The STRAIGHT and NARROW
Office of Internal Audit, Board of Regents of the University System of Georgia, (404) 657-2237
October 19, 2007 Volume 2, Issue 2
Hotline Regional Meeting Schedule:
There will be four opportunities to attend a regional meeting on the implementation of the new USG Hotline. The purpose of the meetings will be to discuss various features, functionalities, and "how to's" of the reporting system, as well as the required procedures by your local campus to go "live." The schedule of meetings is:
- Abraham Baldwin Agricultural College: 10/19/07
- Atlanta (The Network, 3rd party hotline provider company): 10/26/07
- Savannah State University: 11/02/07
- Atlanta (The Network): 11/09/07
Please contact Michael Foxman at 404-656-3374 if you would like more information.
"Creating A More Educated Georgia"
www.usg.edu
From the Desk of Ron Stark
The current Purchasing Card program scrutiny should not be news to anyone in the financial areas of our institutions.
The Department of Audits report on P-Card fraud found at two of the four University System of Georgia institutions that were sampled has been the subject of much discussion in the press, at the System Office and within the State legislature.
In the coming months, the Office of Internal Audit will be scheduling a visit to each campus to complete the P-Card review that the Department of Audits started.
More information will be provided as our audit plan takes its final form.
Emergency Action Plans
In March, 2006 the Chancellor distributed a memo to institution Presidents noting that Emergency Operation Plan (EOP) updates had not been requested by the System Office since 2002.
While the deadline for this update to the System Office has come and gone, EOPs at individual campuses should be updated on a regular basis.
Emergency Management Plans should follow the principles below:
- Comprehensive - consider and take into account all hazards, phases, stakeholders and impacts relevant to disasters.
- Progressive - anticipate future disasters and take preventive and preparatory measures to build disaster-resistant and resilient communities.
- Risk-driven - utilize sound risk management principles. Priorities and resources are assigned on the basis of this process.
- Integrated - ensure, to the highest possible degree, unity of effort among all levels of government and community.
- Collaborative - create and sustain broad and sincere relationships to encourage trust, advocate a team atmosphere, build consensus and facilitate communication.
- Coordinated - synchronize the activities of all relevant stakeholders to achieve a common purpose.
- Flexible - create innovative approaches to solving disaster challenges.
- Professional - value a science and knowledge-based approach based on education, training, experience, ethical practice, public stewardship and continuous improvement.
Here is what the Office of Internal Audit will be looking for in an institution's EOP:
- Well-defined cabinet-level communications plan to include academic affairs, student affairs, IT departments, and the USO.
- Consideration of the establishment of an Emergency Operations center.
- A business continuity plan to continue critical services after a disaster.
- Consideration [and implementing procedure] to waive standard campus rules and policies during certain emergency situations.
- Evacuation plans and plans for receiving evacuees.
- Identification of community partners who are willing and able to provide emergency support.
- Mutual Aid Agreement with the relevant county or city emergency management agency.
- Flu Pandemic Plan.
- Provisions for periodic drills.
- Record-keeping plan for duration of emergency.
From draft white paper of FEMA's Principles of Emergency Management Working Group
From the Office of Internal Audit Reporting Department
Save the Date!
Tentative dates for the FY2008 Year-End Workshop are: April 14-15, 2008
We are finalizing the location and will have more information soon!
Now is a good time to drop us a line on topics you would like covered at the workshop.
Did You Receive Your Letter Yet?
Beginning with the FY2007 year, the Department of Audits and Accounts is issuing Management Letters addressed to the President of the respective institution and Members of the Board of Regents in addition to their regular engagement reports.
This additional communication is a direct result of SAS 112 and 114.
The Management Letter contains internal control deficiencies that fall below the Significant Deficiency and Material Weakness definitions of SAS 112.
Any Significant Deficiency and/or Material Weakness will continue to be reported in the Findings section of the engagement report.
Many institutions' Management Letters for FY2007 will include a comment on an overall lack of Internal Control Process Documentation.
This comment and any others that your institution receives will need to be remedied during FY2008 so that it is not reported as a Significant Deficiency in next year's report.
The Office of Internal Audit will provide guidance on formalizing Internal Control documentation in the coming months, but this should not prohibit any campus from addressing the Management Letter points as soon as possible.
Don't Wait Until Next Year-End
Some institutions had unusual transactions in FY 2007. These unusual transactions more often than not involved Capital Assets.
The accelerated year-end reporting window is definitely NOT the time to think about or begin the discussion on how to report such transactions.
Discussing the issue in advance of year-end gives the Reporting Department some lead time to research and consult with OIIT or the Department of Audits, if necessary.
Three institutions had situations where they retired significant dollar value assets and then re-added them in order to either consolidate assets or change the useful lives.
Due to the accounting entries that were made when the individual Asset Management business processes were executed, online journal entries were required to correct the Capital ledger and correctly report any Loss on Retirement, Depreciation Expense and the Additions and Reductions in Note 6 Capital Assets.
If your institution has a significant and unusual transaction this fiscal year, please give the Reporting Department the 'heads-up' so that we can assist you in avoiding the issue at year-end.
Reports Submitted by Due Date
Annual Financial Reports:
On or before due date: 29
1-5 business days late: 5
6-10 business days late: 2
+10 business days late: 1
Component Unit Reporting:
None to report: 5
On or before due date: 22
1-5 business days late: 4
6-10 business days late: 2
+10 business days late: 4
Not on My Watch! FRAUD Awareness
When we speak of fraud, what exactly do we mean?
The Institute of Internal Auditors defines fraud as, "An array of irregularities and illegal acts characterized by intentional deception." Fraud can range from minor theft and unproductive behavior to misappropriation of assets and fraudulent financial reporting.
