Resources

A Growing Trend: ESG Reporting for Higher Education Institutions

As they looked into their crystal balls for the year ahead, two organizations, Gartner and the Institute of Internal Auditors published lists of emerging risks for 2022. Not surprisingly, sustainability related to environmental and climate issues as well as social change made both lists.

These risks are just as relevant for public sector organizations, including higher education institutions, as they are for private and publicly held businesses, and they are only expected to grow in the years ahead.
Sustainability and social responsibility encompass a broad range of non-financial issues that may affect an organization’s financial condition and performance.

They may include environmental issues, such as the size of the organization’s carbon footprint, efforts to replace fossil fuels with renewable energy sources, and overall use of natural resources.
These responsibilities may also reference social issues, such as workplace diversity, health and safety, and consumer product safety risks. 

What is Environmental, Social and Governance (ESG)?

As implied by its name, ESG reporting is concerned with measuring performance in three very different domains: environmental sustainability, social responsibility and governance. The key measures used to document and report performance will differ significantly from one organization to another, and more importantly, from traditional accounting measures focused on financial performance.
For now, much of the focus of ESG reporting is on the private sector, especially publicly traded companies subject to U.S. Securities and Exchange Commission (SEC) regulations. The SEC is currently considering several proposed regulations incorporating elements of ESG reporting into the financial reporting requirements for public companies.

That doesn’t mean government entities and higher education institutions are off the hook. Concerns about climate change, expanded opportunities in the workplace, and effective governance are not expected to recede any time soon. History shows us that the public sector is usually not far behind the private sector when issuing guidance and requirements in emerging risk areas. Moreover, the same sentiment driving change in the public sector will affect government entities and higher education institutions as constituents seek more accountability for sustainability issues.

Forward-thinking universities and other public sector organizations can start to implement the appropriate processes to be better prepared to comply with new requirements that emerge.

Metrics and Reporting for Higher Education: The STARS Framework

When it comes to sustainability issues, higher education is not exempt from public sentiment and pressure. In recent years, “green rankings” of universities in various leading publications, including The Princeton Review, have highlighted the importance stakeholders are placing on sustainability. The rankings are based on metrics and voluntary reporting by the institutions themselves.

While there are several frameworks available, the most widely used ESG reporting framework is the Sustainability Tracking, Assessment & Rating System (STARS). It is a self-reporting framework open to the full spectrum of higher education institutions, from community colleges to research universities.
STARS was created in 2006 by the Association for Advancement of Sustainability in Higher Education (AASHE) in collaboration with higher education institutions. Currently, more than one thousand institutions have registered to use the STARS reporting tool to:

  • Provide a framework for understanding sustainability in all sectors of higher education.
  • Enable meaningful comparisons over time and across institutions using a common set of measurements developed with broad participation from the international campus sustainability community.
  • Create incentives for continual improvement toward sustainability.
  • Facilitate information sharing about higher education sustainability practices and performance.
  • Build a stronger, more diverse campus sustainability community.


The STARS framework includes long-term sustainability goals for already high-achieving institutions and entry points of recognition for institutions taking the first steps toward sustainability. Many institutions use STARS as a planning tool to identify areas of strength in sustainable practices and areas that need improvement. Each STARS report and rating is valid for up to three years, and a report may be submitted as often as once per year.

The framework is made up of five categories: Academics (AC), Engagement (EN), Operations (OP), Planning & Administration (PA) and Innovation & Leadership (IN), and these are broken into sub-categories for reporting purposes:

 

Each category is broken down into credits with specific metrics, activities, or practices needed to earn these credits. The institution identifies which credits they will pursue and collects the information from campus stakeholders. The institution accumulates points based on these practices and receives a rating of platinum, gold, silver, or bronze based on the number of points awarded. 



 
Below is an example of how one institution, the University of Georgia, appears in the STARS system. To allow institutions to compare their sustainability with others, the data used to assign points are made public.

Audit Committee and CAE Considerations

When it comes to ESG reporting, we have found that common questions arise among boards and audit committees as they consider the implications for their institution. These include:

  • Have we assessed the ESG disclosure criteria and determined which information is most relevant?
  • Do we have a strategy for identifying which ESG information is available?
  • How does our ESG performance relate to our institutional strategies and objectives?
  • Are our processes designed to produce accurate and complete information for our stakeholders?
  • Who is responsible for defining our institutional ESG strategy and overseeing information gathering through disclosure?

On a somewhat granular level, Chief Audit Executives and other audit leaders have questions related to ESG and reporting and disclosure. These include:

  • Do we have a published ESG or sustainability report or other available information? If so, is it still up to date and fit for purpose?
  • Is our ESG strategy aligned with our institutional objectives and long-term strategy? Does that strategy clearly state our ESG goals?
  • Who is responsible for overseeing the development and execution of the ESG program?
  • Have we defined the key metrics and data to quantitatively measure ESG performance across our institution?
  • Do we have defined, consistent processes and controls to identify, gather, aggregate and publish key ESG performance indicators?
  • Does our ESG/Sustainability strategy leverage one of the common reporting frameworks, and are we obtaining independent assurance or other support?

How the Audit Team Can Support ESG Efforts and Build Opportunities

For the audit team, it makes sense to approach ESG from a risk management perspective. In addition, contributing to the organization’s ESG efforts helps add value to the organization. The Internal Audit (IA) department can take these steps as part of the overall ESG program:

    1. Request an ESG risk assessment for the institution.
    2. In gathering information for STARS reports or other ESG disclosures, focus on adopting an enterprise-wide approach to managing ESG risks.
    3. Educate the administration about ESG reporting and the role organizational governance plays in the evaluation process.
    4. Identify and propose solutions to facilitate sharing information across siloed and decentralized approaches to risk management.
    5. Promote IA’s role in providing independent assurance.

