Straight and narrow, Vol. 5, Issue 25 (July 2014)

The STRAIGHT and NARROW

July 2014
The Office of Internal Audit & Compliance's (OIAC) mission is to support the University System of Georgia management in meeting its governance, risk management and compliance and internal control (GRCC) responsibilities while helping to improve organizational and operational effectiveness and efficiency. The OIAC is a core activity that provides management with timely information, advice and guidance that is objective, accurate, balanced and useful. The OIAC promotes an organizational culture that encourages ethical conduct.
We have three strategic priorities:
1. Anticipate and help to prevent and to mitigate significant USG GRCC issues.
2. Foster enduring cultural change that results in consistent and quality management of USG operations and GRCC practices.
3. Build and develop the OIAC team.

Volume 5, Issue 25
Office of Internal Audit & Compliance, BOR -- USG, (404) 962-3020

From the Chief Audit Officer John M. Fuchko, III
Turning our Focus Towards Information Security
The OIAC will be turning our attention towards Information Security issues in the upcoming months.
The USG stores the personal information of hundreds of thousands of individuals associated with our student and employee records. Cloud computing, social media, mobility tools, and other advanced technologies have created new internal and external security challenges and risks that impact higher education. The OIAC is assessing these risks and looking at ways to partner with Information Security and Information Technology to further define and structure information security programs to counteract these emerging threats.
Our part of the security process is to provide assurance that the USG has implemented proper safeguards to protect vital data. To this end, the USO Information Security (INFOSEC) Audit will assess the effectiveness of information security controls in the University System Office (USO) and the implementation of the USG INFOSEC program. We will assess the adequacy of the governance structure provided by the USG Information Security and ePrivacy team to the USG institutions and other entities.

The IT Security audit will primarily focus on the USO; however, it will extend to USG institutions and other entities for more detailed testing. Our goal is to identify potential weaknesses in USG's IT security protocols in order to adequately address emerging threats and risks.
The OIAC will review specific issues, such as:
- Organizational adherence to the USG IT Handbook and security protocols;
- IT Security Management practices designed to ensure confidentiality, integrity and availability of information, data and IT services;
- IT Security Plans outlining the appropriate level of security, asset inventory and risk assessment;
- Encryption mechanisms to protect access to sensitive data;
- Procedures to manage review of user accounts and related privileges; and
- Approaches to addressing and managing responsiveness to a security incident.
The OIAC will provide additional information regarding this review in the near future.
I look forward to hearing your thoughts. Please feel free to contact me at john.fuchko@usg.edu or 404-962-3025. Our Rolling Audit Plan may be found on the OIAC website located at: www.usg.edu/audit/internal_audit.
John M. Fuchko, III, Chief Audit Officer & Associate Vice Chancellor

Inside this issue:
From the Chief Audit Officer ..... 1
Athletic Program Review ..... 2
FY2013 Audit Results ..... 4
OIAC/ACUA Wrap-up ..... 6
Think Compliance First ..... 7
IT--Data Breaches ..... 8
Did You Know?
Hotline--Ethical Culture ..... 10
Contact Us ..... 12

Athletic Program Review

USG Policy on Auxiliary Enterprises and Intercollegiate Athletics
BOR 4.5 Intercollegiate Athletics outlines the policy on establishing and funding intercollegiate athletic programs.
BOR 7.2.2 Auxiliary Enterprises Revenues and Expenditures provides guidance on funds spent and earned through enterprise activities related to the mission of USG institutions.
Auxiliary enterprise operations should operate on a self-supported basis with revenues derived from student fees and other non-state sources. Auxiliary Enterprises include [but are not limited to]: Housing; Food Services; Student Health Services; Student Activities; Intercollegiate Athletics; Parking; Transportation; Stores and Shops; and Vending and Other Services.

