I V o l u m e 5 2 I N u m b e r 2 I w in t e r 2 0 1 0 I
Cutting Costs
INSIDE:
Cutting Costs: Leveraging the Technology
You Have
Credit Card Security Protects the College
and Students
An Inquiry into the Adoption of the
Best Practices of Sarbanes-Oxley in
Institutions of Higher Education
W I N TE R 2 010
Contents
­Features
ACUA Life
5
Letter from the Immediate Past President
By J. Richard Dawson
6
Meet your ACUA Board Members: Richard Dawson and
Mark Paganelli
By Donna L. Stapleton
7
Governmental Affairs Committee Update
By Mary Lee Brown
9
Professional Education Committee Update
By Toni Messer
10Inside ACUA-L
Compiled by Brenda K. Mowers
Internal Audit Organization
12
Cutting Costs: Leveraging the Technology You Have
By Mel Hudson-Nowak
Higher Education
Columns
15
Credit Card Security Protects the College and Students
By Dan Toughey
18
An Inquiry into the Adoption of the Best Practices of
Sarbanes-Oxley in Institutions of Higher Education
By Guest Columnist James K. Seaman
ACUA members are invited to submit
letters and original articles to the editor.
Go to www.acua.org and click on the
FAQ and Publication for further
guidelines. Please send your copy
electronically to the editor or ACUA in
Word 95 (or higher) or text file format.
The editor reserves the right to reject,
abridge or modify any advertising,
editorial or other material.
Editor
John M. Fuchko, III, MBA, CIA, CCEP
Board of Regents/
University System of Georgia
john.fuchko@usg.edu
(404) 656-9439
Contributing Editors
ACUA Life: Vacant
Internal Audit Organization:
Claire Sams Milligan,
Alabama Department of
Postsecondary Education
Internal Audit Practices:
Amy Hughes,
Michigan Technological University
Higher Education:
Michael J. Foxman,
University System of Georgia
Columns:
Sterling Roth, Georgia State University
Copy Editors
Departments
1
2 4
From the Editor
From the President
From the Executive Director
ACUA Life:
Brenda Mowers,
Montana State University – Bozeman
Donna Stapleton,
Technical College System of Georgia
Internal Audit Organization:
David Dixon, Governors State University
Internal Audit Practices:
Vacant
Higher Education:
Mary Ann MacKenzie,
Auburn University
Columns:
Beverly Hawkins-Llewellyn,
The University of Montana
ACUA Management
College & University Auditor is the official publication of the Association of College & University Auditors.
It is published three times a year as a benefit of membership. Articles in College & University Auditor
represent the opinions of the authors and do not necessarily represent the opinions of governance,
members or the staff of the Association of College & University Auditors. Acceptance of advertising does
not imply endorsement by ACUA. ©2010 Association of College & University Auditors.
Send address changes to:
ACUA
PO Box 14306
Lenexa, KS 66285-4306
ACUA-info@goamp.com
College & University Auditor
Stephanie Newman, Executive Director
Letter From
The Editor
Cutting Costs and Compliance – A Continued
Challenge
By John M. Fuchko, III, MBA, CIA,
CCEP, Editor
Our winter 2010 CandU Auditor theme is “Cutting
Costs.” We also incorporated several articles on
emerging compliance issues that may be of interest
to our readers. We welcome reader’s feedback in the
form of additional ideas for reducing expenses
within higher education. This edition also strives to
provide perspective on many of the perennial issues,
such as fraud, that seem to become more widespread
in times of economic downturn.
Brief Overview and
Seaman’s article touches
Future Issues
This edition starts with an excellent
on numerous emerging
introduction by our new ACUA
President, Mark Paganelli, as to where
issues and perennial
we have been and where we are going as
governance challenges
a professional association. Readers will
find Mark’s tone to be direct and
that internal auditors must informative. Donna Stapleton provides
us a brief personal introduction to Dick
face.
Dawson and Mark Paganelli while our
Governmental Affairs Committee and
Professional Education Committee
chairs provide an update on relevant
issues for ACUA members. The ACUA Life section
is wrapped up with a summary of recent ACUA-L
postings by Brenda Mowers.
Our remaining articles are detailed and informative.
Mel Hudson-Nowak, a regular contributor to these
pages, provides her insight on how to leverage an
institution’s current technology resources for audit
needs. As a first step towards developing College and
University Auditor online content, Mel has also
provided a link within the article to an online
brochure providing additional information on using
Excel for audit tests.
1 College & University Auditor
Dan Toughey’s article on PCI DSS and PA-DSS is
an excellent introduction to recent changes that
impact any institution that processes credit card
payments. The recent stories of major security
breaches involving private financial information
certainly drive the point home when it comes to
understanding the importance of these financial
privacy and security issues.
Finally, Jim Seaman provides a well-researched look
at how the adoption of Sarbanes-Oxley “best
practices” has, and will likely continue, to impact
institutions of higher learning. Seaman’s article
touches on numerous emerging issues and perennial
governance challenges that internal auditors must
face. In fact, the Institute of Internal Auditor
Performance Standard 2110 requires internal
auditors to perform work in the governance arena.
We continue to seek authors for our upcoming
editions. Our spring 2010 edition due date for
articles is March 1. Published authors of professional
content articles may be awarded CPE credit by
ACUA for your efforts. Contact me for additional
information. Our theme for the spring 2010 edition
is “Back to Basics” and our summer 2010 theme is
“Strategic Risks.”
Finally, the College and University Auditor is looking
for two additional volunteers. One, we need an
online editor who can facilitate the development of
our online presence. Next, we need a deputy editor
who can assist me in my editor duties. Ideally, the
deputy editor will be prepared to assume the role of
Editor at some point during 2010. n
Letter From
The President
Preserving Quality While Reducing Cost
By Mark Paganelli, CPA, CIA,
President
The last year has seen some historic financial
disasters. As a result, the federal government has
spent $8.5 trillion to bail out or stabilize almost
every sector of the U.S. economy, including the
banking system, automobile manufacturing, the
housing and mortgage industries, and even state and
local governments. During 2008, the only three
global financial markets to record positive gains
were:
• Ecuador +5.8%
• Tunisia +16.99%
• Ghana +60.93%
Like everyone else, ACUA has
Unfortunately, the endowments of
most universities were not invested
been impacted by the
heavily in these markets, and ACUA
does not have members from these
economic downturn but is
countries (although we will explore
the possibilities during our next
doing as much as possible to
membership drive). Almost every
institutional member of ACUA has
provide the quality products
been impacted by the recent
economic downturn. Obviously,
our members have grown to
when ACUA’s members are
impacted, so is ACUA. Past ACUA
expect at reasonable prices.
leaders, however, have left us in
better shape than some organizations
to weather this downturn. There are also some
things that, given an opportunity to go back in
time, we would have done differently. I want to
briefly reflect on the positives, the items we wish we
could do over, and plans for the future.
Weathering the Storm
When I began serving on the ACUA Board in 2005,
ACUA was completing several profitable years.
Membership continued to grow, as did conference
attendance, and the association continued to build
reserves. The annual conference grew from 366
attendees at the 2003 Nashville conference to a peak
of 485 at the 2007 Atlanta conference. There was
even talk that we would soon outgrow the meeting
space available at a single hotel and might have to
consider convention centers. The Board began to
focus externally during this time, while placing an
emphasis on improving the quality of the training
events. Resources were spent on improving our logo
and website, and marketing ourselves to other
strategic higher educational organizations such as
the National Association of College and Business
2 College & University Auditor
Officers (NACUBO) and the Association of
Governing Boards (AGB). The Board also began
strategic planning sessions under the direction of
Mr. Patrick Reed, past director for the University of
California System. This plan has helped guide
several leaders since then, and assists the Board in
making many types of decisions today. Under the
direction of Mr. Dick Dawson, then treasurer and
director for the University of Texas at San Antonio,
ACUA’s investment policy was revised and an
investment company was selected to manage our
funds. This was accomplished in 2006, and a
committee to monitor our investments was
implemented. The plan requires one year of operating
funds to be placed in money market funds, which is
extremely conservative, but saved ACUA thousands
when the markets crashed in 2008. We also
completed a successful membership drive under the
direction of Mr. Kevin Robinson from Auburn.
Membership rose from 520 in 2005 to a peak of 608
in 2008. We saw only a slight decline last year
despite the economy. By all accounts, ACUA was
soaring to new heights. The Board also realized that,
to continue on this path, we needed to change the
company that managed ACUA’s day-to-day
operations. This was done for two reasons. First, we
were not satisfied with the level of customer service
provided to members, the Board, sponsors, and
others. Second, the company’s IT capabilities
prevented the Board from obtaining timely reports
and implementing certain initiatives in a seamless
manner, such as the risk dictionary and website
upgrades. A request for proposals was sent to several
association management companies, and ultimately
Applied Measurement Professionals, Inc. (AMP) was
selected. Although we are only one year into the
contract with the new company, this move has
already paid dividends for ACUA. These positive
steps by the many past leaders and volunteers have
prepared ACUA to weather a short-term downturn
without the need to raid reserves or drastically
increase prices.
Do Overs
Although we did many things right, I wish we could
do a few over. I point these out to help future leaders
avoid the same mistakes. First, things were going so
well and the reserves were building to levels higher
than we were accustomed to, that the Board began
budgeting for deficits and wanted to use the reserves
to give back to the ACUA members. As a result, we
kept registration fees low for conferences
while increasing speaker budgets, and offered
new items such as the Cyber-Café. The Board
also undertook initiatives such as improving
the website, improving the risk dictionary,
and outreach efforts. While this sounds like
the right thing to do, in hindsight it may not
have been. No one anticipated the type of
economic downturn we are experiencing and,
depending on its length, these reserves could
have assisted ACUA’s members at a time of
great need. ACUA has successfully weathered
the current downturn, but we need to improve
our reserves before another downturn occurs.
