The STRAIGHT and NARROW
October 2014
The Office of Internal Audit & Compliance's (OIAC) mission is to support the University System of Georgia management in meeting its governance, risk management and compliance and internal control (GRCC) responsibilities while helping to improve organizational and operational effectiveness and efficiency. The OIAC is a core activity that provides management with timely information, advice and guidance that is objective, accurate, balanced and useful. The OIAC promotes an organizational culture that encourages ethical conduct.
We have three strategic priorities:
1. Anticipate and help to prevent and to mitigate significant USG GRCC issues.
2. Foster enduring cultural change that results in consistent and quality management of USG operations and GRCC practices.
3. Build and develop the OIAC team.
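Inside this issue:
From the Chief Audit Officer
Fraud Awareness
BOR Ethics Policy
Lean Six Sigma for Higher Education
Fraud Prevention
Three Lines of Defense in Effective Risk Management
Contact Us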
Volume 5, Issue 26 Office of Internal Audit & Compliance, BOR -- USG, (404) 962-3020
From the Chief Audit Officer John M. Fuchko, III
USG Participates in International Fraud Awareness Week
The University System of Georgia (USG) is a proud participant of International Fraud Awareness Week, Nov. 16-22, 2014. In support of this effort, USG institutions will be hosting activities to bring awareness to fraud and further promote an ethical culture on our campuses. As you know, no organization or institution is exempt from the potential for fraud and the resulting risk to institutional reputation and the reputation of its employees.
Ethical behavior is a hallmark of public service and public higher education. Dedicating a week to recognize the importance of maintaining and strengthening our ethical culture recognizes the hard work of all employees, and promotes our shared values of integrity, excellence, accountability and respect.
Activities during this week will help bring awareness to fraud prevention and the value of an ethical workplace culture which enhances employee morale, retention and productivity.
Our theme for this week is "The SPIRIT of USG." Planned activities will emphasize:
Stewardship, Prevention, Integrity, Responsibility, Inspiration, and Trust
The USG awareness program is part of our comprehensive Ethics and Compliance Program which includes mandatory ethics training, compliance training, assurance audits, consulting engagements and an ethics and compliance reporting hotline.
I look forward to hearing your thoughts. Please feel free to contact me at john.fuchko@usg.edu or 404-962-3025. You may also contact Wesley Horne, OIAC Director of Ethics and Compliance at wesley.horne@usg.edu or 404-962-3034 about Fraud Awareness Week activities.
John M. Fuchko, III Chief Audit Officer & Associate Vice Chancellor
USG POLICY
The University System of Georgia has a very robust ethics policy, and fraud prevention and detection program. The policy may be found in the Board of Regents Policy Manual Section 8.2.20. A link to the Policy is highlighted below.
Ethics & Compliance Program
The USG Board of Regents has established a system-level Ethics & Compliance Program (Program). The Program is intended to assist the Board, the Chancellor, and institution management in the discharge of their compliance oversight responsibilities. The Program is part of the Office of Internal Audit and Compliance (OIAC) which reports to the Chancellor and to the Board of Regents Committee on Internal Audit, Risk, and Compliance. OIAC's authority to manage the Ethics & Compliance Program is specified in the OIAC Charter.
Link to Ethics Policy
Link to Ethics Program
Fraud Awareness
The Association of Certified Fraud Examiners (ACFE) is celebrating its 25th anniversary as the world's largest anti-fraud organization and premier provider of anti-fraud training and education. The mission of ACFE is reducing business fraud worldwide and inspiring public confidence in the integrity and objectivity within the profession. According to a survey of Certified Fraud Examiners (CFEs) who investigated cases between January 2010 and Fall of 2011, organizations worldwide lose an estimated 5 percent of their annual revenues to fraud. ACFE's annual Report to the Nations on Occupational Fraud and Abuse provides statistics on fraud and abuse worldwide.
International Fraud Awareness Week is scheduled November 16-22, 2014. It is a media campaign that encourages business leaders and employees to proactively take steps to minimize the impact of fraud by promoting ethical behavior as an organizational cultural norm. The USG is participating in Fraud Awareness Week systemwide by promoting fraud awareness education. We encourage USG institutions to host training opportunities, distribute fraud awareness information, and generally to promote an ethical culture during the week.
"We organize several outreach events, and will be doing a series of seminars during the week with students in our fraud examination minor and forensic accounting graduate (programs)."
-- Timothy Pearson Director, School of Accountancy Georgia Southern University - Center for Forensic Studies
For more information on International Fraud Week please browse www.fraudweek.com.
Fraud Prevention Tip of the Week
Be proactive. Adopt a code of ethics for management and employees. Set a tone at the top that the company will not tolerate any unethical behavior.
Ethics Policy, BOR 8.2.20
8.2.20 University System of Georgia Ethics Policy
8.2.20.1 Introduction
The USG is committed to the highest ethical and professional standards of conduct in pursuit of its mission to create a more educated Georgia. Accomplishing this mission demands integrity, good judgment and dedication to public service from all members of the USG community.
While the USG affirms each person's accountability for individual actions, it also recognizes that the shared mission and the shared enterprise of its institutions require a shared set of core values and ethical conduct to which each member of the USG community must be held accountable. Furthermore, the USG acknowledges that an organizational culture grounded in trust is essential to supporting these core values and ethical conduct.
The following Statement of Core Values and Code of Conduct are intended to build, maintain and protect that trust, recognizing that each member of the USG community is responsible for doing his/her part by upholding the highest standards of competence and character.
8.2.20.2 Applicability
The USG Ethics Policy applies to all members of the USG community. The USG community includes:
All members of the Board of Regents;
All individuals employed by, or acting on behalf of, the USG or one of the USG institutions, including volunteers, vendors, and contractors; and,
Members of the governing boards and employees of all cooperative organizations affiliated with the USG or one of its institutions.
Members of the Board of Regents and all individuals employed by the USG or one of its institutions in any capacity shall participate in USG Ethics Policy training, and shall certify compliance with the USG Ethics Policy on a periodic basis as provided in the USG Business Procedures Manual. Cooperative organizations, vendors, and contractors shall certify compliance with the USG Ethics Policy by written agreement as provided in the USG Business Procedures Manual.
The USG Ethics Policy governs only official conduct performed by or on behalf of the USG. Violations of the USG Ethics Policy may result in disciplinary action including dismissal or termination.
8.2.20.3 Statement of Core Values
Every member of the USG community is required to adhere to the USG Statement of Core Values -- Integrity, Excellence, Accountability, and Respect -- that form and guide the daily work of the organization.
Integrity -- We will be honest, fair, impartial and unbiased in our dealings both with and on behalf of the USG.
Excellence -- We will perform our duties to foster a culture of excellence and high quality in everything we do.
Accountability -- We firmly believe that education in the form of scholarship, research, teaching, service and developing others is a public trust. We will live up to this trust through safeguarding our resources and being good stewards of the human, intellectual, physical and fiscal resources given to our care.
Respect -- We recognize the inherent dignity and rights of every person, and we will do our utmost to fulfill our resulting responsibility to treat each person with fairness, compassion and decency.
8.2.20.4 Purpose of the Code of Conduct
The USG recognizes that each member of the USG community attempts to live by his or her own values, beliefs and ethical decision-making processes. The purpose of the Code of Conduct is to guide members of the USG community in applying the underlying USG Statement of Core Values to the decisions and choices that are made in the course of everyday endeavors. Each USG institution must ensure that its institutional ethics policies are consistent with this USG Ethics policy.
8.2.20.5 Code of Conduct
We will:
I. Uphold the highest standards of intellectual honesty and integrity in the conduct of teaching, research, service and grants administration.
II. Act as good stewards of the resources and information entrusted to our care.
III. Perform assigned duties and professional responsibilities in such a manner so as to further the USG mission.
IV. Treat fellow employees, students and the public with dignity and respect.
V. Refrain from discriminating against, harassing or threatening others.
VI. Comply with all applicable laws, rules, regulations and professional standards.
VII. Respect the intellectual property rights of others.
VIII. Avoid improper political activities as defined in law and Board of Regents Policy.
IX. Protect human health and safety and the environment in all USG operations and activities.
X. Report wrongdoing to the proper authorities; refrain from retaliating against those who do report violations; and cooperate fully with authorized investigations.
XI. Disclose and avoid improper conflicts of interest.
XII. Refrain from accepting any gift or thing of value in those instances prohibited by law or Board of Regents policy.
XIII. Not use our position or authority improperly to advance the interests of a friend or relative.
8.2.20.6 Interpretation and Sources
The Statement of Core Values and Code of Conduct do not address every conceivable situation or ethical dilemma that may be faced by members of the USG community. Members of the USG community are expected to exercise good judgment absent specific guidance from this policy or other applicable laws, rules and regulations.
Specific questions pertaining to the Statement of Core Values or Code of Conduct should be directed to a supervisor or other competent authority at the University System Office or at the institution's office of Legal Affairs, Internal Audit, Compliance, Human Resources, Academic Affairs, or other appropriate office.
There are also multiple sources of authority that address specific questions or situations. Examples include:
1. Board of Regents Policy Manual
2. Board of Regents Business Procedures Manual
3. Board of Regents Human Resources Administrative Practice Manual
4. Institutional policies, handbooks and procedures
5. State Laws and Regulations
6. Federal Laws and Regulations
Further specific explanatory notes and references may be found on the USG's website at: http://www.usg.edu/audit/compliance/ethics/ or its successor reference (BoR Minutes, November 2008).
International Fraud Awareness Week
November 16-22, 2014
For More Information Contact:
Wesley Horne, Director of Ethics & Compliance
Office of Internal Audit and Compliance (OIAC)
Email: Wesley.horne@usg.edu
Telephone: 404-962-3034
Institutional Effectiveness
"Lean Six Sigma for Higher Education--Black Belt"
Jeanne Royal Severns, LSSHE, MBA, CPA, CIA Valdosta State University
Continuous Improvement
Is it acceptable for a doctor to drop a newborn baby at birth? Of course not. Is it acceptable if one's paycheck is short by $100 while another's is overpaid by $100? The sum of these two checks is the same either way; so, does it matter? Of course it does. Quality matters. The best way to ensure quality, whether a manufactured product or a professional service, is through continuous improvement. How does one achieve continuous improvement? It is achieved through the use of real data to understand a process, then by the elimination of waste while actively promoting consistency. A proven way to achieve the highest level of quality is to adopt the Six Sigma methodology. In somewhat technical terms, Six Sigma (or 6σ) means 99.9999997% of any process is between the Lower Control Limit and the Upper Control Limit. Translated into English, one gets "it" right 99.9999997% of the time, or just one mistake 3.4 times out of every one million attempts. The idea of Six Sigma can be frightening unless you happen to have a good working knowledge of statistics. Here's what it looks like: your mistakes are the outliers on the tail end of the curve. Everything else is acceptable.
Many believe that 99.9999997% accuracy is ridiculous. Students are expected to get a 70% or 75% to pass. Many are happy with an 80% and ecstatic with a 90%. But in actuality, even 99.9% accuracy in many processes is not good enough. Unless of course one is willing to accept:
50 newborn babies dropped at birth by doctors every day
1 hour of unsafe drinking water every month
12 newborns given to the wrong parents daily
880,000 credit cards in circulation with incorrect cardholder information on their magnetic strips.
Here's the good news: one can learn and begin to incorporate Six Sigma processes into his/her work, whatever it is, without knowing statistics. Six Sigma techniques can be used to:
Assist in preparing institutional effectiveness reports and setting realistic planning goals
Provide a template for problem solving
Help establish measures
Make processes visible
Obtain information on the voice of the internal and external customer and
Identify and reduce hidden costs.
Six Sigma is merely the name given to a customer focused, well defined, problem solving methodology supported by analytical tools. The methodology results in continuous improvement and consistency. With Six Sigma one can have confidence that what he/she plans to happen actually will happen.
GETTING STARTED
Here are a couple of simple tools to get you started.
The first tool is the "Five Whys". Here's one illustration of how 5 Whys may get to the root cause of a problem. My boss asks and I answer:
1. Why isn't your work finished? Because I get too many phone calls.
2. Why do you get so many phone calls? Is it because people are calling to ask you why your work is not finished? No. People are asking what time the office closes.
3. Why are they asking you that? We haven't published our summer hours on our website.
4. Why? Because I am responsible for posting changes to the website.
5. Why haven't you done it? I don't know how.
Solution: Learn how to post the hours on the website.
A second tool in the 6σ toolbox is the 5S's. The 5S's can be implemented by everyone - right now.
1. SORT--- Clear the work area and discard any unnecessary items. Remove the clutter. You will probably find that doing nothing more than this will make you more efficient and organized. Do you sometimes just get tired of looking at the messy desk?
2. SET IN ORDER--- Prioritize and categorize work. Locate things so that you can find them quickly. "Everything has a place and everything should be in its place." Easy access saves time and searching.
3. SHINE--- Cleanliness and workplace appearance should be a part of normal operations. Neatness counts.
4. STANDARDIZE--- Everyone should have clear responsibilities and perform their task in standard ways. This step really goes to the heart of best practices. Look for personal best practices.
5. SUSTAIN--- Maintain the improvements gained in the first four steps. Repeat the event periodically.
Of course there is a lot more to Six Sigma than these two simple techniques. It is a data driven problem-solving methodology which teaches how to define problems, how to measure, and how to analyze. It includes many proven techniques for improving and then just as importantly controlling a process.
Embracing and implementing Six Sigma can result in lower costs, greater efficiencies and consistencies which leads to increased customer and employee satisfaction -- and fewer dropped babies.
Jeanne R. Severns Audit Director
Valdosta State University
Fraud Prevention
Melissa B. Hall Georgia Institute of Technology
In today's Higher Education environment, pressures are growing. Our purpose is tied to managing enrollment, retaining and graduating more students, all while controlling spending and enhancing educational quality and maintaining affordability. The "do more with less" pressure can push some employees to make unethical decisions. The study of fraud tells us that when the external pressures mount, the occurrence of fraud increases. There are some simple things that each and every one of us can do to make a significant impact in the deterrence of fraud, waste, and abuse on our campus.
1) Educate your employees about the way to report instances of fraud. Use every meeting as an opportunity to educate. I never leave an audit interview without taking full advantage of that opportunity. I always ask... "Have you been asked to do something you felt was wrong" or "have you observed someone doing something you felt was wrong?" I'm always surprised by their answers. If I find that they are reluctant to share, but can sense they have concerns, I use this as an opportunity to discuss our hotline and ensure they understand that the hotline is completely anonymous. These conversations are prime opportunities to remind employees that they can make a difference too.
2) Begin an awareness campaign - Advertising executives will tell you that it takes approximately seven times for someone to hear your message for it to really be retained and understood. Creating awareness can be a very simple process, so don't let it be overwhelming. Begin with a simple postcard advertisement about your hotline. Indicate hotline numbers are on your website, and hang posters in common areas used by employees or in each department. Our analysis indicates that it is effective to advertise our hotline with a simple postcard every other month. This postcard is critical in the process of reminding employees to report their concerns. We monitor the effectiveness of the hotline advertisement, and each time we send out a postcard, there is an increase in the number of hotline incidents reported.
3) Assess your "tone in the middle" - We always hear about the "tone at the top", but I am challenging you to assess your department's "tone in the middle". A college campus by nature is a decentralized environment. Managers convey ethical expectations by their actions and by setting ethical behavior. But, how do you know if your expectations are being carried out by your trusted middle managers? One way to measure the "tone in the middle" is to conduct a survey, including a sample of all employees, using an anonymous reporting tool. Remind employees the survey tool is confidential. Ask simple questions such as "Do you feel encouraged by your supervisor to do the right thing?" or "Do you know the most recent policy on a particular topic?" As auditors, we often discuss the tone at the top of an organization, however, unless the tone at the middle is the same as the top, all employees might not get the proper messages.
By implementing simple steps, organizations can make a difference in fraud prevention, waste and abuse... one employee at a time.
Melissa Hall Associate Director - Forensic Audits
Georgia Institute of Technology
THE THREE LINES OF DEFENSE IN EFFECTIVE RISK MANAGEMENT AND CONTROL
IIA Position Paper, January 2013
This month's article on Operational Effectiveness consists of a three part position paper on risk management and control published by the Institute of Internal Auditors. Part I is reprinted in this newsletter. Parts II & III will be reprinted in the next Straight and Narrow publication.
Introduction
In twenty-first century businesses, it's not uncommon to find diverse teams of internal auditors, enterprise risk management specialists, compliance officers, internal control specialists, quality inspectors, fraud investigators, and other risk and control professionals working together to help their organizations manage risk. Each of these specialties has a unique perspective and specific skills that can be invaluable to the organizations they serve, but because duties related to risk management and control are increasingly being split across multiple departments and divisions, duties must be coordinated carefully to assure that risk and control processes operate as intended.
It's not enough that the various risk and control functions exist -- the challenge is to assign specific roles and to coordinate effectively and efficiently among these groups so that there are neither "gaps" in controls nor unnecessary duplications of coverage. Clear responsibilities must be defined so that each group of risk and control professionals understands the boundaries of their responsibilities and how their positions fit into the organization's overall risk and control structure.
The stakes are high. Without a cohesive, coordinated approach, limited risk and control resources may not be employed effectively, and significant risks may not be identified or managed appropriately. In the worst cases, communications among the various risk and control groups may devolve to little more than an ongoing debate about whose job it is to accomplish specific tasks.
The problem can exist at any organization, regardless of whether a formal enterprise risk management framework is used. Although risk management frameworks can effectively identify the types of risks that modern businesses must control, these frameworks are largely silent about how specific duties should be assigned and coordinated within the organization.
Fortunately, best practices are emerging that can help organizations delegate and coordinate essential risk management duties with a systematic approach.
The Three Lines of Defense model provides a simple and effective way to enhance communications on risk management and control by clarifying essential roles and duties. It provides a fresh look at operations, helping to assure the ongoing success of risk management initiatives, and it is appropriate for any organization -- regardless of size or complexity. Even in organizations where a formal risk management framework or system does not exist, the Three Lines of Defense model can enhance clarity regarding risks and controls and help improve the effectiveness of risk management systems.
Before The Three Lines: Risk Management Oversight and Strategy Setting
In the Three Lines of Defense model, management control is the first line of defense in risk management, the various risk control and compliance oversight functions established by management are the second line of defense, and independent assurance is the third. Each of these three "lines" plays a distinct role within the organization's wider governance framework.
I. THE FIRST LINE OF DEFENSE: OPERATIONAL MANAGEMENT
The Three Lines of Defense model distinguishes among three groups (or lines) involved in effective risk management:
Functions that own and manage risks.
Functions that oversee risks.
Functions that provide independent assurance.
As the first line of defense, operational managers own and manage risks. They also are responsible for implementing corrective actions to address process and control deficiencies. Operational management is responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis.
Operational management identifies, assesses, controls, and mitigates risks, guiding the development and implementation of internal policies and procedures and ensuring that activities are consistent with goals and objectives.
Through a cascading responsibility structure, mid-level managers design and implement detailed procedures that serve as controls and supervise execution of those procedures by their employees.
Operational management naturally serves as the first line of defense because controls are designed into systems and processes under the guidance of operational management. There should be adequate managerial and supervisory controls in place to ensure compliance and to highlight control breakdown, inadequate processes, and unexpected events.
USG FRAUD AWARENESS PROGRAM
Suggested Activities for Fraud Awareness Week
Events on- and off-campus to promote awareness and training
Ongoing education/training
Brown Bag lunch with experts discussing fraud prevention in the workplace, as well as overall fraud awareness issues
Open forums within larger divisions (Plant Operations, etc.) to explain types of fraud abuse, how to spot fraud, waste, and abuse, and then how to properly report (Hotline)
Symposium for community: how to prevent credit card fraud, identity theft, scams, etc.
Information Technology host symposium on campus and/or in the community.
Information booths with games, including "backpack" games where items related to work are placed in a backpack and discuss whether certain items in the bag are stolen or not; discussion about cost of small to large items taken from the office or workplace; or integrity/ethics quiz and allow employees to try and answer correctly.
SEND US YOUR SUCCESS STORIES: OIAC Ethics and Compliance
Board of Regents of the University System of Georgia
Office of Internal Audit & Compliance (OIAC) 270 Washington Street, SW Suite 7093 Atlanta, GA 30334-1450
Phone: (404) 962-3020
Fax: (404) 962-3033
Website: www.usg.edu/audit/
Ask the Auditor
If you have a governance, risk management, compliance or control question that has been challenging you, let us help you find the answer. Your question can help us to become better auditors.
Want to Contribute to the Straight and Narrow?
We invite you to send your questions and ideas for future articles to us for feature in upcoming Straight and Narrow newsletters.
Contact Us: USG OIAC Newsletter
"Creating A More Educated Georgia" www.usg.edu