    IA can anticipate emerging ESG disclosure expectations and requirements by encouraging and understanding processes and controls in the institution. IA can also advocate for the adoption of established ESG frameworks and relevant, data-driven reporting, help to assess institutional stakeholders’ expectations and gaps in currently disclosed information, and support process-integrity of reporting by assessing how key data is compiled and reported.

    Looking Ahead

    As higher education institutions of all types and sizes continue to adopt and embrace ESG reporting, internal auditors will have an important role in helping to lay the groundwork for success. They have an opportunity to play a key role in improving internal controls and the overall adoption of these processes. The risks are unlikely to go away any time soon. The important thing will be the way institutions prepare for them.

    Letter from the President

    Dear ACUA Colleagues,

    I hope everyone is enjoying the summer season! Nothing like summer on a college campus. I remember an administrator once telling me, “We love our students, but we love when they take the summer off too.”

    I wanted to mention a couple of things about the upcoming AuditCon in Las Vegas in September (in bulleted short form, because who has time for all the words):

    • Once again, this year we will have the CAE track.
    • Lots of hot topics will be covered, including: Title IX, Sports Betting, Cryptocurrency, IT, Research, Ethics, roundtables of all sorts, ADA, foreign gifts and contracts, back to basics (risk assessments, report writing, etc.), self-care, student mental health, and many others…wow!
    • Amazing keynotes including, but not limited to, hearing from:
      • Robert Chestnut of Airbnb on intentional integrity in organizations
      • Tim Renick of Georgia State on predictive analytics for student success
    • Caesar’s Palace – speaks for itself!
    • In a hybrid format, there are tracks that will stream live to allow virtual attendance.
    • And of course, what sets our organization apart from others is the professional networking opportunities with fellow ACUA colleagues at our conferences.

    Odds are good you won’t want to miss this conference!

    Finally, let me take a moment to introduce our new editors, Gavin Shubert of Georgetown University and Kara Hefner of the University of North Carolina at Chapel Hill, as well as send a special thanks to Claire Thomas and James Merritt who have since left higher education auditing and passed the editors’ torch.  

    See you in Vegas!
    Brian Daniels, University of Tennessee
    ACUA President

    Letter from the President

    Hello ACUA family!

    I hope your year is off to a happy and healthy start. We are eager to be starting a new ACUA year with some exciting initiatives and benefits for our members. I wanted to use this letter to highlight some of these initiatives ACUA is pursuing this spring. As a reminder, ACUA’s Member Needs Assessment Survey launched on February 28th. This is a great opportunity to help us shape the strategic trajectory of ACUA to meet your needs!

    Additionally, we are moving steadfastly toward the Audit Interactive (AI) conference, and for the first time, we will be co-located with URMIA for a portion of this event. ACUA members have paired with their own institutional experts to provide a number of sessions that will dive deep into various topics while keeping the internal audit perspective. This conference also promises to provide our members with coveted networking opportunities and new opportunities to network with our URMIA colleagues.

    At this point, registration numbers are looking great, and we cannot wait to see so many of you in person again. That being said, we haven’t forgotten about those of you who have embraced and thrived in the virtual learning environment. As such, our Virtual Learning Committee is working with ACUA members and strategic partners to provide a mix of 12 webinars and roundtables this year, some of which will be extended sessions. This will provide more opportunities to obtain CPE credits virtually, and we will soon be releasing a robust schedule of e-learning opportunities for the remainder of the year. With the success of last fall’s hybrid AuditCon conference, we are exploring options to embrace a hybrid platform again at AuditCon this September.

    As a reminder, we have a Call for Proposals open, and submissions are actively being accepted. I would especially challenge those of you who have never submitted a proposal to take a chance! In fact, we are introducing a new ACUA Future Speakers session at AI to bridge the knowledge gap on this process! If you participate in the session, you will still have time to submit a proposal for AuditCon this fall. (And, speaking of chances, AuditCon will be in Vegas this year!) 

    Finally, I should remind you that ACUA is committed to the safety and security of our membership for the upcoming conference, as indicated in our most recent communication:

    “ACUA cares about your well-being and has placed social distancing measures in place for attendees to gather safely and comfortably. Please find the official ACUA COVID statement here, which includes highlights of the safety plan and the City of Raleigh’s current procedures.

    While there are no guarantees of safety, ACUA is doing its best to safeguard your well-being, providing an engaging learning environment as well as opportunities to network with your colleagues, especially with our co-locators, URMIA.”

    Best wishes, and see you all at AI!

    Brian Daniels, President

    Letter from the Editor

    Hello ACUA,

    The new year is upon us! Although it may seem like we are still in the dead of winter, spring is already on the horizon. In our last issue, we reflected on the changes, struggles and accomplishments of the intense period of transformation we have all been living through. But now, as we turn the page to 2022, it’s time to do some spring cleaning and gear up for whatever the future holds.