When members’ budgets are being reduced,
it is not the best time to increase dues or
conference registration, nor is it the best time
to sell ACUA’s long-term assets. ACUA’s
reserves so far have prevented all of these
from happening. AMP has advised us of the
importance of maintaining reserves to cover
two-and-a-half years of operating costs, which
will be a goal once things improve. This is
certainly a do-over item, in my opinion.
Unfortunately, at the same time we were
budgeting for losses, we also ventured into a
new area that was an educational success, but
not a financial one. It was felt that ACUA
failed to offer anything of significance to
advanced IT auditors. We therefore partnered
with the SANS Institute, a premier provider
of such training. This was a break from the
traditional offerings of the annual and midyear conferences. Although those who
attended loved the event, which occurred in
early 2008 (right before the economic
downturn), we failed to meet the anticipated
demand and lost $40,000. This is a do-over
item despite the lessons learned. To date, we
have received recommendations for regional
ACUA conferences, and the lessons learned
from this one should prevent us from making
some of these mistakes again. In addition to
this loss, we have had lackluster attendance at
the last three mid-years. The mid-year
attendance peaked at 294 in San Antonio in
2006 and then dropped to 175 in Costa Mesa.
Only 11 auditors from California attended.
The next mid-year was in Jacksonville,
Florida. Because of the Florida economy,
attendance from the Florida universities was
lower than expected. The last mid-year in
Austin was booked right after the San
Antonio conference, and the downturn was in
full force by the time of the conference.
Fortunately, we were in the right state, and
Texas universities were impacted less severely
than others. Nonetheless, we failed to meet
our room block and were concerned that we
might have to pay attrition fees of $50,000.
AMP was able to reduce this to $5,000 and
renegotiated the Minneapolis contract so that
we incurred no penalties. This is a huge
accomplishment, since attendance dropped
from 471 in Phoenix to 328 in Minneapolis.
The Professional Education Committee is
working diligently to turn around our midyear conferences and I feel we have a very
good one planned for Reno.
The Future
Through all of the ups and downs of the last
few years, ACUA is in a very good place. We
have a new energetic group of leaders and are
working hard to maintain quality while
keeping our costs low. The Board elected not
to increase membership dues this year and,
while registration fees for the annual
conference increased, it is still considerably
less than other organizations. ACUA’s annual
conference provided 22 hours of CPE for
$870, while the IIA’s upcoming international
conference provides 18 hours of CPE for
$1,195. The price per CPE hour is $39 for
ACUA versus $66 for IIA. We also offered
one-day registration, for those within driving
distance who wanted to attend only part of
the conference. Feedback indicated the
conference was a huge success, and several
attendees commented on the quality of the
training offered. We realize that travel
budgets have been reduced and we continue
to offer free webinars and even advertise
webinars of others not associated with ACUA
but beneficial to our members. Mr. Jim
Sleezer from Oklahoma State does an
outstanding job with these. We have also
renegotiated a block of rooms for the midyear in Reno for just $89 per night. Sandy
Jansen from Texas Tech is finalizing her list
of speakers for this mid-year, and Huron
Consulting has agreed to provide 2.5 days on
compliance, which I know will be outstanding,
and hope will attract some who have been
attending the higher education compliance
conference.
In addition to providing quality education at
reasonable prices, ACUA has tightened its
belt. We reduced travel by cancelling a Board
strategic planning session, which typically
takes place every 18 months, and is held apart
from the two regular Board meetings. Usually
the ACUA president attends NACUBO, and
to save money, Dick Dawson sent Seth
Kornetsky from Tufts in his place, since the
conference was in Seth’s hometown of Boston.
We eliminated scholarships since they have
little to do with our strategic initiatives, have
reduced sponsorships at other organizations,
and other outreach initiatives to save money.
We are also exploring providing the College
and University Auditor in electronic form,
which will reduce costs and increase
circulation. As everyone knows, we have
moved ACUA-L to save approximately $7,000
and will hopefully have the kinks worked out
soon (thanks for your patience during this
transition). The Board is also evaluating
3 College & University Auditor
revenue-producing ideas such as a vendor
section on the website, where vendors can
market their products and services. We hope
this will result in discounted services for
members and advertising fees for ACUA. We
are reviewing products that can be sold in an
ACUA store, such as training tapes and other
products beneficial to members. Also planned
is a membership initiative designed to
increase members and revenue.
Although there have been a few bumps in the
road, ACUA has been very successful for the
last five years. Like everyone else, ACUA has
been impacted by the economic downturn
but is doing as much as possible to provide
the quality products our members have
grown to expect at reasonable prices. I have
no doubt we will accomplish this and, when
the economy turns around, we will resume
our path toward being bigger and better.
Thanks for being a member and for all that
you do to improve internal auditing in higher
education. n
8th Conference for
Effective
Compliance
Systems
in Higher
Education
April 21–23, 2010
Dallas, Texas
LEARN MORE AND REGISTER NOW AT
www.highereducationcompliance.org
Letter From
The EXECUTIVE DIRECTOR
Cost-Effective Continuous Improvement – An Ongoing Goal
By Stephanie Newman,
Executive Director
In my last column, I mentioned the variety of ways, large
and small, that ACUA helps its members to obtain
education, volunteer, network with peers and access
resources. ACUA membership truly is a great value!
To make sure that membership remains a great value,
the staff works closely with the Board of Directors and
Committee Chairs. We are constantly
As always, feel free to
examining all aspects of the association
contact the Executive Office to ensure that we are meeting the
needs of our members and doing so in
the most cost-effective way possible
at acua-info@goamp.com
without sacrificing quality, and
with any questions or
hopefully even improving it. Ideas for
improving or streamlining existing
concerns. We’re here to
services as well as ideas for new services
are often generated by the feedback
help.
that the Board receives from members
through surveys, conference evaluations, emails, phone
calls and ACUA-L postings. The Board then ensures that
those ideas fit into the Association’s Strategic Plan so that
resources are focused on the top priorities and action
plans are formed.
One of the most recent examples of the staff and Board
seeking to provide a service in a more cost-effective way
was the transition of the software and the administrator
of ACUA-L. The decision to change was based on the
belief that ACUA-L would function as it had in the past
as well as gaining a more user friendly archive at a
significantly reduced price. With the old listserv, ACUA
was charged an annual licensing fee as well as a fee for
each message sent out multiplied by the number of
listserv subscribers. Since ACUA-L is heavily used by its
members, the expense for use added up to approximately
$6,000 – $7,000 per year. The new provider does not
charge a per message fee and only has a minimal monthly
maintenance fee which amounts to approximately $240
per year. It just made good financial sense to make the
change with the belief that we would have the same
functionality.
We learned when we made the switch that, however, that
not all listserv software is the same. The software that
the new provider uses was not as effective at filtering
out-of-office replies or read receipts from the listserv as
the old software. While the Association was certainly
saving money, the quality of the service was not the
same. Listening to the feedback from members on
ACUA-L assisted the Board with coming up with a
potential solution to the problem which will hopefully
allow ACUA-L users to both have the same quality of
service they enjoyed before while also saving a significant
expense each year. The Board is currently investigating
the possibility of purchasing its own license for the old
software (up front, one-time cost and the quality ACUA
is accustomed to) while staying with the current
administrator (no per message cost). A solution should be
in place by the time this issue is published. We have
appreciated your patience during this process.
In the coming year, the Board will be looking for other
areas where we might also be able to maintain, or ideally
improve, the quality of member services, while reducing
the expenses. Some ideas may be more successful than
others. The Board appreciates your continued patience
and your feedback while some of these changes are
implemented.
As always feel free to contact the Executive Office at
acua-info@goamp.com with any questions or concerns.
We are here to help. n
Join Us in 2010!
Join Us in 2010!
Visit www.ACUA.org for details and registration
Visit www.ACUA.org for details and registration
ACUA Midyear Conference – March 14-17
ACUA Annual Conference – September 19-23
ACUA
Midyear
Conference
ACUA
AnnualWaterfront
Conference
– September
19-23
John
Asuaga’s
Nugget––March
Reno, 14-17
Nevada
Marriott
– Baltimore,
Maryland
John Asuaga’s Nugget – Reno, Nevada
Marriott Waterfront – Baltimore, Maryland
4 College & University Auditor
The outgoing President
Looking Back
By J. Richard Dawson, CPA, CIA,
Immediate Past President
Wow, what a year as ACUA President! Barack H.
Obama was elected the United States of America’s
44th President, essentially based upon his promise of
change. Although I did not promise change for
ACUA, it has been a year of change. As with any
change, it can be difficult, but I believe it has all been
very positive and has set the stage for a better ACUA.
membership committee headed by Vijay Patel has
been very active this past year. In order for the Board
to better serve the wants and needs of its members, it
needs to know what the members think. Consequently,
monthly membership surveys are being conducted.
Please take time out of your busy schedules to
complete those surveys.
There have been several significant challenges during
the last 12 months. The economic downturn and
many institutions cutting back on travel expenses
dramatically affected our conference attendance at
both the Midyear and Annual conferences. As a result,
we have tried to cut expenses while trying to maintain
the kind of service our members have grown to
expect.
The Board also formally established an Ambassador
program with the purpose to identify individuals that
have held a leadership position with ACUA and would
like to continue to promote ACUA. Ambassadors will
have an internal focus and an external focus.
Also during the last year, ACUA changed its
management firm to Applied Measurement
Professionals, Inc. (AMP) from Olathe, Kansas. This
has been an extremely positive action because AMP
will be able to provide the kind of resources ACUA
needs to move forward and accomplish many of our
strategic initiatives. Our Executive Director, Stephanie
Newman, has already been hard at work helping us
identify areas where we could reduce spending. For
example, ACUA-L will now be handled by a new firm
and the charges will be significantly
During the last twelve months, smaller. While we are in the process
of overcoming some of the
we have continued to offer
unexpected technical difficulties
some of the best webinars that associated with this change, we hope
to see a substantial improvement in
our money can buy …
service at a lower cost. In fact, we
believe that the archive will be easier
especially since they were all
to use.
free.
