Straight and narrow, Vol. 4, Issue 20 (Sept. 2012)

The STRAIGHT and NARROW

Volume 4, Issue 20

September 2012

Internal Audit & Compliance, Board of Regents of the University System of Georgia. 404-962-3020

The Office of Internal Audit & Compliance's (OIAC) mission is to support the University System of Georgia management in meeting its governance, risk management and compliance and internal control (GRCC) responsibilities while helping to improve organizational and operational effectiveness and efficiency. The OIAC is a core activity that provides management with timely information, advice and guidance that is objective, accurate, balanced and useful. The OIAC promotes an organizational culture that encourages ethical conduct.

We have three strategic priorities:
1. Anticipate and help to prevent and to mitigate significant USG GRCC issues.
2. Foster enduring cultural change that results in consistent and quality management of USG operations and GRCC practices.
3. Build and develop the OIAC team.

Inside this issue:
From the Chief Audit Officer
Financial Aid Audit
Governance, Risk Management, Compliance (Part 2)
Top 10 IT Issues in Higher Education
Georgia 2012 Audit Conference -- President's Panel
Contact Us

From the Chief Audit Officer John M. Fuchko, III
Safeguarding USG Resources -- The Rolling Audit Plan
Each quarter, we review the status of the OIAC audit productivity, survey the USG risk landscape, review audit reports, and consult with colleagues and USG leadership about emerging issues that may pose a potential risk. Out of these conversations (plus some additional research and requests for consulting services), I work with the audit staff to develop a rolling audit plan.
The audit plan was approved by the Board of Regents on August 8, 2012. The audit plan focuses OIAC on both where we will spend our time and what operational areas we will review. What will the OIAC seek to accomplish during this rolling audit plan? It is back to basics. We want to ensure that USG institutions are adhering to compliance requirements and that we have strong financial controls in place. Our plan ensures that we focus audit resources to best address potential risks as follows:
Operational: Compliance
1. Information Technology: Are adequate controls in place to protect information systems from external threats and to manage information technology resources?
2. Facility Management: Is the institution properly reporting facility inventory and prioritizing repair and renewal needs?
3. Human Resources: Is the institution properly documenting employee hire status and classifying employees' employment status in a compliant manner?
Financial: Reporting & Compliance
1. Reserves: Is the institution managing and properly utilizing institutional reserves?
2. Budget & Cash Flow Management: Is there adequate oversight and management of budget development, expenditures and management?
3. Procurement Life Cycle: Is the institution managing its contracts, purchasing policy and procedure, and P-Card usage?
Students: Compliance, Financial, & Strategic
1. Student Fees: Is the institution adhering to Board Policy and USG procedures governing the budgeting and use of student fees?
2. Financial Aid: Is the institution properly administering federal and state financial aid programs? Is the institution managing its default rate?
3. Tuition and Fees: Is the institution following Board Policy in its admissions practices and tuition policies?
4. Consolidation Flash Reviews: Are the consolidated institutions adequately prepared for consolidation?
Our goal is to implement a rolling audit plan that strengthens our infrastructure, safeguards our resources and ultimately serves the needs of our constituents and stakeholders. In the upcoming months, OIAC staff will be deployed to work with institutional audit directors and staff on these 10 issues.


A New Audit Program Eligibility for Participation in Title IV Student Aid Programs

Title IV of the Higher Education Act (HEA) authorizes programs that provide student financial aid to support attendance at a variety of institutions of higher education (IHEs). These institutions include public institutions, private nonprofit institutions, and private for-profit (proprietary) institutions. In order for students attending a school to receive federal Title IV assistance, the school must:
Be licensed or otherwise legally authorized to provide postsecondary education in the state in which it is located,
Be accredited by an agency recognized for that purpose by the Secretary of the U.S. Department of Education (ED), and
Be deemed eligible and certified to participate in federal student aid programs by ED.

Institutional Eligibility for Participation in Title IV Student Aid Programs Under the Higher Education Act: Background and Reauthorization Issues
The OIAC distributed the Title IV Financial Aid audit program to each audit shop this Summer, to be conducted during 2013. Title IV Funds include Federal Pell Grants, Military Service Grants, Teacher Education Assistance, Special Campus Based Programs, Federal Perkins Loan Program, Federal Work Study, Federal Educational Opportunity Grants, Federal Family Educational Loans, Federal Direct Student Loans, Bureau of Indian Affairs Loans, and Federal Plus Loans. Your campus may participate in some or all of these or perhaps others that are not mentioned here.
The objectives of the audit are to determine whether USG institutions are adequately administering financial aid programs in compliance with 34 CFR 668.16 guidelines and other financial aid guidance. Secondly, we seek to determine whether the institutions are in compliance with USG procedures regarding student accounts receivable and record retention.
What are the tests?
Fortunately, the criteria and standards are substantially outlined in Code of Federal Regulations Title 34 Education Section 668.16: Standards of Administrative Capability and other financial aid guidance and also in University System of Georgia Business Procedures Manual Section 10.1.1. Succinctly, we want to ensure that the institution:
a. Is administering the Title IV programs in accordance with statutory and regulatory provisions outlined in the regulations;
b. Has adequate segregation of duties in administering the financial aid programs;
c. Has knowledgeable and qualified personnel administering Title IV program(s);