    In this issue, “Spring Forward: Planning for the Future,” we embrace the renewed energy that accompanies the start of the new year. Here, our members share their thoughts about a host of topics that will help audit teams create a culture of continuous improvement and prepare to face new and evolving risks. First, Sandy Jansen and Kimberly Turner provide their insights on how internal auditors can gain a seat at the table with institutional leadership. Then, Todd Knowles and Diane Padgett deliver the second part of their Data Privacy Primer series, in which they dive deeper into the topic of personal data and offer recommendations on how auditors can identify and mitigate privacy risks. Karletta Jones and Mark Ruppert also share their experiences using Microsoft Teams to enhance the efficiency of administrative audit tasks, client communication and documentation processes. In addition, Du’Neika Easley has an exciting update from the ACUA Board of Directors on the Diversity and Inclusion Leadership Committee. Finally, the journal team has tabulated your responses to our recent survey. Our article on succession planning and the Great Resignation offers results, resources and suggestions for adjusting to this new era in the workplace.

    Each issue of College and University Auditor journal is made possible by contributions from our wonderful community. Please consider sharing your knowledge and expertise in a future issue! The journal team is happy to assist you in developing a basic outline or fine-tuning your article. Feel free to reach out to me with questions, comments or ideas at editor@ACUA.org, or contact me by phone at (203) 218-7631.

    Many thanks to our community, and I hope you enjoy this issue of College and University Auditor!

    Sincerely,

    Claire Thomas, Editor

    Secrets to Getting a Seat at the Table

    As chief audit executives and auditors, we want to be considered valued members of our organizations. Having a “seat at the table” may be one of the strongest indicators that you have succeeded in becoming a trusted advisor within your organization. However, this status is difficult to achieve and easy to lose. Obtaining (and keeping) a seat at the table requires dedication to certain tenets, including:

    • Consistently demonstrating your value.
    • Focusing on quality audit work and results.
    • Providing insight outside of the audit process to widen your circle of influence 

    Becoming a Valued Team Member

    The first step towards getting a seat at the table is becoming a valued team member. As detailed below, there are a number of important ways you can demonstrate your value to the team:

    • Listen more than you talk. If you were ever scolded for not listening as a child, your mother might have reminded you that everyone has two ears and one mouth. As it turns out, this is good advice for auditors and children alike. In fact, the word “audit” is derived from the Latin word “audire,” which means “to hear.” Listening helps auditors compare and synthesize conflicting points of view in order to find nuanced solutions. It enables us to understand our organization’s culture and politics and bring sensitivity to our analysis of the facts.
    • Do not play politics. While it is important to be aware of the politics in an organization, auditors should never get involved in them.  
    • Be constant in your ethics. Auditors must never forget that they live in glass houses. If your integrity is ever compromised, all is lost.
    • Demonstrate good judgment. Senior leadership hired you for your unique skillset and your decision-making capabilities. Use critical thinking to provide sound, solid and objective assessments and advice.
    • Build relationships. It is important to build positive relationships with key stakeholders outside of audit engagements and before a crisis. Good relationships will make it easier to deliver difficult news to stakeholders and ensure that they are open to your suggestions. In addition, a solid network of connections demonstrates the value of internal audit in strengthening cross-functional communication. If building relationships is not one of your strengths, seek additional training in this area and be willing to step out of your comfort zone. 
    • Share information. In the course of your work, you may learn of initiatives and key information that should be shared with other stakeholders. Because auditors have a 360-degree view into the operations of the institution, we can help connect people, break down silos and promote collaboration across the organization. In addition, we often are able to connect the dots between different data points to uncover problems and solutions that others cannot see. Coupled with an objective mindset, the insights we develop can be invaluable to senior leadership, even outside of formal audit reports. While sharing knowledge is important and can help built trust, remember that some information may be shared with you in confidence. It is critical that auditors never disclose confidential information.

    Focusing on the Audit Work and Results

    One of the most important things you can do as an auditor is to inspire trust. Though it may seem obvious, trust starts with providing complete and insightful audit results. Ensure your reports are fair, balanced, accurate and helpful, as clients may question your professionalism when your work contains errors or uses inflammatory language.

    In addition, auditors must focus on significant risks, consider the strategic direction of the institution and have a solid understanding of the organization and the broader higher education industry. Your audit plan should consider strategic goals, the institution-wide risk assessment and discussions with senior leaders and board members. Focusing on significant risks of strategic concern to university leadership demonstrates the value that you can bring to the institution. Senior leadership does not want to waste time reading a report focused on the small stuff, so avoid dwelling on minutia.

    During audits, it is critical to examine things from multiple vantage points. Zoom out to consider big picture implications. Zoom in to see details that may not be immediately apparent and look for patterns, relationships and linkages. It is important to synthesize this information and provide valuable insights in client communications, including audit reports. In doing so, make sure you connect the dots between your individual audits and advisory projects to detect patterns, trends and hot spots.

    Strong communication skills are required to effectively deliver the results of your work. In addition, auditors must be able to negotiate professionally to assist management in identifying and mitigating risk. While negotiation may at first seem like subordination of judgment, open conversation and consideration of all relevant facts can strengthen management’s commitment to resolve audit issues and implement suggested changes.

    The entire audit team’s attitude is also critical to building trust. The team should be viewed as professional, approachable and helpful rather than “too nice,” lacking professional skepticism, out to find problems (“gotcha”) or trying to surprise management. Nothing will result in exclusion from the leadership table faster than the wrong attitude from the audit team.

    Finally, your work must be high quality and consistent. The internal audit quality assurance and improvement program must be top notch to ensure your work meets professional standards. Of course, mistakes may happen, but if you make a mistake, own up to it and correct it.

    Widening Your Circle of Influence

    Assurance services: An objective examination of evidence for the purpose of providing independent assessments, the nature and scope of which are determined by the auditors. 