In attempting to move our website to AMP, we
determined that the website could not be moved
without significant rework, so we have opted to
basically start over with a completely new website that
will be fresh and less confusing to use. We believe
that it will better represent ACUA as we move
forward. Our hope is to enhance the use of our website
for many more benefits to members and as a revenue
producing tool.
Other improvements are taking shape with the ACUA
Risk Dictionary. Our corporate sponsor, Methodware,
has uploaded the new version of their software. And,
at the same time, the risks and controls have been
updated to be more useful. For example, there is now
a section of risks and controls related to export
controls.
Members have probably noticed more surveys coming
from ACUA headquarters over the last year. The
5 College & University Auditor
• Internally
o Serve as a knowledgeable resource for current
and potential members; and,
o Provide historical perspective and/or advise the
current board and board committees.
• Externally
o Create awareness of ACUA; and,
o Establish lines of communication with leaders of
other organizations.
During the last twelve months, we have continued to
offer some of the best webinars that our money can
buy … especially since they were all free. I want to
personally thank EthicsPoint for all their support and
coordination of these fantastic webinars. One of these
webinars resulted from research performed by Dr.
Urton Anderson from The University of Texas at
Austin and Dr. Margaret Christ from The University
of Georgia. Their research, which was funded by
ACUA, The University of California System, and the
IIA, identified potential attributes at a college or
university that could be used to determine the
appropriate staffing levels for the internal audit
function. The result will be a tool that ACUA
members can use to determine an appropriate staffing
level for their institution.
And finally, for the social butterflies, ACUA has now
established a presence on Facebook, Twitter, and
LinkedIn. So, start tweeting!
All of these wonderful changes and accomplishments
would not have been possible without all of the many
ACUA volunteers. I want to especially thank the
ACUA Board, the various committees and their
chairs, and all of the other volunteers that help to
make ACUA what it is. Without our volunteers,
ACUA would be just another association. Until you
serve as the President of such an organization, you do
not realize how much work gets done behind the
scenes. ACUA is truly a wonderful organization, so
please get involved and keep it that way! n
ACUA Life
Letter From
Meet Your ACUA Board Members –
Dick Dawson and Mark Paganelli
By Donna L. Stapleton, ACUA Life Copy Editor
I
n the last issue, College and
University Auditor readers
were introduced to Board
Member Scott Pierce and
former Immediate
When asked what top two to
Past President Kevin
Robinson. In this
three things that a member
issue, we introduce
could do to get more out of the you to our new Immediate Past President
Dick Dawson and President Mark
organization, his response was: Paganelli.
1. Get involved and volunteer;
Dick Dawson
Dick is no stranger to the ACUA Board,
2. Get involved and volunteer;
having previously also served as a Board
Member-at-Large, Secretary / Treasurer,
and, 3. Get involved and
and Vice President. Dick was born and
raised in Texas on a 2500 acre cattle
volunteer.
ranch which sustained 250 head of cattle.
The ranch is now run by his older brother. Dick is
married to Susan – his wife of 27 years. They have
two grown sons, one of which graduated from UT
(that is The University of Texas for the Tennessee
fans) and is now married and living in San Antonio.
Dick says that there are no grandchildren, so no
one to call him “Grandpa” or “PaPa,” and states
that he is way too young for those names. His other
son is currently attending Texas A&M and the
rivalries make for exciting Thanksgiving holidays.
About the Author
Dick is currently the Executive Director, Audit,
Compliance & Risk Services for the University of
Donna L. Stapleton is the
Texas at San Antonio. He has an MBA, CPA, and
Internal Auditor for the Technical
CIA. He has over 28 years of Internal Auditing
College System of Georgia. She is
experience with all of it in the higher education
one auditor responsible for 26
field.
technical colleges with over 50 total
campuses throughout the state.
Donna has only been an auditor
for the past two years and has only
been involved with government
accounting for that same amount of
time. She spent her previous career
in the private sector working as a
Plant Accountant, Accounting
Manager and Controller – mostly
in the manufacturing field. Her
forte has always been her ability
to go into companies with severe
problems in their accounting
departments and clean them up – a
good transition point for internal
auditing. She is divorced with two
sons, one of whom is a chef and the
other is in the Air Force Reserve.
When asked for information about himself that
might surprise the readership, he stated that he
wanted to be “an avatar someday and move into his
second life.” Seriously, he would like to see an
ACUA presence in second life or something similar.
He feels that this would provide training
opportunities to more individuals throughout the
world. He has also been associated with TACUA
and ACUA for over 12 years now. He plans to
continue his work on the ACUA Risk Dictionary as
this has been one of his pet projects for the past
several years. He would also like to formally
establish an ACUA ambassador program. This
would be to promote and develop mutually
6 College & University Auditor
beneficial relationships with
other organizations and enhance
the relationships with current
and potential ACUA members.
He feels these positions would
be held by persons who have
previously held leadership roles
within the organization and
want to continue involvement in some capacity.
When asked what top two to three things that a
member could do to get more out of the
organization, his response was: 1. Get involved and
volunteer; 2. Get involved and volunteer; and, 3.
Get involved and volunteer. He feels that although
it may take a little time, the rewards are
“extraordinary.”
Mark Paganelli
Mark also is no stranger to the ACUA Board. Mark
has previously served our organization as Vice
President for the last year and as a board member
from 2005 through 2008.
Although born in Chicago, Mark received his BA
in Accounting from The University of North
Alabama and then his MBA in Finance from the
University of Tennessee at Chattanooga. Mark is
presently the Executive Director, Audit and
Consulting Services for the University of Tennessee.
Mark has a total of 17 years in auditing all of which
has been in higher education and with the
University of Tennessee’s Department of Audit and
Consulting Services. He not only is a CPA, but also
a CIA. Mark also served four years in our armed
forces as a member of the United States Marine
Corp Reserves.
When it comes to the membership of the
organization, Mark feels that one of the great
benefits we have is the risk dictionary.
Mark stated: “The risk dictionary allows our members to quickly review the risk in a particular are
and build audit programs based upon this database
of risks and corresponding controls. This is a very
useful tool when building audit programs, performing risk assessments, or doing testing of processes or departments.” n
Update from Mary Lee Brown, CIA, Chairman – ACUA Governmental Affairs Committee
T
his article is intended to provide a brief
rundown of some of the current “hot topics”
and issues on the regulatory front.
Conflict of Interest). The HHS OIG 2010 Work
Plan is available here: http://oig.hhs.gov/08/Work_
Plan_FY_2010.pdf.
ARRA-1st Cycle Quarterly
Reporting & HHS OIG 2010 Work
Plan
By the time you read this, both the first and second
ARRA reporting deadline will have passed and
you and your research administration teams are
debriefing on what went well and what could be
improved upon. That was also much of the theme
of discussions, both formal and informal, at the
COGR winter meeting in late October. According
to reports from OMB, as well as representatives of
the larger federal agencies (e.g., NIH, NSF, Dept of
Energy), what went well was the fact that virtually
everyone managed to collect the required data and
submit by the deadline. There were some data
errors reported during the Agency review period
but, by and large, those were not considered
significant overall. As to what could be improved
upon, there seemed to be unanimous opinion from
the research community that calculating jobs
created/retained needs more guidance, and the
representative from OMB acknowledged this
would get some additional attention before the
January 10 reporting deadline.
NSF – Responsible Conduct of
Research: New Requirement
The 2007 America COMPETES Act directed NSF
to require that all funded students and postdocs
undergo training in the responsible conduct of
research (RCR). The implementation of this
requirement becomes effective January 4, 2010,
when all institutions submitting proposals to NSF
must certify that they have a training plan in place
for undergraduate students, graduate students, and
postdoctoral scholars who will be supported by
NSF to conduct research. This certification must be
in place at the time of proposal submission.
Training plans need not be submitted with the
proposal; however, they must be available for
review upon request. Institutions are responsible
for verifying that their undergraduate students,
graduate students and postdoctoral scholars receive
training. See http://edocket.access.gpo.gov/2009/
E9-19930.htm
As with any political/legislative
With regard to areas of interest and
implications for the audit community,
process, the identification of
it goes without saying that the
transparency
and
issues and their impact on any promised
accountability aspects of ARRA make
constituent group often takes a recipient compliance with award
terms and conditions a particular area
lot of deliberation and
of focus for the federal agency
sponsors, and in particular, the OIG’s.
correspondence before final
HHS OIG activity specific to NIH
resolution or proposed changes and the Recovery Act are addressed in
Appendix A of the referenced work
are achieved.
plan where, in addition to recipient
compliance with award terms, you will find plans
to examine College & University indirect costs
claimed as direct costs, recipient compliance with
reporting requirements and, recipient capability
audits. Apart from the ARRA emphasis, other
parts of the HHS OIG work plan that is of interest
to Colleges & Universities include the following
projects: Compliance with Cost Principles, Use of
Data Safety Monitoring Boards in Clinical Trials,
Oversight of Clinical and Translational Science
Awards (CTSA) and, Financial Interests held by
Institutions receiving NIH grants (aka Institutional
7 College & University Auditor
NSF – Labor and Effort Audits
As of this writing, reports of 12 audits have been
posted on the NSF OIG website thus far, and at
least 4 more are anticipated within the next few
months. The NSF OIG has indicated they will
publish a “capstone” report that accumulates and
summarizes all findings and recommendations
over the course of the entire audit program.
Current understanding is that this report could be
ready by Spring 2010. The completed reports are
posted at http://www.nsf.gov/oig/pubs.jsp.
FTC – Red Flags Rule
The Federal Trade Commission has again delayed
enforcement of the Red Flags Rule. Enforcement is
now set to take effect June 1, 2010. Readers may
recall that the rule requires financial institutions
and creditors with covered accounts to implement
written identity theft prevention programs to
identify, detect, and respond to “red flags” that
could signal identity theft. The rule originally
went into effect on January 1, 2008, with mandatory
compliance set for November 9, 2008. But
enforcement was then delayed until November 1,
2009 and now delayed again to June 1, 2010.
