Data Privacy Primer: Regulations & Risks

Privacy Background

What is this concept of “privacy” we hear so much about in today’s news? Where did privacy originate, and why does it matter? In this article we will define privacy, discuss its importance and review some applicable laws.

The modern-day concept of privacy is often attributed to Samuel Warren and Louis Brandeis’ 1890 essay “The Right to Privacy,” in which they acknowledge “the right to be let alone” in their argument that existing laws facilitate individual privacy protections. Privacy is generally defined as the right to be let alone, or freedom from interference or intrusion. The International Association of Privacy Professionals defines information privacy as “the right to have some control over how your personal information is collected and used.” However, the meaning of privacy may vary depending on an individual’s, organization’s or country’s perspective. For some, privacy means being protected from data breaches or identity fraud. For others, privacy is a fundamental right related to personal and family life, home and correspondence.

When we refer to privacy, we are referring to those elements comprising personally identifiable information (PII). Examples include, but are not limited to, name, date of birth, physical address, phone number, Social Security number, financial account numbers (e.g., bank account and credit card numbers) and protected health information. Privacy principles created and defined by the Organization of Economic Cooperation and Development in 1980 form the backbone of privacy laws and privacy protection frameworks worldwide. The following elements of these principles are found throughout most privacy regulations:

Collection Limitation: Data collection should only take place with knowledge and consent of the affected individual or data subject.

Data Quality: Information should only be collected which is relevant and accurate for a particular purpose.

Individual Participation: An individual should be aware that their information has been collected and be able to access it.

Purpose Specification: The intended use of personal data must be known at time of collection, and data should not be arbitrarily collected.

Use Limitation: Collected data is to be used only for purposes specified at time of collection, not broader future use. Consent should be secured from data subjects for use of data for other purposes.

Security Safeguards: Reasonable measures must be taken to protect data from unauthorized use, destruction, modification or disclosure. Most laws reference reasonable and appropriate security measures based on risk determination rather than perfection.

Openness: Data subjects should be able to contact the entity collecting or storing their information to ascertain types of data collected.

Accountability: Data collectors should be accountable for adhering to these principles. Ideally, there should be a person in the organization dedicated to ensuring privacy principles are followed. The concept of a data protection or privacy officer originated with this principle.

Defining Key Concepts

While data privacy focuses on the use and governance of PII, data security focuses on protecting PII from malicious attacks and improper disclosure. Privacy cannot be protected without an associated security component.

Privacy professionals frequently reference Privacy by Design, a proactive and intentional approach where privacy is the default in technology system design and is considered at the earliest stage [1]. As opposed to an ad hoc approach, where privacy discussions take place in later stages of system development, the Privacy by Design framework is applied to the data life cycle from creation through collection, storage, archiving, de-identification and deletion.

PII processing refers to any operation or set of operations performed on personal data whether or not by automated means. It can refer to data collection, recording, storage, retrieval and erasure.

With these definitions in hand, let’s explore why privacy is important in today’s world.


Importance of Privacy

An individual’s privacy is a fundamental right and is closely connected to human dignity. It is the foundation on which other human rights are built. Privacy protects against the abuse of power by limiting what can be ascertained about individuals and providing shelter from those who may wish to exert control. Ensuring individual privacy protects us from the arbitrary and unjustified use of power by states, companies and other actors.

However, data is an increasingly valuable asset. With the rise of the data economy, organizations and nation-states have found significant value in collecting, sharing and using data. Companies like Amazon, Facebook and Google have built their organizations on data [2]. Collecting data provides organizations with the power to explain, predict and even control behavior. This is particularly valuable for advertising and marketing endeavors. For example, Netflix uses data analytics for targeted advertising. With over 100 million subscribers, Netflix collects large volumes of data. If you are a subscriber, you are familiar with how the company provides suggestions for the next movie you should watch by using your search history and viewership data. This data gives them insights into your interests. Without proper regulatory protections and legal recourse, you would have little control over how Netflix and other companies use and share your personal data.

In her 2019 book titled “The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power,” Shoshana Zuboff discusses how surveillance capitalism is an economic system centered around commodification of personal data with the core purpose of profit-making. Commodification makes personal data a valuable resource. Zuboff points out that tech companies and other corporations are mining users’ information to predict and shape their behavior, undermining personal autonomy and potentially eroding democracy.

Primary Privacy Laws

But surely there are privacy laws that provide protection against this abuse of personal data?

Unlike Europe, the U.S. has enacted a patchwork of privacy laws generally targeted to protect consumers. The Federal Trade Commission (FTC) serves as the primary federal enforcer of consumer data privacy and security laws for many businesses. Enforcement centers around fraud, deception and unfair business practices. Institutions that violate consumer privacy rights or mishandle sensitive consumer information may face legal enforcement actions brought by the FTC and state authorities. The U.S. Department of Health and Human Services (HHS) governs health protections focusing on compliance guidance, with the Office of Civil Rights (OCR) acting as the enforcement arm for HHS privacy regulations.

U.S. laws to be aware of in the education and health care sector (i.e., those that affect academic medical centers) include:

Family Educational Rights and Privacy Act (FERPA) gives parents and students certain protections pertaining to student education records such as grade reporting, transcripts, disciplinary records, contact and family information, and class schedules. FERPA requires student or parent written consent for release of educational records.

Children’s Online Privacy Protection Act (COPPA) protects the privacy of children under 13 years of age. It requires website or online service providers request parental permission to collect data on children and stipulates how the data can be processed and held.

Gramm-Leach-Bliley Act (GLBA) requires financial institutions, defined as companies offering financial products or services, to explain information sharing practices and protect against unauthorized access to, or use of, personal information that could result in substantial harm or inconvenience to a customer. GLBA stipulates financial institutions appropriately ensure the security and confidentiality of customers’ information.

Health Insurance Portability and Accountability Act (HIPAA) is designed to protect the confidentiality and security of a patient’s health care information, defined as any information identifying the past, present or future physical or mental health of an individual. It includes all communication media, whether written, verbal or electronic. HIPAA includes the Privacy Rule, which protects a patient’s right to keep health information private, and the Security Rule, which requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information. HIPAA violations can result in significant penalties for noncompliant organizations and individuals.

In addition to these federal regulations, various states have enacted privacy laws to protect personal data in the consumer setting. Most notably, California enacted the California Consumer Privacy Act (CCPA) which is designed to protect the privacy rights of California’s citizens. It gives consumers the right to control how companies collect and use their personal data. Some states have already enacted similar laws, or carved out exceptions for the federal regulations, and more are expected to do so in the coming years. 

From an international perspective, institutions should be aware of country-specific privacy laws. Most notably, the General Data Protection Regulation (GDPR) requires organizations to ensure that personal data of European Union citizens is gathered legally and under specific conditions. Institutions that process personal data are obliged to protect it from misuse and exploitation and to respect data subjects’ rights. Those who fail to do so may face significant penalties. GDPR requirements spurred the development of privacy policies (and cookie banners), in which organizations offer transparency into their data collection and management practices.

Conclusion

As more attention is focused on privacy, both internationally and domestically, consumers and clients will increasingly expect institutions to protect their personal information and embed privacy considerations into their business strategies. In a report published in November 2019 as part of Cisco’s Cybersecurity Series, “Consumer Privacy Survey, The Growing Imperative of Getting Privacy Right,” 2,601 adults, or 32% of respondents, stated that they care about privacy and had already taken action by switching companies or providers in response to data policies or data sharing practices. Along with the increase in privacy regulations worldwide, this should be a catalyst for organizations to establish or update their privacy programs.

In the second part of this article, we will explore areas auditors should consider reviewing when evaluating functions and processes involving personal data.

References

1) Deloitte, GDPR Top Ten #6: “Privacy by Design and by Default”; Shay Danon; February 2017
2) MIT Technology Review: “It’s time to rein in the data barons”; Martin Giles; June 19, 2018

Letter from the Editor

Hello fellow ACUA members!

My name is Claire Thomas, and I am delighted to be the new editor for College and University Auditor. First, I’d like to thank the prior editor, Jackie Pascoe, for her many contributions to the journal. I have enjoyed getting to know Jackie, and I have great respect for her work with ACUA. I would also like to thank our deputy editor, James Merritt, for his assistance with my transition into this role.

For those of you who don’t know me, I am the Audit Manager for the Internal Audit & Advisory Services department at Boston University. Prior to that, I worked alongside James for several years as a Principal Auditor at Duke University, and I welcome this opportunity to collaborate with him again!

I have always enjoyed the unique challenges and opportunities associated with working in higher education. Our institutions are constantly evolving, and as auditors, we must be innovative and agile in order to meet their needs. Our ACUA network plays an important role in fostering this commitment to continuous growth and professional development, and I am excited to be taking part in such an important objective. I look forward to working alongside our members as they continue to share their insights, resources and experiences with the broader ACUA community.

This issue of the journal brings workplace culture to center stage. After the turmoil and pressures of the last year, conversations about culture have likely been relegated to the back burner. But as many of our organizations begin to resume in-person work, this topic is becoming increasingly important. What kind of environment awaits us when we return? In this issue, Sabine Charles provides recommendations for how internal auditors can enhance client relationships and overall success through emotional intelligence. Jennifer Roberson and Chrissy McKeown share their insights and discuss strategies related to delivering effective feedback, while Harold Lederman offers tips on how to improve client relationships throughout your audit. In addition, Jaime Fernandez discusses how to support and partner with your athletics department. Finally, the journal team has tabulated your responses to our recent survey on workplace culture. Our article offers results, insights and a few takeaways.

The content of this and every issue of College and University Auditor is made possible by the contributions of knowledgeable professionals throughout our community. Please consider sharing your experience and expertise with us. The journal team is always happy to assist in developing your ideas or fine-tuning your article. Feel free to reach out to me with questions, comments or ideas for future articles at editor@ACUA.org, or contact me by phone at (617) 353-3324.

Thank you for your time, and I hope you enjoy this issue of College and University Auditor!

Sincerely,
Claire Thomas

How to Improve Your Audit Product

Professionals are generally aware that the final deliverable of a product is judged on more than the quality of the service itself. A client’s overall perception throughout an engagement plays a vital role in their satisfaction and cooperation with internal audit. This article provides suggestions on how to improve the overall audit product and relationships with audit clients.

1. Make it clear that you are there to help

Ask the client how internal audit can help. A great way to start the conversation is by asking for a list of process improvements over a period of time (e.g. two years) and then verifying that they were implemented. Depending on the structure of the institution’s audit report, process improvements should be addressed first, if they are included in the report. If they are not included in the official report, auditors should outline process improvements in an informal memorandum or discuss them verbally with the client.

Additionally, internal audit can provide assistance to clients through the audit report, which can be leveraged to help the client achieve their goals. For example, making recommendations and highlighting areas for improvement may have more impact when included in an audit report and suggested in this formal manner to senior leadership. However, it is important to keep in mind that internal audit should not be involved in any implementation of these recommendations to maintain independence and objectivity.

2. Use proper terminology when addressing clients

In the business world, clients are generally referred to as, well, clients. Avoid addressing clients in ways that could have negative connotations, such as “entity under audit” or “auditee.” It may be helpful to think from the client’s perspective on how it might feel to be audited and referred to as the auditee. Being respectful and friendly to the client during communications will help with the intimidation factor that clients may feel when being audited. 

3. Put clients at ease

For many clients, learning that they are being audited or even meeting with internal audit induces a level of fear or anxiety. While it seems that auditors are stereotyped as scary intruders who want to upset the status quo, it is helpful to gently remind clients this is not the case and work to change their perspective. The following suggestions offer some ideas that may help convey that internal audit wants to collaborate with clients to achieve mutual goals:

  • Start the audit with Preliminary Information Gathering (PING) meetings. This allows internal audit to gather history and become familiar with the client’s operations. This information can then be used to shape the audit program. 
  • Document internal audit’s understanding in writing and distribute it to stakeholders, requesting confirmation that it is correct. To further demonstrate that internal audit seeks to collaborate with the client, suggest in the communication that stakeholders make comments and edits as they see fit.  

4. Report audit findings in context

Research the history of the audit area (e.g. changes to systems, processes or personnel) by using the client’s institutional knowledge and other resources. Including this information in the audit scope shows both stakeholders and leadership that internal audit has made a genuine effort to produce a quality, relevant deliverable.  

Example: Internal audit discovers that the database the client is using has duplications and errors. Internal audit becomes aware that the audit area had four directors in the last four years and that the data was managed by many individuals over this period. The current data manager has held the position for six months and made many improvements to fix the database. Internal audit highlights the data manager’s efforts during ongoing discussions and in the audit report. As a result, internal audit gains the trust and appreciation of the client and management, thereby developing the foundation for a great relationship.

5. Use graphics and other tools to emphasize your points and make them easily understood

The success of many online platforms depends on their ease of use and simplicity. Twitter, for example, limits messages to 280 characters. The most common length of a tweet is 33 characters. Historically, only nine percent of tweets hit Twitter’s former 140-character limit; now it is only one percent.

Another online platform, Pinterest, utilizes images, videos and text – infographics – that allow users to discover information through various means. As of the publication of this article, there are over 200 billion pins on Pinterest, and 87% of Pinners have purchased a product because of Pinterest.

The use of tables, graphs and slides can appeal to end users (e.g. stakeholders and leadership) and increase engagement during the presentation of a deliverable. Additionally, presenting a deliverable with PowerPoint seems to be underutilized in our profession. Introducing this as a method to present audit information and harnessing its formatting capabilities (e.g. fonts and color themes) can amaze management.  

6. Present executive highlights that convey some of the detail, and the entire picture, at the same time

While this may sound like a contradiction, here is how it is done. Auditors love spreadsheets, replete with formulas, tiny explanations, footnotes and other auditing paraphernalia. But, more often than not, it is only auditors who truly care about them. Management and clients want straightforward, easy-to-understand summaries. Therefore, consider highlighting – and succinctly conveying – major points with only as much detail as needed to clarify and support internal audit’s findings. These major points should be mutually exclusive and collectively exhaustive (MECE), which means they should stand alone and, together, present the complete picture. This allows internal audit to integrate the findings and recommendations in a way that conveys the total picture.  

In summary, internal audit can improve the quality of audits and relationships with clients by adhering to a few basic principles. Convey the idea that internal audit wants to help, treat clients respectfully, and keep the audience in mind when writing and presenting the audit report.  

Employee Engagement in 2021: What’s Feedback Got to Do With it?

The definition of “feedback” in the Merriam-Webster dictionary is: “the transmission of evaluative or corrective information about an action, event, or process…”[1] As auditors, we should be great at this. We constantly give and receive feedback on our work through review notes. We should be masters of feedback!

But are we?

It doesn’t take much searching on the internet to find articles related to the latest and greatest team members in offices across the United States. Individuals from the Millennial and “Gen Z” demographics make up a growing percentage of the workforce, and research suggests that they want more feedback from their employers.

They aren’t alone. Lately, it seems that everyone would like more feedback. As a result, human resource departments have developed new strategies, such as upward, downward, anonymous and 360-degree performance feedback.

But employees don’t just want to receive more feedback; they also want it to be timely and constructive. To assist companies in meeting these expectations, HR software companies offer tools designed to generate feedback in real-time. For example, after giving a presentation, their systems allow you to send a request for immediate feedback using an app!

Many of us in leadership positions are expected to attend classes about how to give feedback, how to receive feedback and how to be candid with team members. In these classes we are taught opening phrases like: “Is now a good time for me to give you feedback?” We’re also told to “mirror” what we hear when we receive feedback by asking questions like: “Did I hear you say that I need to work on my communication skills?”

There are a plethora of books, articles and business journals full of information about better ways to give feedback. You may have picked up books along the way to help you have “Crucial Conversations,” maintain “The Growth Mindset” to fulfill your potential or discover how “The Feedback Imperative” will speed up your team’s success. These books provide specific tools to improve communication, stay open-minded and build resilience that is essential for living up to our potential. This is just a small sample of the resources available on this topic.

The 2017 State of the Global Workplace report[2] by Gallup lists six broad changes that organizations need to make to attract and retain the newest U.S. workforce generation. Two of these focus on feedback and emphasize the need to transition from a “boss” to a “coach” and from having “an annual review” to holding “ongoing conversations.”

Not long ago, a “60 Minutes” episode featured Bridgewater, the world’s largest hedge fund, which was founded by Ray Dalio. Mr. Dalio decided to build his company around a commitment to “radical transparency.” His book, “Principles,” is centered around this idea and offers 210 prescriptions for work and life. He believes that the way to be successful is to see the world clearly, no matter how positive or negative the reality is.

Every meeting at Bridgewater is videotaped and archived. These tapes are made available for all team members in the company to view in their “Transparency Library.” Employees are also able to score their colleagues in real time on an iPad after calls, meetings or other interactions. Bridgewater calls these real-time ratings a “baseball card.” Its intent is to hold each individual accountable for who they really are.

Because of his organization’s extreme stance on feedback, Dalio admitted that 30 percent of new hires leave within 18 months. But those who value the transparency and honesty stay.

Since research indicates that people want more frequent and robust feedback, then as the individuals responsible for employee engagement, our job is to help our team members get better at giving and receiving feedback.

At Stinnett, we’ve been focused on culture and employee engagement since 2014. We focus on building the culture that our team members want at work. Creating core values, guiding principles and a “why” statement that are authentic to who we are has required significant effort. Our culture was not manufactured by top leadership, but was created organically, by the team and for the team. This has allowed us to build a safe environment that encourages individuals to join and stay with the organization. This year, we were thrilled to earn a spot on the Great Place to Work’s Best Workplaces in Consulting and Professional Services. [3]

We’d like to provide you with four items that we believe must exist to make feedback work. We call these the STAR approach to feedback.

STRENGTHS – We know our team members want opportunities to learn and grow. We also understand that an individual’s greatest opportunity for growth and success is in their areas of strength, not weakness. Providing strength-based feedback inspires next-level performance.

As auditors, we are hardwired to review for errors. When we are reviewing the work of others, our first instinct is to look for mistakes and opportunities for improvement. Typical feedback also attempts to correct any negative behaviors or weaknesses. But research indicates that focusing on employee weaknesses doesn’t improve performance. Yes, critical feedback is sometimes necessary, but performance will be improved when feedback focuses on strengths as well as constructive criticism.

TRUST – We believe that no matter how many books you read or what software your organization invests in, feedback is only received well when managers first build trust. If you want to influence performance, people need to know you are interested in their development as a person. There is a quote, often attributed to Theodore Roosevelt, that we reference frequently when thinking about feedback: “They don’t care how much you know, until they know how much you care.”

Building trust begins with clarifying expectations. Each employee should be aware of their role and goals on the team or on the project, including discussions of appreciation for the employee’s strengths and the development opportunities the project brings. Once the project begins, the supervisor should check in with the employee frequently to stay abreast of their short-term priorities. This helps them see that the supervisor is invested in their day-to-day reality. Once or twice a month, managers should have a more in-depth conversation that focuses on short-term and long-term goals and priorities. This conversation deepens trust, as it is a frequent reminder that the supervisor is invested in the employee’s development and ensures that the goals set in the expectations discussion are being addressed.

ACCOUNTABILITY – What accountability looks like in feedback is the creation of agreements. If the manager has developed trust with the employee and provided clear expectations and ongoing communication, there is an agreement made that the employee will fulfill their obligations or communicate when they can’t. When these agreements are broken, either due to lack of clear communication or unfulfilled responsibilities, both parties must acknowledge their role in the broken agreement and agree to move forward. The underlying element of trust in the relationship allows each party to move on without blame.

RECOGNITION – In Marcus Buckingham and Ashley Goodall’s latest book, “Nine Lies about Work: A Freethinking Leader’s Guide to the Real World,” they dispel many of the accepted truths of the workplace today. Their fifth lie in the book is titled: “People Need Feedback.” Here, they argue against the theory that all people need feedback. Their research suggests that there are three theories related to feedback that are untrue. While we can’t hash out those three false beliefs in this article, they do reveal the truth that people need attention. Yes, feedback is attention. But Buckingham and Goodall argue that positive attention is 30 times more powerful than negative attention in creating high performance. The end goal should be to pay attention to what is working and help people build on it. Giving recognition and appreciation might be the most underused tool for increasing engagement and wellbeing.

Based on Gallup’s State of the Global Workplace report, employees in today’s workforce expect their managers to coach them. If you want employees who are engaged and high performing, we challenge you to utilize the STAR approach to feedback. Know and understand your employee’s STRENGTHS to create a field of inclusion and celebrate differences. Ensure you provide an environment of TRUST. Use ACCOUNTABILITY to promote a culture of reliability, and provide appropriate positive RECOGNITION and appreciation to increase positive energy across your entire team.
 
Further Reading:

  • “Crucial Conversations: Tools for Talking When Stakes Are High,” by Kerry Patterson, et al.
  • “The Feedback Imperative: How to Give Everyday Feedback to Speed Up Your Team’s Success,” by Anna Carroll
  • “The Growth Mindset: A Guide to Professional and Personal Growth,” by Joshua Moore and Helen Glasgow
  • “Nine Lies About Work: A Freethinking Leader’s Guide to the Real World,” by Marcus Buckingham and Ashley Goodall
  • “Principles: Life and Work,” by Ray Dalio
  • “StrengthsFinder 2.0,” by Tom Rath

References

  1. “Feedback.” Merriam-Webster.com Dictionary, Merriam-Webster, https://www.merriam-webster.com/dictionary/feedback. Accessed 22 Jun. 2021.
  2. Gallup. State of the Global Workplace. Gallup Press, December 2017.
  3. Great Place to Work. “Working at Stinnett & Associates.” (Certified Oct 2020-Oct 2021 USA). Great Place to Work®, www.greatplacetowork.com/certified-company/7022171.

Providing Value in the World of College Athletics

Many institutions have an athletics department (Division I, II or III), which presents a myriad of challenges for both institutional administrators and auditors. In addition to the traditional “big three” risks for athletics departments (student-athlete recruiting, financial aid and eligibility), societal pressures have created a plethora of dynamic risks:  

  • Name, Image and Likeness (NIL) – National Collegiate Athletics Administration (NCAA) regulations will now allow student-athletes the opportunity to make money from their name, image or likeness. With this new opportunity come potential risks like: (a) gauging fair market compensation for athletes who are contracted under NIL, (b) agent participation and regulation, and (c) differences in contracts for alcohol and gambling at private versus public schools.
  • Knight Commission Guidance – This is a commission of university presidents, former athletic directors and other leaders. Risks are related to changes in their guidance in December 2020, which included recommending that:
    • A new entity be created, independent of the NCAA and funded by the College Football Playoff Committee (CFP), to oversee football in the Football Bowl Subdivision (FBS) and manage all related issues (e.g. athlete education, health and safety, revenue distribution, litigation, eligibility and enforcement).
    • The NCAA continues to govern all other sports, including football in the Football Championship Subdivision (FCS) and men’s basketball, under a reorganized governance system that would establish equal voting representation for all Division I conferences.
    • The NCAA and the new FBS football entity adopt governing principles to “maintain college athletics as a public trust, rooted in the mission of higher education” and prioritize student athletes’ education, health, safety and success. [1]
  • COVID Relief – Many institutions received federal funds from the Coronavirus Aid, Relief, and Economic Security (CARES) Act. Risks associated with CARES relief include providing funding to student athletes who are ineligible and using money to upgrade athletic facilities. 
  • Financial Pressures Due to the COVID-19 Pandemic – The financial risks associated with the COVID-19 Pandemic include: (a) loss of ticket revenue, (b) increased financial aid obligations due to the NCAA granting athletes an extra year of eligibility, and (c) potential increase of operational expenditures due to the need for more cleaning staff, contact tracing and testing.
  • Student-Athlete Health –  Potential student athlete health risks may be physical, arising from overtraining or unsafe practicing, or mental, due to academic and athletic pressures. 
  • Vaccine Distribution – There is concern over the equity of vaccine distribution and whether  athletes and coaches will be prioritized over other populations.
  • Donor Compliance – The athletics department must utilize funds in accordance with donor restrictions. Additionally, donors may put pressure on the institution’s administration to retain unpopular coaches, not move to a desired conference, play or not play a particular rival, or change longtime traditions.
  • Concession Vendors – The athletics department may not always receive its agreed-upon share of revenues from third-party concession contracts.
  • Construction Audits – Construction projects generate significant capital expenditures and may encounter contract compliance issues.
  • Conflict of Interest – Coaches may not report all camps for which they are compensated.
  • Minors on Campus – Minors coming onto campus for athletics camps must be protected from physical, sexual and mental abuse. 
  • Athletics Fees – The athletics department should be compared to its conference/national peers to determine how fees are utilized and reported. [2] 
  • Team Roster Management – Due to new rules, student athletes may transfer without any penalties.

So Where Does Internal Audit Begin?

Develop Relationships with Key Stakeholders in Athletics

  • Work on your relationship with the school’s Athletics Compliance Office (ACO). Ideally, aim to meet with the ACO at least once a quarter. This may be a challenge and will likely take a considerable amount of effort. To achieve this goal, let them know how it benefits them. For example, identify opportunities for improved controls that are not only more effective, but also more efficient for the ACO to monitor.  
  • Set up a periodic meeting with the Athletic Director (AD) to determine if there are emerging risks or current areas of concern. 
  • Talk to your institution’s athletics academic staff to gain insight into potential risk areas around eligibility and financial aid. This discussion may include staff members from the Offices of the Registrar, Admissions and Financial Aid. 

  • Have conversations with coaches and student-athletes to gain insight into additional risks. For example, it may become apparent that the institution lacks adequate athletics compliance training.
  • Finally, it is vital to build a relationship with the school’s faculty athletic representative and, if possible, obtain a seat within the school’s athletic council. 

Use Other Athletic Resources

  • Contact ACUA members who have athletics departments or reach out to institutional audit shops within your athletic conference. Keep abreast of collegiate information through newspaper sites (e.g. local or large city newspapers) and other sports media (e.g. ESPN and Yahoo). These sites may provide straightforward explanations of new NCAA regulations.
  • Periodically refer to the following online resources. They may be helpful in identifying significant risks to your institution:
  • ACUA also has valuable resources available:
    • NCAA Compliance: Eligibility, Financial Aid, and Recruiting Kick Starter
    • NCAA Division I and II compliance audit guides

Tools for Athletics Work

Auditing athletics compliance through the use of athletics compliance software (ACS) can help to automate the process. Many athletics compliance departments use Front Rush ACS to help manage their athletics compliance activities. Internal audit may explore utilizing their athletics compliance department’s ACS, which has the following benefits: 

  • Athletics compliance will not need to use additional resources to provide documentation for audits.
  • Internal Audit can assist with some of the work required of athletics compliance. 
  • Internal Audit may identify gaps in internal controls and provide ideas for increasing effectiveness.

Additionally, NCAA Compliance Assistant assists athletics administrators with the management of student-athlete information to ensure compliance with NCAA regulations. This tool houses information on financial aid, eligibility and roster sizes, and may be downloaded and utilized by Internal Audit for analytical testing.

Data Analytics

As previously mentioned, data may be downloaded from NCAA Compliance Assistant, student information systems (e.g. Banner) and the institutional financial system. Consider performing the following procedures:

  • Test individual and team equivalencies with financial aid data. This may include working with Financial Aid and the ACO to obtain information on cost of attendance and aid not counted as athletic aid.
  • For eligibility testing, you may use the student information system to find courses where larger pools of athletes are enrolled. Subsequently, test their grades against the general student population for those courses.    
  • Compare student-athlete rosters in NCAA Compliance Assistant to student-athlete rosters in the student information system.
  • Within the student information system, review incoming freshmen and transfer admissions data to determine if student-athletes are admitted in accordance with institutional standards. Assess the validity of exceptions granted to student-athletes for admission after stated deadlines.
  • Download financial data for athletics and compare with previous year(s) to determine if there are significant variances and whether the variances are reasonable. 

Conclusion

We know the world of college athletics is important and makes significant contributions to our colleges and universities. These contributions include increases in donations, financial aid, brand recognition and camaraderie. However, these benefits and financial commitments are accompanied by additional risk. As Yogi Berra once said: “The future ain’t what it used to be.” By helping our colleges and universities address the risks of college athletics, Internal Audit has the opportunity to be creative, stay ahead of the curve and provide value.

References

  1. Andrews, Katlyn (Dec. 17, 2020). Knight Commission report – key implications of a FBS and NCAA split. Baker Tilly. From: https://www.bakertilly.com/insights/knight-commission-report-key-implications-of-a-fbs-ncaa-separation
  2. Connect ACUA e-mail (Dec. 10, 2020), Re: Athletics Brainstorming, Summary by Brian Daniels. 

Note: My sincere thanks to members of the ACUA College and University Journal editorial staff (Jackie Pascoe, James Merritt and Paul Harris) for their editorial contributions.

Workplace Culture in Higher Education: Embracing Empathy

The focus of the summer 2021 issue of College and University Auditor is workplace culture, a topic which has moved to the forefront as employees assess their current work situation. ACUA members contributed articles related to emotional intelligence, professional feedback and changing stakeholders’ perceptions of internal audit. In this ConnectFurther article, we examine another component of workplace culture: empathy. Here, we provide some insight into what empathy is and how it can be utilized to enhance overall culture. We also reflect on the results of the workplace culture survey created by the ACUA journal staff. This survey asked our members how they view the culture at their workplaces and what methods they have introduced to foster a positive workplace environment.

Empathy is defined by the Cambridge Dictionary as: “the ability to share someone else’s feelings or experiences by imagining what it would be like to be in that person’s situation.”[1] While many of us were taught to be empathetic towards each other when we were young, exercising empathy in the workplace can be an entirely different challenge. For this to happen, we must all work to increase our awareness of and respect for the feelings, opinions, experiences and perspectives of our coworkers. This increased awareness may not happen overnight. However, by making this a focus of your institution’s communications and training, you can help to create an empathetic workplace culture. According to GovLoop[2], a knowledge-based training and thought leader for government and non-profit institutions, there are six key concepts related to fostering empathy in the workplace: Active Listening, Constructive Feedback, Emotional Intelligence, Conflict Management, Unconscious Bias, and Diversity, Equity & Inclusion.

Key Concepts

  1. Active Listening – This is the process of concentrating on the individual or individuals who are speaking, so that you can fully understand the information they wish to convey. Understanding what other people are trying to say is a vital component of being empathetic. In addition, active listening shows colleagues that you respect them and value their perspectives.
  2. Constructive Feedback – Constructive feedback is extremely important in fostering a positive workplace culture. Instead of pointing out every negative aspect of an employee’s performance, practice empathy by giving feedback that recognizes their strengths while identifying how they could be more effective. This can increase employees’ openness to your suggestions and strengthen your organization’s overall workforce.
  3. Emotional Intelligence – While active listening allows people to understand each other’s perspectives or situations, providing training that increases emotional intelligence helps employees stay cognizant of their colleagues’ feelings as well. This enhances the productivity of communication between employees and fosters a supportive workplace culture.
  4. Conflict Management – Training in this area can help employees understand their unique style of conflict management and determine the style used by their coworkers. This knowledge allows employees to better navigate disagreements by approaching them from a place of mutual understanding rather than judgment.
  5. Unconscious Bias – Everyone is susceptible to unconscious biases formed by the content they consume and the experiences they have throughout their lives. Bias-related training can help employees identify and understand their own biases. Combining this awareness with the other elements of empathy can help break down unconscious biases by cultivating meaningful, thoughtful relationships.
  6. Diversity, Equity & Inclusion – Promoting practices that hold individuals accountable for fostering diversity and inclusion also creates a positive, welcoming workplace culture. To ensure a more diverse workforce, examine processes such as recruitment and conflict resolution using the elements of empathy. Senior management can set the tone throughout the institution by providing an open, non-judgmental forum for individuals to share their experiences.
     

Survey Overview

The ACUA journal staff created a workplace culture survey to gain a better understanding of how these six concepts have been implemented across our institutions. We received 25 responses, with 80% of respondents indicating they work in the public sector and 72% stating that they work in an audit shop of one to five individuals. Of these respondents, 68% hold the title of manager, director or Chief Audit Executive. In addition, 92% have been with their institutions for three years or longer, allowing them ample time to gain a good understanding of both the current workplace culture and recent changes.

Detailed Results

The survey asked a series of questions related to workplace culture. The first question (see chart below) asked individuals to rate their satisfaction with their current workplace culture from one (dissatisfied) to 10 (satisfied). Our respondents were largely satisfied with the culture at their workplaces, with 84% rating their current employers between six and eight, and 92% rating their institutions six or higher.




Although our response data is not comprehensive enough to draw comparisons against other industries, the results indicate that our ACUA members feel generally positive about their current workplaces and the efforts underway to enhance workplace culture.

The next part of our survey explored which of the six key concepts of empathy respondents felt their organizations promoted or had taken steps to address. Over 90% of the respondents acknowledged that their institutions have taken steps to address Diversity, Equity & Inclusion. In contrast, only 33% recognized their organizations as promoting Empathy and Emotional Intelligence.



It is no surprise that the concept of Diversity, Equity & Inclusion ranked so high in our surveys, as this has been a hot topic in the United States of late. It is inspiring to see such a high percentage of our institutions actively working to address this issue and promote change. On the other hand, the relatively low percentage of organizations actively promoting Empathy and Emotional Intelligence highlights the challenges of implementing change in these areas.

The final question in our survey asked respondents to comment on methods their departments, organizations and institutions have utilized to promote these six key concepts. It is our hope that these responses may help to highlight steps that the rest of our community can take to continue building a positive workplace culture for everyone!

Approaches for Enhancing the Six Key Concepts of Empathy

  • Conducted mandatory training geared towards listening and communication
  • Established and required compliance with “Rules of Engagement” that address each of the six key concepts
  • Created open door policies and flexible scheduling
  • Formed Diversity, Equity & Inclusion committees to draft policies
  • Created a campus-wide Employee Engagement survey
  • Included Diversity, Equity & Inclusion in the university’s Strategic Plan
  • Created positions at the Vice President level to direct Diversity, Equity & Inclusion and Unconscious Bias training
  • Participated in a Franklin Covey[3] training series as a department
  • Embedded metrics centered around the six key concepts in the institution’s Human Resources review criteria

References

  1. Cambridge Dictionary. (n.d.). Empathy. In dictionary.cambridge.org dictionary. Retrieved June 29, 2021, from https://dictionary.cambridge.org/us/dictionary/english/empathy
  2. https://www.govloop.com/resources/empathy-in-the-workplace-a-govloop-toolkit/
  3. https://resources.franklincovey.com/culture-transformation

Letter from the President

Dear ACUA Colleagues,

Summer is upon us! You all deserve a long-awaited vacation with family and friends. I sincerely hope you take some time to kick back and celebrate all that we have accomplished and the new beginnings to come.  

If you joined us for the first annual virtual spring membership meeting, you already learned about the initiatives ACUA volunteers have been working on to continue to move our industry forward. The advocacy program, diversity and inclusive leadership efforts, and our new fall conference platform will help position ACUA and our industry for long-term success.   

Similarly, I hope this edition of the ACUA Journal provides some insight and inspiration as we look ahead to the next academic year. The articles collected here tap into the accumulated expertise of our ACUA community. Please consider taking the time to reach out to the authors to thank them for sharing their knowledge. You may get an idea for a future audit or article of your own or build upon your ACUA network.  

Our volunteers made the ACUA community thrive during the pandemic, and they deserve a special note of thanks. It is a pleasure to work with such a great community, and I hope to see many of you at ACUACon, whether you attend in person or virtually. 

Sincerely,

Patti Snopkowski

ACUA President 

Auditor as an Investigator?

As auditors, we are sometimes called upon to participate in investigations at our institution. Investigations may be the result of a financial fraud allegation, a complaint of time misappropriation submitted through an ethics hotline, or a management request regarding questionable travel and entertainment expenses. To some, the word “investigation” may be intimidating. In hopes of demystifying the process, this article provides general information on investigations, why they are performed, and what auditors should consider while conducting an investigation.

What is an investigation?

An investigation is a determination of facts related to a specific concern (or concerns) raised by an individual (e.g., via hotline complaint or management request) or, less often, as the result of an audit. The results of an investigation include determining whether the concerns are substantiated by assessing what happened, the timeline of events, and what policies or laws were violated. The matters under investigation often implicate an individual in wrongdoing, so they require a discreet, thorough, and independent analysis. Confidentiality is critical throughout an investigation to protect both a falsely accused person and the overall integrity of the process. While limited in scope, investigations focus on facts solely related to the concern(s) presented; provide all parties with an opportunity to be heard; and provide management with clear and concise findings, as well as potential recommendations when appropriate.

Why do auditors perform investigations?

As auditors, we are uniquely suited to perform the detailed, analytical work required to complete a thorough investigation. In addition, higher education auditors tend to have a breadth of institutional knowledge and an expansive professional network. We are independent, trained to recognize fraud red flags, and know what areas to focus on. Furthermore, there is a need—employee reports are the most common sources of uncovering fraud. Performing investigations exhibits to your institution’s community—students, faculty, staff, patients, visitors—that the institution is committed to an ethical culture rooted in honesty and accountability.

Auditor Considerations

General

  • Maintaining confidentiality is in the best interest of all parties involved in an investigation and should be discussed based on the nature of the investigation and parties involved
  • Review of documentation and interviews should be limited to the specific concerns raised
  • Availability of audit professional resources should be considered to complete investigations timely
  • Investigations inherently have increased litigation risk; therefore, the results (and supporting work-papers) of a given investigation may be subject to a subpoena if the matter is not resolved to either party’s satisfaction
  • All parties are entitled to an impartial, objective, and thorough investigation and have the right to be presumed innocent unless proven otherwise

Planning the Investigation

  • Understand the concern under investigation (interview hotline reporter or management, if necessary)
  • Identify, and request, any information necessary to substantiate the concern (e.g., general ledger, procurement details, Travel and Entertainment records, time system logs, emails, people to interview)
  • Review and identify any policies or regulations that may have been violated
  • Consider the amount of information provided by hotline reporters prior to moving forward with performing an investigation

Performing the Investigation

  • Follow procedures developed for audit investigation fieldwork and documentation
  • Maintain a document log as work-papers are requested, received, and prepared
  • Access to all documentation and work-papers should be limited to only those who have a need-to-know (i.e., Principle of Least Privilege)
  • All work-papers, both paper and electronic versions, are potentially subject to subpoena and must be maintained (refer to your institution’s record retention policy or general counsel for guidance)
  • Maintain open communication between team members, management, and peer units at the institution (e.g., Human Resources, Police Department, Compliance), disclosing only pertinent information for the investigation
  • Seek guidance from your institution’s General Counsel as to whether including “Confidential and Privileged”, or a similar statement, is appropriate to identify all work-papers, if included in the investigation’s legal documentation

Interviewing Key Participants

  • Conduct interviews in a location comfortable (and neutral) for you and the interviewee[1]
  • Identify pertinent questions requiring answers prior to the interview
  • Prepare for each interview individually (different interviews will warrant different questions)
    • Ask open-ended questions
    • Keep questions short and simple
    • Let the interviewee do most of the talking
  • Maintain an interview log (e.g., who, when, where)
  • Interview the individual accused of wrong-doing last

Reporting the Investigation Results

  • Write a straightforward report (i.e., concern, procedures performed, conclusion)
  • Consider the necessity of including supporting documentation as appendices to report
  • Determine who the report will go to and who will be included on the distribution list
  • Complete report writing timely (definition is subjective at each institution and the nature of the investigation)

Common Jargon

Becoming familiar with and understanding key terms will help you navigate an investigation with ease. Below are some terms and definitions commonly used during the investigations process:

| Term | Explanation |
|---|---|
| Allegation | Claim or assertion that someone has done something illegal or wrong |
| Arbitration | A form of alternative dispute resolution; a way to resolve disputes outside of court |
| Attorney/Client Privilege | Legal protection to keep communications between attorneys and clients confidential |
| E-discovery | Electronic information requested to be produced during litigation |
| Evidence | Compilation of documents and analyses supporting a conclusion |
| Grievance | Formal complaint raised by an employee within the workplace |
| Hotline | Reporting tool, typically with option to report anonymously |
| Hotline Reporter (or Complainant) | Individual initiating hotline report (or complaint) |
| Mediation | Dispute resolution using an impartial third party trained in specialized communication and negotiation techniques |
| Target (or Respondent) | Individual whom a hotline report is against |
| Participant | An individual interviewed and/or identified as a witness during an investigation |
| Subpoena | A court order commanding a person to appear in court |
| Substantiated | Results of an investigation support the concern/allegation |
| Unsubstantiated | Results of an investigation do not support the concern/allegation |

Table of common terms and definitions used in the investigations process.

Conclusion

In closing, remember we are all investigators. Use your auditor tool box to perform tests and analyses to assist in closing an investigation. Document everything and file it separately from other audit work-papers. Communicate often with the investigation team and ask questions of the investigation owner (whether inside, or outside of, your audit department). Utilize the experience to learn a new process and/or deepen working relationships within your institution. Learn more about partnering with other investigative units at your institution at ACUA’s Audit Interactive 2021.

[1] Given the current pandemic, interviews may need to be conducted virtually. To make a virtual interview as similar as possible to meeting in person, all parties should use video and be in a room without distractions.

Emerging Technologies’ Impact on Construction Audits

Introduction

The construction industry has historically been a slow adopter of technology, and rightfully so. The builders of our roads, homes, offices, and campuses need to be thoughtful when evaluating new technology that may impact safety and quality in exchange for speed and cost reduction. Consequently, the introduction of robotics, video monitoring, and automated quality controls has trailed behind other industries, such as manufacturing and distribution. Similarly, as the availability of digital information has increased, the implementation of automated construction audit techniques has lagged. However, high-speed wireless communication, handheld devices, and a need for labor force alternatives continue to drive construction technology innovation and adoption. Construction auditors must remain knowledgeable about the latest industry tools and understand how to evaluate new construction technologies’ impact on construction risk management.

Technology and Construction Project Data Automation

The most established technological advancements, such as GPS-enabled cranes and heavy/highway equipment with onboard performance metrics, enable operators to cut, grade, and measure moved earth with a high degree of precision. The equipment can be monitored remotely, which allows companies to track their exact location, operating hours, consumables, and environmental conditions. The existence of this data also provides information for construction audits. Rather than analyzing paper copies of supporting documentation, construction auditors may now utilize available digital technology to download equipment metrics and capture quantities moved, hours operated, and other pertinent equipment usage data quickly.

A large campus transformation project may include new buildings, new roads, and new underground infrastructure. This would require moving large amounts of dirt and parking contractor equipment at the jobsite, resulting in monthly bills for dirt hauling, aggregate purchases, and heavy equipment rental. To determine whether the quantities billed are representative of actual activity, an engineer could measure the dimensions of the dirt (i.e., how high and wide the dirt sits) to calculate the quantities moved.

Alternatively, the auditor could download the operating metrics from any cloud storage application to see the number of dump trucks that were on site, the trips each truck made, the weight of the product hauled, and the time spent loading and unloading. The auditor could then calculate cubic yards moved from the site to reconcile the trucking bill. A similar reconciliation could be performed using operating hours, GPS coordinates, and performance metrics from earthmoving equipment. 

In addition, there are other methods of construction automation. One example is modular construction, which is an effective alternative to on-site construction methods. Modular construction is a process in which a building is constructed off-site under controlled plant conditions, using the same raw materials as conventionally built facilities and adhering to the same industry codes and standards, in about half the time. Buildings are produced in “modules,” which, when put together on-site, reflect the identical design intent and specifications of the most sophisticated site-built facility. Furthermore, controlled plant conditions enable the contractor to leverage trade and craft automation to build walls, assemble plumbing, and fabricate ductwork.

Modular construction automation leads to the following areas of note:

  • Treatment of Sales Tax: Many higher education institutions benefit from sales tax exemptions. Auditors must be assured that the modular or unit pricing excludes any sales tax that may be embedded within the unit price. Additionally, purchase orders for raw materials can be reviewed to identify any disallowed sales tax incurred during procurement.
  • Potentially Duplicate Costs: Costs such as insurance, transportation, and warehousing could be duplicated in the unit pricing as well as the pay application. Modular builders frequently utilize enterprise resource systems, such as Oracle or SAP, that have fully loaded bills of material. The bill of material will contain a breakdown of the unit price, as well as the associated labor costs, and an equipment rate for any applicable robotics. It is important to review the details disclosed in the pay application to know where costs are being billed (and billed only once).

Digital Data Collection and Associated Risks

Data collection is an area that has experienced great advancement in the last few years. Two areas that benefit from construction audits include employee tracking and direct labor hour collection. Historically, timesheet collection was a manual process and often the burden of the superintendent on the construction project. Now, mobile phone applications allow individual employees to enter their time and automatically forward their timesheet to the superintendent for approval. Once approved, the labor cost will post to the job cost ledger. In addition, large multi-disciplined projects are implementing wireless jobsite worker tracking. The employee enters through a control gate and swipes an identification card or wears a radio-frequency identification (RFID) badge, which captures physical jobsite location and enables the contractor to know, at any given time, who is on the jobsite and their location. The construction auditor may use this data to verify personnel and the number of hours worked on the jobsite. By reconciling this jobsite data with timesheet data and physical locations, timesheet errors can be detected and worker productivity can be audited.
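The badge-to-timesheet reconciliation described above can be sketched as follows. This is an added example, not part of the original article: the record layout, worker IDs, sample data and 15-minute tolerance are constructed for illustration, and it assumes shifts do not cross midnight.

```python
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed gate/RFID export: (worker_id, timestamp, direction)
BADGE_EVENTS = [
    ("W-101", "2021-06-01 06:58", "IN"),
    ("W-101", "2021-06-01 15:32", "OUT"),
    ("W-102", "2021-06-01 07:05", "IN"),
    ("W-102", "2021-06-01 11:10", "OUT"),
    ("W-102", "2021-06-01 12:00", "IN"),
    ("W-102", "2021-06-01 14:02", "OUT"),
    ("W-103", "2021-06-01 07:00", "IN"),   # never swiped out
    ("W-105", "2021-06-01 08:00", "IN"),
    ("W-105", "2021-06-01 12:00", "OUT"),
    ("W-101", "2021-06-02 07:00", "IN"),
    ("W-101", "2021-06-02 15:00", "OUT"),
]

# Constructed approved timesheets: (worker_id, work_date, hours_claimed)
TIMESHEETS = [
    ("W-101", "2021-06-01", 8.5),
    ("W-102", "2021-06-01", 10.0),
    ("W-103", "2021-06-01", 8.0),
    ("W-104", "2021-06-01", 8.0),   # no badge activity at all
    ("W-101", "2021-06-02", 8.0),
]


def onsite_hours(events):
    """Sum IN->OUT intervals per (worker, date).

    Returns (hours, unpaired): hours maps (worker, date) to on-site hours,
    unpaired is the set of keys whose swipes do not pair up cleanly.
    """
    by_key = defaultdict(list)
    for worker, ts, direction in events:
        t = datetime.strptime(ts, FMT)
        by_key[(worker, t.date().isoformat())].append((t, direction))

    hours, unpaired = {}, set()
    for key, swipes in by_key.items():
        swipes.sort()
        total, opened = 0.0, None
        for t, direction in swipes:
            if direction == "IN":
                if opened is not None:      # two INs in a row
                    unpaired.add(key)
                opened = t
            elif opened is None:            # OUT without a preceding IN
                unpaired.add(key)
            else:
                total += (t - opened).total_seconds() / 3600
                opened = None
        if opened is not None:              # IN never closed by an OUT
            unpaired.add(key)
        hours[key] = round(total, 2)
    return hours, unpaired


def reconcile(events, timesheets, tolerance=0.25):
    """Return findings as (worker, date, code, claimed, onsite) tuples."""
    hours, unpaired = onsite_hours(events)
    claimed = {(w, d): h for w, d, h in timesheets}
    findings = []
    for key in sorted(set(hours) | set(claimed)):
        c, h = claimed.get(key), hours.get(key)
        if c is None:
            code = "NO_TIMESHEET"        # on site, no hours submitted
        elif h is None:
            code = "NO_BADGE_RECORD"     # hours billed, never badged in
        elif key in unpaired:
            code = "UNPAIRED_SWIPE"      # presence cannot be measured
        elif c - h > tolerance:
            code = "OVERCLAIM"           # billed hours exceed time on site
        else:
            continue
        findings.append((key[0], key[1], code, c, h))
    return findings


if __name__ == "__main__":
    for finding in reconcile(BADGE_EVENTS, TIMESHEETS):
        print(finding)
```

Each finding is a lead for follow-up, not a conclusion: an unpaired swipe, for instance, may point to a gate control weakness rather than a timesheet error.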

As automated and digital data collection becomes more prominent, it will be necessary to place greater reliance on project controls to detect fraudulent or abusive behaviors. Auditors should thoroughly test the project controls before relying on these systems to generate accurate source transactions. Comprehensive audit programs should include project controls testing that covers employee identification card issuance and replacement, timesheet rejection processes, rejection frequency tracking, and payroll-to-job cost adjustment reconciliations. Audit programs should also include data integrity testing to gain assurance that the data collection and reporting systems are functioning as intended. The graphic shown below highlights some common data integrity tests.

Previously, construction audits often experienced roadblocks due to the inaccessibility of information. Today’s automation systems are digitizing source documents, thereby enabling more comprehensive testing at a lower cost per transaction tested. While this may provide an opportunity for more automated audit procedures, the audit methodology does not change.

Audit Methodology

Each phase of the methodology benefits from technological advancements and automation.


Phase 1: Contract Risk Assessment

This phase includes a technical review of the contract terms and conditions. By applying any past risk assessment experience, the contract terms are equated with known risks. For example, the cost of work requires labor burdens to be billed and reimbursed at cost, without additional markup. Some associated risks with labor billed in excess of cost may include inflated labor burden, duplicate benefit hours, or embedded profit. Business intelligence software now allows auditors to compile a database of past contract observations, and when paired with optical recognition software, a contract can be scanned and then the contract terms are mapped to known risks. The results produce a system generated preliminary contract risk analysis, which significantly reduces the amount of time to perform this same task manually.

Phase 2: Audit Program Development

Contract risks are mapped to a series of audit steps, allowing business intelligence software to then produce a draft audit program based on the associated contract risks. The database maintains the data requirements for the audit program and associated supporting documentation requirements, which is then provided to the contractor and owner so the audit can proceed.

Phase 3: Transaction Testing

Many transaction tests and reconciliations can be automated, which eliminates redundant data handling and relevant constraints on construction audit progress. Regardless of whether an auditor has a fully integrated business intelligence solution that can perform the testing, experience is still required to interpret the data, evaluate results, and assess whether new scenarios exist that were not addressed within the automated testing environment.

Phase 4: Audit Reporting

With the increases in the level of automation, auditors’ responsibilities grow significantly—whether it is an increase in testing or placing a greater emphasis on project controls interviews, control effectiveness, and results interpretation to mitigate construction project risk. Automation allows an increase in sample size and overall testing populations, which allows auditors to get better coverage and have more detailed findings.

Conclusion

Despite all the advances in technology that impact the construction industry, the audit solution is only as good as the subject matter experts that assess the contract risks and develop audit programs. Auditors will be needed regardless of the level of automation and should not be concerned about automation eliminating their jobs.

Clery Compliance from 80,000 Feet

In September 2020, UC Berkeley agreed to pay a $2.35 million fine to the U.S. Department of Education (“ED”) and will be monitored for two years as a result of violating the Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (“Clery Act”). According to an article in The Daily Californian, ED found that more than 1,100 out of approximately 32,000 records reviewed over a five-year period were misclassified. “Many of the violations were for technical errors,” said campus spokesperson, Janet Gilmore, in an email. “Compliance with Clery requirements is highly technical and differs from other types of crime reporting conducted by law enforcement agencies and others.”

As of October 2020, ED rescinded the 265-page 2016 Clery Handbook (“2016 Handbook”), which served as a guide to institutional administrators about what to do to be compliant with the Clery Act. The 2016 Handbook was replaced with a 13-page Appendix in the Federal Student Aid Handbook; however, as of the date of this article’s submission, the Appendix does not yet have the force and effect of the law. This new guidance is effective for the 2021 reporting year and gives institutions more discretion on defining certain matters, such as which campus administrators must report campus crime statistics to ED and what area is considered the campus for data compilation purposes.[1]

Complying with the requirements in the Clery Act is indeed very technical, and an internal auditor can spend hundreds of hours auditing all of the requirements. As of January 7, 2021, institutions may be fined up to $58,328[2] for each infraction, and ED has the authority to suspend institutions from participating in federal financial aid programs at its discretion. Therefore, testing controls to ensure that Clery processes are designed and operating as required is important!

Clery Compliance Controls

There are a few things that an internal auditor can review to get a sense of their institution’s Clery compliance controls. Focusing on a few key areas can help provide an indication of an institution’s compliance with Clery and will not consume hundreds of hours of auditor effort:

Check the police department’s daily crime log.

One of the easiest things to check is the daily crime log. Daily crime logs are required to be readily available to the public. The next time a member of your department is near the police department, just stop in and ask to see the daily crime log to verify it is readily available. The log should be up-to-date and easily accessible to anyone who asks to see it.

Compare the Annual Security Report (ASR) to ED’s Campus Safety and Security database.

Generally, the ASR must be published and made available to the public by October 1st; however, due to an unprecedented year, the submission deadline for 2020 was extended to December 31, 2020.[3] In addition, the crime statistics must be uploaded to ED’s Campus Safety and Security system. Data entry into ED’s system is not foolproof and errors in data entry can easily occur. Comparing an institution’s ASR crime statistics to the crime statistics in ED’s system is a quick process.

Review Campus Security Authority (CSA) documentation.

Campus Security Authorities must understand their roles and responsibilities related to campus safety and security. A strong indicator for CSA compliance is the accuracy and completeness of an institution’s list of CSAs, as well as evidence that the CSAs understand their roles and responsibilities. While ED does not require that CSAs be trained, a university can prove compliance by providing both a current list of CSAs and evidence of a robust communication/training program. A simple review of the most current list of CSAs and associated training records will provide insight on an institution’s Clery compliance efforts.

Perform a desk review of the ASR.

Performing a desk review of the ASR is another way to get a read on an institution’s culture of compliance with the Clery Act. The Clery Act mandates certain policy statements describing the various components of the campus Clery Act program be included in the ASR. There are 74 required policy statement elements, ten of which are only required for locations with on-campus housing facilities.

In addition, institutions are required to publish certain crime statistics for the previous three years in the ASR and those with on-campus housing facilities are also required to publish fire statistics. These statistics can be traced back to supporting documentation, such as university police reports, daily crime logs, and other source information for accuracy. It is important to gain an understanding of the process for gathering and assembling crime statistics to ensure the statistics are accurate and complete. This primarily includes statistics received from the university police department, student affairs on campus, and local law enforcement off campus.

Multiple campus locations can also be a problem area in the ASR. Institutions with multiple campus locations face challenges in making sure crime statistics and policy statements are included for each campus location.

Check timely warnings. 

Institutions should have written procedures to address the use, content, and documentation of timely warnings. An easy check is to make note of any crimes on the daily crime log that would likely compel a timely warning (e.g., assault, theft of a vehicle, burglary of a building) and see if any were issued for those crimes. Ask to see the documented procedures for timely warnings and compare those procedures to the Clery Act guidelines.  

The checklist in the appendix of the 2016 Handbook was a great resource for Clery compliance; it will be archived on the Department of Education’s website for future use. At the time of this article’s publication, a new presidential administration will be in office and there is a possibility that the Handbook could be brought back.


References

  1. Information obtained from Inside Higher Ed: https://www.insidehighered.com/news/2020/10/19/education-department-pulls-handbook-clery-act-requirements 
  2. https://clerycenter.org/policy-resources/#:~:text=With%20fines%20of%20up%20to,environments%20for%20staff%20and%20students
  3. Despite the extended deadline for submission, the 2020 reporting year should still follow the 2016 Handbook for Campus Safety and Security Reporting.