Privacy Act (CCPA) which is designed to protect the privacy rights of California’s citizens. It gives consumers the right to control how companies collect and use their personal data. Some states have already enacted similar laws, or carved out exceptions for the federal regulations, and more are expected to do so in the coming years. 

        From an international perspective, institutions should be aware of country-specific privacy laws. Most notably, the General Data Protection Regulation (GDPR) requires organizations to ensure that personal data of European Union citizens is gathered legally and under specific conditions. Institutions that process personal data are obliged to protect it from misuse and exploitation and to respect data subjects’ rights. Those who fail to do so may face significant penalties. GDPR requirements spurred the development of privacy policies (and cookie banners), in which organizations offer transparency into their data collection and management practices.

        Conclusion

        As more attention is focused on privacy, both internationally and domestically, consumers and clients will increasingly expect institutions to protect their personal information and embed privacy considerations into their business strategies. In a report published in November 2019 as part of Cisco’s Cybersecurity Series, “Consumer Privacy Survey, The Growing Imperative of Getting Privacy Right,” 2,601 adults, or 32% of respondents, stated that they care about privacy and had already taken action by switching companies or providers in response to data policies or data sharing practices. Along with the increase in privacy regulations worldwide, this should be a catalyst for organizations to establish or update their privacy programs.

        In the second part of this article, we will explore areas auditors should consider reviewing when evaluating functions and processes involving personal data.

        References

        1) Deloitte, GDPR Top Ten #6: “Privacy by Design and by Default”; Shay Danon; February 2017
        2) MIT Technology Review: “It’s time to rein in the data barons”; Martin Giles; June 19, 2018

        Letter from the Editor

        Hello fellow ACUA members!

        My name is Claire Thomas, and I am delighted to be the new editor for College and University Auditor. First, I’d like to thank the prior editor, Jackie Pascoe, for her many contributions to the journal. I have enjoyed getting to know Jackie, and I have great respect for her work with ACUA. I would also like to thank our deputy editor, James Merritt, for his assistance with my transition into this role.

        For those of you who don’t know me, I am the Audit Manager for the Internal Audit & Advisory Services department at Boston University. Prior to that, I worked alongside James for several years as a Principal Auditor at Duke University, and I welcome this opportunity to collaborate with him again!

        I have always enjoyed the unique challenges and opportunities associated with working in higher education. Our institutions are constantly evolving, and as auditors, we must be innovative and agile in order to meet their needs. Our ACUA network plays an important role in fostering this commitment to continuous growth and professional development, and I am excited to be taking part in such an important objective. I look forward to working alongside our members as they continue to share their insights, resources and experiences with the broader ACUA community.

        This issue of the journal brings workplace culture to center stage. After the turmoil and pressures of the last year, conversations about culture have likely been relegated to the back burner. But as many of our organizations begin to resume in-person work, this topic is becoming increasingly important. What kind of environment awaits us when we return? In this issue, Sabine Charles provides recommendations for how internal auditors can enhance client relationships and overall success through emotional intelligence. Jennifer Roberson and Chrissy McKeown share their insights and discuss strategies related to delivering effective feedback, while Harold Lederman offers tips on how to improve client relationships throughout your audit. In addition, Jaime Fernandez discusses how to support and partner with your athletics department. Finally, the journal team has tabulated your responses to our recent survey on workplace culture. Our article offers results, insights and a few takeaways.

        The content of this and every issue of College and University Auditor is made possible by the contributions of knowledgeable professionals throughout our community. Please consider sharing your experience and expertise with us. The journal team is always happy to assist in developing your ideas or fine-tuning your article. Feel free to reach out to me with questions, comments or ideas for future articles at editor@ACUA.org, or contact me by phone at (617) 353-3324.

        Thank you for your time, and I hope you enjoy this issue of College and University Auditor!

        Sincerely,
        Claire Thomas

        How to Improve Your Audit Product

        Professionals are generally aware that the final deliverable of a product is judged on more than the quality of the service itself. A client’s overall perception throughout an engagement plays a vital role in their satisfaction and cooperation with internal audit. This article provides suggestions on how to improve the overall audit product and relationships with audit clients.

        1. Make it clear that you are there to help

        Ask the client how internal audit can help. A great way to start the conversation is by asking for a list of process improvements over a period of time (e.g. two years) and then verifying that they were implemented. Depending on the structure of the institution’s audit report, process improvements should be addressed first, if they are included in the report. If they are not included in the official report, auditors should outline process improvements in an informal memorandum or discuss them verbally with the client.

        Additionally, internal audit can provide assistance to clients through the audit report, which can be leveraged to help the client achieve their goals. For example, making recommendations and highlighting areas for improvement may have more impact when included in an audit report and suggested in this formal manner to senior leadership. However, it is important to keep in mind that internal audit should not be involved in any implementation of these recommendations to maintain independence and objectivity.

        2. Use proper terminology when addressing clients

        In the business world, clients are generally referred to as, well, clients. Avoid addressing clients in ways that could have negative connotations, such as “entity under audit” or “auditee.” It may be helpful to think from the client’s perspective on how it might feel to be audited and referred to as the auditee. Being respectful and friendly to the client during communications will help with the intimidation factor that clients may feel when being audited. 

        3. Put clients at ease

        For many clients, learning that they are being audited or even meeting with internal audit induces a level of fear or anxiety. While it seems that auditors are stereotyped as scary intruders who want to upset the status quo, it is helpful to gently remind clients this is not the case and work to change their perspective. The following suggestions offer some ideas that may help convey that internal audit wants to collaborate with clients to achieve mutual goals:

        • Start the audit with Preliminary Information Gathering (PING) meetings. This allows internal audit to gather history and become familiar with the client’s operations. This information can then be used to shape the audit program. 
        • Document internal audit’s understanding in writing and distribute it to stakeholders, requesting confirmation that it is correct. To further demonstrate that internal audit seeks to collaborate with the client, suggest in the communication that stakeholders make comments and edits as they see fit.  

        4. Report audit findings in context

        Research the history of the audit area (e.g. changes to systems, processes or personnel) by using the client’s institutional knowledge and other resources. Including this information in the audit scope shows both stakeholders and leadership that internal audit has made a genuine effort to produce a quality, relevant deliverable.  

        Example: Internal audit discovers that the database the client is using has duplications and errors. Internal audit becomes aware that the audit area had four directors in the last four years and that the data was managed by many individuals over this period. The current data manager has held the position for six months and made many improvements to fix the database. Internal audit highlights the data manager’s efforts during ongoing discussions and in the audit report. As a result, internal audit gains the trust and appreciation of the client and management, thereby developing the foundation for a great relationship.

        5. Use graphics and other tools to emphasize your points and make them easily understood

        The success of many online platforms depends on their ease of use and simplicity. Twitter, for example, limits messages to 280 characters. The most common length of a tweet is 33 characters. Historically, only nine percent of tweets hit Twitter’s former 140-character limit; now it is only one percent.

        Another online platform, Pinterest, utilizes images, videos and text – infographics – that allow users to discover information through various means. As of the publication of this article, there are over 200 billion pins on Pinterest, and 87% of Pinners have purchased a product because of Pinterest.

        The use of tables, graphs and slides can appeal to end users (e.g. stakeholders and leadership) and increase engagement during the presentation of a deliverable. Additionally, presenting a deliverable with PowerPoint seems to be underutilized in our profession. Introducing this as a method to present audit information and harnessing its formatting capabilities (e.g. fonts and color themes) can amaze management.  

        6. Present executive highlights that convey some of the detail, and the entire picture, at the same time.

        While this may sound like a contradiction, here is how it is done. Auditors love spreadsheets, replete with formulas, tiny explanations, footnotes and other auditing paraphernalia. But, more often than not, it is only auditors who truly care about them. Management and clients want straightforward, easy-to-understand summaries. Therefore, consider highlighting – and succinctly conveying – major points with only as much detail as needed to clarify and support internal audit’s findings. These major points should be mutually exclusive and collectively exhaustive (MECE), which means they should stand alone and, together, present the complete picture. This allows internal audit to integrate the findings and recommendations in a way that conveys the total picture.  

        In summary, internal audit can improve the quality of audits and relationships with clients by adhering to a few basic principles. Convey the idea that internal audit wants to help, treat clients respectfully, and keep the audience in mind when writing and presenting the audit report.  

        Employee Engagement in 2021: What’s Feedback Got to Do With it?

        The definition of “feedback” in the Merriam-Webster dictionary is: “the transmission of evaluative or corrective information about an action, event, or process…”[1] As auditors, we should be great at this. We constantly give and receive feedback on our work through review notes. We should be masters of feedback!

        But are we?

        It doesn’t take much searching on the internet to find articles related to the latest and greatest team members in offices across the United States. Individuals from the Millennial and “Gen Z” demographics make up a growing percentage of the workforce, and research suggests that they want more feedback from their employers.

        They aren’t alone. Lately, it seems that everyone would like more feedback. As a result, human resource departments have developed new strategies, such as upward, downward, anonymous and 360-degree performance feedback.

        But employees don’t just want to receive more feedback; they also want it to be timely and constructive. To assist companies in meeting these expectations, HR software companies offer tools designed to generate feedback in real-time. For example, after giving a presentation, their systems allow you to send a request for immediate feedback using an app!

        Many of us in leadership positions are expected to attend classes about how to give feedback, how to receive feedback and how to be candid with team members. In these classes we are taught opening phrases like: “Is now a good time for me to give you feedback?” We’re also told to “mirror” what we hear when we receive feedback by asking questions like: “Did I hear you say that I need to work on my communication skills?”

        There is a plethora of books, articles and business journals full of information about better ways to give feedback. You may have picked up books along the way to help you have “Crucial Conversations,” maintain “The Growth Mindset” to fulfill your potential or discover how “The Feedback Imperative” will speed up your team’s success. These books provide specific tools to improve communication, stay open-minded and build resilience that is essential for living up to our potential. This is just a small sample of the resources available on this topic.

        The 2017 State of the Global Workplace report[2] by Gallup lists six broad changes that organizations need to make to attract and retain the newest U.S. workforce generation. Two of these focus on feedback and emphasize the need to transition from a “boss” to a “coach” and from having “an annual review” to holding “ongoing conversations.”

        Not long ago, a “60 Minutes” episode featured Bridgewater, the world’s largest hedge fund, which was founded by Ray Dalio. Mr. Dalio decided to build his company around a commitment to “radical transparency.” His book, “Principles,” is centered around this idea and offers 210 prescriptions for work and life. He believes that the way to be successful is to see the world clearly, no matter how positive or negative the reality is.

        Every meeting at Bridgewater is videotaped and archived. These tapes are made available for all team members in the company to view in their “Transparency Library.” Employees are also able to score their colleagues in real time on an iPad after calls, meetings or other interactions. Bridgewater calls these real-time ratings a “baseball card.” Its intent is to hold each individual accountable for who they really are.

        Because of his organization’s extreme stance on feedback, Dalio admitted that 30 percent of new hires leave within 18 months. But those who value the transparency and honesty stay.

        Since research indicates that people want more frequent and robust feedback, our job, as the individuals responsible for employee engagement, is to help our team members get better at giving and receiving feedback.

        At Stinnett, we’ve been focused on culture and employee engagement since 2014. We focus on building the culture that our team members want at work. Creating core values, guiding principles and a “why” statement that are authentic to who we are has required significant effort. Our culture was not manufactured by top leadership, but was created organically, by the team and for the team. This has allowed us to build a safe environment that encourages individuals to join and stay with the organization. This year, we were thrilled to earn a spot on the Great Place to Work’s Best Workplaces in Consulting and Professional Services. [3]

        We’d like to provide you with four items that we believe must exist to make feedback work. We call these the STAR approach to feedback.

        STRENGTHS – We know our team members want opportunities to learn and grow. We also understand that an individual’s greatest opportunity for growth and success is in their areas of strength, not weakness. Providing strength-based feedback inspires next-level performance.

        As auditors, we are hardwired to review for errors. When we are reviewing the work of others, our first instinct is to look for mistakes and opportunities for improvement. Typical feedback also attempts to correct any negative behaviors or weaknesses. But research indicates that focusing on employee weaknesses doesn’t improve performance. Yes, critical feedback is sometimes necessary, but performance will be improved when feedback focuses on strengths as well as constructive criticism.

        TRUST – We believe that no matter how many books you read or what software your organization invests in, feedback is only received well when managers first build trust. If you want to influence performance, people need to know you are interested in their development as a person. There is a quote, often attributed to Theodore Roosevelt, that we reference frequently when thinking about feedback: “They don’t care how much you know, until they know how much you care.”

        Building trust begins with clarifying expectations. Each employee should be aware of their role and goals on the team or on the project, including discussions of appreciation for the employee’s strengths and the development opportunities the project brings. Once the project begins, the supervisor should check in with the employee frequently to stay abreast of their short-term priorities. This helps them see that the supervisor is invested in their day-to-day reality. Once or twice a month, managers should have a more in-depth conversation that focuses on short-term and long-term goals and priorities. This conversation deepens trust, as it is a frequent reminder that the supervisor is invested in the employee’s development and ensures that the goals set in the expectations discussion are being addressed.

        ACCOUNTABILITY – What accountability looks like in feedback is the creation of agreements. If the manager has developed trust with the employee and provided clear expectations and ongoing communication, there is an agreement made that the employee will fulfill their obligations or communicate when they can’t. When these agreements are broken, either due to lack of clear communication or unfulfilled responsibilities, both parties must acknowledge their role in the broken agreement and agree to move forward. The underlying element of trust in the relationship allows each party to move on without blame.

        RECOGNITION – In Marcus Buckingham and Ashley Goodall’s latest book, “Nine Lies about Work: A Freethinking Leader’s Guide to the Real World,” they dispel many of the accepted truths of the workplace today. Their fifth lie in the book is titled: “People Need Feedback.” Here, they argue against the theory that all people need feedback. Their research suggests that there are three theories related to feedback that are untrue. While we can’t hash out those three false beliefs in this article, they do reveal the truth that people need attention. Yes, feedback is attention. But Buckingham and Goodall argue that positive attention is 30 times more powerful than negative attention in creating high performance. The end goal should be to pay attention to what is working and help people build on it. Giving recognition and appreciation might be the most underused tool for increasing engagement and wellbeing.

        Based on Gallup’s State of the Global Workplace report, employees in today’s workforce expect their managers to coach them. If you want employees who are engaged and high performing, we challenge you to utilize the STAR approach to feedback. Know and understand your employee’s STRENGTHS to create a field of inclusion and celebrate differences. Ensure you provide an environment of TRUST. Use ACCOUNTABILITY to promote a culture of reliability, and provide appropriate positive RECOGNITION and appreciation to increase positive energy across your entire team.
         
        Further Reading:

        • “Crucial Conversations: Tools for Talking When Stakes Are High,” by Kerry Patterson, et al.
        • “The Feedback Imperative: How to Give Everyday Feedback to Speed Up Your Team’s Success,” by Anna Carroll
        • “The Growth Mindset: A Guide to Professional and Personal Growth,” by Joshua Moore and Helen Glasgow
        • “Nine Lies About Work: A Freethinking Leader’s Guide to the Real World,” by Marcus Buckingham and Ashley Goodall
        • “Principles: Life and Work,” by Ray Dalio
        • “StrengthsFinder 2.0,” by Tom Rath

        References

        1. “Feedback.” Merriam-Webster.com Dictionary, Merriam-Webster, https://www.merriam-webster.com/dictionary/feedback. Accessed 22 Jun. 2021.
        2. Gallup. State of the Global Workplace. Gallup Press, December 2017.
        3. Great Place to Work. “Working at Stinnett & Associates.” (Certified Oct 2020-Oct 2021 USA). Great Place to Work®, www.greatplacetowork.com/certified-company/7022171.

        Providing Value in the World of College Athletics

        Many institutions have an athletics department (Division I, II or III), which presents a myriad of challenges for both institutional administrators and auditors. In addition to the traditional “big three” risks for athletics departments (student-athlete recruiting, financial aid and eligibility), societal pressures have created a plethora of dynamic risks:  

        • Name, Image and Likeness (NIL) – National Collegiate Athletics Administration (NCAA) regulations will now allow student-athletes the opportunity to make money from their name, image or likeness. With this new opportunity come potential risks like: (a) gauging fair market compensation for athletes who are contracted under NIL, (b) agent participation and regulation, and (c) differences in contracts for alcohol and gambling at private versus public schools.
        • Knight Commission Guidance – This is a commission of university presidents, former athletic directors and other leaders. Risks are related to changes in their guidance in December 2020, which included recommending that:
          • A new entity be created, independent of the NCAA and funded by the College Football Playoff Committee (CFP), to oversee football in the Football Bowl Subdivision (FBS) and manage all related issues (e.g. athlete education, health and safety, revenue distribution, litigation, eligibility and enforcement).
          • The NCAA continues to govern all other sports, including football in the Football Championship Subdivision (FCS) and men’s basketball, under a reorganized governance system that would establish equal voting representation for all Division I conferences.
          • The NCAA and the new FBS football entity adopt governing principles to “maintain college athletics as a public trust, rooted in the mission of higher education” and prioritize student athletes’ education, health, safety and success. [1]
        • COVID Relief – Many institutions received federal funds from the Coronavirus Aid, Relief, and Economic Security (CARES) Act. Risks associated with CARES relief include providing funding to student athletes who are ineligible and using money to upgrade athletic facilities. 
        • Financial Pressures Due to the COVID-19 Pandemic – The financial risks associated with the COVID-19 Pandemic include: a) loss of ticket revenue, b) increased financial aid obligations due to the NCAA granting athletes an extra year of eligibility, and c) potential increase of operational expenditures due to the need for more cleaning staff, contact tracing and testing.
        • Student-Athlete Health – Potential student athlete health risks may be physical, arising from overtraining or unsafe practicing, or mental, due to academic and athletic pressures.
        • Vaccine Distribution – There is concern over the equity of vaccine distribution and whether athletes and coaches will be prioritized over other populations.
        • Donor Compliance – The athletics department must utilize funds in accordance with donor restrictions. Additionally, donors may put pressure on the institution’s administration to retain unpopular coaches, not move to a desired conference, play or not play a particular rival, or change longtime traditions.
        • Concession Vendors – The athletics department may not always receive its agreed-upon share of revenues from third-party concession contracts.
        • Construction Audits – Construction projects generate significant capital expenditures and may encounter contract compliance issues.
        • Conflict of Interest – Coaches may not report all camps for which they are compensated.
        • Minors on Campus – Minors coming onto campus for athletics camps must be protected from physical, sexual and mental abuse. 
        • Athletics Fees – The athletics department should be compared to its conference/national peers to determine how fees are utilized and reported. [2] 
        • Team Roster Management – Due to new rules, student athletes may transfer without any penalties.

        So Where Does Internal Audit Begin?

        Develop Relationships with Key Stakeholders in Athletics

        • Work on your relationship with the school’s Athletics Compliance Office (ACO). Ideally, aim to meet with the ACO at least once a quarter. This may be a challenge and will likely take a considerable amount of effort. To achieve this goal, let them know how it benefits them. For example, identify opportunities for improved controls that are not only more effective, but also more efficient for the ACO to monitor.  
        • Set up a periodic meeting with the Athletic Director (AD) to determine if there are emerging risks or current areas of concern. 
        • Talk to your institution’s athletics academic staff to gain insight into potential risk areas around eligibility and financial aid. This discussion may include staff members from the Offices of the Registrar, Admissions and Financial Aid. 

        • Have conversations with coaches and student-athletes to gain insight into additional risks. For example, it may become apparent that the institution lacks adequate athletics compliance training.
        • Finally, it is vital to build a relationship with the school’s faculty athletic representative and, if possible, obtain a seat within the school’s athletic council. 

        Use Other Athletic Resources

        • Contact ACUA members who have athletics departments or reach out to institutional audit shops within your athletic conference. Keep abreast of collegiate information through newspaper sites (e.g. local or large city newspapers) and other sports media (e.g. ESPN and Yahoo). These sites may provide straightforward explanations of new NCAA regulations.
        • Periodically refer to the following online resources. They may be helpful in identifying significant risks to your institution:
        • ACUA also has valuable resources available:
          • NCAA Compliance: Eligibility, Financial Aid, and Recruiting Kick Starter
          • NCAA Division I and II compliance audit guides

        Tools for Athletics Work

        Auditing athletics compliance through the use of athletics compliance software (ACS) can help to automate the process. Many athletics compliance departments use Front Rush ACS to help manage their athletics compliance activities. Internal audit may explore utilizing their athletics compliance department’s ACS, which has the following benefits: 

        • Athletics compliance will not need to use additional resources to provide documentation for audits.
        • Internal Audit can assist with some of the work required of athletics compliance. 
        • Internal Audit may identify gaps in internal controls and provide ideas for increasing effectiveness.

        Additionally, NCAA Compliance Assistant assists athletics administrators with the management of student-athlete information to ensure compliance with NCAA regulations. This tool houses information on financial aid, eligibility and roster sizes, and may be downloaded and utilized by Internal Audit for analytical testing.

        Data Analytics

        As previously mentioned, data may be downloaded from NCAA Compliance Assistant, student information systems (e.g. Banner) and the institutional financial system. Consider performing the following procedures:

        • Test individual and team equivalencies with financial aid data. This may include working with Financial Aid and the ACO to obtain information on cost of attendance and aid not counted as athletic aid.
        • For eligibility testing, you may use the student information system to find courses where larger pools of athletes are enrolled. Subsequently, test their grades against the general student population for those courses.    
        • Compare student-athlete rosters in NCAA Compliance Assistant to student-athlete rosters in the student information system.
        • Within the student information system, review incoming freshmen and transfer admissions data to determine if student-athletes are admitted in accordance with institutional standards. Assess the validity of exceptions granted to student-athletes for admission after stated deadlines.
        • Download financial data for athletics and compare with previous year(s) to determine if there are significant variances and whether the variances are reasonable. 
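
The roster comparison, grade comparison and year-over-year variance procedures listed above can be scripted once the data is exported. The following Python is an added example, not part of the original article: the column names, the sample rows, the 50% athlete-enrollment share and the 25% variance threshold are all constructed assumptions, not the real export format of NCAA Compliance Assistant or of any student information or financial system.

```python
import csv
import io
from collections import defaultdict
from statistics import mean

# Constructed sample exports. Column names are assumptions for illustration only.
COMPLIANCE_ROSTER = """student_id,sport
1001,Soccer
1002,Soccer
1003,Track
1005,Track
"""
SIS_ROSTER = """student_id,sport
1001,Soccer
1002,Soccer
1004,Track
1005,Soccer
"""
GRADES = """course,student_id,is_athlete,grade_points
KIN101,1001,Y,4.0
KIN101,1002,Y,4.0
KIN101,1003,Y,3.7
KIN101,2001,N,2.7
KIN101,2002,N,3.0
ENG200,1005,Y,3.0
ENG200,2003,N,3.0
ENG200,2004,N,3.3
ENG200,2005,N,2.7
"""
LEDGER = """account,prior_year,current_year
Ticket revenue,500000,120000
Team travel,200000,210000
Testing and cleaning,0,85000
"""


def read_rows(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile_rosters(compliance_rows, sis_rows):
    """Compare the compliance roster to the SIS roster by student ID."""
    comp = {r["student_id"].strip(): r["sport"].strip() for r in compliance_rows}
    sis = {r["student_id"].strip(): r["sport"].strip() for r in sis_rows}
    shared = comp.keys() & sis.keys()
    return {
        "only_in_compliance": sorted(comp.keys() - sis.keys()),
        "only_in_sis": sorted(sis.keys() - comp.keys()),
        "sport_mismatch": sorted(i for i in shared if comp[i] != sis[i]),
    }


def athlete_grade_gaps(grade_rows, min_athlete_share=0.5):
    """For courses where athletes make up at least min_athlete_share of the
    enrollment, return (course, athlete mean minus non-athlete mean)."""
    by_course = defaultdict(lambda: {"Y": [], "N": []})
    for r in grade_rows:
        group = "Y" if r["is_athlete"].strip().upper() == "Y" else "N"
        by_course[r["course"]][group].append(float(r["grade_points"]))
    gaps = []
    for course, groups in sorted(by_course.items()):
        athletes, others = groups["Y"], groups["N"]
        if not athletes or not others:
            continue  # no comparison population in this course
        if len(athletes) / (len(athletes) + len(others)) < min_athlete_share:
            continue
        gaps.append((course, round(mean(athletes) - mean(others), 2)))
    return gaps


def flag_variances(ledger_rows, threshold=0.25):
    """Return accounts whose year-over-year change exceeds the threshold.
    Accounts with no prior-year baseline are flagged with a change of None."""
    flagged = []
    for r in ledger_rows:
        prior, current = float(r["prior_year"]), float(r["current_year"])
        if prior == 0:
            if current != 0:
                flagged.append((r["account"], None))
            continue
        change = (current - prior) / prior
        if abs(change) > threshold:
            flagged.append((r["account"], round(change, 2)))
    return flagged


if __name__ == "__main__":
    print(reconcile_rosters(read_rows(COMPLIANCE_ROSTER), read_rows(SIS_ROSTER)))
    print(athlete_grade_gaps(read_rows(GRADES)))
    print(flag_variances(read_rows(LEDGER)))
```

Each flagged item is a starting point for inquiry with the ACO, the Registrar or the athletics business office, not a finding on its own.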

        Conclusion

        We know the world of college athletics is important and makes significant contributions to our colleges and universities. These contributions include increases in donations, financial aid, brand recognition and camaraderie. However, these benefits and financial commitments are accompanied by additional risk. As Yogi Berra once said: “The future ain’t what it used to be.” By helping our colleges and universities address the risks of college athletics, Internal Audit has the opportunity to be creative, stay ahead of the curve and provide value.

        References

        1. Andrews, Katlyn (Dec. 17, 2020). Knight Commission report – key implications of a FBS and NCAA split. Baker Tilly. From: https://www.bakertilly.com/insights/knight-commission-report-key-implications-of-a-fbs-ncaa-separation
        2. Connect ACUA e-mail (Dec. 10, 2020), Re: Athletics Brainstorming, Summary by Brian Daniels. 

        Note: My sincere thanks to members of the ACUA College and University Journal editorial staff (Jackie Pascoe, James Merritt and Paul Harris) for their editorial contributions.