Although originally intended for financial
institutions, the Red Flags Rule became applicable
to colleges, universities, and healthcare entities
ACUA Life
Governmental Affairs Committee
Update
because they are considered creditors. See http://www.ftc.gov/
opa/2009/10/redflags.shtm.
HITECH – ARRA
Those institutions with hospitals/academic medical centers, dental
schools, student health offices and other clinical operations will need
to pay particular attention to the ARRA Health Information
Technology for Economic and Clinical Health Act (HITECH). One of
the four goals of HITECH includes: strengthening Federal privacy
and security law to protect identifiable health information from
misuse as the health care sector increases use of health information
technology. As such, HITECH amends HIPAA privacy and security
requirements, adding new compliance obligations and increasing
enforcement authority and penalties. Some of the new obligations
include: A) a breach notification requirement for health information
that is not encrypted or otherwise made indecipherable - it requires
that an individual be notified if there is an unauthorized disclosure or
use of their health information; B) ensuring that new entities that
were not contemplated when the Federal privacy rules were written, as
well as those entities that do work on behalf of providers and insurers
(e.g., business associates), are subject to the same privacy and security
rules as providers and health insurers; C) providing transparency to
patients by allowing them to request an audit trail showing all
disclosures of their health information made through an electronic
record; D) requiring that providers attain authorization from a patient
in order to use their health information for marketing and fundraising
activities; and, E) strengthening enforcement of Federal privacy and
security laws by increasing penalties for violations and providing
greater resources for enforcement and oversight activities.
The above items only scratch the surface of current issues. As with any
political/legislative process, the identification of issues and their
impact on any constituent group often takes a lot of deliberation and
correspondence before final resolution or proposed changes are
achieved. Even then, the dialogue may continue in an effort to revise
the original resolution if that resolution is still not satisfactory to one
of the parties affected. n
Risk Simplified
PROACTIVE
Supplement
existing internal
audit resources
Effective ERM and audit
udit software
solutions from Methodware
hodware
sities
• Selected by universities
around the world
mplement
• Easy to use and implement
A
• We drive the ACUA
Risk Dictionary
For a limited time - learn
cial
more about our special
embers
pricing for ACUA members
Conduct risk
assessments
Higher
Education
COLLABORATIVE
CUSTOMIZED
Conduct internal
investigations
Delivering specialized audits, including technology,
sponsored research, construction, and fraud risks,
is what makes us one of the nation’s top accounting
and consulting firms. Challenging ourselves to
consider new approaches to serving our clients is
what sets us apart.
www.methodware.com
beersandcutler.com
09BC-CUAuditorAd_r4.indd 1
8 College & University Auditor
Tax
Assurance
Consulting
10/19/09 1:56:14 PM
ACUA Life
Professional Education
Committee Update
Update from Toni Messer, CPA, CIA, Chairman – ACUA Professional Education Committee
T
he Professional Education Committee provides
coordination and oversight activities for all ACUA
educational activities. The Professional Education
Committee includes the following ACUA members who are
always willing to get your input regarding ways to improve
ACUA’s educational activities:
• Toni Messer, Chair, tmesser@utdallas.edu
• Edwina Greer, Annual Conference Director,
greere@etsu.edu
• Sandy Jansen, Midyear Conference Director,
sandy.jansen@ttu.edu
• Jim Sleezer, Distance Learning Director,
jim.sleezer@okstate.edu
• Mary Barnett, Vice President
• Vijay Patel, Treasurer
• Kevin Robinson, Sponsorship Director
• Rob Clark, Sponsorship Director
• AMP Representatives: Stephanie Newman,
Melissa Whitaker and Megan Eastland
Annual Conference – September 19-23,
Baltimore, maryland
The ACUA Annual Conference Director’s objective is to put
together a terrific team of volunteers who work together to
secure a slate of dynamic speakers and topics each year for
our ACUA members. We hope to provide an
Start packing those bags outstanding conference full of professional
development opportunities tailored to the
for training in the Wild
needs of our membership and colleagues.
West that will WOW
Our various tracks at the annual conference
are geared toward “hot topics” and traditional
attendees.
core issues of our profession. There is always
opportunity for involvement if you would like to
volunteer. We need track coordinators to help assemble and
organize the session slots, engaging speakers who can share
their knowledge and experience, and proctors to be present
in each session for assistance as needed. If you would like to
get involved or just find out more about one of these
volunteer opportunities, contact Edwina Greer.
Midyear Conference – MARCH 14-17,
RENO, NEVADA
Start packing those bags for training in the Wild West that
will WOW attendees. The ACUA midyear conference is
right around the corner, and the PEC has planned this
conference to provide some of the best training at a price
that still fits into our diminishing budgets. There will be
five different tracks to choose from - auditing for fraud,
auditing information technology, performing data analysis
techniques, auditing in a higher education environment, or
compliance issues – there is something to meet a variety of
ACUA member needs.
Distance Learning
At least four hours of CPE a year, in your office and free,
that is the goal of ACUA’s distance learning chair. This
year’s webinar schedule included five presentations, all
hosted by EthicsPoint at no cost to participants. Recent
topics included a discussion of ethics issues, a review of
ARRA compliance issues, and guidance on rightsizing the
internal audit function. Selected topics are based on requests/
recommendations from ACUA members. Suggestions are
always welcome and should be directed to Jim
Sleezer. Archived presentations and registration for
upcoming webinars are available through links on the
Distance Learning page on the ACUA website at http://
www.acua.org/go/events-and-seminars/distance-learning/
webinars.
Check out More Free (or Almost Free)
CPE Opportunities
As a service to our members in these challenging economic
times, we are providing a list of other CPE opportunities
which may be of interest to our members. Check them out
at http://www.acua.org/go/events-and-seminars/distancelearning. n
Upcoming Conferences!
2010
2011
2012 (Tentative)
Annual Conference
Midyear Conference
Baltimore, MD
Marriott Waterfront
September 19-23
Las Vegas, NV
Tropicana
September 11-15
San Antonio, TX
Marriott
September 9-12
Reno, NV
John Asuaga’s Nugget
March 14-17
Orlando, FL
Rosen Centre Hotel
March 13-16
Charlotte, NC
Omni
April 1-4
9 College & University Auditor
Inside ACUA-L
Compiled by Brenda K. Mowers, ACUA Life Copy Editor
T
he ACUA listserv is your interactive resource
for experiences and knowledge specific to
internal auditing in higher education. A
wide variety of subjects have been discussed on
ACUA-L since our last issue - from pepper spray to
report benchmarks to sub-recipient monitoring.
Although we cannot cover all of the topics, here are
some of the highlights.
WHAT IS AN ORIGINAL INVOICE?
Janet Covington at Rice University
asked for responses to a short poll
A wide variety of subjects
about whether other schools allowed
have been discussed on
any leeway with regard to original
invoices or copies. Don Holdegraver
ACUA-L since our last issue at the University of North Texas
from pepper spray to report
System pointed out that with the
ever-increasing number of electronic
benchmarks to sub-recipient
purchases, one can print as many
monitoring.
copies as they want of an “original”
invoice. Add to that the relative ease with which
someone can falsify electronic invoices and you have
a real control issue on your hands.
About the Author
Brenda K. Mowers is a staff
auditor for the Montana State
University (MSU) Internal
Audit Department, a position she
has held since March 2006.
Prior to joining Internal Audit,
she worked for MSU’s University
Business Services for nine years.
She has served as volunteer Copy
Editor for CandU Auditor since
first joining Internal Audit.
Brenda, her husband Mark and
their two children live in
Manhattan, Montana and she
has grown twins that live in
Pony, Montana.
Don Holdegraver said you could be more confident
that you will not be processing duplicate documents
by having the right preventive controls over the
ability to bypass or override the system. In addition,
using applications such as ACL or IDEA can help
identify duplicate transactions as well as perform
other expenditure analysis. Michael Garcia from
Seton Hall University recommended that data entry
clerks be consistent when entering invoice numbers.
Sandy Kasahara from the University of Denver
reported the successful use of a third-party service
that analyzed expenditures for duplicate payments,
dollar amounts close to control limits and vendor
address comparison to employee addresses, among
other services. Don summed it up when he said that
in 5-10 years there might not be any paper
documents. We need to be on the cutting edge in
getting our AP departments to start thinking ahead
and build the right preventive controls into the
process, and not rely on the detective controls at the
end of the process.
STARTING POINT FOR STUDENT
AFFAIRS
Fred Chavez at the University of San Diego was
tailoring a self-review for student affairs and – after
checking the ACUA Risk Dictionary – asked the
listserv for audit programs or questionnaires in that
area.
10 College & University Auditor
• Jim Sleezer with Oklahoma State University /
A&M Board of Regents suggested looking at
student organizations, especially at diversion of
assets for personal gain and cash handling. He
also advised that if the University or student fees
fund a group, access to records should be open.
• Based on her discussion with Loyola Marymount
University’s VP of Student Affairs, Maureen
Cassidy identified Intramural Sports and Judicial
Affairs as high-risk areas.
• Mary Barnett included liability insurance for
on-campus programs and entertainers when she
audited this area. She also suggested that their
bulletin board or updated web page might offer
the population for a risk assessment.
• David Vartanian from Oakland University wrote
that since Student Affairs encompasses so many
high-risk areas, Fred should discuss with
management what its concerns are.
• Rita Moore with Western Illinois University
shared information she learned at ACUA’s annual
conference about the risk involved with how
Judicial Affairs and counseling centers (not
academic counselors) interact with campus police
for annual Clery Act security reports.
• Other audit programs recently requested include
Property Department, Recharge Center,
Academic Affairs, Office of Advancement/
Development and Facilities. If you can provide
audit programs for these areas or any others,
please send them to ACUA at acua-info@goamp.
com. Be sure to complete the Resource Library
Submission form and include your contact
information when you send items to ACUA.