    Consulting services: Advisory and related client service activities, the nature and scope of which are agreed upon with the client.
     (from The IIA’s International Professional Practices Framework Glossary)​To further your team’s impact, consider moving beyond traditional audit areas. Here are some ideas for getting out of your comfort zone:

    • Leverage new technologies such as automated processes, data analytics and continuous monitoring to reduce time spent on routine operational and financial risks. The time saved could be used on advisory and consulting work, which may provide more insight and value to leaders at your institution.
    • Evaluate the institution’s strategic plans and determine how internal audit can provide advice and insight.
    • Consider when a consulting engagement would add more value than an assurance engagement.
    • Increase audit focus on strategic risks. 
    • Collaborate with other assurance providers, including campus police, general counsel, and compliance and risk management functions.
    • Consider co-sourcing or outsourcing arrangements with external assurance providers, such as independent audit firms, information technology consultants, state auditors or others to supplement your office’s knowledge and capabilities.

    Next Steps

    If you are developing key stakeholder relationships or working to re-establish those relationships, completing a few, easy steps can go a long way. First, schedule periodic meetings with key stakeholders. For example, some chief audit executives and team members meet quarterly or monthly with the institution’s chief financial officer, provost, president or others. Agendas for these meetings should include time to share risk insights and trends based on current and upcoming audit work, the status of any outstanding items (because no one likes surprises), and an opportunity for stakeholders to discuss any key initiatives or concerns. This time can also be used to gain an understanding of risks that senior management feels may be on the horizon for the institution and allow for preemptive risk assessment activities.  

    Auditors can also take advantage of seeing stakeholders outside of regular audit-related meetings. Campus celebrations such as retirement parties and welcome events provide great opportunities to get to know management on a more personal level. Make time to attend such events – and don’t be a wallflower!

    When you are included in meetings or initiatives, make an effort to add value. While you do not want to dominate the conversation, remember you have been asked to participate in the meeting to provide insight and thought leadership, not to sit on the sidelines.

    If you are not included in an initiative for which you can provide insight, senior leadership may not have thought to include you. Sometimes, politely asking if it is possible for internal audit to attend is all that is needed. However, asking for an invitation takes courage and may use some “personal capital,” so make sure it is an area where you have knowledge and insight rather than asking to be included in everything.

    Finally, be open to new information and opportunities to add value. The more you work to understand the university’s risks and challenges, the more likely you are to reach valuable conclusions. If you never change your mind, you probably are not approaching the work the right way. Adding value is an iterative process – you will never be “finished.”

    Getting a Seat is Worth It!

    For many audit professionals, having a seat at the table can impact career achievement. Job satisfaction and long-term success are directly tied to your perception of your own ability to add value and make a difference at the organization. For auditors in higher education institutions, adding value is particularly rewarding because the mission of higher education aligns so well with our own: creating a better world through education, research and other outreach activities.

    Most importantly, having a seat at the table will allow you to continue adding value in the future. The seat can be self-sustaining through continuous attention to positive professional relationships, commitment to a high-quality audit function and insightful dedication to the betterment of your organization.

    Using Microsoft Teams to Facilitate Internal Audit Teamwork

    Introduction

    There are many options for internal auditors who wish to improve the automation of processes that support audit administration, completion and follow-up. However, access to those options is contingent upon the financial resources available to the internal audit function. When those resources do not exist, or are truncated, options become limited. This often results in the internal audit function either using paper records (egads!) or word processing and electronic spreadsheet files organized into folders. Neither of these methods results in improved efficiency, implementing best practices or improved client interactions.

    At Northern Arizona University (NAU), we used a cloud service provider for our audit administration work for several years. Although this method was affordable and met our basic documentation needs, it offered no great strides forward for our audit team. Before the pandemic, we decided to take advantage of our corporate SharePoint license and began building a knowledge repository to help organize our records and reduce our carbon footprint. After studying several use cases from other internal audit departments, we began working on our own SharePoint prototype.

    In this article, we will share how we have used this knowledge to implement MS Teams as our new and much improved audit administration system, iTEAMS.
    And then the pandemic forced us to change our plans. Funding was slashed, and the university moved to a remote work environment. With reduced resources, we decided to put our plans on hold and move to SharePoint Online. As audit projects were delayed, we invested time in learning as much as we could about the new functionality available in SharePoint and Microsoft Teams (MS Teams).

    In this article, we will share how we have used this knowledge to implement MS Teams as our new and much improved audit administration system, iTEAMS (Internal Audit Team Engagement Audit Management System).1 Although we have already made numerous improvements, our team meets quarterly to review what we’ve learned and identify ways to mature our processes.

    Our approach has helped us achieve our objectives for automated audit administration, including:

    • Improving and documenting client interaction by reducing the need for tracking and documenting emails, video and other project-related communications.
    • Organizing project documentation in a secure and easy-to-use interface, with the ability to control individual access and allow for sharing and collaboration on individual documents.
    • Automating the audit administration process so team members can focus on their engagements.
    • Ensuring the system is available anywhere we have internet access.
    • Prioritizing opportunities for improvement as they are identified.