Overview and Purpose
Athletic programs can potentially be one of the most financially promising auxiliary operations managed by a University. Intercollegiate sports in all forms provide Universities with the opportunity to generate revenues for special purposes not payable using "public" funds or tax payer dollars.
Some basic tenets of auxiliary operations include:
- It must be self-supporting--each auxiliary operation should generate enough revenue to pay for the expenses incurred by an institution to provide the service. This may include expenses for staffing, plant operations and facility maintenance, etc.
- It must have a dedicated source of revenue--the provision of the service and the expenses attributable to the provision of the service must be self-supported with revenues derived from student fees and other non-state sources.
The amount of resources expended and cash collected through an auxiliary program can create intentional and unintentional opportunities for fraud, waste and abuse, potentially jeopardizing the University's integrity and reputation.
The upcoming USG audit will initially examine one auxiliary enterprise--Intercollegiate Athletics. BOR 4.5--Intercollegiate Athletics outlines USG policy on university athletics. "The policy governs an institution's establishment of intercollegiate athletics, expansion of sports, changes in intercollegiate athletic competition levels, and funding of intercollegiate athletics programs." (BoR minutes, March 2013).
The purpose of BOR 4.5 is to define two issues: 1) responsibility to establish the importance of athletic programs, and 2) establish some parameters for implementing and managing the activity "...in an ethically and fiscally responsible manner consistent with the rules, regulations, and principles of the national intercollegiate athletic associations and the conferences with which the institutions are affiliated" (BoR minutes, March 2013).
The policy also defines the requirements for program oversight, identifies the person/entity responsible for the operation of the athletic program, and finally, establishes the approval process for an athletic program and/or expansion of an existing program. Most significantly, the policy outlines the institutions' responsibility for:
- ensuring athletic program funding requirements are achieved;
- distributing athletic scholarships to students;
- maintaining financial viability; and
- providing audit reports to the USG Chief Audit Officer.
BOR 4.5 is lengthy and very explicit on the role, responsibilities and requirements for maintaining an athletic program. This policy will establish the basis for the upcoming audit program.

Audit Program Objectives
The upcoming USG Audit will review all existing USG athletic programs. The audit will consist of an assurance and operational review. Our first objective is to assure the USO that proper safeguards are in place to adhere to policy, procedure and operational practices. We will also seek to identify potential best practices and other similar efficiencies that may be relevant to USG operations.
Our second objective is to determine the level of compliance of USG athletic programs with existing policies and procedures, especially those related to internal controls designed to mitigate significant risks (e.g. continued financial viability, inter-athletic conference program participation, safety and athletic students' success).
Our review will incorporate many different aspects of athletic operations, including the following:
- Allocation and administration of out-of-state tuition waivers to student-athletes
- Governance structure and characteristics for athletic programs
- Descriptive characteristics of the programs, such as the number of teams, student-athletes, type and gender of sports
- Financial characteristics of athletic programs and teams
- Program and team staffing models
The OIAC is still in the process of developing and testing the sufficiency of the audit program. We want to ensure the program is properly vetted before it is released to institutions. We estimate distributing the audit program by September 2014. It will also be published in the next Straight and Narrow.

Georgia Department of Audits and Accounts: FY 2013 Audit Results -- Common Audit Issues
By Ted Beck, OIAC

The Georgia Department of Audits and Accounts (DOAA) recently completed their work for the FY 2013 audit cycle. These engagements vary across institutions, and take one of three forms: 1) a full financial statement audit, 2) a full disclosure management report, or 3) agreed-upon procedures. The scope and level of detail for these engagements is defined by the audit type, with full financial statement audits being the most comprehensive, and agreed-upon procedures focusing only on selected areas of testing. The overall results of the FY 2013 audit cycle demonstrate positive change, most notably the identification of only two material weaknesses at a single institution, in comparison to the FY 2012 cycle, which had eight material weaknesses at three different institutions.
The following sections highlight the three most common types of issues across the USG resulting from the FY 2013 audit cycle, as well as recommended resolutions and other means of mitigating these control deficiencies.

