As auditors, we are sometimes called upon to participate in investigations at our institution. Investigations may be the result of a financial fraud allegation, a complaint of time misappropriation submitted through an ethics hotline, or a management request regarding questionable travel and entertainment expenses. To some, the word “investigation” may be intimidating. In hopes of demystifying the process, this article provides general information on investigations, why they are performed, and what auditors should consider while conducting an investigation.
What is an investigation?
An investigation is a determination of facts related to a specific concern (or concerns) raised by an individual (e.g., via hotline complaint or management request) or, less often, as the result of an audit. The results of an investigation include determining whether the concerns are substantiated by assessing what happened, the timeline of events, and what policies or laws were violated. The matters under investigation often implicate an individual in wrongdoing, so they require a discreet, thorough, and independent analysis. Confidentiality is critical throughout an investigation to protect both a falsely accused person and the overall integrity of the process. While limited in scope, investigations focus on facts solely related to the concern(s) presented; provide all parties with an opportunity to be heard; and provide management with clear and concise findings, as well as potential recommendations when appropriate.
Why do auditors perform investigations?
As auditors, we are uniquely suited to perform the detailed, analytical work required to complete a thorough investigation. In addition, higher education auditors tend to have a breadth of institutional knowledge and an expansive professional network. We are independent, trained to recognize fraud red flags, and know what areas to focus on. Furthermore, there is a need—employee reports are the most common sources of uncovering fraud. Performing investigations exhibits to your institution’s community—students, faculty, staff, patients, visitors—that the institution is committed to an ethical culture rooted in honesty and accountability.
Auditor Considerations
General
Maintaining confidentiality is in the best interest of all parties involved in an investigation and should be discussed based on the nature of the investigation and parties involved
Review of documentation and interviews should be limited to the specific concerns raised
Availability of audit professional resources should be considered to complete investigations timely
Investigations inherently have increased litigation risk; therefore, the results (and supporting work-papers) of a given investigation may be subject to a subpoena if the matter is not resolved to either party’s satisfaction
All parties are entitled to an impartial, objective, and thorough investigation and have the right to be presumed innocent unless proven otherwise
Planning the Investigation
Understand the concern under investigation (interview hotline reporter or management, if necessary)
Identify, and request, any information necessary to substantiate the concern (e.g., general ledger, procurement details, Travel and Entertainment records, time system logs, emails, people to interview)
Review and identify any policies or regulations that may have been violated
Consider the amount of information provided by hotline reporters prior to moving forward with performing an investigation
Performing the Investigation
Follow procedures developed for audit investigation fieldwork and documentation
Maintain a document log as work-papers are requested, received, and prepared
Access to all documentation and work-papers should be limited to only those who have a need-to-know (i.e., Principle of Least Privilege)
All work-papers, both paper and electronic versions, are potentially subject to subpoena and must be maintained (refer to your institution’s record retention policy or general counsel for guidance)
Maintain open communication between team members, management, and peer units at the institution (e.g., Human Resources, Police Department, Compliance), disclosing only pertinent information for the investigation
Seek guidance from your institution’s General Counsel as to whether including “Confidential and Privileged”, or a similar statement, is appropriate to identify all work-papers, if included in the investigation’s legal documentation
Interviewing Key Participants
Conduct interviews in a location comfortable (and neutral) for you and the interviewee[1]
Identify pertinent questions requiring answers prior to the interview
Prepare for each interview individually (different interviews will warrant different questions)
Ask open-ended questions
Keep questions short and simple
Let the interviewee do most of the talking
Maintain an interview log (e.g., who, when, where)
Interview the individual accused of wrong-doing last
Reporting the Investigation Results
Write a straightforward report (i.e., concern, procedures performed, conclusion)
Consider the necessity of including supporting documentation as appendices to report
Determine who the report will go to and who will be included on the distribution list
Complete report writing timely (definition is subjective at each institution and the nature of the investigation)
Common Jargon
Becoming familiar with and understanding key terms will help you navigate an investigation with ease. Below are some terms and definitions commonly used during the investigations process:
Term: Explanation
Allegation: Claim or assertion that someone has done something illegal or wrong
Arbitration: A form of alternative dispute resolution; a way to resolve disputes outside of court
Attorney/Client Privilege: Legal protection to keep communications between attorneys and clients confidential
E-discovery: Electronic information requested to be produced during litigation
Evidence: Compilation of documents and analyses supporting a conclusion
Grievance: Formal complaint raised by an employee within the workplace
Hotline: Reporting tool, typically with option to report anonymously
Dispute resolution using an impartial third party trained in specialized communication and negotiation techniques
Target (or Respondent): Individual whom a hotline report is against
Participant: An individual interviewed and/or identified as a witness during an investigation
Subpoena: A court order commanding a person to appear in court
Substantiated: Results of an investigation support the concern/allegation
Unsubstantiated: Results of an investigation do not support the concern/allegation
Table of common terms and definitions used in the investigations process.
Conclusion
In closing, remember we are all investigators. Use your auditor tool box to perform tests and analyses to assist in closing an investigation. Document everything and file it separately from other audit work-papers. Communicate often with the investigation team and ask questions of the investigation owner (whether inside, or outside of, your audit department). Utilize the experience to learn a new process and/or deepen working relationships within your institution. Learn more about partnering with other investigative units at your institution at ACUA’s Audit Interactive 2021.
[1] Given the current pandemic, interviews may need to be conducted virtually. To conduct a virtual interview in as similar of circumstances as meeting in-person, all parties should utilize a video setting and be in a room without distractions.
The construction industry has historically been a slow adopter of technology, and rightfully so. The builders of our roads, homes, offices, and campuses need to be thoughtful when evaluating new technology that may impact safety and quality in exchange for speed and cost reduction. Consequently, the introduction of robotics, video monitoring, and automated quality controls has trailed behind other industries, such as manufacturing and distribution. Similarly, as the availability of digital information has increased, the implementation of automated construction audit techniques has lagged. However, high speed wireless communication, handheld devices, and a need for labor force alternatives continue to drive construction technology innovation and adoption. Construction auditors must remain knowledgeable about the latest industry tools and understand how to evaluate new construction technologies’ impact on construction risk management.
Technology and Construction Project Data Automation
The most established technological advancements, such as GPS-enabled cranes and heavy/highway equipment with onboard performance metrics, enable operators to cut, grade, and measure moved earth with a high degree of precision. The equipment can be monitored remotely, which allows companies to track their exact location, operating hours, consumables, and environmental conditions. The existence of this data also provides information for construction audits. Rather than analyzing paper copies of supporting documentation, construction auditors may now utilize available digital technology to download equipment metrics and capture quantities moved, hours operated, and other pertinent equipment usage data quickly.
A large campus transformation project may include new buildings, new roads, and new underground infrastructure. This would require moving large amounts of dirt and parking contractor equipment at the jobsite, resulting in monthly bills for dirt hauling, aggregate purchases, and heavy equipment rental. To determine whether the quantities billed are representative of actual activity, an engineer could measure the dimensions of the dirt (i.e., how high and wide the dirt sits) to calculate the quantities moved.
Alternatively, the auditor could download the operating metrics from any cloud storage application to see the number of dump trucks that were on site, the trips each truck made, the weight of the product hauled, and the time spent loading and unloading. The auditor could then calculate cubic yards moved from the site to reconcile the trucking bill. A similar reconciliation could be performed using operating hours, GPS coordinates, and performance metrics from earthmoving equipment.
In addition, there are other methods of construction automation. One example is modular construction, which is an effective alternative to on-site construction methods. Modular construction is a process in which a building is constructed off-site under controlled plant conditions, using the same raw materials as conventionally built facilities and adhering to the same industry codes and standards—in about half the time. Buildings are produced in “modules,” which, when put together on-site, reflect the identical design intent and specifications of the most sophisticated site-built facility. Furthermore, controlled plant conditions enable the contractor to leverage trade and craft automation to build walls, assemble plumbing, and fabricate ductwork.
Modular construction automation leads to the following areas of note:
Treatment of Sales Tax: Many higher education institutions benefit from sales tax exemptions. Auditors must be assured that the modular or unit pricing excludes any sales tax that may be embedded within the unit price. Additionally, purchase orders for raw materials can be reviewed to identify any disallowed sales tax incurred during procurement.
Potentially Duplicate Costs: Costs such as insurance, transportation, and warehousing could be duplicated in the unit pricing as well as the pay application. Modular builders frequently utilize enterprise resource systems, such as Oracle or SAP, that have fully loaded bills of material. The bill of material will contain a breakdown of the unit price, as well as the associated labor costs, and an equipment rate for any applicable robotics. It is important to review the details disclosed in the pay application to know where costs are being billed (and billed only once).
Digital Data Collection and Associated Risks
Data collection is an area that has experienced great advancement the last few years. Two areas that benefit from construction audits include employee tracking and direct labor hour collection. Historically, timesheet collection was a manual process and often the burden of the superintendent on the construction project. Now, mobile phone applications allow individual employees to enter their time and automatically forward their timesheet to the superintendent for approval. Once approved, the labor cost will post to the job cost ledger. In addition, large multi-disciplined projects are implementing wireless jobsite worker tracking. The employee enters through a control gate and swipes an identification card or wears a radio-frequency identification (RFID) badge, which captures physical jobsite location and enables the contractor to know, at any given time, who is on the jobsite and their location. The construction auditor may use this data to verify personnel and the number of hours worked on the jobsite. By reconciling this jobsite data with timesheet data and physical locations, timesheet errors can be detected and worker productivity can be audited.
As automated and digital data collection becomes more prominent, it will be necessary to place greater reliance on project controls to detect fraudulent or abusive behaviors. Auditors should thoroughly test the project controls before relying on these systems to generate accurate source transactions. Comprehensive audit programs should include project controls testing that includes employee identification card issuance and replacement, timesheet rejection processes, rejection frequency tracking, and payroll-to-job cost adjustment reconciliations. In addition, audit programs should include data integrity testing to gain assurance that the data collection and reporting systems are functioning as intended. The graphic shown below highlights some common data integrity tests.
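The badge-to-timesheet reconciliation and the data integrity testing described in the two paragraphs above can be scripted as follows. This is an added example, not part of the original article; the gate log, timesheet rows, finding codes, and the half-hour tolerance are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from any real project).
# Gate log rows: (badge_id, ISO timestamp, direction)
GATE_LOG = [
    ("B100", "2021-03-01T06:58", "IN"),
    ("B100", "2021-03-01T15:32", "OUT"),
    ("B200", "2021-03-01T07:05", "IN"),
    ("B200", "2021-03-01T11:05", "OUT"),
    ("B300", "2021-03-01T07:00", "IN"),   # no OUT swipe was recorded
    ("B100", "2021-03-02T07:00", "IN"),
    ("B100", "2021-03-02T15:00", "OUT"),
]
# Approved timesheet rows: (badge_id, work date, hours billed)
TIMESHEETS = [
    ("B100", "2021-03-01", 8.5),
    ("B200", "2021-03-01", 8.0),          # on site for only 4 hours
    ("B300", "2021-03-01", 8.0),
    ("B400", "2021-03-01", 8.0),          # never badged through the gate
    ("B100", "2021-03-02", 8.0),
]


def onsite_hours(gate_log):
    """Pair IN/OUT swipes per badge; return (hours by (badge, day), integrity issues)."""
    hours = defaultdict(float)
    issues = []
    open_in = {}  # badge -> datetime of an IN swipe not yet matched by an OUT
    for badge, ts, direction in sorted(gate_log, key=lambda r: (r[0], r[1])):
        t = datetime.fromisoformat(ts)
        if direction == "IN":
            if badge in open_in:  # two INs in a row: the earlier visit cannot be measured
                issues.append((badge, open_in[badge].date().isoformat(), "IN without OUT"))
            open_in[badge] = t
        elif direction == "OUT":
            start = open_in.pop(badge, None)
            if start is None:
                issues.append((badge, t.date().isoformat(), "OUT without IN"))
            else:
                # Hours are attributed to the day the worker entered the site.
                hours[(badge, start.date().isoformat())] += (t - start).total_seconds() / 3600
        else:
            issues.append((badge, t.date().isoformat(), "unknown direction"))
    for badge, start in open_in.items():
        issues.append((badge, start.date().isoformat(), "IN without OUT"))
    return dict(hours), issues


def reconcile(timesheets, gate_log, tolerance=0.5):
    """Compare billed hours with gate presence; return findings that need follow-up."""
    hours, issues = onsite_hours(gate_log)
    unverifiable = {(badge, day) for badge, day, _ in issues}
    findings = []
    billed_keys = set()
    for badge, day, billed in timesheets:
        key = (badge, day)
        billed_keys.add(key)
        if key in unverifiable:
            # Gate data is incomplete, so the timesheet cannot be confirmed or refuted.
            findings.append((badge, day, "UNVERIFIABLE"))
        elif key not in hours:
            findings.append((badge, day, "NO_BADGE_ACTIVITY"))
        elif billed - hours[key] > tolerance:
            findings.append((badge, day, "OVERBILLED"))
    # Presence on site with no timesheet points at a gap in time collection.
    for badge, day in sorted(set(hours) - billed_keys):
        findings.append((badge, day, "ONSITE_NO_TIMESHEET"))
    return findings


if __name__ == "__main__":
    for finding in reconcile(TIMESHEETS, GATE_LOG):
        print(finding)
```

Unpaired swipes are reported separately from overbilling because they indicate a weakness in the collection system itself, which has to be resolved before the gate data can be relied on as evidence.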
Previously, construction audits often experienced roadblocks due to the inaccessibility of information. Today’s automation systems are digitizing source documents, thereby enabling more comprehensive testing at a lower cost per transaction tested. While this may provide an opportunity for more automated audit procedures, the audit methodology does not change.
Audit Methodology
Each phase of the methodology benefits from technological advancements and automation.
Phase 1: Contract Risk Assessment
This phase includes a technical review of the contract terms and conditions. By applying any past risk assessment experience, the contract terms are equated with known risks. For example, the cost of work requires labor burdens to be billed and reimbursed at cost, without additional markup. Some associated risks with labor billed in excess of cost may include inflated labor burden, duplicate benefit hours, or embedded profit. Business intelligence software now allows auditors to compile a database of past contract observations, and when paired with optical recognition software, a contract can be scanned and then the contract terms are mapped to known risks. The results produce a system generated preliminary contract risk analysis, which significantly reduces the amount of time to perform this same task manually.
Phase 2: Audit Program Development
Contract risks are mapped to a series of audit steps, allowing business intelligence software to then produce a draft audit program based on the associated contract risks. The database maintains the data requirements for the audit program and associated supporting documentation requirements, which is then provided to the contractor and owner so the audit can proceed.
Phase 3: Transaction Testing
Many transaction tests and reconciliations can be automated, which eliminates redundant data handling and relevant constraints on construction audit progress. Regardless of whether an auditor has a fully integrated business intelligence solution that can perform the testing, experience is still required to interpret the data, evaluate results, and assess whether new scenarios exist that were not addressed within the automated testing environment.
Phase 4: Audit Reporting
With the increases in the level of automation, auditors’ responsibilities grow significantly—whether it is an increase in testing or placing a greater emphasis on project controls interviews, control effectiveness, and results interpretation to mitigate construction project risk. Automation allows an increase in sample size and overall testing populations, which allows auditors to get better coverage and have more detailed findings.
Conclusion
Despite all the advances in technology that impact the construction industry, the audit solution is only as good as the subject matter experts that assess the contract risks and develop audit programs. Auditors will be needed regardless of the level of automation and should not be concerned about automation eliminating their jobs.
In September 2020, UC Berkeley agreed to pay a $2.35 million fine to the U.S. Department of Education (“ED”) and will be monitored for two years as a result of violating the Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (“Clery Act”). According to an article in The Daily Californian, ED found that more than 1,100 out of approximately 32,000 records reviewed over a five-year period were misclassified. “Many of the violations were for technical errors,” said campus spokesperson, Janet Gilmore, in an email. “Compliance with Clery requirements is highly technical and differs from other types of crime reporting conducted by law enforcement agencies and others.”
As of October 2020, ED rescinded the 265-page 2016 Clery Handbook (“2016 Handbook”), which served as a guide to institutional administrators about what to do to be compliant with the Clery Act. The 2016 Handbook was replaced with a 13-page Appendix in the Federal Student Aid Handbook; however, as of the date of this article’s submission, the Appendix does not yet have the force and effect of the law. This new guidance is effective for the 2021 reporting year and gives institutions more discretion on defining certain matters, such as which campus administrators must report campus crime statistics to ED and what area is considered the campus for data compilation purposes.[1]
Complying with the requirements in the Clery Act is indeed very technical, and an internal auditor can spend hundreds of hours auditing all of the requirements. As of January 7, 2021, institutions may be fined up to $58,328[2] for each infraction and ED has the authority to suspend institutions from participating in federal financial aid programs, at their discretion. Therefore, testing controls to ensure that Clery processes are designed and operating as required is important!
Clery Compliance Controls
There are a few things that an internal auditor can review to get a sense of their institution’s Clery compliance controls. Focusing on a few key areas can help provide an indication of an institution’s compliance with Clery and will not consume hundreds of hours of auditor effort:
Check the police department’s daily crime log.
One of the easiest things to check is the daily crime log. Daily crime logs are required to be readily available to the public. The next time a member of your department is near the police department, just stop in and ask to see the daily crime log to verify it is readily available. The log should be up-to-date and easily accessible to anyone who asks to see it.
Compare the Annual Security Report (ASR) to ED’s Campus Safety and Security database.
Generally, the ASR must be published and made available to the public by October 1st; however, due to an unprecedented year, the submission deadline for 2020 was extended to December 31, 2020.[3] In addition, the crime statistics must be uploaded to ED’s Campus Safety and Security system. Data entry into ED’s system is not foolproof and errors in data entry can easily occur. Comparing an institution’s ASR crime statistics to the crime statistics in ED’s system is a quick process.
Campus Security Authorities (CSAs) must understand their roles and responsibilities related to campus safety and security. A strong indicator for CSA compliance is the accuracy and completeness of an institution’s list of CSAs, as well as evidence that the CSAs understand their roles and responsibilities. While ED does not require that CSAs be trained, a university can prove compliance by providing both a current list of CSAs and evidence of a robust communication/training program. A simple review of the most current list of CSAs and associated training records will provide insight on an institution’s Clery compliance efforts.
Perform a desk review of the ASR.
Performing a desk review of the ASR is another way to get a read on an institution’s culture of compliance with the Clery Act. The Clery Act mandates certain policy statements describing the various components of the campus Clery Act program be included in the ASR. There are 74 required policy statement elements, ten of which are only required for locations with on-campus housing facilities.
In addition, institutions are required to publish certain crime statistics for the previous three years in the ASR and those with on-campus housing facilities are also required to publish fire statistics. These statistics can be traced back to supporting documentation, such as university police reports, daily crime logs, and other source information for accuracy. It is important to gain an understanding of the process for gathering and assembling crime statistics to ensure the statistics are accurate and complete. This primarily includes statistics received from the university police department, student affairs on campus, and local law enforcement off campus.
Multiple campus locations can also be a problem area in the ASR. Institutions with multiple campus locations face challenges in making sure crime statistics and policy statements are included for each campus location.
Check timely warnings.
Institutions should have written procedures to address the use, content, and documentation of timely warnings. An easy check is to make note of any crimes on the daily crime log that would likely compel a timely warning (e.g., assault, theft of a vehicle, burglary of a building) and see if any were issued for those crimes. Ask to see the documented procedures for timely warnings and compare those procedures to the Clery Act guidelines.
The checklist in the appendix of the 2016 Handbook was a great resource for Clery compliance; it will be archived on the Department of Education’s website for future use. At the time of this article’s publication, a new presidential administration will be in office and there is a possibility that the Handbook could be brought back.
References
Information obtained from Inside Higher Ed: https://www.insidehighered.com/news/2020/10/19/education-department-pulls-handbook-clery-act-requirements
Distributed Information Systems Management (DISM) makes up information technology (IT) resources that are managed outside of an organization’s central IT department. A DISM environment can be as small as a few unmanaged laptops or a full-scaled IT shop with applications, a data center, networks, and endpoints.
In higher education, central IT most often supports enterprise-wide IT services, such as human resource systems, financial systems, student information systems, collaboration services (e.g., email, calendar), networking (wireless/wired), and learning management systems. Although central IT typically runs these services across the enterprise, some institutions may be completely decentralized, requiring units within the organization to run their own services, or a hybrid of centralized and decentralized allowing units to choose to run their own services, such as email. Occasionally, the unit has specialized software and hardware needs and must run their own DISM because central IT does not offer the specialized services.
It is important to understand both the advantages and disadvantages to units having their own DISM. Some of the advantages that a unit would benefit from by having their own DISM include:
Control over the IT environment by personalizing services to faculty and students
Agility and speed when implementing new technologies (generally, smaller implementations take less time than larger enterprise solutions)
Ability to be tailored to meet specialized needs, such as libraries, research, engineering, and sciences
While advantages exist in a DISM environment, it is important to understand the hidden costs. From an auditor’s perspective, DISM environments can be a risk nightmare. Often, we find that IT controls are not in place, which can lead to a plethora of IT-related issues. To reduce IT risk with these DISMs, conducting audits is crucial to ensuring policies, procedures, and best practices are followed.
Relevant IT controls can be found in a variety of IT security frameworks, such as the ISO 27000 Series or NIST SP 800-53. IT security frameworks provide the auditor with a list of controls to test within focused control areas (e.g., access controls, cryptographic technology, business continuity). The following include commonly identified weaknesses in the DISM environment:
Insufficient security vulnerability management: Lack of maintenance for servers and endpoints can lead to a hacker exploiting the software to gain access and steal data. Vulnerability scanning and analysis can help identify potential security holes.
Lack of IT training for DISM administrators: Those expected to support the DISM environment are not properly trained and may not configure, or secure, the environment properly.
Improper and/or untimely provisioning and deprovisioning: Not limiting access based on the need to know or timely removing access when a user’s role changes can lead to unauthorized access and the theft of intellectual property.
Lack of security software: Many distributed units lack simple security software, such as anti-virus protections, especially on Linux machines. Identifying this weakness and correcting this simple control could help prevent malicious software from being installed or run on a machine.
Inappropriate administrative user access management: Allowing users to have root or administrative access on the endpoint assigned to them will allow the user to install unauthorized software, which could be malware. In addition, the user has the ability to change configurations, which could leave the machine open to a security breach.
User confusion: The central IT helpdesk has no knowledge of the DISM environment and the DISM helpdesk has limited knowledge of central IT systems. The lack of shared knowledge leaves users confused by not knowing who to contact for support. Without support, these users may take matters into their own hands, only exacerbating the problem.
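One way to test the provisioning/deprovisioning and administrative access weaknesses listed above is to compare an account export from the DISM environment against the HR roster. This is an added example, not part of the original article; the roster, the account export, the field names, the finding codes, and the approved-administrator list are constructed assumptions.

```python
from datetime import date

# Constructed HR roster: user -> employment status, current unit, date of last change.
HR_ROSTER = {
    "asmith": {"status": "active", "unit": "engineering", "changed": None},
    "bjones": {"status": "terminated", "unit": "engineering", "changed": date(2021, 1, 15)},
    "cwu": {"status": "active", "unit": "library", "changed": date(2021, 2, 1)},  # transferred
    "dlee": {"status": "terminated", "unit": "engineering", "changed": date(2020, 12, 1)},
}

# Constructed account export from a distributed (DISM) engineering environment.
DISM_ACCOUNTS = [
    {"user": "asmith", "unit": "engineering", "enabled": True,
     "groups": ["users", "sudo"], "last_login": date(2021, 3, 1)},
    {"user": "bjones", "unit": "engineering", "enabled": True,
     "groups": ["users"], "last_login": date(2021, 2, 20)},
    {"user": "cwu", "unit": "engineering", "enabled": True,
     "groups": ["users", "wheel"], "last_login": date(2021, 2, 25)},
    {"user": "labsvc", "unit": "engineering", "enabled": True,
     "groups": ["users"], "last_login": date(2021, 3, 2)},
    {"user": "dlee", "unit": "engineering", "enabled": False,
     "groups": ["users"], "last_login": date(2020, 11, 30)},
]

# Groups that grant root or administrative rights on common platforms.
ADMIN_GROUPS = {"sudo", "wheel", "Administrators"}
# Assumption: the unit keeps a signed-off list of who may hold admin rights.
APPROVED_ADMINS = {"asmith"}


def review_accounts(hr, accounts, approved_admins, as_of):
    """Return (user, finding code, detail) tuples for accounts that need follow-up."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts cannot be used to log in
        user = acct["user"]
        record = hr.get(user)
        if record is None:
            # Shared, service or orphaned account: someone must own and justify it.
            findings.append((user, "NO_HR_RECORD", "no matching person in HR roster"))
        elif record["status"] == "terminated":
            overdue = (as_of - record["changed"]).days
            findings.append((user, "TERMINATED_STILL_ENABLED",
                             f"enabled {overdue} days after termination"))
            if acct["last_login"] and acct["last_login"] > record["changed"]:
                findings.append((user, "LOGIN_AFTER_TERMINATION",
                                 f"last login {acct['last_login'].isoformat()}"))
        elif record["unit"] != acct["unit"]:
            # Role change: access in the old unit was never removed.
            findings.append((user, "STALE_UNIT_ACCESS",
                             f"HR unit is {record['unit']}, account is in {acct['unit']}"))
        admin_groups = sorted(ADMIN_GROUPS & set(acct["groups"]))
        if admin_groups and user not in approved_admins:
            findings.append((user, "UNAPPROVED_ADMIN",
                             "member of " + ", ".join(admin_groups)))
    return findings


if __name__ == "__main__":
    for row in review_accounts(HR_ROSTER, DISM_ACCOUNTS, APPROVED_ADMINS, date(2021, 3, 5)):
        print(row)
```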
If your institution utilizes DISM, the following can be implemented enterprise-wide, which may reduce IT risk in the DISM environment:
Use centralized IT commodities, such as an active directory, email services, and data storage. This will allow the department to gain economies of scale and reduce the risk. More importantly, this will allow the DISM to focus on unique IT solutions that are essential to their success.
Develop a DISM IT focus group to foster collaboration between central IT and DISM IT staff. Establishing a focus group ensures the distributed department is up to date on changes to policies and procedures, as well as security issues.
Consult with central IT before purchasing and implementing any software or devices. This creates the opportunity to take advantage of best pricing and reduce possible negative impacts on the enterprise security and architecture.
The DISM environment can often provide cutting-edge technologies and services that are attractive to prospective faculty and students. However, this level of service can have a security cost if proper controls are not in place. Auditors spend a tremendous amount of time auditing the central IT systems. Yet, these same IT control deficiencies exist in the DISM environment and pose comparable risk to the enterprise. Adopting an IT security framework to audit against IT controls can help the auditor provide reasonable assurance that the right controls are in place across the entire enterprise, allowing the organization to better protect its assets.
Foreword by College and University Auditor Journal Editor:
EDUCAUSE is a nonprofit association serving over 2,300 colleges, universities, and organizations across 45 countries, who are collectively responsible for developing over 16 million students. EDUCAUSE’s mission is to advance higher education through technology innovation—making it a great resource for ACUA members! EDUCAUSE’s president and CEO, Dr. John O’Brien, spent 30 years in higher education in key leadership roles and often shares his expertise regarding the intersection between higher education and technology. In May 2019, John interviewed ACUA Past-President Justin Noble, published “The Internal Auditor as a Trusted Resource: An Interview with Justin Noble” in EDUCAUSE Review, and discussed how Information Technology (IT) leaders can partner with internal auditors. Now, ACUA interviewed John to understand how to work effectively with Chief Information Officers (CIOs), gain insight on some high-risk IT areas to watch out for, as well as information and resources available to member institutions. ACUA’s questions are in bold and John’s answers are below.
Internal auditors base our audits on risk. Based on your research and input from CIOs, what do you see as the high risk IT areas over the next few years?
For anyone tracking EDUCAUSE’s top 10 IT issues over the years, it will come as no surprise that the first words out of my mouth are “cybersecurity.” This is an ongoing, dynamically changing threat for colleges and universities. The pandemic seems to accelerate so many trends we are seeing, including more nefarious activities and more sophisticated threats, such as nation states targeting intellectual property.
There are, of course, many other risks on the radar of higher education CIOs, and because of the complexity of the risk landscape we strongly encourage campuses to consult resources on our IT Governance, Risk, and Compliance site, which includes risk management resources and a very useful IT risk register tool. With all the existing and changing risks, collaboration across an institution is necessary.
In addition, our October 2020 EDUCAUSE QuickPoll data suggests that around two-thirds of campuses are experiencing IT budget cuts, with 10% as the median reduction—and over 40% expect more to come. Navigating decreased investments in IT at a time when technology has been the linchpin of strategic campus pandemic responses will be a big challenge this year and perhaps for many years to come. With inevitable declining budgets, institutions also may want to identify new efficiencies and other transformational approaches to risk, compliance, and privacy.
A significant shift to Cloud services is occurring across higher education. Are there EDUCAUSE resources auditors can leverage to keep up with Cloud developments?
The cloud can be a pretty risky place. In many cases you are handing institutional data over to third party providers, and it is important to go forward with a clear understanding of the risks involved in cloud vendor relationships. To help institutions measure vendor risks, we have developed (along with our member-led Higher Education Information Security Council) the Higher Education Community Vendor Assessment Toolkit (HECVAT). It is a questionnaire framework specifically designed for higher education solutions providers to confirm that information, data, and cybersecurity policies are in place that protect sensitive information. Preparing the IT Organization for the Cloud is a good resource for background information about the cloud. While not focused on cloud computing technology, it does include a wealth of information about what it takes to move services to the cloud and how an institution might prepare for that.
What skills and abilities would a typical higher education CIO hope that an IT auditor would possess (e.g., technical, interpersonal, communications)?
I think the dream auditor would be one who sees the engagement as an opportunity for collaborative discovery and who is willing to begin an audit with the goal of deep understanding, while resisting any rush to drive toward findings. In my opinion, what is true for great leaders is true for great auditors—a bias for “turning to wonder” rather than “turning to judgment.” It is easier to judge than to wonder genuinely why something initially seems out of the norm. I do understand that you could make the case that turning to judgment is woven into the job description for an auditor—that is true, but one might also expect that tactics and operations are a core competency for a CIO; however, that has changed over the last decade. IT is far more than executing tactics, especially in a pandemic.
We hope for auditors who understand that IT is more than just operations. IT has become less a utility and more and more a strategic asset. Understanding the work IT does in this broader strategic context would improve the audit process and results.
What are the best ways that internal audit can partner with CIOs to improve IT people, processes, and technology?
I think it would be remarkable if IT auditors would dig into the priority work at EDUCAUSE over the last few years around digital transformation (“Dx”) and bring this lens and thinking into play. Being a partner with IT in advancing digital transformation as an institutional differentiator has great promise connecting “people, processes, and technology.” The difference between ad hoc technology innovation and Dx is exactly that, that it embraces major shifts that go far beyond technology alone. Technology can be cool, but transformational change embodies changes in workforce and culture as well.
What do CIOs most appreciate about the audit process?
CIOs most appreciate when an audit process is transparent and thoughtfully scoped so that focused resources can be directed at supporting meaningful exploration and helpful findings. Anything that can illuminate a pathway of authentic curiosity and discovery will make it less likely that the engagement will take on the “gotcha” aspect that benefits no one. Additionally, CIOs especially appreciate it when audit findings help her or him make the case for needed or overdue investments in technology or staffing.
When Board members (or CIOs) come from a corporate background, what should they know about higher education?
Folks moving from a corporate background to higher education should know that they may need to master another language. Some words and concepts that meant one thing in industry mean something else in higher education. For example, “customer” is inaccurate or even offensive to many in higher education circles, and even if it were generally accepted, it is more complex than for most businesses. IT’s “customer” may be the faculty, while faculty’s “customer” might be students or research funders, or both. And institutions don’t just serve students; they serve their communities, their local government bodies, and so much more. Aside from the language challenges, of course those from a corporate background will need to adjust to the fact that it simply takes considerably longer to get things done in higher education.
What EDUCAUSE resources are the most popular for your members?
EDUCAUSE Review (ER), our digital flagship magazine, has a wide range of articles and content on many topics. ER has received numerous awards and continues to keep our members up-to-date at the crossroads of higher education and technology innovation. Of course, like ACUA, professional development is a big part of how we serve our members, and our conferences and events are very popular. In 2020, we added virtual conferences and institutes to the mix, with great results, and in early 2021 we will be launching a new mentoring initiative that I am really excited about. If your institution is an EDUCAUSE member, please let us know if you would like to become, or connect with, a mentor. Additionally, our research is very popular with our members, most notably the Top 10 IT Issues, as well as the Student Technologies and Horizon Reports.
Finally, as we reflect on the tremendous racial injustices last year, our members have appreciated our intentional effort to prioritize diversity, equity, and inclusion (DEI), including infusion of DEI themes in our professional development, publications, and research. In the second half of 2020, around 20% of our publications were related to DEI themes. Our CIO DEI Commitment statement has been signed by nearly 600 to date, and this year we are focusing on going beyond words and statements and prioritizing action.
What could future collaboration between ACUA and EDUCAUSE look like?
So many ACUA members are members of EDUCAUSE as well, and we could intentionally seek out and promote opportunities to point each other toward our resources. We have—thanks to the pandemic—been moving toward faster responsiveness to members through QuickPolls that launch and report on timely topics in days, not the months you would expect from more traditional research. QuickTalks (like this one) make it possible to spin up discussions on emerging topics for members. This agile programming would be useful to ACUA members, and we could explore areas of interest to both our members in these and other venues. I enjoyed the chance to be a keynote speaker at AuditCon 2019 and discuss digital ethics, and I think topics like these are the kind of thing that captures the imagination of auditors and IT professionals alike.
Many institutions are EDUCAUSE members, but if yours is not yet, join today!
Foreword by College and University Auditor Journal Editor:
Members of ACUA receive many benefits, such as Connect ACUA, an online community of internal audit, risk, and compliance professionals from higher education institutions sharing higher education-focused knowledge and experience. ACUA strives to share useful resources with its members to help them build their knowledge base and expand their network. We hope our readers will engage in discourse across many platforms to build their repertoire of awareness and intelligence. A growing and interactive community for internal audit professionals is AuditWithoutWalls!
Learn, Share, Explore, and Grow…
AuditWithoutWalls!, established in 2017, is a free virtual collective learning community for sharing knowledge and exploring ideas on technical issues, including governance, risks, and controls. The community began in Asia, and has since expanded across the world. It now has a global reach, connecting over 1,200 public sector internal auditors from more than 110 countries across all continents. While initially geared toward public sector internal auditors, it is now expanding into the private sector to provide more opportunities for developing professional and supportive relationships.
A collective learning community enables individuals to learn without a hierarchal structure—learning is triggered and motivated by common interests, not by rigid rules. The needs and goals of members set the course of conversation and out-of-the-box thinking. AuditWithoutWalls! fosters a democratic ethos, where all members play a vital role in the community’s learning. The environment encourages members to share their personal knowledge and expertise, motivates one another to learn, commits to mentoring new auditors, and cultivates relationships by listening compassionately and exercising empathy.
AuditWithoutWalls! primarily uses a social media platform, Yammer, to collaborate and network, but also has a presence on LinkedIn. By using online discussions, members can ask questions and share information anytime, anywhere. Since members are from all over the world, this platform truly never sleeps! Interaction and participation is constant and thought provoking, making it a great resource to learn a myriad of new things. Hot topics discussed lately include leveraging digital technology in audit and adapting the audit plan to current risks (e.g., COVID-19 pandemic, cyber hygiene).
The community also shares information on relevant continuing education opportunities, videos that provide useful information to internal auditors, and other useful internal audit services. The monthly bulletin called AuditorsHelpingAuditors! provides practitioners with up-to-date studies published by academics and researchers.
Join Today
AuditWithoutWalls! has an open-form membership concept, which allows members to join the community by requesting an invitation and also allows members to leave voluntarily. For more information, or to request an invitation to join, email auditwithoutwalls@adb.org.
I hope you had a restful holiday season and took time to enjoy those closest to you. I had the time to reflect and celebrate our accomplishments and, most of all, our resilience.
With a new year comes the opportunity to set new goals. ACUA is optimistic about 2021, as we plan to build an even stronger community to serve our industry. One way to achieve this is through continued contributions from industry leaders to College and University Auditor. The Journal provided a way for me to connect with individuals on a variety of topics, such as annual audit planning, fraud investigations, audit reporting, and even COVID-19.
I encourage you to reach out to our authors and learn from each other. I also encourage you to share your experiences in a future ACUA journal article. Turning to the Journal to gain valuable insights is just one of many benefits we have as a community. Many thanks to the authors, volunteers, and staff for showcasing their higher education knowledge.
In addition to sharing knowledge in a professional journal, ACUA is dedicated to providing relevant trainings and networking. So, you will not want to miss the opportunity to build on your professional expertise at Audit Interactive! The Professional Education Committee is hard at work, so save the dates—March 21-25, 2021. I hope to see a record number of attendees from our ACUA community.
I look forward to interacting with you on Connect ACUA and seeing everyone at Audit Interactive in March!
Purchasing card (P-Card) spending is on the rise, particularly among colleges and universities. The use of P-Cards is expected to increase 62 percent by 2018 reaching $377 billion, according to the 2014 RPMG Purchasing Card Benchmark Survey. The expansion of P-Card programs and use is expected to continue given the myriad of benefits P-Cards offer including streamlining the procurement-to-pay process, lowering operational costs and taking advantage of supplier discounts. Originally, P-Cards were used for small dollar transactions to help reduce or eliminate the need for petty cash. However, while P-Card use has grown, it has become increasingly challenging to maintain compliance as organizations struggle to gain insights into their program. Analyzing high transaction volumes using spreadsheets and manually reviewing receipts becomes labor-intensive and inefficient.
TWO PERSPECTIVES, ONE COMMON GOAL
From the standpoint of internal audit, the objective of a P-Card system is to rid the organization of fraud, waste and abuse. While there are a variety of ways to search for fraud, most are not foolproof. Sampling is unreliable for detecting and preventing misuse, and card issuer applications provide limited data. Spreadsheets have capacity limitations and are prone to errors.
Many auditors have found success in using purpose-built data analytics tools to extract and analyze data from different sources and file types to detect instances of fraud, waste and abuse. These tools provide the ability to examine 100 percent of the P-Card program data. More than ever, auditors are embracing technology to stay ahead of risks and exposures that may lead to revenue losses.
From a business standpoint, the objectives are slightly different. While detection of misuse is important, stakeholders within the organization not only need to know that something went awry; they want to dive deeper into specific risk areas to identify underlying causes. Data analytics can help auditors look through high volumes of transactional data to identify anomalies, but it is often a reactionary approach. Infractions are seldom caught in time to recover funds. In fact, it takes an average of 24 months to detect procurement fraud at which time 89 percent of all proceeds are unrecoverable. The business goal is to stay well ahead of the problem.
PREVENT A CULTURE OF MISUSE
The tolerance threshold varies for every organization. If a $300 million P-Card program incurs $20,000 in annual misuse, the convenience and administrative cost savings may offset the loss. However, inappropriate spend involving large sums of money could quickly become newsworthy and damaging to the organization’s reputation. Stakeholders need assurance that preventative measures are in place and working properly.
“Continuous monitoring is about creating a sustainable internal control environment, not creating more work. It goes beyond identifying a single set of problems to providing actionable insights to the business. Organizations can create a collaborative environment where everyone works to strengthen controls, while expanding the P-Card program.”
Transactional data can be analyzed, but misuse goes unnoticed without information from other sources such as accounts payables and human resources. For example, if John uses his P-Card to purchase gasoline while on vacation, the misuse is typically not found using traditional auditing techniques because fuel is a normal expense for John since his position requires business travel. John shares his clever cost-saving tactic with a close coworker, who begins to take advantage of similar weaknesses in the system for personal gain. The culture of misuse perpetuates and continues to go undetected.
When looking at exceptions, can you determine whether it was an isolated incident, where policies and procedures need further clarification, or a habitual problem? How many times has each employee violated the policies? Was one person in violation while the majority followed policy? Is there a department that tends to have multiple violations on a regular basis? Is misuse related to specific spending areas? These questions can only be addressed if the analysis includes data from different sources, such as employee data, category of spend, etc.
Running data analytics to test P-Card data provides some valuable details about exceptions, especially when you incorporate multiple data sources including:
P-Card Transaction Data – Provided by the card issuer and contains records of all transaction details including merchant category code, item description, purchase date, amount and vendor name.
Cardholder Master – Provided by the card issuer and contains data for all cardholders in the P-Card program. Details include last four digits of each card, monthly card limit, card status, date issued, etc.
Employee Master File – File of employees with details such as employee name, identification number, department, vacation schedule and employment status.
Expense Signoff – Expenses submitted by employees with details such as purchase date, cardholder comments and manager signoff details.
Accounts Payable (AP) – Lists payments made by AP and details such as invoice date and number, vendor name, item description and transaction amount. This data can be used to detect duplicate transactions across P-Card and AP processes.
Additionally, if the organization uses an expense management system such as Concur, data can be automatically extracted and analyzed on a regular basis to ensure compliance. Expense management systems allow employees to submit expenses for approval and/or reimbursements.
Broadening the scope of data being examined helps bridge gaps and allows you to see fraud schemes that would be impossible to detect otherwise.
ASSESS RISK AND CONTROLS
To gain an understanding of the unique ways P-Cards are being used within the organization, and whether policies and procedures are being followed, perform a risk and controls assessment. By testing historical data, you can establish a benchmark to gauge the severity of issues and identify problem areas. Begin by comparing current data with the year prior to detect patterns for normal or abnormal spending trends. Calculate average spends by department to look for outliers and unusual spend patterns. Historical data is useful for assessing the entire data population year to year.
Examples of Analytics Tests/Queries:
Monitor for duplicate payments between P-Card merchants and Accounts Payable vendors
Check for charges at inappropriate or unusual merchants (e.g., department stores, cash, personal care) by MCC code or vendor name keyword search
Pinpoint split charges to circumvent purchasing card limits
Identify cards used by terminated employees and/or employees on leave of absence
Search for expenses that may be approved without verification of receipt
Look for cardholders who made purchases on weekends or holidays
Check for unused or duplicate cards, which may be causing unnecessary liability
Search for sales tax charges. As a non-profit organization, most universities are exempted from sales tax.
Identify the top 20 spenders to pinpoint which cardholders have the highest total purchases
Next, break the queries down into sub-processes to pinpoint problem areas such as:
Card issuance: Involves the assignment of cards to appropriate departments and employees
P-Card usage: Involves examining card spend across departments and employees to detect outliers or unusual spending patterns
Policy management: Determine whether existing policies and procedures are being followed by all employees
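Four of the tests listed above (split charges, card use by terminated employees, weekend purchases, and P-Card/AP duplicates), sketched as an added example that is not from the original article or from any tool it mentions. Every record is constructed, and the field names, the per-transaction limit and the 7-day matching window are assumptions.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample records; field names are assumptions for illustration.
TRANSACTIONS = [
    {"id": "T1", "card": "1111", "emp": "E01", "date": date(2021, 3, 1),
     "amount": 1800.00, "merchant": "Lab Supply Co"},
    {"id": "T2", "card": "1111", "emp": "E01", "date": date(2021, 3, 1),
     "amount": 1750.00, "merchant": "Lab Supply Co"},
    {"id": "T3", "card": "2222", "emp": "E02", "date": date(2021, 3, 6),
     "amount": 62.40, "merchant": "Fuel Stop"},
    {"id": "T4", "card": "3333", "emp": "E03", "date": date(2021, 3, 10),
     "amount": 420.00, "merchant": "Campus Office Supply"},
    {"id": "T5", "card": "2222", "emp": "E02", "date": date(2021, 3, 11),
     "amount": 980.00, "merchant": "ACME Printing, Inc."},
]
# Assumed per-transaction limit for each card (cardholder master).
CARD_LIMITS = {"1111": 2500.00, "2222": 2500.00, "3333": 1000.00}
# Employee master: "end" is the termination date, None while employed.
EMPLOYEES = {
    "E01": {"status": "active", "end": None},
    "E02": {"status": "active", "end": None},
    "E03": {"status": "terminated", "end": date(2021, 2, 26)},
}
AP_PAYMENTS = [
    {"invoice": "INV-778", "vendor": "Acme Printing Inc",
     "date": date(2021, 3, 9), "amount": 980.00},
    {"invoice": "INV-779", "vendor": "Lab Supply Co",
     "date": date(2021, 3, 2), "amount": 500.00},
]

_SUFFIXES = {"inc", "llc", "co", "corp", "ltd"}


def normalize_vendor(name):
    """Lower-case, drop punctuation and legal suffixes so names compare."""
    tokens = re.sub(r"[^a-z0-9 ]", "", name.lower()).split()
    return " ".join(t for t in tokens if t not in _SUFFIXES)


def cents(amount):
    """Compare money as integer cents to avoid float equality problems."""
    return round(amount * 100)


def split_charges(transactions, limits):
    """Same card, merchant and day: each charge under the limit, sum over it."""
    groups = defaultdict(list)
    for t in transactions:
        key = (t["card"], normalize_vendor(t["merchant"]), t["date"])
        groups[key].append(t)
    hits = []
    for (card, _vendor, _day), txns in groups.items():
        limit = limits.get(card)
        if limit is None or len(txns) < 2:
            continue
        total = sum(cents(t["amount"]) for t in txns)
        under = all(cents(t["amount"]) <= cents(limit) for t in txns)
        if under and total > cents(limit):
            hits.append((card, sorted(t["id"] for t in txns), total / 100))
    return hits


def terminated_card_use(transactions, employees):
    """Charges dated after termination, or by someone not in the master."""
    hits = []
    for t in transactions:
        emp = employees.get(t["emp"])
        if emp is None or (emp["end"] is not None and t["date"] > emp["end"]):
            hits.append(t["id"])
    return hits


def weekend_purchases(transactions):
    """Saturday is weekday() 5, Sunday is 6."""
    return [t["id"] for t in transactions if t["date"].weekday() >= 5]


def ap_duplicates(transactions, ap_payments, window_days=7):
    """Same vendor and amount paid by both P-Card and AP within the window."""
    hits = []
    for t in transactions:
        for p in ap_payments:
            if (normalize_vendor(t["merchant"]) == normalize_vendor(p["vendor"])
                    and cents(t["amount"]) == cents(p["amount"])
                    and abs((t["date"] - p["date"]).days) <= window_days):
                hits.append((t["id"], p["invoice"]))
    return hits


def run_all():
    return {
        "split_charges": split_charges(TRANSACTIONS, CARD_LIMITS),
        "terminated_card_use": terminated_card_use(TRANSACTIONS, EMPLOYEES),
        "weekend_purchases": weekend_purchases(TRANSACTIONS),
        "ap_duplicates": ap_duplicates(TRANSACTIONS, AP_PAYMENTS),
    }


if __name__ == "__main__":
    for test_name, exceptions in run_all().items():
        print(test_name, exceptions)
```

Each hit is an exception for follow-up rather than a finding: a weekend fuel purchase, for instance, only becomes meaningful once it is compared with the employee's travel or vacation records.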
Reliable Remediation
When an exception is detected, how is it dealt with, or is it dealt with at all? Traditional remediation, usually involving emails, is time consuming, unreliable and error prone. Multiple follow-ups are necessary between several parties to ensure resolution, and managers are not always updated about whether or not the issue has been resolved. Continuous monitoring also automates remediation follow-ups until resolution is achieved, including escalation if the issue is not addressed within a set timeframe. This process can be customized to align with business processes and structure.
Get the Big Picture of the P-Card Program
Continuous monitoring tools offer dashboards that present information graphically on key program metrics such as the amount of spend across a period of time and the level of exceptions. Dashboards can be configured based on what the end users want to see or what information is beneficial to department leaders.
Reviewing trends and patterns can help gauge the performance of controls and policies, and identify any potential gaps that need addressing. Visualization helps the end user consume data and insights by looking at patterns, not just rows and columns of numbers. Trends become more apparent, and the data becomes more useful to everyone participating in the review process.
Sustained Growth
P-Card programs often lose the support of top management if there are repeated cases of misuse, especially if they are discovered too late to take corrective action and recover losses. The administrative cost savings, convenience and efficiency gains associated with using P-Cards benefit the organization, but only if exposure and risk are managed properly. Management needs assurance that policies and procedures are being followed, and audit is staying ahead of misuse.
The University of Miami, which includes academics, hospitals and research facilities, is growing at a rapid pace. Their growth will undoubtedly lead to an increase in P-Card use. The university’s internal audit department has already taken steps to move from periodically reviewing random samples of P-Card transactions to continuously monitoring 100 percent through the use of data analytics technology. Exceptions are shared with department managers to provide a comfort level about how P-Cards are being used within the organization, and whether policies and procedures are being followed.
“As our corporate cards program grows, we provide assurance at both the department and management levels that we have sufficient policies and procedures in place to review transactions,” said Hiram Sem, Executive Director of Treasury Operations and Cash Management, University of Miami. “Card holders must understand they are responsible and accountable, but we must also carefully monitor expenditures to identify unauthorized charges early. Technology has helped us refine our review process and handle larger data volumes that come with expansion.”
The value of continuous monitoring reaches well beyond exception detection. There are three advantages driving the trend towards continuous monitoring:
access to more data sources to get a complete picture of what is transpiring within the organization;
the ability to assess whether policies are being followed; and
the empowerment to improve business processes by gaining deeper insights.
When an organization is working towards a problem-free environment, it provides a sustainable process to proactively look for and address issues. When employees know every transaction is being monitored, it creates a catalyst for behavioral changes within the organization.
Internal audit offices are best positioned to enhance and protect their organizations when they provide both assurance and advisory services. Devoting more time to advisory services has both its risks and rewards. One of the greatest rewards includes enhancing relationships and building trust with management. However, if the advisory services do not meet clients’ expectations, there is a chance of harming the internal audit office’s reputation. This article will explore an example of advisory services from Montana State University as well as identify steps to enhance advisory services at your audit shop.
DEFINING ADVISORY SERVICES
According to the Institute of Internal Auditors (IIA), “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.” At Montana State University (MSU), management has been more receptive to the term, advisory services, than to the term, consulting, because advisory services has more of a connotation of internal instead of external expert advice. These two terms will be used synonymously throughout this article.
Internal auditors provide two basic types of services: assurance and consulting services. The IIA defines assurance services as, “An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.” The IIA defines consulting services as, “Advisory and related client service activities, the nature and scope of which are agreed with the client, that are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility.”
According to these definitions, one major difference between these two types of services is the level of independence the auditor must maintain. Assurance services require the auditor to conduct an “independent assessment.” The consulting services definition level of independence is “without the internal auditor assuming management responsibility.”
These differences in the level of independence can be further highlighted by another key difference between assurance and advisory services. In Research Opportunities in Internal Auditing, Urton Anderson discusses the number of parties involved in assurance and advisory services. For assurance services, there are three parties involved: the auditor, activity management and the third party to which assurance is being provided. This third party could be the audit committee of the board, senior management or some other party, depending on the internal audit function’s specific circumstances.
Although many internal auditors may refer to activity management as the client for their assurance projects, this third party could also be considered a client because they are receiving the benefits of assurance. It would follow that clear independence is necessary to ensure that the assurance provided to the third party client is objective and unbiased. Auditor judgment on an assurance project’s objectives, scope, procedures, results or any other matters must not be subordinated to influence from activity management.
Advisory services only have two parties: the auditor and activity management, so activity management is clearly the client for these projects. The influence of activity management is built into advisory services because “the nature and scope of [the services] are agreed [upon] with the client.” Therefore, the level of independence for advisory services is for the auditor not to assume management responsibility.
Anderson also presented the idea of the assurance/consulting continuum (see Exhibit 1) in Research Opportunities in Internal Auditing. The three types of services on the left side of the continuum are the traditional assurance services that many internal audit offices likely provide. Remediation services, on the far right side of the continuum, are a type of consulting service where an internal auditor “assumes a direct role designed to prevent or remediate known or suspected problems on behalf of the client.” Assessment and facilitation services are the two types of services where internal auditors in higher education have great opportunities for helping to enhance their organization’s operations.
According to Anderson, assessment services are “engagements in which the auditor examines or evaluates a past, present or future aspect of operations and renders information to assist management in making decisions.” Examples of assessment services include:
The study and evaluation of the proposed restructure of the organization to reflect the most practical, economical and logical alignment;
Estimating the savings from outsourcing a process; and
Assessing the adequacy of internal control in a proposed accounts payable system.
Facilitation services are “engagements in which the auditor assists management in examining organizational performance for the purpose of promoting change. The auditor does not judge organizational performance in this role. Rather, the auditor guides management in identifying organizational strengths and opportunities for improvement.” Examples of facilitation services include:
Control self-assessment;
Benchmarking;
Business process reengineering support;
Assistance in developing performance measurement; and
Strategic planning support.
EXAMPLES OF ADVISORY SERVICES AT MSU
MSU’s Office of Audit Services (OAS) had the opportunity to provide both facilitation and assessment services as part of an administrative operations efficiency and effectiveness initiative called OpenMSU. The director of OAS reports directly to the MSU president with no other functional reporting lines. This reporting line places OAS closer to senior management than to the board or the system-level administrative body.
When MSU’s current president, Waded Cruzado, arrived in 2010, MSU was anticipating concerns about state appropriations as a result of the recession, so it began to consider new ways to become more efficient. President Cruzado initially developed a small working group to consider ways to more efficiently provide back-office administrative operations, such as finance, human resources and sponsored programs administration.
President Cruzado’s leadership style involves having regular and broad inclusion of the campus community in its improvement initiatives, so she grew the small working group of five people into a group of 17 that included deans, directors, department heads, faculty and staff. I provided facilitation services to my client, the president, as we proceeded to coordinate this group and to develop the initiative’s mission, goals and program management structure.
Working with the 17 members of the OpenMSU steering committee was challenging, but rewarding, and led to the initiative’s unique character – the goals of increased efficiency and improved effectiveness were balanced by goals of enriching the people who provide administrative services and satisfying the people who receive the services. The plan for achieving these goals was to develop a series of recommendations for improvement based on thorough data collection and campus input.
This led to OAS providing assessment services with the clients being the OpenMSU executive sponsors: the president, provost and vice president for administration and finance. OAS was selected because it had the skill set to gather information about administrative services and because it was independent of the functions being assessed. These assessment services included administering two surveys, measuring administrative processes and conducting other activities. The first survey was provided to the population of people that provided administrative services and was intended to identify which processes they felt were the most critical to improve. The second survey was provided to a random sample of university employees and was based on the SERVQUAL methodology for measuring service quality.
The administrative process measurement activity was developed by first working with the different functions to inventory their processes. The APQC process classification framework was used as guidance for inventorying processes. Then Banner and other data was used to quantify process volumes (e.g., number of purchasing card transactions) and standard process times were obtained by working with a sample of departments’ staffs. This data proved to be very helpful as MSU worked to rightsize its first shared services operation. Shared services and the other projects that were undertaken as a result of recommendations from the OpenMSU initiative are included in the OpenMSU roadmap (see Exhibit 2). OpenMSU is now in its fifth year, and all of the projects on the roadmap are underway or completed.
OAS’s extensive work on OpenMSU was likely just a result of a unique set of circumstances. However, OAS still aims to include advisory services projects as a significant percentage of its annual work. During a typical year, OAS spends 10 percent to 15 percent of its direct time on advisory services, and this time is usually spent assisting management on emerging issues. For example, OAS intends to work with the Enterprise (information) Security Group (ESG) and the Payment Card Industry Data Security Standards (PCI DSS) working group in the current year. OAS will work with ESG by helping to implement a process to inventory servers maintained by distributed units and gather additional information on these servers, such as the type of data, the purpose of the server and the party responsible for security. For PCI DSS, OAS will augment the working group to assist departmental accountants and other merchants that receive credit card payments by helping them to understand the questionnaires that must be completed for all of MSU’s many credit card merchants.
OAS also provides advisory services to stay abreast of and to help with activities throughout the university by serving on committees and councils. OAS staff serve as non-voting members on the following committees and councils:
Environmental, Health and Safety Committee;
Information Security Council;
President’s Executive Council;
Research Compliance Committee; and
University Council (where all university policies are discussed and approved).
KEYS TO SUCCESSFUL ADVISORY SERVICES
An initial step in providing advisory services is having the office’s charter include a statement allowing advisory services. The biggest key, however, for successful advisory service is to build trust and relationships with management. Patience is essential as this takes time, but auditors should always treat management and all employees with respect, interact with others with a positive demeanor and not be perceived as playing “gotcha.”
Management also needs to know how having an auditor provide advisory services can help them, so auditors should use opportunities to communicate to management about their strengths. Through auditors’ core competency of evaluating processes, they develop strengths such as rigorously researching regulations and policies to determine what is and isn’t allowed; analyzing data and processes to develop insights into opportunities and problems; and gathering information that can be used to understand complex situations. Management will be more likely to engage auditors for advisory services once they trust auditors and understand what they can bring to the table. Also, auditors shouldn’t be afraid to offer their services to management if they think their skills can add value to a project.
After management engages auditors for advisory services, it is important to clarify the expectations for the objectives, deliverables and level of audit resources that will be dedicated to the project. This could be done formally or informally. In addition, auditors should educate their clients about The IIA standards and auditors’ responsibility to maintain independence and objectivity, so that it is clear where the lines are drawn regarding the auditor’s involvement with the project.
RISK AND REWARDS OF ADVISORY SERVICES
The greatest risk of providing advisory services is the actual or perceived loss of independence. According to “Internal Auditing: Assurance and Consulting Services,” there are two thresholds that auditors should not surpass when providing advisory services. Auditors must ensure that management responsibilities are not assumed, and auditors must not audit their own work. Auditing one’s own work is self-explanatory; however, assuming management responsibilities is more open to interpretation. “Internal Auditing: Assurance and Consulting Services” describes assumption of management responsibilities as follows: “Internal auditors should not make ultimate decisions or execute transactions as if they were part of management.”
Those in public universities could also be subject to the U.S. Government Accountability Office’s (GAO’s) Government Auditing Standards, also known as the Yellow Book. In Chapter 3 General Standards, Requirements for Performing Nonaudit Services, the Yellow Book lists 10 examples of management responsibilities. The following is a selection of these examples:
Setting policies and strategic direction for the audited entity;
Accepting responsibility for the management of an audited entity’s project;
Accepting responsibility for designing, implementing or maintaining internal control; and
Providing services that are intended to be used as management’s primary basis for making decisions that are significant to the subject matter of the audit.
Other risks associated with providing advisory services include: using limited audit office resources on less significant risks; not having the knowledge, skills or other competencies to perform a project; and suffering from a damaged reputation if services do not meet client expectations.
Building trust and better relationships with management is one of the greatest rewards of providing advisory services. These were also mentioned in the section on keys to successful advisory services because they are part of a virtuous cycle. Stronger relationships lead to greater involvement; this leads to a better reputation, which ultimately leads to being asked to be involved with more important projects. Building trust with management can also allow auditors to have greater access to organizational knowledge, which is critical to effectively assessing risk at the audit universe level.
Working on different types of projects also provides auditors with opportunities to develop new skills and knowledge. Advisory services projects particularly help auditors improve their understanding of the business, which is often cited as a key attribute of successful auditors. Finally, working with staff from other units helps auditors to become better at collaboration, which is essential to implementing positive change in higher education.
The IIA’s new Mission of Internal Audit is “To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.” “To enhance and protect” really sums up what internal audit can provide to its organizations. To enhance the organization by providing objective expert advice on operations, and to protect by looking for emerging issues and reviewing internal practices to assure leadership that all is well. Internal audit offices that can effectively provide both assurance and advisory services will be best equipped to deliver on fulfilling this mission to both enhance and protect their organizations.
References
International Professional Practices Framework, Altamonte Springs, FL: The Institute of Internal Auditors, 2013.
Anderson, Urton, Research Opportunities in Internal Auditing, Chapter 4: Assurance and Consulting Services, Altamonte Springs, FL: The Institute of Internal Auditors, Research Foundation, 2003.
Reding, K. F., Sobel, P. J., Anderson, U. L., Head, M. J., Ramamoorti, S., & Salamasick, M., Internal Auditing: Assurance & Consulting Services, Chapter 12: The Consulting Engagement, Altamonte Springs, FL: The Institute of Internal Auditors, Research Foundation, 2008.
GAO-12-331G Government Auditing Standards, Chapter 3 General Standards, Requirements for Performing Nonaudit Services, U.S. Government Accountability Office, December 2011.
Mission of Internal Audit, The Institute of Internal Auditors, Retrieved August 13, 2015 from: https://global.theiia.org/standards-guidance/Pages/Mission-of-Internal-Audit.aspx.