Resources

Letter from the Editor

Hello ACUA!

The nights are getting longer, there’s a chill in the air and (at least here in the Northeast) the leaves are aflame with vibrant color. As the season turns, the atmosphere seems charged with possibility and excitement. With the holidays quickly approaching and AuditCon behind us, now is the perfect time to look back and reflect on all of the changes, struggles and accomplishments of this eventful year. Autumn is a time of transition, which fits perfectly with our current theme of Reflection and Transformation.

Although the last year and a half has been tumultuous, it has resulted in a flurry of new activity within the higher education landscape. Here, our members share their thoughts about the new and evolving risks that have been brought to the forefront by this time of transformation. First, Kara Hefner details a Uniform Guidance-based approach to auditing pandemic relief funds – a topic that is surely at the forefront of many institutions’ audit plans this year! Lily Young shares her strategies for understanding the true cost of your university’s agency fund relationships, while Joseph Iannini provides professional tips and tricks for preliminary information gathering. In addition, David Terry and Kyra Castano offer their insights from Portland State University’s recent contracting and procurement services audit and discuss the benefits of co-sourcing with a trusted advisor. Finally, Todd Knowles and Diane Padgett explore key privacy regulations and risks in the first half of their Data Privacy Primer series. (Expect the second installment in our Winter issue!)

Every issue of College and University Auditor is a direct result of contributions from our incredibly knowledgeable community. Please consider sharing your experience and expertise with us in a future issue! The journal team is ready and willing to assist in developing your ideas or fine-tuning your article. Feel free to reach out to me with questions, comments or ideas for future articles at editor@ACUA.org, or contact me by phone at (203) 218-7631.

Many thanks to our community, and I hope you all enjoy this issue of College and University Auditor!

Sincerely,
Claire Thomas

Preliminary Information Gathering (PING)

Introduction

One of the most challenging and time-consuming parts of an audit is drafting a well-written narrative that summarizes the significant processes and related internal controls. Factors such as client availability, lack of experience and scoping errors can contribute to the complexity of this task. This article offers a few suggestions to help navigate these common challenges.     

The term Preliminary Information Gathering process or “PING” refers to the phase of the audit that includes drafting an initial process narrative. PING is a critical stage for the ultimate success of the engagement, as it documents the significant processes and identifies the controls to be tested. Further, conducting a robust planning process is required to meet the Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) standard 2200, Engagement Planning, which states:  
 
“Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organization’s strategies, objectives, and risks relevant to the engagement.”


Clarifying the Scope and Objectives

Scoping

The foundation of any process narrative is agreement on scope and objectives. Before addressing scope, verify the significance of the process with the client, including the estimated dollar value, volume of transactions and recent changes. During this meeting, the audit team should clarify the systems used, locations involved and process owners. Auditors should also inquire about the level of process uniformity. This will help to develop the scope and estimate the resources needed for the engagement. Depending on the type of review, you may need to ask if the client has an operational dashboard or key performance indicators (KPIs) that are used to measure success. Assessing operational metrics can provide insight into potential process issues, such as an increase in student billing errors or refunds that should be considered during the PING.    

Objectives

Keep the overall objective simple and high level. Using the procurement process as an example, the primary objective would be to verify that only properly authorized purchases are made, and that the complete population of purchases is accurately processed and in the proper accounting period. A secondary and broader objective might be verifying that the procurement process uses the existing technology to the highest possible extent and minimizes the use of paper.  

Establishing agreement on the objectives minimizes any supervisor or client “expectation gap” and ensures any observations or recommendations are focused on the agreed-upon areas. Periodically refer back to the scope and objectives to keep the audit focused and avoid scope creep. 


Interview Preparation 

Many experienced internal auditors recall the stress of preparing for interviews and being overwhelmed with the amount of “data” obtained, much of which may not be needed. Often, the best weapons against stress are effective planning, ongoing communication and adherence to the agreed-upon scope and objectives. Consider this preparation time an investment in the future success of the audit rather than a burden. 

Preparation should include the following activities:

  • Research the audit area and read any available background information, as this builds credibility. Background information can be found in prior work papers, websites, newsletters or procedure manuals. Reviewing competitor information may also be useful and can provide additional industry insights that lead to value-adding recommendations.  
  • Contact the interviewee and verify the subject matter you plan to discuss and the meeting objectives. Use this knowledge to prepare a written agenda, which you should email to participants in advance of the meeting. Using the procurement example above, you can state that the meeting objective is to walk through the process from purchase approval to vendor payment. This will ensure the client is adequately prepared and that the appropriate process owners are included in the meeting.
    • If you plan to obtain document copies, make that clear in advance of the meeting. A useful tip is to ask the process owner to email screenshots (or other documentation) to you at each step of the interview, including a brief description of the document in the subject line. If it is not possible to get emails during the interview, keep a detailed list of requested items, and be certain to use the same document names as the client.
  • Include specific questions, clarifications needed and any required background information on the agenda. 
  • Confirm the meeting date, subject matter and other key points in writing a few days before the scheduled interview.   
  • Practice your interview questions to increase your confidence.


Conducting the Interview

When conducting the interview, the following strategies may be helpful:

  • Open the interview by introducing yourself and thanking the participants for their time. If there are several process owners in the meeting, ask each to introduce themselves and explain their areas of responsibility. 
  • Use terms that are understood by the client, not audit jargon. If the auditee uses an unfamiliar term, ask for clarification.  
  • Distribute a copy of the agenda and re-state the purpose of the interview and the topics you wish to cover.
  • Explain that you wish to walk through the entire process and clarify any expectations, such as obtaining screenshots. Give an example of the level of detail you wish to obtain and ask if they have any questions.
  • Critical Concept: Do not assume the points described above were previously communicated to all meeting attendees.  
  • Take notes to document key processes, but do not try to write down every word or phrase.  
  • It is good practice to pause periodically and re-state your understanding of the key points.
  • When ending the interview, state the next steps, such as providing a draft of the narrative for validation or scheduling a follow-up call to clarify any open points.


Critical Errors to Avoid

Missing Key Processes

When conducting a walkthrough, the main objective is to document the key processes and controls, not every step in the process. To keep things organized, it is helpful to think of a flowchart with decision boxes. For example, you may begin by asking about the procedure to approve a purchase. Once that process is understood, you can ask about the handling of unapproved or rejected purchases, and what would cause a purchase to be rejected (e.g., the purchase exceeds the purchase order limit). Asking about both approved and rejected transactions ensures that all relevant processes are documented. You may also want to ask how often purchases are rejected and why.

