Straight and narrow, Vol. 5, Issue 22 (June 2013)

The STRAIGHT and NARROW

JUNE 2013
The Office of Internal Audit & Compliance's (OIAC) mission is to support the University System of Georgia management in meeting its governance, risk management and compliance and internal control (GRCC) responsibilities while helping to improve organizational and operational effectiveness and efficiency. The OIAC is a core activity that provides management with timely information, advice and guidance that is objective, accurate, balanced and useful. The OIAC promotes an organizational culture that encourages ethical conduct.

Volume 5, Issue 22 Office of Internal Audit & Compliance, BOR -- USG, (404) 962-3020
From the Chief Audit Officer, John M. Fuchko, III
Assessing University System of Georgia (USG) Risks --Rolling Audit Plan
University System internal auditors have the responsibility to regularly assess risks facing the University System of Georgia. We utilize a vigorous process which includes reviewing internal audit results, monitoring changes in higher education, reviewing external audit results, and consulting with colleagues and USG leadership about emerging issues that may pose a potential risk. This process helps us to identify focus areas for inclusion in our audit plan. The chart below synthesizes the results of our risk assessment.
The annual audit plan was approved by the Board of Regents on May 14, 2013. The audit plan identifies the actual engagements and focus areas for the coming 18 months.

We have three strategic priorities:
1. Anticipate and help to prevent and to mitigate significant USG GRCC issues.
2. Foster enduring cultural change that results in consistent and quality management of USG operations and GRCC practices.
3. Build and develop the OIAC team.
Inside this issue:
From the Chief Audit Officer (page 1)
Reserve Fund Analysis (pages 2-5)
Institutional Effectiveness: Internal Control Assessment over Financial Reporting (pages 6-7)
Drowning in Logs (pages 8-9)
Contact Us (page 10)

What will the OIAC seek to accomplish during this rolling audit plan? We want to ensure the USG institutions are complying with operational and business procedure requirements, that we have strong financial controls in place and that USG institutions are properly administering and managing financial resources. Our plan ensures that we focus audit resources to best address potential risks as follows:
Auxiliary Operations & Finances (Athletics)
Budget & Financial Management
Fiscal Operations: Accounts Receivable, Cash, Inventory
Fraud Prevention and Detection
Information Technology Security
Presidential Transition Audits
Public Private Venture Program
Student Financial Aid
Tuition & Fees
Our goal is to implement an annual audit plan that strengthens our infrastructure and safeguards our resources. In the upcoming months, OIAC staff will be deployed to work with institutional audit directors and staff on these nine issues and other risk areas as they arise.

I look forward to hearing your thoughts. Please feel free to contact me at john.fuchko@usg.edu. Our Rolling Audit Plan may be found on the OIAC website at www.usg.edu/audit/internal_audit.

John M. Fuchko, III, Chief Audit Officer & Associate Vice Chancellor


A New Audit Program -- Reserve Fund Analysis

Generally Accepted Accounting Principles (GAAP) is a framework of accounting standards, rules and procedures defined by the professional accounting industry. GAAP principles are the source of accounting guidelines that companies rely on when preparing their financial statements. The standards are established and administered by the American Institute of Certified Public Accountants (AICPA) and the Financial Accounting Standards Board (FASB). Generally there are:
Four Key Assumptions: 1. Business Entity 2. Going Concern 3. Monetary Unit Assumption 4. Time Period Assumption
Four Basic Principles: 1. Cost Principle 2. Revenue Recognition Principle 3. Matching Principle 4. Full Disclosure
Four Basic Constraints: 1. Objectivity Principle 2. Materiality 3. Consistency 4. Conservatism (prudence)

At the beginning of the audit year, the OIAC distributed three new audit programs to audit directors at each institution. The three programs included Financial Aid, Contract Management and Reserve Fund Balance analysis. In this issue of the Straight and Narrow we are re-issuing the Reserve Fund Balance Analysis Audit Program as a reminder. The OIAC plans to follow up on this audit during the Spring rolling audit plan.
Background: An institution's statement of "net position" (sometimes referred to as the balance sheet) consists of assets, liabilities and fund balances. Fund balances are also referred to as net assets. The statement of net position is divided into three major categories prepared in accordance with GAAP principles.
The first category, invested in capital assets, net of debt, provides the institution's equity in property, plant and equipment.
The second category is restricted assets, which is divided into two categories, nonexpendable and expendable resources. The corpus of nonexpendable restricted resources is only available for investment purposes. Expendable restricted resources are available for expenditure by the institution but must be spent for purposes as determined by donors and/or external entities that have placed time or purpose restrictions on the use of the resources.
The final category is unrestricted resources, which are assets available for any lawful purpose of the institution. Please note though, that even though there may be an unrestricted fund balance, there may not be cash to offset this amount. Some portion of unrestricted resources may be non-spendable simply because of its form (such as inventories and uncollectible accounts receivable).
Additionally, the supplementary information provided with the financial statements includes a non-GAAP-basis budget fund balance sheet (which excludes auxiliary, agency, student activity, endowment and loan funds). In this statement, the fund balances are classified as reserved and unreserved accounts.


The following table represents how the USG generally categorizes its funds. Some funds are subject to lapse, meaning surplus funds are returned to the USG at year end. Some funds are exempt* from lapsing, which means they can be carried forward. The funds labeled "exempt" in the table are exempt only as long as the legislature extends the carryover provision, which sunsets every three years. The uncollectible accounts receivable fund is not spendable. (This table may not be all-inclusive.)

Fund Type  | Fund Number    | Fund Name                                            | Example                                              | Subject to Lapse
-----------|----------------|------------------------------------------------------|------------------------------------------------------|------------------------------------------
Reserved   | 14000          | Dept. Sales & Services                               | Continuing Ed                                        | Exempt*
Reserved   | 15000          | Indirect Cost Recoveries                             | Reimbursement of % of direct costs charged to grants | Exempt*
Reserved   | 16000          | General (Technology Fees)                            | Mandatory student fees                               | Exempt*
Reserved   | 20000          | Restricted Funds (Sponsored Funds)                   | Grants                                               | Exempt*
Reserved   | Fund of origin | Uncollectible Accounts Receivable                    |                                                      | Not spendable
Reserved   | 10500          | Tuition Carry-over                                   |                                                      | Subject to limitations: maximum 3% of
Unreserved | 10000          | State appropriation                                  |                                                      | Lapse
Unreserved | 10500          | Tuition                                              |                                                      | Lapse (adjusted by the carry-over allowed)
Unreserved | 10600          | Other General (Student fees not elsewhere reported)  |                                                      | Lapse
Unreserved | 50000          | Unexpended Plant Funds                               |                                                      | Lapse

* Exempt from lapsing only while the legislature extends the carryover provision.

The statement of cash flows is another valuable management tool. It shows the sources and uses of cash and the net change in cash during the year, and it highlights the reasons for those changes: whether they came from operating or financing activities, for example, or from increases or decreases in accounts payable and accounts receivable. For purposes of the reserve audit, include the balances in mandatory student fee funds.


Objectives: To opine on whether the institution is properly accounting for, managing, and disclosing its fund balances.

Scope: Fund balances at the most recent fiscal year end (FYE) and subsequent transactions.

Criteria: USG policies for expenditures and carry-forward of funds. Encumbered funds must be spent for the purpose for which they were encumbered (unless they are in one of the carry-forward funds). USG Policy Manual Section 7.3.2 (Student fees).

Objective: To opine on whether fund balances are properly accounted for, managed, and disclosed.
Audit Steps:
1. Summarize PeopleSoft balances by fund at the most recent fiscal year end. Describe what the balances represent; are they carry-forward funds or do they lapse?
2. Obtain Budget Compliance Reports and work papers evidencing that they were prepared using PeopleSoft balances. Were these reports submitted to the BOR?
3. Are controls in place to ensure that funds were spent in compliance with the approved budget?
4. What is the procedure for allowing budget overrides? Who has access to override the budget? Determine when overrides took place and whether or not there is documentation to support each override.
5. Look for transfers between dissimilar funds. (Funds 10000, 10500 and 10600 are similar; but Fund 13000, student activity fees, should stay in 13000, for example.)
6. Are changes in budget allocations approved by the appropriate persons? Is detailed budget information distributed to executive management?

Objective: How will the carry-forward funds be used?
Audit Steps:
1. Inquire as to the spending plan: are operating reserves being spent on operating expenses or on new projects? (They should be spent on operating expenses.) Inquire specifically about Fund 14000 (Departmental sales and services), Fund 15000 (Indirect cost recoveries), Fund 16000 (Tech fees), Fund 10500 (Tuition carry-over) and Fund 20000 (Restricted, sponsored funds).


Objective: Did fund balances related to mandatory student fees originate from fees properly authorized and charged to students? Have these fees been spent for authorized and approved purposes? Is the institution complying with reporting requirements? Are fund balances properly encumbered and spent according to the purpose for which they were encumbered?
Audit Steps:
1. Compare the Banner tables for student fees with the student fees approved by the Board of Regents. There should be no discrepancies.
2. Review the student handbook. Does it describe the duties of a student activities allocation board that complies with Board Policy 7.3.2.1 (Mandatory student fees) regarding the budgeting of student fees and the make-up of the student fee committees? Is this policy followed?
3. What procedures are in place to ensure that expenditures of student fees agree with the budget recommended by the students? If there are changes to the budget, how are the students made aware of the changes?
4. Review expenditures from mandatory student fee funds during the fiscal year. Determine whether disbursements pertain to the fund from which they were made (for example, you would expect to see payments to Blackboard made from tech fees). Also look for journal entries that may indicate transfers to other funds.
5. Obtain a list of encumbrances at FYE. Compare it to current encumbrances. Were FYE encumbrances spent for the purpose for which they were encumbered? If not, were the encumbrances canceled, and was the prior year fund equity handled properly?
6. Are any funds encumbered for what seem to be unreasonable lengths of time? If so, what is the explanation?
7. Does the institution follow written procedures to monitor encumbered funds?
8. Review expenditures from funds during the fiscal year for appropriateness. Especially look for transfers out, which may indicate re-purposing of funds.

Objective: Determine the source of one-time funding initiatives and special projects.
Audit Steps:
1. Inquire of senior management at your institution regarding the source of funds for special projects. Obtain minutes of budget meetings where allocations of funds for special projects were approved.
2. If possible, attend budget meetings to understand the budget and allocation process.

Institutional Effectiveness: Internal Control Assessment over Financial Reporting
by Angela Uyeno and Ava Turner, VSU

External financial auditors expect their clients to provide them with some form of an entity prepared risk assessment often referred to as an internal control assessment over financial reporting. This risk assessment is an objective self-assessment tool designed to evaluate whether or not risks are managed to an acceptable level. If not, controls must be strengthened. At Valdosta State University we have identified four internal control assessment tools useful to help VSU identify and mitigate risks. We share these tools in this article.
The Georgia Department of Audits and Accounts (DOAA) provides tools to help financial services personnel employed by state agencies capture and categorize risks. When prepared by an institution, the internal financial control self-assessment profile provides useful information for campus auditors to supplement their own risk analysis. The tools identified below are located on the DOAA website at the following link:
www.audits.ga.gov/EAD/CollegeResources.html.
1. Financial Risk Assessment Documentation template. This template allows the institution to document their internal control structure, identify significant balance sheet and income statement accounts, and financial accounting systems that impact the Annual Financial Reports (AFR). The template is macro enabled. Therefore, once the significant accounts and systems are identified, the template will generate a self-assessment risk questionnaire.

Internal controls are designed to mitigate risks. Risks can be anything that keeps the institution from attaining their objectives. Internal auditors typically evaluate financial risk, but other risks, such as governance, reputational, non-compliance and information technology risks also pose threats to the institution.
2. Additional Risk Questions from SAO (The State Accounting Office). The DOAA website also has a link to the SAO, whose questionnaire should be completed to supplement the DOAA Financial Risk Assessment.
3. Separation of Duties Matrix (Matrix), located on the GeorgiaFIRST Financials webpage (http://www.usg.edu/gafirst-fin/site/login). The Matrix is designed to assist the internal auditor in structuring proper separation of duties by identifying areas where internal control might be lacking. The Matrix is distributed to campus department managers for completion. Once completed, the Matrix reveals where control weaknesses exist and incompatible duties overlap. Managers are asked to detail compensating controls in situations where an acceptable (minimal) level of separation of duties cannot be attained due to limited personnel.


In addition to the three templates (Financial Control Assessment, Additional Risk Questions, and Separation of Duties Matrix), a fourth tool, an Internal Control Questionnaire (ICQ), may be completed by department heads. The ICQ is tailored to the work of the department. For example, a financial aid ICQ might include questions such as "do you employ an adequate number of qualified persons to administer Title IV aid?" Athletics might be asked to describe their process for ticket sales.

A staff accountant in the VSU financial services department compiles the results of the four questionnaires. The Director of Accounting and/or the Associate Vice President of Finance and Administration reviews the results. Senior accounting professionals make recommendations to department managers for improvement of internal controls based on weaknesses indicated in the assessments. Completing the questionnaires and implementing improvements is an excellent way for department managers to meet internal control requirements.
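The Matrix itself is a spreadsheet completed by hand, but the check it performs (flagging any one person who holds two duties that should be separated, then recording a compensating control where separation is impossible) can be automated against the role assignments in a financial system. The Python below is an added example written for this newsletter, not the GeorgiaFIRST Matrix or VSU's process: the roles, users, incompatible duty pairs and compensating control are constructed assumptions. A real run would take its incompatible pairs from the Matrix and its user-to-role data from a security export of the financial system.

```python
# Constructed data: the roles, users and incompatible duty pairs below are
# assumptions for this example, not the GeorgiaFIRST Matrix's actual content.
ROLES = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_approver": {"approve_payment"},
    "gl_accountant": {"post_journal_entry", "reconcile_bank"},
    "cashier": {"receive_cash"},
    "sysadmin": {"add_user_account"},
}

USER_ROLES = {
    "alice": {"ap_clerk", "ap_approver"},
    "bob": {"ap_clerk"},
    "carol": {"gl_accountant", "cashier"},
    "dave": {"sysadmin"},
}

# Pairs of duties one person should not hold at the same time.
INCOMPATIBLE_DUTIES = [
    ("create_vendor", "approve_payment"),
    ("enter_invoice", "approve_payment"),
    ("post_journal_entry", "reconcile_bank"),
    ("receive_cash", "post_receipts"),
    ("add_user_account", "approve_access_request"),
]

# Compensating controls a manager has documented, keyed by (user, duty, duty).
COMPENSATING_CONTROLS = {
    ("carol", "post_journal_entry", "reconcile_bank"):
        "Monthly review of bank reconciliations by the Director of Accounting",
}


def effective_duties(user_roles, roles):
    """Expand role membership into the set of duties each user can actually perform.
    Conflicts usually hide here: two individually harmless roles combine into one."""
    return {user: set().union(*(roles[r] for r in rs)) for user, rs in user_roles.items()}


def find_conflicts(duties_by_user, incompatible=INCOMPATIBLE_DUTIES):
    """Every (user, duty_a, duty_b) where one person holds both halves of a pair."""
    return [(user, a, b)
            for user in sorted(duties_by_user)
            for a, b in incompatible
            if a in duties_by_user[user] and b in duties_by_user[user]]


def assess(duties_by_user, compensating=COMPENSATING_CONTROLS):
    """Mark each conflict 'mitigated' if a compensating control is on file, else 'open'."""
    report = []
    for user, a, b in find_conflicts(duties_by_user):
        control = compensating.get((user, a, b)) or compensating.get((user, b, a))
        report.append({"user": user, "duties": (a, b),
                       "status": "mitigated" if control else "open",
                       "control": control})
    return report


if __name__ == "__main__":
    for row in assess(effective_duties(USER_ROLES, ROLES)):
        note = f" ({row['control']})" if row["control"] else ""
        print(f"{row['user']:6} {row['duties'][0]} + {row['duties'][1]}: {row['status']}{note}")
```

Run as written, the report shows two open conflicts for alice (she can both create or enter what she then approves) and one mitigated conflict for carol. The point of working from role membership rather than from a list of duties typed into a questionnaire is that the second role granted years later is what creates the conflict, and a manager filling in the Matrix from memory rarely sees it.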

The four internal control assessment tools are useful to internal auditors in their annual risk assessments. The assessments provide valuable information concerning controls over financial reporting, and the assessment recommendations may be incorporated into an internal auditor's comprehensive risk analyses.

Ava J. Turner, ajturner@valdosta.edu

Angela J. Uyeno, ajuyeno@valdosta.edu

DID YOU KNOW? New Requirements for Federal Student Aid Programs beginning with the July 2012--June 2013 school year
New U.S. tax return regulations for financial aid applicants: parental IRS tax return transcripts must be submitted to substantiate financial data reported on the Free Application for Federal Student Aid (FAFSA) form.
Eligibility of students without a high school diploma: a student must have a high school diploma or a recognized equivalent (e.g. a General Educational Development (GED) certificate or a homeschool education) to be eligible for federal student aid. Passing an approved test or completing at least six credit hours or 225 clock hours of postsecondary education is no longer an acceptable basis for admission to a postsecondary school.
Expected Family Contribution (EFC): the lower a student's EFC, the higher the student's federal student aid eligibility. Students automatically qualify for an EFC of zero if family income does not exceed $23,000.
Federal Pell Grant Program limits on eligibility: once a student has received a Pell Grant for 12 semesters, or the equivalent, they are no longer eligible for additional Pell Grants.
For more information: http://studentaid.ed.gov/about/announcements/recent-changes


Drowning in Logs
Richard Davis, CISO Georgia Highlands College

Ask any network or server admin about the importance of logs to doing his or her job and chances are good they will tell you it would be difficult, if not impossible, to operate without them. The problem is, networks are not getting any smaller. At Georgia Highlands College, the size of our network has increased tenfold in the nearly seven years I have been there. For every router, switch, firewall, server or other device with an IP address added to our network, there is a commensurate number of logs to sift through when we encounter a problem. A few years ago, accessing and parsing log data meant we had to connect remotely to the device in question and work through its logs with Windows Event Viewer or, more commonly for us, grep. If only there were an easier way. This article focuses on Georgia Highlands College's experience with log aggregation software.
To address the problem, Georgia Highlands began using Splunk. So, what is Splunk anyway? Splunk is data collection and indexing software that runs on Windows, OS X, Linux and UNIX. For every device on your network that generates log data (for example SNMP traps or informs, syslog, or NetFlow), a Splunk Universal Forwarder (a small daemon running on the system) collects the data and sends it to an indexer. You must have at least one Splunk indexer, which serves as the actual collector of the data. The indexer also provides the web GUI with which you search through the data that has been indexed.

Universal Forwarders collect whatever data you tell them to via a file called "inputs.conf," which points to the files on the file system that should be sent to the indexer. For example, from our Red Hat Enterprise Linux servers we typically send two files to the indexer: "/var/log/messages" and "/var/log/secure." These files contain critical information about the system, including remote access logs. The "outputs.conf" file specifies the location of the indexing server. In the case of syslog data, a Universal Forwarder is not necessary because Splunk can itself listen as a syslog server to receive the data; in practice many sites still place a dedicated syslog daemon in front of the indexer so that UDP syslog sent while Splunk is restarting is written to disk rather than dropped.
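As an added illustration, not taken from the original article or from Splunk's documentation, here is what those two files look like for the Red Hat servers just described, together with a small Python check that an auditor or administrator could run against a forwarder's configuration before relying on it as an evidence source. The hostname, port, index and sourcetype values are assumptions; the stanza and key names (`monitor://`, `index`, `sourcetype`, `disabled`, `[tcpout]`, `defaultGroup`, `server`, `useACK`) are Splunk's own. The check confirms that the sensitive file is actually monitored, that the default output group resolves to an indexer, and that indexer acknowledgement is turned on, since without it data the indexer accepted but had not yet committed when it failed can be lost.

```python
import configparser

# Constructed example of the two forwarder files the article describes. The
# hostname, port, index and sourcetype values are assumptions for this example,
# not Georgia Highlands' actual configuration.
INPUTS_CONF = """\
[monitor:///var/log/messages]
index = os
sourcetype = syslog
disabled = false

[monitor:///var/log/secure]
index = os
sourcetype = linux_secure
disabled = false
"""

OUTPUTS_CONF = """\
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = splunk-indexer.example.edu:9997
useACK = true
"""

# The same outputs.conf without indexer acknowledgement, to show what the check flags.
WEAK_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = splunk-indexer.example.edu:9997
"""


def load_conf(text):
    """Splunk .conf files are ini-style stanzas. Keys are case-sensitive, so keep
    their case, and turn off '%' interpolation, which Splunk values do not use."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def monitored_inputs(inputs_text):
    """Map each enabled monitor:// path to its (index, sourcetype)."""
    cp = load_conf(inputs_text)
    inputs = {}
    for section in cp.sections():
        if not section.startswith("monitor://"):
            continue
        if cp[section].get("disabled", "false").strip().lower() in ("true", "1"):
            continue
        inputs[section[len("monitor://"):]] = (cp[section].get("index"),
                                              cp[section].get("sourcetype"))
    return inputs


def check_outputs(outputs_text):
    """Resolve the default tcpout group to its indexer list and report settings
    that matter when the indexer's copy is the only surviving evidence."""
    cp = load_conf(outputs_text)
    if not cp.has_section("tcpout") or not cp["tcpout"].get("defaultGroup"):
        return [], ["outputs.conf: no [tcpout] defaultGroup, nothing is forwarded"]
    stanza = "tcpout:" + cp["tcpout"]["defaultGroup"]
    if not cp.has_section(stanza):
        return [], [f"outputs.conf: defaultGroup points at missing [{stanza}] stanza"]
    servers = [s.strip() for s in cp[stanza].get("server", "").split(",") if s.strip()]
    problems = []
    if not servers:
        problems.append(f"[{stanza}] has no server = host:port entry")
    if cp[stanza].get("useACK", "false").strip().lower() != "true":
        problems.append(f"[{stanza}] useACK is off: data the indexer accepted but "
                        "had not yet committed when it failed can be lost")
    return servers, problems


def lint_forwarder(inputs_text, outputs_text, required=("/var/log/secure",)):
    """One call returning what a reviewer wants: what is collected, where it goes, and gaps."""
    inputs = monitored_inputs(inputs_text)
    servers, problems = check_outputs(outputs_text)
    for path in required:
        if path not in inputs:
            problems.append(f"inputs.conf does not monitor {path}")
    for path, (index, sourcetype) in inputs.items():
        if not index or not sourcetype:
            problems.append(f"monitor://{path} is missing index or sourcetype")
    return {"inputs": inputs, "indexers": servers, "problems": problems}


if __name__ == "__main__":
    for label, outputs in (("good", OUTPUTS_CONF), ("weak", WEAK_OUTPUTS_CONF)):
        print(label, lint_forwarder(INPUTS_CONF, outputs))
```

Point the two text constants at the real files under the forwarder's etc/system/local directory and the same functions work unchanged; the value of running the check is that it looks at what the forwarder will actually do rather than at what the build document says was configured.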
The amount of data you may send to the Splunk indexer depends on the license. The free version of Splunk allows you to index 500MB of data per day; paid licenses begin at 1GB per day. Even 1GB every 24 hours is not a large capacity by some standards, considering that some Splunk enterprise customers generate as much as 1TB of log data daily!
Using the Splunk GUI is similar to doing a Google search. Because Splunk has its own search language, you can build very granular searches to isolate specific events. Splunk automatically extracts some fields from the log data, and you can easily teach it to extract other fields with regular expressions (RegEx). For example, you could take a proprietary log file generated by a custom piece of software and tell Splunk that the third comma-separated value is the IP address of the client connecting to that software. You could then have Splunk take that field and perform geographical (GeoIP) lookups to determine the location of the IP address. By installing a free "Google Maps" app into Splunk, the data can be plotted on a global map.
Splunk is very extensible and scalable; it also supports add-on applications (apps). By searching Splunkbase, you will find dozens of free apps that extend the functionality by adding things like Google Maps or even Cisco firewall apps that show firewall data in real time. Because Splunk's app framework is largely Python-based, you can use Python to extend the functionality even further by writing your own apps.
Log aggregation software is just as beneficial for information security and eDiscovery as it is for network or server troubleshooting. Georgia Highlands uses Splunk for security investigations to correlate data and obtain forensic evidence that can be used to track specific events. Consider, too, an attacker who compromises a server. Attackers often try to cover their tracks by removing log data. With Splunk, even if the original log data is deleted, chances are it has already been sent to the indexer and is stored in Splunk's index. Two caveats apply: this protects only the events the forwarder shipped before the attacker stopped it, and it assumes the attacker cannot reach the indexer itself, so the indexer and its administrative credentials should be managed as a separate, more tightly controlled system than the hosts it collects from. An alerting capability is also included, such that you can tell Splunk to search in real time for a particular event and send an email immediately upon detecting it. IT professionals should ensure log data has accurate timestamps. Time synchronization is critical not only for troubleshooting but especially for investigative purposes, since correlating events across hosts depends on their clocks agreeing. In short, use NTP wherever possible!
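The field-extraction idea from earlier in the article (teaching the tool to pull fields out of a raw line with a regular expression) and the alerting described above (searching in real time and firing when a threshold is crossed) can both be shown in a few dozen lines of Python. The block below is an added example and is not Georgia Highlands' Splunk configuration: it parses constructed /var/log/secure sshd lines (the hosts, users and addresses are made up), extracts fields with named groups much as a Splunk rex or EXTRACT rule would, and raises the kind of alert a security team actually wants from that file, a burst of failed logins from one address followed by a success. The equivalent search in Splunk's own language would be roughly `sourcetype=linux_secure "Failed password" | rex "from (?<src_ip>\d+\.\d+\.\d+\.\d+)" | stats count by src_ip | where count >= 5`; that search is illustrative and not from the article.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/secure lines in the syslog format sshd writes on
# RHEL. Hosts, users and addresses are made up for this example.
SAMPLE_SECURE_LOG = """\
Jun 12 10:15:01 web01 sshd[2345]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Jun 12 10:15:03 web01 sshd[2345]: Failed password for invalid user admin from 203.0.113.45 port 51236 ssh2
Jun 12 10:15:05 web01 sshd[2347]: Failed password for root from 203.0.113.45 port 51240 ssh2
Jun 12 10:15:07 web01 sshd[2349]: Failed password for root from 203.0.113.45 port 51244 ssh2
Jun 12 10:15:09 web01 sshd[2351]: Failed password for root from 203.0.113.45 port 51250 ssh2
Jun 12 10:15:12 web01 sshd[2353]: Accepted password for root from 203.0.113.45 port 51252 ssh2
Jun 12 10:20:00 web01 sshd[2400]: Failed password for jsmith from 192.0.2.10 port 40001 ssh2
Jun 12 10:40:00 web01 sshd[2410]: Accepted publickey for jsmith from 192.0.2.10 port 40002 ssh2
Jun 12 10:41:00 web01 sshd[2412]: Failed password for jsmith from 192.0.2.10 port 40003 ssh2
"""

# Named groups do the job of a Splunk field extraction: every match yields
# ts, host, pid, outcome, method, user, src_ip and port as fields.
SSHD_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_secure_log(text, year=2013):
    """Turn raw sshd lines into event dicts. Classic syslog timestamps carry no
    year and no time zone, so the caller supplies the year, and the hosts must
    keep NTP-synchronised clocks for cross-host correlation to mean anything."""
    events = []
    for line in text.splitlines():
        m = SSHD_AUTH_RE.match(line)
        if not m:
            continue  # not an authentication event
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        events.append(ev)
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding-window count of failed logins per source address: the streaming
    equivalent of 'stats count by src_ip | where count >= threshold' limited to
    the last window_seconds. Fires once per address."""
    recent = defaultdict(deque)
    alerts, fired = [], set()
    for ev in events:  # events are assumed to arrive in time order
        if ev["outcome"] != "Failed":
            continue
        q = recent[ev["src_ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ev["src_ip"] not in fired:
            fired.add(ev["src_ip"])
            alerts.append({"src_ip": ev["src_ip"], "failures": len(q),
                           "first": q[0], "last": ev["ts"]})
    return alerts


def successes_after_bruteforce(events, alerts):
    """The escalation worth paging on: a successful login from an address that
    was brute-forcing moments earlier. Returns (user, src_ip, ts) tuples."""
    flagged = {a["src_ip"]: a["last"] for a in alerts}
    return [(ev["user"], ev["src_ip"], ev["ts"]) for ev in events
            if ev["outcome"] == "Accepted"
            and ev["src_ip"] in flagged and ev["ts"] >= flagged[ev["src_ip"]]]


if __name__ == "__main__":
    evs = parse_secure_log(SAMPLE_SECURE_LOG)
    found = detect_bruteforce(evs)
    for a in found:
        print(f"ALERT {a['src_ip']}: {a['failures']} failures between {a['first']} and {a['last']}")
    for user, ip, ts in successes_after_bruteforce(evs, found):
        print(f"ESCALATE: {user} logged in from {ip} at {ts} after a brute-force burst")
```

On the sample, 203.0.113.45 trips the threshold at 10:15:09 and its successful root login three seconds later is escalated, while the two isolated failures from 192.0.2.10 twenty minutes apart stay quiet. The year parameter is the NTP point in code form: the format sshd writes has no year and no zone, so the collector must know both, and two hosts whose clocks disagree by a minute will put the same attack in the wrong order.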
Splunk is useful as a "one-stop shop" for searching log data from numerous sources simultaneously; it can generate complex reports, perform event correlation and generate alerts (and even fire off scripts when a particular alert has been triggered). Splunk aggregates log data, relieving an IT professional from parsing and sifting through logs on multiple servers.
Richard Davis, rdavis@highlands.edu

Glossary of Terms
APPS: abbreviation or slang for "applications (software)."
GeoIP or geolocation: the real-world geographic location of an IP address.
grep: a Linux/UNIX command-line search utility.
NetFlow: a protocol developed by Cisco Systems for collecting IP traffic information.
NTP (Network Time Protocol): a protocol used for clock synchronization over IP networks.
Python: an interactive, extensible high-level programming language.
RegEx (regular expressions): a pattern-matching language for matching words, strings and patterns of data.
SNMP (Simple Network Management Protocol): an Internet standard protocol used for managing and monitoring network devices.
Syslog: a standard for computer message logging.
Universal Forwarder: a dedicated Splunk package used wherever data needs to be collected directly from endpoints.

Reference Reading
Writing Aids:
The Elements of Style (4th Edition), William Strunk Jr. and E. B. White, foreword by Roger Angell
On Writing Well, 30th Anniversary Edition: The Classic Guide to Writing Nonfiction, William Zinsser
A Few Good Words: How Internal Auditors Can Write Better, More Insightful Reports, Sally F. Cutler
Harvard Business Review Guide to Better Business Writing, Bryan A. Garner, Harvard Business Press
Professional Aid:
Emotionally Intelligent Leadership (HBR Article Collection), Daniel Goleman, Richard Boyatzis and Annie McKee

Board of Regents of the University System of Georgia
Office of Internal Audit & Compliance (OIAC) 270 Washington Street, SW Suite 7093 Atlanta, GA 30334-1450
Phone: (404) 962-3020
Fax: (404) 962-3033
Website: www.usg.edu/audit/

Ask the Auditor: If you have a governance, risk management, compliance or control question that has been challenging you, let us help you find the answer. Your question can help us to become better auditors.
Want to Contribute to the Straight and Narrow? We invite you to send your questions and ideas for future articles to us for feature in upcoming Straight and Narrow newsletters.
Contact Us: USG-OIACNewsletter@usg.edu
"Creating A More Educated Georgia" www.usg.edu