The STRAIGHT and NARROW
Volume 3, Issue 17
December 1, 2011
Internal Audit & Compliance, Board of Regents of the University System of Georgia. 404-656-2237
Office of Internal Audit & Compliance's (OIAC) mission is to support the University System of Georgia management in meeting its governance, risk management and compliance and internal control (GRCC) responsibilities while helping to improve organizational and operational effectiveness and efficiency. The OIAC is a core activity that provides management with timely information, advice and guidance that is objective, accurate, balanced and useful. The OIAC promotes an organizational culture that encourages ethical conduct.
We have three strategic priorities:
1. Anticipate and help to prevent and to mitigate significant USG GRCC issues.
2. Foster enduring cultural change that results in consistent and quality management of USG operations and GRCC practices.
3. Build and develop the OIAC team.
Inside this issue:
From the Chief Audit Officer ... 1
Information Technology Governance--Important Yesterday, Critical Today! ... 2
NIH Releases Final Financial Conflict of Interest (FCOI) Rule ... 3
Significant Changes in Government Fund Balance Reporting ... 4
Human Resources Considerations ... 5
Benford's Law & Spending Patterns ... 6
Heed Little Reminders Avoid Big Problems ... 7
From the Chief Audit Officer John M. Fuchko, III
We are Here to Help!
Auditors do more than audit. Gone are the days when the sole focus of an internal auditor was to count cash, validate accounts receivable, and assess whether duties are properly segregated. These activities are still part of the audit function ... but it is so much more!
The Institute of Internal Auditors (IIA) is the professional association for internal auditing and the promulgator of internal audit professional standards. The IIA defines internal auditing as "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."
What does this mean? For the purposes of the article, I would like to focus on the word "consulting" in light of another key audit word, i.e., client.
In a traditional internal audit or "assurance" activity, our primary client at the System-level is the Board of Regents, the Chancellor, and the institution president. We attempt to provide those parties assurance ... that governance processes are working effectively, efficiently, and ethically ... that risks are being identified and mitigated ... that controls are effective ... that laws, policies, and contracts are being complied with ... and so on. In the course of performing our assurance/audit engagement, we also provide written recommendations that we believe will help the audited entity to improve operations. However, our scope is driven by where our client and the internal audit staff see risk.
Consulting activities are different. In a consulting activity, we consider our primary client to be the process owner or organizational leader that requested the engagement. Our scope is driven by the client's needs and the deliverable is not an audit report. Rather, our deliverable can range from a written consulting report to a process flowchart to an organizational chart. The deliverable and the scope are defined in a written charter signed by the audit team and the institution president.
Our office strives for approximately a 30/70 split between consulting and assurance engagements. Any USG institution may request a consulting engagement through a letter from the president to my office. A consulting engagement is a cost-effective alternative to hiring an outside firm and helps internal audit to meet its mission of supporting "the University System of Georgia in meeting its governance, risk management, compliance, and internal control responsibilities while helping to improve organizational and operational effectiveness and efficiency."
We hope to be able to partner with you!
Georgia 2011 Conference for College and University Auditors ... 8
Information Technology Governance - Important Yesterday, Critical Today
By Matthew Harrell & Erwin (Chris) Carrow
Efficient governance is key for an institution to operate effectively. One part of governance that is often overlooked is Information Technology (IT) governance. According to the Institute of Internal Auditors' International Professional Practices Framework, "The internal audit activity must assess whether information technology governance of the organization sustains and supports the organization's strategies and objectives." IT governance refers to the way options are prioritized and decisions are made relative to Information Technology.
In essence, effective IT governance is about ensuring that information technology is meeting the institution's needs while using resources effectively. USG Information Technology internal audits have noted the challenges associated with understanding the underlying governance framework needed to effectively implement Enterprise Resource Planning (ERP) applications (e.g., Banner, PeopleSoft, ADP).
There are many practices that comprise effective IT governance. One of these practices is to identify "Business Owners," "Trustees," and "Stewards" for ERP applications. These roles are defined as follows:
1. Business Owners - Functional department leaders who determine the operations of their department and how the application(s) is applied. (Example: The owners for BANNER are typically the Bursar, Registrar, Financial Aid Director, and the Admissions Director);
2. Trustees - The personnel entrusted with the day-to-day tasks of data input, analysis, or reporting; and,
3. Stewards - Technical support and technical leaders (IT personnel).
The Information Technology department exists to support the institution's needs and, in particular, the business owners' needs. In general, business owners define their needs and expectations with technical advice and assistance from the IT personnel or "stewards."
In Information Technology audits, the auditors strive to answer the following questions: Do IT applications support institutional needs and perform at an acceptable level? Are risks to IT systems being identified and managed, e.g., are we taking steps to ensure that the controls in place are being effectively monitored? Are resources (money, people, time, applications, etc.) being effectively managed, and is the overall performance of the IT department being managed?
For example, during an information security audit, the auditors will determine whether business owner(s):
a) Ensure that job/position descriptions justify users' level of access, and that the requested access is applicable to the job function and does not violate segregation of duties;
b) Ensure that only authorized users can access a given application and that the ability to execute transactions in those applications is limited to what is required to perform assigned duties;
c) Ensure that user access is periodically reviewed and is still needed;
d) Ensure that there is a business reason and management approval for any non-standard request (e.g., someone in Financial Aid needs access to Registrar screens: the Director of Financial Aid must give a business justification for this access and the Registrar must approve it);
e) Ensure that the process of granting and removing access is documented and adheres to policies governing access rights;
f) Ensure that segregation of duties is adhered to within each application AS WELL AS across the various other applications (for example, making sure that someone who has the ability to set up an employee in ADP does not also have access in PeopleSoft to authorize payments); and,
g) Ensure that a review of active users is completed by cross-checking active users' lists against active employee data to make sure all users are current and active employees.
In summary, the auditors are required to assess IT Governance. Preparation is key to a successful audit.
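The active-user cross-check and the within- and cross-application segregation-of-duties test described above, worked through as an added example; this is not code from the article or from any USG system. The employee roster, the position-to-role matrix, the conflict pairs and the application exports are constructed sample data, and the role names, user ids and finding codes are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample data; none of it comes from a real USG system. In practice the
# roster is exported from the HR/payroll system and the access list from each
# application's security report.
HR_ROSTER = {
    "e1001": {"name": "A. Smith", "position": "Financial Aid Counselor", "status": "active"},
    "e1002": {"name": "B. Jones", "position": "Registrar Clerk", "status": "active"},
    "e1003": {"name": "C. Lee", "position": "Payroll Specialist", "status": "active"},
    "e1004": {"name": "D. Patel", "position": "HR Assistant", "status": "terminated"},
}

# Roles each position is entitled to under its job description (the business
# owners' approved role matrix). Role names are hypothetical.
POSITION_ENTITLEMENTS = {
    "Financial Aid Counselor": {("Banner", "FINAID_USER")},
    "Registrar Clerk": {("Banner", "REGISTRAR_USER")},
    "Payroll Specialist": {("PeopleSoft", "PAYMENT_AUTHORIZE")},
    "HR Assistant": {("ADP", "EMPLOYEE_SETUP")},
}

# Role pairs one person must never hold together, within or across applications.
SOD_CONFLICTS = [
    (("ADP", "EMPLOYEE_SETUP"), ("PeopleSoft", "PAYMENT_AUTHORIZE")),
    (("Banner", "FINAID_USER"), ("Banner", "REGISTRAR_USER")),
]

# Active assignments exported from each application: (application, user id, role).
APPLICATION_ACCESS = [
    ("Banner", "e1001", "FINAID_USER"),
    ("Banner", "e1001", "REGISTRAR_USER"),     # non-standard request: needs justification and approval
    ("Banner", "e1002", "REGISTRAR_USER"),
    ("PeopleSoft", "e1003", "PAYMENT_AUTHORIZE"),
    ("ADP", "e1003", "EMPLOYEE_SETUP"),        # conflicts with payment authorization across applications
    ("ADP", "e1004", "EMPLOYEE_SETUP"),        # account outlived the employee's termination
    ("Banner", "contractor7", "FINAID_USER"),  # no employee record at all
]

# Documented exceptions: (user id, application, role) -> approval reference.
APPROVED_EXCEPTIONS = {}


def review_access(roster, entitlements, sod_conflicts, access, exceptions):
    """Run the access review and return a list of (user, finding code, detail) tuples."""
    roles_by_user = defaultdict(set)
    for app, user, role in access:
        roles_by_user[user].add((app, role))

    findings = []
    for user, roles in sorted(roles_by_user.items()):
        record = roster.get(user)
        if record is None:
            findings.append((user, "NO_HR_RECORD", f"{len(roles)} active role(s) but no employee record"))
            continue
        if record["status"] != "active":
            findings.append((user, "NOT_ACTIVE_EMPLOYEE", f"status={record['status']}, roles={sorted(roles)}"))
            continue
        # Roles beyond what the position justifies, unless a documented exception covers them.
        allowed = entitlements.get(record["position"], set())
        for app, role in sorted(roles - allowed):
            if (user, app, role) not in exceptions:
                findings.append((user, "ROLE_EXCEEDS_POSITION",
                                 f"{app}/{role} not justified by '{record['position']}'"))
        # Conflicting role pairs are reported even when each role was individually approved.
        for left, right in sod_conflicts:
            if left in roles and right in roles:
                findings.append((user, "SOD_CONFLICT",
                                 f"{left[0]}/{left[1]} together with {right[0]}/{right[1]}"))
    return findings


if __name__ == "__main__":
    for user, code, detail in review_access(HR_ROSTER, POSITION_ENTITLEMENTS, SOD_CONFLICTS,
                                            APPLICATION_ACCESS, APPROVED_EXCEPTIONS):
        print(f"{code:<22} {user:<12} {detail}")
```

The exceptions map is where the documented business justification and approval for a non-standard request (the Financial Aid/Registrar case above) would be recorded, so that an approved request stops surfacing as an unjustified role on every review; a segregation-of-duties conflict is still reported regardless, because approval of each role separately does not make holding both acceptable.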
NIH Releases Final Financial Conflict of Interest (FCOI) Rule
By Sandy Evans
In August 2011, the National Institutes of Health (NIH) released its final regulations on the disclosure and management of potential FCOI for research organizations receiving public funding. The new regulations replace rules adopted over 15 years ago, representing important steps towards transparency and preserving the public's trust.
Key requirements of this regulation are:
1. Institutions must develop and make publicly available their policies regarding the management of Conflicts of Interest (COI);
2. Investigators must receive training on their institutional policy and investigator disclosure obligations prior to engaging in Public Health Service (PHS) funded research;
3. Prior to receiving federal funding and at least annually, investigators must disclose to their institution all significant financial interests (SFIs) related to their responsibilities at their institution;
4. Institutions are responsible for determining if an SFI constitutes an FCOI;
5. If an FCOI is identified, then the institution must report it to the funding agency;
6. Institutions are required to make public FCOI information regarding persons identified as senior/key personnel on the grant application, progress reports, or other reports submitted to PHS, either on the institution's public website or by responding to individual requests for FCOI information within five business days.
Several important issues are noted for emphasis:
a) The reporting of SFIs by the Investigator is not limited to the single Principal Investigator (PI). This reporting requirement includes any other person(s) responsible for the design, conduct, or reporting of research funded by PHS, and their respective spouses and dependent children.
b) The SFI threshold is reduced from $10,000 to $5,000.
c) Travel reimbursements and sponsored travel are reported.
d) FCOI details include the entity name, nature of the FCOI (equity, fees, travel, honoraria, etc.) and value of each financial interest.
The final rule could have a significant impact on research institutions with less evolved COI management infrastructure. In those organizations, new policies, processes and documentation will be necessary, requiring substantial new resources to meet the August 24, 2012, deadline.
The NIH final rule represents a step towards increased transparency regarding Conflicts of Interest and federally funded research.
For additional information on the NIH regulation: http://grants.nih.gov/grants/policy/coi/
Significant Changes in Government Fund Balance Reporting--GASB 54
By Tracy Arner, CPA
One of the more recent, significant changes in government financial reporting is Governmental Accounting Standards Board (GASB), Statement 54, Fund Balance Reporting and Governmental Fund Type Definitions. This Statement, effective for financial statements with periods beginning after June 15, 2010, will transform the classification of fund balance. The GASB believes the new classifications will be more readily understood by financial statement users. This article will focus on the new requirements for Fund Balance Reporting.
The traditional categories of fund balance are reserved and unreserved. Reserved fund balance alerts the reader to the unavailability of fund balance for future appropriation. Unreserved fund balance may be classified as designated or undesignated. Unreserved, designated signifies plans the governing body has for future use of the fund balance. Only unreserved, undesignated balances could be used for future appropriations.
GASB Statement 54 replaces reserved fund balance with three different, distinct categories. These categories are: nonspendable, restricted, and committed. Nonspendable fund balance represents current assets that are not in spendable form or are legally required to remain intact. Examples of nonspendable fund balance include inventories, prepaids, or the principal portion of a Permanent Fund.
Restricted fund balance would include those amounts that are legally restricted for a particular purpose by covenants, legislation, grants, or contracts. A typical example would be funds set aside to meet debt service requirements under a bond covenant.
Committed fund balance would require action of the governing body stating how the committed funds will be used. To be used for another purpose, the governing body must remove the commitment by formal action.
The unreserved category will be replaced with either assigned or unassigned classifications. Assigned fund balance is intended by the government to be used for a particular purpose but is neither committed nor restricted. For example, a government may assign a portion of the fund balance to be used to purchase green space.
Unassigned fund balance would represent the remaining amount of the fund balance after the other four classifications are used. Unassigned fund balance would only appear in the General Fund as the remaining governmental funds would have been established for a particular purpose and remaining funds would be assigned accordingly.
To implement GASB 54 related to fund balance, governments should review their policies regarding fund balance classification and develop guidance for reporting purposes. Disclosure in the financial statement notes of this policy is required.
Human Resource Considerations By Tom Scheer
Guiding your institution's Human Resource function through compliance and employee relation issues can be very challenging. Countless issues provide potential risks. Based on recent events, here are areas to consider when evaluating the strength of internal procedures:
1. Employee Termination Process: Most USG institutions have an employee termination process and an exit checklist. The checklist should be completed when an employee terminates to ensure that all appropriate actions are taken, including:
a) preparation of all appropriate paperwork to remove the employee from the payroll system;
b) return of institution property such as keys, access/purchasing/identification cards, and computer equipment;
c) cancellation of access to computer systems;
d) payment of any miscellaneous amounts owed such as parking/library fines and travel advances;
e) proper calculation of vacation accruals; and,
f) completion of an exit interview.
2. Annual Performance Evaluation: Board of Regents (BOR) policies require annual evaluations for all full-time employees. Performance evaluations serve as the basis for personnel actions and assist the organization in operating effectively and efficiently. Without proper training and feedback, employees may not be equipped to perform their jobs to the best of their ability, which could lower the overall performance of the institution. By neglecting these evaluations and related documentation, management increases the risk of disputes and legal issues in the event of personnel actions, either positive or negative.
Recommended institutional policies would include requirements for the completion of a performance evaluation at the end of the six-month provisional period. Additionally, all evaluations should be performed on a timely basis.
See BOR Human Resources Administrative Practice Manual: "Employee Relations Performance Evaluations" http://www.usg.edu/hr/manual/performance_evaluation/
3. Training and Compliance with University System of Georgia (USG) Ethics Policy: Comprehensive training on ethical behavior is important to any organization to help ensure that employees are conducting their responsibilities in accordance with established codes of conduct. BOR has clearly stated that the USG Ethics Policy applies to all members of the USG community and that all such members shall participate in training and certify their compliance with the policy. It is also the responsibility of each institution to collect accurate data for reporting to BOR.
Periodically, all employees must complete the latest BOR course on Ethics Policy. Full compliance with the USG Ethics Policy includes institutional tracking of training and certification compliance for all USG employees.
See BOR Policy Manual 8.2.20 - http://www.usg.edu/policymanual/section8/policy/8.2_general_policies_for_all_personnel/#p8.2.20_university_system_of_georgia_ethics_policy
4. Appropriate Documentation to Process Salary Changes and/or Supplements: Salaries are one of the largest expenditures for any institution. Effective salary administration is crucial to maintain compliance with BOR and institution policies, to meet obligations under federal and state regulations, to maintain appropriate relationships between personnel, and to ensure effective use of budgetary resources.
All salary changes and/or supplements should include: a) all required approvals/signatures; b) documentation (such as a memorandum) attached to a Personnel Action Notice; c) current performance evaluation (satisfactory at a minimum); and d) compliance with all policies.
See BOR Human Resources Administrative Practice Manual:
"Classification, Compensation, and Payroll Wage and Salary Administration Policy" - http://www.usg.edu/hr/manual/wage_and_salary_administration_policy/
"Interim and Acting Assignments" - http://www.usg.edu/hr/manual/interim_and_acting_assignments/
"Salary Increase Administration Process" - http://www.usg.edu/hr/manual/salary_increase_administration_process/
Benford's Law and Spending Patterns By Ted Beck
In 1938, American physicist Frank Benford "rediscovered" a pattern within the statistical distribution of first digits in a series of naturally occurring numbers, and did such a fine job of it that he decided to put his name on the idea, despite it having existed in some form since the late 1800s. Through mathematical finagling, Benford demonstrated that the first digit in a large series of numbers should occur with the following frequencies in a base-10 counting system:
Digit   Frequency of Occurrence
1       30.1%
2       17.6%
3       12.5%
4       9.7%
5       7.9%
6       6.7%
7       5.8%
8       5.1%
9       4.6%
If needed, the reader is encouraged to take a moment to recover from having his or her mind blown. Better now? Let's proceed, then.
The clever (or impatient) internal auditor has now asked, "To what end, this Benford's Law?" A fine question, indeed as it happens, the expenditures of large organizations mirror this very distribution. The application of Benford's Law to the world of audit and fraud detection has been long documented, so the following offers a quick way to test a series of expense data for its "naturalness".
The curious auditor could begin by producing a report containing a series of AP transactions. In Excel, the first digit of each expenditure amount can be extracted using the following formula:
=LEFT(CELL REFERENCE, 1)
This will return the first digit of the number referred to by the "CELL REFERENCE" (e.g. A1). After populating this formula for all expenditure data, a quick pivot table can be produced from this column of data using the first digits as both the "Row Labels" and "Values" (count of), which will provide the number of times each digit occurred in the series. Similarly, a series of COUNTIF formulae could be used to capture the number of times each digit occurred:
=COUNTIF(SERIES REFERENCE, 1)
=COUNTIF(SERIES REFERENCE, 2)
...
There are other ways to efficiently determine the number of times each digit occurs in the series, but the end result should be a short table from which one can analyze the distribution of these numbers among the data. The graphically inclined could even plot these frequencies, and compare them to the expected distribution:
[Chart: number of AP transactions by first digit, 1 through 9, Actual vs. Expected; vertical axis 0 to 12,000]
This chart details a full fiscal year of AP transactions for a mid-size state university. The blue columns indicate the number of transactions with that respective first digit, while the red columns demonstrate the expected distribution according to Benford's Law. As can be observed, the first digit of these transactions closely mirrors the frequencies one would anticipate, indicating that these expenditures were likely the product of naturally occurring business activity. These populations can be further limited to examine smaller portions of data (such as the transactions authored by a specific individual or department). However, as the sample size decreases, the "match" to the expected distribution may also naturally lessen.
Though by no means an exhaustive test of potentially fraudulent activity, Benford's Law and the wonders of commonly available software applications provide yet another tool for the effective internal auditor.
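The first-digit test walked through above (extract the leading digit, count each digit, compare with the expected distribution), carried through in Python as an added example rather than in the author's Excel workbook; this is not code from the article. It goes a step beyond the article by adding two conformity measures the chart leaves to the eye: the chi-square statistic against Benford's expected counts (8 degrees of freedom, 5% critical value 15.507) and the mean absolute deviation (MAD) with Nigrini's published first-digit conformity ranges. Both populations are constructed, not real AP data: amounts evenly spaced on a log scale (Benford-conforming by construction) and amounts clustered in a narrow band (not conforming).

```python
import math
from collections import Counter

# Expected first-digit proportions under Benford's Law: P(d) = log10(1 + 1/d).
BENFORD_EXPECTED = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value for 8 degrees of freedom at the 5% significance level.
CHI_SQUARE_CRITICAL_8DF_05 = 15.507


def first_digit(amount):
    """Leading non-zero digit of an amount in dollars and cents, or None for zero.

    The sign is ignored so credits and debits are tested together; that is an
    assumption of this example, and many auditors test them as separate populations.
    """
    digits = f"{abs(amount):.2f}".replace(".", "").lstrip("0")
    return int(digits[0]) if digits else None


def first_digit_counts(amounts):
    """Count how often each leading digit 1-9 occurs, skipping zero amounts."""
    counts = Counter()
    for amount in amounts:
        d = first_digit(amount)
        if d is not None:
            counts[d] += 1
    return counts


def benford_test(amounts):
    """Compare observed first-digit frequencies with Benford's expected frequencies.

    Returns the population size, a per-digit table (digit, actual count, expected
    count, actual proportion, expected proportion), the chi-square statistic and
    the mean absolute deviation between actual and expected proportions.
    """
    counts = first_digit_counts(amounts)
    n = sum(counts.values())
    if n == 0:
        raise ValueError("no non-zero amounts to test")
    rows, chi_square, total_abs_dev = [], 0.0, 0.0
    for d in range(1, 10):
        observed = counts.get(d, 0)
        expected_count = BENFORD_EXPECTED[d] * n
        actual_pct = observed / n
        chi_square += (observed - expected_count) ** 2 / expected_count
        total_abs_dev += abs(actual_pct - BENFORD_EXPECTED[d])
        rows.append((d, observed, round(expected_count), actual_pct, BENFORD_EXPECTED[d]))
    return {"n": n, "rows": rows, "chi_square": chi_square, "mad": total_abs_dev / 9}


def classify_mad(mad):
    """Nigrini's first-digit MAD conformity ranges."""
    if mad < 0.006:
        return "close conformity"
    if mad < 0.012:
        return "acceptable conformity"
    if mad < 0.015:
        return "marginally acceptable conformity"
    return "nonconformity"


# Constructed sample populations; neither is real AP data.
def log_uniform_amounts(n=9000):
    """Amounts evenly spaced on a log scale from $10 to $10,000: Benford-conforming by construction."""
    return [10 ** (1 + 3 * k / n) for k in range(n)]


def clustered_amounts():
    """Amounts clustered in the narrow band $4,000-$8,999: not Benford-conforming."""
    return [4000 + k for k in range(5000)]


def report(label, amounts):
    """Print the digit table and summary statistics for one population."""
    result = benford_test(amounts)
    print(f"\n{label}: n={result['n']}, chi-square={result['chi_square']:.2f} "
          f"(critical {CHI_SQUARE_CRITICAL_8DF_05}), MAD={result['mad']:.4f} "
          f"-> {classify_mad(result['mad'])}")
    print("Digit  Actual  Expected  Actual%  Expected%")
    for d, observed, expected, actual_pct, expected_pct in result["rows"]:
        print(f"{d:>5}  {observed:>6}  {expected:>8}  {actual_pct:>7.1%}  {expected_pct:>9.1%}")
    return result


if __name__ == "__main__":
    report("Log-uniform population (constructed)", log_uniform_amounts())
    report("Clustered population (constructed)", clustered_amounts())
```

To run it against an AP export, replace the constructed lists with the amount column from the report; as the article notes, sub-populations (one department or one requester) get small quickly, and with a small population the chi-square and MAD figures become noisy, so treat a departure from the expected distribution as a reason to look closer rather than as a conclusion.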
Georgia 2011 Conference for College and University Auditors By Chuck Fell
In accord with the continuing professional development attribute in the International Standards for the Professional Practice of Internal Auditing, on July 25-26, 2011, the Office of Internal Audit and Compliance (OIAC) hosted the second regional conference in Georgia, co-sponsored by the Association of College and University Auditors (ACUA).
The OIAC's goal was to provide a conference focused on professional development for USG auditors and other participants in such a way as to qualify for 16 continuing professional education credits at significantly reduced costs for the University System of Georgia, including costs of registration, travel expenses, and opportunity costs. In addition, the OIAC provided a conference information website (http://www.usg.edu/audit/conference), downloadable copies of conference presentations, and great opportunities for networking with college and university auditors and other professionals!
Governance, risk and compliance topics were presented by accomplished professionals within a variety of conference formats. The list of presenters included:
Hank Huckaby, Chancellor, University System of Georgia; Dr. Richard Clune, Associate Professor, School of Accountancy, Kennesaw State University; G. Bliss Jones, CPA, Jones and Kolb; Dr. Curt Carver, Chief Information Officer and Vice Chancellor, University System of Georgia; Chloe Haidet, Director of Technology Risk and Assurance, Georgia Department of Audits; and, David McLaughlin, Senior Assistant Attorney General, Georgia Department of Law, Special Prosecutions Unit.
During the Georgia 2011 Conference, there was extensive networking and discussion among the 56 USG institutional and OIAC auditors and 22 non-USG college and university auditors from the Atlanta metro area and the surrounding Southeastern states, including:
Clark Atlanta University; Clemson University; Collin College; Daytona State College; Emory University; Rice University; Southwest Tennessee Community College; and, The University of Alabama.
The Georgia 2011 Conference was well received by all participants. The Office of Internal Audit and Compliance intends to host the third annual regional conference next year in the July-August timeframe! Attendees of the 2011 conference will be notified immediately upon finalization of plans for the 2012 conference. If you did not attend, please send an e-mail to Tracy.Pinnock@usg.edu to be placed on our notification list.
Are There Unintended or Unattended Expenses Decimating Your Budget? By Sandy Evans
Budgets are tight and, during a period of scarce resources, managers tend to spend more time and effort in the decision of whether or not to incur an expense. After weighing the alternatives, options, and impact of a decision, the course of action is determined.
What is often not considered is the impact of not making a decision or not being proactive. Examples include:
a) Automatic renewal of maintenance contracts on heating or air conditioning equipment in buildings that are not currently used or are slated for demolition;
b) Hotel rooms, reserved for a conference, forgotten in the pre-conference rush, with the consequence of unused, excess rooms charged to the organization;
c) Periodic magazine, newspaper, or journal subscriptions that continue from year to year;
d) Surplus leased items such as copiers, telecom equipment, vehicles, etc. that should be returned, with contracts terminated. If leases cannot be terminated, perhaps another organization could use the equipment and assume the lease.
Common sense, you say? Consider this: Most copiers with the color option have an automatic reset feature activated after a time lapse from the last copy. If the reset is to the color option, employees desiring a black and white copy of a color document must manually reset to black only. If employees start the copy process before resetting to the black-only option, the result would be excessive use of color toner.
Send your suggestions for savings to Tracy.Pinnock@usg.edu and we will include them in the next issue of the Straight and Narrow.
Board of Regents of the University System of Georgia Office of Internal Audit & Compliance 270 Washington Street, SW Atlanta, GA 30334-1450
Phone: (404)656-2237
Fax: (404) 463-0699
"Creating A More Educated Georgia"
www.usg.edu
We're on the Web! See us at: http://www.usg.edu/audit/
Ask the auditor: If you have a control or ethics question that has been bothering you, it is a good bet someone else in the system is wondering the same thing. We invite you to send your question to sandra.evans@usg.edu and we may feature it in the next or future issues of the Straight & Narrow.
Any other comments or questions? Contact Sandra Evans at sandra.evans@usg.edu
We are looking for suggestions and feedback.