Straight and narrow, Vol. 3, Issue 12 (Apr. 1, 2010)

The STRAIGHT and NARROW

Volume 3, Issue 12

April 1, 2010

Internal Audit & Compliance, Board of Regents of the University System of Georgia. 404-656-2237

Office of Internal Audit & Compliance's (OIAC) mission is to support the University System of Georgia management in meeting its governance, risk management and compliance and internal control (GRCC) responsibilities while helping to improve organizational and operational effectiveness and efficiency. The OIAC is a core activity that provides management with timely information, advice and guidance that is objective, accurate, balanced and useful. The OIAC promotes an organizational culture that encourages ethical conduct.
We have three strategic priorities:
1. Anticipate and help to prevent and to mitigate significant USG GRCC issues.
2. Foster enduring cultural change that results in consistent and quality management of USG operations and GRCC practices.
3. Build and develop the OIAC team.

From the Chief Audit Officer John M. Fuchko, III
"We have forty million reasons for failure, but not a single excuse. So the more we work and the less we talk the better results we shall get." Rudyard Kipling, "The Lesson," 1899-1902
Readers of this column must certainly connect with Kipling's quote. Indeed, we are faced with managing the ongoing challenges of increased enrollment, decreasing budgets, and a rock-bottom commitment to quality in our core functions of teaching, research, and service. Internal audit's contribution to our mission is to provide USG senior leaders a degree of assurance that we are managing our core risks while assisting the System and individual institutions to better manage those risks. To that end, it is my pleasure to provide our readers with some insight on issues of potential relevance to them.
State Audit Reports
Vice Chancellor Usha Ramachandran provided an initial overview of the state auditor reports for the Fiscal Year 2009 financial statements at the March 2010 Board meeting. The State Auditor's office and I will present these results to the Committee on Internal Audit, Risk, and Compliance at the April 2010 Board meeting. For this meeting, we will provide our traditional audit ratings on all reports (full audits, management reports, and agreed-upon procedures) conducted by the State Auditor's office.
Enterprise Risk Management (ERM)
We recently had the opportunity to visit the University of West Georgia and Augusta State University in order to share our ERM framework, which is under development, with key administrative, faculty, and staff leaders at each institution. Since that time, additional Presidents have requested that we make a presentation at their institution. Please let Scott Woodison (scott.woodison@usg.edu) know if your institution might be interested in having Scott make a presentation on ERM in the University System of Georgia.
Information Technology Security
Effective information technology security continues to be a challenging issue. Our recent presentation to the Board of Regents highlighted the risks we face in this area. However, institutions are not alone when it comes to dealing with these issues. Our Director of Information Technology Audit, Erwin Carrow (erwin.carrow@usg.edu), is a resource that should be contacted if you have IT audit questions. Additionally, the USG Office of Information Security is a key resource that institutions should be contacting for assistance with information technology security issues (http://www.usg.edu/infosec/).


In closing, please check out our "Questions for Leaders" column in this edition. This column is intended to help institutional leaders identify questions that they can ask in order to help increase the level of "accountability" at USG institutions. Please do not hesitate to contact me with questions or concerns at john.fuchko@usg.edu or 404-656-9439.

Inside this issue:
Questions Senior Leadership Should be Asking
New Staff
Know Your BPM!
Generally Accepted Privacy Principles
Conflict of Interest Policy
Save the Date
Purchasing Card


Questions Senior Leadership Should be Asking by John M. Fuchko, III

We promised to publish a "Questions for Leaders" column in this edition of the "Straight and Narrow." Following are questions (grouped by category) that leaders may wish to ask pertaining to the administration of various programs and processes at their institution. Please note that the questions represent areas that we anticipate including in our audit procedures for future engagements.
American Recovery and Reinvestment Act of 2009 (ARRA)
Have you completed the "Have You?" checklist published by the State Accounting Office? Can you document completion of this checklist?
Have you taken steps to comply with each of the requirements detailed in Section 22 of the USG Business Procedures Manual (BPM) (http://www.usg.edu/fiscal_affairs/bpm_acct/bpm-sect22.pdf)?
Accounts Receivable
Does your current process for recording and managing accounts receivable actually include all significant accounts receivable at the institution or do individual departments run their own separate "shadow" systems for managing accounts receivable?
Does your institution follow the due diligence process for collecting and writing off accounts receivable as detailed in Section 10 of the USG BPM (http://www.usg.edu/fiscal_affairs/bpm_acct/bpm-sect10.pdf)?
Conflicts of Interest
Does your institution have defined and documented internal procedures to manage potential/actual conflicts of interest as noted in BOR Policy 8.2.15 (http://www.usg.edu/policymanual/section8/policy/8.2_general_policies_for_all_personnel/#p8.2.15_outside_activities)?
Are employees aware of the conflict of interest policy and associated reporting procedures?
Suggestions for future topic areas should be emailed to Karen LaMarsh at karen.lamarsh@usg.edu.

In addition to "traditional" audit services, OIAC also performs consulting services. This involves working with senior campus management in jointly developing recommendations and potential action plans on an identified issue or challenge. For instance, we are currently working with an institution in integrating new housing operations in day-to-day campus life. This involves developing the proper organization structure, addressing policy and procedure issues, and accounting for revenue and expenditures. If you are interested, please contact John Fuchko at john.fuchko@usg.edu or Mike Foxman at michael.foxman@usg.edu to learn more.

Welcome New Staff to OIAC

Betsy Lessans is interning at the Office of Internal Audit and Compliance. Her well-rounded business experience includes individual tax preparation with H & R Block, office management and bilingual international communication with Usinor Steel, and small business accounts payable for various firms.
She earned a Bachelor of Arts degree in French from Arcadia University and an MBA from Kennesaw State University. Besides being fluent in French, she speaks Spanish. She enjoys listening to music, gourmet cooking, movies and travel.

Chuck Fell, CIA recently joined the Office of Internal Audit and Compliance. For seven years prior to joining our department, he was the Director of Internal Audit at Waffle House, Inc.
Chuck brings 14 years of experience in consolidation accounting, financial reporting, financial analysis, and internal audit with two major utilities in the Atlanta area, Southern Company and AGL Resources.
Chuck is a Certified Internal Auditor and a Florida Gator. He graduated from the University of Florida with a Bachelor of Arts in Classics and subsequently completed a Bachelor of Arts in Accounting and Information Systems from the University of West Florida.

Debaleena Kabiraj is an audit intern at the Board of Regents. She is currently a graduate student at Kennesaw State University graduating with a Masters in Accounting this spring. Debaleena finished her Masters in Commerce specializing in International Business Operations prior to joining Kennesaw.
When she is not working or studying she enjoys reading a good novel or watching a good movie. She also likes listening to classical music both eastern and western.

Joseph Hines, CPA recently relocated to Atlanta from the Philadelphia, PA area. Prior to joining the Office of Internal Audit and Compliance, Joe held various staff and manager positions in internal audit at CIGNA and AEGON Insurance. These positions enabled Joe to travel to many areas in the US as well as to Toronto and Edmonton in Canada and to London, Tokyo and Singapore.
Joe attended Drexel University in Philadelphia, PA and earned a Bachelor of Science in Accounting and a Masters in Business Administration with a concentration in Finance. Joe is also a Certified Public Accountant.

Know your BPM!

The USG Business Procedures Manual was originally created in 1978. This manual serves the following purposes:
Sets forth the essential procedural components that each institution within the University System of Georgia must follow to meet both Board of Regents policy mandates and the statutory or regulatory requirements of the state of Georgia and the federal government.
Provides new financial, business and human resources professionals within the University System of Georgia the necessary information and tools to perform effectively.
Functions as a useful reference document for seasoned professionals at USG colleges and universities who need to remain current with changes in Board of Regents policy and state law.
The Office of Internal Audit and Compliance regularly references the BPM as "criteria" when assessing financial and operational performance. Adherence to the BPM will help ensure that your institution successfully manages its operations and receives a "clean" audit report. Check out the complete BPM at http://www.usg.edu/fiscal_affairs/bpm_acct/ for guidance on USG procedures that will aid you in your daily performance of duties.

Editor's Note: I apologize for not recognizing Lisa Newham, Senior Compliance Officer with the Georgia Student Finance Commission, in our last newsletter. She co-authored the Georgia Student Finance Commission Compliance Team article with Richard M. Hawkshead.

Congratulations to Jeanne Severns for passing the Certified Internal Auditor exam and earning the CIA designation! Also, Jana Briley at GA Southern has successfully passed the Certified Fraud Examiner exam and is now a CFE.

Generally Accepted Privacy Principles

The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. In addition to the mandatory requirements under FERPA, the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) have developed Generally Accepted Privacy Principles (GAPP). Although the adoption of GAPP is voluntary, the principles are a valuable tool in the application and implementation of FERPA requirements.
The Foreword to the Generally Accepted Privacy Principles states:
"An underlying premise to these principles is that good privacy is good business. Good privacy practices are a key component of corporate governance and accountability. One of today's key business imperatives is maintaining the privacy of personal information collected and held by an organization. As business systems and processes become increasingly complex and sophisticated, growing amounts of personal information are being collected. Because more data is being collected and held, most often in electronic format, personal information may be at risk to a variety of vulnerabilities, including loss, misuse, unauthorized access, and unauthorized disclosure. Those vulnerabilities raise concerns for organizations, governments, individuals, and the public in general."
The ten principles include: 1) Management, 2) Notice, 3) Choice and Consent, 4) Collection, 5) Use, Retention and Disposal, 6) Access, 7) Disclosure to Third Parties, 8) Security for Privacy, 9) Quality, and 10) Monitoring and Enforcement.
Please see http://infotech.aicpa.org/Resources/Privacy/Generally+Accepted+Privacy+Principles/* for more information and guidance on privacy and practical ways to use the GAPP framework.
(*Permission granted by AICPA to include url.)

REMINDER:
Did Your Institution Submit the Updated EAP for 2009? BPM 20.4.8 states that your institution's Emergency Action Plan needs to be updated and submitted annually to the Director of Safety and Security Mr. Bruce Holmes.


Conflict of Interest Policy by James F. Winters, III
The purpose of this article is to heighten the awareness on conflict of interest issues and concerns and to instill thoughts on what we as the management team for the University System of Georgia can do to uncover and address the risks that are present pertaining to conflict of interest.
Since I joined the Office of Internal Audit and Compliance team, I have received many requests asking for guidance and clarification on policies and procedures. One topic that has recently surfaced is an interest in "Conflict of Interest" concerns. I believe this is the result of the recent high profile conflict of interest violations, additional scrutiny by the public including the government (e.g., the new IRS form 990), additional regulations relating to research, and the pressures created by the current economic environment.
Conflict of Interest Principles - Employees
For colleges and universities within the University System of Georgia, conflict of interest concerns are directed toward our employees and our institutions' foundation boards of directors. The underlying principles of a conflict of interest policy should be followed by everyone in their normal course of doing business. "The University System of Georgia is committed to the highest ethical and professional standards of conduct in pursuit of its mission to create a more educated Georgia. Accomplishing this mission demands integrity, good judgment and dedication to public service from all employees. Our Statement of Core Values and Code of Conduct are intended to build, maintain and protect public trust, recognizing that each member of the USG community is responsible for doing his/her part by upholding the highest standards of competence and character." References on conflict of interest are threaded throughout our Policy Manual, specifically in section 8.2.13.2 titled "Appearance of Conflict of Interest" and in section 8.2.15 "Outside Activities." Our ethics policy, Section 8.2.20 "University System of Georgia Ethics Policy," is embedded with connections to conflict of interest overtones.
As the management team we need to be highlighting the awareness of conflict of interest issues/concerns. This would include: Are employees aware of conflict of interest policies? How is a potential or actual conflict of interest reported? How is a potential or actual conflict of interest managed? How are the institutions tracking and managing their conflict of interest program? Are employees aware of the consequences of violations to our conflict of interest policy?
In the future, the focus on this topic will be increased because of the sensitive nature of the events that surround it. The Office of Internal Audit and Compliance has scheduled an audit on conflict of interest for the fiscal year beginning July 1, 2010.
Conflict of Interest Principles - Foundations
Our universities and colleges do not have governing boards but their respective foundations do. The Association of Governing Boards (AGB) approved a set of principles that are intended to provide guidance on standards and practices for boards. The following is a summary of the twelve guiding principles.

Conflict of Interest Policy, contd. by James F. Winters, III
1. "Each board must bear ultimate responsibility for the terms and administration of its conflict of interest policy." It is the responsibility of the boards to manage and monitor their own governance standards.
2. "Boards must be sensitive to both actual and apparent conflicts. If reasonable observers, having knowledge of all the relevant circumstances, would conclude that the board member has an actual or apparent conflict of interest in a matter related to the institution, the board member should have no role for the institution in the matter."
3. "When a board member is barred by actual or apparent conflict of interest from voting on a matter, ordinarily the board member should not participate in or attend board discussion of the matter, even if to do so would be legally permissible." Boards should have documented procedures on how to handle conflicts of interest and should document the conflicts and any exceptions in the board meeting minutes.
4. Non-financial conflicts of interest need to be identified and reviewed. Examples are: the subjects of political gain, unmerited preference in hiring, student admission decisions, excessive executive compensation, and other conflicts that can compromise the integrity of the board.
5. Boards should conduct thorough annual reviews of the conflict of interest policies, ensure adherence to the policy, and document any exceptions.
6. Board members should disclose annually, through written documentation, any personal actual or perceived conflict of interest.
7. Boards should have the highest standards in the policy and have financial thresholds for mandatory disclosures.
8. Board members should disclose all related actual or perceived conflicts of interest, including interests involving members of a board member's immediate household.
9. Non-board members should disclose annually all actual or perceived conflicts of interest. This would include board committee members, officers of the organization, and highly paid staff members.
10. Boards should consider personal use of information obtained, including investment advice.
11. Boards should consider whether investment committees should be held to a higher standard.
12. Boards should adopt the recommendations and be consistent with state and federal law requirements.
Boards need to take ownership, assign reviews, and use an audit committee to monitor the conflict of interest policy. Board members have a duty to act in the best interests of the institution and to serve the trust of the public. Board members should maintain a sense of integrity and ethical awareness in their actions.

References:
8.2.13.2 Appearance of Conflicts of Interest: http://www.usg.edu/policymanual/section8/policy/8.2_general_policies_for_all_personnel/#main
8.2.20 University System of Georgia Ethics Policy: http://www.usg.edu/policymanual/section8/policy/8.2_general_policies_for_all_personnel/#p8.2.20_university_system_of_georgia_ethics_policy
8.2.15 Outside Activities: http://www.usg.edu/policymanual/section8/policy/8.2_general_policies_for_all_personnel/
The Association of Governing Boards (AGB): http://www.agb.org
AGB Board of Directors' Statement on Conflict of Interest: http://www.agb.org/news/2009-12/agb-board-directors-statement-conflict-interest

Save the Date!!

Friday, April 30, 2010, 11:00 AM to 2:30 PM, KSU Center
Institute of Internal Auditors (IIA) and Kennesaw State University Free Student Day Event and Student Career Fair!!
Kick-off 2010 with an internship or a job!!!! Huge Student Day Event designed for Auditing, Accounting and Finance majors at Universities and Colleges throughout the State of Georgia. All juniors, seniors and grad students looking for internships or full-time entry level positions should come to this event. This event is free to all students and faculty and includes a free buffet lunch.
Student Day Event and Career Fair Agenda (April 30, 2010, 11:00 AM to 2:30 PM, KSU Center at Kennesaw State University):
11:00 AM to 11:10 AM: Opening remarks and presentation of gift from IIA Atlanta Chapter to KSU (Dave Bilko, President, IIA Atlanta Chapter)
11:10 AM to 12:00 Noon: Audit Career Panel
11:30 AM to 1:30 PM: Buffet Lunch and Networking
11:00 AM to 2:30 PM: Career Fair, including several of the largest employers in the Atlanta metro area
Location: Kennesaw State University Center, conveniently located next to I-75 at Exit 271, with plenty of free parking
Questions: Contact Nancy Thomas, Executive Administrator, IIA Atlanta Chapter (404.401.2277, atlantaiia@comcast.net) or Fred Masci, Chair of Academic Relations Committee (770.779.6302, fred.masci@prgx.com)


Purchasing Card (P-Card) Internal Controls Reminder by Michael J. Foxman

As a reminder, please be aware of the various internal control measures that should be included in the administration of your institution's P-Card program. The responsibilities are detailed in USG Business Procedures Manual (BPM) 3.3.9 Purchasing Card Program Effectiveness and Efficiency. Among other requirements, on an annual basis 1) review the necessity of cards issued to employees and cancel those cards that are not needed, and 2) perform an independent review of a sample of P-Card purchases. See below for the listing of controls that are detailed in BPM 3.3.9.
1. Formally designate P-Card roles and responsibilities to include P-Card program administration, approving officials, and cardholders.
2. Formally identify job positions within the institution that would require the use of a P-Card.
3. Develop a training manual on the use of P-Cards that shall instruct cardholders and approving officials on the maximum value utilization of P-Cards, applicable policies and procedures, and purchasing rules that may impact P-Card usage.
4. Require initial and refresher training for both cardholders and approving officials. Failure to participate in initial training shall result in non-issuance of the P-Card, and failure to participate in refresher training shall result in card suspension until the training is completed.
5. Review not less than annually all P-Cards issued to employees, and eliminate P-Cards for employees who demonstrate consistently low usage of P-Cards or no longer have a demonstrated business need for the P-Card.
6. Limit the number of cardholders for which an approving official may be responsible to a reasonable number over which the approving official may exercise sufficient oversight. It is recommended that the number of cardholders for which an approving official is responsible not exceed ten (10) cardholders.
7. Ensure that a sample of P-Card purchases is independently reviewed, at least annually, by the P-Card program administrator, campus internal auditor, or other trained personnel independent of the approving official and cardholder under review.
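Three of the controls above (items 5, 6 and 7) are quantifiable, so a P-Card administrator or campus auditor can test them with a short script run against an extract of cardholders and transactions rather than by inspection. The script below is an added example written for this article; it is not USG code or a DOAS tool. The record layouts, the one-year review window, the "fewer than three purchases" low-usage threshold, the review date and all of the sample data are assumptions constructed for illustration.

```python
"""Control tests for three BPM 3.3.9 P-Card requirements (items 5, 6 and 7).

Added example, not USG code. The record layouts, the 12-month review window
and the "fewer than 3 transactions" low-usage threshold are assumptions made
for illustration; the sample data below is constructed, not a real extract.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta
import random

MAX_CARDHOLDERS_PER_APPROVER = 10   # BPM 3.3.9 item 6 recommends no more than ten
LOW_USAGE_THRESHOLD = 3             # assumption: fewer than 3 in-window purchases is "low usage"
REVIEW_WINDOW_DAYS = 365            # assumption: the annual review looks back one year
REVIEW_DATE = date(2010, 3, 31)     # assumption: the "as of" date for this review

# Constructed cardholder records: (card_id, employee, approving_official, issued).
CARDHOLDERS = [("C%03d" % i, "Employee%02d" % i, "Brown", date(2008, 7, 1))
               for i in range(1, 12)]                           # eleven cards under one approver
CARDHOLDERS += [("C012", "Lopez", "Green", date(2008, 7, 1)),
                ("C013", "Nguyen", "Green", date(2010, 2, 1))]  # issued inside the review window


def _txns(card, n, first_id):
    """Build n constructed monthly transactions: (txn_id, card_id, posted, amount, merchant)."""
    return [("T%04d" % (first_id + k), card, date(2009, 4, 1) + timedelta(days=30 * k),
             100.0 + k, "Office Supply Co") for k in range(n)]


TRANSACTIONS = _txns("C001", 5, 1) + _txns("C002", 1, 6)   # C002: one in-window purchase
TRANSACTIONS.append(("T0099", "C002", date(2009, 1, 15), 250.0, "Office Supply Co"))  # before window
for n, card in enumerate(["C004", "C005", "C006", "C007", "C008", "C009", "C010", "C011", "C012"]):
    TRANSACTIONS += _txns(card, 4, 100 + 10 * n)
TRANSACTIONS += _txns("C013", 1, 200)                       # new card, one purchase so far
# C003 has no transactions at all.


def approver_span_exceptions(cardholders=CARDHOLDERS, limit=MAX_CARDHOLDERS_PER_APPROVER):
    """Item 6: approving officials responsible for more cardholders than the limit."""
    counts = Counter(approver for _, _, approver, _ in cardholders)
    return {approver: n for approver, n in counts.items() if n > limit}


def low_usage_cards(as_of=REVIEW_DATE, cardholders=CARDHOLDERS, transactions=TRANSACTIONS,
                    window_days=REVIEW_WINDOW_DAYS, threshold=LOW_USAGE_THRESHOLD):
    """Item 5: cards open for the whole window with fewer than `threshold` purchases in it.

    Cards issued inside the window are skipped: they have not yet had a full
    period in which to demonstrate (or fail to demonstrate) a business need.
    """
    start = as_of - timedelta(days=window_days)
    in_window = Counter(card for _, card, posted, _, _ in transactions if start < posted <= as_of)
    return sorted(card for card, _, _, issued in cardholders
                  if issued <= start and in_window[card] < threshold)


def independent_review_sample(reviewer, seed, cardholders=CARDHOLDERS,
                              transactions=TRANSACTIONS, per_card=1):
    """Item 7: a reproducible sample for independent review, `per_card` purchases per card.

    Cards where the reviewer is the cardholder or the approving official are
    excluded, because the review must be independent of both. Record the seed
    in the workpapers so the same sample can be regenerated later.
    """
    conflicted = {card for card, employee, approver, _ in cardholders
                  if reviewer in (employee, approver)}
    by_card = defaultdict(list)
    for txn in transactions:
        if txn[1] not in conflicted:
            by_card[txn[1]].append(txn)
    rng = random.Random(seed)
    sample = []
    for card in sorted(by_card):            # fixed iteration order keeps the draw reproducible
        pool = sorted(by_card[card])
        sample.extend(rng.sample(pool, min(per_card, len(pool))))
    return sample


if __name__ == "__main__":
    print("approvers over limit:", approver_span_exceptions())
    print("low-usage cards:", low_usage_cards())
    for txn in independent_review_sample("Green", seed=2010):
        print("review:", txn)
```

On the constructed data the span check flags the one approving official with eleven cardholders, the usage check flags C002 (one purchase in the window, the other predates it) and C003 (no purchases) while leaving the newly issued C013 alone, and the sample for reviewer Green excludes the two cards Green approves. The excluded-reviewer logic is the part worth keeping even if the thresholds change: a sample drawn without it can silently hand an approving official their own cardholders to review.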
More information about P-Card administration can be found in the USG BPM: http://www.usg.edu/fiscal_affairs/bpm_acct/bpmsect03.pdf.
The Georgia Department of Administrative Services offers process improvement tools that can be used for proper oversight of purchasing transactions and activities. See the Process and Performance page at http://doas.ga.gov/statelocal/spd/process/pages/home.aspx.

Board of Regents of the University System of Georgia Office of Internal Audit & Compliance 270 Washington Street, SW Atlanta, GA 30334-1450
Phone: (404)656-2237
Fax: (404) 463-0699
"Creating A More Educated Georgia"
www.usg.edu

We're on the Web! See us at: http://www.usg.edu/audit/

Ask the auditor: If you have a control or ethics question that has been bothering you, it is a good bet someone else in the system is wondering the same thing. We invite you to send your question to Karen.lamarsh@usg.edu and we may feature it in the next or future issues of the Straight & Narrow.
Any other comments or questions? Contact Karen LaMarsh at Karen.lamarsh@usg.edu
We are looking for suggestions and feedback.