The STRAIGHT and NARROW
January 2016
Volume 6, Issue 28
Office of Internal Audit & Compliance, BOR -- USG, (404) 962-3020

The Office of Internal Audit & Compliance's (OIAC) mission is to support the University System of Georgia management in meeting its governance, risk management, compliance and internal control (GRCC) responsibilities while helping to improve organizational and operational effectiveness and efficiency. The OIAC is a core activity that provides management with timely information, advice and guidance that is objective, accurate, balanced and useful. The OIAC promotes an organizational culture that encourages ethical conduct.

We have three strategic priorities:
1. Anticipate and help to prevent and to mitigate significant USG GRCC issues.
2. Foster enduring cultural change that results in consistent and quality management of USG operations and GRCC practices.
3. Build and develop the OIAC team.

Inside this issue:
- From the Chief Audit Officer
- 2 CFR 200 -- Uniform Requirements
- Training Opportunity: Minors on Campus
- Scholarships and Fellowships
- Fraud Awareness Week
- PCI Monsters
- Contact Us

From the Interim Chief Audit Officer, Michael J. Foxman

Happy New Year, Colleagues!

Back to Basics! Turning Our Attention Towards Assurance and Compliance

The OIAC has been hard at work ensuring that we added "value" during 2015. Our work plan included the accomplishment of:
- Presidential Transition Audits
- Systemwide ACA Consulting Engagement
- Systemwide Financial Aid Audit Engagement
- An Assessment of Services Provided to Non-student Minors on Campus
- University System Office Audit, including travel, purchase cards, contracts, and Georgia Archives operations
- Systemwide Deferred Compensation

In 2016, we will continue to provide internal audit and consultation services to USG institutions and business units. This year we are turning our attention towards assurance and financial compliance. What's on the horizon? A couple of very significant projects worth mentioning include:

IT Audit and PCI Compliance: The USG stores the personal information of hundreds of thousands of individuals associated with our student and employee records. Cloud computing, social media, mobility tools, and other advanced technologies have created new internal and external security challenges and risks that impact higher education. Our part in the IT security process is to provide assurance that the USG has implemented proper safeguards to protect vital data. Our IT Audit Director, Patrick Jenkins, will be visiting each institution to begin these assessments.

Financial Assurance Reviews

I would also like to acknowledge and welcome Mr. Kwabena J. Boakye to the OIAC. Kwabena joined the staff beginning December 2015. Please welcome him in his new role at the BOR.

I am looking forward to working with each of you during this year as we continue to safeguard USG assets and the USG reputation. Please feel free to contact me at Michael.foxman@usg.edu or 404-962-3021.

Michael J. Foxman
Interim Chief Audit Officer

Uniform Administrative Requirements, Cost Principles and Audit Requirements for Federal Awards at 2 CFR 200
By Rob Roy

2 CFR 200: Title 2 -- Grants and Agreements; Subtitle A -- Office of Management and Budget Guidance for Grants and Agreements; Chapter II -- Office of Management and Budget Guidance; Part 200 -- Uniform Requirements

Abbreviations:
UR -- Uniform Requirements
COFAR -- Committee on Financial Assistance Reform
IHE -- Institutions of Higher Education
ARRA -- American Recovery and Reinvestment Act, 2009
PI -- Principal Investigator
F&A Rate -- Facilities and Administrative Rate

It has been a year since the new Administrative Requirements went into effect.
So in short, what is covered by the new Uniform Requirements (UR), frequently referred to as the Uniform Guidance, what is changing and what is not?

Starting about three years ago, the Committee on Financial Assistance Reform (COFAR), addressing President Obama's directive to streamline guidance and increase accountability for federal grants, brought us these changes, which went into effect on 26 December 2014. The UR combined circulars A-21, A-110 and A-133 and five others into one uniform document that applies to Institutions of Higher Education (IHE), state and local governments and tribal nations. The UR provides guidance to federal agencies on solicitation content and program rule development. This regulation covers how IHEs manage finances, purchasing and property purchased under a federal award. It also governs allowable cost, both direct and indirect: direct costs such as personal services, travel, materials and supplies, contracts and sub-awards, as well as how space and utilities costs are used in F&A rate proposals.

Under the UR risk management framework, institutions will rely heavily on their internal controls for the administration of research awards. The UR applies to all federal awards made to the IHE. These rules, agency and program rules, special conditions, and the notice of award itself will all apply to an award. State regulations and IHE policies and procedures will apply to all sponsored research under the doctrine of internal controls.

One of the most significant changes in the UR is the use of the word "must" in place of the word "should". COFAR has made it clear that where the word "must" is used, an IHE is required to comply in its administration of sponsored awards. In other words, these are auditable activities of grants management. The word "must" appears over 800 times in the UR. In addition to this change from "should" to "must", a researcher's program performance must reflect financial performance, very similar to ARRA reporting. Specifically, the research progress must be mirrored by the financial progress.

As indicated above, there is an emphasis on internal controls and documentation. This will be reflected in timely expenditures and cost transfers, as well as the requirement for PIs to certify costs on their projects. When issuing or receiving a sub-award, increased documentation is required. There are new limits on fixed price contracts, and changes in payment requirements. Greater financial and programmatic performance monitoring is going to be required of the prime contractor. The changes will necessitate greater planning, as contracting will be more constrained, purchasing will require more quotes and bids, and close-out timelines will be more compressed.

Many researchers will want to know what impact the UR will have on their awards. The following are some highlights:

Proposals: Researchers will need to pay very close attention to the solicitation issued by the sponsoring agency. Cost-sharing cannot be considered in proposal review, and a requirement for cost share requires agency head approval. In short, do not propose cost-share unless it is required in the solicitation. Awarding agencies are expected to pay the full negotiated F&A rate; any deviations must be approved by the agency head and must be stated in the solicitation.

Purchasing: Documentation standards have changed when purchasing equipment and supplies. The micro-purchase threshold has been reduced from $10,000 to $3,000, with additional documentation required and maintained for any purchase in excess of $3,000.

Materials and Supplies: More attention will be required when budgeting and purchasing materials and supplies, as there is a new requirement for tracking and documenting residual supplies at the end of a project and for late-term purchases/charges. New limits on the timelines for making cost transfers are included, particularly at the end of a project.

Equipment: Equipment purchased with federal funds must be made available to other federally funded projects, and there are disposition requirements that must be adhered to at the end of a project.

So what is not changing? The UR are still built on the foundation of Allowability, Allocability and Reasonableness. All charges to a federal project must adhere to these principles. The dual role of graduate students and post-doctoral trainees has been affirmed. Time and effort will continue to be the standard for documenting personnel charges. Travel regulations will remain consistent with the regulations of the state of Georgia. Computing devices that are essential and allocable, but not solely dedicated to the performance of a federal award, may be allowable as a direct charge if appropriate and if they meet the allowable, allocable and reasonable requirements. The expectation to financially and programmatically close awards within 90 days of the end of the term has not changed; what has changed is the process the IHE must go through in the closeout, and therefore the timelines are going to be much tighter.

Also not changing are the four cost accounting standards:
1) An institution's practices used in estimating costs in pricing a proposal shall be consistent with the institution's cost accounting practices used in accumulating and reporting costs;
2) like costs in like circumstances must be treated in the same manner;
3) unallowable costs shall be excluded from any billing, claim, or proposal applicable to a sponsored project;
4) an institution shall use its fiscal year as its cost accounting period.

IHEs should, if they have not already done so, map their policies and procedures to the new UR and conduct information sessions to advise faculty and staff that the new UR are applicable to awards made after 26 December 2014. IHEs also need to be aware of agency-specific requirements and exceptions to the UR that were published by each agency. Also be aware that the procurement requirements have been delayed another 12 months, until the beginning of the next fiscal year cycle (1 July 2017 for units of the USG), and that DS-2 disclosure statements are due within 90 days of the release of the new forms.

The author would like to acknowledge that the above is excerpted from presentations made by Jilda Garton, Vice President for Research and General Manager, GTRC & GTARC.

Robert Roy
Research Associate and Director of Business Operations
rob.roy@usg.edu

Training Opportunity -- February 1, 2016: Best Practices for Protecting Minors on Campus

The training conference is designed for campus-based personnel to learn important guidelines and procedures an institution can implement to minimize risks when minors participate in camps and programs on college campuses. This upcoming training conference will cover best practices for protecting minors. The conference keynote speaker is Ann Franke, an expert in risk management, employment, student affairs, and governance.

Who would benefit from this experience? Consider representatives from the following areas:
- Continuing Education
- Conference Services
- Student Affairs
- Facilities / Housing
- Campus Safety
- Legal Counsel
- Athletics
- Human Resources
- Risk Management
- Internal Audit

Register at the conference webpage using the following link: http://www.cvent.com/d/xfqkth

Please share with staff and administrators at your institution who supervise or work in programs designed for minors.
Effective Management of Scholarship and Fellowship Funding Provided by a University Foundation
By: Mark W. Long, CPA, CGMA; Chief Financial Officer, Georgia Tech Foundation

Georgia Tech is fortunate to receive generous financial support from its alumni and friends to support scholarship and fellowship awards to our students. The contributions received may establish endowments, which provide a perpetual flow of income for student support, or the donor may choose to make a contribution which is fully expendable. This type of private support is critical in advancing an institution's goals of attracting and retaining the best and brightest students and making the institution financially accessible to all qualified students.

Effective management of scholarship and fellowship funds is a vital component of proper stewardship of the funds contributed. At Georgia Tech, three campus offices, the Georgia Tech Foundation, the Controller's Office and the Office of Scholarships and Financial Aid, work collaboratively to ensure the funds are efficiently awarded to our students. In fiscal year 2014, more than $18 million in scholarship support and more than $4 million in fellowship support was provided by the Foundation to Georgia Tech students.

Upon receipt of a contribution, the Foundation establishes an account on its books and records and assigns a unique Foundation account number. The Foundation forwards the information on the gift, including the scholarship criteria and the unit responsible for recipient selection, to the Controller's Office and to the Office of Scholarships and Financial Aid. The Accounting Services Department, within the Controller's Office, establishes a sponsored account, or Georgia Tech project number, per the following procedure: http://policies.gatech.edu/business-finance/establishing-scholarship-and-fellowship-projects. The Office of Scholarships and Financial Aid also establishes an account in its Banner system, noting the Foundation account and the Georgia Tech project number. All of the numbers are linked in each system. The unit responsible for selecting the recipients and the criteria for selection are noted and recorded by both offices.

As funds are received or made available by the Foundation, the budget is updated on the Georgia Tech records via a daily data feed. The appropriate campus unit selects the student to receive the scholarship or fellowship award, taking into consideration the institution's goals and the criteria for the award. The award is credited to the student's account and is applied toward his or her tuition and fees. At the end of each month, the Controller's Office prepares a cumulative invoice of all of the scholarships and fellowships paid for the month. The invoice is electronically sent to the Foundation, noting the Foundation account number. The Foundation reimburses Georgia Tech for the monthly awards via a bank transfer. The Controller's Office reconciles the accounts to ensure the accounts are in balance.

At Georgia Tech, proper stewardship of the funds entrusted to us is very important, including informing the donor of the impact of his or her gift. The GThanks program, located on the website at http://www.finaid.gatech.edu/gthanks, encourages students who benefited from the generosity of our donors to thank them for their support. The program encourages interaction between the student and his or her benefactor and has resulted in additional scholarship and fellowship donations. We believe this interaction will motivate our current students, when they become alumni, to give back and help future students.

International Fraud Awareness Week a Success!

Once again, the USG was a proud participant in International Fraud Awareness Week, November 15-21, 2015. It was great to see all of the system-wide activities that took place at institutions to bring awareness to the importance of an ethical culture. Studies have shown that organizations with an ethical culture are more productive and have higher employee retention rates. No organization is exempt from the potential for fraud and the resulting reputational risk to it and its employees. A recent survey by the Ethics Resource Center revealed that 41% of U.S. workers observed unethical or illegal misconduct on the job. The USG awareness programs that took place during International Fraud Awareness Week help to recognize and promote our shared values of integrity, excellence, accountability and responsibility. Fraud awareness programs are part of the USG's comprehensive ethics and compliance program, which includes ethics training, mandatory compliance training, assurance audits, consulting engagements, and an ethics and compliance reporting hotline. Thanks for all you do to create a more educated Georgia.

Wesley Horne
Director of Ethics & Compliance
404-962-3034
wesley.horne@usg.edu

The PCI Monsters under the Bed
By Patrick Jenkins

I recently read an article on University Business' website entitled "PCI Compliance Crackdown" by Pamela Mill-Senn. The article centered on an interview with the founder and president of CampusGuard, Ron King. CampusGuard is a consulting company focusing on the special needs of higher education. Several of our USG schools have had engagements with CampusGuard to perform gap assessments related to the Payment Card Industry (PCI) Data Security Standard (DSS). The interview with Mr. King went on to highlight some of the challenges that higher education is facing related to PCI compliance. The article has some good, high-level information about PCI and is certainly worth the read: http://www.universitybusiness.com/article/pci-compliance-crackdown

I had the opportunity to have a casual meeting with Mr.
King in October of this year, and we both agreed that probably the biggest challenge in higher education as it relates to PCI compliance is the fear, uncertainty, and doubt on the part of some administrators, hoping the problem will simply "go away". This approach reminds me of a child fretting about the mean, nasty monsters lurking underneath the bed. The cause for concern is valid, and it won't go away by curling up under our blankets, squeezing our eyes shut and wishing for it to disappear. It must be confronted.

A good way to confront the "monster" is to figure out exactly what kind of beast your campus is dealing with. Generically speaking, there are only two kinds of monsters in the PCI realm: Merchant and Service Provider. Understanding your PCI compliance requirements begins with understanding that if any part of your campus infrastructure "stores, processes, or transmits" payment card information, it is in scope for PCI DSS.

I. PCI Monster 1: The Merchant Monster

The first type of monster is the Payment Card Industry (PCI) Merchant. If your school (or affiliated departments) accepts credit/debit cards as a form of payment, your institution is required to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). PCI Merchants range in level from 1 to 4. The merchant level is determined by the annual volume of payment card transactions. Payment cards are those cards branded with an industry vendor logo, i.e. Visa, MasterCard, Discover, and American Express. Each card brand has its own merchant levels.

How do YOU find out your PCI level? Your acquiring bank determines your merchant level. Your Chief Business Officer (CBO) should know your acquiring bank. Once you have this information, you can find out your PCI DSS compliance requirements. For example, a PCI Merchant Level 1 for Visa transactions processes over 6 million Visa transactions annually across all channels, or is a global merchant identified as Level 1 by any Visa region. PCI levels 2, 3 and 4 each have different annual transaction amounts and criteria. Source: www.visa.com/cisp

If your institution is a Merchant, your institution MUST:
- Conduct an annual self-assessment. (Level 1 merchants are instead required to have an annual on-site assessment producing a Report on Compliance, rather than a self-assessment; confirm the exact requirement for your level with your acquiring bank.)
- Have (clean) quarterly network scans by an Approved Scanning Vendor (ASV).

The PCI Security Standards Council provides tailored guidance for the self-assessment. The self-assessment has two deliverables: the Self-Assessment Questionnaire (SAQ) and the Attestation of Compliance (AOC). The SAQ types are:

SAQ A: Card-not-present (e-commerce or mail/telephone order) merchants, with all cardholder data functions outsourced. This NEVER applies to face-to-face merchants.
SAQ B: Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.
SAQ C-VT: Merchants using only web-based virtual terminals, with no electronic cardholder data storage.
SAQ C: Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage.
SAQ D: All other merchants not included in the descriptions for SAQ types A through C, and all service providers.

The current version of the standard (PCI DSS 3.x) also defines more specific questionnaires such as SAQ A-EP, SAQ B-IP and SAQ P2PE; check the SAQ instructions on the Council's website for the one that matches each payment channel.

Generic State College (GSC) has decided that its Bursar's office will only take payments through online transactions and has outsourced that function to a third party (e.g. TouchNet). Therefore, GSC would need to fill out an SAQ A for the Bursar's office. However, GSC's Parking Office accepts credit cards for payment of permits and fines in its office using traditional card swipe machines. GSC would need to complete an SAQ B for the Parking Office (if those terminals send transactions over the campus IP network rather than dialing out, the network path is in scope as well and SAQ B-IP applies instead). GSC may need to complete multiple SAQs, one for each area on campus that accepts credit cards. There is a chance your institution may fall under several SAQ categories, so you may need to complete multiple SAQs. GSC will need an AOC for the school covering all areas that accept payment cards. Obtain a template at the Standards Council website: www.pcisecuritystandards.org

II. PCI Monster 2: The Service Provider

Chances are, your school has outsourced some of its credit card processing operations to a third party, such as TouchNet, which is considered a Service Provider under PCI DSS. As their customer, you have the right to obtain their AOC. This is something the campus CBO or Compliance Officer should be doing on an annual basis as part of compliance efforts.

However, some schools have (perhaps unknowingly) put themselves in the role of a PCI Service Provider. A Service Provider is an entity that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. This means that if a school contracts with third-party vendors, such as dining services companies like Sodexo, or food-court-type vendors such as Subway, Taco Bell, or Chick-fil-A, and provides them an Internet connection via the campus network for credit card processing, then that school is a PCI Service Provider. The challenge is that not all institutions recognize their active role as a service provider, and this lack of awareness puts the institution, the institution's businesses, and customers at risk. A bigger challenge with unknowingly being a Service Provider is that contract language with the vendors may or may not cover the costs associated with implementing the required security controls of a service provider.

The institution's campus network engineering team must properly isolate PCI traffic to certain parts of the network. The value of a properly segmented network to handle PCI traffic cannot be overstated.
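The scoping rule above ("stores, processes, or transmits") and the segmentation point are easier to see with a small scope calculation. The following Python script is an added example for this newsletter, not code from the article, from CampusGuard or from any USG institution; the host names, segment names and firewall allow rules in it are constructed for illustration. It treats a host as in scope if it handles cardholder data itself, or if its network segment has allowed connectivity (directly or through other campus segments) to a segment that does, and it shows how a single stray allow rule drags the whole campus network back into scope.

```python
"""PCI DSS scope sketch: which hosts are in scope given cardholder-data
handling and segment-level firewall allow rules. Added example; the hosts,
segments and rules below are constructed (assumption), not a real campus."""
from collections import deque

# Constructed inventory: each host records its network segment and whether it
# stores, processes or transmits cardholder data (CHD).
HOSTS = {
    "bursar-web":  {"segment": "dmz",    "handles_chd": False},  # redirects to hosted pay page
    "parking-pos": {"segment": "pci",    "handles_chd": True},   # card terminals in Parking
    "dining-pos":  {"segment": "vendor", "handles_chd": True},   # contracted vendor's POS
    "hr-db":       {"segment": "admin",  "handles_chd": False},
    "student-lab": {"segment": "users",  "handles_chd": False},
}

# Segment-level allow rules (src, dst); anything not listed is denied.
# "processor" stands for the acquirer/gateway outside the campus.
SEGMENTED_RULES = [
    ("pci", "processor"),
    ("vendor", "processor"),
    ("users", "dmz"),
    ("admin", "dmz"),
]

# Segments outside the campus: reachable, but not a path between campus segments.
EXTERNAL = {"processor"}


def flat_rules(hosts):
    """Allow rules for an unsegmented network: every segment reaches every other."""
    segs = sorted({h["segment"] for h in hosts.values()})
    return [(a, b) for a in segs for b in segs if a != b]


def segments_linked_to(rules, start):
    """All segments with an allowed path to or from `start`.

    Rules are followed in either direction (conservative: connectivity in
    either direction is enough to put a segment in scope), and the search
    does not continue through EXTERNAL segments.
    """
    adj = {}
    for a, b in rules:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        seg = queue.popleft()
        if seg in EXTERNAL:
            continue
        for nxt in adj.get(seg, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def classify(hosts, rules):
    """Return {host: 'cde' | 'connected-to' | 'out-of-scope'}.

    cde: handles CHD itself.  connected-to: no CHD, but its segment has
    allowed connectivity to a CDE segment, so PCI DSS controls still apply.
    """
    cde_segments = {h["segment"] for h in hosts.values() if h["handles_chd"]}
    linked = set()
    for seg in cde_segments:
        linked |= segments_linked_to(rules, seg)
    result = {}
    for name, h in hosts.items():
        if h["handles_chd"]:
            result[name] = "cde"
        elif h["segment"] in linked:
            result[name] = "connected-to"
        else:
            result[name] = "out-of-scope"
    return result


def in_scope(hosts, rules):
    """Sorted list of hosts the assessment (SAQ/ROC, ASV scans) must cover."""
    return sorted(n for n, c in classify(hosts, rules).items() if c != "out-of-scope")


if __name__ == "__main__":
    print("flat network:    ", in_scope(HOSTS, flat_rules(HOSTS)))
    print("segmented:       ", in_scope(HOSTS, SEGMENTED_RULES))
    # One "temporary" rule letting the student network reach the vendor POS
    # segment pulls users, and everything users can reach, back into scope.
    leaky = SEGMENTED_RULES + [("users", "vendor")]
    print("segmented + leak:", in_scope(HOSTS, leaky))
```

Run as-is, the flat network puts all five hosts in scope, the segmented rules reduce scope to the two POS hosts, and the single leaky rule restores the full list, which is the practical argument for segmentation: it is the only thing keeping the HR database and the student lab out of the PCI assessment. A real scope review feeds this kind of logic from the actual firewall and switch configuration rather than a hand-written rule list.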
The service provider must have proper network segmentation, use credit card processing equipment that supports hardware data encryption or tokenization, and perform regular security scans of the environment. An IT security plan will aid in identifying the proper solution. Do not underestimate the need for network segmentation. Improper documentation and network configuration, combined with a lack of clear understanding by IT and business administrators, may create a costly problem for an institution without adequate safeguards.

Hopefully this article has made you smile and scared you just a little bit. The PCI monsters are indeed under the bed, but with a good flashlight and some clear understanding, we can keep them at bay.

Patrick A. Jenkins
Director of Information Technology Audit
404-962-3027
Email: Patrick.jenkins@usg.edu

Reference Information
- 2 CFR 200, U.S. Office of Management and Budget, Uniform Administrative Requirements, Cost Principles and Audit Requirements for Federal Awards
- USG Information Technology Handbook, http://www.usg.edu/information_technology_handbook/
- PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance, 4th Edition, by Brandon L. Williams

Board of Regents of the University System of Georgia
Office of Internal Audit & Compliance (OIAC)
270 Washington Street, SW, Suite 7093
Atlanta, GA 30334-1450
Phone: (404) 962-3020
Fax: (404) 962-3033
Website: www.usg.edu/audit/

Ask the Auditor
If you have a governance, risk management, compliance or control question that has been challenging you, let us help you find the answer. Your question can help us to become better auditors.

Want to Contribute to the Straight and Narrow?
We invite you to send your questions and ideas for future articles to us for feature in upcoming Straight and Narrow newsletters.

Contact Us: USG OIAC Newsletter
"Creating A More Educated Georgia"
www.usg.edu