    Project Set-Up

    Throughout an audit, we use many MS applications, including Excel and Word. Because MS Teams and SharePoint are well-integrated, we’ve been able to use the features in MS Teams to link directly to source templates that are housed in the policy section of our SharePoint website (e.g., Excel and Word templates). This helps to ensure that we consistently use the latest versions of our audit templates. We have also leveraged the following features: 

    • Tasks by Planner and To-Do: This is a flexible tool to organize tasks not only for the Internal Audit Team, but for the client as well. It offers features like categorized scheduling and a calendar and allows users to attach files directly to a task (see Figure 1).
    • Document Library: This links directly to the SharePoint site that houses our policies, procedures and templates. Metadata added to these document libraries is also helpful for documenting and tracking audit plan status.
    • Request Sign-Off Flow: This provides the capability to route the preparer’s work to the reviewer in SharePoint with a documented approval workflow.
    Figure 1
    Improvement Opportunities Tracking and Task for Review Process

    This approach not only supports client collaboration and communication in a single place (instead of relying on copious daily emails), but also serves to document those communications and files.
    MS Teams makes use of posts and file sharing as a means of helping teams stay connected and organized.  For each project, we create a separate “Team” within MS Teams.Each team originates with a General Channel, which we use for client communication and file sharing using the Posts and Files tabs that are created by default.

    • The Posts Tab allows for communication among all members of the Team and is great for capturing client input directly related to the project.
    • The Files Tab is an area where folders and files can be housed to organize documents provided by and shared with the client. 

    This approach not only supports client collaboration and communication in a single place (instead of relying on copious daily emails), but also serves to document those communications and files. Files can also be hyperlinked to support other work papers (See Figure 2).

    Figure 2
     

    Planning, Fieldwork and Reporting

    We create and use a Private Channel, which we label “Audit Files,” to collaborate and communicate among the internal audit team, and for the storage and organization of the project working papers.
    Each Team also allows for the creation of other channels, as needed. These channels can be made available to all Team members or can be restricted using Private Channels. We create and use a Private Channel, which we label “Audit Files,” to collaborate and communicate among the internal audit team, and for the storage and organization of the project working papers. Since we use templates throughout our audit engagement, we use the copy feature from the MS Teams template to quickly set up the tabs for each channel, as shown in Figure 3 below: 

    Figure 3
    General Channel (See also Figures 2 and 5)Private Channel: Audit Files (See also Figure 4)
    Posts: Client CommunicationsFiles: File Sharing with ClientTasks: Tasks App for various tasksWelcome: Word template that welcomes clients and provides instructions for Team useAgenda: Word template for Entrance Conference meeting agenda
         		Statement of Independence: Excel template that tracks audit team conflict of interest reporting for the projectAudit Sections: Word template that summarizes the audit sections with links to the supporting work paper filesImprovement Opportunities: Word template that summarizes all identified audit findings and follow-up with clientTeam Assignments: Word template that identifies each team member’s responsibilities and tasksReview Notes: Word template that contains supervisory review notes and related follow-up or clearance activities
     

    The Private Channel, “Audit Files,” is structured by project section, as shown in Figure 4.

    Figure 4
    This example shows the project file structure in Teams in a private channel. Private channels are identified with a lock icon to the right of the channel name. The Team administrator controls Team access. By default, all members added to the project Team have access to everything but private channels. Members must be granted Private Channel access by the administrator.

    Due to the configuration of the General Channel, Posts is the default screen that will pop-up when clicking on a Team, which we use to direct the client to the Welcome tab. The Welcome tab is a word template that helps demonstrate to the client the benefits of using MS Teams for audit management. It also provides instructions to help those clients not familiar with MS Teams and establishes the expectation for the use of MS Teams during the audit. Files provided by the client in the General Channel can be linked to, or easily moved to, the Audit Files Private Channel (see Figure 5).  

    Figure 5

    For reporting, we share all initial draft reports through posts in the General Channel. However, we issue final reports through official email communication and store copies of those emails in the private channel Reports Folder. We also track all issued reports in a separate SharePoint document library that includes metadata for tracking when reports are due for presentation to the Board of Regents, the number and nature of improvement opportunities in each report, the type of audit conducted (compliance, financial or integrated) and other details (see Figure 6).

    Figure 6
    SharePoint Audit Report repository showing view by audit plan year.

    SharePoint Audit Report repository showing view broken out by audit plan year.

    Supervisory Review and Improvement Opportunity Tracking

    For quality assurance, we use a word template to track review notes. A SharePoint workflow initiates review by folder and audit program step and applies a pending or approved status as metadata for each folder (as shown by the sign-off status columns next to each file folder in Figure 4).

    This template also helps the client see the details and layout of improvement opportunities (e.g., condition, cause, etc.) to improve buy-in and limit surprises during reporting.
    To track improvement opportunities in real time, we use a word document that mirrors our audit report. When an improvement opportunity is identified, the document is made available as a tab in the General Channel for client review and feedback. This template also helps the client see the details and layout of improvement opportunities (e.g., condition, cause, etc.) to improve buy-in and limit surprises during reporting. This template is also used to document discussions with the client. Once client review is complete, the Improvement Opportunities are moved back to the Private Channel.

    As we continue to mature the use of MS Teams and SharePoint, we hope to create a process for audit follow-up as well.

    Limitations

    As with any electronic tool, adjustments will always be needed. For MS Teams, we have encountered the following limitations:

    • Only nine attachments can be included in Tasks.
    • Anyone assigned to the task must reply to the comments section to be notified of future comments.
    • Lag time may exist due to the Cloud structure and network bandwidth.
    • MS teams provides access to many applications that help with building processes and workflows, but there is no way to easily identify applications that the university has purchased. It is important to gain an understanding of this issue before committing to using a specific application within MS teams. However, applications for Excel, Word and Calendar are default MS Teams applications available to all users.
    • Requesting sign-off cannot be done directly in MS Teams; it first requires that users log into SharePoint.
    • Tasks by Planner and To-Do are only available in the General Channel; such task management is not available in the Private Channel.
    • While we created an audit project template to initiate the creation of new project teams, only the Team structure can currently be copied from a template. Embedded files in the template do not transfer.
    • Most clients like the use of MS Teams for audit interactions. However, clients don’t use it continuously, so it cannot completely replace email communication. However, an email can be dragged directly from Outlook into the Team files in both General and Private channels.