d. Is acquiring, maintaining and retaining the required records and documentation to support student claims for financial aid;
e. Is frequently evaluating the default rates to ensure that the default rates do not exceed the regulatory levels; and,
f. Is in compliance with Satisfactory Academic Progress (SAP) policies, program participation agreements, the Free Application for Federal Student Aid (FAFSA) requirements and fund disbursement procedures.
These are a few but very important items that require scrutiny during the audit.
What you should know
Chapter 2 of the Blue Book1 (June 2001) discusses the "General Institutional Responsibilities" of schools participating in the U.S. Department of Education's (ED's) Title IV student financial aid programs (Title IV programs). The chapter presents information about institutional fiscal operations and network of responsibilities; institutional eligibility; financial responsibility; administrative capability (including separation of functions); and other areas such as consumer information, institutional policies and procedures, program evaluation, return of Title IV funds, record maintenance, and disclosing student information.1 This document was provided along with the audit program and it will significantly strengthen your efforts documenting audit findings.
Audit Program Emphasis
The Audit program mimics the regulatory requirements of the Department of Education. The audit program outlines:
Audit objectives;
Audit work steps to achieve the objectives;

Audit steps to assess SAP; and,
Audit steps to review return of Title IV funds.
As in past audit programs, the OIAC has taken great care to ensure that the Financial Aid audit program emphasizes the documentation of:
Policies and guidelines;
Evaluation, timing and frequency of SAP reviews;
Review and evaluation of institution financial aid policies that outline measurable factors and quantitative components to become eligible for financial aid;
Processes to notify students about financial aid awards;
Procedural processes that provide "due process" to students who apply for, are denied, or are eliminated from the financial aid process; and,
Audit steps to review return of Title IV funds (refer to USG Policy Manual Section 7.3.5 for additional information).
Reference Sources
U.S. Department of Education's Audit Guide, Audits of Federal Student Financial Assistance Programs at Participating Institutions and Institution Servicers, Office of the Inspector General, January 2000
National Association of Student Financial Aid Administrators Self-Evaluation Guide for Institutional Participation in Title IV and Other Federal Programs, 2011-12, Twenty-Seventh Edition
Information for Financial Aid Professionals, FAFSA Information to be Verified, http://www.ifap.ed.gov/ifap/index.jsp
Standards of Administrative Capability, Presentation by Annmarie Weisman, U.S. Department of Education, DC-DE-MD Conference, Frederick, MD, March 2011

1 "The Blue Book", Information for Financial Aid Professionals (IFAP) published by the U.S. Department of Education for managing the Student Financial Aid Program.


Governance, Risk Management, and Compliance by Jeanne Severns

This month's column focuses on the importance of procedures and internal controls for the budgeting process. We will discuss authorized budget procedures, aspects of internal budgetary controls, and will reference the tools necessary to meet USG requirements for budget development.
Typically, when we speak about governance, the conversation centers around common core management concepts:
Leadership, guidance, and a tone at the top,
Achieving objectives,
Overseeing and monitoring operations,
Ensuring compliance with laws and accountability for behavior, and
Legal and ethical behavior.
We agree that the importance of effective governance in achieving an organization's goals is unquestionable. It's the "How do we get there?" part that should be given appropriate attention.
While each of the aforementioned components of a successful governance program is vital to the overall health of any organization, effectively and efficiently managing the financial resources of the institution may be the foremost objective for leadership to accomplish. The USG budget process, outlined in the USG Business Procedures Manual, Section 8.0, is the tool for planning, reviewing, monitoring, amending, and reporting budgetary revenue and expenditures.
Internal controls in the budget process are designed to achieve the following:
Assign responsibility for budget development and execution,
Authorize resources to meet planned expenses,
Validate and approve expenditures against a valid budget,
Ensure data within the financial system are consistent with Board-approved budgets and Presidential guidance, and
Monitor budget performance.
These internal controls help to provide management with early warning of financial or other risks as reflected in budget performance.
Budgetary controls should be documented through written procedures. The USG has several tools to assist institutions with developing these materials. We recommend that institutions' budget procedures incorporate the following:
When developing your budget, follow the steps outlined in Section 8.0 of the USG Business Procedures Manual.
When electronically documenting your budget, follow the steps outlined in the Governor's Office of Planning and Budget Annual Budget Instruction Manual.
When executing your budget, follow the steps mandated in the June 6, 2012 correspondence from Chancellor Huckaby to USG Presidents regarding budget hearings, quarterly financial reports, and external audits.


