Straight and narrow, Vol. 3, Issue 7 (Jan. 12, 2009)

The STRAIGHT and NARROW
Office of Internal Audit, Board of Regents of the University System of Georgia, (404) 657-2237

January 12, 2009 Volume 3, Issue 7

The Office of Internal Audit has a position opening for a Public Private Venture Auditor. See the link below for additional details: http://www.usg.edu/employ ment/jobs/
**Reminder** Audit Finding Status Reports are due to BOR Office of Internal Audit by January 31, 2009.

From the Desk of Ron Stark

Happy New Year to you all!
Effective with the New Year, the Annual Financial Reporting function is moving to the Office of Fiscal Affairs under Vice Chancellor Usha Ramachandran's leadership.

Diane Hickey will carry responsibility for the AFR into her new role as Controller for the University System Office and will be recruiting her replacement in the coming weeks.
This change will enable the Office of Internal Audit to

better focus on its primary objectives, which include Accountability, Governance, Enterprise Risk Management, Compliance, and Ethics.
We look forward to working on these initiatives with you at your institutions.

Why Does My $100 Item Need to be Bid?

Meet the Newest Members of the Office of Internal Audit
Sally Carter, Karen LaMarsh and Tracy Pinnock are featured on page 2.
"Creating A More Educated Georgia"
www.usg.edu

We all know that anything over $5,000 has to be bid. What some of us are just learning is that the $5,000 is not per item, but rather total University spend. Eeks! That pretty much means that anything you buy will accumulate to over $5,000 because if you need it, chances are that someone else will too. So how do we deal with that?
First, utilize State Contracts. Sometimes it appears that using the State Contract will result in paying a higher price. In some cases, the State Contract is mandatory and we really don't have a choice. In other situations the extra cost is not that much when you consider how much it would cost you in time and effort to bid. State Contracts should always be the first choice. Be careful though, not all items sold by a vendor are always included in the State Contract. Business Services can help you figure that out.

Second is to develop Agency Contracts. Those are contracts that KSU enters into with vendors as a result of a competitive solicitation, either an RFQ or an RFP. With a little thought, the contract can be structured to allow some flexibility to allow for renewals and amendments to cover additional products and services. The key to a successful solicitation is to think out of the box. While addressing the specifics of your immediate need, think about anything you may ever need of this type so we can include it in the initial solicitation. Again, Business Services can help.
Editor: Chapter 2, Section 5 of the Georgia Procurement Manual describes Statewide and Agency Contracts. Chapter 3, Section 1 of the Georgia Procurement Manual describes the competitive bidding process.

The Georgia Procurement Manual can be found at: http://statepurchasing.doa s.georgia.gov/00/channel_t itle/0,2094,35226973_353192 48,00.html and then click on the Georgia Procurement Manual hyperlink.
Editor's Note: This is a portion of a reprinted article that appeared in Kennesaw State University's October 2008 Financial Services Newsletter
By Susan Dalton, Controller, Kennesaw State University

2 The STRAIGHT and NARROW

Who We Are
Internal auditing is an independent appraisal activity authorized by the Board of Regents to examine, evaluate and advise components of the University System of Georgia (USG). We offer objective reviews for the purpose of providing an assessment on governance, risk management, and control processes. This is accomplished through financial, performance, compliance, information technology and other engagements. In addition, we provide consulting services concerning issues related to internal controls, special investigations and other areas of interest and concern.
The Compliance and Ethics (COMET) Program is also managed by the Office of Internal Audit with responsibility to prevent misconduct through education and training, to detect misconduct through reviews, anonymous reporting, and other means, and to protect the USG from the potential repercussions associated with misconduct by USG employees. The COMET program accomplishes these objectives through managing a USO compliance program, advising USG and institution management on significant compliance risks, coordinating and supporting institutional compliance functions, and conducting investigations and reviews as needed.
Website: www.usg.edu/offices/aud it.phtml Phone: (404) 656-2237 Fax: (404) 463-0699

FY2008 AFR is Complete!