QUICK TAKES
A couple of other items came over the listserv that
deserve mention. ACUA now has an ACUA Fan
page on Facebook. Sign up for access to discussions,
pictures, events and more at www.facebook.com. In
addition, ACUA members used Twitter to stay
updated with everything going on at the Annual
Conference. Check out Twitter at http://www.
twitter.com/acua_info.
Finally, it would be tough to count the listserv posts
Pat Reed from the University of California system
has contributed over the years, not to mention the
personal guidance and advice he provided to many
members of ACUA. It came to my attention that he
retired from the University of California system as
of September 30, 2009. Thank you, Pat, and best
wishes to a true ACUA STAR! We will miss you. n
Auditors Empowered with IDEA
ACUA Platinum Sponsor
ACUA Members Receive a
10% Discount
on all IDEA Products & Services
Through our strategic alliance and platinum-level sponsorship,
we offer ACUA members preferred pricing on
IDEA® – Data Analysis Software, training and other resources to help
improve internal audit efficiency and effectiveness.
For a free demonstration CD of IDEA, visit us at
audimation.com or call 888-641-2800.
IDEA is a trademark of CaseWare International Inc.
Cutting Costs: Leveraging the
Technology You Have
By Mel Hudson-Nowak, MBA, CIA, Senior Contributor
T
echnology is expense. Despite the fact that
anyone can buy a two gigabyte flash drive
for $19.95 or less, software solutions do not
come cheaply. At the same time, audit work has
become increasingly reliant on data and technology
solutions to optimize effectiveness and efficiency.
Faced with shrinking budgets and a
riskier environment, the more an audit
Faced with shrinking budgets
office can leverage the investments an
and a riskier environment, the
institution has already made, the
better.
more an audit office can
leverage the investments an
As a group, auditors use software to
collect data, store and transfer files and
institution has already made,
perform analysis. Most universities
will have implemented some
the better.
combination of software packages with
one or more solutions in each category. This article
considers some alternatives available at Bowling
Green State University but is not intended to
endorse any specific solution.
Data Collection
There is no one-size-fits all solution for collecting
data electronically. Methods include web-based
survey applications, email templates and custom
forms. No matter which electronic data collection
method is chosen, one thing is true: paper surveys
are the thing of the past.
About the Author
Mel Hudson-Nowak, MBA,
CIA is the Director of Internal
Audit at Bowling Green State
University (BGSU), a position she
has held since 2006. Prior to
joining BGSU, she worked in
various finance positions at Ford
Motor Company, including an
overseas assignment at Volvo Cars
for Sarbanes-Oxley readiness. Mel
has a BA from Smith College, an
MBA from Michigan State and is a
Certified Internal Auditor. Mel has
previously served as both the Editor
and the Internal Audit Practice
Section Editor for the College and
University Auditor. She is a regular
contributor to these pages.
• Web-based tools
Survey applications use a web-based front end
and a database back-end to collect information.
Web-based surveys are particularly simple for
survey takers because hyperlinks can be either
embedded in email or provided on a website,
access to the internet is easily available, and
survey completion is intuitive.
There are a large number of applications available
for creating web-based surveys, making it likely
that an organization already has one or more
survey tools that are supported by the information
technology or institutional research departments.
ACUA, for example, utilizes a monthly webbased survey with Zoomerang to collect
information from membership. The challenge is
learning the specifics of each application and
gaining any needed support from the technical
team.
12 College & University Auditor
• Email templates
It is a largely unknown fact that the email
format used by Microsoft Outlook can be
customized to act as a mini-database. In
environments that exclusively utilize PCs,
Outlook-based surveys can be even easier for
users to complete because it does not require
exiting to the web. The simplicity of getting
everything done within the email tool can
significantly improve survey responses.
However, the fact that responses are tagged with
individual email addresses when they are
returned can impact response rates for particularly
sensitive information gathering and the inability
to effectively send surveys from Outlook to
Entourage (Microsoft’s Mac-based email
application) limits effectiveness on college
campuses. At BGSU, we are investigating a
Microsoft Office package called InfoPath which
is intended to link email data collection
aggregation in Outlook, Excel or Access but we
do not have any experience with the application
functionality at this time.
• Custom forms
Perhaps the easiest of the electronic survey
methods is using a software package to create a
template that is forwarded (generally by email)
to survey participants. At BGSU, our preferred
software choice is Adobe Acrobat. We found
Adobe Acrobat to be simple to learn and easy for
our customers to use. Forms can be designed
quickly in Microsoft Word and then customized
to include commonly used form fields such as
pull-down boxes and option buttons.
Users who have been trained by other operational
areas on campus to complete PDF forms require
limited content-specific training to complete the
template. The biggest downside to these forms is
the limited data aggregation functionality, and
the propensity of survey completers to fit it in,
print it out and send it back via interoffice mail.
File Storage and Transfer
Years ago, the vast majority of audit work was done
on paper. File storage involved huge file cabinets
and file transfer meant carrying a large audit
briefcase – the kind that look like it could hold a
small typewriter. In 2009, file storage and transfer
is nearly always electronic.
Individual
Hard Drive
No. Back-up from hard
drive is not usually
available.
ListServe Email
Attachment
Partial. Emails are
generally stored on the
mail server, with limits.
Once moved to
personal folder, info is
stored on hard drive.
Accessible to
Teams
No. Individual machines
have logon credentials.
Partial. Files shared at a
point in time when
distributed.
Security
Partial. In most cases,
individual machines
have logon credentials
and may have
encryption; can be
overridden by users.
Notification
No. Cannot notify
others when a new file
is available.
Partial. Emails can be
intercepted while in
transit or forwarded to
others. Encryption
software for email is
not in place in most
organizations.
Yes. An email is itself a
notification.
Yes. Most security
administrators will
require a shared drive
owner to authorize
each user during set-up
and periodically verify
accuracy.
No. Shared drives
cannot be used to
notify users of a new
file for review.
Potential
Uses
Temporary files that are
not yet being posted to
the active workpaper.
Isolated communication
(with or without
attachment) to broad
communities or senior
management.
Files created outside of
the audit office
requiring periodic
review.
Back-up and
Redundancy
Network
Shared Drive
Yes. Most IT
Departments maintain
standards for when files
are backed up, how
many versions are
saved, and what
protocols can be used
to recover.
Yes. Any individual with
access to the network
and shared drive has
access to the files;
generally, there is no
access to individuals
outside of the
institution.
OneNote Notebook
Blackboard Community
MyFiles Web Server
Yes. Same as network,
plus automatic sync
when reconnected.
Yes. Most IT
Departments maintain
standards for when files
are backed up, how
many versions are
saved, and what
protocols can be used
to recover.
Yes. Any individual in
the institution has
potential access.
Access anytime via
Internet.
Yes. Most IT
Departments maintain
standards for when files
are backed up, how
many versions are
saved, and what
protocols can be used
to recover.
Yes. Any individual with
Internet access can be
added as a user.
Yes. All users to a
Blackboard community
must be granted access
to specific areas.
Yes. Individuals must
be granted a specific
kind of access (read,
edit) to specific folders
or files. Password
controls are less robust
for external users.
Yes. MyFiles allows an
email to be sent to alert
someone to a new
available file.
Yes. Same as shared
drive, plus the software
creates a replica copy
on the hard drive which
can be used when
disconnected from
network and is
synchronized when
reconnected.
Yes. Most security
administrators will
require a shared drive
owner to authorize
each user during set-up
and periodically verify
accuracy.
Yes. Flags can be used
(see OneNote update)
to let individuals know
a file is available.
Audit workpapers, audit
manual, office
productivity
documents, shared task
lists.
Yes. A number of
communication options
are available to alert
someone to a new file,
including email and
announcements.
Communications with
static long-standing
groups on campus.
File sharing with
external constituencies,
including external
auditors.
File storage methods are quite extensive, and range from individual
hard drives to web-based storage systems. Each option has a unique
set of characteristics, which are summarized in the attached table (see
Exhibit: File Storage and Transfer). A couple notable highlights are:
Although the majority of users in Excel are familiar with some the
basic functions in Excel, fewer understand the range of audit
functionality included. Some functions we find particularly useful
include:
• Email is an increasingly important source of audit evidence. Email
text and attachments provide needed information for planning and
testing throughout the audit process. Because of the inherent
challenges in applying records retention criteria to inbox, sent items
and personal folders, we have begun to ‘send’ those supporting
emails to the OneNote notebook for each audit. In that way, the
email can be shared among all members of the audit team
(regardless of the original recipient) and it will be retained
consistent with the requirements for the audit.
• Text-based functions that allow data to be manipulated and
converted. For example, ‘smart coded’ fields can be deconstructed
using the LEFT, MID, and RIGHT functions, allowing a piece of
an important field to be separated from the full string.
• During our past external audit cycle, we utilized MyFiles to
facilitate the information requests by the audit team. Each member
of the internal team and audit team was provided with unique
logon credentials, and needed files were shared on a secure website.
In the past, challenges with lost files, large files or poor
communication created obstacles to a successful audit. The
increased transparency and ease of access improved the overall
process.
Data Analysis
There are effective analytical tools designed specifically for auditors.
Offices that have yet to invest in those solutions might be surprised
by how much analytical firepower Excel and Access can provide.
• Logical functions that allow data to be connected. A manual join
can be created in Excel using the VLOOKUP or HLOOKUP
functions, allowing critical data from a second worksheet to be
quickly and easily appended to a core dataset.
• Pivot tables that allow data to be aggregated. Pivot tables provide
a quick and easy way to compare data in different categories or
identify gaps and exceptions.
In cases where Excel is unable to handle the volume of data generated,
Access may be a better solution. Although Access can be harder to
learn, the query functionality is fairly robust and can be used to deal
with data interrogation. In one audit, more than 300,000 records from
a student payroll system were analyzed to determine where the
students failed to ‘punch out’ and were paid for the time between
when they completed their shift and the start of their next shift.