Establish a budget committee to include executive leadership and department heads from all functional areas. The committee's purpose is to develop an annual budget that is ultimately recommended to the President.

Use conservative and consistent student enrollment projections when developing the budget. Enrollment projections should take into account the impact of changes in Federal financial aid such as the availability of Pell Grants for summer classes and similar trends.

Ensure approved budgets are properly loaded into the PeopleSoft Financials ERP application or other official financial system, and that only a limited number of individuals are provided the authority to override the budget (and then, only with proper authorization).

Design and implement procedures for continual monitoring of performance with explanations of variances. Variances in both revenues and expenditures should be explained and adjustments made as needed to maintain a balanced budget. Responsibility for performance monitoring should be assigned to functional budget managers. Responsibility for adjustments and re-allocation of resources should be assigned to budget managers external to that functional budget.
Establish a calendar for regularly held budget committee meetings throughout the year. Budget committee meetings should incorporate budget performance monitoring and reallocating resources as indicated to ensure the continued effective use of resources. Minutes of the meeting should be recorded.
Establish guidelines for preparing, recommending, and adopting the budget with special attention to the strategic allocation of resources to align with the institution's goals. These guidelines should address responsibility for calculating realistic revenue projections.
By following this guidance, including assigning responsibility and accountability for monthly budget monitoring and reporting, institutional financial managers will strengthen one of the core governance responsibilities of USG institutions: managing their fiscal resources.
Jeanne Severns, CPA, MBA, CIA Email: Jeanne.severns@usg.edu

Updated for 2012, the International Professional Practices Framework (IPPF) 2011 Edition
The Institute of Internal Auditors' (IIA's) International Professional Practices Framework (IPPF) is the authoritative guidance on the internal audit profession. The IPPF presents current, relevant, internationally consistent information that is required by internal audit professionals worldwide.
The IPPF includes mandatory and strongly recommended guidance:
The official Definition of Internal Auditing.
The IIA's Code of Ethics.
New and revised International Standards for the Professional Practice of Internal Auditing with interpretations that enhance the understanding of current requirements.
Practice Advisories that address highly recommended internal audit approach, methodologies, and consideration.
Position Papers that assist in understanding significant governance, risk, or control issues and in delineating the related roles and responsibilities of the internal audit profession.
Practice Guides that provide practical tools and techniques and step-by-step approaches such as those presented in The IIA's Global Technology Audit Guides and Guides to the Assessment of IT Risk.
http://na.theiia.org

Top 10 IT Issues in Higher Education By Byron (B.J.) Gill

EDUCAUSE, a nonprofit association and community of IT leaders, recently conducted a webinar on the "Top 10 IT Issues in Higher Education". The information shared through the webinar and feedback from USG IT Services is summarized in this article.