Insignificant Processes

Another risk is getting bogged down in data that is immaterial. When walking through purchasing processes, there may be transactions that are exceptions to the normal process, such as manual purchase orders or emergency expenditures. Clarify the frequency and materiality of these items before deciding to invest time in documenting matters that may be immaterial or insignificant. These items can be discussed later if they are selected as part of your substantive sample.  

Jumping to Conclusions

Using the written agenda, you should have identified all key process owners. However, there may be situations where you believe process gaps or missing controls may exist. In that case, you should calmly verify the facts with the interviewee and then follow up with their supervisor. While your initial assessment may be correct, the supervisor may have already developed effective compensating controls.  


Manual or Automated?

When documenting a key process flow, you should clarify which steps, if any, are automated. This important point is often overlooked when drafting the preliminary walkthrough, and can lead to confusion and excessive follow-up questions.

No Time for Self-Review

Be sure to build time into your budget to review your draft narrative, and consider having a peer read the draft and give you feedback. Before performing the self-review, you may wish to set the document aside for a few hours to clear your mind so you have a fresh perspective. In addition, make use of the spelling and grammar check features in your software. Failure to do so may make the draft appear unprofessional and sloppy.

Inaccurate Information

Once the self-review is completed, send a copy of the narrative to the process owners and ask for their feedback. If additional clarity is needed, schedule a follow-up meeting with the process owner.  

Conclusion

The PING methodology that works best for each auditor will vary. However, the information above provides a framework to assist inexperienced auditors in approaching interviews and can be useful to more experienced auditors as a reminder of best practices and potential pitfalls.

Data Privacy Primer: Regulations & Risks

Privacy Background

What is this concept of “privacy” we hear so much about in today’s news? Where did privacy originate, and why does it matter? In this article we will define privacy, discuss its importance and review some applicable laws.

The modern-day concept of privacy is often attributed to Samuel Warren and Louis Brandeis’ 1890 essay “The Right to Privacy,” in which they acknowledge “the right to be let alone” in their argument that existing laws facilitate individual privacy protections. Privacy is generally defined as the right to be let alone, or freedom from interference or intrusion. The International Association of Privacy Professionals defines information privacy as “the right to have some control over how your personal information is collected and used.” However, the meaning of privacy may vary depending on an individual’s, organization’s or country’s perspective. For some, privacy means being protected from data breaches or identity fraud. For others, privacy is a fundamental right related to personal and family life, home and correspondence.

When we refer to privacy, we are referring to those elements comprising personally identifiable information (PII). Examples include, but are not limited to, name, date of birth, physical address, phone number, Social Security number, financial account numbers (e.g., bank account and credit card numbers) and protected health information. Privacy principles created and defined by the Organization of Economic Cooperation and Development in 1980 form the backbone of privacy laws and privacy protection frameworks worldwide. The following elements of these principles are found throughout most privacy regulations:

 Collection Limitation: Data collection should only take place with knowledge and consent of the affected individual or data subject.

Data Quality: Information should only be collected which is relevant and accurate for a particular purpose.

 Individual Participation: An individual should be aware that their information has been collected and be able to access it.

Purpose Specification: The intended use of personal data must be known at time of collection, and data should not be arbitrarily collected.

 Use Limitation: Collected data is to be used only for purposes specified at time of collection, not broader future use. Consent should be secured from data subjects for use of data for other purposes.

 Security Safeguards: Reasonable measures must be taken to protect data from unauthorized use, destruction, modification or disclosure. Most laws reference reasonable and appropriate security measures based on risk determination rather than perfection.

   Openness: Data subjects should be able to contact the entity collecting or storing their information to ascertain types of data collected.

  Accountability: Data collectors should be accountable for adhering to these principles. Ideally, there should be a person in the organization dedicated to ensuring privacy principles are followed. The concept of a data protection or privacy officer originated with this principle.

Defining Key Concepts

While data privacy focuses on the use and governance of PII, data security focuses on protecting PII from malicious attacks and improper disclosure. Privacy cannot be protected without an associated security component.

Privacy professionals frequently reference Privacy by Design, a proactive and intentional approach where privacy is the default in technology system design and is considered at the earliest stage1. As opposed to an ad hoc approach, where privacy discussions take place in later stages of system development, the Privacy by Design framework is applied to the data life cycle from creation through collection, storage, archiving, de-identification and deletion.

PII processing refers to any operation or set of operations performed on personal data whether or not by automated means. It can refer to data collection, recording, storage, retrieval and erasure.

With these definitions in hand, let’s explore why privacy is important in today’s world.


Importance of Privacy

An individual’s privacy is a fundamental right and is closely connected to human dignity. It is the foundation on which other human rights are built. Privacy protects against the abuse of power by limiting what can be ascertained about individuals and providing shelter from those who may wish to exert control. Ensuring individual privacy protects us from the arbitrary and unjustified use of power by states, companies and other actors.

However, data is an increasingly valuable asset. With the rise of the data economy, organizations and nation-states have found significant value in collecting, sharing and using data. Companies like Amazon, Facebook and Google have built their organizations on data2. Collecting data provides organizations with the power to explain, predict and even control behavior. This is particularly valuable for advertising and marketing endeavors. For example, Netflix uses data analytics for targeted advertising. With over 100 million subscribers, Netflix collects large volumes of data. If you are a subscriber, you are familiar with how the company provides suggestions for the next movie you should watch by using your search history and viewership data. This data gives them insights into your interests. Without proper regulatory protections and legal recourse, you would have little control over how Netflix and other companies use and share your personal data.

In her 2019 book titled “The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power,” Shoshana Zuboff discusses how surveillance capitalism is an economic system centered around commodification of personal data with the core purpose of profit-making. Commodification makes personal data a valuable resource. Zuboff points out that tech companies and other corporations are mining users’ information to predict and shape their behavior, undermining personal autonomy and potentially eroding democracy.

Primary Privacy Laws

But surely there are privacy laws that provide protection against this abuse of personal data?

Unlike Europe, the U.S. has enacted a patchwork of privacy laws generally targeted to protect consumers. The Federal Trade Commission (FTC) serves as the primary federal enforcer of consumer data privacy and security laws for many businesses. Enforcement centers around fraud, deception and unfair business practices. Institutions that violate consumer privacy rights or mishandle sensitive consumer information may face legal enforcement actions brought by the FTC and state authorities. The U.S. Department of Health and Human Services (HHS) governs health protections focusing on compliance guidance, with the Office of Civil Rights (OCR) acting as the enforcement arm for HHS privacy regulations.