A big thanks from Yvette Usher and Diane Hickey to all involved with preparing the Annual Financial Report.
Half-way through with the FY2009 year, we are finally finished with FY2008 and will immediately launch into planning for the coming year end.
Once all audits are finalized

and published by the Department of Audits, we will analyze the audit adjustments and uncorrected misstatements as we have for the past two years.
We intend to communicate the results prior to the yearend workshop. We will be sure to highlight any common issues among

institutions so that they may be addressed before this year end.

Spotlight on Sally Carter and Karen LaMarsh

Sally Carter (pictured right) is a Wake Forest University graduate and has more than 20 years of experience in internal auditing. She has worked for Bank of America, Oxford Industries and Gold Kist, Inc. in Atlanta.
Sally's service to local and state government started in 1995 as auditor with Georgia Department of Audits. She has since worked at Georgia Public Library Service and Secretary of State's Business Regulation Division.
Carter, who earned masters' degrees in accounting and taxation from Georgia State University, is a CPA and Certified Information Systems Auditor.
Karen LaMarsh (pictured left) is

an Atlanta girl who received her undergraduate, B.S. in Health Systems, from Georgia Tech and her M.Ed. in Adult Education from the University of Georgia.
She comes to the Board of Regents from Kennesaw State University where she was the Director of Professional Development and Life Enrichment with the Continuing Ed division.
At KSU, she was instrumental in establishing policies and best practices. As the administrator for International Association for Continuing Education and Training (IACET) compliance at KSU, she also became an IACET com-

missioner helping to train organizations on adherence to IACET standards.
Karen and her husband, Steve, just celebrated their 28th anniversary. They have four wonderful children, one precious daughter-inlaw and a dachshund, Dudley.
Karen is proud to be at the Board of Regents to see a more global perspective of the University System of Georgia! Karen and Sally are both auditors.

Spotlight on Tracy Pinnock

Tracy Pinnock Tracy is a native New Yorker who migrated to Atlanta 6 years ago. She is a candidate for a B.S. in Psychology & Child Development from Kaplan University.
She comes to the Board of Regents from Quality Care for Children; a non-profit agency which ensures that infants and young children are nurtured

and educated, so that all children have superior early learning experiences and are ready for school.
At Quality Care for Children she was an Accountant for 4 years.
Tracy and her husband Christopher have been married for 2 years, soon to celebrate 3 years February 12, 2009, which is also

Tracy's birthday! They reside in Atlanta. Tracy will serve as the administrative assistant.

3 The STRAIGHT and NARROW

3

Auditing Emergency Management: A Framework for Evaluating Risk

Auditors know that in a people business, risks to health and safety have a big impact. Catastrophic events can result in loss of life or property, disruption to campus mission and activities, financial loss and, in extreme cases, an inability for the institution to recover.
A Framework for Audit The audit team at the University System of Georgia has developed a comprehensive audit program for reviewing emergency management at institutions of higher education. Based on the Federal Emergency Management Agency (FEMA) draft white paper, "Principles of Emergency Management"1 (Principles), the audit program is created around eight broad principles. The Principles state that an emergency management program must be: 1) comprehensive, 2) progressive, 3) risk-driven, 4) integrated, 5) collaborative, 6) coordinated, 7) flexible and 8) professional.
Principle 1: Comprehensive The Principles define a comprehensive program as one in which "emergency managers consider and take into account all hazards, all phases, all stakeholders and all impacts relevant to disasters."
Principle 2: Progressive Progressive emergency management means that "emergency managers anticipate future disasters and take preventative and preparatory measures to build disasterresistant and disaster-resilient communities." As the number and severity of disasters increase, it is important not simply to wait to respond to conditions, but to understand the unique exposure faced at your institution and what is being done proactively to reduce the likelihood and severity of a catastrophic event.
Principle 3: Risk-driven Auditors should have no trouble relating to a riskdriven approach one in which sound risk management principles (i.e., hazard identification, risk analysis, and impact analysis) drive the assessment of priorities and resources. The process that should be used by emergency managers to identify areas for review is remarkably similar to the process for determining an audit plan.
Principle 4: Integrated An integrated emergency management program is one that ensures "unity of effort among all levels of government and all elements of a community." Integration requires building of partnerships among disciplines and across sectors. Those partnerships should facilitate communication and shared decision-making among stakeholders.
Principle 5: Collaborative To be collaborative, emergency managers "create and sustain broad and sincere relationships" that builds an environment where coordination of efforts during an event will work. Collaboration is different than coordination. Coordination involves identification of specific tasks that need to be completed and assignment of roles and responsibilities; collaboration ensures that the right individuals are involved and that when they are called they have a sincere desire to listen and actively participate in the solution.