About EDUCAUSE
EDUCAUSE helps those who lead, manage, and use information technology to shape strategic IT decisions at every level within higher education. Its membership consists of over 1,800 colleges and universities within and outside of the United States, over 300 corporations serving higher education institutions, and associations, state and federal agencies, and other nonprofit organizations. Since 2000, EDUCAUSE has identified the top issues confronting higher education information technology. Many of the same issues have appeared on the list for eight of the twelve years the list has been compiled. The 2012 list was compiled by surveying a membership panel that consisted of US and Canadian members from 2-year institutions to large research institutions, who responded to the question, "What is the single biggest IT related issue currently facing your institution?"
The top 10 issues identified were:
1. Updating IT professionals' skills and roles to accommodate emerging technologies and changing IT management and service delivery models (staff development).
2. Supporting the trends toward IT consumerization and bring-your-own device (BYOD).
3. Developing an institution-wide cloud strategy (cloud computing).
4. Improving the institution's operational efficiency through information technology (improving the bottom line).
5. Integrating information technology into institutional decision-making (business analytics).
6. Using analytics to support critical institutional outcomes (student retention).
7. Funding information technology strategically.
8. Transforming the institution's business with information technology.
9. Supporting the research mission through high-performance computing, large data, and analytics (research).
10. Establishing and implementing IT governance throughout the institution.
How do these risks compare to or align with the IT risk concerns of USG and Information Technology Services?
In a conversation with Dr. Curt Carver, USG CIO, and Stan Gatewood, USG CISO, the following issues were identified as IT risks that concern USG:
1. Domain Name System (DNS) Hardening
2. Logical Access: Identity and Access Management
3. Privacy: Identify Personal Identifiable Information (PII)
4. Bring-Your-Own-Device (BYOD)
5. IT Governance structure
6. Compliance with standards around sensitive information
Each of the six USG risk issues can be mapped to the 'Top Ten'. Moreover, there are ongoing system level initiatives to address aspects of each of the 'Top Ten' issues.
This result is also consistent with the OIAC Rolling Audit Plan and Risk Assessment, approved by the Board of Regents on August 8, 2012. The number one operational compliance risk issue is information technology. The IT concerns include: Is the institution adequately protecting our information systems from external threats? Is the institution controlling how employees can access and use our information systems? Is the institution effectively managing information resources? The Office of Internal Audit and Compliance will be working with each of you as we assess and address risk issues around information at USG institutions.
The OIAC staff is currently working on a risk assessment profile that will be used to assess USG institutions as a part of the rolling audit plan. Our objective is to help USG institutions identify weaknesses in internal controls and the process that may be utilized to protect information systems from external threats. A specific audit program will be provided to the USG institutions identified in the plan.
To learn more about EDUCAUSE, visit their website at www.educause.edu
To listen to the webinar, 'The Top 10 IT Issues...', follow the link http://www.educause.edu/library/resources/top-ten-issues-higher-education-it-2012. Once at the site, select Session Recording to view the presentation.
Byron Gill, CISA, Six-Sigma Green Belt, CNE Information Technology Auditor II Email: Byron.gill@usg.edu

Want to become Geekier?
Here is some light reading to help increase your Geek factor!
A Must Read - USG IT Handbook
This BoR IT Handbook sets forth the essential procedural components that each USG institution must follow to meet both Board of Regents policy mandates, the statutory or regulatory requirements of the state of Georgia and the federal government, and best IT practices. Secondly, it is designed also to provide new IT professionals within the USG the necessary information and tools to perform effectively. Finally, it serves as a useful reference document for seasoned professionals at USG colleges and universities who need to remain current with changes in Board of Regents policy and federal and state law.
USG Information Technology Handbook
Policies and Procedures
Table of Contents
Overview
Introduction
Section 1: Information Technology (IT) Governance
Section 2: Project and Service Administration
Section 3: IT Management
Section 4: Financial and Human Resource Management
Section 5: Information Security
Section 6: Risk Management
Section 7: Facilities
Section 8: Appendix A: Telecommunications Policy for Wireless Communication Devices
Updates and Revisions
http://www.usg.edu/information_technology_handbook/introduction


Georgia 2012 Conference for College and University Auditors President's Panel Discussion --"The Takeaways"

