The STRAIGHT and NARROW
Volume 3, Issue 16
May 1, 2011
Internal Audit & Compliance, Board of Regents of the University System of Georgia. 404-656-2237
Office of Internal Audit & Compliance's (OIAC) mission is to support the University System of Georgia management in meeting its governance, risk management and compliance and internal control (GRCC) responsibilities while helping to improve organizational and operational effectiveness and efficiency. The OIAC is a core activity that provides management with timely information, advice and guidance that is objective, accurate, balanced and useful. The OIAC promotes an organizational culture that encourages ethical conduct.
We have three strategic priorities:
1. Anticipate and help to prevent and to mitigate significant USG GRCC issues.
2. Foster enduring cultural change that results in consistent and quality management of USG operations and GRCC practices.
3. Build and develop the OIAC team.
Inside this issue:
From the Chief Audit Officer
Presenting: The Georgia Health Sciences University Office of Internal Audit
Rogue Bank Accounts: Why vs. Why Not?
New University of Georgia Audit Rating System
SACS & Internal Audit: Different Teams, Same Goal
Spotlight On New Employees
Save The Date
Being a Leader Regardless of Level is Key To Success
From the Chief Audit Officer John M. Fuchko, III
The Office of Internal Audit and Compliance recently updated its rolling audit plan. This information should be useful to institutions scheduled for an engagement; however, the issues identified for audit review are potential audit issues at all institutions and so we have also included the issues in this forum.
Following is a list of scheduled assurance (traditional audit) and consulting (advisory services) engagements. This list is subject to change.
Near-Term (starts May 2011 - October 2011)
Academic Program Review process (assurance)
Albany State University (assurance - PPV audit)
Armstrong Atlantic State University (assurance)
Augusta State University (assurance - PPV audit)
Intellectual Property Management (assurance)
North Georgia College and State University (consulting)
USG Policy and Procedure Implementation (consulting)
Waycross College (consulting)
Medium-Term (starts November 2011 - March 2012)
College of Coastal Georgia (assurance)
Columbus State University (consulting - information technology)
Course Planning and Throughput (consulting, system-wide)
Macon State College (assurance)
Savannah State University (assurance)
Southern Polytechnic State University (assurance)
Valdosta State University (assurance - PPV audit)
Long-Term (starts April 2012 - August 2012)
Atlanta Metropolitan College (assurance)
Gainesville State College (assurance)
Georgia Highlands College (assurance)
Middle Georgia College (assurance)
Skidaway Institute of Oceanography (assurance)
University of West Georgia (assurance - PPV audit)
Following are some of the areas that may be included in a traditional audit engagement. After each area, we list several questions that we may focus on as part of that audit area; please note that this is only a partial list of questions. Many of these issues have been discussed in previous newsletter articles, which should be referred to for a more complete list of potential audit areas.
Accounts Receivable: Are all institutional accounts receivable properly recorded? Are receivables collected in a timely manner? Are student tuition and fees collected in accordance with the Business Procedures Manual requirements? Are uncollectible receivables written off in a timely manner?
Cashiering: This audit area will consist of an unannounced cash count. This cash count may take place at any USG institution, including those not listed on the audit plan.
Fraud Identification: What controls has the institution implemented to prevent, detect, and report fraudulent activities? Are potential frauds reported to the Office of Internal Audit and Compliance as required?
Grants & Contracts Monitoring/Oversight: What controls are in place to ensure compliance with grantor and contracting requirements? Does the institution comply with OMB Circular A-21? Are effort reports completed as required? Does the institution perform required sub-grantee monitoring?
Information Technology Security & Governance: Does the institution protect its information systems? Is sensitive and/or confidential information identified and properly protected? Do the right people have the correct levels of access to our information technology systems? Is there an IT strategic plan? Is the IT organization structured to best support the strategic and transactional operations of the institution? Are key IT processes defined, documented, and periodically reevaluated?
Implementation of Cost Saving Efforts: Has the institution implemented a consistent and documented process to identify and implement cost savings initiatives?