U.S. laws to be aware of in the education and health care sector (i.e., those that affect academic medical centers) include:

Family Educational Rights and Privacy Act (FERPA) gives parents and students certain protections pertaining to student education records such as grade reporting, transcripts, disciplinary records, contact and family information, and class schedules. FERPA requires student or parent written consent for release of educational records.

Children’s Online Privacy Protection Act (COPPA) protects the privacy of children under 13 years of age. It requires website or online service providers request parental permission to collect data on children and stipulates how the data can be processed and held.

Gramm-Leach-Bliley Act (GLBA) requires financial institutions, defined as companies offering financial products or services, to explain information sharing practices and protect against unauthorized access to, or use of, personal information that could result in substantial harm or inconvenience to a customer. GLBA stipulates financial institutions appropriately ensure the security and confidentiality of customers’ information.

Health Insurance Portability and Accountability Act (HIPAA) is designed to protect the confidentiality and security of a patient’s health care information, defined as any information identifying the past, present or future physical or mental health of an individual. It includes all communication media, whether written, verbal or electronic. HIPAA includes the Privacy Rule, which protects a patient’s right to keep health information private, and the Security Rule, which requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information. HIPAA violations can result in significant penalties for noncompliant organizations and individuals.

In addition to these federal regulations, various states have enacted privacy laws to protect personal data in the consumer setting. Most notably, California enacted the California Consumer Privacy Act (CCPA) which is designed to protect the privacy rights of California’s citizens. It gives consumers the right to control how companies collect and use their personal data. Some states have already enacted similar laws, or carved out exceptions for the federal regulations, and more are expected to do so in the coming years. 

From an international perspective, institutions should be aware of country-specific privacy laws. Most notably, the General Data Protection Regulation (GDPR) requires organizations to ensure that personal data of European Union citizens is gathered legally and under specific conditions. Institutions that process personal data are obliged to protect it from misuse and exploitation and to respect data subjects’ rights. Those who fail to do so may face significant penalties. GDPR requirements spurred the development of privacy policies (and cookie banners), in which organizations offer transparency into their data collection and management practices.

Conclusion

As more attention is focused on privacy, both internationally and domestically, consumers and clients will increasingly expect institutions to protect their personal information and embed privacy considerations into their business strategies. In a report published in November 2019 as part of Cisco’s Cybersecurity Series, “Consumer Privacy Survey, The Growing Imperative of Getting Privacy Right,” 2,601 adults, or 32% of respondents, stated that they care about privacy and had already taken action by switching companies or providers in response to data policies or data sharing practices. Along with the increase in privacy regulations worldwide, this should be a catalyst for organizations to establish or update their privacy programs.

In the second part of this article, we will explore areas auditors should consider reviewing when evaluating functions and processes involving personal data.

References

1) Deloitte, GDPR Top Ten #6: “Privacy by Design and by Default”; Shay Danon; February 2017
2) MIT Technology Review: “It’s time to rein in the data barons”; Martin Giles; June 19, 2018

Letter from the Editor

Hello fellow ACUA members!

My name is Claire Thomas, and I am delighted to be the new editor for College and University Auditor. First, I’d like to thank the prior editor, Jackie Pascoe, for her many contributions to the journal. I have enjoyed getting to know Jackie, and I have great respect for her work with ACUA. I would also like to thank our deputy editor, James Merritt, for his assistance with my transition into this role.

For those of you who don’t know me, I am the Audit Manager for the Internal Audit & Advisory Services department at Boston University. Prior to that, I worked alongside James for several years as a Principal Auditor at Duke University, and I welcome this opportunity to collaborate with him again!

I have always enjoyed the unique challenges and opportunities associated with working in higher education. Our institutions are constantly evolving, and as auditors, we must be innovative and agile in order to meet their needs. Our ACUA network plays an important role in fostering this commitment to continuous growth and professional development, and I am excited to be taking part in such an important objective. I look forward to working alongside our members as they continue to share their insights, resources and experiences with the broader ACUA community.

This issue of the journal brings workplace culture to center stage. After the turmoil and pressures of the last year, conversations about culture have likely been relegated to the back burner. But as many of our organizations begin to resume in-person work, this topic is becoming increasingly important. What kind of environment awaits us when we return? In this issue, Sabine Charles provides recommendations for how internal auditors can enhance client relationships and overall success through emotional intelligence. Jennifer Roberson and Chrissy McKeown share their insights and discuss strategies related to delivering effective feedback, while Harold Lederman offers tips on how to improve client relationships throughout your audit. In addition, Jaime Fernandez discusses how to support and partner with your athletics department. Finally, the journal team has tabulated your responses to our recent survey on workplace culture. Our article offers results, insights and a few takeaways.

The content of this and every issue of College and University Auditor is made possible by the contributions of knowledgeable professionals throughout our community. Please consider sharing your experience and expertise with us. The journal team is always happy to assist in developing your ideas or fine-tuning your article. Feel free to reach out to me with questions, comments or ideas for future articles at editor@ACUA.org, or contact me by phone at (617) 353-3324.

Thank you for your time, and I hope you enjoy this issue of College and University Auditor!

Sincerely,
Claire Thomas

How to Improve Your Audit Product

Professionals are generally aware that the final deliverable of a product is judged on more than the quality of the service itself. A client’s overall perception throughout an engagement plays a vital role in their satisfaction and cooperation with internal audit. This article provides suggestions on how to improve the overall audit product and relationships with audit clients.

1. Make it clear that you are there to help

Ask the client how internal audit can help. 

Ask the client how internal audit can help. A great way to start the conversation is by asking for a list of process improvements over a period of time (e.g. two years) and then verifying that they were implemented. Depending on the structure of the institution’s audit report, process improvements should be addressed first, if they are included in the report. If they are not included in the official report, auditors should outline process improvements in an informal memorandum or discuss them verbally with the client.

Additionally, internal audit can provide assistance to clients through the audit report, which can be leveraged to help the client achieve their goals. For example, making recommendations and highlighting areas for improvement may have more impact when included in an audit report and suggested in this formal manner to senior leadership. However, it is important to keep in mind that internal audit should not be involved in any implementation of these recommendations to maintain independence and objectivity.