In our office, a home-grown brochure, “Excel Functions for Auditors”
provides the basis for building skills in this fundamental software
13 College & University Auditor
Internal Audit
Practices
Exhibit: File Storage and Transfer
Exhibit: Audit Steps Status
package that both students and current staff are likely to encounter
throughout their careers. Please feel free to download a copy of the
brochure on our website: http://www.bgsu.edu/offices/audit/.
OneNote: Learning More
The spring 2009 edition of College and University Auditor highlighted
how Microsoft OneNote could be used to store the documentation
created during the audit process. After using OneNote for a significant
process-based audit, new functionality has been identified that makes
it an even more effective tool.
Reference and search
As we expanded our use of OneNote, we started to think it of less like
a word processor and more like a file share with a graphic interface.
From that point, it was a natural transition to create an Audit Manual
in OneNote and to add various reference documents that used to
reside on the shared drive. As critical reference material that had been
lost within the folders of the shared drive came to life, the question
emerged: was it better to insert the file as an attachment or print the
document directly to OneNote?
After considering the options, we elected both to print documents to
OneNote and attach the original document as well. Why? We
stumbled on a search feature that allows you to find text on a page
section or notebook. Amazingly, the search functionality worked
whether the text was type, printed from something type, or even
printed from something scanned. We were shocked when a haphazardly
scanned document from an old page became searchable simply by
printing it to OneNote.
Using Tags
Another useful functionality is the ability to use tags to track key
information about a page or specific content on a page. We use tags to
indicate what steps of an audit program are assigned to each auditor,
to track tasks given to our student employees and to track the type of
work (audit plan, corrective action, policy support) those tasks
support. We have customized tags to include check boxes that
indicate to whom each task is assigned and who should be completing
the review once complete. The tags bring an element of project
management to OneNote that was missing before.
Specifically, we are now able to track which audit program steps are
open and who is responsible for ensuring the work is complete. The
process of running a status report is simple: choose the ‘Tags
Summary’ option and the pick create summary page; the text to the
right of the tag will display for the subset of pages requested. The
example graphic (see Exhibit: Audit Steps Status) shows the open steps
of one module of our International Programs audit. The white page to
the left is the actual audit program, including the risk questions, step
number and tests, results and linked workpaper. The white box shows
those steps that are incomplete (i.e., unchecked), including a color
coding for a specific auditor.
The Bottom Line
At BGSU we are more convinced than ever that using OneNote is
improving the quality and efficiency of our work. There is always a
risk that Microsoft will abandon the software. If that happens, we will
have to find a way to migrate our data back to a readable format before
the software is taken away. We continue to formalize specific process
decisions, and we are confident that heading into our next large scale
audit, the tool will be even more effective. n
14 College & University Auditor
Credit Card Security Protects the
College and Students
Auditors have special role in ensuring campus payment
systems are secure
By Dan Toughey
ominous, but in the end, like all
And while every business is obligated
to protect the private information of
customers, the stakes are higher at
colleges due to family and parental expectations
that colleges provide security for many students
who are living away from home for the first time.
deadlines, it is liberating.
Nationwide, the threat is huge: Fraud related to
credit and debit cards was $22 billion in 2008, up
from $19 billion in 2007, according to Javelin
Strategy & Research, a California consulting firm.
Auditors can help ensure their institutions are
employing solid strategies to prevent fraud.
About the Author
Dan Toughey, president of
TouchNet Information Systems Inc.
(touchnet.com) since 1989, has
guided the company to becoming a
leader in automated commerce
management solutions serving more
than 700 colleges and universities.
A graduate of Augsburg College,
Minneapolis, Minnesota, he
formerly worked for leading
financial services industry
companies.
In August, the U.S. Department of Justice indicted
a 28-year-old Florida man, Albert Gonzalez, for
hacking into computer networks used by major
American retail and financial organizations and
stealing data of more than 130 million credit and
debit cards. This was just one of a number of large
credit card losses to happen in the last six months.
Just like financial institutions, universities certainly
are not immune to attack. According to data
collected by Privacy Rights Clearinghouse, a San
Diego-based nonprofit consumer information and
advocacy organization, 36 information security
breaches occurred at colleges and universities in the
first nine months of 2009. Breaches included hacker
access to computer records, misplaced laptops and
thumb drives, and more. Hundreds of thousands of
15 College & University Auditor
electronic records with private information were
jeopardized.
News such as this should raise fear in any merchant,
but especially among colleges, whose mission is to
educate students and prepare them for the real
world.
Universities have a mission to retain students and
graduate them into the world with the best possible
chance for personal, professional and financial
success. If students – already vulnerable to risky
personal financial management practices – lose
funds or acquire damaged credit standing due to a
college’s failure to comply with credit card security
standards, the college’s reputation as a safe and
secure environment could be threatened. Conversely,
the college’s mission is enhanced when a wellsecured, high-integrity e-commerce management
system creates the best possible transaction
environment.
STANDARDS ARE IN PLACE
Colleges, of course, operate in the larger world, and
standards to address credit card safety are available.
More important, the standards that are soon to
become a business requirement will in some states
also become a legal requirement. Nevada recently
passed a law requiring that merchants comply with
industry standards, including a safe harbor provision
that protects the merchant if they comply and a
merchant’s customer is defrauded anyway.
The standards stem from the decades-long effort of
the payment card industry to protect private data of
credit and debit cardholders. Those efforts have
evolved into a formal organization: The Payment
Card Industry Security Standards Council.
The initial standard took effect in 2004 and is
known as the Payment Card Industry Data Security
Standard (PCI DSS). It covers security management,
policies, procedures, network architecture and
software design. There are six control objectives and
twelve requirements in the PCI DSS standard. More
recently, the council has established the Payment
Higher Education
T
he role of colleges and universities in
protecting private financial data is about to
get a lot bigger, and the stakes could get
even higher than they are now. The Payment Card
Industry Data Security Standard (PCI DSS) first
came into existence in 2004. The college’s role in
protecting data is about to get even bigger because
a second credit card industry security program
becomes mandatory on July 1, 2010. This new
standard is known as Payment Application Data
Security Standard (PA-DSS). Campuses that do not
comply with these standards may not
The July 1 deadline may seem be able to process certain transactions.
Application Data Security Standard (PA-DSS). This standard is
focused on software products. Software following this standard does
not store certain sensitive data and ensures that all payment
applications support compliance with PCI DSS.
It is the PA-DSS standard that becomes mandatory on July 1, 2010,
and campuses that do not comply may not be able to process certain
transactions.
THE AUDITOR’S ROLE
University auditors who provide oversight and guidance on campus
financial affairs should be in a position to provide assurance that
management has taken steps to drive PCI DSS and PA-DSS
implementation in their institutions. Here are steps on how to
proceed:
1. Inventory. Colleges, of course, accept payments from multiple
merchants and channels on campus, ranging from the athletic
department to the student health clinic, to say nothing of the
cashier’s or bursar’s offices and the student union snack bar. The
first step is to list every merchant, office or service that accepts
credit or debit cards on campus, and the payment systems those
entities use.
2. Verify. After identifying every transaction point, ensure that the
payment application used by these points complies with PCI DSS,
including the presence of firewalls and unique (not vendorsupplied) default passwords; anti-virus software and similar tools;
and hard human safeguards such as unique identification codes
and restricted physical access. Regular testing and access
monitoring also are required.
3. Enforce. Advise vendors whose payment systems are not certified
by the PCI Security Standards Council that they must comply. For
convenience and consistency, it may be useful to recommend a
university-deployed payment application system.
4. Centralize. Set up a PA-DSS certified payment environment and
move all merchants to that environment. This environment
removes all payment applications from internal systems and
employs a “link in-link out” technology to allow the payment to
occur securely in a certified location without the need to retain
private data.
5. Educate. Make sure all the entities in the environment know how
it works and how to conduct business within guidelines. Better,
implement a program that encourages or requires vendors and
merchants to review programs on a regular basis to ensure that
compliance is maintained.
ADDITIONAL BENEFITS
Indirect benefits of full compliance with PA-DSS include increased
efficiency and improved control. By bringing all campus payment
points under the same security tent, every aspect of transaction
processing can be more efficiently conducted. An added benefit is that
fewer systems are needed, easing compliance and improving efficiency.
Some smaller payment point managers, especially smaller entities
such as student or alumni groups that might only collect funds
periodically, may be unsettled by change. However, compliance will
better protect these groups against possible fraud. By requiring
compliance, the college in effect provides a service to these groups if
they adopt a payment mechanism managed by or overseen by the
institution.
Best of all, compliance helps the university more efficiently control
commerce management. The academic culture fosters silos of power.
Department heads may have their own way of doing things, but PCI
DSS and PA-DSS compliance encourages standardized money
handling, simplifying operation and permitting internal leaders to
focus on their own core missions.
The result can be improved efficiency campus-wide that should enable
reduced costs for this critical management function, which is a very
welcome development in the current economy.
SERVING STUDENTS FIRST
The auditor’s role in any university typically will be removed from the
classroom, which is the front line of the value delivered to customers.
But as any college student or graduate will tell you, what happens
outside the classroom is part of the total experience. It does no one any
good if the student loves the professor but loses a credit rating or
worse because of a breach of credit card security.
The auditor is uniquely positioned to directly serve students by
providing assurance that payment systems on campus are both
efficient and secure. The July 1 deadline may seem ominous, but in
the end, like all deadlines, it is liberating. For the good of the
university overall, but mostly for the benefit of students, now is the
time to move on PCI DSS and PA-DSS compliance. n
A COMPLIANCE OVERVIEW
Here are steps that can be taken to establish and ensure
continued compliance with payment card industry standards
for security of private financial data.
Enlist support of university leadership. Make sure the
president or chancellor is aware of the need to comply with
data security standards and the benefit of doing so.