Major Repair and Rehabilitation (MRR) Prioritization: Are MRR funds used in accordance with stated plans and priorities?
Strategic Planning Implementation: Are institutional strategic plans coordinated with the USG strategic plan? Are core strategic plan responsibilities assigned to named personnel? Are strategic plan measures tracked?
Student Fees Policy Implementation and Transactions: Does the institution maintain a properly formed student fee committee(s) for all institutional mandatory fees? Has this committee reviewed the budget of, proposed increases in, and creation of new mandatory fees? Are students appointed by the institution's student government? Is the committee at least 50% students?
Tuition and Fees (Proper Classification, Admissions, etc.): Has the institution implemented the requirements of Board Policy 4.1.6, 4.3.2.3, and 4.3.4? Does the institution comply with the University System of Georgia Manual for Determining Tuition Classification and Awarding Out-of-State Tuition Waivers?
Annual MSRB Filing (Public Private Ventures): Is the Annual Filing to the Municipal Rulemaking Board accurate, timely and complete?
Conflict of Interest (Public Private Ventures): Is the PPV Foundation's Conflict of Interest policy consistent with the Association of Governing Board's (AGB) Board of Directors' Statement of Conflict of Interest (http://www.agb.org/news/2009-12/agb-board-directors-statement-conflictinterest)? Is the PPV foundation's conflict of interest policy reviewed annually and is this review documented in the Board minutes? Are conflict of interest disclosures required and are reported conflicts managed? Does the institution properly manage conflicts in those instances where institutional officials may be perceived as having dual responsibilities, i.e., to the institution and to the Foundation?
Bond Financial Information (Public Private Ventures): Does the institution monitor the original bond pro forma against actual performance? Is this information reported to the System Office insofar as required?
Presenting: The Georgia Health Sciences University Office of Internal Audit
Meet The Crew
Mike Hill, CPA, CFE, CCEP
Chief Audit Officer
Began employment at GHSU -- July 1999
Nineteen years of senior level leadership experience (12+ years at a medical research university/ academic health center and 7+ years at a Division I athletic university), 2+ years of senior level audit experience, and 5+ years of investigative audit experience.
Certified Public Accountant, Certified Fraud Examiner, Certified Compliance and Ethics Professional
INFORMATION ABOUT GHSU & INTERNAL AUDIT
Georgia Health Sciences University (GHSU), formerly the Medical College of Georgia, founded in 1828, is the state's health sciences university. GHSU is home to the 13th oldest continuously operating medical school in the US and the third oldest in the southeast. GHSU has over 2400 students in five colleges, 900+ faculty, approximately 3500 university and 4000 clinical employees. GHSU's clinical facilities and activities are managed by MCG Health System which includes: MCG Health Medical Center (540 beds); MCG Health Children's Medical Center; MCG Health Cancer Center; and MCG Health Physicians' Practice Group. Enterprise-wide expenses total $1.1 billion.
On January 1, 2011, the internal audit functions for the university and the clinical activities were integrated forming one office, the Office of Internal Audit (IA). IA is responsible for the enterprise-wide internal audit functions, including both GHSU and the MCG Health System. During the integration process, the compliance and risk management functions for the university and clinical activities were separated and an enterprise-wide office was created, the Office of Compliance and Enterprise Risk Management. Both of these offices report directly to the president of the university and CEO of the Health System. At this time, IA consists of a chief audit officer, five staff auditors and one administrative support position. The office currently has one IT audit position vacancy.
Office Contact Information
Phone: (706) 721-2661 E-mail: INTERNAL_AUDIT@georgiahealth.edu Web Site: http://www.georgiahealth.edu/audits/
Crystal Corey, CCSA - Audit Manager. Began employment at GHSU - May 2001. Previously an Internal Auditor with the Board of Regents, University System of Georgia (1998-2001); 12+ years auditing experience. Certified in Control Self-Assessment.