2. Use proper terminology when addressing clients

In the business world, clients are generally referred to as, well, clients. Avoid addressing clients in ways that could have negative connotations, such as “entity under audit” or “auditee.” It may be helpful to think from the client’s perspective on how it might feel to be audited and referred to as the auditee. Being respectful and friendly to the client during communications will help with the intimidation factor that clients may feel when being audited. 

3. Put clients at ease

For many clients, learning that they are being audited or even meeting with internal audit induces a level of fear or anxiety. While it seems that auditors are stereotyped as scary intruders who want to upset the status quo, it is helpful to gently remind clients this is not the case and work to change their perspective. The following suggestions offer some ideas that may help convey that internal audit wants to collaborate with clients to achieve mutual goals:

  • Start the audit with Preliminary Information Gathering (PING) meetings. This allows internal audit to gather history and become familiar with the client’s operations. This information can then be used to shape the audit program. 
  • Document internal audit’s understanding in writing and distribute it to stakeholders, requesting confirmation that it is correct. To further demonstrate that internal audit seeks to collaborate with the client, suggest in the communication that stakeholders make comments and edits as they see fit.  

4. Report audit findings in context

Research the history of the audit area (e.g. changes to systems, processes or personnel) by using the client’s institutional knowledge and other resources.


Research the history of the audit area (e.g. changes to systems, processes or personnel) by using the client’s institutional knowledge and other resources. Including this information in the audit scope shows both stakeholders and leadership that internal audit has made a genuine effort to produce a quality, relevant deliverable.  

Example: Internal audit discovers that the database the client is using has duplications and errors. Internal audit becomes aware that the audit area had four directors in the last four years and that the data was managed by many individuals over this period. The current data manager has held the position for six months and made many improvements to fix the database. Internal audit highlights the data manager’s efforts during ongoing discussions and in the audit report. As a result, internal audit gains the trust and appreciation of the client and management, thereby developing the foundation for a great relationship.

5. Use graphics and other tools to emphasize your points and make them easily understood

The success of many online platforms depends on their ease of use and simplicity. Twitter, for example, limits messages to 280 characters. The most common length of a tweet is 33 characters. Historically, only nine percent of tweets hit Twitter’s former 140-character limit; now it is only one percent.

Another online platform, Pinterest, utilizes images, videos and text – infographics – that allow users to discover information through various means. As of the publication of this article, there are over 200 billion pins on Pinterest, and 87% of Pinners have purchased a product because of Pinterest.

The use of tables, graphs and slides can appeal to end users (e.g. stakeholders and leadership) and increase engagement during the presentation of a deliverable. Additionally, presenting a deliverable with PowerPoint seems to be underutilized in our profession. Introducing this as a method to present audit information and harnessing its formatting capabilities (e.g. fonts and color themes) can amaze management.  

6. Present executive highlights that convey some of the detail, and the entire picture, at the same time.

Management and clients want straightforward, easy-to-understand summaries.

While this may sound like a contradiction, here is how it is done. Auditors love spreadsheets, replete with formulas, tiny explanations, footnotes and other auditing paraphernalia. But, more often than not, it is only auditors who truly care about them. Management and clients want straightforward, easy-to-understand summaries. Therefore, consider highlighting – and succinctly conveying – major points with only as much detail as needed to clarify and support internal audit’s findings. These major points should be mutually exclusive and collectively exhaustive (MECE), which means they should stand alone and, together, present the complete picture. This allows internal audit to integrate the findings and recommendations in a way that conveys the total picture.  

In summary, internal audit can improve the quality of audits and relationships with clients by adhering to a few basic principles. Convey the idea that internal audit wants to help, treat clients respectfully, and keep the audience in mind when writing and presenting the audit report.  

Employee Engagement in 2021: What’s Feedback Got to Do With it? ‎

The definition of “feedback” in the Merriam-Webster dictionary is: “the transmission of evaluative or corrective information about an action, event, or process…”[1] As auditors, we should be great at this. We constantly give and receive feedback on our work through review notes. We should be masters of feedback!

But are we?

It doesn’t take much searching on the internet to find articles related to the latest and greatest team members in offices across the United States. Individuals from the Millennial and “Gen Z” demographics make up a growing percentage of the workforce, and research suggests that they want more feedback from their employers.

They aren’t alone. Lately, it seems that everyone would like more feedback. As a result, human resource departments have developed new strategies, such as upward, downward, anonymous and 360-degree performance feedback.

But employees don’t just want to receive more feedback; they also want it to be timely and constructive. To assist companies in meeting these expectations, HR software companies offer tools designed to generate feedback in real-time. For example, after giving a presentation, their systems allow you to send a request for immediate feedback using an app!

Many of us in leadership positions are expected to attend classes about how to give feedback, how to receive feedback and how to be candid with team members. In these classes we are taught opening phrases like: “Is now a good time for me to give you feedback?” We’re also told to “mirror” what we hear when we receive feedback by asking questions like: “Did I hear you say that I need to work on my communication skills?”

There are a plethora of books, articles and business journals full of information about better ways to give feedback. You may have picked up books along the way to help you have “Crucial Conversations,” maintain “The Growth Mindset” to fulfill your potential or discover how “The Feedback Imperative” will speed up your team’s success. These books provide specific tools to improve communication, stay open-minded and build resilience that is essential for living up to our potential. This is just a small sample of the resources available on this topic.

The 2017 State of the Global Workplace report[2] by Gallup lists six broad changes that organizations need to make to attract and retain the newest U.S. workforce generation. Two of these focus on feedback and emphasize the need to transition from a “boss” to a “coach” and from having “an annual review” to holding “ongoing conversations.”

Not long ago, a “60 Minutes” episode featured Bridgewater, the world’s largest hedge fund, which was founded by Ray Dalio. Mr. Dalio decided to build his company around a commitment to “radical transparency.” His book, “Principles,” is centered around this idea and offers 210 prescriptions for work and life. He believes that the way to be successful is to see the world clearly, no matter how positive or negative the reality is.

Every meeting at Bridgewater is videotaped and archived. These tapes are made available for all team members in the company to view in their “Transparency Library.” Employees are also able to score their colleagues in real time on an iPad after calls, meetings or other interactions. Bridgewater calls these real-time ratings a “baseball card.” Its intent is to hold each individual accountable for who they really are.

Because of his organization’s extreme stance on feedback, Dalio admitted that 30 percent of new hires leave within 18 months. But those who value the transparency and honesty stay.

