Straight and narrow, Vol. 3, Issue 11 (Dec. 17, 2009)

The STRAIGHT and NARROW

December 17, 2009
The Office of Internal Audit & Compliance (OIAC) mission is to support the University System of Georgia management in meeting its governance, risk management, compliance (GRCC) and internal control responsibilities while helping to improve organizational and operational effectiveness and efficiency. The OIAC is a core activity that provides management with timely information, advice and guidance that is objective, accurate, balanced and useful. The OIAC promotes an organizational culture that encourages ethical con-

We have three strategic priorities:

1. Anticipate and help to prevent and mitigate significant USG GRCC issues.
2. Foster enduring cultural change that results in consistent and quality management of USG operations and GRCC practices.
3. Build and develop the OIAC team.
Inside this issue:
GA Student Finance Commission
Tuition Classification

Internal Audit, Board of Regents of the University System of Georgia. 404-656-2237. Volume 3, Issue 11
From the Chief Audit Officer John M. Fuchko, III
I previously had the privilege of working with Bill Goodwin of the Goodwin-Wright agency (a Northwestern Mutual agency) in Atlanta, Georgia. Bill is a legend in the insurance industry and was a great mentor and leader to me during my tenure with his organization. Among other things, Bill emphasized the "power of the question" as a tool to engage minds, create motivation, and inspire action. In the truest form, auditors also learn by asking questions. In fact, one definition of auditor is "one that hears or listens." A well-framed question allows both the speaker and listener to truly probe the substance of an issue versus talking over and around each other through statements of position or opinion.
It is the power of the question that we intend to harness as part of this publication going forward. Effective with our next issue, we are introducing a "Questions for Leaders" column. This column will address one or more topics in each issue. However, the column will focus less on offering advice on how to correct a problem and more on what questions leaders (Presidents, VPs, etc.) can ask that will provide them greater assurance that their institution is well prepared to handle the underlying issue being addressed in that column. We will select these topics in response to suggestions from our readers and in response to trends that we see during our audits.
Internal auditors know that "tone at the top" is one of the most important aspects of an effective internal control framework. Organizations fix those things that are measured, rewarded, or noticed by leaders. Leadership emphasis on asking questions and getting answers for those topics addressed in our column will help to improve the organization. Additionally, it is a tool for us to raise awareness around an issue that we are seeing at one institution before it becomes an issue at all institutions.
On a separate note, it is my pleasure to announce two staff changes within the Office of Internal Audit & Compliance.
Scott Woodison (previously our Director of IT Audit) is serving as our Interim Director of Compliance and Enterprise Risk. In this role, he is filling the position that I previously held. Scott will be the project manager for our Enterprise Risk Management (ERM) and Compliance implementation efforts. He also will manage our Ethics and Compliance Hotline and the associated malfeasance reporting.
Erwin "Chris" Carrow (previously our senior IT Auditor) is serving as our Interim Director of IT Audit. Chris is responsible for implementation of the IT portion of our audit plan and for project management for several internal information technology initiatives.
Scott and Chris bring a wealth of knowledge, experience, and technical expertise to their interim positions. Please know that you can contact Scott (scott.woodison@usg.edu) or Chris (erwin.carrow@usg.edu) with questions or concerns in their areas of expertise.
In closing, please do not hesitate to contact our office with any questions, concerns, or recommendations you might have.

Inside this issue (continued):
Top 10 Management Practices
Buyer Identification Cards/PPV
The Fraud Hotline
Top 10 Suggestions for Internal Controls
Building Our Audit Team


Georgia Student Finance Commission Compliance by Richard M. Hawkshead

Editor's Note: We appreciate Richard Hawkshead's contribution to our newsletter. He is the Vice President of Internal Audit & Compliance for the Georgia Student Finance Commission.
WHAT WE DO
The primary objective in performing a Compliance Review for post-secondary institutions that administer State Scholarship and Grant programs is to determine if the institutions have established and are following policies and procedures in compliance with the laws and regulations governing the State Scholarship and Grant Programs.
The GSFC Compliance Team's goals in conducting Compliance Reviews are to provide guidance to institutions in their on-going administration of the Scholarship and Grant programs, identify training needs for the institution being reviewed and also to try and identify any training needs that might exist for institutions as a whole for issues regarding the State Scholarship & Grant Programs. In performing Compliance Reviews, the Compliance Team is expected to review student files in a manner that is consistent between all institutions, to be accountable for our regulatory interpretations and rulings and to communicate the results of the review clearly and concisely.
Compliance Reviews are conducted at each institution at a minimum of once every three years. Sample sizes are based on a statistically sound methodology to produce samples which will give a 95% confidence level with a +/- 10% margin of error. All State awards received by each student in a sample are reviewed.
WHAT WE LOOK FOR
A Compliance Review consists of several different stages. The Pre-Review stage consists of communication with institutions scheduled for review regarding the logistics of the Compliance Review and the information needed by the Compliance Officers for the Compliance Review.
During the On-Site Review, the Compliance Officers will review the students' institutional files and will also collect student information pertinent to the Post-Review stage. The type of information collected during the On-Site Review generally relates to documents that support the HOPE Scholarship GPA calculation and enrollment and invoicing issues; usually the students' institutional transcripts and transcripts from attendance at prior post-secondary institutions. Information is also collected that relates to possible findings that may be noted during the review process.
The Post-Review stage includes an in-depth review of the students' transcripts to determine the institution's compliance with the laws and regulations regarding the HOPE Scholarship GPA calculation and enrollment and invoicing issues. Information related to possible findings is also looked at in depth. During this stage, the Compliance Review reports are issued and the institution responses are addressed. The Compliance Review is closed once all issues arising from the Compliance Review have been resolved.
WHAT WE FIND
The 2007 and 2008 summaries of findings are shown below. These summaries of findings show that for both 2007 and 2008, just 20% of the finding types (Invoicing, GPA, Citizenship and Incorrect Reporting of Data) account for over 70% of the number of findings. These four finding types also account for over 65% of the benchmarking points accumulated for each year. Benchmarking points are used as indicators for potential training recommendations for institutions being reviewed. The total of the number of findings by type multiplied by the benchmarking points for that finding type is then divided by the sample size to arrive at an individual institution's benchmark value.
INSTITUTIONAL RESPONSIBILITIES
Beginning in 2009, TCSG and BOR institutions could choose to certify that their institutions abide by their governing bodies' policies regarding Georgia residency and SAP determination and therefore not have Georgia residency and SAP determinations included as a part of the Compliance Review process. For institutions that choose to provide this certification, any issues regarding Georgia residency and SAP will not be included in Compliance Review reports, but will be communicated to the institution and the institution's governing body only. The Compliance Team continues to review Georgia residency related to specific time requirements as required by the laws governing the HOPE Scholarship program.
All post-secondary institutions that participate in the State Scholarship and Grant Programs are expected to abide by the current State regulations and laws in awarding State funds to students. Conflicting data or information noted in any institutional office file should be resolved before State funds are awarded. Participating institutions are expected to make available to Compliance Officers all institutional files for the students in the sample, to respond to Compliance reports in a timely fashion and to implement any Corrective Action Plans as specified in the reports. Participating institutions are also expected to attend mandatory training or to strongly consider attending recommended training as specified during the Compliance Review process. Any questions related to the Compliance Review process can be sent to ComplianceTeam@gsfc.org.


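2007 Summary

| Finding Type & Benchmarking Points* | # of Findings | Points | % of Findings per Type | % of Points per Type |
| --- | --- | --- | --- | --- |
| Invoicing - 4 | 178 | 712 | 14.91% | 25.96% |
| GPA - 4 | 70 | 280 | 5.86% | 10.21% |
| GA Residency - 4 | 40 | 160 | 3.35% | 5.83% |
| Return of Funds - 4 | 12 | 48 | 1.01% | 1.75% |
| Citizenship - 3 | 110 | 330 | 9.21% | 12.03% |
| Exceeded Hours - 3 | 41 | 123 | 3.43% | 4.48% |
| Enrollment Hours - 3 | 40 | 120 | 3.35% | 4.37% |
| Overaward - 3 | 18 | 54 | 1.51% | 1.97% |
| SAP - 3 | 14 | 42 | 1.17% | 1.53% |
| Not Enrolled - 3 | 12 | 36 | 1.01% | 1.31% |
| Selective Service - 3 | 3 | 9 | 0.25% | 0.33% |
| Default - 3 | 2 | 6 | 0.17% | 0.22% |
| Drug-Free Act - 3 | 1 | 3 | 0.08% | 0.11% |
| Missing Sch/Grant App - 2 | 79 | 158 | 6.62% | 5.76% |
| Missing Transcript - 2 | 75 | 150 | 6.28% | 5.47% |
| Incorrect Program of Study - 2 | 9 | 18 | 0.75% | 0.66% |
| Missing File - 2 | 4 | 8 | 0.34% | 0.29% |
| Incorrect Reporting of Data - 1 | 482 | 482 | 40.37% | 17.57% |
| Book Allow. Error - 1 | 4 | 4 | 0.34% | 0.15% |
| TOTALS | 1194 | 2743 | | |

2008 Summary

| Finding Type & Benchmarking Points* | # of Findings | Points | % of Findings per Type | % of Points per Type |
| --- | --- | --- | --- | --- |
| Invoicing - 4 | 297 | 1188 | 22.33% | 35.47% |
| GPA - 4 | 112 | 448 | 8.42% | 13.38% |
| GA Residency - 4 | 47 | 188 | 3.53% | 5.61% |
| Return of Funds - 4 | 12 | 48 | 0.90% | 1.43% |
| Citizenship - 3 | 94 | 282 | 7.07% | 8.42% |
| Exceeded Hours - 3 | 68 | 204 | 5.11% | 6.09% |
| Enrollment Hours - 3 | 37 | 111 | 2.78% | 3.31% |
| Overaward - 3 | 24 | 72 | 1.80% | 2.15% |
| SAP - 3 | 15 | 45 | 1.13% | 1.34% |
| Not Enrolled - 3 | 12 | 36 | 0.90% | 1.07% |
| Selective Service - 3 | 2 | 6 | 0.15% | 0.18% |
| Default - 3 | 3 | 9 | 0.23% | 0.27% |
| Drug-Free Act - 3 | 0 | 0 | 0.00% | 0.00% |
| Missing Sch/Grant App - 2 | 36 | 72 | 2.71% | 2.15% |
| Missing Transcript - 2 | 67 | 134 | 5.04% | 4.00% |
| Incorrect Program of Study - 2 | 1 | 2 | 0.08% | 0.06% |
| Missing File - 2 | 1 | 2 | 0.08% | 0.06% |
| Incorrect Reporting of Data - 1 | 499 | 499 | 37.52% | 14.90% |
| Book Allow. Error - 1 | 3 | 3 | 0.23% | 0.09% |
| TOTALS | 1330 | 3349 | | |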


Tuition Classification: Tools & Resources by Sarah Wenham
Editor's Note: We appreciate Sarah Wenham's contribution to our newsletter. She is the Director of Student Access for USG Office of Student Affairs.
Each University System of Georgia institution has the responsibility to protect the taxpayers of Georgia by ensuring that students are correctly classified as "in-state" or "out-of-state" for tuition purposes. The overwhelming proportion of financial support for the operation of the public institutions of higher education in Georgia comes from citizens through the payment of taxes, making correct tuition classifications critical. The practice of assessing a higher tuition rate for out-of-state students allows the taxpayers of the state to be assured that they are not assuming the financial burden of educating persons whose connection to the state of Georgia is temporary.
The Board of Regents tuition classification policies (Section 4.3.2 of the Board of Regents Policy Manual) reflect the requirements for in-state classification as required by O.C.G.A. 20-3-66 passed by the Georgia Legislature in July 2008. In order to help institutions correctly apply BOR policy and O.C.G.A. 20-3-66, a number of tools and resources have been developed to assist institutions in their review and classification of students. The following tools and resources can be accessed from the USG Tuition Classification Resource Page (to be accessed by USG faculty and staff only). For the web link, you may contact Sarah Wenham at Sarah.Wenham@usg.edu.
- The University System of Georgia Manual for Determining Tuition Classification and Awarding Out-of-State Tuition Waivers. The Manual includes the following:
  1. Guidelines for classifying students as "in-state" or "out-of-state"
  2. Guidelines for awarding out-of-state tuition waivers
  3. Tools for how a campus can conduct self-audits of their tuition classification determinations and awarding of out-of-state tuition waivers.
- Frequently Asked Questions and Answers
- Sample waiver forms and a sample petition form
- Materials from previous tuition classification training sessions
- A list of the institutional Tuition Classification Officers
Each institution should create their own procedure manual of established accepted business practices for making tuition classification decisions or awarding out-of-state tuition waivers. It will reflect your organization, personnel and operations. This handbook should align with BOR policy and serve as a training tool.
Conducting regular audits of tuition classification determinations and the awarding of waivers is necessary to ensure BOR tuition classification and out-of-state tuition waiver policies are appropriately applied. When conducting an internal audit, the policy and guidelines found in the following should be referenced:
- BOR Policy 4.3.2 Classification of Students for Tuition Purposes (http://www.usg.edu/policymanual/section4/policy/4.3_student_residency/)
- BOR Policy 7.3.4 Out-of-State Tuition Waivers and Waiver of Mandatory Fees (http://www.usg.edu/policymanual/section7/policy/7.3_tuition_and_fees/#p7.3.4_out-of-state_tuition_waivers_and_waivers_of_mandatory_fees)
- The Manual for Determining Tuition Classification and Awarding Out-of-State Tuition Waivers (http://www.usg.edu/student_affairs/tuition_status/resman_0509.pdf)
When conducting a tuition classification audit, remember we are looking to mitigate the following risks:
- Failure to comply with BOR policy
- Failure to comply with USG guidance
- Key controls not in place
- Unfair practice in tuition classification evaluation
- Unclear policies and procedures
- Lack of trained staff
Through the collaborative work of the campus Tuition Classification Officer and Audit staff, campuses can ensure their procedures support BOR policy. And, by encouraging open communication and sharing of information between the campus Tuition Classification Officer and all other staff involved with making, entering, reviewing or auditing tuition classification determinations, opportunities for misclassifications and the incorrect awarding of waivers can be minimized.

Top 10 Management Practices by Diane Novak

1. Read all requests to spend college money before you sign them (check requests, travel expense vouchers, payroll time sheets, etc.) Never sign a document unless you have reviewed at least the most important information on that document. Satisfy yourself it is a wise use of taxpayer funds.
2. Develop written procedures for critical operations. These serve as a resource for current employees and a good training tool for new employees.
3. Develop measurable annual department goals based on your department's mission and strategic goals. Create an action plan to achieve goals and communicate to all employees.
4. Make sure each transaction has two people involved; one initiator and one approver. Separate these two duties to reduce the possibility of errors.
5. Print a procurement card report once a month, scan it for unusual transactions. Investigate anything that doesn't look right.
6. Deposit all cash and checks received daily with the college business office. If something has to stay in your office overnight, lock it up.
7. Don't be satisfied with "The way we've always done things". Review your processes on a continuous basis for inefficiency and duplication of effort.
8. Use the Department of Administrative Services' policies and procedures web page at www.doas.ga.gov . It has just about everything you need to know to purchase something and stay within the rules.
9. Maintain good supporting documentation for all purchases. Ask yourself "what would an auditor want to see?"
10. Make sure faculty and staff leave reporting is reviewed and signed off by a supervisor or someone who is familiar with the employee's work hours.

Permission granted for use by Diane Novak, Associate Vice Chancellor, Accounting, Lone Star College System

Who We Are

Internal auditing is an independent appraisal activity authorized by the Board of Regents to examine, evaluate and advise components of the University System of Georgia (USG).
We offer objective reviews for the purpose of providing an assessment on governance, risk management, & compliance internal control processes.
This is accomplished through:
1. Financial engagements
2. Performance engagements
3. Compliance engagements
4. IT engagements

Discontinue the Use of Buyer Identification Cards by Michael Foxman
We have noted that there are campuses that use Buyer Identification Cards to make purchases at Home Depot. The account is tied to a line of credit and is serviced by Citibank. According to the Business Procedures Manual Section 3.3 (Purchasing Card), other than authorized P-Cards, "USG institutions are not authorized to obtain any other credit card or debit card issued in the name of the institution or any other State of Georgia entity." If your campus is currently using Buyer Identification Cards, you should discontinue their use and destroy the cards.

The Compliance and Ethics (COMET) Program is also managed by the Office of Internal Audit with responsibility to:
1. Prevent misconduct through education and training;
2. Detect misconduct through reviews, anonymous reporting, and other means; and
3. Protect the USG from the potential repercussions associated with misconduct by USG employees.
The COMET program accomplishes these objectives through:
1. Managing a USO compliance program;
2. Advising USG and institution management on significant compliance risks;
3. Coordinating and supporting institutional compliance functions; and
4. Conducting investigations and reviews as needed.
Website:
www.usg.edu/audit
Phone: (404) 656-2237
Fax: (404) 463-0699

Public Private Venture Program by Jim Winters

This article serves as an update on the Public Private Venture Auditing Program (PPV). The Internal Audit Directors were introduced to the program and to Jim Winters, PPV auditor, at their quarterly meeting on September 30th.
The PPV risk assessment was completed, which included interviews with members of campus leadership teams, attorneys, trustees, and members of the investment community. The risk assessment also included a questionnaire of five ranking questions and two discussion questions. The major concerns included: ability to access the bond markets when financing is needed, ability to increase revenue to pay for the project expenses, and appropriate monitoring of the PPV project's financial projections to detect and address areas of concern.
This is the first year that the University System of Georgia Foundation, Inc. financial statements will be included in the State of Georgia Comprehensive Annual Financial Report (CAFR). This was a result of the first bond issue of $100 million for eight construction projects to be leased to seven of our institutions. The USG Foundation has subsequently issued an additional $100 million to finance five projects to serve three campuses.
We are about to begin a best practices review. This will include a review of the planning and construction phase, legal compliance, and financial performance monitoring. Please call Jim Winters (404) 656-5688 if you have any questions.
Public Private Venture
Is a contract between a public sector authority and a private party, in which the private party provides a public service or project and assumes substantial financial, technical and operational risk in the project.

University System of GA PPVP
Is a financing agreement utilizing a state issuing authority (e.g., The Georgia Higher Education Facilities Authority - GHEFA) which loans money to a foundation's LLC (e.g., The University System of Georgia Foundation's LLC) to construct physical plants (dorms, parking decks, food courts, and stadiums) to be leased to the University System of Georgia for the use of students of a College/University.


The Fraud Hotline - A Self-Policing Tool by Steve Rosenthal

The last nine years have made many in the business world stop and scratch their heads. Why, you ask? Fraud is the answer. You can help control the tide.
Years before Enron's actual collapse, whistleblowers said something was not right. Yet, on that gloomy December morning, the nation's 7th largest company filed Chapter 11. The fallout did not stop there. Workers lost their jobs, 401k's and retirement accounts disappeared, and one of the nation's largest accounting firms ceased to exist.
Yet again, in the last year, we've heard the names of Madoff, Société Générale, Satyam and others in the spotlight for fraud. A turbulent financial market, rising unemployment rates and furloughs contribute to the equation.
You may ask how this affects me. Higher education systems are not exempt from possible occurrences of fraud even with the best of measures. To paraphrase one of my professors, even with the best controls in place, if someone wants to commit fraud they will always try to find a way!
There are no simple answers but we in the university community must report issues of fraud, waste and abuse. Reporting can be done a number of ways: by calling the toll-free hotline, submitting an online report, contacting the Office of Internal Audit and Compliance or seeking your supervisor or department head for assistance. Remember, one can do this anonymously.
Here are a few examples of areas that could present a potential issue: not having proper controls in place in the purchasing departments; maybe it's with the recording of sick or personal days; or, it could involve improper or poor record keeping for grant funding. These are just a few examples. If each institution had one instance, what would it mean? If not reported in time, it means more money out of the budget, employees accumulating more time than actually earned or the inability to conduct research. One might think that one instance really isn't going to affect an institution. However, when looked at over the entire University System, the amounts are significant.
According to USG BPM 16.4, the Board of Regents is committed to preventing instances of fraud, waste and abuse and USG employees have a responsibility to report the fraud, waste and abuse. In order to facilitate reporting, the University System of Georgia has established an ethics and compliance hotline. However, a recent review of institution websites suggests some hotlines might be difficult to locate. In reviewing the schools making up the university system, fewer than ten had the link to the ethics hotline easily accessible from their homepage. We recommend including a hotline link on the home page of the institution's website, in the Human Resources content area, in the site map and in the Legal Affairs area as well. Making it easier for people to report instances allows for better controls. In turn, it makes for a better University System now and in the future.


Top 10 Suggestions for Internal Controls & Successful Business Operations by Kevin Robinson

1. Set a strong example for the expectation of ethical behavior, compliance with laws/policies, and communicate your expectations routinely to your unit's personnel.
2. Never sign something you don't understand.
3. Limit signature authority and don't let anyone sign your name (an employee should sign their own name). Never use a signature stamp.
4. If something doesn't make sense, ask questions about it until it does. Pay attention to what your employees are doing.
5. Be familiar with University policies and procedures. Be willing to call and ask questions.
6. Consider unique risks your unit may have (e.g., cash collections, contracts and grants, etc.) and ensure additional oversight is provided.
7. Ensure accounts are reconciled monthly and review this reconciliation for any unusual transactions. (This should include a review of payroll and leave reports.)
8. Don't let one employee have complete control of any process.
9. Keep offices and labs locked to protect property, data, and other resources. (Remember to shred paper documents with identifying information.)
10. Ensure University assets are used for University business (incidental personal use is allowed).
Permission granted for use by M. Kevin Robinson, CIA, CFE, CCEP, Executive Director, Internal Auditing, Auburn University


Building Our Internal Audit Team by Michael Foxman

In the past few months, the Office of Internal Audit and Compliance has taken steps to develop our team and provide enhanced audit services. We recognize this is an ongoing effort. Some of the current projects include:
Get Certified Program
As audit professionals we recognize the importance of certification. This includes Certified Internal Auditor (CIA), Certified Public Accountant (CPA), Certified Fraud Examiner (CFE), Certified Information Systems Auditor (CISA) and others. We provide the necessary instructional material, time-off to take the certification exam and limited study time. Additionally, we provide incentive pay. Our team also recognizes that obtaining certification provides not only practical knowledge, but opportunities for potential advancement.
Shared Auditor Model
Currently, 16 University System of Georgia (USG) campuses have an internal audit department. With the cooperation of various campuses, we are currently planning on expanding the number of institutions with an audit department. We recognize that with talented and trained Board of Regents internal audit staff, we may be able to staff the "Shared Auditor Model" with our own personnel. This also provides our institutions with personnel who have been trained and are familiar with the USG. This provides staff with opportunities for growth on a system-wide basis. This is a win-win situation.
Queries and Analysis
We are all aware of our complex environment and the explosion of data afforded us by our BANNER, PeopleSoft and ADP information systems. We have obtained tools to help us extract data so that we can better analyze, review and report information. This is beneficial in pre-planning our fieldwork, reducing the amount of time spent in the field, reducing the impact on auditee's time and providing better results. One such tool recently purchased is IDEA, Information Data Extraction and Analysis. This allows us to extract and analyze large amounts of data and obtain better sample data. Additionally, our staff has been trained in the use of PeopleSoft queries.
All of our efforts are directed towards an awareness of unity on the part of all team members, an opportunity to contribute and learn from each other, and an ability to attain a common goal.

Board of Regents of the University System of Georgia
Office of Internal Audit & Compliance
270 Washington Street, SW
Atlanta, GA 30334-1450
Phone: (404) 656-2237
Fax: (404) 463-0699
"Creating A More Educated Georgia"
www.usg.edu

We're on the Web! See us at: www.usg.edu/audit

Ask the auditor: If you have a control or ethics question that has been bothering you, it is a good bet someone else in the system is wondering the same thing. We invite you to send your question to Karen.lamarsh@usg.edu and we may feature it in the next or future issues of the Straight & Narrow.
Any other comments or questions? Contact Karen LaMarsh at Karen.lamarsh@usg.edu
We are looking for suggestions and feedback.