    Conclusion

    MS Teams and SharePoint offer a lot of functionality and, with some training, they can be set up fairly easily. Larger audit teams may find it useful to work with PowerApps or other related tools to establish more edit controls, including workflow and document locking. If your organization is already using MS Teams and SharePoint, building out this functionality is unlikely to require license fees for third-party audit administration and documentation systems. If you are going through a similar transformation, please reach out to us for additional details and to share what you’ve learned and applied. Collaboration will help us all continue to improve!

    References

    1 We will be presenting this approach at ACUA Interactive on Tuesday, March 29th in greater detail.

    Creating an Intentional Culture of Inclusiveness:‎ A Conversation with ACUA Leadership on Diversity and Inclusion ‎

    For many, 2020 will long be remembered as a year of reckoning and change in the U.S., marked by a global pandemic, an economic crisis, political unrest and racial tension. In response to a year like no other, ACUA’s President, Julia Hann issued a call for volunteers on July 2, 2020 as ACUA prepared to launch its first-ever Diversity and Inclusion Leadership Committee. In her note to the ACUA family, Julia stated that “the board is deeply committed to examining our core values and making sure inclusivity, respect, appreciation and embracing our differences is part of our foundation as an association,” and that the board wants “to ensure ACUA is welcoming to everyone.”

    The group began by exploring the definition of diversity and inclusion (D&I) and identifying the committee’s goals and objectives. 
    Within weeks, the call was answered. Approximately 15 members convened at the initial meeting. The group began by exploring the definition of diversity and inclusion (D&I) and identifying the committee’s goals and objectives. As the conversation unfolded, it was clear that D&I is a multi-faceted construct that extends beyond gender and race. It continues to gain importance as consumers hold organizations accountable for creating a measurable culture of inclusivity.

    ACUA conducted a baseline membership survey and identified ACUA’s membership demographics are approximately 55% female and 41% male, with 4% providing no response or preferring not to answer. In terms of race, 67% of the members identified as white (not Hispanic or Latino), 12% Black or African American, 7% Asian, 6% Hispanic, Latino, or of Spanish origin and 1% Native American. The remaining 7% identified as multiracial or preferred not to answer. The survey also explored other aspects of diversity including age, religion, ACUA volunteerism and the size and location of members’ institutions.

    In addition, studies show that D&I committees are most successful when leadership is on board with the initiative.
    A 2020 study published by McKinsey & Company, a global management consulting firm, found that “the greater the representation, the higher the likelihood of outperformance and the likelihood of outperformance continues to be higher for diversity in ethnicity than for gender.”[1] In addition, studies show that D&I committees are most successful when leadership is on board with the initiative. Therefore, the work of the committee, in collaboration with the board, includes examining how to use this information to identify and shape ACUA’s strategic priorities and desired outcomes. During the board meeting, Deidre Melton, D&I Committee Chair, detailed the committee’s conversation in order to gain insight on how ACUA leadership ranks the importance of D&I work and what they expect to gain by creating the sub-group. The board spoke candidly on the topic as reflected in the summary below.

    Q: When you hear the words “diversity and inclusion,” what does that mean to you?

    A: Taking different viewpoints, membership needs and perspectives into consideration. Allowing all voices to be heard, while making room at the table and creating a safe space. Proactively supporting a platform and opportunities (in the structures and processes of the organization) for people from different groups or backgrounds, including those who have been excluded.

    A: Accepting all people, irrespective of group affiliation. Willingness to listen to and acknowledge our differences in order to confront issues that create barriers to addressing and eliminating bias.

    There are many different aspects of diversity, but inclusion comes first.
    A: There are many different aspects of diversity, but inclusion comes first. How do we ensure we welcome everyone who wants to be involved? Once people feel included, they may be more interested in volunteering and taking on leadership positions.

    Q: Why is it important for ACUA to tackle this sensitive topic as an organization and within our separate institutions?

    A: We don’t know what we don’t know, and we owe it to our membership to be intentional about ensuring that all members feel included, supported and valued, and to make sure they can participate as much as they want to.

    A: Higher education is sensitive to the cultural climate; therefore, this topic is important to our campus communities. Not every university offers training on D&I, but ACUA is positioned to train our members, offer education and provide resources.

    A: We had more questions than answers and felt like we had a lot of growing and learning to do. We recognized possible issues, but also knew we needed help.

     A: As this is an important topic for everyone, for our growth as an organization and as individuals, we need to create processes and protocols that will support this issue. We need to act, not just put out a statement: walk the walk, not just talk the talk!


    Q: What are some of the most beneficial things that can move the needle on inclusion or shift the culture within ACUA?

    A: Being proactive and intentional with our plans to put this initiative at the top of the priority list for everything we do. Practicing [inclusivity] until it is second nature and an embedded part of our processes, planning and programming.

    A: Adding D&I training at all levels, including the board, committees, members and volunteers. It should also be included as part of the volunteer recruitment process.

    A: Building a future speaker’s program to help increase speaker diversity at our conferences and webinars.