Since research indicates that people want more frequent and robust feedback, then as the individuals responsible for employee engagement, our job is to help our team members get better at giving and receiving feedback.

At Stinnett, we’ve been focused on culture and employee engagement since 2014. We focus on building the culture that our team members want at work. Creating core values, guiding principles and a “why” statement that are authentic to who we are has required significant effort. Our culture was not manufactured by top leadership, but was created organically, by the team and for the team. This has allowed us to build a safe environment that encourages individuals to join and stay with the organization. This year, we were thrilled to earn a spot on the Great Place to Work’s Best Workplaces in Consulting and Professional Services. [3]

We’d like to provide you with four items that we believe must exist to make feedback work. We call these the STAR approach to feedback.

STRENGTHS –We know our team members want opportunities to learn and grow. We also understand that an individual’s greatest opportunity for growth and success is in their areas of strength, not weakness. Providing strength-based feedback inspires next-level performance.

As auditors, we are hardwired to review for errors. When we are reviewing the work of others, our first instinct is to look for mistakes and opportunities for improvement. Typical feedback also attempts to correct any negative behaviors or weaknesses. But research indicates that focusing on employee weaknesses doesn’t improve performance. Yes, critical feedback is sometimes necessary, but performance will be improved when feedback focuses on strengths as well as constructive criticism.

TRUST – We believe that no matter how many books you read or what software your organization invests in, feedback is only received well when managers first build trust. If you want to influence performance, people need to know you are interested in their development as a person. There is a quote, often attributed to Theodore Roosevelt, that we reference frequently when thinking about feedback: “They don’t care how much you know, until they know how much you care.”

Building trust begins with clarifying expectations. Each employee should be aware of their role and goals on the team or on the project, including discussions of appreciation for the employee’s strengths and the development opportunities the project brings. Once the project begins, the supervisor should check in with the employee frequently to stay abreast of their short-term priorities. This helps them see that the supervisor is invested in their day-to-day reality. Once or twice a month, managers should have a more in-depth conversation that focuses on short-term and long-term goals and priorities. This conversation deepens trust, as it is a frequent reminder that the supervisor is invested in the employee’s development and ensures that the goals set in the expectations discussion are being addressed.

ACCOUNTABILITY – What accountability looks like in feedback is the creation of agreements. If the manager has developed trust with the employee and provided clear expectations and ongoing communication, there is an agreement made that the employee will fulfill their obligations or communicate when they can’t. When these agreements are broken, either due to lack of clear communication or unfulfilled responsibilities, both parties must acknowledge their role in the broken agreement and agree to move forward. The underlying element of trust in the relationship allows each party to move on without blame.

RECOGNITION – In Marcus Buckingham and Ashley Goodall’s latest book, “Nine Lies about Work: A Freethinking Leader’s Guide to the Real World,” they dispel many of the accepted truths of the workplace today. Their fifth lie in the book is titled: “People Need Feedback.” Here, they argue against the theory that all people need feedback. Their research suggests that there are three theories related to feedback that are untrue. While we can’t hash out those three false beliefs in this article, they do reveal the truth that people need attention. Yes, feedback is attention. But Buckingham and Goodall argue that positive attention is 30 times more powerful than negative attention in creating high performance. The end goal should be to pay attention to what is working and help people build on it. Giving recognition and appreciation might be the most underused tool for increasing engagement and wellbeing.

Based on Gallup’s State of the Global Workplace report, employees in today’s workforce expect their managers to coach them. If you want employees who are engaged and high performing, we challenge you to utilize the STAR approach to feedback. Know and understand your employee’s STRENGTHS to create a field of inclusion and celebrate differences. Ensure you provide an environment of TRUST. Use ACCOUNTABILITY to promote a culture of reliability, and provide appropriate positive RECOGNITION and appreciation to increase positive energy across your entire team.
 
Further Reading:

  • “Crucial Conversations: Tools for Talking When Stakes Are High,” by Kerry Patterson, et al.
  • “The Feedback Imperative: How to Give Everyday Feedback to Speed Up Your Team’s Success,” by Anna Carroll
  • “The Growth Mindset: A Guide to Professional and Personal Growth,” by Joshua Moore and Helen Glasgow
  • “Nine Lies About Work: A Freethinking Leader’s Guide to the Real World,” by Marcus Buckingham and Ashley Goodall
  • “Principles: Life and Work,” by Ray Dalio
  • “StrengthsFinder 2.0,” by Tom Rath

References

  1. “Feedback.” Merriam-Webster.com Dictionary, Merriam-Webster, https://www.merriam-webster.com/dictionary/feedback. Accessed 22 Jun. 2021.
  2. Gallup. State of the Global Workplace. Gallup Press, December 2017.
  3. Great Place to Work. “Working at Stinnett & Associates.” (Certified Oct 2020-Oct 2021 USA). Great Place to Work®, www.greatplacetowork.com/certified-company/7022171.

Providing Value in the World of College Athletics

Many institutions have an athletics department (Division I, II or III), which presents a myriad of challenges for both institutional administrators and auditors. In addition to the traditional “big three” risks for athletics departments (student-athlete recruiting, financial aid and eligibility), societal pressures have created a plethora of dynamic risks:  