Fortunately, fraud is not something we experience frequently on our campuses. The majority of our employees are honest and exhibit integrity in their work each and every day.
Here are some "red flags" that we should all be aware of that could allow fraud to occur:
- Not separating the functional responsibilities of authorization, custodianship, and record keeping.
- Unlimited access to assets.
- Failure to record transactions, resulting in lack of accountability.
- Not comparing existing assets with recorded amounts.
- Transaction execution without proper authorizations.
- Not implementing prescribed controls because of lack of personnel or unqualified personnel.
- Ability to bypass controls through exercise of various overrides.
- Unrestricted access to computer applications.
Here are some danger signs that point toward the possibility of theft:
- Borrowing small amounts from fellow employees.
- Placing personal checks in change funds undated, postdated or requesting others to "hold" checks.
- Inclination toward covering up inefficiencies by "plugging" figures.
- Replying to questions with unreasonable answers.
- Refusing to leave custody of assets during the day/refusing to take vacations.
- Use of duplicate invoices to support payments.
- High personnel turnover and low employee morale.
- Reconciliations not completed promptly.
- Unrealistic performance expectations.
- Write-offs of various asset accounts without attempts to determine cause.
We all play a role in reducing the risks of fraud through a combination of prevention, deterrence, and detection measures. What are some of the specific measures that we can take?
- Realistic individual/department goals and objectives.
- Written policies that describe prohibited activities and the actions taken when violations are discovered.
- Appropriate authorization policies for transactions.
- Policies, practices, procedures, reports, and other mechanisms to monitor activities and safeguard assets.
- Communication channels that provide adequate and reliable information.
- Recommendations for the establishment or enhancement of cost-effective controls to deter fraud.
There are ways in which we can create a culture of honesty and high ethics. These include in part:
- Setting the tone by openly communicating the expectation for ethical behavior.
- Creating a positive workplace environment by:
  - Positive feedback and recognition for job performance.
  - Team-oriented, collaborative decision-making.
  - Training programs and career development opportunities.
- Hiring and promoting appropriate employees.
- Articulating that all employees are accountable for their actions.
- Setting expectations about the consequences of committing fraud and that dishonest actions will not be tolerated.
How can we be proactive in reducing fraud opportunities? Some ideas to consider include:
- Identify and measure fraud risk - assess vulnerabilities such as financial reporting irregularities or misappropriation of assets.
- Mitigate risks through appropriate monitoring and making changes to activities and processes.
- Implement appropriate internal controls such as:
  - Developing well-written departmental policies and procedures.
  - Ensuring that employees are acquainted with university policies and procedures that pertain to their job responsibilities.
  - Making sure job descriptions exist and clearly state job responsibilities.
  - Hiring qualified individuals and ensuring the department has adequate training programs.
  - Performing employee evaluations on-time and recognizing good performance.
  - Ensuring appropriate action is taken when an employee does not comply with policies and procedures or behavioral standards.
If you would like additional guidance and information concerning fraud awareness, prevention, and detection, please contact the Office of Internal Audit.
Sawyer, Dittenhofer, and Scheiner, Sawyer's Internal Auditing, 5th ed., pp. 1183, 1203-1205.
Compliance and what it can do for your Institution
Compliance is not a word that warms the hearts of hard-working staff within any organization. This is understandable given the inevitable visions of "nitpicking" inspectors out to find "minor" errors and otherwise embarrass hardworking employees.
While compliance may have earned this reputation, there are nevertheless several reasons why compliance is both a needed function and an institution's best friend. First, let's review what compliance actually does.
A compliance function should help to ensure that an institution and its employees perform their duties in an ethical manner consistent with the applicable Federal, state, and local laws, rules, and regulations. What does this mean?
Compliance identifies the laws, rules, and regulations to which an institution must adhere.
Compliance educates executive leadership, management, and employees on their responsibilities in respect to these laws, rules, and regulations.
Compliance also educates external regulators on needed changes in laws, rules, and regulations in order to support more effective and efficient organizational governance.
Compliance assesses, monitors, and reports on the "state of compliance" within individual institutions through hotlines, audits, reviews, and other tools.
What can compliance do for an institution?
For one, a well-designed compliance program helps an organization to avoid problems with external regulators through educating employees on how to do the "right thing" in the "right way."
Next, a compliance program that meets the criteria of the Federal Sentencing Guidelines may be used to reduce fines and/or penalties associated with non-compliance.
Additionally, institutions with an effective compliance program may experience increased efficiency and effectiveness through the sharing of best practices and procedures.
Establishing and maintaining an effective compliance function does not happen overnight. However, there is no end in sight to the increase in laws, rules, and regulations with which our institutions must comply.
One might ask ... what is the University System doing to address these compliance needs?
Chancellor Davis recently charged Chief Audit Officer Ron Stark with creating a compliance function in the Office of Internal Audit.
To that end, John Fuchko, III, CIA, CCEP has moved into the newly created role of Assistant Director of Compliance and is charged with the responsibility of establishing this evolving function.
You may expect updates in the following months from the Office of Internal Audit as this process is established.
We will soon be looking for volunteers to assist us in forming a Compliance Working Group. Individuals willing to serve and with subject matter expertise in an area of state or Federal law are requested to contact John.
Please feel free to contact John by email at john.fuchko@usg.edu or by phone at 404-656-9439 should you have any suggestions or questions.
Board of Regents of the University System of Georgia Office of Internal Audit 270 Washington Street S.W. Atlanta, GA 30334-1450 Phone (404)657-2237 Fax (404) 651-9444
We're on the Web! See us at: www.usg.edu/offices/audit.phtml