[Chart: # of Issues by category -- Financial Reporting: 41; Financial Management: 29; Financial Aid: 17]

Financial Reporting
As DOAA's work as an external auditor is largely concerned with the fair presentation, in all material aspects, of each USG institution's financial position, the most common category of findings was related to the accuracy of financial reporting practices. Forty-one separate deficiencies, ranging in impact from material weakness findings to verbal comments, were associated with this category of exceptions. The most severe of these exceptions identified "significant and material errors and omissions" within both budgetary and financial statements presented by the institution for audit.
Other common deficiencies included the following:
- Subsidiary ledgers that could not be reconciled to the general ledger (or that did not provide appropriate documentation for various journal entries);
- Inaccurate or inadequate tracking of capital assets, including incorrect lease purchase obligation calculations; and,
- Incorrect posting of scholarship allowances, resulting in understatements of allowances and overstatement of fellowships.
Though most deficiencies reported in this category were not of a significant or material nature, repeated or systemic findings in this area could be viewed as evidence of inadequate financial management and accounting controls.
We recommend that all USG institutions ensure appropriate resources are dedicated to the financial management and reporting functions, and take advantage of opportunities such as the year-end financial statement workshops. Finally, institutions should seek clarification or guidance from University System Office staff responsible for the Consolidated Annual Financial Statements as needed to enhance the accuracy and reliability of these materials.

Financial Management
The second most common category, representing 29 separately identified deficiencies, comprised exceptions related to financial management practices and, more generally, issues regarding the controls for those practices. Specifically identified issues included the following:
- Incorrect proration of summer tuition between fiscal years;
- Recognition of expenditures and other payables in the wrong accounting periods; and,
- Failure to appropriately collateralize institutional checking accounts.
While the impact and severity of the findings identified in this area were largely of a limited nature, as with exceptions related to financial reporting, repeated findings or evidence of systemic control issues can result in more significant audit concerns. We recommend that USG institutions carefully assess the internal control structure for their respective financial management processes, and ensure that the associated risks are effectively mitigated. The USG Business Procedures Manual offers substantive guidance for most common business practices within the USG enterprise, to include the appropriate control structures for those activities.

Financial Aid
Findings related to the administration of financial aid at USG institutions represented the third-most common area of exceptions, totaling 17 separately identified deficiencies. Eight of these 17 findings (47 percent) were classified as significant deficiencies, giving an indication of the severity of the exceptions identified in this area. The most commonly identified deficiencies included the following:
- Incorrect calculation and/or untimely return of Title IV award payments to the U.S. Department of Education for students officially and/or unofficially withdrawing from the institution;
- Improper determination of student financial aid need; and
- Errors in the methodology for and/or the assessment of student satisfactory academic progress.
The ability of USG institutions to accurately administer and disburse federal financial aid to students is of critical importance given the system's reliance on this funding as a revenue stream. Financial aid awards represent about 70% of the approximately $2 billion in tuition recognized by the USG each year. Thus, USG institutions must ensure the necessary controls and well-defined business processes related to the administration of federal financial aid are in place. We recommend that USG institutions remain up-to-date on training and compliance requirements for federal financial aid by participating in collective enterprise meetings such as the USG Financial Aid Directors meetings and other state- and nationally-based organizations such as the Georgia Association of Student Financial Aid Administrators (GASFAA), Southern Association of Student Financial Aid Administrators (SASFAA), and National Association of Student Financial Aid Administrators (NASFAA).
Ted Beck, Audit Manager, Office of Internal Audit & Compliance
Telephone: 404-962-3023 Email: ted.beck@usg.edu