Neha Bhavsar - Senior Auditor. Began employment at GHSU - July 2010. Previously a Compliance Manager with Kaiser Permanente, Oakland, CA and an Auditor with the Government Accountability Office in Washington, DC; 10+ years audit & compliance experience.
LaQuenta Clarke - Senior Auditor. Began employment at MCG Health as an Auditor - October 2006. Previously a Client Relations, Billing and Compliance Manager for MEDAC Inc., preceded by 11 years of combined healthcare finance and HIMS experience.
Will Barnes, CPM - Auditor. Began employment at GHSU - January 2008. Previously with the South Carolina Department of Revenue (retired) as Tax Auditor, Audit Supervisor and Regional Audit Manager; 32+ years professional auditing experience. Certified Public Manager (SC).
Sheryl Brown, CISA, CGEIT, CDP - Information Systems Auditor. Began employment at MCG Health as an IT Auditor - November 2005. Previously with the Thermal Ceramics/Morgan LTD as IT Project Manager, Applications Manager, additional IT professional positions; 32+ years professional IT experience, 5+ years IT auditing experience.
Lisa Kedigh - Administrative Assistant III. Joined Office of Internal Audit - September 2006. Previous GHSU work experience: College of Nursing (16 years); 20+ years of administrative support experience.
Rogue Bank Accounts: Why vs. Why Not?
Did you Know?: Off-campus, unauthorized bank accounts using the institution's name and tax ID number can and do exist. Transactions from these accounts are not recorded on the general ledger and the cash balance is not included on the balance sheet. However, the funds belong to the educational institution!
Why: A department, student organization, or even an individual staff or faculty member may consider opening a bank account as an expeditious way to pay vendors. A check can be written without the extra effort of check requests or purchase orders. Purchases can be made for otherwise un-allowed items. Documentation requirements are less stringent than those set forth by the accounting office or totally non-existent.
Why not: Unauthorized separate bank accounts are prohibited not only by generally accepted accounting principles but also by board policy and the rules and regulations of the State of Georgia Office of Treasurer and Fiscal Services and the state Depository Board (USG BPM, 9.1).
Prevention: Department heads, budget managers, or any person/group running events and/or collecting cash should be aware of the policy prohibiting the establishment of unauthorized bank accounts. Funds collected for staff-sponsored events are considered university funds and must be deposited following university rules, e.g., at the Bursar's Office. Examples include fees collected for use of University facilities, concession sales at regularly held intramural games, and monies collected for other university-sponsored events.
NOTE: Monies collected for fundraisers should be deposited in the appropriate foundation accounts.
Detection: Bank accounts, not recorded anywhere on the University's official records, are difficult to detect. One way is to look at activities where participants are charged a fee or where food or merchandise is sold. Verify the deposit receipts from the activities to assure the funds are placed into an authorized account and recorded on the General Ledger of the University.
Make departmental inquiries regarding petty cash accounts. If the revenue differs from recorded deposits, find out why.
New University System of Georgia Audit Rating System
By Michael Foxman
In November 2010, the Audit Ratings Committee (ARC) was formed at the request of John Fuchko, III, Chief Audit Officer. Chaired by Michael Foxman, Director of Internal Audit, the ARC included internal auditors from six different institutions within the university system. The ARC was tasked with evaluating the effectiveness of the current rating system and was asked to provide recommendations for change, as appropriate.
While not universal, it is common for internal audit reports to provide some form of qualitative/quantitative rating evaluating the subject matter of an audit. Ratings can be attributed to individual findings and/or to the overall subject of review. The University System of Georgia (USG) has used a published rating system for at least the last decade.
The ARC conducted surveys and interviews of stakeholders at the campus level (institutional management, including presidents, chief business/academic/information officers and others), and within the Board of Regents (Regents, Chancellor and various vice chancellors), to identify the best structure for ratings. It was important to recognize that different stakeholders may have different requirements. It was equally important to understand what each of these stakeholders requires from audit reports. Additionally, the ARC considered recently published professional guidance on internal audit opinions.