  • Name, Image and Likeness (NIL) – National Collegiate Athletics Administration (NCAA) regulations will now allow student-athletes the opportunity to make money from their name, image or likeness. With this new opportunity come potential risks like: (a) gauging fair market compensation for athletes who are contracted under NIL, (b) agent participation and regulation, and (c) differences in contracts for alchohol and gambling at private versus public schools.  
  • Knight Commission Guidance – This is a commission of university presidents, former athletic directors and other leaders. Risks are related to changes in their guidance in December 2020, which included recommending that:
    • A new entity be created, independent of the NCAA and funded by the College Football Playoff Committee (CFP), to oversee football in the Football Bowl Subdivision (FBS) and manage all related issues (e.g. athlete education, health and safety, revenue distribution, litigation, eligibility and enforcement).
    • The NCAA continues to govern all other sports, including football in the Football Championship Subdivision (FCS) and men’s basketball, under a reorganized governance system that would establish equal voting representation for all Division I conferences.
    • The NCAA and the new FBS football entity adopt governing principles to “maintain college athletics as a public trust, rooted in the mission of higher education” and prioritize student athletes’ education, health, safety and success. [1]
  • COVID Relief – Many institutions received federal funds from the Coronavirus Aid, Relief, and Economic Security (CARES) Act. Risks associated with CARES relief include providing funding to student athletes who are ineligible and using money to upgrade athletic facilities. 
  • Financial Pressures Due to the COVID-19 Pandemic – The financial risks associated with the COVID-19 Pandemic include: a) loss of ticket revenue, b) increased financial aid obligations due to the NCAA granting athletes an extra year of eligibility, and c) potential increase of operational expenditures due to the need for more cleaning staff, contract tracing and testing.
  • Student-Athlete Health –  Potential student athlete health risks may be physical, arising from overtraining or unsafe practicing, or mental, due to academic and athletic pressures. 
  • Vaccine Distribution – There is concern over the equity of vaccine distribution and whether  athletes and coaches will be prioritized over other populations.
  • Donor Compliance – The athletics department must utilize funds in accordance with donor restrictions. Additionally donors may put pressure on the institution’s administration to retain unpopular coaches, not move to a desired conference, play or not play a particular rival, or change longtime traditions.
  • Concession Vendors – The athletics department may not always receive its agreed-upon share of revenues from third-party concession contracts.
  • Construction Audits – Construction projects generate significant capital expenditures and may encounter contract compliance issues.
  • Conflict of Interest – Coaches may not report all camps for which they are compensated.
  • Minors on Campus – Minors coming onto campus for athletics camps must be protected from physical, sexual and mental abuse. 
  • Athletics Fees – The athletics department should be compared to its conference/national peers to determine how fees are utilized and reported. [2] 
  • Team Roster Management – Due to new rules, student athletes may transfer without any penalities. 

So Where Does Internal Audit Begin?

Develop Relationships with Key Stakeholders in Athletics

Set up a periodic meeting with the Athletic Director (AD) to determine if there are emerging risks or current areas of concern. 

  • Work on your relationship with the school’s Athletics Compliance Office (ACO). Ideally, aim to meet with the ACO at least once a quarter. This may be a challenge and will likely take a considerable amount of effort. To achieve this goal, let them know how it benefits them. For example, identify opportunities for improved controls that are not only more effective, but also more efficient for the ACO to monitor.  
  • Set up a periodic meeting with the Athletic Director (AD) to determine if there are emerging risks or current areas of concern. 
  • Talk to your institution’s athletics academic staff to gain insight into potential risk areas around eligibility and financial aid. This discussion may include staff members from the Offices of the Registrar, Admissions and Financial Aid. 

Have conversations with coaches and student-athletes to gain insight into additional risks.

  • Have conversations with coaches and student-athletes to gain insight into additional risks. For example, it may become apparent that the institution lacks adequate athletics compliance training.
  • Finally, it is vital to build a relationship with the school’s faculty athletic representative and, if possible, obtain a seat within the school’s athletic council. 

​Use Other Athletic Resources

  • Contact ACUA members who have athletics departments or reach out to institutional audit shops within your athletic conference. Keep abreast of collegiate information through newspaper sites (e.g. local or large city newspapers) and other sports media (e.g. ESPN and Yahoo). These sites may provide straightforward explanations of new NCAA regulations.
  • Periodically refer to the following online resources. They may be helpful in identifying significant risks to your institution:
  • ACUA also has valuable resources available:
    • NCAA Compliance: Eligibility, Financial Aid, and Recruiting Kick Starter
    • NCAA Division I and II compliance audit guides

Tools for Athletics Work

Auditing athletics compliance through the use of athletics compliance software (ACS) can help to automate the process. Many athletics compliance departments use Front Rush ACS to help manage their athletics compliance activities. Internal audit may explore utilizing their athletics compliance department’s ACS, which has the following benefits: 

  • Athletics compliance will not need to use additional resources to provide documentation for audits.
  • Internal Audit can assist with some of the work required of athletics compliance. 
  • Internal Audit may identify gaps in internal controls and provide ideas for increasing effectiveness.

Additionally, NCAA Compliance Assistant assists athletics administrators with the management of student-athlete information to ensure compliance with NCAA regulations. This tool houses information on financial aid, eligibility and roster sizes, and may be downloaded and utilized by Internal Audit for analytical testing.

Data Analytics

As previously mentioned, data may be downloaded from NCAA Compliance Assistant, student information systems (e.g. Banner) and the institutional financial system. Consider performing the following procedures:

  • Test individual and team equivalencies with financial aid data. This may include working with Financial Aid and the ACO to obtain information on cost of attendance and aid not counted as athletic aid.
  • For eligibility testing, you may use the student information system to find courses where larger pools of athletes are enrolled. Subsequently, test their grades against the general student population for those courses.    
  • Compare student-athlete rosters in NCAA Compliance Assistant to student-athlete rosters in the student information system.
  • Within the student information system, review incoming freshmen and transfer admissions data to determine if student-athletes are admitted in accordance with institutional standards. Assess the validity of exceptions granted to student-athletes for admission after stated deadlines.
  • Download financial data for athletics and compare with previous year(s) to determine if there are significant variances and whether the variances are reasonable. 

Conclusion

We know the world of college athletics is important and makes significant contributions to our colleges and universities. These contributions include increases in donations, financial aid, brand recognition and camaraderie. However, these benefits and financial commitments are accompanied by additional risk. As Yogi Berra once said: “The future ain’t what it used to be.” By helping our colleges and universities address the risks of college athletics, Internal Audit has the opportunity to be creative, stay ahead of the curve and provide value.

References

  1. Andrews, Katlyn (Dec. 17, 2020). Knight Commission report – key implications of a FBS and NCAA split., Baker Tilly, From:  https://www.bakertilly.com/insights/knight-commission-report-key-implications-of-a-fbs-ncaa-separation 
  2. Connect ACUA e-mail (Dec. 10, 2020), Re: Athletics Brainstorming, Summary by Brian Daniels. 

Note: My sincere thanks to members of the ACUA College and University Journal editorial staff (Jackie Pascoe, James Merritt and Paul Harris) for their editorial contributions.

Workplace Culture in Higher Education: Embracing Empathy

The focus of the summer 2021 issue of College and University Auditor is workplace culture, a topic which has moved to the forefront as employees assess their current work situation. ACUA members contributed articles related to emotional intelligence, professional feedback and changing stakeholders’ perceptions of internal audit. In this ConnectFurther article, we examine another component of workplace culture: empathy. Here, we provide some insight into what empathy is and how it can be utilized to enhance overall culture. We also reflect on the results of the workplace culture survey created by the ACUA journal staff. This survey asked our members how they view the culture at their workplaces and what methods they have introduced to foster a positive workplace environment.