Take-Aways from the OIAC and the Association of University and College Auditors (ACUA) Georgia Conference, May 2014
The BOR Office of Internal Audit and Compliance (OIAC) and the Association of University and College Auditors (ACUA) co-sponsored our fifth annual Georgia Audit conference held at Clayton State University Conference Center. The conference theme was Enrollment Management. The program featured elements of Enrollment Management as a continuum, beginning with the process of recruiting prospective students, admitting students, authorizing financial aid, mentoring and implementing strategies for at-risk students, assuring campus safety, providing housing, and finally graduating successful well-educated citizens!
Eleven speakers representing seven USG institutions presented. The President's panel with Dr. Cheryl Dozier, President, Savannah State University; Dr. David Bridges, President, Abraham Baldwin Agricultural College; and Dr. Kyle Marrero, President, University of West Georgia spoke about their perspectives on the importance of enrollment management strategies and how to engage the entire campus community. This was a key take-away--"enrollment management is everyone's business".
Our guest speakers included two Special Agents of the Office of Inspector General, Jason Moran, who discussed institutional fraud issues, and Yessyka Santana, who discussed the seriousness of financial aid fraud; Louis Negron of United Way of Atlanta discussed Non-Profit Initiatives Promoting Higher Education; and Attorney Scott Killingsworth presented issues pertinent to Driving Compliance Results through Ethical Leadership and Organizational Culture. These presentations provided training beyond the boundaries of recruitment and admissions and demonstrated comprehensive techniques that can be incorporated into improving enrollment management strategies at institutions. This was a second key take-away--incorporate subject matter from diverse areas to enhance enrollment management discussions and strategies. A third key take-away, gleaned from Georgia State University Dr. Renick's presentation--use data analytics to help identify students at risk of not achieving academic progress.
Many thanks to participants who attended the conference and all of the speakers! Next year, ACUA will sponsor the Mid-year conference in Atlanta, so OIAC invites auditors, accountants, and business officers to attend the ACUA conference.
Sandra Evans, Auditor, OIAC

Institutional Effectiveness -- "Think Compliance First"
Guest Contributor: Deann M. Baker, Managing Director, Compliance Advisor Specialists, LLC

You might wonder how it is that a person or an organization would consider or "think compliance first." We "think compliance first" by contributing to the development of a "Do the right thing" culture. To understand how we all contribute to such a culture, we need to evaluate the following definitions:
1. Culture is the set of shared values and goals that an organization follows. Culture is what sets an organization apart from its peers.
2. Values are often wide-ranging ideals regarding the right course of action.
3. A value system is a set of consistent values and measures.
4. Compliance programs are systematic procedures established by an organization to ensure that requirements of the regulations imposed by a government agency are met.
Organizations communicate their value system through written standards of conduct, often referred to as a Code of Ethics or a Code of Conduct. These documents are the foundation of an organization's policies and procedures, and provide statements of the intention to comply with requirements it must meet. Values give us a sense of what is right and wrong, and help us to know the "right course of action" to take. One of the purposes of a compliance program is to help create a "Do the right thing" culture.
There are guidelines that tell organizations how to design and implement effective compliance programs. These guidelines address several requirements, including the need to create an ethical culture by "(1) exercise due diligence to prevent and detect criminal conduct; and (2) promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law."
A value system is a set of consistent values and measures. There is an old saying that what gets measured gets done. This is also true of incentives. It is helpful if management ties workforce incentives to expected performance. The guidelines for designing and implementing compliance programs also address incentives, and state: "The organization's compliance and ethics program shall be promoted and enforced consistently throughout the organization through appropriate incentives to perform in accordance with the compliance and ethics program." An example of compliance activities that can be measured and can incentivize is the participation of the workforce in assigned compliance education and/or completion of certain policies and procedures that address the organization's risks.
Everyone has a part in creating an ethical culture, whether it is incentivized or not. When we all do our part to "do the right thing," we are "thinking compliance first."