    A: Push our working partners to further their diversity initiatives and raise awareness of what steps they are taking at their organizations. Focus our work with likeminded groups that prioritize D&I as well.


    Q: When thinking of successful outcomes for this committee, what does that look like to you?  What activities or initiatives would you like to see the committee lead?

    A: Creating an intentional culture of inclusiveness where we encourage members to speak out.

    A: Offering education and resources. Assisting members in evaluating their institutional D&I programs.

    We all have a role to play, but we need the expertise of the D&I committee to help lead the association in the right direction.
    A: Consultation, thought leadership and partnership with ACUA’s board and membership.

    A: Diversifying speakers for conferences and webinars. Breaking the cycle of using the same people in the same way.

    The conversation closed with this thought: We all have a role to play, but we need the expertise of the D&I committee to help lead the association in the right direction. As the committee’s final charter, goals and objectives take shape, the vision of creating a better tomorrow has never been clearer.

    References

    [1] https://www.mckinsey.com/featured-insights/diversity-and-inclusion/diversity-wins-how-inclusion-matters

    Are Agency Funds Driving up Your Costs?

    Universities often have many affiliated entities that call the campus home. These may include student organizations, honor societies, academic journals, professional organizations like ACUA, alumni associations and more. It is common for institutions of higher education to account for the funds of these organizations through an agency fund relationship. In his book, “University Finances: Accounting and Budgeting Principles for Higher Education,” Dean O. Smith states: 

    “Agency funds come from nonuniversity sources. The University serves as custodian of these funds. Accordingly, the funds ‘flow through’ the university, with the sources that provide the funds having the sole discretion over expenditures. Agency funds are not reported as university income and expenditures, as these sources are not considered official units of the university.” To understand the true nature of agency funds and associated costs, it is important to perform a detailed review of each affiliated organization and its history. A thorough examination of your university’s agency fund budgets may reveal that affiliates are driving up overall costs and may help to identify opportunities for cost savings or recovery. The following are some areas to consider when reviewing agency fund budgets:

    1. Payroll – This includes the cost of employing individuals at the university to manage or perform work for outside organizations. In some cases, universities do not allow payroll to be charged directly to an agency fund. Instead, the outside organization must transfer money from the agency fund to the university to cover payroll costs for employees who are funded by the university. Available documentation should identify payroll costs associated with the organization and explain to what extent the university is responsible for covering salaries, fringe benefits and other costs.
    2. Administrative Fees – These may include payment processing services (accounts payable), telephone service, copying and printing charges, postage and other charges. The university may be able to recover funding by charging the affiliated entity for various administrative items currently provided at no cost.
    3. Rent – Affiliated entities which list a campus address as their business address often operate within university facilities. Depending on the nature of the organization, they could be utilizing more than just office space. Sports camps, for example, which tend to operate as LLCs run by coaches, require the use of athletic facilities.
    4. Risk Management and Legal Liability – Management should consider whether affiliated organizations bring additional risk exposure to the university. This assessment depends on the type of organization and the liability associated with its activities. For example, if an individual is injured on campus while participating in an affiliated entity’s programming, is your university liable?
    5. Overdrafts – During periods of economic downturn, these types of organizations often struggle and could be operating at a deficit, which the university may ultimately need to cover. Budget administrators should review the budgets of affiliated entities for which they have oversight to ensure the entity’s deposits fully cover their expenditures. In the case of recurring overdrafts, the university should consider terminating the agency fund relationship. Alternatively, the university can develop a payment plan and invoice the affiliated entity. 

          Affiliated entities provide many positive experiences for students and employees. However, the agency fund relationship can result in excessive costs to the university if proper controls and oversight are not in place. Internal auditors are uniquely qualified to provide management advisory services regarding these kind of relationships. Such reviews may help to enhance efficiency and identify costs that may be weighing on the university’s finances.

          Auditing Pandemic Relief Funds: A Uniform Guidance Approach

          Since March of 2020, many colleges and universities have been fortunate to receive millions of dollars of COVID-19 federal aid in the form of Higher Education Emergency Relief Funds (HEERF I, II and III), Coronavirus Relief Funds (CRF), Governor’s Emergency Education Relief Funds (GEER) and Federal Emergency Management Agency (FEMA) grants. Internal audit departments play an integral role in verifying compliance with the terms and conditions for each program, especially prior to the final report submission and before the arrival of external auditors. However, each program has unique allowability, timing and reporting requirements which can be challenging to audit. 

          Non-federal entities that expend $750,000 or more in federal relief funds in one year are subject to a Single Audit, which focuses on ensuring compliance with applicable Uniform Guidance requirements. Creating an audit program based on Uniform Guidance requirements provides alignment with external auditors while testing internal adherence to program standards. The Uniform Guidance requirements most applicable to the majority of pandemic funds are outlined below, along with corresponding controls and test steps.

          Activities Allowed/Unallowed and Allowable Costs/Cost Principles

          The following audit procedures provide a methodology for testing federal award spending for allowability in compliance with program requirements and grant agreements:

          • Assess the design and effectiveness of the invoice review process, budget-to-actual cost comparisons and controls that detect, correct and prevent unallowable costs.
          • Select a sample of expenses and verify allowability and the existence of supporting documentation. HEERF expenses require a nexus to COVID while FEMA costs may be limited to Personal Protective Equipment (PPE). CRF expenditures must be necessary, COVID-related and not listed in the organization’s budget.
          • Review the expense descriptions in the final report and investigate any that do not appear allowable.
          • Review any payroll expenses and verify positions were substantially dedicated to COVID-related work.
          • For HEERF I student awards, verify monies were issued directly to qualifying students.