Empathy is defined by the Cambridge Dictionary as: “the ability to share someone else’s feelings or experiences by imagining what it would be like to be in that person’s situation.”


Empathy is defined by the Cambridge Dictionary as: “the ability to share someone else’s feelings or experiences by imagining what it would be like to be in that person’s situation.”[1] While many of us were taught to be empathetic towards each other when we were young, exercising empathy in the workplace can be an entirely different challenge. For this to happen, we must all work to increase our awareness of and respect for the feelings, opinions, experiences and perspectives of our coworkers. This increased awareness may not happen overnight. However, by making this a focus of your institution’s communications and training, you can help to create an empathetic workplace culture. According to GovLoop[2], a knowledge-based training and thought leader for government and non-profit institutions, there are six key concepts related to fostering empathy in the workplace: Active Listening, Constructive Feedback, Emotional Intelligence, Conflict Management, Unconscious Bias, and Diversity, Equity & Inclusion.

Key Concepts

  1. Active Listening – This is the process of concentrating on the individual or individuals who are speaking, so that you can fully understand the information they wish to convey. Understanding what other people are trying to say is a vital component of being empathetic. In addition, active listening shows colleagues that you respect them and value their perspectives.Constructive feedback is extremely important in fostering a positive workplace culture.
  2. Constructive Feedback – Constructive feedback is extremely important in fostering a positive workplace culture. Instead of pointing out every negative aspect of an employee’s performance, practice empathy by giving feedback that recognizes their strengths while identifying how they could be more effective. This can increase employees’ openness to your suggestions and strengthen your organization’s overall workforce.
  3. Emotional Intelligence – While active listening allows people to understand each other’s perspectives or situations, providing training that increases emotional intelligence helps employees stay cognizant of their colleagues’ feelings as well. This enhances the productivity of communication between employees and fosters a supportive workplace culture.
  4. Conflict Management – Training in this area can help employees understand their unique style of conflict management and determine the style used by their coworkers. This knowledge allows employees to better navigate disagreements by approaching them from a place of mutual understanding rather than judgment.
  5. Unconscious Bias – Everyone is susceptible to unconscious biases formed by the content they consume and the experiences they have throughout their lives. Bias-related training can help employees identify and understand their own biases. Combining this awareness with the other elements of empathy can help break down unconscious biases by cultivating meaningful, thoughtful relationships.Senior management can set the tone throughout the institution by providing an open, non-judgmental forum for individuals to share their experiences.
  6. Diversity, Equity & Inclusion – Promoting practices that hold individuals accountable for fostering diversity and inclusion also creates a positive, welcoming workplace culture. To ensure a more diverse workforce, examine processes such as recruitment and conflict resolution using the elements of empathy. Senior management can set the tone throughout the institution by providing an open, non-judgmental forum for individuals to share their experiences.
     

Survey Overview

The ACUA journal staff created a workplace culture survey to gain a better understanding of how these six concepts have been implemented across our institutions. We received 25 responses, with 80% of respondents indicating they work in the public sector and 72% stating that they work in an audit shop of one to five individuals. Of these respondents, 68% hold the title of manager, director or Chief Audit Executive. In addition, 92% have been with their institutions for three years or longer, allowing them ample time to gain a good understanding of both the current workplace culture and recent changes.

Detailed Results

The survey asked a series of questions related to workplace culture. The first question (see chart below) asked individuals to rate their satisfaction with their current workplace culture from one (dissatisfied) to 10 (satisfied). Our respondents were largely satisfied with the culture at their workplaces, with 84% rating their current employers between six and eight, and 92% rating their institutions six or higher.




Although our response data is not comprehensive enough to draw comparisons against other industries, the results indicate that our ACUA members feel generally positive about their current workplaces and the efforts underway to enhance workplace culture.

Over 90% of the respondents acknowledged that their institutions have taken steps to address Diversity, Equity & Inclusion.


The next part of our survey explored which of the six key concepts of empathy respondents felt their organizations promoted or had taken steps to address. Over 90% of the respondents acknowledged that their institutions have taken steps to address Diversity, Equity & Inclusion. In contrast, only 33% recognized their organizations as promoting Empathy and Emotional Intelligence.



It is no surprise that the concept of Diversity, Equity & Inclusion ranked so high in our surveys, as this has been a hot topic in the United States of late. It is inspiring to see such a high percentage of our institutions actively working to address this issue and promote change. On the other hand, the relatively low percentage of organizations actively promoting Empathy and Emotional Intelligence highlights the challenges of implementing change in these areas.

The final question in our survey asked respondents to comment on methods their departments, organizations and institutions have utilized to promote these six key concepts. It is our hope that these responses may help to highlight steps that the rest of our community can take to continue building a positive workplace culture for everyone!

Approaches for Enhancing the Six Key Concepts of Empathy

  • Conducted mandatory training geared towards listening and communication
  • Established and required compliance with “Rules of Engagement” that address each of the six key concepts
  • Created open door policies and flexible scheduling
  • Formed Diversity, Equity & Inclusion committees to draft policies
  • Created a campus-wide Employee Engagement survey
  • Included Diversity, Equity & Inclusion in the university’s Strategic Plan
  • Created positions at the Vice President level to direct Diversity, Equity & Inclusion and Unconscious Bias training
  • Participated in a Franklin Covey[3] training series as a department
  • Embedded metrics centered around the six key concepts in the institution’s Human Resources review criteria

References

  1. Cambridge Dictionary. (n.d.). Empathy. In dictionary.cambridge.org dictionary. Retrieved June 29, 2021, from https://dictionary.cambridge.org/us/dictionary/english/empathy
  2. https://www.govloop.com/resources/empathy-in-the-workplace-a-govloop-toolkit/
  3. https://resources.franklincovey.com/culture-transformation

Letter from the President

Dear ACUA Colleagues,

Summer is upon us! You all deserve a long-awaited vacation with family and friends. I sincerely hope you take some time to kick back and celebrate all that we have accomplished and the new beginnings to come.  

If you joined us for the first annual virtual spring membership meeting, you already learned about the initiatives ACUA volunteers have been working on to continue to move our industry forward. The advocacy program, diversity and inclusive leadership efforts, and our new fall conference platform will help position ACUA and our industry for long-term success.   