Establish a cross-functional compliance team. Invite
representatives of the business office, information technology,
the retailer community and major campus transaction
points.
Follow the money. Review and monitor how and where
money flows through campus transaction points, and ensure
that every avenue is covered.
Formalize the policies. Publish – online and in print – the
university’s requirements regarding what must be done to
establish and operate a campus financial transaction point.
Continue the education. Set up a central structure to keep
merchants informed of policies, apprised of updates and
continuously reminded of the need for compliance.
Source: TouchNet Information Systems Inc.
16 College & University Auditor
Peddle bank accounts?
Nope.
Profit from student data?
Never.
Hold up your money?
No way.
Help your school get PA-DSS compliant?
Absolutely!
Visit www.touchnet.com/enroll/pci-pa-dss/
to receive your FREE PCI-PA-DSS Solution Kit.
www.touchnet.com
17 College & University Auditor
An Inquiry into the Adoption
of the Best Practices of
Sarbanes-Oxley in Institutions
of Higher Education
By Guest Columnist James K. Seaman, Ph.D., CPA, CIA, CFE
About the Author
James K. Seaman, Ph.D., CPA,
CIA, CFE is the vice president for
internal audit and management
consulting services for Drexel
University and chief audit
executive for the Drexel University
College of Medicine. He has more
than 20 years of audit and
managerial experience. Prior to
coming to Drexel, Jim was the vice
president for internal audit
services and corporate compliance
officer for Mercy Health System
and the associate director of
internal audit for the University
of Pennsylvania. He is a Certified
Public Account, a Certified
Internal Auditor and a Certified
Fraud Examiner. He received his
Ph.D. from Drexel University in
Educational Leadership and
Learning Technologies, his master
of science degree in organizational
dynamics from the University of
Pennsylvania, and his bachelor of
science degree from Villanova
University.
BACKGROUND
The Sarbanes-Oxley Act is legislation enacted as a
result of the financial criminal wrongdoings of
companies such as Enron and WorldCom. As a
result of such wrongdoings, the government
intervened and legislation was passed in 2002 (the
Sarbanes-Oxley act of 2002). The legislation
mandates publicly traded companies to strengthen
governance and document financial controls. The
legislation has three overarching goals: (1)
transparency - the financial information must be
complete and accurate; (2) accountability – namely,
the principal executive officer (such as the Chief
Executive Officer or the President) and the principal
financial officer (such as the Chief Financial Officer)
must be held responsible for the financial
information, and the Board of Directors is held
responsible for the proper oversight of the
corporation’s officers; and, (3) integrity - codes of
conduct must be implemented and enforced.
Although the act only applies to publicly traded
companies, many institutions, including institutions
of higher education, have adopted the “best
practices” of the Sarbanes-Oxley Act. The best
practices of Sarbanes-Oxley are considered parts of
the Act that are relevant to institutions of higher
education and appropriate for them to implement as
defined by the National Association of Colleges and
University Business Officers (NACUBO). For
example, establishing an Audit Committee, and
promoting a code of conduct and ethics policy
would be relevant to institutions of higher education.
Parts of the Act that pertain to Securities and
Exchange Commission (SEC) reporting requirements
would not be relevant to institutions of higher
education. NACUBO developed a checklist as
guidance for Colleges and Universities in
implementing best practices.
In an attempt to determine where institutions of
higher education stand toward implementing these
“best practices,” we conducted research that
consisted of sending out a survey and conducting
in-depth interviews. Overall, many of those
interviewed stated that they instituted the above
18 College & University Auditor
noted best practices because they thought it was the
right thing to do. The general belief was that
transparency, accountability and ethical conduct are
prevalent in every organization, and institutions of
higher education are not exempt.
The purpose of this article is to summarize the
research questions answered, to draw conclusions
based on the research as they impact higher
education, and to recommend future research. This
research started with three questions: (1) At
institutions of higher education that have adopted
the best practices of the Sarbanes-Oxley Act, what
have been the effects of adopting any or all of the
best practices? (2) At institutions of higher education
that plan to adopt the best practices of SarbanesOxley, what do those institutions believe will be the
effect of implementing the best practices of
Sarbanes-Oxley? (3) Of those institutions of higher
education that did not implement the best practices
of Sarbanes-Oxley, why have they not done so? This
study attempts to qualitatively determine why
institutions of higher education decided to
implement any of the best practices. What, if any
perceived benefits were gained, and if the institutions
believed that they have achieved those benefits as of
the time of the interviews.
In August 2008, we sent out surveys to approximately
700 institutions. There were 27 institutions that
responded to the survey. Since we received such a
low response rate, and in an attempt to obtain a
more in-depth understanding as to the results of the
quantitative survey, interviews were conducted with
respondents that agreed to participate in this
portion of the research. Interviews were conducted
with individuals within 10 of the participants that
provided contact information and agreed to be
interviewed. Responses represented a cross section
of the country. The questions were developed with
the intent to probe for “reasons” why an institution
did or did not implement best practices of SarbanesOxley; therefore, open ended questions were
utilized.
The research findings indicated that many institutions
of higher education already had some of these best
practices in place prior to the enactment of SarbanesOxley. For example, many of the survey respondents
implemented additional practices as a result of SarbanesOxley; however, all respondents already had some of the
practices in place prior to the enactment of SarbanesOxley. During the interviews, participants responded
that they reviewed current practices, the recommended
best practices, identified any gaps between current
practices and recommended best practices, and
remediated any gaps as necessary. The research draws
out the fact that, although institutions may have had
some of these practices in place, such as having an audit
committee, institutions still took time to voluntary
review and to improve upon existing practices. In
addition, institutions added additional best practices
where necessary, such as instituting an employee hotline.
The survey also showed that responding institutions
have a whistleblower or employee complaint mechanism
in place.
Implementation was driven by the Board or a Committee
thereof, with consultation of Management. Many
believed that implementing the best practices of
Sarbanes-Oxley enhanced integrity, thus increased
confidence of current trustees and stakeholders,
enhanced general governance, oversight and risk
management, and according to the respondents, public
perception/accountability were also enhanced. These are
very compelling comments that lead towards the
perception that implementing the best practices of
Sarbanes-Oxley in institutions of higher education
enhanced integrity, transparency, and accountability.
The respondents stated their belief that there may be
possible future mandates and/or regulation by the
government, and that there would be greater demands
on transparency and accountability. In addition, the
respondents felt that implementing the best practices
would provide improved financial controls and oversight,
particularly in light of the greater demands for
transparency and accountability. However, overall, the
respondents stated that one of the reasons the best
practices of Sarbanes-Oxley were implemented was
because their board members and senior managers
believed it was the right thing to do.
How long practice has been in place after Sarbanes-Oxley enactment?
How long practice has been in place after Sarbanes-Oxley enactment
Greater 1-2 years
3-4 years
5-6 years than 6 yearsN/A
Public accounting firm that
25.0%
16.7%
8.3%
16.7%
conducts your annual audit prohibited from performing non-audit services
33.3%
Audit Committee has a charter
9.1%
27.3%
18.2%
18.2%
27.3%
Audit Committee has at least one financial expert
27.3%
18.2%
18.2%
9.1%
27.3%
Audit Committee pre-approves all
services provided by the auditor
33.3%
16.7%
16.7%
16.7%
16.7%
The lead audit partner rotates off the audit every seven years
27.3%
9.1%
9.1%
0.0%
54.5%
The audit engagement letter is addressed to the audit committee
20.0%
10.0%
20.0%
10.0%
40.0%
Audit Committee evaluates performance of external auditor
0.0%
12.5%
25.0%
12.5%
50.0%
Hotline established
38.5%
23.1%
0.0%
0.0%
38.5%
Code of Conduct/Code of 20.0%
Ethics Implemented
0.0%
30.0%
10.0%
40.0%
50.0%
Independent Audit Committee
10.0%
10.0%
20.0%
10.0%
Financial processes documented
0.0%
22.2%
33.3%
11.1%
33.3%
CEO certifies annual audit report
10.0%
30.0%
10.0%
0.0%
50.0%
CFO certifies annual audit report
0.0%
33.3%
11.1%
11.1%
44.4%
19 College & University Auditor
States are also beginning to enact legislation on
non-profits. According to GuideStar (2008)
regulation has already been enacted in many states,
such as California’s Nonprofit Integrity Act of
2004, which requires non-profit organizations that
have revenue of at least $2 million to have an
independent audit completed. Other states have also
introduced or enacted legislation regarding nonprofit institutions, such as Massachusetts, which
changed the thresholds at which non-profit
organizations are required to obtain independents
audits. New Hampshire requires every non-profit
with revenues $500,000 or greater to submit audited
financial statements along with the organization’s
IRS form 990. Maine requires every non-profit
organization renewing its registration as a charitable
organization to submit audited financial statements
with its IRS form 990. Connecticut requires nonprofit organizations with revenues greater than
$200,000 to file audited financial statements, and
Kansas requires those with contributions $500,000
or more to submit audited financial statements.
Although most of this legislation is geared towards
charities, and exempts institutions of higher
education, it is clear that States are focusing on
governance in non-profit organizations. This would
also be consistent with the respondents’ concerns
that possible future mandates and/or regulation by
the government, and that there would be greater
demands on transparency and accountability.
Columns
IMPLICATIONS OF THE SURVEY FINDINGS
Overall, Sarbanes-Oxley has had an impact on how
institutions of higher education conduct business. For
example, institutions developed or modified their Board
Audit Committee Charters to include independent
members on the committee, and to ensure members
were financially literate, with at least one financial
expert as recommended in the best practices. In
addition, institutions established
As for long-term implications, it is hot-lines for staff and others to
report suspected irregular activity,
postulated that institutions of
and established Codes of Conduct,
which are signed by trustees, senior
higher education that have
managers, and some institutions
implemented the best practices
require the Codes of Conduct to be
of Sarbanes-Oxley will be better signed at the employee level.