The ARC made the following recommendations with an anticipated effective date of July 1, 2011. The finalized set of recommendations will be developed in early May for input from all USG Presidents, CBOs, and campus audit directors.
Uniformity: Although each USG institution is unique, there is benefit derived when there is uniformity in applying the same methods on a system-wide basis. A rating system that employs the same well-defined terminology facilitates stakeholders in accurately evaluating risks associated with findings. Uniformity will also assist the Board of Regents' management in conducting high-level assessments of audit issues throughout the system as a whole.
Simplicity: The audit rating structure should be simple. Fewer categories of ratings are preferable.
Ready Comprehension: The ratings format should be readily understood by all readers of the report, whether the reader is a mid-level manager expected to implement corrective action, an institutional President, or a Regent of the university system.
Taking into consideration the need for uniformity, simplicity and comprehension, the ARC recommended three rating categories, the final language of which is under development:
1. No Issue (No Findings in the Area Reviewed)
2. Significant Issue
3. Material Issue
Observations that do not warrant one of these ratings should be included in a Management Letter.
The ARC also recommended eliminating an overall quantitative score for an engagement. Audit departments may opt to provide a written opinion summarizing the overall results of the audit engagement. Consistent with the revised Institute of Internal Auditors' professional standards, the scope and nature of the written opinion should be discussed with the auditee prior to initiating the engagement.
SACS & Internal Audit: Different Teams, Same Goal
By Natalie Blackwell, Chief Campus Auditor, Georgia Highlands College and Dalton State College
Part I: Introduction to Who, What, and When
Let's start with a quiz: no calculator, workpaper, or spreadsheet necessary. You won't even need a pencil or a smartphone. Here goes:
Who is SACS and what do they do?
Where do USG schools stand in the SACS reaffirmation cycle?
Who oversees the SACS reaffirmation process?
Could Internal Audit be of assistance?
What aspects of the college does the process impact?
Who has input into the process and how is that information obtained?
What are the consequences of sanctions or the loss of accreditation?
If you don't have the answers to these questions, your first step is to access http://www.sacscoc.org/inst_forms_and_info1.asp. The SACS reaffirmation process is critical to the continued education mission of USG and each affiliated institution. The SACS group, while external to the colleges and seemingly an imposing force, has the same core objective as USG internal audit: evaluating effectiveness in achieving objectives. The risks involved in SACS reaffirmation are the same risks that Internal Audit seeks to assess. In partnership with institutional effectiveness, however, Internal Audit can provide a preliminary assessment, to allow some of the institutions to make final corrections prior to the scrutiny of the SACS reviewers.
Let's back up to answer the first two questions: The SACS (Southern Association of Colleges and Schools) reaffirmation process examines a campus's adherence to the "Principles of Accreditation: Foundations for Quality Enhancement". To maintain accreditation, a school must provide its educational and strategic objectives, illustrate the resources and capabilities related to those matters, and demonstrate appropriate success in achieving goals and milestones. The SACS Committee on Colleges Board of Trustees, based on recommendations from review committees, makes decisions on an institution's accreditation status, whether it is reaffirmed, sanctioned, denied, or some combination of those actions.
Between 2011 and 2014, twenty of the thirty-four accredited institutions in the USG will be up for reaffirmation, which occurs every ten years at every accredited campus in the eleven-state coverage area. The SACS process provides a "Reaffirmation Track" or timeline that starts the college's process a full two and a half years prior to the Board of Trustees meeting in which decisions are announced. Thus, over half of USG campuses are awaiting reaffirmation decisions, participating in reviews, preparing documentation, or will start the process within the next twelve months. These timelines, along with handbooks and a plethora of information from which this article was compiled, can be found at: http://www.sacscoc.org/inst_forms_and_info1.asp.
Additional areas of this self-assessment warrant discussion, including benefits, intensity, and the ramifications of a review-gone-bad. This dialogue will continue in subsequent newsletters, when we will discuss the review itself, the campus information it covers, and the risks associated with a negative result.