Information Technology--Understanding Data Breach
Kenyatta Morrison, OIAC

Understanding Data Breaches
Any institution that houses critical assets such as Social Security numbers, Credit Card numbers, intellectual property or other proprietary data is at risk of a data breach. The size of the institution does not matter. A data breach is an incident where personally identifiable data is accessed and/or stolen by an unauthorized source. The data can be compromised by an outside party, such as a hacker, or by an internal party (perhaps a disgruntled or recently terminated employee).
The US Secret Service 2011 Data Breach Investigations Report described common traits of data breaches as:
- 83% of victims were targets of opportunity
- 92% of attacks were not highly difficult
- 96% of breaches were avoidable through simple or intermediate controls
- 89% of victims subject to Payment Card Industry Data Security Standard (PCI-DSS) had not achieved compliance
- 76% of all data was compromised from servers
- 86% were discovered by a third party

But, when a "data breach" is reported, many people associate violations with companies like Target, Neiman Marcus and Michael's. Why? Each of these companies has been the victim of a recent data breach where the personal information of its customers was compromised.
Data breaches have also occurred at universities across the country. In February of this year, an outside source gained access to a University's secure records database and obtained more than 300,000 personal records for faculty, staff and students dating back to 1998. The records included name, social security number, date of birth and University identification number. The hackers did not change anything within the University's computer system, but did duplicate the information. In response to the intrusion, state and federal law enforcement authorities investigated the incident. The University contacted each of the affected individuals to offer free credit monitoring service.
Below are examples of data breaches that occurred at other Universities across the country this year:
- Unauthorized access to a database, for one of its grant-funded projects administered on the campus, containing personally identifiable information for an estimated 50,000 individuals.
- Staff error left information on 146,000 students exposed for 11 months.
- Names, email addresses and phone numbers of as many as 1,307 current and former students were stolen from a web server and posted online by a hacker.
- Server containing the information of 291,465 former, current, and aspiring students and 784 employees was hacked.

Data Breaches can be costly to Institutions
The Chronicle of Higher Education reported that costs of data breaches at universities can run into the millions. Even though there may not be any reports regarding illegal use of the compromised information, the institution is still required to respond.
Expenses incurred in response to a data breach may include:
- Notifying all affected individuals
- Setting up a call center to field questions from those affected
- Hiring IT forensics consultants to investigate
- Providing credit protection services to all those affected
- Obtaining legal representation for your institution
A 2013 study published by the Ponemon Institute reported that the average cost of a data breach in higher education is $111 per record. This can be an unexpected expense, as few institutions have a line item in their budget for "data breach". In addition, cybersecurity insurance in higher education is a fairly new phenomenon and rarely purchased. While there is data available on the average financial cost to an institution, the damage to an institution's reputation cannot be appraised or determined.
How can an Institution safeguard against data breaches?
The open technology architecture found at universities allows faculty and students to do their work with ease, but open technology architecture opens the environment to exponential security risks. To reduce the chance of a data breach at an institution, the institution must assess its vulnerabilities and take steps to help prevent a data breach. Some low-cost steps can include:
- Develop an IT risk management plan that includes a description of all systems used, the data stored and processed, and assign ownership for the protection of the data.
- Educate faculty, staff and students on the need to protect sensitive data and the mechanisms available to provide such protection.
- Delete data that is no longer needed.
- Prohibit the transmission of sensitive information over unencrypted, unprotected email.
EVERYONE has a role in preventing a data breach. It is no longer acceptable to look at data breaches from the "if" perspective; they must be looked at from the "when" perspective. By treating the protection of data as an ongoing practice, your institution can help reduce the likelihood of exposure, minimize a potentially costly data breach, and be prepared to respond when the notification comes, "We've had a data breach".
Kenyatta Morrison, Director of IT Audit, OIAC
Telephone: 404-962-3028 Email: kenyatta.morrison@usg.edu