Similarly, I hope this edition of the ACUA Journal provides some insight and inspiration as we look ahead to the next academic year. The articles collected here tap into the accumulated expertise of our ACUA community. Please consider taking the time to reach out to the authors to thank them for sharing their knowledge. You may get an idea for a future audit or article of your own or build upon your ACUA network.  

Our volunteers made the ACUA community thrive during the pandemic, and they deserve a special note of thanks. It is a pleasure to work with such a great community, and I hope to see many of you at ACUACon, whether you attend in person or virtually. 

Sincerely,

Patti Snopkowski

ACUA President 

Auditor as an Investigator?

As auditors, we are sometimes called upon to participate in investigations at our institution. Investigations may be the result of a financial fraud allegation, a complaint of time misappropriation submitted through an ethics hotline, or a management request regarding questionable travel and entertainment expenses. To some, the word “investigation” may be intimidating. In hopes of demystifying the process, this article provides general information on investigations, why they are performed, and what auditors should consider while conducting an investigation.

What is an investigation?

An investigation is a determination of facts related to a specific concern (or concerns) raised by an individual (e.g., via hotline complaint or management request) or, less often, as the result of an audit. The results of an investigation include determining whether the concerns are substantiated by assessing what happened, the timeline of events, and what policies or laws were violated. The matters under investigation often implicate an individual in wrongdoing, so they require a discrete, thorough, and independent analysis. Confidentiality is critical throughout an investigation to protect both a falsely accused person and the overall integrity of the process. While limited in scope, investigations focus on facts solely related to the concern(s) presented; provide all parties with an opportunity to be heard; and provide management with clear and concise findings, as well as potential recommendations when appropriate.

Why do auditors perform investigations?

As auditors, we are uniquely suited to perform the detailed, analytical work required to complete a thorough investigation. In addition, higher education auditors tend to have a breadth of institutional knowledge and an expansive professional network. We are independent, trained to recognize fraud red flags, and know what areas to focus on. Furthermore, there is a need—employee reports are the most common sources of uncovering fraud. Performing investigations exhibits to your institution’s community—students, faculty, staff, patients, visitors—that the institution is committed to an ethical culture rooted in honesty and accountability.

Auditor Considerations

General

  • Maintaining confidentiality is in the best interest of all parties involved in an investigation and should be discussed based on the nature of the investigation and parties involved
  • Review of documentation and interviews should be limited to the specific concerns raised
  • Availability of audit professional resources should be considered to complete investigations timely
  • Investigations inherently have increased litigation risk; therefore, the results (and supporting work-papers) of a given investigation may be subject to a subpoena if the matter is not resolved to either party’s satisfaction
  • All parties are entitled to an impartial, objective, and thorough investigation and have the right to be presumed innocent unless proven otherwise

Planning the Investigation

  • Understand the concern under investigation (interview hotline reporter or management, if necessary)
  • Identify, and request, any information necessary to substantiate the concern (e.g., general ledger, procurement details, Travel and Entertainment records, time system logs, emails, people to interview)
  • Review and identify any policies or regulations that may have been violated
  • Consider the amount of information provided by hotline reporters prior to moving forward with performing an investigation

Performing the Investigation

  • Follow procedures developed for audit investigation fieldwork and documentation
  • Maintain a document log as work-papers are requested, received, and prepared
  • Access to all documentation and work-papers should be limited to only those who have a need-to-know (i.e., Principle of Least Privilege)
  • All work-papers, both paper and electronic versions, are potentially subject to subpoena and must be maintained (refer to your institution’s record retention policy or general counsel for guidance)
  • Maintain open communication between team members, management, and peer units at the institution (e.g., Human Resources, Police Department, Compliance), disclosing only pertinent information for the investigation
  • Seek guidance from your institution’s General Counsel as to whether including “Confidential and Privileged”, or a similar statement, is appropriate to identify all work-papers, if included in the investigation’s legal documentation

Interviewing Key Participants

  • Conduct interviews in a location comfortable (and neutral) for you and the interviewee[1]
  • Identify pertinent questions requiring answers prior to the interview
  • Prepare for each interview individually (different interviews will warrant different questions)
    • Ask open-ended questions
    • Keep questions short and simple
    • Let the interviewee do most of the talking
  • Maintain an interview log (e.g., who, when, where)
  • Interview the individual accused of wrong-doing last

Reporting the Investigation Results

  • Write a straightforward report. (i.e., concern, procedures performed, conclusion)
  • Consider the necessity of including supporting documentation as appendices to report
  • Determine who the report will go to and who will be included on the distribution list
  • Complete report writing timely (definition is subjective at each institution and the nature of the investigation)

Common Jargon

Becoming familiar with and understanding key terms will help you navigate an investigation with ease. Below are some terms and definitions commonly used during the investigations process:

TermExplanation
AllegationClaim or assertion that someone has done something illegal or wrong
ArbitrationA form of alternative dispute resolution; a way to resolve disputes outside of court
Attorney/Client PrivilegeLegal protection to keep communications between attorneys and clients confidential
E-discoveryElectronic information requested to be produced during litigation
EvidenceCompilation of documents and analyses supporting a conclusion
GrievanceFormal complaint raised by an employee within the workplace
HotlineReporting tool, typically with option to report anonymously
Hotline Reporter (or Complainant)Individual initiating hotline report (or complaint)
MediationDispute resolution using an impartial third party trained in specialized communication and negotiation techniques
Target (or Respondent)Individual whom a hotline report is against
ParticipantAn individual interviewed and/or identified as a witness during an investigation
Subpoena A court order commanding a person to appear in court
Substantiated Results of an investigation support the concern/allegation
UnsubstantiatedResults of an investigation do not support the concern/allegation
Table of common terms and definitions used in the investigations process.

Conclusion

In closing, remember we are all investigators. Use your auditor tool box to perform tests and analyses to assist in closing an investigation. Document everything and file it separately from other audit work-papers. Communicate often with the investigation team and ask questions of the investigation owner (whether inside, or outside of, your audit department). Utilize the experience to learn a new process and/or deepen working relationships within your institution. Learn more about partnering with other investigative units at your institution at ACUA’s Audit Interactive 2021.

[1] Given the current pandemic, interviews may need to be conducted virtually. To conduct a virtual interview in as similar of circumstances as meeting in-person, all parties should utilize a video setting and be in a room without distractions.