          Cash Management

          Federal funds must be tracked and spent on immediate needs. While cash management may only be required for funds provided by HEERF, all institutions will benefit from verifying that federal program funds are appropriately tracked. Audit procedures should include the following:

          • Determine whether the accounting method used to track the receipt and expenditure of funds is reasonable and consistent. 
          • Confirm that there is an appropriate level of supervisory review over the cash management process.
          • Run a transactions report and compare it to program reports for completeness and accuracy.
          • Verify receipt of funds and agree amounts with the award notification.
          • Test the controls in place to prevent “double dipping” amongst other pandemic funds.
          • Verify a sample of expenses for the existence of approvals prior to purchase.

          Matching and Earmarking

          Matching pertains to a specified percentage of funds allowed to be used towards particular expenditures, while earmarking is the minimum or maximum spending permitted on specified activities. To test these requirements for HEERF programs: 

          • Inquire how funds are tracked in the accounting system and whether there is an appropriate level of supervisory review of the matching and earmarking requirements.
          • Verify student spending met the minimum requirements, as follows:
            • HEERF I – at least 50% of the institution’s allotment.
            • HEERF II – the same amount issued to students as in HEERF I; for-profit institutions must use 100% of their allotment on student grants.
            • HEERF III – at least 50% of the institution’s allotment; for-profit institutions must use 100% of their allotment on student grants.

          Period of Performance

          Federal funds must be used only during the authorized period of performance, which varies by fund. Note that extensions may apply. Audit procedures may include the following activities:

          • Determine if there are controls in place to prevent expenditures outside the specified period, such as:
            • Accounting system limits
            • Review of disbursement dates and cut-offs
            • Timely management review of budget-to-actual reports
          • For a sample of transactions, review invoices and other support to verify the occurrence of the expenditures during the period of performance.
          • Review the dates of expenditures on the final report for appropriateness.

          Reporting

          Federal funds must be reported timely and accurately based on program requirements. Reporting may be financial or performance-based. Financial reporting captures program expenditures as prescribed, while performance reporting shares how goals and objectives were met. Consider performing the following procedures:

          • Obtain the reports for each reporting period and verify they were submitted timely. For HEERF, verify your institution’s website included all the required public disclosures.
          • Ensure reported amounts agree with the general ledger and accounting system records.
          • Verify that the correct accounting method (cash or accrual) was utilized.
          • Confirm required supporting documentation was submitted in the appropriate format.
          • Ensure that the reports were appropriately reviewed prior to submission.
          • Review CRF performance reports to ensure the underlying data agrees with the financial reports and stated achievements and that it accurately reflects progress towards goals.

          Subrecipient Monitoring

          All pandemic relief funds are also subject to Uniform Guidance requirements related to subrecipient monitoring, where applicable. Testing should be designed for programs or areas where subrecipients are utilized. 

          Conclusion

          By aligning pandemic fund audit programs with Uniform Guidance compliance requirements, you can test program requirements and add value by addressing areas that will be covered during the Single Audit. This model also saves time, as it can be applied to all pandemic funding programs. 

          The Uniform Guidance sections applicable to each program are summarized below:

          HEERF CFDA 84.425 E,FCRF
          CFDA 21.019          		FEMA
          CFDA 97.036          		GEER
          CFDA 84.425C
          Activities Allowed or UnallowedYYYY
          Allowable Costs/Cost PrinciplesYYYY
          Cash ManagementNNNY
          Matching, Level of Effort, EarmarkingYNNY
          Period of PerformanceNYYN
          ReportingYYYY
          Subrecipient MonitoringYYYY
          Table of applicable Uniform Guidance sections.

          References

          Department of Education:  https://www2.ed.gov/about/offices/list/ope/caresact.html 

          NASFAA HEERF Comparison Chart: https://www.nasfaa.org/uploads/documents/HEERF_Funds_Comparison_Chart.pdf 

          2 CFR Part 200, Appendix XI 2021 Compliance Supplement: https://www.whitehouse.gov/wp-content/uploads/2021/08/OMB-2021-Compliance-Supplement_Final_V2.pdf 

          Letter from the President

          Dear ACUA Colleagues,

          I hope everyone is enjoying the autumn season! Before we know it, the holidays will be rolling around.

          Many of you were able to attend ACUA’s first hybrid conference: AuditCon 2021! Before discussing the conference itself, let’s pause and thank the dozens of volunteers who serve our organization so proudly. These events are incredibly difficult to pull off, even in the best of circumstances. Add in a global pandemic, and it is quite remarkable that our dedicated professionals, who have very busy lives, were able to create such a success!

          This year’s AuditCon boasted a wide array of dynamic speakers who shared their knowledge on a variety of emerging and important topics. Whether you were there in person, attended virtually or are considering how best to participate going forward, this hybrid event marked a Pivot Point in our organization’s storied history. We look forward to sorting through your feedback to determine what worked well and what can be improved for next year. As we consider how to position ACUA going forward to best serve the needs of our membership, we will remain alert for additional opportunities to ensure continued success.

          Lastly, a special thanks to our Immediate Past President, Patti Snopkowski of Oregon State University, for her stellar leadership in a challenging time. It will be difficult to fill her shoes, but I look forward to working with all of you in the coming months as we close out 2021 and look ahead to everything the new year holds.

          Sincerely,
          Brian Daniels, University of Tennessee
          ACUA President