PROMOTING AN ETHICAL CULTURE: THE ETHICS & COMPLIANCE REPORTING HOTLINE

In January of 2008 the University System of Georgia's (USG) Ethics & Compliance Reporting Hotline became operational. The hotline is just one part of a comprehensive ethics and compliance program which is designed to promote the highest standards of ethical and professional conduct within the USG. The following are the answers to frequently asked questions regarding the hotline.
Question: What is an Ethics & Compliance Reporting Hotline?
Answer: The hotline is a way to confidentially report concerns regarding fraud, waste, and abuse and any other improper, unprofessional, or illegal activity within the USG. The hotline does not replace existing reporting mechanisms, to include reporting concerns to an employee's supervisor, but rather serves as an additional reporting option, which may be used anonymously.
Question: How do I make a report?
Answer: Reports can be made on-line or by telephone 24 hours a day, 7 days a week. Each institution and the System Office have a hotline web address and a telephone number assigned to it. A list of the web addresses and telephone numbers for each institution and the system office can be accessed from the following web address:
http://www.usg.edu/audit/compliance/reporting_contacts
On the Ethics and Compliance contact page, select the link for your institution.

Question: Who can make a report?
Answer: Reports can be made by any USO employee, student or the public.

Question: Will my report be confidential?
Answer: All reports will be treated in a confidential and professional manner. Those who make reports can choose to identify themselves or remain anonymous. The hotline is administered by a 3rd party vendor which provides for confidential communication. Those making reports will be provided with a Personal Identification Number and instructions so they can follow-up with additional information or simply check on the status of a report.

Question: What should be reported?
Answer: Employees should report violations of state or federal law and violations of USG policies. Employees should also report concerns regarding unprofessional or unethical practices. Of special concern are fraud, waste and abuse in that these types of malfeasance directly affect our stewardship responsibilities.
Question: What should not be reported?
Answer: The hotline should not be used as a tool to harass, embarrass or undermine co-workers or supervisors or to settle old scores. Reports should only be made in good faith where there is a reasonable belief in the truth or accuracy of the information provided. Any employee who knowingly files a false report may be subject to disciplinary action up to and including termination.
Question: Would I be subject to retaliation?
Answer: State law and USG policy prohibit any employee from retaliating against another employee who, in good faith, has reported concerns or wrongdoing or who has cooperated with an authorized investigation. Employees may make reports of wrongdoing without fear of reprisal.
You can look forward in the next issue of this publication to information concerning the number and types of cases received on the USG hotline since 2008.

Do You Have Questions about Ethics & Compliance Practices or Issues? What Type of Questions would you like addressed?
I would like to hear from you!

Wesley Horne, Director of Ethics and Compliance, OIAC
Telephone: 404-962-3034 Email: wesley.horne@usg.edu

Reference Reading
Professional Aids
- Fraud Auditing and Forensic Accounting, by Tommie W. Singleton and Aaron J. Singleton, John Wiley & Sons, 2012
- Effective Interviewing and Interrogation Techniques, by William L. Fleisher and Nathan J. Gordon, Academic Press, 2011
- The Internal Auditor's Guide to Risk Assessment, by Rick A. Wright Jr., The IIA Research Foundation, 2013
Management Aids
- 10 Key Techniques to Improve Team Productivity: A Guide to Developing Your Team's Full Potential, by Hernan Murdock, CIA, The Institute of Internal Auditors Research Foundation, 2011
- Reviewing Kettering Foundation Studies of the Role of HIGHER EDUCATION in American Democracy, Kettering Foundation, 2012

Board of Regents of the University System of Georgia
Office of Internal Audit & Compliance (OIAC) 270 Washington Street, SW Suite 7093 Atlanta, GA 30334-1450
Phone: (404) 962-3020
Fax: (404) 962-3033
Website: www.usg.edu/audit/

? Ask the Auditor ?
If you have a governance, risk management, compliance or control question that has been challenging you, let us help you find the answer. Your question can help us to become better auditors.
Want to Contribute to the Straight and Narrow? We invite you to send your questions and ideas for future articles to us for feature in upcoming Straight and Narrow newsletters.
Contact Us: USG-OIACNewsletter@usg.edu
"Creating A More Educated Georgia" www.usg.edu