Volume 52, Number 2, Winter 2010

Cutting Costs

INSIDE:
Cutting Costs: Leveraging the Technology You Have
Credit Card Security Protects the College and Students
An Inquiry into the Adoption of the Best Practices of Sarbanes-Oxley in Institutions of Higher Education

WINTER 2010 – Contents

Departments
1 From the Editor
2 From the President
4 From the Executive Director

Features

ACUA Life
5 Letter from the Immediate Past President – By J. Richard Dawson
6 Meet Your ACUA Board Members: Richard Dawson and Mark Paganelli – By Donna L. Stapleton
7 Governmental Affairs Committee Update – By Mary Lee Brown
9 Professional Education Committee Update – By Toni Messer
10 Inside ACUA-L – Compiled by Brenda K. Mowers

Internal Audit Organization
12 Cutting Costs: Leveraging the Technology You Have – By Mel Hudson-Nowak

Higher Education
15 Credit Card Security Protects the College and Students – By Dan Toughey

Columns
18 An Inquiry into the Adoption of the Best Practices of Sarbanes-Oxley in Institutions of Higher Education – By Guest Columnist James K. Seaman

ACUA members are invited to submit letters and original articles to the editor. Go to www.acua.org and click on the FAQ and Publication for further guidelines. Please send your copy electronically to the editor or ACUA in Word 95 (or higher) or text file format. The editor reserves the right to reject, abridge or modify any advertising, editorial or other material.

Editor
John M. Fuchko, III, MBA, CIA, CCEP
Board of Regents/University System of Georgia
john.fuchko@usg.edu
(404) 656-9439

Contributing Editors
ACUA Life: Vacant
Internal Audit Organization: Claire Sams Milligan, Alabama Department of Postsecondary Education
Internal Audit Practices: Amy Hughes, Michigan Technological University
Higher Education: Michael J. Foxman, University System of Georgia
Columns: Sterling Roth, Georgia State University

Copy Editors
ACUA Life: Brenda Mowers, Montana State University – Bozeman; Donna Stapleton, Technical College System of Georgia
Internal Audit Organization: David Dixon, Governors State University
Internal Audit Practices: Vacant
Higher Education: Mary Ann MacKenzie, Auburn University
Columns: Beverly Hawkins-Llewellyn, The University of Montana

ACUA Management
Stephanie Newman, Executive Director

College & University Auditor is the official publication of the Association of College & University Auditors. It is published three times a year as a benefit of membership. Articles in College & University Auditor represent the opinions of the authors and do not necessarily represent the opinions of governance, members or the staff of the Association of College & University Auditors. Acceptance of advertising does not imply endorsement by ACUA. ©2010 Association of College & University Auditors.

Send address changes to: ACUA, PO Box 14306, Lenexa, KS 66285-4306, ACUA-info@goamp.com

Letter From The Editor
Cutting Costs and Compliance – A Continued Challenge
By John M. Fuchko, III, MBA, CIA, CCEP, Editor

Our winter 2010 CandU Auditor theme is “Cutting Costs.” We also incorporated several articles on emerging compliance issues that may be of interest to our readers. We welcome readers’ feedback in the form of additional ideas for reducing expenses within higher education. This edition also strives to provide perspective on many of the perennial issues, such as fraud, that seem to become more widespread in times of economic downturn.
Brief Overview and Future Issues

This edition starts with an excellent introduction by our new ACUA President, Mark Paganelli, as to where we have been and where we are going as a professional association. Readers will find Mark’s tone to be direct and informative. Donna Stapleton provides us a brief personal introduction to Dick Dawson and Mark Paganelli, while our Governmental Affairs Committee and Professional Education Committee chairs provide an update on relevant issues for ACUA members. The ACUA Life section is wrapped up with a summary of recent ACUA-L postings by Brenda Mowers.

Our remaining articles are detailed and informative. Mel Hudson-Nowak, a regular contributor to these pages, provides her insight on how to leverage an institution’s current technology resources for audit needs. As a first step towards developing College and University Auditor online content, Mel has also provided a link within the article to an online brochure providing additional information on using Excel for audit tests.

Dan Toughey’s article on PCI DSS and PA-DSS is an excellent introduction to recent changes that impact any institution that processes credit card payments. The recent stories of major security breaches involving private financial information certainly drive the point home when it comes to understanding the importance of these financial privacy and security issues. Finally, Jim Seaman provides a well-researched look at how the adoption of Sarbanes-Oxley “best practices” has impacted, and will likely continue to impact, institutions of higher learning. Seaman’s article touches on numerous emerging issues and perennial governance challenges that internal auditors must face. In fact, the Institute of Internal Auditors Performance Standard 2110 requires internal auditors to perform work in the governance arena.
We continue to seek authors for our upcoming editions. Our spring 2010 edition due date for articles is March 1. Published authors of professional content articles may be awarded CPE credit by ACUA for their efforts. Contact me for additional information. Our theme for the spring 2010 edition is “Back to Basics” and our summer 2010 theme is “Strategic Risks.”

Finally, the College and University Auditor is looking for two additional volunteers. First, we need an online editor who can facilitate the development of our online presence. Next, we need a deputy editor who can assist me in my editor duties. Ideally, the deputy editor will be prepared to assume the role of Editor at some point during 2010.

Letter From The President
Preserving Quality While Reducing Cost
By Mark Paganelli, CPA, CIA, President

The last year has seen some historic financial disasters. As a result, the federal government has spent $8.5 trillion to bail out or stabilize almost every sector of the U.S. economy, including the banking system, automobile manufacturing, the housing and mortgage industries, and even state and local governments. During 2008, the only three global financial markets to record positive gains were:
• Ecuador +5.8%
• Tunisia +16.99%
• Ghana +60.93%

Unfortunately, the endowments of most universities were not invested heavily in these markets, and ACUA does not have members from these countries (although we will explore the possibilities during our next membership drive). Almost every institutional member of ACUA has been impacted by the recent economic downturn. Obviously, when ACUA’s members are impacted, so is ACUA. Past ACUA leaders, however, have left us in better shape than some organizations to weather this downturn.
There are also some things that, given an opportunity to go back in time, we would have done differently. I want to briefly reflect on the positives, the items we wish we could do over, and plans for the future.

Weathering the Storm

When I began serving on the ACUA Board in 2005, ACUA was completing several profitable years. Membership continued to grow, as did conference attendance, and the association continued to build reserves. The annual conference grew from 366 attendees at the 2003 Nashville conference to a peak of 485 at the 2007 Atlanta conference. There was even talk that we would soon outgrow the meeting space available at a single hotel and might have to consider convention centers.

The Board began to focus externally during this time, while placing an emphasis on improving the quality of the training events. Resources were spent on improving our logo and website, and marketing ourselves to other strategic higher educational organizations such as the National Association of College and Business Officers (NACUBO) and the Association of Governing Boards (AGB). The Board also began strategic planning sessions under the direction of Mr. Patrick Reed, past director for the University of California System. This plan has helped guide several leaders since then, and assists the Board in making many types of decisions today.

Under the direction of Mr. Dick Dawson, then treasurer and director for the University of Texas at San Antonio, ACUA’s investment policy was revised and an investment company was selected to manage our funds. This was accomplished in 2006, and a committee to monitor our investments was implemented. The plan requires one year of operating funds to be placed in money market funds, which is extremely conservative, but saved ACUA thousands when the markets crashed in 2008. We also completed a successful membership drive under the direction of Mr. Kevin Robinson from Auburn.
Membership rose from 520 in 2005 to a peak of 608 in 2008. We saw only a slight decline last year despite the economy. By all accounts, ACUA was soaring to new heights.

The Board also realized that, to continue on this path, we needed to change the company that managed ACUA’s day-to-day operations. This was done for two reasons. First, we were not satisfied with the level of customer service provided to members, the Board, sponsors, and others. Second, the company’s IT capabilities prevented the Board from obtaining timely reports and implementing certain initiatives in a seamless manner, such as the risk dictionary and website upgrades. A request for proposals was sent to several association management companies, and ultimately Applied Measurement Professionals, Inc. (AMP) was selected. Although we are only one year into the contract with the new company, this move has already paid dividends for ACUA. These positive steps by the many past leaders and volunteers have prepared ACUA to weather a short-term downturn without the need to raid reserves or drastically increase prices.

Do Overs

Although we did many things right, I wish we could do a few over. I point these out to help future leaders avoid the same mistakes. First, things were going so well and the reserves were building to levels higher than we were accustomed to, that the Board began budgeting for deficits and wanted to use the reserves to give back to the ACUA members. As a result, we kept registration fees low for conferences while increasing speaker budgets, and offered new items such as the Cyber-Café. The Board also undertook initiatives such as improving the website, improving the risk dictionary, and outreach efforts. While this sounds like the right thing to do, in hindsight it may not have been. No one anticipated the type of economic downturn we are experiencing and, depending on its length, these reserves could have assisted ACUA’s members at a time of great need.
ACUA has successfully weathered the current downturn, but we need to improve our reserves before another downturn occurs. When members’ budgets are being reduced, it is not the best time to increase dues or conference registration, nor is it the best time to sell ACUA’s long-term assets. ACUA’s reserves so far have prevented all of these from happening. AMP has advised us of the importance of maintaining reserves to cover two-and-a-half years of operating costs, which will be a goal once things improve. This is certainly a do-over item, in my opinion.

Unfortunately, at the same time we were budgeting for losses, we also ventured into a new area that was an educational success, but not a financial one. It was felt that ACUA failed to offer anything of significance to advanced IT auditors. We therefore partnered with the SANS Institute, a premier provider of such training. This was a break from the traditional offerings of the annual and midyear conferences. Although those who attended loved the event, which occurred in early 2008 (right before the economic downturn), we failed to meet the anticipated demand and lost $40,000. This is a do-over item despite the lessons learned. To date, we have received recommendations for regional ACUA conferences, and the lessons learned from this one should prevent us from making some of these mistakes again.

In addition to this loss, we have had lackluster attendance at the last three mid-years. The mid-year attendance peaked at 294 in San Antonio in 2006 and then dropped to 175 in Costa Mesa. Only 11 auditors from California attended. The next mid-year was in Jacksonville, Florida. Because of the Florida economy, attendance from the Florida universities was lower than expected. The last mid-year in Austin was booked right after the San Antonio conference, and the downturn was in full force by the time of the conference. Fortunately, we were in the right state, and Texas universities were impacted less severely than others.
Nonetheless, we failed to meet our room block and were concerned that we might have to pay attrition fees of $50,000. AMP was able to reduce this to $5,000 and renegotiated the Minneapolis contract so that we incurred no penalties. This is a huge accomplishment, since attendance dropped from 471 in Phoenix to 328 in Minneapolis. The Professional Education Committee is working diligently to turn around our midyear conferences and I feel we have a very good one planned for Reno.

The Future

Through all of the ups and downs of the last few years, ACUA is in a very good place. We have a new energetic group of leaders and are working hard to maintain quality while keeping our costs low. The Board elected not to increase membership dues this year and, while registration fees for the annual conference increased, it is still considerably less than other organizations. ACUA’s annual conference provided 22 hours of CPE for $870, while the IIA’s upcoming international conference provides 18 hours of CPE for $1,195. The price per CPE hour is $39 for ACUA versus $66 for IIA. We also offered one-day registration, for those within driving distance who wanted to attend only part of the conference. Feedback indicated the conference was a huge success, and several attendees commented on the quality of the training offered.

We realize that travel budgets have been reduced and we continue to offer free webinars and even advertise webinars of others not associated with ACUA but beneficial to our members. Mr. Jim Sleezer from Oklahoma State does an outstanding job with these. We have also renegotiated a block of rooms for the midyear in Reno for just $89 per night. Sandy Jansen from Texas Tech is finalizing her list of speakers for this mid-year, and Huron Consulting has agreed to provide 2.5 days on compliance, which I know will be outstanding, and hope will attract some who have been attending the higher education compliance conference.
In addition to providing quality education at reasonable prices, ACUA has tightened its belt. We reduced travel by cancelling a Board strategic planning session, which typically takes place every 18 months, and is held apart from the two regular Board meetings. Usually the ACUA president attends NACUBO; to save money, Dick Dawson sent Seth Kornetsky from Tufts in his place, since the conference was in Seth’s hometown of Boston. We eliminated scholarships, since they have little to do with our strategic initiatives, and have reduced sponsorships at other organizations and other outreach initiatives to save money. We are also exploring providing the College and University Auditor in electronic form, which will reduce costs and increase circulation. As everyone knows, we have moved ACUA-L to save approximately $7,000 and will hopefully have the kinks worked out soon (thanks for your patience during this transition).

The Board is also evaluating revenue-producing ideas such as a vendor section on the website, where vendors can market their products and services. We hope this will result in discounted services for members and advertising fees for ACUA. We are reviewing products that can be sold in an ACUA store, such as training tapes and other products beneficial to members. Also planned is a membership initiative designed to increase members and revenue.

Although there have been a few bumps in the road, ACUA has been very successful for the last five years. Like everyone else, ACUA has been impacted by the economic downturn but is doing as much as possible to provide the quality products our members have grown to expect at reasonable prices. I have no doubt we will accomplish this and, when the economy turns around, we will resume our path toward being bigger and better. Thanks for being a member and for all that you do to improve internal auditing in higher education.
8th Conference for Effective Compliance Systems in Higher Education
April 21–23, 2010, Dallas, Texas
Learn more and register now at www.highereducationcompliance.org

Letter From The Executive Director
Cost-Effective Continuous Improvement – An Ongoing Goal
By Stephanie Newman, Executive Director

In my last column, I mentioned the variety of ways, large and small, that ACUA helps its members to obtain education, volunteer, network with peers and access resources. ACUA membership truly is a great value! To make sure that membership remains a great value, the staff works closely with the Board of Directors and Committee Chairs. We are constantly examining all aspects of the association to ensure that we are meeting the needs of our members and doing so in the most cost-effective way possible without sacrificing quality, and hopefully even improving it. Ideas for improving or streamlining existing services as well as ideas for new services are often generated by the feedback that the Board receives from members through surveys, conference evaluations, emails, phone calls and ACUA-L postings. The Board then ensures that those ideas fit into the Association’s Strategic Plan so that resources are focused on the top priorities and action plans are formed.

One of the most recent examples of the staff and Board seeking to provide a service in a more cost-effective way was the transition of the software and the administrator of ACUA-L. The decision to change was based on the belief that ACUA-L would function as it had in the past while gaining a more user friendly archive at a significantly reduced price. With the old listserv, ACUA was charged an annual licensing fee as well as a fee for each message sent out multiplied by the number of listserv subscribers. Since ACUA-L is heavily used by its members, the expense for use added up to approximately $6,000 – $7,000 per year. The new provider does not charge a per message fee and only has a minimal monthly maintenance fee which amounts to approximately $240 per year. It just made good financial sense to make the change with the belief that we would have the same functionality. We learned when we made the switch, however, that not all listserv software is the same. The software that the new provider uses was not as effective at filtering out-of-office replies or read receipts from the listserv as the old software. While the Association was certainly saving money, the quality of the service was not the same.

Listening to the feedback from members on ACUA-L assisted the Board with coming up with a potential solution to the problem which will hopefully allow ACUA-L users to have the same quality of service they enjoyed before while also saving a significant expense each year. The Board is currently investigating the possibility of purchasing its own license for the old software (up front, one-time cost and the quality ACUA is accustomed to) while staying with the current administrator (no per message cost). A solution should be in place by the time this issue is published. We have appreciated your patience during this process.

In the coming year, the Board will be looking for other areas where we might also be able to maintain, or ideally improve, the quality of member services, while reducing the expenses. Some ideas may be more successful than others. The Board appreciates your continued patience and your feedback while some of these changes are implemented. As always, feel free to contact the Executive Office at acua-info@goamp.com with any questions or concerns. We are here to help.

Join Us in 2010!
Visit www.ACUA.org for details and registration
ACUA Midyear Conference – March 14-17 – John Asuaga’s Nugget – Reno, Nevada
ACUA Annual Conference – September 19-23 – Marriott Waterfront – Baltimore, Maryland

The Outgoing President
Looking Back
By J. Richard Dawson, CPA, CIA, Immediate Past President

Wow, what a year as ACUA President! Barack H. Obama was elected the United States of America’s 44th President, essentially based upon his promise of change. Although I did not promise change for ACUA, it has been a year of change. As with any change, it can be difficult, but I believe it has all been very positive and has set the stage for a better ACUA.

There have been several significant challenges during the last 12 months. The economic downturn and many institutions cutting back on travel expenses dramatically affected our conference attendance at both the Midyear and Annual conferences. As a result, we have tried to cut expenses while trying to maintain the kind of service our members have grown to expect.

The Board also formally established an Ambassador program with the purpose to identify individuals that have held a leadership position with ACUA and would like to continue to promote ACUA. Ambassadors will have an internal focus and an external focus.
• Internally
  o Serve as a knowledgeable resource for current and potential members; and,
  o Provide historical perspective and/or advise the current board and board committees.
• Externally
  o Create awareness of ACUA; and,
  o Establish lines of communication with leaders of other organizations.

Also during the last year, ACUA changed its management firm to Applied Measurement Professionals, Inc. (AMP) from Olathe, Kansas. This has been an extremely positive action because AMP will be able to provide the kind of resources ACUA needs to move forward and accomplish many of our strategic initiatives. Our Executive Director, Stephanie Newman, has already been hard at work helping us identify areas where we could reduce spending. For example, ACUA-L will now be handled by a new firm and the charges will be significantly smaller. While we are in the process of overcoming some of the unexpected technical difficulties associated with this change, we hope to see a substantial improvement in our service at a lower cost. In fact, we believe that the archive will be easier to use.

In attempting to move our website to AMP, we determined that the website could not be moved without significant rework, so we have opted to basically start over with a completely new website that will be fresh and less confusing to use. We believe that it will better represent ACUA as we move forward. Our hope is to enhance the use of our website for many more benefits to members and as a revenue producing tool.

Other improvements are taking shape with the ACUA Risk Dictionary. Our corporate sponsor, Methodware, has uploaded the new version of their software. And, at the same time, the risks and controls have been updated to be more useful. For example, there is now a section of risks and controls related to export controls.

Members have probably noticed more surveys coming from ACUA headquarters over the last year. The membership committee headed by Vijay Patel has been very active this past year. In order for the Board to better serve the wants and needs of its members, it needs to know what the members think. Consequently, monthly membership surveys are being conducted. Please take time out of your busy schedules to complete those surveys.
During the last twelve months, we have continued to offer some of the best webinars that our money can buy … especially since they were all free. I want to personally thank EthicsPoint for all their support and coordination of these fantastic webinars. One of these webinars resulted from research performed by Dr. Urton Anderson from The University of Texas at Austin and Dr. Margaret Christ from The University of Georgia. Their research, which was funded by ACUA, The University of California System, and the IIA, identified potential attributes at a college or university that could be used to determine the appropriate staffing levels for the internal audit function. The result will be a tool that ACUA members can use to determine an appropriate staffing level for their institution. And finally, for the social butterflies, ACUA has now established a presence on Facebook, Twitter, and LinkedIn. So, start tweeting!

All of these wonderful changes and accomplishments would not have been possible without all of the many ACUA volunteers. I want to especially thank the ACUA Board, the various committees and their chairs, and all of the other volunteers that help to make ACUA what it is. Without our volunteers, ACUA would be just another association. Until you serve as the President of such an organization, you do not realize how much work gets done behind the scenes. ACUA is truly a wonderful organization, so please get involved and keep it that way!

ACUA Life
Meet Your ACUA Board Members – Dick Dawson and Mark Paganelli
By Donna L. Stapleton, ACUA Life Copy Editor

In the last issue, College and University Auditor readers were introduced to Board Member Scott Pierce and former Immediate Past President Kevin Robinson. In this issue, we introduce you to our new Immediate Past President Dick Dawson and President Mark Paganelli.

About the Author
Donna L. Stapleton is the Internal Auditor for the Technical College System of Georgia. She is one auditor responsible for 26 technical colleges with over 50 total campuses throughout the state. Donna has only been an auditor for the past two years and has only been involved with government accounting for that same amount of time. She spent her previous career in the private sector working as a Plant Accountant, Accounting Manager and Controller – mostly in the manufacturing field. Her forte has always been her ability to go into companies with severe problems in their accounting departments and clean them up – a good transition point for internal auditing. She is divorced with two sons, one of whom is a chef and the other is in the Air Force Reserve.

Dick Dawson

Dick is no stranger to the ACUA Board, having previously also served as a Board Member-at-Large, Secretary/Treasurer, and Vice President. Dick was born and raised in Texas on a 2500 acre cattle ranch which sustained 250 head of cattle. The ranch is now run by his older brother. Dick is married to Susan – his wife of 27 years. They have two grown sons, one of whom graduated from UT (that is The University of Texas for the Tennessee fans) and is now married and living in San Antonio. Dick says that there are no grandchildren, so no one to call him “Grandpa” or “PaPa,” and states that he is way too young for those names. His other son is currently attending Texas A&M and the rivalries make for exciting Thanksgiving holidays.

Dick is currently the Executive Director, Audit, Compliance & Risk Services for the University of Texas at San Antonio. He has an MBA, CPA, and CIA. He has over 28 years of Internal Auditing experience, all of it in the higher education field.

When asked for information about himself that might surprise the readership, he stated that he wanted to be “an avatar someday and move into his second life.” Seriously, he would like to see an ACUA presence in second life or something similar. He feels that this would provide training opportunities to more individuals throughout the world. He has also been associated with TACUA and ACUA for over 12 years now. He plans to continue his work on the ACUA Risk Dictionary as this has been one of his pet projects for the past several years. He would also like to formally establish an ACUA ambassador program. This would be to promote and develop mutually beneficial relationships with other organizations and enhance the relationships with current and potential ACUA members. He feels these positions would be held by persons who have previously held leadership roles within the organization and want to continue involvement in some capacity.

When asked what top two to three things a member could do to get more out of the organization, his response was:
1. Get involved and volunteer;
2. Get involved and volunteer; and,
3. Get involved and volunteer.
He feels that although it may take a little time, the rewards are “extraordinary.”

Mark Paganelli

Mark also is no stranger to the ACUA Board. Mark has previously served our organization as Vice President for the last year and as a board member from 2005 through 2008. Although born in Chicago, Mark received his BA in Accounting from The University of North Alabama and then his MBA in Finance from the University of Tennessee at Chattanooga. Mark is presently the Executive Director, Audit and Consulting Services for the University of Tennessee. Mark has a total of 17 years in auditing, all of which has been in higher education and with the University of Tennessee’s Department of Audit and Consulting Services. He not only is a CPA, but also a CIA.
Mark also served four years in our armed forces as a member of the United States Marine Corps Reserve. When it comes to the membership of the organization, Mark feels that one of the great benefits we have is the risk dictionary. Mark stated: “The risk dictionary allows our members to quickly review the risk in a particular area and build audit programs based upon this database of risks and corresponding controls. This is a very useful tool when building audit programs, performing risk assessments, or doing testing of processes or departments.”

Governmental Affairs Committee Update
Update from Mary Lee Brown, CIA, Chairman – ACUA Governmental Affairs Committee
This article is intended to provide a brief rundown of some of the current “hot topics” and issues on the regulatory front.

ARRA – 1st Cycle Quarterly Reporting & HHS OIG 2010 Work Plan
By the time you read this, both the first and second ARRA reporting deadlines will have passed and you and your research administration teams are debriefing on what went well and what could be improved upon. That was also much of the theme of discussions, both formal and informal, at the COGR winter meeting in late October. According to reports from OMB, as well as representatives of the larger federal agencies (e.g., NIH, NSF, Dept of Energy), what went well was the fact that virtually everyone managed to collect the required data and submit by the deadline. There were some data errors reported during the Agency review period but, by and large, those were not considered significant overall. As to what could be improved upon, there seemed to be unanimous opinion from the research community that calculating jobs created/retained needs more guidance, and the representative from OMB acknowledged this would get some additional attention before the January 10 reporting deadline.
With regard to areas of interest and implications for the audit community, it goes without saying that the transparency and accountability aspects of ARRA make recipient compliance with award terms and conditions a particular area of focus for the federal agency sponsors, and in particular, the OIGs. HHS OIG activity specific to NIH and the Recovery Act is addressed in Appendix A of the referenced work plan where, in addition to recipient compliance with award terms, you will find plans to examine indirect costs claimed as direct costs, recipient compliance with reporting requirements, and recipient capability audits. Apart from the ARRA emphasis, other parts of the HHS OIG work plan that are of interest to colleges and universities include the following projects: Compliance with Cost Principles; Use of Data Safety Monitoring Boards in Clinical Trials; Oversight of Clinical and Translational Science Awards (CTSA); and Financial Interests held by Institutions receiving NIH grants (aka Institutional Conflict of Interest). The HHS OIG 2010 Work Plan is available here: http://oig.hhs.gov/08/Work_Plan_FY_2010.pdf.

NSF – Responsible Conduct of Research: New Requirement
The 2007 America COMPETES Act directed NSF to require that all funded students and postdocs undergo training in the responsible conduct of research (RCR). The implementation of this requirement becomes effective January 4, 2010, when all institutions submitting proposals to NSF must certify that they have a training plan in place for undergraduate students, graduate students, and postdoctoral scholars who will be supported by NSF to conduct research. This certification must be in place at the time of proposal submission. Training plans need not be submitted with the proposal; however, they must be available for review upon request. Institutions are responsible for verifying that their undergraduate students, graduate students and postdoctoral scholars receive training. See http://edocket.access.gpo.gov/2009/E9-19930.htm.

NSF – Labor and Effort Audits
As of this writing, reports of 12 audits have been posted on the NSF OIG website thus far, and at least 4 more are anticipated within the next few months. The NSF OIG has indicated they will publish a “capstone” report that accumulates and summarizes all findings and recommendations over the course of the entire audit program. Current understanding is that this report could be ready by Spring 2010. The completed reports are posted at http://www.nsf.gov/oig/pubs.jsp.

FTC – Red Flags Rule
The Federal Trade Commission has again delayed enforcement of the Red Flags Rule. Enforcement is now set to take effect June 1, 2010. Readers may recall that the rule requires financial institutions and creditors with covered accounts to implement written identity theft prevention programs to identify, detect, and respond to “red flags” that could signal identity theft. The rule originally went into effect on January 1, 2008, with mandatory compliance set for November 9, 2008. But enforcement was then delayed until November 1, 2009 and now delayed again to June 1, 2010. Although originally intended for financial institutions, the Red Flags Rule became applicable to colleges, universities, and healthcare entities because they are considered creditors. See http://www.ftc.gov/opa/2009/10/redflags.shtm.

HITECH – ARRA
Those institutions with hospitals/academic medical centers, dental schools, student health offices and other clinical operations will need to pay particular attention to the ARRA Health Information Technology for Economic and Clinical Health Act (HITECH). One of the four goals of HITECH includes strengthening Federal privacy and security law to protect identifiable health information from misuse as the health care sector increases use of health information technology. As such, HITECH amends HIPAA privacy and security requirements, adding new compliance obligations and increasing enforcement authority and penalties. Some of the new obligations include:
A) a breach notification requirement for health information that is not encrypted or otherwise made indecipherable – it requires that an individual be notified if there is an unauthorized disclosure or use of their health information;
B) ensuring that new entities that were not contemplated when the Federal privacy rules were written, as well as those entities that do work on behalf of providers and insurers (e.g., business associates), are subject to the same privacy and security rules as providers and health insurers;
C) providing transparency to patients by allowing them to request an audit trail showing all disclosures of their health information made through an electronic record;
D) requiring that providers attain authorization from a patient in order to use their health information for marketing and fundraising activities; and,
E) strengthening enforcement of Federal privacy and security laws by increasing penalties for violations and providing greater resources for enforcement and oversight activities.
The above items only scratch the surface of current issues. As with any political/legislative process, the identification of issues and their impact on any constituent group often takes a lot of deliberation and correspondence before final resolution or proposed changes are achieved.
Even then, the dialogue may continue in an effort to revise the original resolution if that resolution is still not satisfactory to one of the parties affected.

Professional Education Committee Update
Update from Toni Messer, CPA, CIA, Chairman – ACUA Professional Education Committee
The Professional Education Committee provides coordination and oversight activities for all ACUA educational activities.
The Professional Education Committee includes the following ACUA members, who are always willing to get your input regarding ways to improve ACUA’s educational activities:
• Toni Messer, Chair, tmesser@utdallas.edu
• Edwina Greer, Annual Conference Director, greere@etsu.edu
• Sandy Jansen, Midyear Conference Director, sandy.jansen@ttu.edu
• Jim Sleezer, Distance Learning Director, jim.sleezer@okstate.edu
• Mary Barnett, Vice President
• Vijay Patel, Treasurer
• Kevin Robinson, Sponsorship Director
• Rob Clark, Sponsorship Director
• AMP Representatives: Stephanie Newman, Melissa Whitaker and Megan Eastland

Annual Conference – September 19-23, Baltimore, Maryland
The ACUA Annual Conference Director’s objective is to put together a terrific team of volunteers who work together to secure a slate of dynamic speakers and topics each year for our ACUA members. We hope to provide an outstanding conference full of professional development opportunities tailored to the needs of our membership and colleagues. Our various tracks at the annual conference are geared toward “hot topics” and traditional core issues of our profession. There is always opportunity for involvement if you would like to volunteer. We need track coordinators to help assemble and organize the session slots, engaging speakers who can share their knowledge and experience, and proctors to be present in each session for assistance as needed. If you would like to get involved or just find out more about one of these volunteer opportunities, contact Edwina Greer.

Midyear Conference – March 14-17, Reno, Nevada
Start packing those bags for training in the Wild West that will WOW attendees. The ACUA midyear conference is right around the corner, and the PEC has planned this conference to provide some of the best training at a price that still fits into our diminishing budgets.
There will be five different tracks to choose from – auditing for fraud, auditing information technology, performing data analysis techniques, auditing in a higher education environment, or compliance issues – so there is something to meet a variety of ACUA member needs.

Distance Learning
At least four hours of CPE a year, in your office and free: that is the goal of ACUA’s distance learning chair. This year’s webinar schedule included five presentations, all hosted by EthicsPoint at no cost to participants. Recent topics included a discussion of ethics issues, a review of ARRA compliance issues, and guidance on rightsizing the internal audit function. Selected topics are based on requests/recommendations from ACUA members. Suggestions are always welcome and should be directed to Jim Sleezer. Archived presentations and registration for upcoming webinars are available through links on the Distance Learning page on the ACUA website at http://www.acua.org/go/events-and-seminars/distance-learning/webinars.

Check out More Free (or Almost Free) CPE Opportunities
As a service to our members in these challenging economic times, we are providing a list of other CPE opportunities which may be of interest to our members. Check them out at http://www.acua.org/go/events-and-seminars/distancelearning.

Upcoming Conferences!
2010: Midyear Conference – Reno, NV, John Ascuaga’s Nugget, March 14-17; Annual Conference – Baltimore, MD, Marriott Waterfront, September 19-23
2011: Midyear Conference – Orlando, FL, Rosen Centre Hotel, March 13-16; Annual Conference – Las Vegas, NV, Tropicana, September 11-15
2012 (Tentative): Midyear Conference – Charlotte, NC, Omni, April 1-4; Annual Conference – San Antonio, TX, Marriott, September 9-12

Inside ACUA-L
Compiled by Brenda K. Mowers, ACUA Life Copy Editor
The ACUA listserv is your interactive resource for experiences and knowledge specific to internal auditing in higher education.
A wide variety of subjects have been discussed on ACUA-L since our last issue – from pepper spray to report benchmarks to sub-recipient monitoring. Although we cannot cover all of the topics, here are some of the highlights.

About the Author
Brenda K. Mowers is a staff auditor for the Montana State University (MSU) Internal Audit Department, a position she has held since March 2006. Prior to joining Internal Audit, she worked for MSU’s University Business Services for nine years. She has served as volunteer Copy Editor for CandU Auditor since first joining Internal Audit. Brenda, her husband Mark and their two children live in Manhattan, Montana, and she has grown twins that live in Pony, Montana.

WHAT IS AN ORIGINAL INVOICE?
Janet Covington at Rice University asked for responses to a short poll about whether other schools allowed any leeway with regard to original invoices or copies. Don Holdegraver at the University of North Texas System pointed out that with the ever-increasing number of electronic purchases, one can print as many copies as one wants of an “original” invoice. Add to that the relative ease with which someone can falsify electronic invoices and you have a real control issue on your hands. Don Holdegraver said you could be more confident that you will not be processing duplicate documents by having the right preventive controls over the ability to bypass or override the system. In addition, using applications such as ACL or IDEA can help identify duplicate transactions as well as perform other expenditure analysis. Michael Garcia from Seton Hall University recommended that data entry clerks be consistent when entering invoice numbers.
Sandy Kasahara from the University of Denver reported the successful use of a third-party service that analyzed expenditures for duplicate payments, dollar amounts close to control limits and vendor address comparison to employee addresses, among other services. Don summed it up when he said that in 5-10 years there might not be any paper documents. We need to be on the cutting edge in getting our AP departments to start thinking ahead and build the right preventive controls into the process, and not rely on the detective controls at the end of the process.

STARTING POINT FOR STUDENT AFFAIRS
Fred Chavez at the University of San Diego was tailoring a self-review for student affairs and – after checking the ACUA Risk Dictionary – asked the listserv for audit programs or questionnaires in that area.
• Jim Sleezer with Oklahoma State University / A&M Board of Regents suggested looking at student organizations, especially at diversion of assets for personal gain and cash handling. He also advised that if the University or student fees fund a group, access to records should be open.
• Based on her discussion with Loyola Marymount University’s VP of Student Affairs, Maureen Cassidy identified Intramural Sports and Judicial Affairs as high-risk areas.
• Mary Barnett included liability insurance for on-campus programs and entertainers when she audited this area. She also suggested that their bulletin board or updated web page might offer the population for a risk assessment.
• David Vartanian from Oakland University wrote that since Student Affairs encompasses so many high-risk areas, Fred should discuss with management what its concerns are.
• Rita Moore with Western Illinois University shared information she learned at ACUA’s annual conference about the risk involved with how Judicial Affairs and counseling centers (not academic counselors) interact with campus police for annual Clery Act security reports.
• Other audit programs recently requested include Property Department, Recharge Center, Academic Affairs, Office of Advancement/Development and Facilities. If you can provide audit programs for these areas or any others, please send them to ACUA at acua-info@goamp.com. Be sure to complete the Resource Library Submission form and include your contact information when you send items to ACUA.

QUICK TAKES
A couple of other items came over the listserv that deserve mention. ACUA now has an ACUA Fan page on Facebook. Sign up for access to discussions, pictures, events and more at www.facebook.com. In addition, ACUA members used Twitter to stay updated with everything going on at the Annual Conference. Check out Twitter at http://www.twitter.com/acua_info. Finally, it would be tough to count the listserv posts Pat Reed from the University of California system has contributed over the years, not to mention the personal guidance and advice he provided to many members of ACUA. It came to my attention that he retired from the University of California system as of September 30, 2009. Thank you, Pat, and best wishes to a true ACUA STAR! We will miss you.

Cutting Costs: Leveraging the Technology You Have
By Mel Hudson-Nowak, MBA, CIA, Senior Contributor
Technology is expensive. Despite the fact that anyone can buy a two gigabyte flash drive for $19.95 or less, software solutions do not come cheaply.
At the same time, audit work has become increasingly reliant on data and technology solutions to optimize effectiveness and efficiency. Faced with shrinking budgets and a riskier environment, the more an audit office can leverage the investments an institution has already made, the better. As a group, auditors use software to collect data, store and transfer files and perform analysis. Most universities will have implemented some combination of software packages with one or more solutions in each category. This article considers some alternatives available at Bowling Green State University but is not intended to endorse any specific solution.

About the Author
Mel Hudson-Nowak, MBA, CIA, is the Director of Internal Audit at Bowling Green State University (BGSU), a position she has held since 2006. Prior to joining BGSU, she worked in various finance positions at Ford Motor Company, including an overseas assignment at Volvo Cars for Sarbanes-Oxley readiness. Mel has a BA from Smith College, an MBA from Michigan State and is a Certified Internal Auditor. Mel has previously served as both the Editor and the Internal Audit Practice Section Editor for the College and University Auditor. She is a regular contributor to these pages.

Data Collection
There is no one-size-fits-all solution for collecting data electronically. Methods include web-based survey applications, email templates and custom forms. No matter which electronic data collection method is chosen, one thing is true: paper surveys are a thing of the past.
• Web-based tools
Survey applications use a web-based front end and a database back end to collect information.
Web-based surveys are particularly simple for survey takers because hyperlinks can be either embedded in email or provided on a website, access to the internet is easily available, and survey completion is intuitive. There are a large number of applications available for creating web-based surveys, making it likely that an organization already has one or more survey tools that are supported by the information technology or institutional research departments. ACUA, for example, utilizes a monthly web-based survey with Zoomerang to collect information from membership. The challenge is learning the specifics of each application and gaining any needed support from the technical team.
• Email templates
It is a largely unknown fact that the email format used by Microsoft Outlook can be customized to act as a mini-database. In environments that exclusively utilize PCs, Outlook-based surveys can be even easier for users to complete because they do not require exiting to the web. The simplicity of getting everything done within the email tool can significantly improve survey responses. However, the fact that responses are tagged with individual email addresses when they are returned can impact response rates for particularly sensitive information gathering, and the inability to effectively send surveys from Outlook to Entourage (Microsoft’s Mac-based email application) limits effectiveness on college campuses. At BGSU, we are investigating a Microsoft Office package called InfoPath, which is intended to link email data collection with aggregation in Outlook, Excel or Access, but we do not have any experience with the application functionality at this time.
• Custom forms
Perhaps the easiest of the electronic survey methods is using a software package to create a template that is forwarded (generally by email) to survey participants. At BGSU, our preferred software choice is Adobe Acrobat.
We found Adobe Acrobat to be simple to learn and easy for our customers to use. Forms can be designed quickly in Microsoft Word and then customized to include commonly used form fields such as pull-down boxes and option buttons. Users who have been trained by other operational areas on campus to complete PDF forms require limited content-specific training to complete the template. The biggest downside to these forms is the limited data aggregation functionality, and the propensity of survey completers to fill it in, print it out and send it back via interoffice mail.

File Storage and Transfer
Years ago, the vast majority of audit work was done on paper. File storage involved huge file cabinets and file transfer meant carrying a large audit briefcase – the kind that looks like it could hold a small typewriter. In 2009, file storage and transfer is nearly always electronic. File storage methods are quite extensive, and range from individual hard drives to web-based storage systems. Each option has a unique set of characteristics, which are summarized in the attached table (see Exhibit: File Storage and Transfer). A couple of notable highlights are:
• Email is an increasingly important source of audit evidence. Email text and attachments provide needed information for planning and testing throughout the audit process. Because of the inherent challenges in applying records retention criteria to inbox, sent items and personal folders, we have begun to ‘send’ those supporting emails to the OneNote notebook for each audit. In that way, the email can be shared among all members of the audit team (regardless of the original recipient) and it will be retained consistent with the requirements for the audit.
• During our past external audit cycle, we utilized MyFiles to facilitate the information requests by the audit team. Each member of the internal team and audit team was provided with unique logon credentials, and needed files were shared on a secure website. In the past, challenges with lost files, large files or poor communication created obstacles to a successful audit. The increased transparency and ease of access improved the overall process.

Exhibit: File Storage and Transfer

Back-up and Redundancy
• Individual Hard Drive: No. Back-up from hard drive is not usually available.
• ListServ/Email Attachment: Partial. Emails are generally stored on the mail server, with limits. Once moved to a personal folder, info is stored on the hard drive.
• Network Shared Drive: Yes. Most IT Departments maintain standards for when files are backed up, how many versions are saved, and what protocols can be used to recover.
• OneNote Notebook: Yes. Same as network, plus automatic sync when reconnected.
• Blackboard Community: Yes. Most IT Departments maintain standards for when files are backed up, how many versions are saved, and what protocols can be used to recover.
• MyFiles Web Server: Yes. Most IT Departments maintain standards for when files are backed up, how many versions are saved, and what protocols can be used to recover.

Accessible to Teams
• Individual Hard Drive: No. Individual machines have logon credentials.
• ListServ/Email Attachment: Partial. Files shared at a point in time when distributed.
• Network Shared Drive: Yes. Any individual with access to the network and shared drive has access to the files; generally, there is no access to individuals outside of the institution.
• OneNote Notebook: Yes. Same as shared drive, plus the software creates a replica copy on the hard drive which can be used when disconnected from the network and is synchronized when reconnected.
• Blackboard Community: Yes. Any individual in the institution has potential access. Access anytime via Internet.
• MyFiles Web Server: Yes. Any individual with Internet access can be added as a user.

Security
• Individual Hard Drive: Partial. In most cases, individual machines have logon credentials and may have encryption; can be overridden by users.
• ListServ/Email Attachment: Partial. Emails can be intercepted while in transit or forwarded to others. Encryption software for email is not in place in most organizations.
• Network Shared Drive: Yes. Most security administrators will require a shared drive owner to authorize each user during set-up and periodically verify accuracy.
• OneNote Notebook: Yes. Most security administrators will require a shared drive owner to authorize each user during set-up and periodically verify accuracy.
• Blackboard Community: Yes. All users of a Blackboard community must be granted access to specific areas.
• MyFiles Web Server: Yes. Individuals must be granted a specific kind of access (read, edit) to specific folders or files. Password controls are less robust for external users.

Notification
• Individual Hard Drive: No. Cannot notify others when a new file is available.
• ListServ/Email Attachment: Yes. An email is itself a notification.
• Network Shared Drive: No. Shared drives cannot be used to notify users of a new file for review.
• OneNote Notebook: Yes. Flags can be used (see OneNote update) to let individuals know a file is available.
• Blackboard Community: Yes. A number of communication options are available to alert someone to a new file, including email and announcements.
• MyFiles Web Server: Yes. MyFiles allows an email to be sent to alert someone to a new available file.

Potential Uses
• Individual Hard Drive: Temporary files that are not yet being posted to the active workpaper.
• ListServ/Email Attachment: Isolated communication (with or without attachment) to broad communities or senior management.
• Network Shared Drive: Files created outside of the audit office requiring periodic review.
• OneNote Notebook: Audit workpapers, audit manual, office productivity documents, shared task lists.
• Blackboard Community: Communications with static long-standing groups on campus.
• MyFiles Web Server: File sharing with external constituencies, including external auditors.

Data Analysis
There are effective analytical tools designed specifically for auditors. Offices that have yet to invest in those solutions might be surprised by how much analytical firepower Excel and Access can provide. Although the majority of Excel users are familiar with some of the basic functions in Excel, fewer understand the range of audit functionality included. Some functions we find particularly useful include:
• Text-based functions that allow data to be manipulated and converted. For example, ‘smart coded’ fields can be deconstructed using the LEFT, MID, and RIGHT functions, allowing a piece of an important field to be separated from the full string.
• Logical functions that allow data to be connected. A manual join can be created in Excel using the VLOOKUP or HLOOKUP functions, allowing critical data from a second worksheet to be quickly and easily appended to a core dataset.
• Pivot tables that allow data to be aggregated. Pivot tables provide a quick and easy way to compare data in different categories or identify gaps and exceptions.
In cases where Excel is unable to handle the volume of data generated, Access may be a better solution. Although Access can be harder to learn, the query functionality is fairly robust and can be used to deal with data interrogation. In one audit, more than 300,000 records from a student payroll system were analyzed to determine where the students failed to ‘punch out’ and were paid for the time between when they completed their shift and the start of their next shift. In our office, a home-grown brochure, “Excel Functions for Auditors,” provides the basis for building skills in this fundamental software package that both students and current staff are likely to encounter throughout their careers. Please feel free to download a copy of the brochure on our website: http://www.bgsu.edu/offices/audit/.

Exhibit: Audit Steps Status (graphic not reproduced in this text)

OneNote: Learning More
The spring 2009 edition of College and University Auditor highlighted how Microsoft OneNote could be used to store the documentation created during the audit process. After using OneNote for a significant process-based audit, new functionality has been identified that makes it an even more effective tool.
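The student payroll test described under Data Analysis above, as an added example that is not part of the original article or the BGSU office’s brochure: it works through the same steps in Python over a constructed time-clock extract, splitting a ‘smart coded’ position number the way LEFT/MID/RIGHT would, joining a department lookup table as VLOOKUP would, flagging shifts with no punch-out, and rolling the result up like a pivot table. The position code layout, the department table and the punch records are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed time-clock extract (sample data, not real records). The position
# number is a 'smart coded' field: department code, job class, sequence number.
PUNCHES = """\
position,student_id,punch,timestamp
LIB-ST-0042,1001,IN,2009-10-05 08:00
LIB-ST-0042,1001,OUT,2009-10-05 12:00
LIB-ST-0042,1001,IN,2009-10-06 08:00
LIB-ST-0042,1001,IN,2009-10-07 13:00
LIB-ST-0042,1001,OUT,2009-10-07 17:00
REC-LG-0107,1002,IN,2009-10-05 18:00
REC-LG-0107,1002,OUT,2009-10-05 22:00
DIN-CS-0310,1003,IN,2009-10-05 07:00
DIN-CS-0310,1003,IN,2009-10-05 16:00
DIN-CS-0310,1003,OUT,2009-10-05 20:00
LIB-ST-0088,1004,IN,2009-10-07 09:00
"""

# Constructed lookup table (assumed layout): department code -> (name, longest
# scheduled shift in hours). This is the second worksheet a VLOOKUP would read.
DEPARTMENTS = {
    "LIB": ("Library", 4.0),
    "REC": ("Recreation Center", 4.0),
    "DIN": ("Dining Services", 6.0),
}


def split_position(position):
    """Deconstruct the smart code as LEFT/MID/RIGHT would: dept, job class, sequence."""
    return position[:3], position[4:6], position[7:]


def parse_punches(text):
    """Turn the CSV extract into a list of dicts with real timestamps."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["timestamp"] = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M")
        rows.append(rec)
    return rows


def find_missing_punch_outs(rows):
    """Flag shifts that were never closed.

    A punch-in followed directly by another punch-in for the same student means
    the first shift has no punch-out, so the time system paid the student from
    the first punch-in until the next one. A trailing punch-in with nothing
    after it is a shift still open when the extract was taken.
    """
    by_student = defaultdict(list)
    for r in rows:
        by_student[r["student_id"]].append(r)

    exceptions = []
    for student, punches in by_student.items():
        punches.sort(key=lambda r: r["timestamp"])
        for cur, nxt in zip(punches, punches[1:] + [None]):
            if cur["punch"] != "IN" or (nxt is not None and nxt["punch"] == "OUT"):
                continue  # a normal IN/OUT pair, or an OUT punch
            dept, job, _ = split_position(cur["position"])
            dept_name, max_shift = DEPARTMENTS.get(dept, ("Unknown", 0.0))
            if nxt is None:
                paid, excess = None, 0.0  # still open; nothing paid yet to measure
            else:
                paid = (nxt["timestamp"] - cur["timestamp"]).total_seconds() / 3600
                excess = max(0.0, paid - max_shift)  # hours beyond the longest shift
            exceptions.append({
                "student_id": student,
                "department": dept_name,
                "job_class": job,
                "shift_start": cur["timestamp"],
                "paid_hours": paid,
                "excess_hours": excess,
            })
    return exceptions


def summarize_by_department(exceptions):
    """Pivot-table style rollup: exception count and excess hours per department."""
    summary = defaultdict(lambda: {"exceptions": 0, "excess_hours": 0.0})
    for e in exceptions:
        summary[e["department"]]["exceptions"] += 1
        summary[e["department"]]["excess_hours"] += e["excess_hours"]
    return dict(summary)


if __name__ == "__main__":
    found = find_missing_punch_outs(parse_punches(PUNCHES))
    for e in found:
        paid = "open" if e["paid_hours"] is None else f"{e['paid_hours']:.1f} h paid"
        print(f"{e['student_id']} {e['department']:18} {e['shift_start']:%Y-%m-%d %H:%M}"
              f" {paid}, excess {e['excess_hours']:.1f} h")
    for dept, s in summarize_by_department(found).items():
        print(f"{dept}: {s['exceptions']} exception(s), {s['excess_hours']:.1f} excess hours")
```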
Reference and search
As we expanded our use of OneNote, we started to think of it less like a word processor and more like a file share with a graphic interface. From that point, it was a natural transition to create an Audit Manual in OneNote and to add various reference documents that used to reside on the shared drive. As critical reference material that had been lost within the folders of the shared drive came to life, the question emerged: was it better to insert the file as an attachment or print the document directly to OneNote? After considering the options, we elected both to print documents to OneNote and to attach the original document as well. Why? We stumbled on a search feature that allows you to find text on a page, section or notebook. Amazingly, the search functionality worked whether the text was typed, printed from something typed, or even printed from something scanned. We were shocked when a haphazardly scanned document from an old page became searchable simply by printing it to OneNote.

Using Tags
Another useful function is the ability to use tags to track key information about a page or specific content on a page. We use tags to indicate what steps of an audit program are assigned to each auditor, to track tasks given to our student employees and to track the type of work (audit plan, corrective action, policy support) those tasks support. We have customized tags to include check boxes that indicate to whom each task is assigned and who should be completing the review once complete. The tags bring an element of project management to OneNote that was missing before. Specifically, we are now able to track which audit program steps are open and who is responsible for ensuring the work is complete. The process of running a status report is simple: choose the ‘Tags Summary’ option and then pick ‘Create Summary Page’; the text to the right of the tag will display for the subset of pages requested.
The example graphic (see Exhibit: Audit Steps Status) shows the open steps of one module of our International Programs audit. The white page to the left is the actual audit program, including the risk questions, step number and tests, results and linked workpaper. The white box shows those steps that are incomplete (i.e., unchecked), including a color coding for a specific auditor.

The Bottom Line
At BGSU we are more convinced than ever that using OneNote is improving the quality and efficiency of our work. There is always a risk that Microsoft will abandon the software. If that happens, we will have to find a way to migrate our data back to a readable format before the software is taken away. We continue to formalize specific process decisions, and we are confident that heading into our next large scale audit, the tool will be even more effective.

Credit Card Security Protects the College and Students
Auditors have a special role in ensuring campus payment systems are secure
By Dan Toughey

The role of colleges and universities in protecting private financial data is about to get a lot bigger, and the stakes could get even higher than they are now. The Payment Card Industry Data Security Standard (PCI DSS) first came into existence in 2004. The college’s role in protecting data is about to get even bigger because a second credit card industry security program becomes mandatory on July 1, 2010. This new standard is known as the Payment Application Data Security Standard (PA-DSS). Campuses that do not comply with these standards may not be able to process certain transactions. The July 1 deadline may seem ominous, but in the end, like all deadlines, it is liberating.

And while every business is obligated to protect the private information of customers, the stakes are higher at colleges due to family and parental expectations that colleges provide security for many students who are living away from home for the first time. Nationwide, the threat is huge: fraud related to credit and debit cards was $22 billion in 2008, up from $19 billion in 2007, according to Javelin Strategy & Research, a California consulting firm. Auditors can help ensure their institutions are employing solid strategies to prevent fraud.

About the Author
Dan Toughey, president of TouchNet Information Systems Inc. (touchnet.com) since 1989, has guided the company to becoming a leader in automated commerce management solutions serving more than 700 colleges and universities. A graduate of Augsburg College, Minneapolis, Minnesota, he formerly worked for leading financial services industry companies.

In August, the U.S. Department of Justice indicted a 28-year-old Florida man, Albert Gonzalez, for hacking into computer networks used by major American retail and financial organizations and stealing data of more than 130 million credit and debit cards. This was just one of a number of large credit card losses to happen in the last six months. Just like financial institutions, universities certainly are not immune to attack. According to data collected by Privacy Rights Clearinghouse, a San Diego-based nonprofit consumer information and advocacy organization, 36 information security breaches occurred at colleges and universities in the first nine months of 2009. Breaches included hacker access to computer records, misplaced laptops and thumb drives, and more. Hundreds of thousands of electronic records with private information were jeopardized. News such as this should raise fear in any merchant, but especially among colleges, whose mission is to educate students and prepare them for the real world. Universities have a mission to retain students and graduate them into the world with the best possible chance for personal, professional and financial success. If students – already vulnerable to risky personal financial management practices – lose funds or acquire damaged credit standing due to a college’s failure to comply with credit card security standards, the college’s reputation as a safe and secure environment could be threatened. Conversely, the college’s mission is enhanced when a well-secured, high-integrity e-commerce management system creates the best possible transaction environment.

STANDARDS ARE IN PLACE
Colleges, of course, operate in the larger world, and standards to address credit card safety are available. More important, the standards that are soon to become a business requirement will in some states also become a legal requirement. Nevada recently passed a law requiring that merchants comply with industry standards, including a safe harbor provision that protects the merchant if they comply and a merchant’s customer is defrauded anyway. The standards stem from the decades-long effort of the payment card industry to protect private data of credit and debit cardholders. Those efforts have evolved into a formal organization: the Payment Card Industry Security Standards Council. The initial standard took effect in 2004 and is known as the Payment Card Industry Data Security Standard (PCI DSS). It covers security management, policies, procedures, network architecture and software design. There are six control objectives and twelve requirements in the PCI DSS standard. More recently, the council has established the Payment Application Data Security Standard (PA-DSS). This standard is focused on software products. Software following this standard does not store certain sensitive data and ensures that all payment applications support compliance with PCI DSS. It is the PA-DSS standard that becomes mandatory on July 1, 2010, and campuses that do not comply may not be able to process certain transactions.
THE AUDITOR’S ROLE University auditors who provide oversight and guidance on campus financial affairs should be in a position to provide assurance that management has taken steps to drive PCI DSS and PA-DSS implementation in their institutions. Here are steps on how to proceed: 1. Inventory. Colleges, of course, accept payments from multiple merchants and channels on campus, ranging from the athletic department to the student health clinic, to say nothing of the cashier’s or bursar’s offices and the student union snack bar. The first step is to list every merchant, office or service that accepts credit or debit cards on campus, and the payment systems those entities use. 2. Verify. After identifying every transaction point, ensure that the payment application used by these points complies with PCI DSS, including the presence of firewalls and unique (not vendorsupplied) default passwords; anti-virus software and similar tools; and hard human safeguards such as unique identification codes and restricted physical access. Regular testing and access monitoring also are required. 3. Enforce. Advise vendors whose payment systems are not certified by the PCI Security Standards Council that they must comply. For convenience and consistency, it may be useful to recommend a university-deployed payment application system. 4. Centralize. Set up a PA-DSS certified payment environment and move all merchants to that environment. This environment removes all payment applications from internal systems and employs a “link in-link out” technology to allow the payment to occur securely in a certified location without the need to retain private data. 5. Educate. Make sure all the entities in the environment know how it works and how to conduct business within guidelines. Better, implement a program that encourages or requires vendors and merchants to review programs on a regular basis to ensure that compliance is maintained. 
ADDITIONAL BENEFITS Indirect benefits of full compliance with PA-DSS include increased efficiency and improved control. By bringing all campus payment points under the same security tent, every aspect of transaction processing can be more efficiently conducted. An added benefit is that fewer systems are needed, easing compliance and improving efficiency. Some smaller payment point managers, especially smaller entities such as student or alumni groups that might only collect funds periodically, may be unsettled by change. However, compliance will better protect these groups against possible fraud. By requiring compliance, the college in effect provides a service to these groups if they adopt a payment mechanism managed by or overseen by the institution. Best of all, compliance helps the university more efficiently control commerce management. The academic culture fosters silos of power. Department heads may have their own way of doing things, but PCI DSS and PA-DSS compliance encourages standardized money handling, simplifying operation and permitting internal leaders to focus on their own core missions. The result can be improved efficiency campus-wide that should enable reduced costs for this critical management function, which is a very welcome development in the current economy. SERVING STUDENTS FIRST The auditor’s role in any university typically will be removed from the classroom, which is the front line of the value delivered to customers. But as any college student or graduate will tell you, what happens outside the classroom is part of the total experience. It does no one any good if the student loves the professor but loses a credit rating or worse because of a breach of credit card security. The auditor is uniquely positioned to directly serve students by providing assurance that payment systems on campus are both efficient and secure. The July 1 deadline may seem ominous, but in the end, like all deadlines, it is liberating. 
For the good of the university overall, but mostly for the benefit of students, now is the time to move on PCI DSS and PA-DSS compliance.

A COMPLIANCE OVERVIEW

Here are steps that can be taken to establish and ensure continued compliance with payment card industry standards for security of private financial data.

Enlist support of university leadership. Make sure the president or chancellor is aware of the need to comply with data security standards and the benefit of doing so.

Establish a cross-functional compliance team. Invite representatives of the business office, information technology, the retailer community and major campus transaction points.

Follow the money. Review and monitor how and where money flows through campus transaction points, and ensure that every avenue is covered.

Formalize the policies. Publish, online and in print, the university's requirements regarding what must be done to establish and operate a campus financial transaction point.

Continue the education. Set up a central structure to keep merchants informed of policies, apprised of updates and continuously reminded of the need for compliance.

Source: TouchNet Information Systems Inc.

An Inquiry into the Adoption of the Best Practices of Sarbanes-Oxley in Institutions of Higher Education
By Guest Columnist James K. Seaman, Ph.D., CPA, CIA, CFE

About the Author
James K. Seaman, Ph.D., CPA, CIA, CFE is the vice president for internal audit and management consulting services for Drexel University and chief audit executive for the Drexel University College of Medicine. He has more than 20 years of audit and managerial experience.
Prior to coming to Drexel, Jim was the vice president for internal audit services and corporate compliance officer for Mercy Health System and the associate director of internal audit for the University of Pennsylvania. He is a Certified Public Accountant, a Certified Internal Auditor and a Certified Fraud Examiner. He received his Ph.D. from Drexel University in Educational Leadership and Learning Technologies, his master of science degree in organizational dynamics from the University of Pennsylvania, and his bachelor of science degree from Villanova University.

BACKGROUND

The Sarbanes-Oxley Act is legislation enacted as a result of the financial criminal wrongdoings of companies such as Enron and WorldCom. As a result of such wrongdoings, the government intervened and legislation was passed in 2002 (the Sarbanes-Oxley Act of 2002). The legislation mandates that publicly traded companies strengthen governance and document financial controls. The legislation has three overarching goals: (1) transparency: the financial information must be complete and accurate; (2) accountability: the principal executive officer (such as the Chief Executive Officer or the President) and the principal financial officer (such as the Chief Financial Officer) must be held responsible for the financial information, and the Board of Directors is held responsible for the proper oversight of the corporation's officers; and (3) integrity: codes of conduct must be implemented and enforced.

Although the act only applies to publicly traded companies, many institutions, including institutions of higher education, have adopted the "best practices" of the Sarbanes-Oxley Act. The best practices of Sarbanes-Oxley are those parts of the Act that are relevant to institutions of higher education and appropriate for them to implement, as defined by the National Association of College and University Business Officers (NACUBO).
For example, establishing an Audit Committee and promoting a code of conduct and ethics policy would be relevant to institutions of higher education. Parts of the Act that pertain to Securities and Exchange Commission (SEC) reporting requirements would not be relevant to institutions of higher education. NACUBO developed a checklist as guidance for colleges and universities in implementing best practices.

In an attempt to determine where institutions of higher education stand toward implementing these "best practices," we conducted research that consisted of sending out a survey and conducting in-depth interviews. Overall, many of those interviewed stated that they instituted the above-noted best practices because they thought it was the right thing to do. The general belief was that transparency, accountability and ethical conduct are expected in every organization, and institutions of higher education are not exempt.

The purpose of this article is to summarize the research questions answered, to draw conclusions based on the research as they impact higher education, and to recommend future research. This research started with three questions: (1) At institutions of higher education that have adopted the best practices of the Sarbanes-Oxley Act, what have been the effects of adopting any or all of the best practices? (2) At institutions of higher education that plan to adopt the best practices of Sarbanes-Oxley, what do those institutions believe will be the effect of implementing the best practices of Sarbanes-Oxley? (3) Of those institutions of higher education that did not implement the best practices of Sarbanes-Oxley, why have they not done so? This study attempts to qualitatively determine why institutions of higher education decided to implement any of the best practices, what perceived benefits, if any, were gained, and whether the institutions believed that they had achieved those benefits as of the time of the interviews.
In August 2008, we sent out surveys to approximately 700 institutions. There were 27 institutions that responded to the survey. Since we received such a low response rate, and in an attempt to obtain a more in-depth understanding of the results of the quantitative survey, interviews were conducted with respondents that agreed to participate in this portion of the research. Interviews were conducted with individuals at 10 of the participating institutions that provided contact information and agreed to be interviewed. Responses represented a cross section of the country. The questions were developed with the intent to probe for "reasons" why an institution did or did not implement the best practices of Sarbanes-Oxley; therefore, open-ended questions were utilized.

The research findings indicated that many institutions of higher education already had some of these best practices in place prior to the enactment of Sarbanes-Oxley. For example, many of the survey respondents implemented additional practices as a result of Sarbanes-Oxley; however, all respondents already had some of the practices in place prior to the enactment of Sarbanes-Oxley. During the interviews, participants responded that they reviewed current practices and the recommended best practices, identified any gaps between current practices and recommended best practices, and remediated any gaps as necessary. The research draws out the fact that, although institutions may have had some of these practices in place, such as having an audit committee, institutions still took time to voluntarily review and to improve upon existing practices. In addition, institutions added best practices where necessary, such as instituting an employee hotline. The survey also showed that responding institutions have a whistleblower or employee complaint mechanism in place. Implementation was driven by the Board or a Committee thereof, with consultation of Management.
Many believed that implementing the best practices of Sarbanes-Oxley enhanced integrity, and thus increased the confidence of current trustees and stakeholders, enhanced general governance, oversight and risk management, and, according to the respondents, also enhanced public perception and accountability. These are very compelling comments that lead towards the perception that implementing the best practices of Sarbanes-Oxley in institutions of higher education enhanced integrity, transparency, and accountability. The respondents stated their belief that there may be future mandates and/or regulation by the government, and that there would be greater demands on transparency and accountability. In addition, the respondents felt that implementing the best practices would provide improved financial controls and oversight, particularly in light of the greater demands for transparency and accountability. However, overall, the respondents stated that one of the reasons the best practices of Sarbanes-Oxley were implemented was because their board members and senior managers believed it was the right thing to do.
How long practice has been in place after Sarbanes-Oxley enactment

Practice                                                          1-2 years   3-4 years   5-6 years   Greater than 6 years   N/A
Public accounting firm that conducts your annual audit
  prohibited from performing non-audit services                     25.0%       16.7%        8.3%       16.7%                  33.3%
Audit Committee has a charter                                        9.1%       27.3%       18.2%       18.2%                  27.3%
Audit Committee has at least one financial expert                   27.3%       18.2%       18.2%        9.1%                  27.3%
Audit Committee pre-approves all services provided by the auditor   33.3%       16.7%       16.7%       16.7%                  16.7%
The lead audit partner rotates off the audit every seven years      27.3%        9.1%        9.1%        0.0%                  54.5%
The audit engagement letter is addressed to the audit committee     20.0%       10.0%       20.0%       10.0%                  40.0%
Audit Committee evaluates performance of external auditor            0.0%       12.5%       25.0%       12.5%                  50.0%
Hotline established                                                 38.5%       23.1%        0.0%        0.0%                  38.5%
Code of Conduct/Code of Ethics implemented                          20.0%        0.0%       30.0%       10.0%                  40.0%
Independent Audit Committee                                         10.0%       10.0%       20.0%       10.0%                  50.0%
Financial processes documented                                       0.0%       22.2%       33.3%       11.1%                  33.3%
CEO certifies annual audit report                                   10.0%       30.0%       10.0%        0.0%                  50.0%
CFO certifies annual audit report                                    0.0%       33.3%       11.1%       11.1%                  44.4%

States are also beginning to enact legislation on non-profits. According to GuideStar (2008), regulation has already been enacted in many states, such as California's Nonprofit Integrity Act of 2004, which requires non-profit organizations that have revenue of at least $2 million to have an independent audit completed. Other states have also introduced or enacted legislation regarding nonprofit institutions, such as Massachusetts, which changed the thresholds at which non-profit organizations are required to obtain independent audits. New Hampshire requires every non-profit with revenues of $500,000 or greater to submit audited financial statements along with the organization's IRS Form 990.
Maine requires every non-profit organization renewing its registration as a charitable organization to submit audited financial statements with its IRS Form 990. Connecticut requires nonprofit organizations with revenues greater than $200,000 to file audited financial statements, and Kansas requires those with contributions of $500,000 or more to submit audited financial statements. Although most of this legislation is geared towards charities, and exempts institutions of higher education, it is clear that states are focusing on governance in non-profit organizations. This is also consistent with the respondents' concerns that there may be future mandates and/or regulation by the government, and that there would be greater demands on transparency and accountability.

IMPLICATIONS OF THE SURVEY FINDINGS

Overall, Sarbanes-Oxley has had an impact on how institutions of higher education conduct business. For example, institutions developed or modified their Board Audit Committee Charters to include independent members on the committee, and to ensure members were financially literate, with at least one financial expert as recommended in the best practices. In addition, institutions established hot-lines for staff and others to report suspected irregular activity, and established Codes of Conduct, which are signed by trustees and senior managers; some institutions require the Codes of Conduct to be signed at the employee level. Institutions that implemented or modified the best practices of the Sarbanes-Oxley Act subsequent to its passage began to do so within the first few years of enactment.

How long practice has been in place prior to Sarbanes-Oxley enactment

Practice                                                          1-2 years   3-4 years   5-6 years   Greater than 6 years   N/A
Public accounting firm that conducts your annual audit
  prohibited from performing non-audit services                      7.1%        0.0%        7.1%       21.4%                  64.3%
Audit Committee has a charter                                       18.8%       12.5%        0.0%       43.8%                  25.0%
Audit Committee has at least one financial expert                    0.0%        7.7%        7.7%       53.8%                  30.8%
Audit Committee pre-approves all services provided by the auditor   12.5%        6.3%        6.3%       31.3%                  43.8%
The lead audit partner rotates off the audit every seven years      23.1%        0.0%        7.7%       15.4%                  53.8%
The audit engagement letter is addressed to the audit committee      0.0%       16.7%        8.3%       33.3%                  41.7%
Audit Committee evaluates performance of external auditor           14.3%        0.0%       14.3%       35.7%                  35.7%
Hotline established                                                  7.7%       23.1%        0.0%        7.7%                  61.5%
Code of Conduct/Code of Ethics implemented                           0.0%       15.4%        7.7%       38.5%                  38.5%
Independent Audit Committee                                         14.3%        7.1%       14.3%       50.0%                  14.3%
Financial processes documented                                       7.1%        0.0%        7.1%       57.1%                  28.6%
CEO certifies annual audit report                                   16.7%        0.0%        0.0%        8.3%                  75.0%
CFO certifies annual report                                          7.1%       57.1%       28.6%        7.1%                   0.0%

The IRS recently revised its Form 990. The Form 990 is an informational form filed by institutions of higher education and other non-profit organizations. Among the many revisions are questions about the number of voting members that are independent; whether the institution has a conflict of interest policy, a whistleblower policy, and a document retention and destruction policy; and the institution's compensation practices. In addition, the IRS Form 990 asks if a copy of the 990 is provided to the organization's governing body before it is filed. Again, these inquiries on the IRS Form 990 regarding governance practices, institutional policies, and compensation practices lead institutions to believe, consistent with the concerns noted in this research, that possible future mandates and/or regulation by the government would result in even greater demands on transparency and accountability.

Future Implications for Education

Although the Sarbanes-Oxley Act only applies to publicly traded companies, and is not directly applicable to institutions of higher education, institutions of higher education that have opted to implement such practices have done so for good reason. The adoption of best practices enables an institution to promote transparency by ensuring that its financial information is correct through the implementation of internal controls that help detect errors in the accounting records should any errors occur. It also promotes accountability by affixing the responsibility for the accuracy of the financial information on the President and Chief Financial Officer of the institution. This accountability is achieved by requiring the President and Chief Financial Officer to sign certifications that the annual financial information is correct. Additionally, following the Act's best practices encourages integrity by requiring all members within the institution to sign an annual conflict of interest statement and disclose any relationships that employees or family members of employees have with anyone doing business with the institution.

Do you believe that the result of implementing the best practices of Sarbanes-Oxley has added value in the following areas (check all that apply)?

Area                                                         Response Percent
Obtaining Federal and other funding from various agencies    28.6%
Obtaining gifts from donors                                  35.7%
Attract students                                              0.0%
Increase reputation                                          28.6%
Recruited Trustees that are financially competent            42.9%
No value obtained                                            28.6%

In an article in the Michigan Law Review (2008), author Joseph Mead states that "those nonprofits that most need tighter financial management are unlikely to adopt the voluntary proposals because financial management is not a priority for them." Mead makes a valid point, and continues, "when a scandal develops at one of these nonprofits, the resulting media attention damages the entire sector. Mandatory legislation provides a way to prevent these nonprofits from tainting the entire sector." This reinforces the respondents' concerns as to the reasons why possible future mandates and/or regulation by the government may occur.

Increased public perception was also noted as an anticipated gain for institutions of higher education implementing the best practices of Sarbanes-Oxley … and for good reason. The Yale Daily News (December, 2008) reported that Yale University recently agreed to pay $7.6 million for allegedly making false claims on federal research grants. According to the Yale Daily News report, the acting U.S. Attorney stated that "this settlement sends a clear message that the regulations applicable to federally-funded research grants must be strictly adhered to." This acts as a clear message that institutions that do not make an effort to improve financial controls and oversight to improve transparency and accountability may be subject to these types of investigations.

Also, establishing a hot-line for employees and others to report suspected inappropriate activity enables those that wish to report to do so anonymously if they desire. It also provides the institution the opportunity to investigate the suspected activity in-house, as opposed to the suspected activity being reported to the federal government. For example, Oakland City University in Indiana agreed to pay $5.3 million to settle a whistleblower's complaint that the University improperly offered incentives in the form of commissions and bonuses for employees to enroll students.

Board members of non-profit organizations are typically not paid, but volunteer to serve on such boards.
As there is an increasing demand from the government for Boards to carry out their fiduciary responsibilities, future research as to how Board members are responding would glean insight as to how these Board members are coping with such demands. Are organizations finding it difficult to attract and retain qualified board members, and how is this affecting such organizations? According to Laura S. Trombley (2007), president of Pitzer College:

…while measures mandated by the Sarbanes-Oxley Act are not required for nonprofit organizations, they have heavily influenced the current practice and policies of colleges. Many, like my own, have had to create a separate audit committee of the board to serve as the institution's fiduciary watchdog. All those aspects of board performance may prove daunting, particularly to new trustees.

As institutions of higher education continue to implement the best practices of Sarbanes-Oxley, and with the demands placed on the institution's boards, will this limit the ability of institutions to attract and retain competent board members? Ms. Trombley further adds that, at her own institution, she has "been fortunate to work with trustees who are actively interested in best practices in governance." However, Ms. Trombley, who is also a commissioner at the Western Association of Schools and Colleges, and has served on many college-review panels for the association, states that "I have seen the powerful and detrimental effect a poorly functioning board can have upon an institution." Research into how board members believe best practices in governance affect their decisions as to which boards to sit on, and which boards are no longer feasible to sit on due to greater demands, should prove beneficial.
It is clear through the IRS's revamping of Form 990 that the government is interested in knowing whether non-profit organizations, including institutions of higher education, are creating a culture of transparency through the additional information that the 990 is now requesting. Those organizations that can answer such questions in the affirmative will be better poised should Sarbanes-Oxley-like legislation eventually be enacted within the non-profit environment. In the July/August 2009 issue of Trusteeship, Thomas Hyatt provides an excellent breakdown of the questions now posed on the new 990 in his article "Show Me What I'm Looking For: A Trustee's Guide to Reviewing the New IRS Form 990."

The short-term implications of implementing the best practices of Sarbanes-Oxley will show employees and others outside the institution that the institution wants to do the right thing, i.e., that accountability and transparency are important. Also, it will help establish an ethical culture within institutions of higher education through the institution's code of conduct, which communicates that improper behavior will not be tolerated.

As for long-term implications, it is postulated that institutions of higher education that have implemented the best practices of Sarbanes-Oxley will be better poised should future regulation be enacted by the federal or state legislators. As competition increases for a decreasing pool of federal funds, funding agencies will take into account the fact that there are organizations that are exercising their fiduciary responsibilities by implementing the best practices of Sarbanes-Oxley. Donors may be willing to give to institutions that show they are serious about exercising their fiduciary responsibilities, and have made attempts to be more transparent through implementing the best practices. These are areas where future research is needed. However, it is also more likely that implementing the best practices of Sarbanes-Oxley may have an impact on higher education that establishes an overall culture within the institution that strives to do what is ethical and right. As institutions set that ethical tone, this should attract higher caliber individuals who want to work for such institutions, and also should motivate those who choose not to act ethically to leave those institutions.

For example, in an interview with the Chronicle of Higher Education, Senator Grassley (ranking member of the U.S. Senate Finance Committee) stated that the National Institutes of Health should get tough with academic scientists by revoking their grants if they fail to report financial conflicts of interest to their institutions. The comment was a result of the Senator's investigators finding discrepancies when they asked pharmaceutical companies to list their payments to researchers, and then asked universities to describe financial disclosures by those same investigators.

In the most recent study conducted by NACUBO, the authors state that "Overall, it appears that SOX has served to underscore the importance of the traditional formal governance structures of colleges and universities while adding emphasis on ethical and transparent practices." Future research in this area will determine if these practices have achieved what the institutions intended them to achieve. NACUBO states that it will continue to conduct follow-up surveys every two or three years, because the author believes that "the many mandates affecting the industry do not seem to be trailing off, we have every reason to believe that higher education will continue to adjust and improve its practices." Holbeche also reminds us that "Success depends on extensive planning and design, precise assessment of the current situation, accurate anticipation of resistance to change and skill at overcoming this resistance." In order to make course corrections along the way, understanding the cultural aspect of the changes involved in implementing the best practices of the Sarbanes-Oxley Act in institutions of higher education is critical.