Principle 6: Coordinated When efforts are well-coordinated, emergency managers "synchronize the activities of all relevant stakeholders to achieve a common purpose." Using a sports analogy, if collaboration means that everyone is willing and interested to be on the team, and then coordination means that the coach understands what plays should be called and that all the players understand and are ready to execute.
Principle 7: Flexible Emergency managers that "use creative and innovative approaches in solving disaster challenges" meet the flexible principle. No single strategy exists to reduce or eliminate risk, and in emergency management, identifying a range of mitigation strategies allows managers to identify not only the most efficient solution, but also the one that is most likely to work in any given circumstance i.e., effective.
Principle 8: Professional Emergency managers that are professional "value a science and knowledge-based approach" that has a common shared foundation. Understandings of ethics, a network of professional associations, certifications, specialized knowledge and use of best practices all create a foundation that ensures that emergency management is a profession not just a discipline or avocation.
The Bottom Line The vision outlined in the Principles states that "emergency management seeks to promote safer, less vulnerable communities with the capacity to cope with hazards and disasters." Dealing with the threat of a significant event is like any other risk that auditors assess; no control can eliminate all risk, and if it could, the cost would likely be unaffordable. Therefore, the goals become "safer" and "less vulnerable." In the people business of higher education where institutions are built anywhere there is a population that needs to learn and everyone carries a backpack audit has a role to help each institution understand the risk and control trade-offs at each phase of the emergency management process.
(Reprinted with permission of the College & University Auditor. Article was modified to meet spacing requirements.)

4 The STRAIGHT and NARROW
Internal Audit Department Best Practices
The Office of Internal Audit is currently conducting a quality assurance review of most of our campus internal audit departments. The purpose of the review is to assess the internal audit structure, compliance with professional audit standards, level of internal audit activity, and the value of internal audit contributions to our institutions. We are currently half-way through and anticipate finishing by late February.
Here are some best practices that we would like to share. These include in part:
Understanding that internal auditing is an objective assurance and consulting activity designed to add value and improve campus operations. Assurance can be in any area compliance (internal and external), operational/ financial/ information technology risks and controls.
Developing an annual audit plan that utilizes a riskbased methodology that includes risks and internal control concerns identified by campus management and staff.
Developing an internal audit charter that defines the authority, responsibilities, and scope of the internal audit department.
Submitting audit reports that clearly communicate the auditor's opinion regarding internal control, identifies significant control issues and provides recommendations that are realistic.
Evaluating the adequacy and timeliness of management's response to, and the corrective action taken on significant issues.
Reporting periodically on the status of the current year plan and sufficiency of department resources.
Ensuring the selection, development and supervision of competent and professional audit staff.
Striving to meet the International Standards for the Practice of Internal Auditing established by the Institute of Internal Auditors.
Continuing the pursuit of education related to internal auditing.
Keeping management informed of emerging trends and best practices in internal auditing.
Assisting in the investigation of significant suspected fraudulent activities.
At the conclusion of our review, a consolidated report will be issued to those campuses where a review was conducted. Additionally, campus-specific memos will be issued. We will highlight additional best practices in future editions of the Straight and Narrow.

Board of Regents of the University System of Georgia Office of Internal Audit 270 Washington Street S.W. Atlanta, GA 30334-1450 Phone (404)657-2237 Fax (404) 463-0699
"Creating A More Educated Georgia"
www.usg.edu
We're on the Web! See us at: www.usg.edu/offices/audit .phtml