Using Microsoft Teams to Facilitate Internal Audit Teamwork

Introduction

There are many options for internal auditors who wish to improve the automation of processes that support audit administration, completion and follow-up. However, access to those options is contingent upon the financial resources available to the internal audit function. When those resources do not exist, or are truncated, options become limited. This often results in the internal audit function either using paper records (egads!) or word processing and electronic spreadsheet files organized into folders. Neither of these methods results in improved efficiency, implementing best practices or improved client interactions.

At Northern Arizona University (NAU), we used a cloud service provider for our audit administration work for several years. Although this method was affordable and met our basic documentation needs, it offered no great strides forward for our audit team. Before the pandemic, we decided to take advantage of our corporate SharePoint license and began building a knowledge repository to help organize our records and reduce our carbon footprint. After studying several use cases from other internal audit departments, we began working on our own SharePoint prototype.

And then the pandemic forced us to change our plans. Funding was slashed, and the university moved to a remote work environment. With reduced resources, we decided to put our plans on hold and move to SharePoint Online. As audit projects were delayed, we invested time in learning as much as we could about the new functionality available in SharePoint and Microsoft Teams (MS Teams).

In this article, we will share how we have used this knowledge to implement MS Teams as our new and much improved audit administration system, iTEAMS (Internal Audit Team Engagement Audit Management System).1 Although we have already made numerous improvements, our team meets quarterly to review what we’ve learned and identify ways to mature our processes.

Our approach has helped us achieve our objectives for automated audit administration, including:

  • Improving and documenting client interaction by reducing the need for tracking and documenting emails, video and other project-related communications.
  • Organizing project documentation in a secure and easy-to-use interface, with the ability to control individual access and allow for sharing and collaboration on individual documents.
  • Automating the audit administration process so team members can focus on their engagements.
  • Ensuring the system is available anywhere we have internet access.
  • Prioritizing opportunities for improvement as they are identified.

Project Set-Up

Throughout an audit, we use many MS applications, including Excel and Word. Because MS Teams and SharePoint are well-integrated, we’ve been able to use the features in MS Teams to link directly to source templates that are housed in the policy section of our SharePoint website (e.g., Excel and Word templates). This helps to ensure that we consistently use the latest versions of our audit templates. We have also leveraged the following features: 

  • Tasks by Planner and To-Do: This is a flexible tool to organize tasks not only for the Internal Audit Team, but for the client as well. It offers features like categorized scheduling and a calendar and allows users to attach files directly to a task (see Figure 1).
  • Document Library: This links directly to the SharePoint site that houses our policies, procedures and templates. Metadata added to these document libraries is also helpful for documenting and tracking audit plan status.
  • Request Sign-Off Flow: This provides the capability to route the preparer’s work to the reviewer in SharePoint with a documented approval workflow.
Figure 1
Improvement Opportunities Tracking and Task for Review Process

MS Teams makes use of posts and file sharing as a means of helping teams stay connected and organized. For each project, we create a separate “Team” within MS Teams. Each team originates with a General Channel, which we use for client communication and file sharing using the Posts and Files tabs that are created by default.

  • The Posts Tab allows for communication among all members of the Team and is great for capturing client input directly related to the project.
  • The Files Tab is an area where folders and files can be housed to organize documents provided by and shared with the client. 

This approach not only supports client collaboration and communication in a single place (instead of relying on copious daily emails), but also serves to document those communications and files. Files can also be hyperlinked to support other work papers (See Figure 2).

Figure 2
 

Planning, Fieldwork and Reporting

Each Team also allows for the creation of other channels, as needed. These channels can be made available to all Team members or can be restricted using Private Channels. We create and use a Private Channel, which we label “Audit Files,” to collaborate and communicate among the internal audit team, and for the storage and organization of the project working papers. Since we use templates throughout our audit engagement, we use the copy feature from the MS Teams template to quickly set up the tabs for each channel, as shown in Figure 3 below: 

Figure 3
General Channel (See also Figures 2 and 5):
  • Posts: Client Communications
  • Files: File Sharing with Client
  • Tasks: Tasks App for various tasks
  • Welcome: Word template that welcomes clients and provides instructions for Team use
  • Agenda: Word template for Entrance Conference meeting agenda

Private Channel: Audit Files (See also Figure 4):
  • Statement of Independence: Excel template that tracks audit team conflict of interest reporting for the project
  • Audit Sections: Word template that summarizes the audit sections with links to the supporting work paper files
  • Improvement Opportunities: Word template that summarizes all identified audit findings and follow-up with client
  • Team Assignments: Word template that identifies each team member’s responsibilities and tasks
  • Review Notes: Word template that contains supervisory review notes and related follow-up or clearance activities

The Private Channel, “Audit Files,” is structured by project section, as shown in Figure 4.

Figure 4
This example shows the project file structure in Teams in a private channel. Private channels are identified with a lock icon to the right of the channel name. The Team administrator controls Team access. By default, all members added to the project Team have access to everything but private channels. Members must be granted Private Channel access by the administrator.
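The access model described above (everyone on the project Team sees the General Channel; only explicitly added members see the private “Audit Files” channel) can be provisioned and verified from PowerShell. The script below is an added example, not NAU’s own tooling; it assumes the MicrosoftTeams PowerShell module, Teams administrator rights, and placeholder team and user names.

```powershell
# Added example (not NAU's script): provision one engagement Team with a private
# "Audit Files" channel and confirm that only audit staff can see it.
# Assumes the MicrosoftTeams module; every name and address below is a placeholder.

Connect-MicrosoftTeams

$auditors = @('auditor1@example.edu', 'auditor2@example.edu')   # internal audit staff (placeholders)
$clients  = @('client.lead@example.edu')                        # auditee contacts (placeholders)

# 1. Create the engagement Team as Private so members must be added explicitly.
$team = New-Team -DisplayName 'Audit 2022-01 Example Department' -Visibility Private `
                 -Description 'Engagement workspace; the General channel is shared with the client.'

# 2. Add auditors and client contacts; all of them see the General channel (Posts, Files).
foreach ($u in ($auditors + $clients)) {
    Add-TeamUser -GroupId $team.GroupId -User $u -Role Member
}

# 3. Create the private working-paper channel and add only the audit staff.
New-TeamChannel -GroupId $team.GroupId -DisplayName 'Audit Files' -MembershipType Private | Out-Null
foreach ($u in $auditors) {
    Add-TeamChannelUser -GroupId $team.GroupId -DisplayName 'Audit Files' -User $u
}

# 4. Verify: list private-channel members and warn if any client address has access.
$channelUsers = Get-TeamChannelUser -GroupId $team.GroupId -DisplayName 'Audit Files'
$leaks = $channelUsers | Where-Object { $clients -contains $_.User }
if ($leaks) {
    Write-Warning "Client accounts have Audit Files access: $($leaks.User -join ', ')"
} else {
    Write-Output "Audit Files members: $($channelUsers.User -join ', ')"
}
```

Step 4 is the part worth keeping as a periodic check: re-running `Get-TeamChannelUser` against the list of client contacts catches a client who was later added to the private channel by mistake.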

Due to the configuration of the General Channel, Posts is the default screen that will pop-up when clicking on a Team, which we use to direct the client to the Welcome tab. The Welcome tab is a word template that helps demonstrate to the client the benefits of using MS Teams for audit management. It also provides instructions to help those clients not familiar with MS Teams and establishes the expectation for the use of MS Teams during the audit. Files provided by the client in the General Channel can be linked to, or easily moved to, the Audit Files Private Channel (see Figure 5).  

Figure 5

For reporting, we share all initial draft reports through posts in the General Channel. However, we issue final reports through official email communication and store copies of those emails in the private channel Reports Folder. We also track all issued reports in a separate SharePoint document library that includes metadata for tracking when reports are due for presentation to the Board of Regents, the number and nature of improvement opportunities in each report, the type of audit conducted (compliance, financial or integrated) and other details (see Figure 6).

Figure 6
SharePoint Audit Report repository showing view by audit plan year.


Supervisory Review and Improvement Opportunity Tracking

For quality assurance, we use a word template to track review notes. A SharePoint workflow initiates review by folder and audit program step and applies a pending or approved status as metadata for each folder (as shown by the sign-off status columns next to each file folder in Figure 4).

To track improvement opportunities in real time, we use a word document that mirrors our audit report. When an improvement opportunity is identified, the document is made available as a tab in the General Channel for client review and feedback. This template also helps the client see the details and layout of improvement opportunities (e.g., condition, cause, etc.) to improve buy-in and limit surprises during reporting. This template is also used to document discussions with the client. Once client review is complete, the Improvement Opportunities are moved back to the Private Channel.

As we continue to mature the use of MS Teams and SharePoint, we hope to create a process for audit follow-up as well.

Limitations

As with any electronic tool, adjustments will always be needed. For MS Teams, we have encountered the following limitations:

  • Only nine attachments can be included in Tasks.
  • Anyone assigned to the task must reply to the comments section to be notified of future comments.
  • Lag time may exist due to the Cloud structure and network bandwidth.
  • MS Teams provides access to many applications that help with building processes and workflows, but there is no easy way to identify which applications the university has purchased. It is important to understand this before committing to a specific application within MS Teams. However, the Excel, Word and Calendar applications are default MS Teams applications available to all users.
  • Requesting sign-off cannot be done directly in MS Teams; it first requires that users log into SharePoint.
  • Tasks by Planner and To-Do are only available in the General Channel; such task management is not available in the Private Channel.
  • While we created an audit project template to initiate the creation of new project teams, only the Team structure can currently be copied from a template. Embedded files in the template do not transfer.
  • Most clients like the use of MS Teams for audit interactions. However, clients don’t use it continuously, so it cannot completely replace email communication. An email can, however, be dragged directly from Outlook into the Team files in both General and Private channels.

Conclusion

MS Teams and SharePoint offer a lot of functionality and, with some training, they can be set up fairly easily. Larger audit teams may find it useful to work with PowerApps or other related tools to establish more edit controls, including workflow and document locking. If your organization is already using MS Teams and SharePoint, building out this functionality is unlikely to require license fees for third-party audit administration and documentation systems. If you are going through a similar transformation, please reach out to us for additional details and to share what you’ve learned and applied. Collaboration will help us all continue to improve!


References

1 We will be presenting this approach at ACUA Interactive on Tuesday, March 29th in greater detail.

Creating an Intentional Culture of Inclusiveness: A Conversation with ACUA Leadership on Diversity and Inclusion

For many, 2020 will long be remembered as a year of reckoning and change in the U.S., marked by a global pandemic, an economic crisis, political unrest and racial tension. In response to a year like no other, ACUA’s President, Julia Hann issued a call for volunteers on July 2, 2020 as ACUA prepared to launch its first-ever Diversity and Inclusion Leadership Committee. In her note to the ACUA family, Julia stated that “the board is deeply committed to examining our core values and making sure inclusivity, respect, appreciation and embracing our differences is part of our foundation as an association,” and that the board wants “to ensure ACUA is welcoming to everyone.”

Within weeks, the call was answered. Approximately 15 members convened at the initial meeting. The group began by exploring the definition of diversity and inclusion (D&I) and identifying the committee’s goals and objectives. As the conversation unfolded, it was clear that D&I is a multi-faceted construct that extends beyond gender and race. It continues to gain importance as consumers hold organizations accountable for creating a measurable culture of inclusivity.

ACUA conducted a baseline membership survey and identified ACUA’s membership demographics are approximately 55% female and 41% male, with 4% providing no response or preferring not to answer. In terms of race, 67% of the members identified as white (not Hispanic or Latino), 12% Black or African American, 7% Asian, 6% Hispanic, Latino, or of Spanish origin and 1% Native American. The remaining 7% identified as multiracial or preferred not to answer. The survey also explored other aspects of diversity including age, religion, ACUA volunteerism and the size and location of members’ institutions.

A 2020 study published by McKinsey & Company, a global management consulting firm, found that “the greater the representation, the higher the likelihood of outperformance and the likelihood of outperformance continues to be higher for diversity in ethnicity than for gender.”[1] In addition, studies show that D&I committees are most successful when leadership is on board with the initiative. Therefore, the work of the committee, in collaboration with the board, includes examining how to use this information to identify and shape ACUA’s strategic priorities and desired outcomes. During the board meeting, Deidre Melton, D&I Committee Chair, detailed the committee’s conversation in order to gain insight on how ACUA leadership ranks the importance of D&I work and what they expect to gain by creating the sub-group. The board spoke candidly on the topic as reflected in the summary below.

Q: When you hear the words “diversity and inclusion,” what does that mean to you?

A: Taking different viewpoints, membership needs and perspectives into consideration. Allowing all voices to be heard, while making room at the table and creating a safe space. Proactively supporting a platform and opportunities (in the structures and processes of the organization) for people from different groups or backgrounds, including those who have been excluded.

A: Accepting all people, irrespective of group affiliation. Willingness to listen to and acknowledge our differences in order to confront issues that create barriers to addressing and eliminating bias.

A: There are many different aspects of diversity, but inclusion comes first. How do we ensure we welcome everyone who wants to be involved? Once people feel included, they may be more interested in volunteering and taking on leadership positions.

Q: Why is it important for ACUA to tackle this sensitive topic as an organization and within our separate institutions?

A: We don’t know what we don’t know, and we owe it to our membership to be intentional about ensuring that all members feel included, supported and valued, and to make sure they can participate as much as they want to.

A: Higher education is sensitive to the cultural climate; therefore, this topic is important to our campus communities. Not every university offers training on D&I, but ACUA is positioned to train our members, offer education and provide resources.

A: We had more questions than answers and felt like we had a lot of growing and learning to do. We recognized possible issues, but also knew we needed help.

 A: As this is an important topic for everyone, for our growth as an organization and as individuals, we need to create processes and protocols that will support this issue. We need to act, not just put out a statement: walk the walk, not just talk the talk!


Q: What are some of the most beneficial things that can move the needle on inclusion or shift the culture within ACUA?

A: Being proactive and intentional with our plans to put this initiative at the top of the priority list for everything we do. Practicing [inclusivity] until it is second nature and an embedded part of our processes, planning and programming.

A: Adding D&I training at all levels, including the board, committees, members and volunteers. It should also be included as part of the volunteer recruitment process.

A: Building a future speaker’s program to help increase speaker diversity at our conferences and webinars.

A: Push our working partners to further their diversity initiatives and raise awareness of what steps they are taking at their organizations. Focus our work with likeminded groups that prioritize D&I as well.


Q: When thinking of successful outcomes for this committee, what does that look like to you?  What activities or initiatives would you like to see the committee lead?

A: Creating an intentional culture of inclusiveness where we encourage members to speak out.

A: Offering education and resources. Assisting members in evaluating their institutional D&I programs.

A: Consultation, thought leadership and partnership with ACUA’s board and membership.

A: Diversifying speakers for conferences and webinars. Breaking the cycle of using the same people in the same way.

The conversation closed with this thought: We all have a role to play, but we need the expertise of the D&I committee to help lead the association in the right direction. As the committee’s final charter, goals and objectives take shape, the vision of creating a better tomorrow has never been clearer.


References

[1] https://www.mckinsey.com/featured-insights/diversity-and-inclusion/diversity-wins-how-inclusion-matters

Are Agency Funds Driving up Your Costs?

Universities often have many affiliated entities that call the campus home. These may include student organizations, honor societies, academic journals, professional organizations like ACUA, alumni associations and more. It is common for institutions of higher education to account for the funds of these organizations through an agency fund relationship. In his book, “University Finances: Accounting and Budgeting Principles for Higher Education,” Dean O. Smith states: 

“Agency funds come from nonuniversity sources. The University serves as custodian of these funds. Accordingly, the funds ‘flow through’ the university, with the sources that provide the funds having the sole discretion over expenditures. Agency funds are not reported as university income and expenditures, as these sources are not considered official units of the university.” To understand the true nature of agency funds and associated costs, it is important to perform a detailed review of each affiliated organization and its history. A thorough examination of your university’s agency fund budgets may reveal that affiliates are driving up overall costs and may help to identify opportunities for cost savings or recovery. The following are some areas to consider when reviewing agency fund budgets:

  1. Payroll – This includes the cost of employing individuals at the university to manage or perform work for outside organizations. In some cases, universities do not allow payroll to be charged directly to an agency fund. Instead, the outside organization must transfer money from the agency fund to the university to cover payroll costs for employees who are funded by the university. Available documentation should identify payroll costs associated with the organization and explain to what extent the university is responsible for covering salaries, fringe benefits and other costs.
  2. Administrative Fees – These may include payment processing services (accounts payable), telephone service, copying and printing charges, postage and other charges. The university may be able to recover funding by charging the affiliated entity for various administrative items currently provided at no cost.
  3. Rent – Affiliated entities which list a campus address as their business address often operate within university facilities. Depending on the nature of the organization, they could be utilizing more than just office space. Sports camps, for example, which tend to operate as LLCs run by coaches, require the use of athletic facilities.
  4. Risk Management and Legal Liability – Management should consider whether affiliated organizations bring additional risk exposure to the university. This assessment depends on the type of organization and the liability associated with its activities. For example, if an individual is injured on campus while participating in an affiliated entity’s programming, is your university liable?
  5. Overdrafts – During periods of economic downturn, these types of organizations often struggle and could be operating at a deficit, which the university may ultimately need to cover. Budget administrators should review the budgets of affiliated entities for which they have oversight to ensure the entity’s deposits fully cover their expenditures. In the case of recurring overdrafts, the university should consider terminating the agency fund relationship. Alternatively, the university can develop a payment plan and invoice the affiliated entity. 

Affiliated entities provide many positive experiences for students and employees. However, the agency fund relationship can result in excessive costs to the university if proper controls and oversight are not in place. Internal auditors are uniquely qualified to provide management advisory services regarding these kinds of relationships. Such reviews may help to enhance efficiency and identify costs that may be weighing on the university’s finances.

Auditing Pandemic Relief Funds: A Uniform Guidance Approach

Since March of 2020, many colleges and universities have been fortunate to receive millions of dollars of COVID-19 federal aid in the form of Higher Education Emergency Relief Funds (HEERF I, II and III), Coronavirus Relief Funds (CRF), Governor’s Emergency Education Relief Funds (GEER) and Federal Emergency Management Agency (FEMA) grants. Internal audit departments play an integral role in verifying compliance with the terms and conditions for each program, especially prior to the final report submission and before the arrival of external auditors. However, each program has unique allowability, timing and reporting requirements which can be challenging to audit.

Non-federal entities that expend $750,000 or more in federal relief funds in one year are subject to a Single Audit, which focuses on ensuring compliance with applicable Uniform Guidance requirements. Creating an audit program based on Uniform Guidance requirements provides alignment with external auditors while testing internal adherence to program standards. The Uniform Guidance requirements most applicable to the majority of pandemic funds are outlined below, along with corresponding controls and test steps.

Activities Allowed/Unallowed and Allowable Costs/Cost Principles

The following audit procedures provide a methodology for testing federal award spending for allowability in compliance with program requirements and grant agreements:

  • Assess the design and effectiveness of the invoice review process, budget-to-actual cost comparisons and controls that detect, correct and prevent unallowable costs.
  • Select a sample of expenses and verify allowability and the existence of supporting documentation. HEERF expenses require a nexus to COVID while FEMA costs may be limited to Personal Protective Equipment (PPE). CRF expenditures must be necessary, COVID-related and not listed in the organization’s budget.
  • Review the expense descriptions in the final report and investigate any that do not appear allowable.
  • Review any payroll expenses and verify positions were substantially dedicated to COVID-related work.
  • For HEERF I student awards, verify monies were issued directly to qualifying students.

Cash Management

Federal funds must be tracked and spent on immediate needs. While cash management may only be required for funds provided by HEERF, all institutions will benefit from verifying that federal program funds are appropriately tracked. Audit procedures should include the following:

  • Determine whether the accounting method used to track the receipt and expenditure of funds is reasonable and consistent.
  • Confirm that there is an appropriate level of supervisory review over the cash management process.
  • Run a transactions report and compare it to program reports for completeness and accuracy.
  • Verify receipt of funds and agree amounts with the award notification.
  • Test the controls in place to prevent “double dipping” amongst other pandemic funds.
  • Verify a sample of expenses for the existence of approvals prior to purchase.

Matching and Earmarking

Matching pertains to a specified percentage of funds allowed to be used towards particular expenditures, while earmarking is the minimum or maximum spending permitted on specified activities. To test these requirements for HEERF programs:

  • Inquire how funds are tracked in the accounting system and whether there is an appropriate level of supervisory review of the matching and earmarking requirements.
  • Verify student spending met the minimum requirements, as follows:
    • HEERF I – at least 50% of the institution’s allotment.
    • HEERF II – the same amount issued to students as in HEERF I; for-profit institutions must use 100% of their allotment on student grants.
    • HEERF III – at least 50% of the institution’s allotment; for-profit institutions must use 100% of their allotment on student grants.

Period of Performance

Federal funds must be used only during the authorized period of performance, which varies by fund. Note that extensions may apply. Audit procedures may include the following activities:

  • Determine if there are controls in place to prevent expenditures outside the specified period, such as:
    • Accounting system limits
    • Review of disbursement dates and cut-offs
    • Timely management review of budget-to-actual reports
  • For a sample of transactions, review invoices and other support to verify the occurrence of the expenditures during the period of performance.
  • Review the dates of expenditures on the final report for appropriateness.

Reporting

Federal funds must be reported timely and accurately based on program requirements. Reporting may be financial or performance-based. Financial reporting captures program expenditures as prescribed, while performance reporting shares how goals and objectives were met. Consider performing the following procedures:

  • Obtain the reports for each reporting period and verify they were submitted timely. For HEERF, verify your institution’s website included all the required public disclosures.
  • Ensure reported amounts agree with the general ledger and accounting system records.
  • Verify that the correct accounting method (cash or accrual) was utilized.
  • Confirm required supporting documentation was submitted in the appropriate format.
  • Ensure that the reports were appropriately reviewed prior to submission.
  • Review CRF performance reports to ensure the underlying data agrees with the financial reports and stated achievements and that it accurately reflects progress towards goals.
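Three of the test steps above (the Cash Management “double dipping” check, the Period of Performance date review, and the Reporting step that agrees reported amounts to the general ledger) can be run as analytics over a ledger export rather than only on a sample. The script below is an added example, not part of the article; the ledger rows, the periods of performance and the reported totals are constructed placeholders, not real program dates or institutional data.

```python
"""Added example (not from the ACUA article): three ledger-level checks an
internal auditor can run over pandemic relief fund transactions:

  1. expenditures dated outside a program's period of performance,
  2. "double dipping": one invoice charged to more than one relief fund,
  3. reported program totals that do not agree with the ledger.

All ledger rows, periods and reported amounts are constructed placeholders.
"""
from collections import defaultdict
from datetime import date

# Constructed sample ledger export: one row per transaction.
LEDGER = [
    {"id": "T1", "fund": "HEERF", "invoice": "INV-100", "amount": 12000.00, "date": date(2021, 3, 15)},
    {"id": "T2", "fund": "CRF",   "invoice": "INV-101", "amount": 5400.00,  "date": date(2020, 12, 20)},
    {"id": "T3", "fund": "CRF",   "invoice": "INV-102", "amount": 800.00,   "date": date(2021, 1, 15)},
    {"id": "T4", "fund": "FEMA",  "invoice": "INV-100", "amount": 12000.00, "date": date(2021, 3, 15)},
    {"id": "T5", "fund": "HEERF", "invoice": "INV-103", "amount": 3000.00,  "date": date(2021, 6, 1)},
]

# Constructed periods of performance (placeholders; take the real dates from each award).
PERIODS = {
    "HEERF": (date(2020, 3, 13), date(2022, 6, 30)),
    "CRF":   (date(2020, 3, 1),  date(2020, 12, 31)),
    "FEMA":  (date(2020, 1, 20), date(2022, 12, 31)),
}

# Constructed totals as submitted on each program's financial report.
REPORTED = {"HEERF": 15000.00, "CRF": 5400.00, "FEMA": 12000.00}


def outside_period(ledger, periods):
    """Return ids of transactions dated before the start or after the end of
    their fund's period of performance (funds with no known period are skipped)."""
    flagged = []
    for row in ledger:
        window = periods.get(row["fund"])
        if window is None:
            continue
        start, end = window
        if not (start <= row["date"] <= end):
            flagged.append(row["id"])
    return flagged


def double_dipped(ledger):
    """Map each invoice charged to more than one fund to the sorted list of
    funds it was charged to; an empty dict means no double dipping was found."""
    funds_by_invoice = defaultdict(set)
    for row in ledger:
        funds_by_invoice[row["invoice"]].add(row["fund"])
    return {inv: sorted(funds) for inv, funds in funds_by_invoice.items() if len(funds) > 1}


def reconcile(ledger, reported):
    """Compare ledger totals per fund with the reported totals; 'difference'
    is ledger minus reported, rounded to cents."""
    totals = defaultdict(float)
    for row in ledger:
        totals[row["fund"]] += row["amount"]
    result = {}
    for fund in sorted(set(totals) | set(reported)):
        ledger_total = round(totals.get(fund, 0.0), 2)
        reported_total = round(reported.get(fund, 0.0), 2)
        result[fund] = {
            "ledger": ledger_total,
            "reported": reported_total,
            "difference": round(ledger_total - reported_total, 2),
        }
    return result


def run_checks(ledger=LEDGER, periods=PERIODS, reported=REPORTED):
    """Run all three checks and return the findings as one dict."""
    return {
        "outside_period": outside_period(ledger, periods),
        "double_dipped": double_dipped(ledger),
        "reconciliation": reconcile(ledger, reported),
    }


if __name__ == "__main__":
    for check, finding in run_checks().items():
        print(f"{check}: {finding}")
```

On the constructed data the run flags T3 (a CRF charge dated after that fund’s period ended), invoice INV-100 charged to both HEERF and FEMA, and a CRF ledger total that exceeds the reported total by the same 800.00 that was charged out of period. Each finding is a starting point for pulling the invoice and approval support, not a conclusion on its own.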

Subrecipient Monitoring

All pandemic relief funds are also subject to Uniform Guidance requirements related to subrecipient monitoring, where applicable. Testing should be designed for programs or areas where subrecipients are utilized.

Conclusion

By aligning pandemic fund audit programs with Uniform Guidance compliance requirements, you can test program requirements and add value by addressing areas that will be covered during the Single Audit. This model also saves time, as it can be applied to all pandemic funding programs.

The Uniform Guidance sections applicable to each program are summarized below:

Uniform Guidance section                  HEERF              CRF           FEMA          GEER
                                          CFDA 84.425 E,F    CFDA 21.019   CFDA 97.036   CFDA 84.425C
Activities Allowed or Unallowed           Y                  Y             Y             Y
Allowable Costs/Cost Principles           Y                  Y             Y             Y
Cash Management                           N                  N             N             Y
Matching, Level of Effort, Earmarking     Y                  N             N             Y
Period of Performance                     N                  Y             Y             N
Reporting                                 Y                  Y             Y             Y
Subrecipient Monitoring                   Y                  Y             Y             Y

Table of applicable Uniform Guidance sections.

References

Department of Education: https://www2.ed.gov/about/offices/list/ope/caresact.html

NASFAA HEERF Comparison Chart: https://www.nasfaa.org/uploads/documents/HEERF_Funds_Comparison_Chart.pdf

2 CFR Part 200, Appendix XI 2021 Compliance Supplement: https://www.whitehouse.gov/wp-content/uploads/2021/08/OMB-2021-Compliance-Supplement_Final_V2.pdf

Letter from the President

Dear ACUA Colleagues,

I hope everyone is enjoying the autumn season! Before we know it, the holidays will be rolling around.

Many of you were able to attend ACUA’s first hybrid conference: AuditCon 2021! Before discussing the conference itself, let’s pause and thank the dozens of volunteers who serve our organization so proudly. These events are incredibly difficult to pull off, even in the best of circumstances. Add in a global pandemic, and it is quite remarkable that our dedicated professionals, who have very busy lives, were able to create such a success!

This year’s AuditCon boasted a wide array of dynamic speakers who shared their knowledge on a variety of emerging and important topics. Whether you were there in person, attended virtually or are considering how best to participate going forward, this hybrid event marked a Pivot Point in our organization’s storied history. We look forward to sorting through your feedback to determine what worked well and what can be improved for next year. As we consider how to position ACUA going forward to best serve the needs of our membership, we will remain alert for additional opportunities to ensure continued success.

Lastly, a special thanks to our Immediate Past President, Patti Snopkowski of Oregon State University, for her stellar leadership in a challenging time. It will be difficult to fill her shoes, but I look forward to working with all of you in the coming months as we close out 2021 and look ahead to everything the new year holds.

Sincerely,
Brian Daniels, University of Tennessee
ACUA President

        Letter from the Editor

        Hello ACUA!

        The nights are getting longer, there’s a chill in the air and (at least here in the Northeast) the leaves are aflame with vibrant color. As the season turns, the atmosphere seems charged with possibility and excitement. With the holidays quickly approaching and AuditCon behind us, now is the perfect time to look back and reflect on all of the changes, struggles and accomplishments of this eventful year. Autumn is a time of transition, which fits perfectly with our current theme of Reflection and Transformation.

        Although the last year and a half has been tumultuous, it has resulted in a flurry of new activity within the higher education landscape. Here, our members share their thoughts about the new and evolving risks that have been brought to the forefront by this time of transformation. First, Kara Hefner details a Uniform Guidance-based approach to auditing pandemic relief funds – a topic that is surely at the forefront of many institutions’ audit plans this year! Lily Young shares her strategies for understanding the true cost of your university’s agency fund relationships, while Joseph Iannini provides professional tips and tricks for preliminary information gathering. In addition, David Terry and Kyra Castano offer their insights from Portland State University’s recent contracting and procurement services audit and discuss the benefits of co-sourcing with a trusted advisor. Finally, Todd Knowles and Diane Padgett explore key privacy regulations and risks in the first half of their Data Privacy Primer series. (Expect the second installment in our Winter issue!)

        Every issue of College and University Auditor is a direct result of contributions from our incredibly knowledgeable community. Please consider sharing your experience and expertise with us in a future issue! The journal team is ready and willing to assist in developing your ideas or fine-tuning your article. Feel free to reach out to me with questions, comments or ideas for future articles at editor@ACUA.org, or contact me by phone at (203) 218-7631.

        Many thanks to our community, and I hope you all enjoy this issue of College and University Auditor!

        Sincerely,
        Claire Thomas

        Preliminary Information Gathering (PING)

        Introduction

        One of the most challenging and time-consuming parts of an audit is drafting a well-written narrative that summarizes the significant processes and related internal controls. Factors such as client availability, lack of experience and scoping errors can contribute to the complexity of this task. This article offers a few suggestions to help navigate these common challenges.     

        The term Preliminary Information Gathering process or “PING” refers to the phase of the audit that includes drafting an initial process narrative. PING is a critical stage for the ultimate success of the engagement, as it documents the significant processes and identifies the controls to be tested. Further, conducting a robust planning process is required to meet the Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) standard 2200, Engagement Planning, which states:  
         
        “Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organization’s strategies, objectives, and risks relevant to the engagement.”


        Clarifying the Scope and Objectives

        Scoping

        The foundation of any process narrative is agreement on scope and objectives. Before addressing scope, verify the significance of the process with the client, including the estimated dollar value, volume of transactions and recent changes. During this meeting, the audit team should clarify the systems used, locations involved and process owners. Auditors should also inquire about the level of process uniformity. This will help to develop the scope and estimate the resources needed for the engagement. Depending on the type of review, you may need to ask if the client has an operational dashboard or key performance indicators (KPIs) that are used to measure success. Assessing operational metrics can provide insight into potential process issues, such as an increase in student billing errors or refunds that should be considered during the PING.    

        Objectives

        Keep the overall objective simple and high level. Using the procurement process as an example, the primary objective would be to verify that only properly authorized purchases are made, and that the complete population of purchases is accurately processed and in the proper accounting period. A secondary and broader objective might be verifying that the procurement process uses the existing technology to the highest possible extent and minimizes the use of paper.  

        Establishing agreement on the objectives minimizes any supervisor or client “expectation gap” and ensures any observations or recommendations are focused on the agreed-upon areas. Periodically refer back to the scope and objectives to keep the audit focused and avoid scope creep. 


        Interview Preparation 

        Many experienced internal auditors recall the stress of preparing for interviews and being overwhelmed with the amount of “data” obtained, much of which may not be needed. Often, the best weapons against stress are effective planning, ongoing communication and adherence to the agreed-upon scope and objectives. Consider this preparation time an investment in the future success of the audit rather than a burden. 

        Preparation should include the following activities:

        • Research the audit area and read any available background information, as this builds credibility. Background information can be found in prior work papers, websites, newsletters or procedure manuals. Reviewing competitor information may also be useful and can provide additional industry insights that lead to value-adding recommendations.  
        • Contact the interviewee and verify the subject matter you plan to discuss and the meeting objectives. Use this knowledge to prepare a written agenda, which you should email to participants in advance of the meeting. Using the procurement example above, you can state that the meeting objective is to walk through the process from purchase approval to vendor payment. This will ensure the client is adequately prepared and that the appropriate process owners are included in the meeting.
        • If you plan to obtain document copies, make that clear in advance of the meeting. A useful tip is to ask the process owner to email screenshots (or other documentation) to you at each step of the interview, including a brief description of the document in the subject line. If it is not possible to get emails during the interview, keep a detailed list of requested items, and be certain to use the same document names as the client.
        • Include specific questions, clarifications needed and any required background information on the agenda. 
        • Confirm the meeting date, subject matter and other key points in writing a few days before the scheduled interview.   
        • Practice your interview questions to increase your confidence.


        Conducting the Interview

        When conducting the interview, the following strategies may be helpful:

        • Open the interview by introducing yourself and thanking the participants for their time. If there are several process owners in the meeting, ask each to introduce themselves and explain their areas of responsibility. 
        • Use terms that are understood by the client, not audit jargon. If the auditee uses an unfamiliar term, ask for clarification.  
        • Distribute a copy of the agenda and re-state the purpose of the interview and the topics you wish to cover.
        • Explain that you wish to walk through the entire process and clarify any expectations, such as obtaining screenshots. Give an example of the level of detail you wish to obtain and ask if they have any questions.
        • Critical Concept: Do not assume the points described above were previously communicated to all meeting attendees.  
        • Take notes to document key processes, but do not try to write down every word or phrase.  
        • It is good practice to pause periodically and re-state your understanding of the key points.
        • When ending the interview, state the next steps, such as providing a draft of the narrative for validation or scheduling a follow-up call to clarify any open points.


        Critical Errors to Avoid

        Missing Key Processes

        When conducting a walkthrough, the main objective is to document the key processes and controls, not every step in the process. To keep things organized, it is helpful to think of a flowchart with decision boxes. For example, you may begin by asking about the procedure to approve a purchase. Once that process is understood, you can ask about the handling of unapproved or rejected purchases, and what would cause a purchase to be rejected (e.g., the purchase exceeds the purchase order limit). Asking about both approved and rejected transactions ensures that all relevant processes are documented. You may also want to ask how often purchases are rejected and why.

        Insignificant Processes

        Another risk is getting bogged down in data that is immaterial. When walking through purchasing processes, there may be transactions that are exceptions to the normal process, such as manual purchase orders or emergency expenditures. Clarify the frequency and materiality of these items before deciding to invest time in documenting matters that may be immaterial or insignificant. These items can be discussed later if they are selected as part of your substantive sample.  

        Jumping to Conclusions

        Using the written agenda, you should have identified all key process owners. However, there may be situations where you believe process gaps or missing controls may exist. In that case, you should calmly verify the facts with the interviewee and then follow up with their supervisor. While your initial assessment may be correct, the supervisor may have already developed effective compensating controls.  


        Manual or Automated?

        When documenting a key process flow, you should clarify which steps, if any, are automated. This important point is often overlooked when drafting the preliminary walkthrough, and can lead to confusion and excessive follow-up questions.

        No Time for Self-Review

        Be sure to build time into your budget to review your draft narrative, and consider having a peer read the draft and give you feedback. Before performing the self-review, you may wish to set the document aside for a few hours to clear your mind so you have a fresh perspective. In addition, make use of the spelling and grammar check features in your software. Failure to do so may make the draft appear unprofessional and sloppy.

        Inaccurate Information

        Once the self-review is completed, send a copy of the narrative to the process owners and ask for their feedback. If additional clarity is needed, schedule a follow-up meeting with the process owner.  

        Conclusion

        The PING methodology that works best for each auditor will vary. However, the information above provides a framework to assist inexperienced auditors in approaching interviews and can be useful to more experienced auditors as a reminder of best practices and potential pitfalls.

        Data Privacy Primer: Regulations & Risks

        Privacy Background

        What is this concept of “privacy” we hear so much about in today’s news? Where did privacy originate, and why does it matter? In this article we will define privacy, discuss its importance and review some applicable laws.

        The modern-day concept of privacy is often attributed to Samuel Warren and Louis Brandeis’ 1890 Harvard Law Review essay “The Right to Privacy,” which argued that the common law already recognized a “right to be let alone” that could be extended to protect individuals’ private lives. Privacy is generally defined as the right to be let alone, or freedom from interference or intrusion. The International Association of Privacy Professionals defines information privacy as “the right to have some control over how your personal information is collected and used.” However, the meaning of privacy may vary depending on an individual’s, organization’s or country’s perspective. For some, privacy means being protected from data breaches or identity fraud. For others, privacy is a fundamental right related to personal and family life, home and correspondence.

        When we refer to privacy, we are referring to those elements comprising personally identifiable information (PII). Examples include, but are not limited to, name, date of birth, physical address, phone number, Social Security number, financial account numbers (e.g., bank account and credit card numbers) and protected health information. The privacy principles defined by the Organisation for Economic Co-operation and Development (OECD) in its 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data form the backbone of privacy laws and privacy protection frameworks worldwide. The following elements of these principles are found throughout most privacy regulations:

        Collection Limitation: Personal data should be collected by lawful and fair means and, where appropriate, with the knowledge and consent of the affected individual (the data subject).

        Data Quality: Only information that is relevant to the stated purpose should be collected, and it should be accurate, complete and kept up to date.

        Individual Participation: An individual should be able to learn whether an organization holds data about them, obtain a copy of it and have it corrected or erased.

        Purpose Specification: The purposes for which personal data is collected must be specified no later than the time of collection, and data should not be collected speculatively.

        Use Limitation: Collected data should be used or disclosed only for the purposes specified at the time of collection, not for broader future uses, unless the data subject consents or the law requires it.

        Security Safeguards: Reasonable security measures must protect data against unauthorized access, destruction, modification or disclosure. Most laws call for security that is reasonable and appropriate to the risk rather than perfect.

        Openness: Data subjects should be able to contact the entity collecting or storing their information to ascertain the types of data collected and how they are used.

        Accountability: Data collectors should be accountable for adhering to these principles. Ideally, there should be a person in the organization dedicated to ensuring privacy principles are followed. The concept of a data protection or privacy officer originated with this principle.

        Defining Key Concepts

        While data privacy focuses on the use and governance of PII, data security focuses on protecting PII from malicious attacks and improper disclosure. Privacy cannot be protected without an associated security component.

        Privacy professionals frequently reference Privacy by Design, a proactive and intentional approach where privacy is the default in technology system design and is considered at the earliest stage1. As opposed to an ad hoc approach, where privacy discussions take place in later stages of system development, the Privacy by Design framework is applied to the data life cycle from creation through collection, storage, archiving, de-identification and deletion.

        PII processing refers to any operation or set of operations performed on personal data whether or not by automated means. It can refer to data collection, recording, storage, retrieval and erasure.

        With these definitions in hand, let’s explore why privacy is important in today’s world.


        Importance of Privacy

        An individual’s privacy is a fundamental right and is closely connected to human dignity. It is the foundation on which other human rights are built. Privacy protects against the abuse of power by limiting what can be ascertained about individuals and providing shelter from those who may wish to exert control. Ensuring individual privacy protects us from the arbitrary and unjustified use of power by states, companies and other actors.

        However, data is an increasingly valuable asset. With the rise of the data economy, organizations and nation-states have found significant value in collecting, sharing and using data. Companies like Amazon, Facebook and Google have built their organizations on data2. Collecting data provides organizations with the power to explain, predict and even influence behavior. This is particularly valuable for advertising and marketing endeavors. For example, Netflix uses data analytics to target its recommendations. With well over 100 million subscribers, Netflix collects large volumes of data. If you are a subscriber, you are familiar with how the company suggests the next movie you should watch by using your search history and viewing data, which give it insight into your interests. Without proper regulatory protections and legal recourse, you would have little control over how Netflix and other companies use and share your personal data.

        In her 2019 book titled “The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power,” Shoshana Zuboff discusses how surveillance capitalism is an economic system centered around commodification of personal data with the core purpose of profit-making. Commodification makes personal data a valuable resource. Zuboff points out that tech companies and other corporations are mining users’ information to predict and shape their behavior, undermining personal autonomy and potentially eroding democracy.

        Primary Privacy Laws

        But surely there are privacy laws that provide protection against this abuse of personal data?

        Unlike Europe, which has a single comprehensive data protection law, the U.S. has enacted a patchwork of sector-specific privacy laws generally targeted at protecting consumers. The Federal Trade Commission (FTC) serves as the primary federal enforcer of consumer data privacy and security laws for many businesses. Enforcement centers on fraud, deception and unfair business practices. Institutions that violate consumer privacy rights or mishandle sensitive consumer information may face legal enforcement actions brought by the FTC and state authorities. The U.S. Department of Health and Human Services (HHS) governs health privacy protections and issues compliance guidance, with its Office for Civil Rights (OCR) acting as the enforcement arm for HHS privacy regulations.

        U.S. laws to be aware of in the education and health care sector (i.e., those that affect academic medical centers) include:

        Family Educational Rights and Privacy Act (FERPA) gives parents, and students once they turn 18 or enroll in a postsecondary institution, rights over student education records such as grade reports, transcripts, disciplinary records, contact and family information, and class schedules. FERPA generally requires written consent from the student (or parent) before education records are released, subject to specific exceptions such as disclosures to school officials with a legitimate educational interest and of properly designated directory information.

        Children’s Online Privacy Protection Act (COPPA) protects the privacy of children under 13 years of age. It requires websites and online services directed to children to obtain verifiable parental consent before collecting personal information from them, and it stipulates how that data may be used and retained.

        Gramm-Leach-Bliley Act (GLBA) requires financial institutions, defined as companies offering financial products or services, to explain their information-sharing practices and to protect against unauthorized access to, or use of, personal information that could result in substantial harm or inconvenience to a customer. GLBA stipulates that financial institutions appropriately ensure the security and confidentiality of customers’ information. Because they administer student loans and other financial aid, colleges and universities are treated as financial institutions under the FTC’s Safeguards Rule, so GLBA applies to the institution’s own financial aid and student account data.

        Health Insurance Portability and Accountability Act (HIPAA) is designed to protect the confidentiality and security of a patient’s health care information, defined as any individually identifiable information about the past, present or future physical or mental health of an individual, the care provided or payment for that care. It covers all communication media, whether written, verbal or electronic. HIPAA includes the Privacy Rule, which protects a patient’s right to keep health information private, and the Security Rule, which requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of electronic protected health information (ePHI). HIPAA violations can result in significant penalties for noncompliant organizations and individuals.

        In addition to these federal regulations, various states have enacted privacy laws to protect personal data in the consumer setting. Most notably, California enacted the California Consumer Privacy Act (CCPA), which is designed to protect the privacy rights of California residents. It gives consumers the right to know what personal data companies collect about them, to have it deleted and to opt out of its sale. Other states, including Virginia and Colorado in 2021, have enacted comparable laws, which typically carve out data already governed by federal regulations such as HIPAA and GLBA, and more states are expected to follow in the coming years.

        From an international perspective, institutions should be aware of country-specific privacy laws. Most notably, the European Union’s General Data Protection Regulation (GDPR) protects the personal data of individuals in the EU regardless of their citizenship, and it reaches organizations outside the EU that offer goods or services to, or monitor the behavior of, people there, which can include a U.S. institution that recruits students in Europe or operates study-abroad programs. GDPR requires that personal data be collected lawfully, for specified purposes and under specific conditions. Institutions that process personal data are obliged to protect it from misuse and exploitation and to respect data subjects’ rights, such as access and erasure. Those who fail to do so may face significant penalties. GDPR requirements spurred the development of detailed privacy notices (and cookie consent banners), in which organizations offer transparency into their data collection and management practices.

        Conclusion

        As more attention is focused on privacy, both internationally and domestically, consumers and clients will increasingly expect institutions to protect their personal information and embed privacy considerations into their business strategies. In Cisco’s November 2019 “Consumer Privacy Survey: The Growing Imperative of Getting Privacy Right,” published as part of its Cybersecurity Series, 32% of the 2,601 adults surveyed said that they care about privacy and had already acted on it by switching companies or providers because of their data policies or data-sharing practices. Along with the increase in privacy regulations worldwide, this should be a catalyst for organizations to establish or update their privacy programs.

        In the second part of this article, we will explore areas auditors should consider reviewing when evaluating functions and processes involving personal data.

        References

        1) Deloitte, GDPR Top Ten #6: “Privacy by Design and by Default”; Shay Danon; February 2017
        2) MIT Technology Review: “It’s time to rein in the data barons”; Martin Giles; June 19, 2018

        Letter from the Editor

        Hello fellow ACUA members!

        My name is Claire Thomas, and I am delighted to be the new editor for College and University Auditor. First, I’d like to thank the prior editor, Jackie Pascoe, for her many contributions to the journal. I have enjoyed getting to know Jackie, and I have great respect for her work with ACUA. I would also like to thank our deputy editor, James Merritt, for his assistance with my transition into this role.

        For those of you who don’t know me, I am the Audit Manager for the Internal Audit & Advisory Services department at Boston University. Prior to that, I worked alongside James for several years as a Principal Auditor at Duke University, and I welcome this opportunity to collaborate with him again!

        I have always enjoyed the unique challenges and opportunities associated with working in higher education. Our institutions are constantly evolving, and as auditors, we must be innovative and agile in order to meet their needs. Our ACUA network plays an important role in fostering this commitment to continuous growth and professional development, and I am excited to be taking part in such an important objective. I look forward to working alongside our members as they continue to share their insights, resources and experiences with the broader ACUA community.

        This issue of the journal brings workplace culture to center stage. After the turmoil and pressures of the last year, conversations about culture have likely been relegated to the back burner. But as many of our organizations begin to resume in-person work, this topic is becoming increasingly important. What kind of environment awaits us when we return? In this issue, Sabine Charles provides recommendations for how internal auditors can enhance client relationships and overall success through emotional intelligence. Jennifer Roberson and Chrissy McKeown share their insights and discuss strategies related to delivering effective feedback, while Harold Lederman offers tips on how to improve client relationships throughout your audit. In addition, Jaime Fernandez discusses how to support and partner with your athletics department. Finally, the journal team has tabulated your responses to our recent survey on workplace culture. Our article offers results, insights and a few takeaways.

        The content of this and every issue of College and University Auditor is made possible by the contributions of knowledgeable professionals throughout our community. Please consider sharing your experience and expertise with us. The journal team is always happy to assist in developing your ideas or fine-tuning your article. Feel free to reach out to me with questions, comments or ideas for future articles at editor@ACUA.org, or contact me by phone at (617) 353-3324.

        Thank you for your time, and I hope you enjoy this issue of College and University Auditor!

        Sincerely,
        Claire Thomas

        How to Improve Your Audit Product

        Professionals generally recognize that a final deliverable is judged on more than the quality of the work itself. A client’s overall perception throughout an engagement plays a vital role in their satisfaction and cooperation with internal audit. This article provides suggestions on how to improve the overall audit product and relationships with audit clients.

        1. Make it clear that you are there to help

        Ask the client how internal audit can help. A great way to start the conversation is by asking for a list of process improvements over a period of time (e.g. two years) and then verifying that they were implemented. Depending on the structure of the institution’s audit report, process improvements should be addressed first, if they are included in the report. If they are not included in the official report, auditors should outline process improvements in an informal memorandum or discuss them verbally with the client.

        Additionally, internal audit can provide assistance to clients through the audit report, which can be leveraged to help the client achieve their goals. For example, making recommendations and highlighting areas for improvement may have more impact when included in an audit report and suggested in this formal manner to senior leadership. However, it is important to keep in mind that internal audit should not be involved in any implementation of these recommendations to maintain independence and objectivity.

        2. Use proper terminology when addressing clients

        In the business world, clients are generally referred to as, well, clients. Avoid addressing clients in ways that could have negative connotations, such as “entity under audit” or “auditee.” It may be helpful to think from the client’s perspective on how it might feel to be audited and referred to as the auditee. Being respectful and friendly to the client during communications will help with the intimidation factor that clients may feel when being audited. 

        3. Put clients at ease

        For many clients, learning that they are being audited or even meeting with internal audit induces a level of fear or anxiety. While it seems that auditors are stereotyped as scary intruders who want to upset the status quo, it is helpful to gently remind clients this is not the case and work to change their perspective. The following suggestions offer some ideas that may help convey that internal audit wants to collaborate with clients to achieve mutual goals:

        • Start the audit with Preliminary Information Gathering (PING) meetings. This allows internal audit to gather history and become familiar with the client’s operations. This information can then be used to shape the audit program. 
        • Document internal audit’s understanding in writing and distribute it to stakeholders, requesting confirmation that it is correct. To further demonstrate that internal audit seeks to collaborate with the client, suggest in the communication that stakeholders make comments and edits as they see fit.  

        4. Report audit findings in context

        Research the history of the audit area (e.g. changes to systems, processes or personnel) by using the client’s institutional knowledge and other resources. Including this information in the audit scope shows both stakeholders and leadership that internal audit has made a genuine effort to produce a quality, relevant deliverable.  

        Example: Internal audit discovers that the database the client is using has duplications and errors. Internal audit becomes aware that the audit area had four directors in the last four years and that the data was managed by many individuals over this period. The current data manager has held the position for six months and made many improvements to fix the database. Internal audit highlights the data manager’s efforts during ongoing discussions and in the audit report. As a result, internal audit gains the trust and appreciation of the client and management, thereby developing the foundation for a great relationship.

        5. Use graphics and other tools to emphasize your points and make them easily understood

        The success of many online platforms depends on their ease of use and simplicity. Twitter, for example, limits messages to 280 characters. The most common length of a tweet is 33 characters. Historically, only nine percent of tweets hit Twitter’s former 140-character limit; now it is only one percent.

        Another online platform, Pinterest, utilizes images, videos and text – infographics – that allow users to discover information through various means. As of the publication of this article, there are over 200 billion pins on Pinterest, and 87% of Pinners have purchased a product because of Pinterest.

        The use of tables, graphs and slides can appeal to end users (e.g. stakeholders and leadership) and increase engagement during the presentation of a deliverable. Additionally, presenting a deliverable with PowerPoint seems to be underutilized in our profession. Introducing this as a method to present audit information and harnessing its formatting capabilities (e.g. fonts and color themes) can make a strong impression on management.

        6. Present executive highlights that convey some of the detail, and the entire picture, at the same time.

        While this may sound like a contradiction, here is how it is done. Auditors love spreadsheets, replete with formulas, tiny explanations, footnotes and other auditing paraphernalia. But, more often than not, it is only auditors who truly care about them. Management and clients want straightforward, easy-to-understand summaries. Therefore, consider highlighting – and succinctly conveying – major points with only as much detail as needed to clarify and support internal audit’s findings. These major points should be mutually exclusive and collectively exhaustive (MECE), which means they should stand alone and, together, present the complete picture. This allows internal audit to integrate the findings and recommendations in a way that conveys the total picture.  

        In summary, internal audit can improve the quality of audits and relationships with clients by adhering to a few basic principles. Convey the idea that internal audit wants to help, treat clients respectfully, and keep the audience in mind when writing and presenting the audit report.