The Georgia 2012 Conference for College and University Auditors, held July 30 and 31, was attended by more than 80 higher education audit and finance professionals from across the southeast. One of the many highlights of the conference was the Presidents' Panel discussion, featuring four USG Presidents:
Dr. G.P. "Bud" Peterson, Georgia Institute of Technology,
Dr. Daniel S. Papp, Kennesaw State University,
Dr. Lisa Rossbacher, Southern Polytechnic State University, and
Dr. Beheruz N. Sethna, University of West Georgia.
The panel discussion provided attendees with the valuable opportunity to hear from and ask questions of several University Presidents in a group setting. The topic of discussion was "Setting the Tone at the Top: The Importance of the Internal Audit Function as a Management Tool". Moderated by USG Chief Audit Officer and Associate Vice Chancellor John Fuchko, the Presidents provided their thoughts on the significance of the internal audit function as a key management tool, and how the internal audit function contributes to improvements in the Governance, Risk Management, Compliance, and Internal Controls (GRCC) model. Below are several question and answer segments featured as part of the panel's discussion.
Describe your management style, and how it incorporates the audit and compliance functions?
Each of the Presidents expressed positive attributes about their internal audit function, and about building a relationship of trust and openness. They emphasized the need to hear the "bad news" prior to the full impact of an emerging issue. Dr. Rossbacher discussed ways in which sensitive subjects may be broached, but again stressed the need to not bring the bad news "too late." Dr. Peterson indicated one of his objectives as President is to create a culture where staff can bring the bad news and openly express their concerns as well as solutions to leadership.
What are the most important characteristics of a high functioning audit organization, and what do you look for in terms of staff strengths, skills, and competencies?
The Presidents discussed attributes of excellence: trustworthiness, intelligence, collaboration, strong communication skills, competency, and technical proficiency. Two characteristics topping the list were integrity and confidentiality. Dr. Sethna included good managerial skills along with disclosing the right information at the right time. Dr. Rossbacher shared the "canary in the coal mine" metaphor, in that an effective auditor should be the first person who alerts the institution to potential risks and effective mitigation strategies. Dr. Papp described the intellectual attributes an audit or finance professional should possess, including social intelligence1, stating that to be successful, auditors need to possess social skills that would engender trust and confidence with their colleagues. Dr. Papp mentioned many of these views are similarly voiced in Stephen M.R. Covey, Jr.'s The Speed of Trust, which outlines 5 different types of trust and how an environment of trust helps all parties function more efficiently. The Presidents also stressed the role that Auditors should play in helping educate Faculty, Staff and Administrators about proper audit processes and procedures, internal controls and governance that would lead to good audit findings.
What are some of the most significant management and governance issues affecting the USG?
Dr. Rossbacher shared her thoughts on institutional accountability, and balancing internal audit's accountability to the governing Board while also recognizing them as "part of the team". Dr. Peterson discussed managing the expectations of the internal audit function, assigning staff to where there is value added, and working with the individuals to develop processes for compliance and control. Another area of concern was shared by Dr. Papp, in that dwindling funding and austerity programs continue to challenge institutions, saying that if an institution has good people in a bad system, the system will struggle along, but function; conversely, if there are bad people, even in a good system, the system will break. Dr. Rossbacher agreed and added that people facing increasing economic pressure can be pushed beyond the boundaries of their typical behavior. Dr. Sethna expressed that increased compliance and monitoring is one great challenge of the future. He reflected on Deming's fourteen points of quality management, which focus on consistency, continuity, pride of workmanship, and identifying the point of origin when an error is detected2.
What words of wisdom would you like to share with Auditors?
The Presidents responded largely in agreement, stating the takeaway from this discussion and situations such as the issues at Penn State is that bad decision making creates a culture of apathy in an organization. People may avoid speaking the truth due to fear of reprisal or the belief that nothing will be done. Dr. Sethna emphasized the value of Hotline reporting and the value offered by its anonymity. His preference is for people to use the chain of command within the organization, but he finds great value in resources such as the Hotline. In addition, he cited the value of the dual reporting relationship with the Chief Auditor and the Presidents, which provides safety and value to the auditor. Dr. Rossbacher encouraged the audience to utilize the ERM process to identify and mitigate institutional risks. Dr. Peterson offered that creating partnerships with the institutions to foster collegial relationships and to bridge communication to anticipate issues should remain a priority. These relationships have the potential to ward off problems down the road. Dr. Papp shared his thoughts on governance as a four-part system, to include relationships between auditors and Presidents, auditors and the cabinet, auditors and administrators, and auditors and the USG system office.
References
1 Writings by Harvard Professor Dr. Howard Gardner (MI), John Mayer, University of New Hampshire, and Yale's Peter Salovey, edited Dr. Daniel Goleman (EI) and, Karl Albrecht (SI).
2 William Edward Deming, 1900 - 1993, The Deming System of Profound Knowledge; credited with concepts of Total Quality Management.

Reference Reading
Managerial Aids
Academically Adrift: Limited Learning on College Campuses, Richard Arum and Josipa Roksa, 2011
Surviving and Thriving in Uncertainty, Creating the Risk Intelligent Enterprise, Frederick Funston and Stephen Wagner, 2010
The Speed of Trust: One Thing That Changes Everything, Stephen M.R. Covey, Jr., 2006
The Emotionally Intelligent Manager: How to Develop and Use the Four Key Emotional Skills of Leadership, David Caruso & Peter Salovey, 2004
Professional Aids
The International Professional Practices Framework (IPPF) 2011 Edition, Updated for 2012, The IIA, 2011
Elements of Management-Oriented Auditing, Lawrence B. Sawyer, JD, CIA, The IIA, Inc., 1988

Board of Regents of the University System of Georgia
Office of Internal Audit & Compliance (OIAC) 270 Washington Street, SW Suite 7093 Atlanta, GA 30334-1450
Phone: (404) 962-3020
Fax: (404) 962-3033
Website: www.usg.edu/audit/

Ask the Auditor
If you have a governance, risk management, compliance or control question that has been challenging you, let us help you find the answer. Your question can help us to become better auditors.
Want to Contribute to the Straight and Narrow?
We invite you to send your questions and ideas for future articles to us for feature in upcoming Straight and Narrow newsletters.
Contact Us: oiac@usg.edu

"Creating A More Educated Georgia" www.usg.edu