Spotlight On New Employees
Ted Beck is the latest addition to the Office of Internal Audit and Compliance. He has over five years of experience with state government as an analyst with the Governor's Office of Planning and Budget. He earned a Masters of Public Administration from the Andrew Young School of Policy Studies at Georgia State University, and a Bachelor's in Journalism from the University of Georgia.
Daniel Meek has joined the Office of Internal Audit and Compliance as a Summer Intern. He is a senior at Kennesaw State University, graduating in May with a BBA in Accounting from the Coles College of Business. Upon graduation, he will begin preparing for the CIA exam. He enjoys the different challenges faced within internal auditing and endeavors to add value to OIAC. Daniel is confident the experience gained from this internship will help him grow as an internal auditor and will be an asset in building his career.
Natalie E. Blackwell, CPA, CGFM, graduated from The Florida State University in 2000 with an Honors B.S. in Accounting, and started her career in public accounting the same year. She received her CPA certification in May 2002, and her CGFM in July 2010. Natalie has worked in public accounting, private industry, and municipal government, covering everything from budget forecasts to individual taxes over the past 11 years. She joined the BOR Internal Audit group in 2011 as Chief Campus Auditor for Dalton State College and Georgia Highlands College.
SAVE THE DATE!
Co-sponsored with the Association of College and University Auditors
Register Today! 100 Seat Capacity!
GEORGIA 2011 CONFERENCE FOR COLLEGE AND UNIVERSITY AUDITORS
Georgia Capitol Hill Campus
July 25-26, 2011
CONFERENCE PROGRAM
16 CPE credits (Program/Directions available by mid-May at http://www.usg.edu/audit/)
$125 registration fee, if postmarked on or before June 30, 2011
REGISTRATION PROCESS
Email registration info (name, title, organization, phone, email, emergency contact) to: Tracy Pinnock, Conference Administrator; tracy.pinnock@usg.edu; (404) 656-2231
Make check payable to Board of Regents of the University System of Georgia; For: OIAC - Georgia 2011 Conference; mail check & a copy of above registration info to:
Board of Regents Attn: Office Resources, Suite 7096
270 Washington Street, SW Atlanta, Georgia 30334
RECOMMENDED LODGING
HOLIDAY INN ATLANTA CAPITOL CONFERENCE CENTER; Call (404) 591-2006
Special daily rates: $109.00 (room) and $10.00 (parking), if reserved before July 4th
BRAVES VS PIRATES GAME
Tickets available in Terrace Reserved @ $5 each on Monday, July 25th at 7:10 PM
Conference attendees and family are welcome! For seats together, email Jim Winters (Jim.Winters@usg.edu) by May 10. After May 10, email Alex Ingle (Alex.Ingle@braves.com) for tickets (random seating)
Being a Leader Regardless of Level is Key To Success
Manager | Leader
Maintains status-quo | Welcomes change & uncertainty
Works in the system | Works on the system
Reacts | Creates opportunities
Controls risks | Turns risks into opportunities, if possible
Enforces organizational rules | Changes organizational rules
Seeks and then follows direction | Provides a vision and strategic alignment
Controls people by pushing them in the right direction | Motivates people by addressing their professional needs
Coordinates effort | Inspires achievement, energizes people
Provides instructions | Coaches followers, creates self-leaders, & empowers them
Are YOU A Leader Or Manager?
Author Unknown. Revised by: Michael Foxman & Sandy Evans
Board of Regents of the University System of Georgia
Office of Internal Audit & Compliance
270 Washington Street, SW
Atlanta, GA 30334-1450
Phone: (404)656-2237
Fax: (404) 463-0699
"Creating A More Educated Georgia"
www.usg.edu
We're on the Web! See us at: http://www.usg.edu/audit/
Ask the auditor: If you have a control or ethics question that has been bothering you, it is a good bet someone else in the system is wondering the same thing. We invite you to send your question to sandra.evans@usg.edu and we may feature it in the next or future issues of the Straight & Narrow.
Any other comments or questions? Contact Sandra Evans at sandra.evans@usg.edu
We are looking for suggestions and feedback.