Institutions that implemented or
modified the best practices of
poised should future regulation
Sarbanes-Oxley Act subsequent to
be enacted by the federal or
its passage began to do so within the
first few years of enactment.
state legislators.
News report, the acting U.S. Attorney stated that
“this settlement sends a clear message that the
regulations applicable to federally-funded research
grants must be strictly adhered to.” This acts as a
clear message that institutions that do not make an
effort to improve financial controls and oversight
to improve transparency and accountability may be
subject to these types of investigations.
How long practice has been in place prior to Sarbanes-Oxley enactment?
How long practice has been in place prior to Sarbanes-Oxley enactment
Greater 1-2 years
3-4 years 5-6 years than 6 yearsN/A
Public accounting firm that conducts your annual audit
prohibited from performing
nonaudit services
7.1% 0.0% 7.1% 21.4% 64.3%
Audit Committee has a charter 18.8% 12.5% 0.0% 43.8% 25.0%
Audit Committee has at least one
financial expert
0.0% 7.7% 7.7% 53.8% 30.8%
Audit Committee pre-approves all
services provided by the auditor
12.5% 6.3% 6.3% 31.3% 43.8%
The lead audit partner rotates off
the audit every seven years
23.1% 0.0% 7.7% 15.4% 53.8%
The audit engagement letter is
addressed to the audit committee
0.0% 16.7% 8.3% 33.3% 41.7%
Audit Committee evaluates
performance of external auditor
14.3% 0.0% 14.3% 35.7% 35.7%
Hotline established
7.7% 23.1% 0.0% 7.7% 61.5%
Code of Conduct/Code of Ethics
Implemented
0.0% 15.4% 7.7% 38.5% 38.5%
Independent Audit Committee 14.3% 7.1% 14.3% 50.0% 14.3%
Financial processes documented 7.1% 0.0% 7.1% 57.1% 28.6%
CEO certifies annual audit report 16.7% 0.0% 0.0% 8.3% 75.0%
CFO certifies annual report
7.1% 57.1% 28.6%
7.1% 0.0% The IRS recently revised it Form 990. The Form
990 is an informational form filed by institutions
of higher education and other non-profit organizations. Among many of the revisions are questions
regarding the following: the number of voting
members that are independent, and asks if the
institutions have a conflict of interest policy,
whistle blower policy, document retention and
destruction policy, and about an institution’s
Compensation practices. In addition, the IRS form
990 asks if a copy of the 990 is provided to the
organizations governing body before it is filed.
Again, these inquiries on the IRS form 990 regarding governance practices, institutional polices, and
compensation practices lead institutions to believe,
and is consistent with concerns noted in this
research, that possible future mandates and/or
regulation by the government would result in
even greater demands on transparency and accountability.
Future Implications for
Education
Although the Sarbanes-Oxley Act only applies to
publicly traded companies, and is not directly
applicable to institutions of higher education,
institutions of higher education that have opted to
implement such practices have done so for good
reason. The adoption of best practices enables an
institution to promote transparency by ensuring
that its financial information is correct through
the implementation of internal controls that help
detect errors in the accounting records should any
errors occur. It also promotes accountability by
affixing the responsibility for the accuracy of the
financial information on the President and Chief
Financial Officer of the institution. This
accountability is achieved by requiring the President
and Chief Financial Officer to sign certifications
certifying that the annual financial information is
correct. Additionally, following the act’s best practices
encourages integrity by requiring all members within
the institution to sign an annual conflict of interest
statement and disclose any relationships that employees
or family members of employees have with anyone
doing business with the institution.
Do you believe that the result of implementing the best practices of
Sarbanes-Oxley has added value in the following areas (check all that apply)?
Do you believe that the result of implementing the best
practices of Sarbanes-Oxley has added value in theResponse
following areas (check all that apply)?
Percent
Obtaining Federal and other funding from various agencies
28.6%
Obtaining gifts from donors
35.7%
Attract students 0.0%
Increase reputation
28.6%
Recruited Trustees that are financially competent
42.9%
No value obtained
28.6%
In an article in the Michigan Law Review (2008), author
Joseph Mead states that “those nonprofits that most
need tighter financial management are unlikely to
adopt the voluntary proposals because financial
management is not a priority for them.” Mead makes a
valid point, and continues, “when a scandal develops at
one of these nonprofits, the resulting media attention
damages the entire sector. Mandatory legislation
provides a way to prevent these nonprofits from tainting
the entire sector.” This reinforces the respondents’
concerns as to the reasons why possible future mandates
and/or regulation by the government may occur.
Increased public perception was also noted as an
anticipated gain for institutions of higher education
implementing the best practices of Sarbanes-Oxley …
and for good reason. The Yale Daily News (December,
2008) reported that Yale University recently agreed to
pay $7.6 million for allegedly making false claims on
federal research grants. According to the Yale Daily
20 College & University Auditor
Also, establishing a hot-line for employees and others to
report suspected inappropriate activity enables those
that wish to report to do so anonymously if they desire
to do so. It also provides the institution the opportunity
to investigate the suspected activity in-house, as opposed
to the suspected activity being reported to the federal
government. For example, Oakland City University in
Indiana agreed to pay $5.3 million to settle a whistleblower’s complaint that the University improperly
offered incentives in the form of commission and bonuses for
employees to enroll students.
Board members of non-profit organizations are typically not paid, but
volunteer to serve on such boards. As there is an increasing demand
from the government for Boards to carry out their fiduciary
responsibilities, future research as to how Board members are
responding would glean insight as to how these Board members are
coping with such demands. Are organizations finding it difficult to
attract and retain qualified board members, and how is this effecting
such organizations? According to Laura S. Trombley (2007) president
of Pitzer College;
…while measures mandated by the Sarbanes-Oxley Act are
not required for nonprofit organizations, they have heavily
influenced the current practice and policies of colleges.
Many, like my own, have had to create a separate audit
committee of the board to serve as the institution’s fiduciary
watchdog. All those aspects of board performance may prove
daunting, particularly to new trustees. As institutions of
higher education continue to implement the best practices of
Sarbanes-Oxley, and with the demands placed on the
institution’s boards, will this limit the ability of institutions
to attract and retain competent board members?
Ms. Trombley further adds that, at her own institution, she has “been
fortunate to work with trustees who are actively interested in best
practices in governance.” However, Ms. Trombley, who is also a
commissioner at the Western Association of Schools and Colleges, and
has served on many college-review panels for the association, states
that “I have seen the powerful and detrimental effect a poorly
functioning board can have upon an institution.” Research into how
board members believe best practices in governance affect their
decisions as to which boards to sit on, and which boards are no longer
feasible to sit on due to greater demands, should prove beneficial.
It is clear through the IRS’s revamping of Form 990 that the
government is interested in knowing if non-profit organizations,
including institutions of higher education, are creating a culture of
transparency through the additional information that the 990 in now
requesting. Those organizations that can answer such questions in the
affirmative will be better poised should such Sarbanes-Oxley like
legislation eventually be enacted within the non-profit environment.
In the July/August 2009 issue of Trusteeship, Thomas Hyatt provides
an excellent breakdown of the questions now posed on the new 990 in
his article “Show Me What I’m Looking For: A Trustee’s Guide to
Reviewing the New IRS Form 990.”
As for long-term implications, it is postulated that institutions of
higher education that have implemented the best practices of
Sarbanes-Oxley will be better poised should future regulation be
enacted by the federal or state legislators. As competition increases for
a decreasing pool of federal funds, funding agencies will take into
account the fact that there are organizations that are exercising their
fiduciary responsibilities by implementing the best practices of
Sarbanes-Oxley. Donors may be willing to give to institutions that
show they are serious about exercising their fiduciary responsibilities,
and have made attempts to be more transparent through implementing
the best practices. These are areas where future research is needed.
However, it is also more likely that implementing the best practices
of Sarbanes-Oxley may have an impact on higher education that
establishes an overall culture within the institution that strives to do
what is ethical and right. As institutions set that ethical tone, this
should attract higher caliber individuals to the institutions who want
to work for such institutions, and also should motivate those that
chose not to carry on in an ethical manner to get out of institutions.
For example, in an interview with the Chronicle of Higher Education,
Senator Grassley (ranking member of the U.S. Senate Finance
Committee) stated that the National Institute of Health should get
tough with academic scientists by revoking their grants if they fail to
report financial conflicts of interest to their institutions. The comment
was a result of the Senator’s investigators finding discrepancies when
they asked pharmaceutical companies to list their payments to
researchers, and then asked Universities to describe financial
disclosures by those same investigators.
In the most recent study conducted by NACUBO, the authors state
that “Overall, it appears that SOX has served to underscore the
importance of the traditional formal governance structures of colleges
and universities while adding emphasis on ethical and transparent
practices.” Future research in this area will determine if these practices
have achieved what the institutions intended them to achieve.
NACUBO states that it will continue to conduct follow-up surveys
every two or three years, because the author believes that “the many
mandates affecting the industry do not seem to be trailing off, we
have every reason to believe that higher education will continue to
adjust and improve its practices.” Holbeche also reminds us that
“Success depends on extensive planning and design, precise assessment
of the current situation, accurate anticipation of resistance to change
and skill at overcoming this resistance.” In order to make course
corrections along the way, understanding the cultural aspect to the
changes of implementing the best practices of the Sarbanes-Oxley Act
in institutions of higher education is critical for organizations to
understand. n
Columns
The short-term implications of implementing the best practices of
Sarbanes-Oxley will show employees and others outside the institution
that the institution wants to do the right thing, i.e., that accountability
and transparency are important. Also, it will help establish an ethical
culture within the institutions of higher education through the
institution’s code of conduct in communicating that improper
behavior will not be tolerated.
21 College & University Auditor
PRSRT STANDARD
U.S. Postage
PAID
Shawnee Mission,
KS 66202
Permit #143
P.O. Box 14306
Lenexa, KS 66285-4306